BIG-IP Release Information

Version: 12.1.5.3
Build: 5.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

Important: Memory leak after upgrade
F5 has uncovered a memory leak that occurs after upgrading to 12.1.5.3 that may affect configurations with HTTPS monitors. This occurs as a result of bug 625156.
To download a hotfix that addresses this issue, go to the F5 Downloads site here (login required).
For information about this issue, see K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3.
and K02024500: Pool-members with HTTPS monitors go down after upgrade to 12.1.5.3.

Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
933741-6	CVE-2021-22979	K63497634	Security hardening in FPS GUI
932065-5	CVE-2021-22978	K87502622	iControl REST framework exception handling hardening
921337-4	CVE-2021-22976	K88230177	ASM processes some web-sockets requests longer than usual
917509-6	CVE-2020-27718	K58102101	ASM processes some requests longer than usual
911761-6	CVE-2020-5948	K42696541	F5 TMUI XSS vulnerability CVE-2020-5948
908673-1	CVE-2020-27717	K43850230	TMM may crash while processing DNS traffic
879745-7	CVE-2020-5942	K82530456	TMM may crash while processing Diameter traffic
846917-6	CVE-2019-10744	K47105354	lodash Vulnerability: CVE-2019-10744
837773-5	CVE-2020-5912	K12936322	Restjavad Storage and Configuration Hardening
750292-3	CVE-2019-6592	K54167061	TMM may crash when processing TLS traffic
904937-6	CVE-2020-27725	K25595031	Excessive resource consumption in zxfrd
898949-5	CVE-2020-27724	K04518313	APM may consume excessive resources while processing VPN traffic
880361-5	CVE-2021-22973	K13323323	TMM may crash while processing iRules LX commands
859089-2	CVE-2020-5907	K00091341	TMSH allows SFTP utility access
842717-2	CVE-2020-5855	K55102004	BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
832757-2	CVE-2017-18551	K48073202	Linux kernel vulnerability CVE-2017-18551
811789-5	CVE-2020-5915	K57214921	Device trust UI hardening
751036-4	CVE-2020-27721	K52035247	Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
734177	CVE-2012-6701 CVE-2015-8830 CVE-2016-8650 CVE-2017-2671 CVE-2017-6001 CVE-2017-7308 CVE-2017-7616 CVE-2017-7889 CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2017-12190 CVE-2017-15121 CVE-2017-18203 CVE-2018-1130 CVE-2018-3639 CVE-2018-5803	K42142782	CVE-2019-12190 : RHEL6 Kernel Vulnerability
693360-6	CVE-2020-27721	K52035247	A virtual server status changes to yellow while still available
681535	CVE-2017-2628	K35453761	CVE-2015-3148 in curl was incomplete.
818177-7	CVE-2019-12295	K06725231	CVE-2019-12295 Wireshark Vulnerability
746091-4	CVE-2019-19151	K21711352	TMSH Vulnerability: CVE-2019-19151
717276-3	CVE-2020-5930	K20622530	TMM Route Metrics Hardening
954381-5	CVE-2021-22986	K03009991	iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
955145-5	CVE-2021-22986	K03009991	iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
950077-5	CVE-2021-22987, CVE-2021-22988	K18132488	TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
953677-5	CVE-2021-22987, CVE-2021-22988	K18132488	TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
953729-5	CVE-2021-22989, CVE-2021-22990	K56142644	Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
973333-1	CVE-2021-22991	K56715231	TMM buffer-overflow vulnerability CVE-2021-22991
981169-5	CVE-2021-22994	K66851119	F5 TMUI XSS vulnerability CVE-2021-22994
743105-5	CVE-2021-22998	K31934524	BIG-IP SNAT vulnerability CVE-2021-22998
932697	CVE-2021-23000	K34441555	BIG-IP TMM vulnerability CVE-2021-23000

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
724556-1	2-Critical		icrd_child spawns more than maximum allowed times (zombie processes)
657912-1	3-Major		PIM can be configured to use a floating self IP address
760234-3	4-Minor		Configuring Advanced shell for Resource Administrator User has no effect

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
860517-5	2-Critical		MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
841953-2	2-Critical		A tunnel can be expired when going offline, causing tmm crash
841333-2	2-Critical		TMM may crash when tunnel used after returning from offline
780817-3	2-Critical		TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
769817-5	2-Critical		BFD fails to propagate sessions state change during blade restart
737322-1	2-Critical		tmm may crash at startup if the configuration load fails
706521-6	2-Critical	K21404407	The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
648270-4	2-Critical		mcpd can crash if viewing a fast-growing log file through the GUI
948769-2	3-Major		TMM panic with SCTP traffic
888497-6	3-Major		Cacheable HTTP Response
887089-6	3-Major		Upgrade can fail when filenames contain spaces
871657-4	3-Major		Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
842189-1	3-Major		Tunnels removed when going offline are not restored when going back online
814585-6	3-Major		PPTP profile option not available when creating or modifying virtual servers in GUI
810957-6	3-Major		Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
807005-6	3-Major		Save-on-auto-sync is not working as expected with large configuration objects
800185-1	3-Major		Saving a large encrypted UCS archive may fail and might trigger failover
794501-5	3-Major		Duplicate if_indexes and OIDs between interfaces and tunnels
783113-2	3-Major		BGP sessions remain down upon new primary slot election
760950-1	3-Major		Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
760439-1	3-Major		After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
759596-4	3-Major		Tcl errors in iRules 'table' command
757520	3-Major		After a software upgrade, the BIG-IP system does not use the correct hostname for logging.★
749785-3	3-Major		nsm can become unresponsive when processing recursive routes
749007-4	3-Major		South Sudan, Sint Maarten, and Curacao country missing in GTM region list
745261-3	3-Major		The TMM process may crash in some tunnel cases
742628-6	3-Major	K53843889	Tmsh session initiation adds increased control plane pressure
739872-3	3-Major		The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
738943-1	3-Major		imish command hangs when ospfd is enabled
724109-5	3-Major		Manual config-sync fails after pool with FQDN pool members is deleted
720569-2	3-Major		Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition
699091-1	3-Major		SELinux denies console access for remote users.
698429-3	3-Major		Misleading log error message: Store Read invalid store addr 0x3800, len 10
688399-5	3-Major		HSB failure results in continuous TMM restarts
687115-1	3-Major		SNMP performance can be impacted by a long list of allowed-addresses
680917-2	3-Major		Invalid monitor rule instance identifier
678456-2	3-Major		ZebOS BGP peer-group configuration not fixed up on upgrade★
672063-1	3-Major	K38335326	Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.
626589-6	3-Major	K73230273	iControl-SOAP prints beyond log buffer
620311-1	3-Major		GUI Failover Unicast Address information incorrect
605675-1	3-Major		Sync requests can be generated faster than they can be handled
600732-2	3-Major		IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description
489572-2	3-Major	K60934489	Sync fails if file object is created and deleted before sync to peer BIG-IP
933461-1	4-Minor		BGP multi-path candidate selection does not work properly in all cases.
931837-4	4-Minor		NTP has predictable timestamps
902417-1	4-Minor		Configuration error caused by Drafts folder in a deleted custom partition★
831293-1	4-Minor		SNMP address-related GET requests slow to respond.
801637-2	4-Minor		Cmp_dest on C2200 platform may give incorrect results
721526-1	4-Minor		tcpdump fails to write verbose packet data to file
685582-5	4-Minor		Incorrect output of b64 unit key hash by command f5mku -f
664524	4-Minor		CVE-2017-2636: A race condition was found in the N_HLDC Linux kernel driver that can lead to double free CVE-2016-7910:A flaw was found in the Linux kernel's implementation of seq_file which can lead to memory corruption

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
715032-6	1-Blocking	K73302459	iRulesLX Hardening
941089-5	2-Critical		TMM core when using Multipath TCP
842937-1	2-Critical		TMM crash due to failed assertion 'valid node'
743950-3	2-Critical		TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
740228-3	2-Critical		TMM crash while sending a DHCP Lease Query to a DHCP server
949145-2	3-Major		Improve TCP's response to partial ACKs during loss recovery
915281-7	3-Major		Do not rearm TCP Keep Alive timer under certain conditions
879413-5	3-Major		Statsd fails to start if one or more of its *.info files becomes corrupted
851789-1	3-Major		SSL monitors flap with client certs with private key stored in FIPS
851045-5	3-Major		LTM database monitor may hang when monitored DB server goes down
814761-4	3-Major		PostgreSQL monitor fails on second ping with count != 1
807821-1	3-Major		ICMP echo requests occasionally go unanswered
805017-4	3-Major		DB monitor marks pool member down if no send/recv strings are configured
796993-2	3-Major		Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
785481-5	3-Major		A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
770477-4	3-Major		SSL aborted when client_hello includes both renegotiation info extension and SCSV
755997-3	3-Major		Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
753805-2	3-Major		BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
750473-2	3-Major		VA status change while 'disabled' are not taken into account after being 'enabled' again
724824-5	3-Major		Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
722707-1	3-Major		mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
687887-4	3-Major		Unexpected result from multiple changes to a monitor-related object in a single transaction
686059-1	3-Major		FDB entries for existing VLANs may be flushed when creating a new VLAN.
608952-5	3-Major		MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
604811-3	3-Major		Under certain conditions TMM may crash while processing OneConnect traffic
516307-2	3-Major	K35152864	Multiple Relay in DHCP relay is not working.
409340-1	3-Major	K63086108	https/ssl monitor closes immediately (rather than awaiting remote close-notify)
822025-5	4-Minor		HTTP response not forwarded to client during an early response
808409-2	4-Minor		Unable to specify if giaddr will be modified in DHCP relay chain
781225-4	4-Minor		HTTP profile Response Size stats incorrect for keep-alive connections
769309-4	4-Minor		DB monitor reconnects to server on every probe when count = 0
746077-2	4-Minor		If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
726983-5	4-Minor		Inserting multi-line HTTP header not handled correctly
939841-5	2-Critical		BIG-IP MPTCP vulnerability CVE-2021-23003
939845-5	3-Major		Invalid MPTCP JOIN messages not immediately dropped

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
702457-3	3-Major		DNS Cache connections remain open indefinitely

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
927617-5	2-Critical		"Illegal Base64 value" violation is detected for cookie with valid base64 value
943125-5	3-Major		Web-Socket request with JSON payload causing core during the payload parsing
941853-4	3-Major		Logging Profiles do not disassociate from virtual server when multiple changes are made
918933-5	3-Major	K88162221	Some ASM attack signatures do not match on cookies
848445-5	3-Major	K86285055	Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
833685-2	3-Major		Idle async handlers can remain loaded for a long time doing nothing
712336-3	3-Major		bd daemon restart loop
686763-2	3-Major		asm_start is consuming too much memory
630355-3	3-Major	K57041868	Local Logs Missing Or Recorded Found For Incorrect Policy
975233-5	1-Blocking		Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
935401-6	3-Major		BIG-IP ASM iControl REST vulnerability CVE-2021-23001

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
727031-2	1-Blocking		TMM disruption from disaggregation in vCMP systems
760629-1	3-Major		Remove Obsolete APM keys in BigDB
739570-1	3-Major		Unable to install EPSEC package★
766017-5	4-Minor		[APM][LocalDB] Local user database instance name length check inconsistencies★

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
621284-5	3-Major		Incorrect TMSH help text for the 'max-response' RAMCACHE attribute

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
939529-5	3-Major		Branch parameter not parsed properly when topmost via header received with comma separated values
747909-2	4-Minor		GTPv2 MEI and Serving-Network fields decoded incorrectly

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
726154-1	3-Major		TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
753014-2	3-Major		PEM iRule action with RULE_INIT event fails to attach to PEM policy

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
940401-5	5-Cosmetic		Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
913441-1	2-Critical		Tmm cores while doing Hitless Upgrade while there are active flows
949861	3-Major		Wr_urldbd returns unknown results for customdb on some blades
741994	4-Minor		Cleanup Webroot database files when database fail to download
674795-1	4-Minor		tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.

Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
895525-6	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
909237-2	CVE-2020-8617	K05544642	CVE-2020-8617: BIND Vulnerability
909233-2	CVE-2020-8616	K97810133	DNS Hardening
905905-5	CVE-2020-5904	K31301245	TMUI CSRF vulnerability CVE-2020-5904
895993-6	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895981-6	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895881-5	CVE-2020-5903	K43638305	BIG-IP TMUI XSS vulnerability CVE-2020-5903
883717-5	CVE-2020-5914	K37466356	BD crash on specific server cookie scenario
882185-3	CVE-2020-5897	K20346072	BIG-IP Edge Client Windows ActiveX
879025-7	CVE-2020-5913	K72752002	When processing TLS traffic, LTM may not enforce certificate chain restrictions
841577-7	CVE-2020-5922	K20606443	iControl REST hardening
839453-1	CVE-2019-10744	K47105354	lodash library vulnerability CVE-2019-10744
830401-6	CVE-2020-5877	K54200228	TMM may crash while processing TCP traffic with iRules
819197-7	CVE-2019-13135	K20336394	BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-6	CVE-2019-13136	K03512441	BIGIP: CVE-2019-13136 ImageMagick vulnerability
788057-6	CVE-2020-5921	K00103216	MCPD may crash while processing syncookies
626360	CVE-2017-6163	K22541983	TMM may crash when processing HTTP2 traffic
886085-7	CVE-2020-5925	K45421311	BIG-IP TMM vulnerability CVE-2020-5925
883097-3	CVE-2020-5924	K11400411	Radius authentication may consume excessive resources
881445-3	CVE-2020-5898	K69154630	BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
872673-5	CVE-2020-5918	K26464312	TMM can crash when processing SCTP traffic
870273-1	CVE-2020-5936	K44020030	TMM may consume excessive resources when processing SSL traffic
860477-7	CVE-2020-5906	K82518062	SCP hardening
858025-6	CVE-2021-22984	K33440533	Proactive Bot Defense does not validate redirected paths
848405-7	CVE-2020-5933	K26244025	TMM may consume excessive resources while processing compressed HTTP traffic
838881-6	CVE-2020-5853	K73183618	APM Portal Access Vulnerability: CVE-2020-5853
837837-6	CVE-2020-5917	K43404629	F5 SSH server key size vulnerability CVE-2020-5917
832885-6	CVE-2020-5923	K05975972	Self-IP hardening
829121-6	CVE-2020-5886	K65720640	State mirroring default does not require TLS
829117-6	CVE-2020-5885	K17663061	State mirroring default does not require TLS
888493-6	CVE-2020-5928	K40843345	ASM GUI Hardening
852929-4	CVE-2020-5920	K25160703	AFM WebUI Hardening
838909-2	CVE-2020-5893	K97733133	BIG-IP APM Edge Client vulnerability CVE-2020-5893
823893-5	CVE-2020-5890	K03318649	Qkview may fail to completely sanitize LDAP bind credentials
749324-4	CVE-2012-6708	K62532311	jQuery Vulnerability: CVE-2012-6708
760723-4	CVE-2015-4037	K64765350	Qemu Vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
858229-1	3-Major	K22493037	XML with sensitive data gets to the ICAP server
858189-6	3-Major		Make restnoded/restjavad/icrd timeout configurable with sys db variables.
643459-3	3-Major	K81809012	Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
767013-5	2-Critical		Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
749388-4	2-Critical		'table delete' iRule command can cause TMM to crash
743082-3	2-Critical		Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★
737055-3	2-Critical		Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
795649-1	3-Major		Loading UCS from one iSeries model to another causes FPGA to fail to load
788577-2	3-Major		BFD sessions may be reset after CMP state change
762073-3	3-Major		Continuous TMM restarts when HSB drops off the PCI bus
754460	3-Major		No failover on HA Dual Chassis setup using HA score
741902-4	3-Major		sod does not validate message length vs. received packet length
725791-3	3-Major	K44895409	Potential HW/HSB issue detected
722380-3	3-Major		The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
648621-1	3-Major		SCTP: Multihome connections may not expire
619873-2	3-Major		Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms★
559001-1	3-Major		Unable to clear LCD messages and Alarm LED state on non-iSeries platforms
743815-4	4-Minor		vCMP guest observes connflow reset when a CMP state change occurs.
722230-6	4-Minor		Cannot delete FQDN template node if another FQDN node resolves to same IP address
660760-1	4-Minor	K75105750	DNS graphs fail to display in the GUI
550526	4-Minor	K84370515	Some time zones prevent configuring trust with a peer device using the GUI.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
831325-4	2-Critical	K10701310	HTTP PSM detects more issues with Transfer-Encoding headers
757578-5	2-Critical		RAM cache is not compatible with verify-accept
747617-4	2-Critical		TMM core when processing invalid timer
705768-4	2-Critical		The dynconfd process may core and restart with multiple DNS name servers configured
860005-5	3-Major		Ephemeral nodes/pool members may be created for wrong FQDN name
858301-5	3-Major	K27551003	HTTP RFC compliance now checks that the authority matches between the URI and Host header
858297-5	3-Major	K27551003	HTTP requests with multiple Host headers are rejected if RFC compliance is enabled
803233-5	3-Major		Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
784565-5	3-Major		VLAN groups are incompatible with fast-forwarded flows
766169-1	3-Major		Replacing all VLAN interfaces resets VLAN MTU to a default value
755727-4	3-Major		Ephemeral pool members not created after DNS flap and address record changes
720440	3-Major		Radius monitor marks pool members down after 6 seconds
704450-2	3-Major		bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
689361-3	3-Major		Configsync can change the status of a monitored pool member
655724-3	3-Major	K15695	MSRDP persistence does not work across route domains.
640809-1	3-Major	K79892782	Merged constantly restarts★
582207-7	3-Major		MSS may exceed MTU when using HW syncookies
575642-1	3-Major		rst_cause of "Internal error"
594064-2	4-Minor	K57004151	tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
760471-5	3-Major		GTM iQuery connections may be reset during SSL key renegotiation.
746348-3	3-Major		On rare occasions, gtmd fails to process probe responses originating from the same system.
708421-1	3-Major	K52142743	DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
704198-1	3-Major	K29403988	Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
681010-1	3-Major	K33572148	'Referer' is not masked when 'Query String' contains sensitive parameter

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
866021-5	3-Major		Diameter Mirror connection lost on the standby due to "process ingress error"
815877-5	3-Major		Information Elements with zero-length value are rejected by the GTP parser
747187-4	3-Major		SIP falsely detects media flow collision when SDP is in both 183 and 200 response
745404-3	3-Major		MRF SIP ALG does not reparse SDP payload if replaced
741951-3	3-Major		Multiple extensions in SIP NOTIFY request cause message to be dropped.
651886-1	3-Major		Certain FIX messages are dropped
836357-2	4-Minor		SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
788513-5	4-Minor		Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
816529	3-Major		If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.

Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
852445-6	CVE-2019-6477	K15840535	Big-IP : CVE-2019-6477 BIND Vulnerability
818709-5	CVE-2020-5858	K36814487	TMSH does not follow current best practices
818429-1	CVE-2020-5857	K70275209	TMM may crash while processing HTTP traffic
805837-5	CVE-2019-6657	K22441651	REST does not follow current design best practices
795437-1	CVE-2019-6677	K06747393	Improve handling of TCP traffic for iRules
795197-4	CVE-2019-11477, CVE-2019-11478, CVE-2019-11479	K26618426	Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
781377-3	CVE-2019-6681	K93417064	tmrouted may crash while processing Multicast Forwarding Cache messages
780601-5	CVE-2020-5873	K03585731	SCP file transfer hardening
778077-2	CVE-2019-6680	K53183580	Virtual to virtual chain can cause TMM to crash
767373-4	CVE-2019-8331	K24383845	CVE-2019-8331: Bootstrap Vulnerability
759343-3	CVE-2019-6668	K49827114	MacOS Edge Client installer does not follow best security practices
737731-3	CVE-2019-6622	K44885536	iControl REST input sanitization
809165-5	CVE-2020-5854	K50046200	TMM may crash will processing connector traffic
805557-5	CVE-2020-5882	K43815022	TMM may crash while processing crypto data
795797-5	CVE-2019-6658	K21121741	AFM WebUI Hardening
788773-5	CVE-2019-9515	K50233772	HTTP/2 Vulnerability: CVE-2019-9515
788769-5	CVE-2019-9514	K01988340	HTTP/2 Vulnerability: CVE-2019-9514
782529-5	CVE-2019-6685	K30215839	iRules does not follow current design best practices
773673-5	CVE-2019-9512	K98053339	HTTP/2 Vulnerability: CVE-2019-9512
768981-5	CVE-2019-6670	K05765031	VCMP Hypervisor Hardening
761144-2	CVE-2019-6684	K95117754	Broadcast frames may be dropped
761112-6	CVE-2019-6683	K76328112	TMM may consume excessive resources when processing FastL4 traffic
761014-5	CVE-2019-6669	K11447758	TMM may crash while processing local traffic
725551-5	CVE-2019-6682	K40452417	ASM may consume excessive resources
857669	CVE-2020-5908	K33023560	BIG-IP Edge Client may log sensitive data on Linux client
811109	CVE-2020-5861	K22113131	TMM RAM Cache Vulnerability: CVE-2020-5861
789893-5	CVE-2019-6679	K54336216	SCP file transfer hardening
779177-5	CVE-2019-19150	K37890841	Apmd logs "client-session-id" when access-policy debug log level is enabled
773653-3	CVE-2019-6656	K23876153	APM Client Logging
773649-3	CVE-2019-6656	K23876153	APM Client Logging
773641-3	CVE-2019-6656	K23876153	APM Client Logging
773637-3	CVE-2019-6656	K23876153	APM Client Logging
773633-3	CVE-2019-6656	K23876153	APM Client Logging
773621-3	CVE-2019-6656	K23876153	APM Client Logging
738236-3	CVE-2019-6688	K25607522	UCS does not follow current best practices
712876-4	CVE-2017-8824	K15526101	CVE-2017-8824: Kernel Vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
819397-4	1-Blocking	K50375550	TMM does not enforce RFC compliance when processing HTTP traffic
769193-3	3-Major		Added support for faster congestion window increase in slow-start for stretch ACKs
557322-1	3-Major		Sensitive monitor parameters recorded in bigd and monitor logs

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
765533-5	2-Critical	K58243048	Sensitive information logged when DEBUG logging enabled
621260-5	2-Critical		mcpd core on iControl REST reference to non-existing pool
812981-1	3-Major		MCPD: memory leak on standby BIG-IP device
809205-2	3-Major		CVE-2019-3855: libssh2 Vulnerability
641450	3-Major	K30053855	A transaction that deletes and recreates a virtual may result in an invalid configuration
625901-1	3-Major		SNAT pools allow members in different partitions to be assigned, but this causes a load failure
620954-3	3-Major		Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
618137-1	3-Major		Native IXLV: New tagged VLAN does not work after several restarts of tmm
614808-1	3-Major		Running qkview with option -c (--complete) fails if there is an encrypted key
600944-1	3-Major		tmsh does not reset route domain to 0 after cd /Common and loading bash
596815-1	3-Major		System DNS nameserver and search order configuration does not always sync to peers
595317-4	3-Major		Forwarding address for Type 7 in ospfv3 is not updated in the database
584041	3-Major		forward slash '/' is used in the description field, admin user will be demoted to guest.
516167-2	3-Major	K21382264	TMSH listing with wildcards prevents the child object from being displayed
503482-2	3-Major		BGP cannot redistribute IPv4 routes learned from OSPFv3.
638960-2	4-Minor		A subset of the BIG-IP default profiles can be incorrectly deleted
638893-1	4-Minor		Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
625428-1	4-Minor		SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
624909-2	4-Minor		Static route create validation is less stringent than static route delete validation
623536-2	4-Minor		SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
620522-1	4-Minor		Some expected command output are missing in qkview
591732-2	4-Minor		Local password policy not enforced when auth source is set to a remote type.
590415-1	4-Minor		Partition can be removed when remote role info entries refer to it
589862-6	4-Minor		HA Grioup percent-up display value is truncated, not rounded
590399-1	5-Cosmetic	K11304001	Unnecessary logging during startup: 'Unable to connect to MCPD' and Errdefsd is starting'.
571634-1	5-Cosmetic		tmstat CPU values can be incorrect

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
826601-2	2-Critical		Prevent receive window shrinkage for looped flows that use a SYN cookie
787825-4	2-Critical	K58243048	Database monitors debug logs have plaintext password printed in the log file
639764-2	2-Critical		Crash when searching external data-groups with records that do not have values
616298-1	2-Critical		Loading the configuration fails when a virtual server uses HTTP Strict Transport Security (HSTS).
615303-2	2-Critical	K47381511	bigd crash with Tcl monitors
788325-5	3-Major	K39794285	Header continuation rule is applied to request/response line
773421-5	3-Major		Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
761185-5	3-Major	K50375550	Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
663730-1	3-Major		Bigd prematurely kills child/external monitor process if WIFCONTINUED signal received
643041-4	3-Major	K64451315	Less than optimal interaction between OneConnect and proxy MSS
636842-1	3-Major	K51472519	A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-2	3-Major		The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
594751-3	3-Major	K90535529	LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
567330-1	5-Cosmetic		tmsh show sys memory on secondaries will generate innocuous error

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
662308-1	2-Critical		BD core
636669-3	2-Critical	K37300224	bd log are full of 'Can't run patterns' messages
635977-1	2-Critical		Bd core on specific out of memory scenario
620301-4	2-Critical		Policy import fails due to missing signature System in associated Signature Set
854177-1	3-Major		ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
850673-5	3-Major		BD sends bad ACKs to the bd_agent for configuration
832205-2	3-Major		ASU cannot be completed after Signature Systems database corruption following binary Policy import
831661-5	3-Major		ASMConfig Handler undergoes frequent restarts
809125-4	3-Major		CSRF false positive
793149-1	3-Major		Adding the Strict-transport-Policy header to internal responses
785009-1	3-Major		Binary policy import fails with a user-defined Signature Set containing only non-existent signatures
783505-1	3-Major		ASU is very slow on device with hundreds of policies due to table checksums
765809	3-Major		Memory increases for the bd daemon on cluster environment primary blade
725879	3-Major		Internet Explorer running on Windows phone 8.1 gets CAPTCHA during legitimate browsing
755005-4	4-Minor		Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
747560-2	4-Minor		ASM REST: Unable to download Whitehat vulnerabilities

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
825049-2	1-Blocking		Windows code signing certificate update 2019
685862-2	3-Major		BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
642211-2	3-Major		Warning logged when GENERICMESSAGE::message drop iRule command used

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
602098-1	3-Major		Translation object created in non-Common partition is visible in the policy created for Common partition

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
627341-1	3-Major		TMUI loginProviderName is invalid when requesting a REST token

Cumulative fixes from BIG-IP v12.1.5 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
807477-4	CVE-2019-6650	K04280042	ConfigSync Hardening
797885-5	CVE-2019-6649	K05123525	ConfigSync Hardening
796469-1	CVE-2019-6649	K05123525	ConfigSync Hardening
810557-5	CVE-2019-6649	K05123525	ASM ConfigSync Hardening
799617-5	CVE-2019-6649	K05123525	ConfigSync Hardening
799589-5	CVE-2019-6649	K05123525	ConfigSync Hardening
794389-5	CVE-2019-6651	K89509323	iControl REST endpoint response inconsistency
771873-2	CVE-2019-6642	K40378764	TMSH Hardening
762453-4	CVE-2020-5872	K63558580	Hardware cryptography acceleration may fail
758065-3	CVE-2019-6667	K82781208	TMM may consume excessive resources while processing FIX traffic
757023-5	CVE-2018-5743	K74009656	BIND vulnerability CVE-2018-5743
756538-2	CVE-2019-6645	K15759349	Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
739971-3	CVE-2018-5391	K74374841	Linux kernel vulnerability: CVE-2018-5391
737574-3	CVE-2019-6621	K20541896	iControl REST input sanitization★
737565-3	CVE-2019-6620	K20445457	iControl REST input sanitization
726393-5	CVE-2019-6643	K36228121	DHCPRELAY6 can lead to a tmm crash
715923-3	CVE-2018-15317	K43625118	When processing TLS traffic TMM may terminate connections unexpectedly
794413-5	CVE-2019-6471	K10092301	BIND vulnerability CVE-2019-6471
758018-2	CVE-2019-6661	K61705126	APD/APMD may consume excessive resources
757455-4	CVE-2019-6647	K87920510	Excessive resource consumption when processing REST requests
745257-4	CVE-2018-14634	K20934447	Linux kernel vulnerability: CVE-2018-14634
702469-4	CVE-2019-6633	K73522927	Appliance mode hardening in scp
679861-2	CVE-2019-6655	K31152411	Weak Access Restrictions on the AVR Reporting Interface

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
744937-4	3-Major	K00724442	BIG-IP DNS and GTM DNSSEC security exposure

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
707509-3	1-Blocking		Initial vCMP guest creations can fail if certain hotfixes are used
769809-1	2-Critical		The vCMP guests 'INOPERATIVE' after upgrade
750586-3	2-Critical		HSL may incorrectly handle pending TCP connections with elongated handshake time.
748205-2	2-Critical		SSD bay identification incorrect for RAID drive replacement★
744331-1	2-Critical		OpenSSH hardening
743790-4	2-Critical		BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
734539-2	2-Critical		The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
726487-1	2-Critical		MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
710277-2	2-Critical		IKEv2 further child_sa validity checks
693996-3	2-Critical	K42285625	MCPD sync errors and restart after multiple modifications to file object in chassis
685458-5	2-Critical	K44738140	merged fails merging a table when a table row has incomplete keys defined.
671741-4	2-Critical		LCD on iSeries devices can lock at red 'loading' screen.
653152-1	2-Critical		Support RSASSA-PSS-SIGN in F5 crypto APIs.
788301-2	3-Major	K58243048	SNMPv3 Hardening
777261-1	3-Major		When SNMP cannot locate a file it logs messages repeatedly
758527-5	3-Major	K39604784	BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
758119-3	3-Major	K58243048	qkview may contain sensitive information
747592-4	3-Major		PHP vulnerability CVE-2018-17082
746266-4	3-Major		A vCMP guest VLAN MAC mismatch across blades.
745405	3-Major		Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover
743803-5	3-Major		IKEv2 potential double free of object when async request queueing fails
738445-1	3-Major		IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
737437-1	3-Major		IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
663924-2	3-Major		Qkview archives includes Kerberos keytab files
641753-2	3-Major		Syncookies activated on a genuine connection gets reset almost 30-50% of the time
599543-3	3-Major		Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
575919-3	3-Major		Running concurrent TMSH instances can result in error in access to history file
523797-2	3-Major		Upgrade: file path failure for process name attribute in snmp.★
726317-3	4-Minor		Improved debugging output for mcpd
692165-2	4-Minor		A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
662372-1	4-Minor	K41250179	Uploading a new device certificate file via the GUI might not update the device certificate
631334-4	4-Minor	K69038629	TMSH does not preserve \? for config save/load operations
520877-1	4-Minor		Alerts sent by the lcdwarn utility are not shown in tmsh
479471-1	4-Minor	K00342205	CPU statistics reported by the tmstat command may spike or go negative

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
759968-1	1-Blocking		Distinct vCMP guests are able to cluster with each other.
757391-1	2-Critical		Datagroup iRule command class can lead to memory corruption
756450-3	2-Critical		Traffic using route entry that's more specific than existing blackhole route can cause core
752930	2-Critical		Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
740963-3	2-Critical		VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
738046-3	2-Critical		SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
724214-2	2-Critical		TMM core when using Multipath TCP
671714-2	2-Critical		Empty persistence cookie name inserted from policy can cause TMM to crash
667779-2	2-Critical		iRule commands may cause the TMM to crash in very rare situations.
474797-7	2-Critical		Nitrox crypto hardware may attempt soft reset while currently resetting
760550-2	3-Major		Retransmitted TCP packet has FIN bit set
759480-1	3-Major		HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
758872-1	3-Major		TMM memory leak
758631-1	3-Major		ec_point_formats extension might be included in the server hello even if not specified in the client hello
756270-1	3-Major		SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
749414-1	3-Major		Invalid monitor rule instance identifier error
749294-1	3-Major		TMM cores when query session index is out of boundary
742237-1	3-Major		CPU spikes appear wider than actual in graphs
740959-1	3-Major		User with manager rights cannot delete FQDN node on non-Common partition
739963-1	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
727292-2	3-Major		SSL in proxy shutdown case does not deliver server TCP FIN
726232-1	3-Major		iRule drop/discard may crash tmm
720219-1	3-Major	K13109068	HSL::log command can fail to pick new pool member if last picked member is 'checking'
715467-3	3-Major		Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
702450-4	3-Major		The validation error message generated by deleting certain object types referenced by a policy action is incorrect
699598-4	3-Major		HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
688629-3	3-Major	K52334096	Deleting data-group in use by iRule does not trigger validation error
617382-1	3-Major		Csyncd memory leak on multi-bladed systems
599567	3-Major		APM assumes SNAT automap, does not use SNAT pool
576311-1	3-Major	K41335027	HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present
511324-12	3-Major	K23159242	HTTP::disable does not work after the first request/response.
504522-2	3-Major		Trailing space present after 'tmsh ltm pool members monitor' attribute value
747585-1	4-Minor		TCP Analytics supports ANY protocol number
624168-2	4-Minor		DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
735832-2	2-Critical		RAM Cache traffic fails on B2150

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
750213-1	3-Major	K25351434	DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
723790-4	2-Critical		Idle asm_config_server handlers consumes a lot of memory
773553-5	3-Major		ASM JSON parser false positive.
761231-5	3-Major	K79240502	Bot Defense Search Engines getting blocked after configuring DNS correctly
760878-1	3-Major		Incorrect enforcement of explicit global parameters
727107-1	3-Major		Request Logs are not stored locally due to shmem pipe blockage
721399-3	3-Major		Signature Set cannot be modified to Accuracy = 'All' after another value
695878-5	3-Major		Signature enforcement issue on specific requests
685164-3	3-Major	K34646484	In partitions with default route domain != 0 request log is not showing requests
660327-2	3-Major		Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
653017-2	3-Major		Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
605649-3	3-Major	K28782793	The cbrd daemon runs at 100% CPU utilization
758336-2	4-Minor		Incorrect recommendation in Online Help of Proactive Bot Defense

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
774301-1	3-Major		Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
766577-5	3-Major		APMD fails to send response to client and it already closed connection.
755507-1	3-Major		[App Tunnel] 'URI sanitization' error

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
709670-5	3-Major		iRule triggered from RADIUS occasionally fails to create subscribers.

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
757088	2-Critical		TMM clock advances and cluster failover happens during webroot db nightly updates
754257	3-Major		URL lookup queries not working

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
658417-1	2-Critical		REST: Failure to authenticate/renew user who is using expired password

Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
757025-4	CVE-2018-5744	K00040234	BIND Update
756774-3	CVE-2019-6612	K24401914	Aborted DNS queries to a cache may cause a TMM crash
754944-4	CVE-2019-6626	K00432398	AVR reporting UI does not follow best practices
754345-4	CVE-2019-6625	K79902360	WebUI does not follow best security practices
754103-3	CVE-2019-6644	K75532331	iRulesLX NodeJS daemon does not follow best security practices
753776-3	CVE-2019-6624	K07127032	TMM may consume excessive resources when processing UDP traffic
749879	CVE-2019-6611	K47527163	Possible interruption while processing VPN traffic
748502-4	CVE-2019-6623	K72335002	TMM may crash when processing iSession traffic
744035-3	CVE-2018-15332	K12130880	APM Client Vulnerability: CVE-2018-15332
739970-3	CVE-2018-5390	K95343321	Linux kernel vulnerability: CVE-2018-5390
739947-3	CVE-2019-6610	K42465020	TMM may crash while processing APM traffic
757027-4	CVE-2019-6465	K01713115	BIND Update
757026-4	CVE-2018-5745	K25244852	BIND Update
753796-3	CVE-2019-6640	K40443301	SNMP does not follow best security practices
750460-4	CVE-2019-6639	K61002104	Subscriber management configuration GUI
750187-4	CVE-2019-6637	K29149494	ASM REST may consume excessive resources
745713-2	CVE-2019-6619	K94563344	TMM may crash when processing HTTP/2 traffic
745387-4	CVE-2019-6618	K07702240	Resource-admin user roles can no longer get bash access
745371-3	CVE-2019-6636	K68151373	AFM GUI does not follow best security practices
745165-4	CVE-2019-6617	K38941195	Users without Advanced Shell Access are not allowed SFTP access
742226-3	CVE-2019-6635	K11330536	TMSH platform_check utility does not follow best security practices
737910-1	CVE-2019-6609	K18535734	Security hardening on the following platforms
710857-4	CVE-2019-6634	K64855220	iControl requests may cause excessive resource usage
703835-4	CVE-2019-6616	K82814400	When using SCP into BIG-IP systems, you must specify the target filename
702472-4	CVE-2019-6615	K87659521	Appliance Mode Security Hardening
698376-4	CVE-2019-6614	K46524395	Non-admin users have limited bash commands and can only write to certain directories
673842-3	CVE-2019-6632	K01413496	VCMP does not follow best security practices

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
666505-2	2-Critical		Gossip between VIPRION blades
667257-2	3-Major		CPU Usage Reaches 100% With High FastL4 Traffic
607410-1	3-Major	K81239824	In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible
600811-2	3-Major		CATEGORY::lookup command change in behavior★

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
752835-1	2-Critical	K46971044	Mitigate mcpd out of memory error with auto-sync enabled.
756153-1	3-Major		Add diskmonitor support for MySQL /var/lib/mysql
749153	3-Major		Cannot create LTM policy from GUI using iControl
735565-3	3-Major		BGP neighbor peer-group config element not persisting
726409-3	3-Major		Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
723794-4	3-Major		PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722682-1	3-Major		Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
720819-1	3-Major		Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-3	3-Major		TACACS audit logging may append garbage characters to the end of log strings
720110-4	3-Major		0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
716166-3	3-Major		Dynamic routing not added when conflicting self IPs exist
714986-1	3-Major		Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714903-1	3-Major		Errors in chmand
714654-3	3-Major		Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
709544-4	3-Major		VCMP guests in HA configuration become Active/Active during upgrade★
707740-3	3-Major		Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
693388-1	3-Major		Log additional HSB registers when device becomes unresponsive
678488-3	3-Major	K59332320	BGP default-originate not announced to peers if several are peering over different VLANs
639619-3	3-Major		UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
582792-7	3-Major		iRules are not updated in transactions through TMSH or iControl
581921-2	3-Major	K22327083	Required files under /etc/ssh are not moved during a UCS restore
508302-2	3-Major		Auto-sync groups may revert to full sync
671044-3	4-Minor	K78612407	FIPS certificate creation can cause failover to standby system
668964-2	4-Minor	K81873940	'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group
619706-1	4-Minor		tmsh appears to allow password change for internal lcd admin user
436116-1	4-Minor		The tcpdump utility may fail to capture packets

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
753912-1	2-Critical	K44385170	UDP flows may not be swept
747968-4	2-Critical		DNS64 stats not increasing when requests go through DNS cache resolver
744269-3	2-Critical		dynconfd restarts if FQDN template node deleted while IP address change in progress
741919-1	2-Critical		HTTP response may be dropped following a 100 continue message.
738945-1	2-Critical		SSL persistence does not work when there are multiple handshakes present in a single record
727206-4	2-Critical		Memory corruption when using SSL Forward Proxy on certain platforms
718210-3	2-Critical		Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
746922-3	3-Major		When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
744536	3-Major		HTTP/2 may garble large headers
742078-1	3-Major		Incoming SYNs are dropped and the connection does not time out.
739638-1	3-Major		BGP failed to connect with neighbor when pool route is used
738523-3	3-Major		SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
721621-2	3-Major		Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
720799-3	3-Major		Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
717896-1	3-Major		Monitor instances deleted in peer unit after sync
717100-4	3-Major		FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716716-3	3-Major		Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
710564-3	3-Major		DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
710355-1	3-Major		High CPU when using HTTP::collect for large chunked payloads
705112-1	3-Major		DHCP server flows are not re-established after expiration
685519-3	3-Major		Mirrored connections ignore the handshake timeout
651889-2	3-Major		persist record may be inconsistent after a virtual hit rate limit
625166-1	3-Major		Suspended iRules cannot complete on aborted flows
588720-1	3-Major	K44907534	Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
273104-2	3-Major		Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
751586-1	4-Minor		Http2 virtual does not honour translate-address disabled
684319-2	4-Minor		iRule execution logging
664618-3	4-Minor		Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
658382-1	5-Cosmetic		Large numbers of ERR_UNKNOWN appearing in the logs

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
756094-1	2-Critical		DNS express in restart loop, 'Error writing scratch database' in ltm log
739846-4	2-Critical		Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
749508-4	3-Major		LDNS and DNSSEC: Various OOM conditions need to be handled properly
748902-8	3-Major		Incorrect handling of memory allocations while processing DNSSEC queries
746877-4	3-Major		Omitted check for success of memory allocation for DNSSEC resource record
744707-1	3-Major		Crash related to DNSSEC key rollover
723288-3	3-Major		DNS cache replication between TMMs does not always work for net dns-resolver
721895-1	3-Major		Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
748177-4	4-Minor		Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
726412-1	4-Minor		Virtual server drop down missing objects on pool creation

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
691945-2	3-Major		Security Policy Configuration Changes When Disabling Learning
690215-1	3-Major		Missing requests in request log
641307-2	3-Major		Response Page contents are corrupted by XML policy import for non-UTF-8 policies
641083-2	3-Major		Policy Builder Persistence is not saved while config events are received
754365-2	4-Minor		Updated flags for countries that changed their flags since 2010
583402-1	4-Minor		ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
747192-3	2-Critical		Small memory leak while creating Access Policy items
714716-3	2-Critical	K10248311	Apmd logs password for acp messages when in debug mode
660913-1	2-Critical		For ActiveSync client type, browscap info provided is incorrect.★
597674-1	2-Critical		TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels.
758764-5	3-Major		APMD Core when CRLDP Auth fails to download revoked certificate
747725-1	3-Major		Kerberos Auth agent may override settings that manually made to krb5.conf
746768-2	3-Major		APMD leaks memory if access policy policy contains variable/resource assign policy items
745654-1	3-Major		Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
722969-1	3-Major		Access Policy import with 'reuse' enabled instead rewrites shared objects
672818-2	3-Major		When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
656784-2	3-Major	K98510679	Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
674367-1	3-Major	K20983428	SDD v3 symmetric deduplication may stop working indefinitely

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
701680-1	3-Major		MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
747104-4	1-Blocking	K52868493	LibSSH: CVE-2018-10933
686376-1	3-Major		Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
624314-1	3-Major		AVR reports incorrect 'actions' in ACL reports

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
726647-1	3-Major		PEM content insertion in a compressed response may truncate some data

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
744959-2	3-Major		SNMP OID for sysLsnPoolStatTotal not incremented in stats
708830-1	3-Major		Inbound or hairpin connections may get stuck consuming memory.

Cumulative fixes from BIG-IP v12.1.4 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
738119-3	CVE-2019-6589	K23566124	SIP routing UI does not follow best practices
714181-3	CVE-2019-6603	K14632915	TMM may crash while processing TCP traffic
671498-3	CVE-2017-3143	K02230327	BIND zone contents may be manipulated
745358-4	CVE-2019-6607	K14812883	ASM GUI does not follow best practices
737442-1	CVE-2019-6591	K32840424	Error in APM Hosted Content when set to public access
724680-3	CVE-2018-0732	K21665601	OpenSSL Vulnerability: CVE-2018-0732
716900-1	CVE-2019-6594	K91026261	TMM core when using MPTCP
699452-3	CVE-2019-6597	K29280193	Web UI does not follow current best coding practices
658557-2	CVE-2019-6606	K35209601	The snmpd daemon may leak memory when processing requests.
643554-12	CVE-2017-3731 CVE-2017-3732 CVE-2016-7055	K37526132 K44512851 K43570545	OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
603658-1	CVE-2019-6601	K25359902	AAM security hardening
530775-4	CVE-2019-6600	K23734425	Login page may generate unexpected HTML output
701785-3	CVE-2017-18017	K18352029	Linux kernel vulnerability: CVE-2017-18017

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
734527-4	3-Major		BGP 'capability graceful-restart' for peer-group not properly advertised when configured
700827-2	3-Major		B2250 blades may lose efficiency when source ports form an arithmetic sequence.
600385-1	3-Major	K43295141	BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
597899-1	3-Major		Disabling all pool members may not be reflected in Virtual Server status

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
741423-1	2-Critical		Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-2	2-Critical		BIG-IP SNMPD vulnerability CVE-2019-6608
723722-3	2-Critical		MCPD crashes if several thousand files are created between config syncs.
723298-3	2-Critical		BIND upgrade to version 9.11.4
700386-1	2-Critical		mcpd may dump core on startup
697424	2-Critical		iControl-REST crashes on /example for firewall address-lists
691589	2-Critical		When using LDAP client auth, tamd may become stuck
689437-2	2-Critical	K49554067	icrd_child cores due to infinite recursion caused by incorrect group name handling
638091-4	2-Critical		Config sync after changing named pool members can cause mcpd on secondary blades to restart
594366-1	2-Critical	K21271097	Occasional crash of icrd_child when BIG-IP restarts
748187-1	3-Major		'Transaction Not Found' Error on PATCH after Transaction has been Created
720713-3	3-Major		TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
720651-3	3-Major		Running Guest Changed to Provisioned Never Stops
720461-3	3-Major		qkview prompts for password on chassis
711249-2	3-Major		NAS-IP-Address added to RADIUS packet unexpectedly
707391-4	3-Major		BGP may keep announcing routes after disabling route health injection
706354-1	3-Major		OPT-0045 optic unable to link
706104-2	3-Major		Dynamically advertised route may flap
705037-3	3-Major	K32332000	System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704449-4	3-Major		Orphaned tmsh processes might eventually lead to an out-of-memory condition
700757-2	3-Major		vcmpd may crash when it is exiting
698619-1	3-Major		Disable port bridging on HSB ports for non-vCMP systems
693884-3	3-Major		ospfd core on secondary blade during network unstability
692189-3	3-Major		errdefsd fails to generate a core file on request.
689002-1	3-Major		Stackoverflow when JSON is deeply nested
676705-2	3-Major		Agetty should not run on VE that lack serial port
673974-1	3-Major	K63225596	agetty auto detects parity on console port incorrectly
671447-2	3-Major		ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
666884-2	3-Major	K27056204	Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform★
653888-2	3-Major		BGP advertisement-interval attribute ignored in peer group configuration
652877-3	3-Major		Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
642923-2	3-Major		MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
639575-5	3-Major		Using libtar with files larger than 2 GB will create an unusable tarball
628402-4	3-Major		Operator users receive 'can't get object count from mcpd' error in response to certain commands
613509-1	3-Major	K49101035	Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
610449-2	3-Major		restarting mcpd on guest makes block-device-images disappear
602566-5	3-Major		sod daemon may crash during start-up
598289-4	3-Major		TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
598085-2	3-Major		Expected telemetry is not transmitted by sFlow on the standby-mode unit.
563905-2	3-Major		Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
491560-1	3-Major		Using proxy for IP intelligence updates
737389	4-Minor		Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
674145-3	4-Minor		chmand error log message missing data
608348-4	4-Minor		Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
744117-6	2-Critical	K18263026	The HTTP URI is not always parsed correctly
740490-2	2-Critical		Configuration changes involving HTTP2 or SPDY may leak memory
739927-1	2-Critical		Bigd crashes after a specific combination of logging operations
737758-1	2-Critical		MPTCP Passthrough and VIP-on-VIP can lead to TMM core
727044-1	2-Critical		TMM may crash while processing compressed data
726239-3	2-Critical		interruption of traffic handling as sod daemon restarts TMM
724868-2	2-Critical		dynconfd memory usage increases over time
663178-1	2-Critical		tmm may crash sometimes usng VPN
606035-1	2-Critical		csyncd crash
738521-2	3-Major		i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
714559-1	3-Major		Removal of HTTP hash persistence cookie when a pool member goes down.
710028-4	3-Major		LTM SQL monitors may stop monitoring if multiple monitors querying same database
708068-3	3-Major		Tcl commands like "HTTP::path -normalize" do not return normalized path.
706102-3	3-Major		SMTP monitor does not handle all multi-line banner use cases
701678-1	3-Major		Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
695925-3	3-Major		Tmm crash when showing connections for a CMP disabled virtual server
693910-2	3-Major		Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693582-3	3-Major		Monitor node log not rotated for certain monitor types
680264	3-Major		HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
674591-2	3-Major	K37975308	Packets with payload smaller than MSS are being marked to be TSOed
672312-2	3-Major		IP ToS may not be forwarded to serverside with syncookie activated
666595-2	3-Major		Monitor node log fd leak by bigd instances not actively monitoring node
662816-2	3-Major	K61902543	Monitor node log fd leak for certain monitor types
653930-2	3-Major	K69713140	Monitor with description containing backslash may fail to load.
613618-1	3-Major		The TMM crashes in the websso plugin.
611482-4	3-Major	K71450348	Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .
610138-2	3-Major	K23284054	STARTTLS in SMTPS filter does not properly restrict I/O buffering
605147-1	3-Major		No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
598707-4	3-Major		Path MTU does not work in self-IP flows
586621-7	3-Major	K36008344	SQL monitors 'count' config value does not work as expected.
628016-2	4-Minor		MP_JOIN always fails if MPTCP never receives payload data
618884-1	4-Minor		Behavior when using VLAN-Group and STP

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
750488	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750484	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750472	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750457	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
749774-2	3-Major		EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-2	3-Major		DNS cache resolver may return a malformed truncated response with multiple OPT records
737332-2	3-Major		It is possible for DNSX to serve partial zone information for a short period of time
723792-3	3-Major		GTM regex handling of some escape characters renders it invalid

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
741108	2-Critical		tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses
744347-1	3-Major		Protocol Security logging profiles cause slow ASM upgrade and apply policy
739945-1	3-Major		JavaScript challenge on POST with 307 breaks application
738789-3	3-Major		ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
738647-1	3-Major		Add the login detection criteria of 'status code is not X'
737998	3-Major		Brute Force end attack condition isn't satisfied for successful logins only
698757-1	3-Major	K58143082	Standby system saves config and changes status after sync from peer
664714-1	3-Major		Client-side challenge is changing POST parameter value under some circumstances
642185-1	3-Major		Add support for IBM AppScan scanner schema changes
613728-1	3-Major		Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
569195-1	3-Major	K41874435	A Set-Cookie for an existing ASM cookie without value change
542817-1	3-Major	K11619228	Specific numbers that are not credit card numbers are being masked as such
653895	4-Minor		Admin user cannot edit policy

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
616161-1	2-Critical		BD process crash and restarts
737597	3-Major		AVR DoS Attack report misses virtual server name in a specific config

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
740777-2	2-Critical		Secondary blades mcp daemon restart when subroutine properties are configured
672221	2-Critical		TMM cores if the certificate configured to validate message signature does not exist.
631060-1	2-Critical		BIG-IP may incorrectly reject serverside connection when REQLOG is configured.
745574-4	3-Major		URL is not removed from custom category when deleted
739744-2	3-Major		Import of Policy using Pool with members is failing
726592-2	3-Major		Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
628712-1	3-Major	K53129098	Advanced customization doesn't work for Profiles in non-common partition with . (period) with name

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
706642-3	2-Critical		wamd may leak memory during configuration changes and cluster events
603746-1	4-Minor		DCDB security hardening

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
724532-1	2-Critical		SIG SEGV during IP intelligence category match in TMM
710755-2	2-Critical		TMM crash when route information becomes stale and the system accesses stale information.
699454-3	4-Minor		Web UI does not follow current best coding practices
627454	4-Minor		Trimming leading whitespaces at logging profile creation

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
744516-2	2-Critical		TMM panics after a large number of LSN remote picks
734446-3	2-Critical		TMM crash after changing LSN pool mode from PBA to NAPT
669645-1	2-Critical		tmm crashes after LSN pool member change
663531-1	2-Critical		TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
746868	2-Critical		memory leakage when "apply to base domain" is enabled

Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
739094-4	CVE-2018-5546	K54431371	APM Client Vulnerability: CVE-2018-5546
737441-1	CVE-2018-5546	K54431371	Disallow hard links to svpn log files
726089-3	CVE-2018-15312	K44462254	Modifications to AVR metrics page
724339-2	CVE-2018-15314	K04524282	Unexpected TMUI output in AFM
724335-2	CVE-2018-15313	K21042153	Unexpected TMUI output in AFM
722677-3	CVE-2019-6604	K26455071	BIG-IP HSB vulnerability CVE-2019-6604
722387-2	CVE-2019-6596	K97241515	TMM may crash when processing APM DTLS traffic
722091-2	CVE-2018-15319	K64208870	TMM may crash while processing HTTP traffic
717742-3	CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794	K44923228	Oracle Java SE vulnerability CVE-2018-2783
707990-3	CVE-2018-15315	K41704442	Unexpected TMUI output in SSL Certificate Instance page
704184-3	CVE-2018-5529	K52171282	APM MAC Client create files with owner only read write permissions
701253-3	CVE-2018-15318	K16248201	TMM core when using MPTCP
721924-3	CVE-2018-17539	K17264695	BIG-IP ARM BGP vulnerability CVE-2018-17539
719554-3	CVE-2018-8897	K17403481	Linux Kernel Vulnerability: CVE-2018-8897
674486-5	CVE-2017-9233	K03244804	Expat Vulnerability: CVE-2017-9233
661828-1	CVE-2019-6590	K55101404	TMM may consume excessive resources when processing SSL traffic

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
715750-3	3-Major	K41515225	The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
652671-4	3-Major	K31326690	Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
716391-3	2-Critical	K76031538	High priority for MySQL on 2 core vCMP may lead to control plane process starvation
690793-2	2-Critical	K25263287	TMM may crash and dump core due to improper connflow tracking
688148-1	2-Critical		IKEv1 racoon daemon SEGV during phase-two SA list iteration
613476-2	2-Critical		IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion
704247-3	3-Major		BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
686124-3	3-Major	K83576240	IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
678380-3	3-Major	K26023811	Deleting an IKEv1 peer in current use could SEGV on race conditions.
671712	3-Major		The values returned for the ltmUserStatProfileStat table are incorrect.
670528-1	3-Major	K20251354	Warnings during vCMP host upgrade.
620746-1	3-Major		MCPD crash
580602-1	3-Major		Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
551925-3	3-Major		Misdirected UDP traffic with hardware acceleration
464650-4	3-Major		Failure of mcpd with invalid authentication context.
689211-2	4-Minor		IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
678254-2	4-Minor		Error logged when restarting Tomcat

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
716213-3	2-Critical		BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
697259-1	2-Critical	K14023450	Different versioned vCMP guests on the same chassis may crash.
694656-3	2-Critical	K05186205	Routing changes may cause TMM to restart
666401-2	2-Critical	K03294104	Memory might become corrupted when a Standby device transitions to Active during failover
659709-1	2-Critical		Mirroring persistence records may cause a TMM memory leak
641869-1	2-Critical	K62744980	Assertion "vmem_hashlist_remove not found" failed.
635191-1	2-Critical		Under rare circumstances TMM may crash
618106-1	2-Critical	K74714343	bigd core due to memory leak, especially with FQDN nodes
615097-1	2-Critical		Incorrect use of HTTP::collect leads to TMM core.
513310-1	2-Critical		TMM might core when a profile is changed.
722363-1	3-Major		Client fails to connect to server when using PVA offload at Established
720293-1	3-Major		HTTP2 IPv4 to IPv6 fails
713690-1	3-Major		IPv6 cache route metrics are locked
712664-4	3-Major		IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
711981-3	3-Major		BIG-IP system accepts larger-than-egress MTU, PMTU update
700696-2	3-Major		SSID does not cache fragmented Client Certificates correctly via iRule
694697-3	3-Major	K62065305	clusterd logs heartbeat check messages at log level info
693308-3	3-Major		SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691224-1	3-Major	K59327001	Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
671725-1	3-Major	K19920320	Connection leak on standby unit
632968-2	3-Major		supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
600812-1	3-Major		IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet.
578971-3	3-Major		When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
572234-2	3-Major		When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
716922-4	4-Minor		Reduction in PUSH flags when Nagle Enabled
622148-5	4-Minor		flow generated icmp error message need to consider which side of the proxy they are
602708-2	4-Minor	K84837413	Traffic may not passthrough CoS by default

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
718885-1	2-Critical	K25348242	Under certain conditions, monitor probes may not be sent at the configured interval
726255-3	3-Major		dns_path lingering in memory with last_access 0 causing high memory usage
719644-1	3-Major		If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
715448-1	3-Major		Providing LB::status with a GTM Pool name in a variable caused validation issues
710246-3	3-Major		DNS-Express was not sending out NOTIFY messages on VE
636790-3	3-Major		Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
739798	2-Critical		Massive number of log messages being generated and written to the bd.log.
734622	2-Critical	K83093212	Policy change with newly enforced signatures causes sig collection failure in other policies
721741-2	2-Critical		BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
716788-3	2-Critical		TMM may crash while response modifications are being performed within DoSL7 filter
685230-1	2-Critical		memory leak on a specific server scenario
666221-2	2-Critical	K47152503	tmm may crash from DoSL7
617391-1	2-Critical	K53345828	Custom ASM Search Engines causing sync, offline, and upgrade issues★
721752-1	3-Major		Null char returned in REST for Suggestion with more than MAX_INT occurrences
713282-3	3-Major		Remote logger violation_details field does not appear when virtual server has more than one remote logger
701856-2	3-Major		Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
701039	3-Major		Requests do not appear in local logging due to rare file descriptor exhaustion
676223-2	3-Major		Internal parameter in order not to sign allowed cookies
650070-2	3-Major	K23041827	iRule that uses ASM violation details may cause the system to reset the request
648639-3	3-Major	K92201230	TS cookie name contains NULL or other raw byte
646800-2	3-Major		A part of the request is not sent to ICAP server in a specific case
644725-4	3-Major	K01914292	Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
614730-1	3-Major		Session opening log shows incorrect number of challenged responses.
564324-2	3-Major		ASM scripts can break applications
463314-2	4-Minor		Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
685741	3-Major		DoS Overview is very slow to load data, to the point of timeout
649177-2	3-Major	K54018808	Testing for connection to SMTP Server always returns "OK"

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
722013-3	2-Critical		MCPD restarts on all secondary blades post config-sync involving APM customization group
631286-1	2-Critical		TMM Memory leak caused by APM URI cache entries
546489-1	2-Critical		VMware View USB redirection stops working after client reconnect
739144-1	3-Major		Domain logoff scripts runs after VPN connection is closed
738397-2	3-Major		SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
726895-1	3-Major	K02205915	VPE cannot modify subroutine settings
713655-3	3-Major		RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
703793-1	3-Major		tmm restarts when using ACCESS::perflow get' in certain events
702873-3	3-Major		Windows Logon Integration feature may cause Windows logon screen freeze
631626	3-Major		Unable to delete an access profile which contains a route domain agent
631048-1	3-Major		Portal Access [PeopleSoft] 'My Preferences' page does not have content
596166-1	3-Major		Cannot create email using Address Book
565347-2	3-Major		Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
721375	4-Minor		Export then import of config with RSA server in it might fail

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603755-1	2-Critical		dwbld core dump when Auto Blacklisting is configured, in a rare scenario
698806-2	3-Major		Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
738669-3	3-Major		Login validation may fail for a large request with early server response
716318-4	3-Major		Engine/Signatures automatic update check may fail to find/download the latest update

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
726303	3-Major		Unlock 10 million custom db entry limit

Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
716992-3	CVE-2018-5539	K75432956	The ASM bd process may crash
710244-1	CVE-2018-5536	K27391542	Memory Leak of access policy execution objects
709972-4	CVE-2017-12613	K52319810	CVE-2017-12613: APR Vulnerability
709688-5	CVE-2017-3144 CVE-2018-5732 CVE-2018-5733	K08306700	dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
693744-3	CVE-2018-5531	K64721111	CVE-2018-5531: vCMP vulnerability
710827-4	CVE-2019-6598	K44603900	TMUI dashboard daemon stability issue
710705-3	CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421	K34035645	Multiple Wireshark vulnerabilities
710314-2	CVE-2018-5537	K94105051	TMM may crash while processing HTML traffic
710148-4	CVE-2017-1000111 CVE-2017-1000112	K60250153	CVE-2017-1000111 & CVE-2017-1000112
705476-4	CVE-2018-15322	K28003839	Appliance Mode does not follow design best practices
703940-3	CVE-2018-5530	K45611803	Malformed HTTP/2 frame consumes excessive system resources
698813-3	CVE-2018-5538	K45435121	When processing DNSX transfers ZoneRunner does not enforce best practices
677088-4	CVE-2018-15321	K01067037	BIG-IP tmsh vulnerability CVE-2018-15321
672124-3	CVE-2018-5541	K12403422	Excessive resource usage when BD is processing requests
714879-1	CVE-2018-15326	K34652116	APM CRLDP Auth passes all certs
708653-3	CVE-2018-15311	K07550539	TMM may crash while processing TCP traffic
673165	CVE-2017-7895	K15004519	CVE-2017-7895: Linux Kernel Vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
671999-2	3-Major		Re-extract the the thales software everytime the installation script is run
643034-1	3-Major	K52510343	Turn off TCP Proxy ICMP forwarding by default
620445-4	3-Major		New SIP::persist keyword to set the timeout without changing key
613023-4	3-Major		Update SIP::Persist to support resetting timeout value.
441079-2	3-Major	K55242686	BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
693007-3	4-Minor		Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
700315-3	1-Blocking	K26130444	Ctrl+C does not terminate TShark
636774-1	1-Blocking		Potential TMM crash credits to BWC token distribution logic
723130-3	2-Critical	K13996	Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
707003-2	2-Critical		Unexpected syntax error in TMSH AVR
706423-2	2-Critical		tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
696113-1	2-Critical		Extra IPsec reference added per crypto operation overflows connflow refcount
692158-2	2-Critical		iCall and CLI script memory leak when saving configuration
690819-3	2-Critical		Using an iRule module after a 'session lookup' may result in crash
671314-4	2-Critical	K37093335	BIG-IP system cores when sending SIP SCTP traffic
665362-4	2-Critical		MCPD might crash if the AOM restarts
663197-3	2-Critical		Security hardening of files to prevent sensitive configuration from being stored in qkview.
626861-2	2-Critical	K31220138	Ensure unique IKEv2 sequence numbers
599223-1	2-Critical		Prevent static destructors in tmipsecd daemon
581851-2	2-Critical	K16234725	mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
559980-1	2-Critical		Change console baud rate requires reboot to take effect
508113-3	2-Critical		tmsh load sys config base merge file <filename> fails
720880	3-Major		Attempts to license/re-license the BIG-IP system fail.
720756	3-Major		SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720104	3-Major		BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
714848	3-Major		OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
710602	3-Major		iCRD commands requiring 'root' user access fixed
707445	3-Major	K47025244	Nitrox 3 compression hangs/unable to recover
704336-3	3-Major		Updating 3rd party device cert not copied correctly to trusted certificate store
704282-3	3-Major		TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
701900	3-Major	K55938217	DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
698947-1	3-Major		BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
694740-1	3-Major		BIG-IP reboot during a TMM core results in an incomplete core dump
693106-2	3-Major		IKEv1 newest established phase-one SAs should be found first in a search
692179-3	3-Major		Potential high memory usage from errdefsd.
687905	3-Major	K72040312	OneConnect profile causes CMP redirected connections on the HA standby
687534-3	3-Major		If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
686926-3	3-Major		IPsec: responder N(cookie) in SA_INIT response handled incorrectly
684391-1	3-Major		Existing IPsec tunnels reload. tmipsecd creates a core file.
680838-3	3-Major		IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-3	3-Major	K44117473	ECP does not work for PFS in IKEv2 child SAs
678925-4	3-Major		Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
677928-2	3-Major		A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
676897-1	3-Major	K25082113	IPsec keeps failing to reconnect
676092-1	3-Major		IPsec keeps failing to reconnect
675718-1	3-Major		IPsec keeps failing to reconnect
669268	3-Major		Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
667223	3-Major		The merge option for the tmsh load sys config command removes existing nested objects
666035-1	3-Major		Obscuring secrets in files collected by qkview
621314-6	3-Major	K55358710	SCTP virtual server with mirroring may cause excessive memory use on standby device
617865-1	3-Major		Missing health monitor information for FQDN members
605270-5	3-Major		On some platforms the SYN-Cookie status report is not accurate
588929-2	3-Major		SCTP emits 'address conflict detected' log messages during failover
588794-2	3-Major		Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
588771-2	3-Major		SCTP needs traffic-group validation for server-side client alternate addresses
586938-1	3-Major	K57360106	Standby device will respond to the ARP of the SCTP multihoming alternate address
586031-1	3-Major	K40453207	Configuration with LTM policy may fail to load
525580-1	3-Major	K51013874	tmsh load sys config merge file filename.scf base command does not work as expected
685475-3	4-Minor	K93145012	Unexpected error when applying hotfix
680856-3	4-Minor		IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
679135-3	4-Minor		IKEv1 and IKEv2 cannot share common local address in tunnels
678388-3	4-Minor	K00050055	IKEv1 racoon daemon is not restarted when killed multiple times
658298-3	4-Minor		SMB monitor marks node down when file not specified
624484-2	4-Minor	K09023677	Timestamps not available in bash history on non-login interactive shells
573031-1	4-Minor		qkview may not collect certain configuration files in their entirety
720391-1	5-Cosmetic		BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
713491-1	5-Cosmetic		IKEv1 logging shows spi of deleted SA with opposite endianess
651826-2	5-Cosmetic		SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
718071-3	2-Critical		HTTP2 with ASM policy not passing traffic
709334-2	2-Critical		Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-3	2-Critical	K33319853	TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-2	2-Critical		Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707207-2	2-Critical		iRuleLx returning undefined value may cause TMM restart
703914-1	2-Critical		TMM SIGSEGV crash in poolmbr_conn_dec.
686685-1	2-Critical		LTM Policy internal compilation error
683631-1	2-Critical		TMM crashes during stress test
678722-2	2-Critical		In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources
676721-2	2-Critical	K33325265	Missing check for NULL condition causes tmm crash.
674004-1	2-Critical	K34448924	tmm may crash when after deleting pool member in traffic
670804-2	2-Critical	K03163260	Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
656898-2	2-Critical		'oops' 'bad transition' messages occur
613524-3	2-Critical		TMM crash when call HTTP::respond twice in LB_FAILED
598110-1	2-Critical		pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.
586587-1	2-Critical		RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
571651-3	2-Critical		Reset Nitrox3 crypto accelerator queue if it becomes stuck.
440620-2	2-Critical		New connections may be reset when a client reuses the same port as it used for a recently closed connection
713951-3	3-Major		tmm core files produced by nitrox_diag may be missing data
713934-4	3-Major		Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
712475-1	3-Major	K56479945	DNS zones without servers will prevent DNS Express reading zone data
712464-1	3-Major		Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
712437-1	3-Major	K20355559	Records containing hyphens (-) will prevent child zone from loading correctly
711281-3	3-Major		nitrox_diag may run out of space on /shared
707951	3-Major		Stalled mirrored flows on HA next-active when OneConnect is used.
704381-3	3-Major		SSL/TLS handshake failures and terminations are logged at too low a level
703580	3-Major		TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
702151-2	3-Major		HTTP/2 can garble large headers
700889-2	3-Major	K07330445	Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-3	3-Major		Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
700057-3	3-Major		LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
698916-3	3-Major		TMM crash with HTTP/2 under specific condition
698379-3	3-Major	K61238215	HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
693838	3-Major		Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
691806-3	3-Major	K61815412	RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
688553-1	3-Major		SASP GWM monitor may not mark member UP as expected
685615-5	3-Major	K24447043	Incorrect source mac for TCP Reset with vlangroup for host traffic
681757-1	3-Major	K32521651	Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
678872-2	3-Major		Inconsistent behavior for virtual-address and selfip on the same ip-address
677525-3	3-Major		Translucent VLAN group may use unexpected source MAC address
676914-1	3-Major		The SSL Session Cache can grow indefinitely if the traffic group is changed.
676828-2	3-Major	K09012436	Host IPv6 traffic is generated even when ipv6.enabled is false
676355-2	3-Major		DTLS retransmission does not comply with RFC in certain resumed SSL session
675212-3	3-Major		The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication
673052-2	3-Major		On i-Series platforms, HTTP/2 is limited to 10 streams
671337-1	3-Major		NetHSM DNSSEC key creation can attempt to change the SELinux label on a file
668196-2	3-Major		Connection limit continues to be enforced with least-connections and pool member flap, member remains down
668006-1	3-Major	K12015701	Suspended 'after' command leads to assertion if there are multiple pending events
667707-2	3-Major		LTM policy associations with virtual servers are not ConfigSynced correctly
659519-1	3-Major	K42400554	Non-default header-table-size setting on HTTP2 profiles may cause issues
657883-2	3-Major	K34442339	tmm cache resolver should not cache response with TTL=0
657626-2	3-Major		User with role 'Manager' cannot delete/publish LTM policy.
651541-2	3-Major	K83955631	Changes to the HTTP profile do not trigger validation for virtual servers using that profile
636289-2	3-Major		Fixed a memory issue while handling TCP::congestion iRule
633691-4	3-Major		HTTP transaction may not finish gracefully due to TCP connection is closed by RST
624846-1	3-Major		TCP Fast Open does not work for Responses < 1 MSS
604838-1	3-Major		TCP Analytics reports incorrectly reports entities as "Aggregated"
595281-1	3-Major		TCP Analytics reports huge goodput numbers
570277-1	3-Major	K16044231	SafeNet client not able to establish session to all HSMs on all blades.
367226-4	3-Major		Outgoing RIP advertisements may have incorrect source port
251162-3	3-Major	K11564	The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
248914-4	3-Major	K00612197	ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
713533-3	4-Minor		list self-ip with queries does not work
708249-4	4-Minor		nitrox_diag utility generates QKView files with 5 MB maximum file size limit
700433-2	4-Minor	K10870739	Memory leak when attaching an LTM policy to a virtual server
685467-2	4-Minor	K12933087	Certain header manipulations in HTTP profile may result in losing connection.
678801-2	4-Minor		WS::enabled returned empty string
677958-2	4-Minor		WS::frame prepend and WS::frame append do not insert string in the right place.
645729-1	4-Minor		SSL connection is not mirrored if ssl session cache is cleared and resume attempted
639970-3	4-Minor		GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error
627764-2	4-Minor		Prevent sending a 2nd RST for a TCP connection
627695-2	4-Minor		[netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational
621379-2	4-Minor		TCP Lossfilter not enforced after iRule changes TCP settings
618024-2	4-Minor		software switched platforms accept traffic on lacp trunks even when the trunk is down
604272-1	4-Minor		SMTPS profile connections_current stat does not reflect actual connection count.
523814-3	4-Minor		When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
522302-2	4-Minor		TCP Receive Window error messages are inconsistent on UI
495242-3	4-Minor		mcpd log messages: Failed to unpublish LOIPC object

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
713066-3	2-Critical	K10620131	Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-1	2-Critical		DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
706128-1	3-Major		DNSSEC Signed Zone Transfers Can Leak Memory
705503-1	3-Major		Context leaked from iRule DNS lookup
680069-3	3-Major	K81834254	zxfrd core during transfer while network failure and DNS server removed from DNS zone config★
675539-1	3-Major		Inter-system communications targeted at a Management IP address might not work in some cases.
672491-2	3-Major	K10990182	net resolver uses internal IP as source if matching wildcard forwarding virtual server
660263-4	3-Major		DNS transparent cache message and RR set activity counters not incrementing
653775-3	3-Major	K05397641	Ampersand (&) in GTM synchronization group name causes synchronization failure.
643813-2	3-Major		ZoneRunner does not properly process $ORIGIN directives
637227-4	3-Major	K60414305	DNS Validating Resolver produces inconsistent results with DNS64 configurations.
629421-1	3-Major		Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
609527-2	3-Major		DNS cache local zone not properly copying recursion desired (RD) flag in response
602300-1	3-Major		Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
669262-2	4-Minor		[GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
638170-1	4-Minor	K36455356	Pagination broken or missing while viewing pool statistics for GTM wideip
605537-5	4-Minor	K03997964	Error when resetting statistics on GSLB Pool Members

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
639767-2	2-Critical		Policy with Session Awareness Statuses may fail to export
606983-3	2-Critical		ASM errors during policy import
580862-1	2-Critical		Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes
712362-1	3-Major		ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
710327-3	3-Major		Remote logger message is truncated at NULL character.
707888	3-Major		Some ASM operations delayed due to scheduled ASU update
707147-2	3-Major		High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-1	3-Major		False positive illegal multipart violation
704143-2	3-Major		BD memory leak
700726-1	3-Major		Search engine list was updated, and fixing case of multiple entries
691897-1	3-Major		Names of the modified cookies do not appear in the event log
687759-2	3-Major		bd crash
686765-1	3-Major		Database cleaning failure may allow MySQL space to fill the disk entirely
683241-3	3-Major	K70517410	Improve CSRF token handling
674527-1	3-Major		TCL error in ltm log when server closes connection while ASM irules are running
666112-1	3-Major	K53708490	TMM 'DoS Layer 7' memory leak during config load
663396-1	3-Major		URL Method override is enforced incorrectly after upgrade
654996-1	3-Major	K50345236	Closed connections remains in memory
665470-1	4-Minor		Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised
700812-2	5-Cosmetic		asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
716747-4	2-Critical		TMM my crash while processing APM or SWG traffic
715250-2	2-Critical		TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
681850-1	2-Critical		APMD process may fail to initialize on start either after upgrade or after adding certain configurations
671373-2	2-Critical		urldb core seen
632798-2	2-Critical	K30710317	Double-free may occur if Access initialization fails
720695-2	3-Major		Export then import of APM access Profile/Policy with advanced customization is failing
720030-3	3-Major		Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
718208-1	3-Major		Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO
715207-2	3-Major		coapi errors while modifying per-request policy in VPE
714542-1	3-Major		'Always Connected Mode' text is missing in EdgeClient tray
712924	3-Major		In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
712857-1	3-Major		SWG-Explicit rejects large POST bodies during policy evaluation
706374-2	3-Major		Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704524-2	3-Major		[Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
684937-6	3-Major	K26451305	[KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-6	3-Major	K22904904	[KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
658664-3	3-Major	K21390304	VPN connection drops when 'prohibit routing table change' is enabled
609793-1	3-Major		HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.
602429-1	3-Major		DNS suffix is not restored after disconnecting Network Access
543344-3	3-Major		ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
516736-1	3-Major		URLs with backslashes in the path may not be handled correctly in Portal Access

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
703515-5	2-Critical	K44933323	MRF SIP LB - Message corruption when using custom persistence key
698338-2	2-Critical		Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
685708-3	2-Critical		Routing via iRule to a host without providing a transport from a transport-config created connection cores
669739-1	2-Critical	K71963740	Potential core when using MRF SIP with SCTP
659173-1	2-Critical	K76352741	Diameter Message Length Limit Changed from 1024 to 4096 Bytes
700571-2	3-Major		SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-3	3-Major		High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
688942-3	3-Major		ICAP: Chunk parser performs poorly with very large chunk
679114-2	3-Major		Persistence record expires early if an error is returned for a BYE command
674747-2	3-Major	K30837366	sipdb cannot delete custom bidirectional persistence entries.
673814-4	3-Major	K37822302	Custom bidirectional persistence entries are not updated to the session timeout
642298-3	3-Major		Unable to create a bidirectional custom persistence record in MRF SIP
640384-3	3-Major		New iRule options for MR::message route command
620759-4	3-Major		Persist timeout value gets truncated when added to the branch parameter.
632658-4	4-Minor		Enable SIP::persist command to operate during SIP_RESPONSE event
617690-4	4-Minor		enable SIP::respond iRule command to operate during MR_FAILED event

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
677473-1	2-Critical		MCPD core is generated on multiple add/remove of Mgmt-Rules
663770-2	3-Major	K04025134	AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
699531-3	2-Critical		Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-3	2-Critical		TMM core may be seen when using Application reporting with flow filter in PEM
715090	3-Major		PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers
711570-1	3-Major		PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
711093-2	3-Major		PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-1	3-Major		Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-3	3-Major		Increase PEM HSL reporting buffer size to 4K.
648802-3	3-Major		Required custom AVPs are not included in an RAA when reporting an error.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
667662-1	3-Major	K06579313	Autolasthop does not work for PPTP-GRE traffic.

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
625114-2	2-Critical	K08062851	Internal sync-change conflict after update to local users table

Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
708956	1-Blocking	K51206433	During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
696732	2-Critical	K54431534	tmm may crash in a compression provider
697616	3-Major		Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
692239-1	3-Major	K31554905	AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
689730-2	3-Major		Software installations from v13.1.0 might fail★
674455-7	3-Major		Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
680388-2	4-Minor		f5optics should not show function name in non-debug log messages
653759-2	4-Minor		Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
701538-1	2-Critical		SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
662078-1	2-Critical		Occasionally connections are dropped in response to timing errors
694778-2	3-Major		Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-1	3-Major		Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-2	3-Major		Change the default compression strategy to speed
632824-1	3-Major	K00722715	SSL TPS limit can be reached if the system clock is adjusted
495443-10	3-Major	K16621	ECDH negotiation failures logged as critical errors.
679496-1	4-Minor		Add 'comp_req' to the output of 'tmctl compress'

Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
695901-2	CVE-2018-5513	K46940010	TMM may crash when processing ProxySSL data
693312-2	CVE-2018-5518	K03165684	vCMPd may crash when processing bridged network traffic
688516-2	CVE-2018-5518	K03165684	vCMPd may crash when processing bridged network traffic
704580-3	CVE-2018-5549	K05018525	apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
701359-2	CVE-2017-3145	K08613310	BIND vulnerability CVE-2017-3145
688009-5	CVE-2018-5519	K46121888	Appliance Mode TMSH hardening
671497-4	CVE-2017-3142	K59448931	TSIG authentication bypass in AXFR requests
615269-1	CVE-2016-2183	K13167034	CVE-2016-2183: AFM SSH Proxy Vulnerability
603758-1	CVE-2018-5540	K82038789	Big3D security hardening

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
680850-1	3-Major	K48342409	Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
570570-5	3-Major		Default crypto failure action is now 'go-offline-downlinks'.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
711547	1-Blocking		Update cipher support for Common Criteria compliance
708054-3	2-Critical		Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-2	2-Critical		bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
703761-1	2-Critical		Disable DSA keys for public-key and host-based authentication in Common Criteria mode
677937-1	2-Critical	K41517253	APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
673484-1	2-Critical	K85405312	IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
664549-2	2-Critical	K55105132	TMM restart while processing rewrite filter
599423-1	2-Critical	K24584925	merged cores and restarts
583111-1	2-Critical		BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
701626-1	3-Major	K16465222	GUI resets custom Certificate Key Chain in child client SSL profile
686029-1	3-Major		A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
664737-2	3-Major		Do not reboot on ctrl-alt-del
655005-1	3-Major	K23355841	"Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
646890-1	3-Major	K12068427	IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
635703-1	3-Major	K14508857	Interface description may cause some interface level commands to be removed
614486-1	3-Major		BGP community lower bytes of zero is not allowed to be set in route-map
612721-4	3-Major		FIPS: .exp keys cannot be imported when the local source directory contains .key file
609967-2	3-Major	K55424912	qkview missing some HugePage memory data
586412-2	3-Major		BGP peer-group members address-family configuration not saved to configuration
583108-1	3-Major		Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
581101-1	3-Major		non-admin user running list cmd: can't get object count
557155-8	3-Major	K33044393	BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
421797-3	3-Major		ePVA continues to accelerate hardware offloaded traffic in Standby.
651413-2	4-Minor	K34042229	tmsh list ltm node does not return an error when node does not exist
598437-1	4-Minor		SNMP process monitoring is incorrect for tmm and bigd

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
706631	2-Critical		A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-1	2-Critical		The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-2	2-Critical		memory corruption can occur when using certain certificates
701202-1	2-Critical	K35023432	SSL memory corruption
700862-2	2-Critical	K15130240	tmm SIGFPE 'valid node'
700393-2	2-Critical	K53464344	Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
685254-1	2-Critical	K14013100	RAM Cache Exceeding Watchdog Timeout in Header Field Search
678416-2	2-Critical		Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
676028-2	2-Critical	K09689143	SSL forward proxy bypass may fail to release memory used for ssl_hs instances
673951-4	2-Critical	K56466330	Memory leak when using HTTP2 profile
670814-2	2-Critical		Wrong SE Linux label breaks nethsm DNSSEC keys
665185-1	2-Critical	K20994524	SSL handshake reference is not dropped if forward proxy certificate lookup failed
657463-2	2-Critical		SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.
648320-3	2-Critical	K38159538	Downloading via APM tunnels could experience performance downgrade.
647757-2	2-Critical	K96395052	RATE-SHAPER:Fred not properly initialized may halt traffic
613088-3	2-Critical		pkcs11d thread has session initialization problem.
452283-2	2-Critical		An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
705794-1	3-Major		Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
690042-3	3-Major	K43412307	Potential Tcl leak during iRule suspend operation
689449-3	3-Major		Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
687205-3	3-Major		Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686972-1	3-Major		The change of APM log settings will reset the SSL session cache.
686395	3-Major		With DTLS version1, when client hello uses version1.2, handshake shall proceed
683697-3	3-Major	K00647240	SASP monitor may use the same UID for multiple HA device group members
677962-3	3-Major		Invalid use of SETTINGS_MAX_FRAME_SIZE
677457	3-Major	K13036194	HTTP/2 Gateway appends semicolon when a request has one or more cookies
677400-3	3-Major	K82502883	pimd daemon may exit on failover
673399-1	3-Major		HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
665652-2	3-Major	K41193475	Multicast traffic not forwarded to members of VLAN group
664528-1	3-Major	K53282793	SSL record can be larger than maximum fragment size (16384 bytes)
663551-1	3-Major	K14942957	SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
662911-2	3-Major	K93119070	SASP monitor uses same UID for all vCMP guests in a chassis or appliance
654368-7	3-Major	K15732489	ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
654086-3	3-Major		Incorrect handling of HTTP2 data frames larger than minimal frame size
653976-2	3-Major	K00610259	SSL handshake fails if server certificate contains multiple CommonNames
651901-2	3-Major		Removed unnecessary ASSERTs in MPTCP code
640369-2	3-Major		TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
633333-3	3-Major		During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
619844-2	3-Major		Packet leak if reject command is used in FLOW_INIT rule
611691-5	3-Major		Packet payload ignored when DSS option contains DATA_FIN
608991-7	3-Major		BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
605480-4	3-Major		BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
604880-4	3-Major		tmm assert "valid pcb" in tcp.c
604549-7	3-Major		MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
592731-1	3-Major	K34220124	Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
653746-2	4-Minor	K83324551	Unable to display detailed CPU graphs if the number of CPU is too large
569814-2	4-Minor	K30240351	iRule "nexthop IP_ADDR" rejected by validator

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
710424-3	2-Critical		Possible SIGSEGV in GTMD when GTM persistence is enabled.
699135-2	2-Critical		tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
691287-3	2-Critical		tmm crashes on iRule with GTM pool command
682335-3	2-Critical		TMM can establish multiple connections to the same gtmd
699339-1	3-Major	K24634702	Geolocation upgrade files fail to replicate to secondary blades
696808-3	3-Major		Disabling a single pool member removes all GTM persistence records
687128-3	3-Major		gtm::host iRule validation for ipv4 and ipv6 addresses
679149-2	3-Major		TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
663310-3	3-Major		named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
619158-1	3-Major		iRule DNS request with trailing dot times out with empty response
595293-4	3-Major		Deleting GTM links could cause gtm_add to fail on new devices.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679221-1	1-Blocking		APMD may generate core file or appears locked up after APM configuration changed
702278-3	2-Critical		Potential XSS security exposure on APM logon page.
678715-1	2-Critical		Large volume of query result update to SessionDB fails and locks down ApmD
712315-1	3-Major		LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
710211	3-Major		Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
702490-4	3-Major		Windows Credential Reuse feature may not work
702487-1	3-Major		AD/LDAP admins with spaces in names are not supported
700780-4	3-Major		F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
699267-1	3-Major		LDAP Query may fail to resolve nested groups
681415-1	3-Major		Copying of profile with advanced customization or images might fail
675775-2	3-Major		TMM crashes inside dynamic ACL building session db callback
672250-1	3-Major		SessionDB update from ApmD with large volume fails
671149-3	3-Major		Captive portal login page is not rendered until it is refreshed
669459-2	3-Major		Efect of bad connection handle between APMD and memcachd
639283-4	3-Major		Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
569542-1	3-Major		After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
667237-3	4-Minor		Edge Client logs the routing and IP tables repeatedly

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
673463-2	2-Critical	K68275280	SDD v3 symmetric deduplication may start performing poorly after a failover event
685693	3-Major		APM AppTunnels memory leak

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
702738	3-Major	K32181540	Tmm might crash activating new blob when changing firewall rules
528499-3	4-Minor		AFM address lists are not sorted while trying to create a new rule.

Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
706086-1	CVE-2018-5515	K62750376	PAM RADIUS authentication subsystem hardening
704490	CVE-2017-5754	K91229003	CVE-2017-5754 (Meltdown)
704483	CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176	K91229003	CVE-2017-5753 (Spectre Variant 1)

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
467709-1	4-Minor		FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
707226-2	1-Blocking		DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
704804-2	3-Major		The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2	3-Major		NAS-IP-Address is sent with the bytes in reverse order
703869-1	3-Major		Waagent updated to 2.2.21
701249-2	3-Major		RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147	3-Major		Hourly billed cloud images are now pre-licensed
687098	3-Major		IPv6 RADIUS servers not supported for remote authentication
674288-2	3-Major	K62223225	FQDN nodes - monitor attribute doesn't reliably show in GUI
649465-1	3-Major		SELinux warning messages regarding nsm daemon

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
695117	2-Critical	K30081842	bigd cores and sends corrupted MCP messages with many FQDN nodes
668883	2-Critical		FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675	3-Major		FQDN nodes or pool members flap when DNS response received
701609	3-Major		Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2	3-Major		Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1	3-Major		Reduced Issues for Monitors configured with FQDN
671228-1	3-Major		Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3	3-Major	K69205908	FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1	3-Major		FQDN pool members not shown by tmsh show ltm monitor
573302-1	3-Major		FQDN pool member remains in disabled state after removing monitor
571095-1	3-Major		Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
699262-2	5-Cosmetic		FQDN pool member status remains in 'checking' state after full config sync

Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
700556-2	CVE-2018-5504	K11718033	TMM may crash when processing WebSockets data
698080-1	CVE-2018-5503	K54562183	TMM may consume excessive resources when processing with PEM
691504-3	CVE-2018-5503	K54562183	PEM content insertion in a compressed response may cause a crash.
686305-2	CVE-2018-5534	K64552448	TMM may crash while processing SSL forward proxy traffic
677193-2	CVE-2017-6154	K38243073	ASM BD Daemon Crash.
674189	CVE-2016-0718	K52320548	iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
673078-1	CVE-2017-6150	K62712037	TMM may crash when processing FastL4 traffic
670822-3	CVE-2017-6148	K55225440	TMM may crash when processing SOCKS data
668501-2	CVE-2017-6151	K07369970	HTTP2 does not handle some URIs correctly
630446-1	CVE-2016-0718	K52320548	Expat vulnerability CVE-2016-0718
621233-1	CVE-2018-5509	K49440608	FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
699455-3	CVE-2018-5523	K50254952	SAML export does not follow best practices
699346-2	CVE-2018-5524	K53931245	NetHSM capacity reduces when handling errors
694274-2	CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798	K23565223	[RHSA-2017:3195-01] Important: httpd security update - EL6.7
688625-2	CVE-2017-11628	K75543432	PHP Vulnerability CVE-2017-11628
688011-5	CVE-2018-5520	K02043709	Dig utility does not apply best practices
676457-3	CVE-2017-6153	K52167636	TMM may consume excessive resource when processing compressed data
671638-4	CVE-2018-5500	K33211839	TMM crash when load-balancing mptcp traffic
670405-4	CVE-2017-1000366	K20486351	K20486351: glibc vulnerability CVE-2017-1000366:
662850-2	CVE-2015-2716	K50459349	Expat XML library vulnerability CVE-2015-2716
662663-6	CVE-2018-5507	K52521791	Decryption failure Nitrox platforms in vCMP mode
643375-1	CVE-2018-5508	K10329515	TMM may crash when processing compressed data
631204-1	CVE-2018-5521	K23124150	GeoIP lookups incorrectly parse IP addresses
617273-7	CVE-2016-5300	K70938105	Expat XML library vulnerability CVE-2016-5300
593139-9	CVE-2014-9761	K31211252	glibc vulnerability CVE-2014-9761
572272-5	CVE-2018-5506	K65355492	BIG-IP - Anonymous Certificate ID Enumeration
673607-2	CVE-2017-3169	K83043359	Apache CVE-2017-3169
672667-4	CVE-2017-7679	K75429050	CVE-2017-7679: Apache vulnerability
605579-8	CVE-2012-6702	K65460334	iControl-SOAP expat client library is subjected to entropy attack
578983-4	CVE-2015-8778	K51079478	glibc: Integer overflow in hcreate and hcreate_r
684033-1	CVE-2017-9798	K70084351	CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
686389-3	3-Major		APM does not honor per-farm HTML5 client disabling at the View Connection Server
685020-1	3-Major		Enhancement to SessionDB provides timeout
653772-2	3-Major		fastL4 fails to evict flows from the ePVA
639505-3	3-Major		BGP may not send all configured aggregate routes
587107-3	3-Major		Allow iQuery to negotiate up to version TLS1.2

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
667148-1	1-Blocking	K02500042	Config load or upgrade can fail when loading GTM objects from a non-/Common partition
689577-1	2-Critical	K45800333	ospf6d may crash when processing specific LSAs
678833	2-Critical		IPv6 prefix SPDAG causes packet drop
676203-1	2-Critical		Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
667405-2	2-Critical	K61251939	Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404-2	2-Critical	K77576404	Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
651362	2-Critical		eventd crashes during boot
631700-1	2-Critical	K72453283	sod may kill bcm56xxd under heavy load
617733-1	2-Critical		Error message: subscriber id response; Subscription not found
580753-1	2-Critical	K82583534	eventd might core on transition to secondary.
563661-2	2-Critical		Datastor may crash
694696-3	3-Major		On multiblade Viprion, creating a new traffic-group causes the device to go Offline
687658-2	3-Major		Monitor operations in transaction will cause it to stay unchecked
687353-3	3-Major	K35595105	Qkview truncates tmstat snapshot files
682213-3	3-Major	K31623549	TLS v1.2 support in IP reputation daemon
679480-1	3-Major		User able to create node when an ephemeral with the same IP already exists
674320-2	3-Major	K11357182	Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672815-2	3-Major		Incorrect disaggregation on VIPRION B4200 blades
671082-1	3-Major	K85168072	snmpd constantly restarting
669888-2	3-Major		No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669462-1	3-Major		Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
669415-1	3-Major		Flow eviction for hardware-accelerated flow might fail
664894-1	3-Major	K11070206	PEM sessions lost when new blade is inserted in chassis
664057-2	3-Major		Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017-3	3-Major		OCSP may reject valid responses
652968-2	3-Major	K88825548	IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
645723-2	3-Major	K74371937	Dynamic routing update can delete admin ip route from the kernel
632366-1	3-Major		Prevent a spurious Broadcom switch driver failure.
631316	3-Major	K62532020	Unable to load config with client-SSL profile error★
626990-1	3-Major	K64915164	restjavad logs flooded with messages from ChildWrapper
624362-1	3-Major		VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
623803-2	3-Major	K12921801	General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
610122-1	3-Major		Hotfix installation fails: can't create /service/snmpd/run★
598724-1	3-Major		Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
586887-2	3-Major	K25883308	SCTP tmm crash with virtual server destination.
579760-3	3-Major	K55703840	HSL::send may fail to resume after log server pool member goes down/up
471237-2	3-Major	K12155235	BIG-IP VE instances do not work with an encrypted disk in AWS.
699281	4-Minor		Version format of hypervisor bundle matches Version format of ISO
669255-2	4-Minor	K20100613	An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
660239-3	4-Minor		When accessing the dashboard, invalid HTTP headers may be present
655085-2	4-Minor		While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
613275-2	4-Minor	K62581339	SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
601168-1	4-Minor		Incorrect virtual server CPU utilization may be observed.
509980-1	4-Minor		Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
692970-3	2-Critical		Using UDP port 67 for purposes other than DHCP might cause TMM to crash
687603-1	2-Critical	K36243347	tmsh query for dns records may cause tmm to crash
686228-3	2-Critical	K23243525	TMM may crash in some circumstances with VLAN failsafe
682682-3	2-Critical		tmm asserts on a virtual server-to-virtual server connection
681175-1	2-Critical	K32153360	TMM may crash during routing updates
676982-2	2-Critical	K21958352	Active connection count increases over time, long after connections expire
674576-4	2-Critical		Outage may occur with VIP-VIP configurations
665924-1	2-Critical	K24847056	The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665732-2	2-Critical	K45001711	FastHTTP may crash when receiving a fragmented IP packet
664461-3	2-Critical	K16804728	Replacing HTTP payload can cause tmm restart
658989-2	2-Critical		Memory leak when connection terminates in iRule process
639039-4	2-Critical	K33754014	Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
614702-1	2-Critical	K24172560	Race condition when using SSL Orchestrator can cause TMM to core
704073-3	3-Major	K24233427	Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
698000-1	3-Major	K04473510	Connections may stop passing traffic after a route update
689089-3	3-Major		VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
686307-1	3-Major	K10665315	Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-1	3-Major		RESOLV::lookup iRule command can trigger crash with slow resolver
685955	3-Major		TMM hud_message_ctx leak
685110-3	3-Major	K05430133	With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683683-1	3-Major		ASN1::encode returns wrong binary data
682104-1	3-Major		HTTP PSM leaks memory when looking up evasion descriptions
680755-1	3-Major	K27015502	max-request enforcement no longer works outside of OneConnect
673621-2	3-Major		Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
670816-2	3-Major	K44519487	HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
669974-1	3-Major	K90395411	Encoding binary data using ASN1::encode may truncate result
668522-1	3-Major		bigd might try to read from a file descriptor that is not ready for read
668419-1	3-Major	K53322151	ClientHello sent in multiple packets results in TCP connection close
666315	3-Major		Global SNAT sets TTL to 255 instead of decrementing
666160-1	3-Major	K63132146	L7 Policy reconfiguration causes a slow memory leak
665022-1	3-Major		Rateshaper stalls when TSO packet length exceeds max ceiling.
664769-1	3-Major		TMM may restart when using SOCKS profile and an iRule
663821-3	3-Major	K41344010	SNAT Stats may not include port FTP traffic
661881-2	3-Major	K00030614	Memory and performance issues when using certain ASN.1 decoding formats in iRules
659648-2	3-Major		LTM Policy rule name migration doesn't properly handle whitespace
657795-1	3-Major	K51498984	Possible performance impact on some SSL connections
655432-7	3-Major	K85522235	SSL renegotiation failed intermittently with AES-GCM cipher
651681-4	3-Major		Orphaned bigd instances may exist (within multi-process bigd)
651135-4	3-Major	K41685444	LTM Policy error when rule names contain slash (/) character★
645220-2	3-Major		bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
645197-3	3-Major		Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change
640565-1	3-Major	K11564859	Incorrect packet size sent to clone pool member
636149-3	3-Major		Multiple monitor response codes to single monitor probe failure
628721-1	3-Major		In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
627926-1	3-Major	K21211001	Retrieving a server-side SSL session ID in iRules does not work
584865-1	3-Major		Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
582487-2	3-Major	K22210514	'merged.method' set to 'slow_merge,' does not update system stats
574526-1	3-Major	K55542554	HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
573366-4	3-Major		parking command used in the nesting script of clientside and serverside command can cause tmm core
692095-3	4-Minor	K65311501	bigd logs monitor status unknown for FQDN Node/Pool Member
625892-2	4-Minor		Nagle Algorithm Not Fully Enforced with TSO
530877-7	4-Minor	K13887095	TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
692941-3	2-Critical		GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
678861-3	2-Critical		DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
580537-1	2-Critical		The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-4	2-Critical		Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
700527-1	3-Major		cmp-hash change can cause repeated iRule DNS-lookup hang
691498-1	3-Major		Connection failure during iRule DNS lookup can crash TMM
690166-3	3-Major		ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
671326-2	3-Major	K81052338	DNS Cache debug logging might cause tmm to crash.
667469-1	3-Major	K35324588	Higher than expected CPU usage when using DNS Cache
665347-2	3-Major	K17060443	GTM listener object cannot be created via tmsh while in non-Common partition
636853-2	3-Major	K19401488	Under some conditions, a change in the order of GTM topology records does not take effect.
621374-1	3-Major		"abbrev" argument in "whereis" iRule returns nothing
487144-2	3-Major		tmm intermittently reports that it cannot find FIPS key

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
701327-1	2-Critical		failed configuration deletion may cause unwanted bd exit
699720-3	2-Critical		ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-3	2-Critical		Rare BD crash in a specific scenario
684312-2	2-Critical	K54140729	During Apply Policy action, bd agent crashes, causing the machine to go Offline
681109-2	2-Critical	K46212485	BD crash in a specific scenario
679603-2	2-Critical	K15460886	bd core upon request, when profile has sensitive element configured.
678462-2	2-Critical		after chassis failover: asmlogd CPU 100% on secondary
678228-1	2-Critical	K27568142	Repeated Errors in ASM Sync
672301-2	2-Critical		ASM crashes when using a logout object configuration in ASM policy
664708-2	2-Critical		TMM memory leak when DoS profile is attached to VS
662281-2	2-Critical		Inconsistencies in Automatic sync ASM Device Group
637252-1	2-Critical	K73107660	Rest worker becomes unreliable after processing a call that generated an error
633070-1	2-Critical		Sync Inconsistencies when using Autosync ASM Group between Chassis devices
631609-1	2-Critical		ASM Centralized Management Infrastructure Sync issues
614441-4	2-Critical	K04950182	False Positive for illegal method (GET)
611154-1	2-Critical		BD crash
599221-1	2-Critical		ASM Policy cannot be created in non-default partition via the Import Policy Task
576123-3	2-Critical	K23221623	ASM policies are created as inactive policies on the peer device
702946-2	3-Major		Added option to reset staging period for signatures
701841-1	3-Major		Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
700564-2	3-Major		JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700330	3-Major		AJAX blocking page isn't shown when a webpage uses jQuery framework.
700143-1	3-Major		ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
698919-1	3-Major		Anti virus false positive detection on long XML uploads
697303-3	3-Major		BD crash
696265-3	3-Major	K60985582	BD crash
694922-4	3-Major		ASM Auto-Sync Device Group Does Not Sync
691477-1	3-Major		ASM standby unit showing future date and high version count for ASM Device Group
685743-3	3-Major		When changing internal parameter 'request_buffer_size' in large request violations might not be reported
685207-2	3-Major		DoS client side challenge does not encode the Referer header.
683508-3	3-Major	K00152663	WebSockets: umu memory leak of binary frames when remote logger is configured
682612	3-Major		Event Correlation is disabled on vCMP even though all the prerequisites are met.
679384-1	3-Major	K85153939	The policy builder is not getting updates about the newly added signatures.
678293-1	3-Major	K25066531	Uncleaned policy history files cause /var disk exhaustion
676416-2	3-Major		BD restart when switching FTP profiles
675232-3	3-Major		Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674494-1	3-Major	K77993010	BD memory leak on specific configuration and specific traffic
671675-1	3-Major		Centralized Management Infrastructure: asm_config_server restart on device group change
668184-1	3-Major		Huge values are shown in the AVR statistics for ASM violations
668181-2	3-Major		Policy automatic learning mode changes to manual after failover
667922	3-Major	K44692860	Alternative unicode encoding in JSON objects not being parsed correctly
666986-2	3-Major	K50320144	Filter by Support ID is not working in Request Log
663535-1	3-Major		Sending ASM cookies with "secure" attribute even without client-ssl profile
654925-1	3-Major	K25952033	Memory Leak in ASM Sync Listener Process
654873-2	3-Major		ASM Auto-Sync Device Group
619516-1	3-Major		Inconsistencies in Automatic sync ASM Device Group
605982-1	3-Major		Policy settings change during export/import
434821-1	3-Major		Remote logging of staged signatures and staged sets
694073-1	4-Minor		All signature update details are shown in 'View update history from previous BIG-IP versions' popup
655159-1	4-Minor	K84550544	Wrong XML profile name Request Log details for XML violation
625602-3	4-Minor		ASM Auto-Sync Device Group Does Not Sync

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
658343-2	3-Major	K33043439	AVR tcp-analytics: per-host RTT average may show incorrect values
648242	3-Major	K73521040	Administrator users unable to access all partition via TMSH for AVR reports
582029-4	3-Major		AVR might report incorrect statistics when used together with other modules.
682105	4-Minor		Adding widget in Analytics Overview can cause measures list to empty out on Page change
649161-1	4-Minor	K42340304	AVR caching mechanism not working properly

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
693739-3	2-Critical		VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
660711-1	2-Critical	K05265457	MCPd might crash when user trying to import a access policy
649234-3	2-Critical	K64131101	TMM crash from a possible memory corruption.
639929-2	2-Critical		Session variable replace with value containing these characters ' " & < > = may cause tmm crash
632178-1	2-Critical		LDAP Query agent creates only two session variables when required attributes list is empty
703984-2	3-Major		Machine Cert agent improperly matches hostname with CN and SAN
703429-1	3-Major		Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
700783-3	3-Major		Machine certificate check does not check against all FQDN hostnames
692307-1	3-Major		User with 'operator' role may not be able to view some session variables
689826-2	3-Major	K95422068	Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
686282-1	3-Major		APMD intermittently crash when processing access policies
684325-3	3-Major		APMD Memory leak when applying a specific access profile
683389-1	3-Major		Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
682500-1	3-Major		VDI Profile and Storefront Portal Access resource do not work together
680112-1	3-Major	K18131781	SWG-Explicit rejects large POST bodies during policy evaluation
678851-1	3-Major		Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
676690-3	3-Major		Windows Edge Client sometimes crashes when user signs out from Windows
675866-1	3-Major		WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
675399-3	3-Major	K14304639	Network Access does not work when empty variables are assigned for WINS and DNS
674593-1	3-Major		APM configuration snapshot takes a long time to create
674410-3	3-Major	K59281892	AD auth failures due to invalid Kerberos tickets
673748-1	3-Major	K19534801	ng_export, ng_import might leave security.configpassword in invalid state
672868-1	3-Major		Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
672040-3	3-Major		Access Policy Causing Duplicate iRule Event Execution
671597-1	3-Major		Import, export, copy and delete is taking too long on 1000 entries policy
670910-2	3-Major		Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
669510-2	3-Major		When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
669154-1	3-Major	K25342114	Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
668623-5	3-Major	K85991425	macOS Edge client fails to detect correct system language for regions other than USA
668503-3	3-Major		Edge Client fails to reconnect to virtual server after disabling Network Adapter
668129-1	3-Major		BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
666689-1	3-Major		Occasional "profile not found" errors following activate access policy
666058-2	3-Major	K86091857	XenApp 6.5 published icons are not displayed on APM Webtop
665416-3	3-Major	K02016491	Old versions of APM configuration snapshots need to be reaped more aggressively if not used
665330-1	3-Major		MSIE 11 should avoid compatibility mode
664507-3	3-Major		When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
663127-1	3-Major		Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
655364-1	3-Major		Portal access rewriting window.opener causes JS exception
655146-2	3-Major		APM Profile access stats are not updated correctly
654508-2	3-Major		SharePoint MS-OFBA browser window displays Javascript errors
654046-1	3-Major	K22121533	BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
653771-2	3-Major		tmm crash after per-request policy error
653324-3	3-Major	K87979026	On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
651910-2	3-Major		Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
649613-3	3-Major		Multiple UDP/TCP packets packed into one DTLS Record
632646-4	3-Major		APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629921-4	3-Major		[[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.
621682-1	3-Major		Portal Access: problem with specific JavaScript code
616104-2	3-Major		VMware View connections to pool hit matching BIG-IP virtuals
613373-2	3-Major		Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
610582-2	3-Major		Device Guard prevents Edge Client connections
601420-3	3-Major		Possible SAML authentication loop with IE and multi-domain SSO.
596083-1	3-Major		Error running custom APM Reports with "session creation time" on Viprion Platform
590992-3	3-Major		If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
578413-1	3-Major		Missing reference to customization-group from connectivity profile if created via portal access wizard
575444-1	3-Major		Wininfo agent incorrectly reports OS version on Windows 10 in some cases
563135-3	3-Major		SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
466068-1	3-Major		Allow setting of the AAA Radius server timeout value larger than 60 seconds
447565-5	3-Major	K33692321	Renewing machine-account password does not update the serviceId for associated ntlm-auth.
691017-1	4-Minor		Preventing ng_export hangs
684414-1	4-Minor		Retrieving too many groups is causing out of memory errors in TMUI and VPE
673717-1	4-Minor		VPE loading times can be very long
671627-1	4-Minor	K06424790	HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
667304-1	4-Minor	K68108551	Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
561892-2	4-Minor	K08121752	Kerberos cache is not cleared when Administrator password is changed in AAA AD Server

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
662844	2-Critical	K87735013	TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
643785-3	2-Critical		diadb crashes if it cannot find pool name
699431	3-Major		Possible memory leak in MRF under low memory

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
456376-4	1-Blocking	K53153545	BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
671052-3	2-Critical	K50324413	AFM NAT security RST the traffic with (FW NAT) dst_trans failed
644822-2	2-Critical	K19245372	FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
564058-1	2-Critical	K91467162	AutoDoS daemon aborts intermittently after it's being up for several days
620543-1	3-Major		Security Address Lists and Port Lists can't change Description field

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
696383-2	2-Critical		PEM Diameter incomplete flow crashes when sweeped
694717-3	2-Critical		Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-3	2-Critical	K23164003	TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-2	3-Major		PEM Diameter incomplete flow crashes when TCL resumed
695968-3	3-Major		Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-3	3-Major		CCA without a request type AVP cannot be tracked in PEM.
694318-3	3-Major		PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-3	3-Major		PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-2	3-Major		Potential memory leak if PEM Diameter sessions are not created successfully.
678714-3	3-Major		After HA failover, subscriber data has stale session ID information
660187-3	3-Major		TMM core after intra-chassis failover for some instances of subscriber creation
642068-1	3-Major		PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
638594-3	3-Major		TMM crash when handling unknown Gx messages.
627616-3	3-Major		CCR-U missing upon VALIDITY TIMER expiry when quota is zero
624231-5	3-Major		No flow control when using content-insertion with compression
680729-3	4-Minor	K64307999	DHCP Trace log incorrectly marked as an Error log.
678822-3	4-Minor		Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
663333-1	2-Critical		TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high
615432-1	2-Critical		Multiple TFTP data transfers cannot be initiated in a single session
663974-2	3-Major		TMM crash when using LSN inbound connections

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
692123-2	3-Major		GET parameter is grayed out if MobileSafe is not licensed
667892-2	3-Major		FPS: BLFN inheritance won't take effect until GUI refresh

Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
681710-4	CVE-2017-6155	K10930474	Malformed HTTP/2 requests may cause TMM to crash
673595-2	CVE-2017-3167 CVE-2017-3169	K34125394	Apache CVE-2017-3167
648786-5	CVE-2017-6169	K31404801	TMM crashes when categorizing long URLs

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
673129	3-Major	K41458656	New feature: revoke license

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
682837	1-Blocking		Compression watchdog period too brief.
675921	1-Blocking		Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
696468	2-Critical		Active compression requests can become starved from too many queued requests.
667173	2-Critical		13.1.0 cannot join a device group with 13.1.0.1
665656-1	2-Critical		BWC with iSession may memory leak
663366-3	2-Critical		SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1	2-Critical	K91988084	restjavad spawns too many icrd_child instances
683114-1	3-Major		Need support for 4th element version in Update Check
679959-1	3-Major		Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2	3-Major	K03433341	MCP memory leak when performing incremental ConfigSync
669288-3	3-Major	K76152943	Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2	3-Major		High Speed Logging unbalance in log distribution for multiple pool destination.
668048-1	3-Major	K02551403	TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2	3-Major		Disabling pool member used in busy HSL TCP destination can result service disruption.
659057-1	3-Major		BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2	3-Major	K51355172	When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
652691-1	3-Major		Installation fails if only .iso.384.sig (new format signature file) is present★
652689-2	3-Major	K14243280	Displaying 100G interfaces
642952	3-Major		platform_check doesn't run PCI check on i11800
640636-3	3-Major		F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1	3-Major		Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1	3-Major		BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1	3-Major		Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1	3-Major	K21551422	Unix daemon configuration may lost or not be updated upon reboot
674515	4-Minor		New revoke license feature for VE only implemented
663580-1	4-Minor	K31981624	logrotate does not automatically run when /var/log reaches 90% usage
644723-1	4-Minor		cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1	4-Minor		Multicast Out stats always zero for management interface.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
689080	2-Critical		Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value
463097-3	3-Major		Clock advanced messages with large amount of data maintained in DNS Express zones

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
672504-1	2-Critical	K52325625	Deleting zones from large databases can take excessive amounts of time.
614788-1	2-Critical		zxfrd crash due to lack of disk space
655233-1	3-Major	K93338593	DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1	3-Major	K57853542	DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2	3-Major	K70543226	zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2	3-Major	K32401561	A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1	4-Minor		Improved default storage size for DNS Express database

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
652796-1	1-Blocking		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1	2-Critical		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2	3-Major	K24756214	Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3	3-Major	K31757417	Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679440-2	2-Critical	K14120433	MCPD Cores with SIGABRT
591828-4	3-Major	K52750813	For unmatched connection, TCP RST may not be sent for data packet

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
668252-2	2-Critical	K22784428	TMM crash in PEM_DIAMETER component
628311-3	2-Critical	K87863112	Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2	3-Major		Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686-2	3-Major		Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673683-2	3-Major		Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678-2	3-Major		Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472-2	3-Major		After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4	3-Major		TMM crash due to PEM usage reporting after a CMP state change.
634015-3	3-Major	K49315364	Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2	3-Major		Gy CCR-i requests are not being re-sent after initial configured re-transmits

Cumulative fixes from BIG-IP v12.1.3 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
687193-1	CVE-2018-5533	K45325728	TMM may leak memory when processing SSL Forward Proxy traffic
684879-2	CVE-2017-6164	K02714910	TMM may crash while processing TLS traffic
662022-5	CVE-2017-6138	K34514540	The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3	CVE-2017-6132	K12044607	A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880	CVE-2017-6214	K81211720	Kernel Vulnerability: CVE-2017-6214
652539	CVE-2016-0634 CVE-2016-7543 CVE-2016-9401	K73705133	Multiple Bash Vulnerabilities
652516	CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576	K31603170	Multiple Linux Kernel Vulnerabilities
651221-2	CVE-2017-6133	K25033460	Parsing certain URIs may cause the TMM to produce a core file.
650286-2	CVE-2017-6167	K24465120	REST asynchronous tasks permissions issues
650059-1	CVE-2017-6129	K20087443	TMM may crash when processing VPN traffic
649907-2	CVE-2017-3137	K30164784	BIND vulnerability CVE-2017-3137
649904-2	CVE-2017-3136	K23598445	BIND vulnerability CVE-2017-3136
644904-5	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486	K55129614	tcpdump 4.9
644693-3	CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241	K15518610	Fix for multiple CVE for openjdk-1.7.0
638556-2	CVE-2016-10045	K73926196	PHP Vulnerability: CVE-2016-10045
634779-1	CVE-2017-6147	K43945001	TMM may crash will processing SSL Forward Proxy traffic
625860-2	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6	CVE-2017-0301	K54358225	Portal Access: Requests handled incorrectly
659791-2	CVE-2017-6136	K81137982	TFO and TLP could produce a core file under specific circumstances
655059-3	CVE-2017-6134	K37404773	TMM Crash
653224-1	CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337	K59836191	Multiple GnuTLS Vulnerabilities
653217-2	CVE-2016-2125 CVE-2016-2126	K03644631	Multiple Samba Vulnerabilities
645480-3	CVE-2017-6139	K45432295	Unexpected APM response
645101-2	CVE-2017-3731, CVE-2017-3732	K44512851	OpenSSL vulnerability CVE-2017-3732
642659-2	CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540	K34527393	Multiple LibTIFF Vulnerabilities
640768	CVE-2016-10088 CVE-2016-9576	K05513373	Kernel vulnerability: CVE-2016-10088
639729-2	CVE-2017-0304	K39428424	Request validation failure in AFM UI Policy Editor
637666-2	CVE-2016-10033	K74977440	PHP Vulnerability: CVE-2016-10033
635314-5	CVE-2016-1248	K22183127	vim Vulnerability: CVE-2016-1248
622178-1	CVE-2017-6158	K19361245	Improve flow handling when Autolasthop is disabled
597176-1	CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE	K01837042	Multiple Wireshark (tshark) vulnerabilities
583678-1	CVE-2016-3115	K93532943	SSHD session.c vulnerability CVE-2016-3115
582773-5	CVE-2018-5532	K48224824	DNS server for child zone can continue to resolve domain names after revoked from parent
567233-1	CVE-2015-5252, CVE-2015-5296, CVE-2015-5299	K92616530	Multiple samba vulnerabilities
353229-2	CVE-2018-5522	K54130510	Buffer overflows in DIAMETER
656912-4	CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458	K32262483	Various NTP vulnerabilities
632875-3	CVE-2018-5516	K37442533	Non-Administrator TMSH users no longer allowed to run dig
615226-5	CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300	K13074505	Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2	CVE-2015-8325	K20911042	OpenSSH vulnerability CVE-2015-8325
655021-2	CVE-2017-3138	K23598445	BIND vulnerability CVE-2017-3138
652638-2	CVE-2016-10167	K23731034	php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
627203-1	CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597	K63427774	Multiple Oracle Java SE vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
654549-1	2-Critical		PVA support for uncommon protocols DoS vector
653729-2	2-Critical		Support IP Uncommon Protocol
653234	2-Critical		Many objects must be reconfigured before use when loading a UCS from another device.★
652094-2	2-Critical	K49190243	Improve traffic disaggregation for uncommon IP protocols
643210-2	2-Critical	K45444280	Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2	2-Critical		ARP and NDP packets should be CoS marked by the swtich on ingress
663521-2	3-Major		Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3	3-Major		IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2	3-Major		ARP and NDP packets should be QoS/DSCP marked on egress
610710-2	3-Major		Pass IP TOS bits from incoming connection to outgoing connection
584545-2	3-Major		Failure to stabilize internal HiGig link will not trigger failover event
567177-1	4-Minor		Log all attempts of key export in ltm log
650074-1	5-Cosmetic		Changed Format of RAM Cache REST Status output.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
642703-2	1-Blocking		Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
619097	1-Blocking		iControl REST slow performace on GET request for virtual servers
539093-1	1-Blocking	K26104530	VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878	2-Critical		High crypto request completion time under some workload patterns
666790-2	2-Critical	K06619044	Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2	2-Critical	K31190471	Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2	2-Critical	K61847644	An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2	2-Critical	K06245820	Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5	2-Critical		bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1	2-Critical		fsck should not run during first boot on public clouds
638997-2	2-Critical		Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5	2-Critical		Pending sector utility may write repaired sector incorrectly
624826-2	2-Critical	K36404710	mgmt bridge takes HWADDR of guest vm's tap interface
613415-2	2-Critical	K22750357	Memory leak in ospfd when distribute-list is used
609335-1	2-Critical		IPsec tmm devbuf memory leak.
604011-1	2-Critical		Sync fails when iRule or policy is in use★
595783	2-Critical		Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1	2-Critical		userDefined property for bot signatures is not shown in REST
579210-3	2-Critical	K11418051	VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10	2-Critical	K16209	Disabling interface keeps DISABLED state even after enabling
412817-3	2-Critical		BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1	3-Major		Accessing SNMP over IPv6 on non-default route domains
669818-2	3-Major	K64537114	Higher CPU usage for syslog-ng when a syslog server is down
667278-3	3-Major		DSC connections between BIG-IP units may fail to establish
667138-1	3-Major		LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
664829-1	3-Major		BIG-IP sometimes performs unnecessary reboot on first boot
662331-1	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2	3-Major	K53762147	It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2	3-Major	K21050223	Cannot specify the event parameter for redirects on the policy rule screen.
655671-1	3-Major		Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2	3-Major	K88627152	BGP last update timer incorrectly resets to 0
654011-2	3-Major	K33210520	Pool member's health monitors set to Member Specific does not display the active monitors
651155-1	3-Major		HSB continually logs 'loopback ring 0 tx not active'
650349	3-Major	K50168519	Creation or reconfiguration of iApps fails if high speed logging is configured
650002-1	3-Major		tzdata bug fix and enhancement update
649949-1	3-Major		Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
647988-3	3-Major	K15331432	HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2	3-Major		MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6	3-Major		Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1	3-Major		Extracting SSD from system leads to Emergency LCD alert★
644184-4	3-Major	K36427438	ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294	3-Major		IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
643121-1	3-Major		Failed installation volumes cannot be deleted in the GUI.
643013	3-Major		DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3	3-Major	K23241518	tmrouted may continually restart after upgrade, adding or renaming an interface★
642314-2	3-Major	K24276198	CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
638825-2	3-Major		SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1	3-Major		Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1	3-Major	K16918340	IKEv1 phase 2 SAs not deleted
631866-2	3-Major	K12402013	Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4	3-Major	K54071336	GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3	3-Major		Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5	3-Major		cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
622619-5	3-Major		BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1	3-Major		VCMP guests may incorrectly obtain incorrect MAC addresses
621259-3	3-Major		Config save takes long time if there is a large number of data groups
619060	3-Major		Reduction in boot time in BIG-IP Virtual Edition platforms
612752-1	3-Major		UCS load or upgrade may fail under certain conditions.★
610442-2	3-Major	K75051412	vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
607961-1	3-Major		Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1	3-Major		Installing a new version changes the ownership of administrative users' files★
601709-2	3-Major	K02314881	I2C error recovery for BIG-IP 4340N/4300 blades
590938-3	3-Major		The CMI rsync daemon may fail to start
583475-1	3-Major		The BIG-IP may core while recompiling LTM policies
577474-3	3-Major	K35208043	Users with auditor role are unable to use tmsh list sys crypto cert
569100-1	3-Major		Virtual server using NTLM profile results in benign Tcl error
544906-2	3-Major	K07388310	Issues when using remote authentication when users have different partition access on different devices
507240-4	3-Major	K13811263	ICMP traffic cannot be disaggregated based on IP addresses
480983-4	3-Major		tmrouted daemon may core due to daemon_heartbeat
471029-2	3-Major		If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1	4-Minor		Blade family migration may fail
655314	4-Minor		When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
653225-1	4-Minor		coreutils security and bug fix update
645717	4-Minor		UCS load does not set directory owner
644975-4	4-Minor	K09554025	/var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1	4-Minor	K42882011	TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3	4-Minor		Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2	4-Minor		Cisco ethernet NIC driver
530927-8	4-Minor		Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6	4-Minor	K07298903	tmsh sys log filter is displayed in UTC time
527720-1	4-Minor		Rare 'No LopCmd reply match found' error in getLopReg
448409-1	4-Minor	K15491	'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596	5-Cosmetic		Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670011-2	1-Blocking		SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1	1-Blocking	K58146172	Connections can stall with TCP::collect iRule
659899-1	2-Critical	K10589537	Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5	2-Critical	K05052273	Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1	2-Critical		TCP analytics does not release resources under specific sequence of packets
655211-1	2-Critical		bigd crash (SIGSEGV) when running FQDN node monitors
650317-3	2-Critical		The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4	2-Critical		tmm core in iRule with unreachable remote address
648037-2	2-Critical		LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2	2-Critical	K43005132	HA standby virtual server with non-default lasthop settings may crash.
646604-5	2-Critical	K21005334	Client connection may hang when NTLM and OneConnect profiles used together
645663	2-Critical		Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2	2-Critical	K56150996	Permanent connections may be expired when endpoint becomes unreachable
643631	2-Critical	K70938130	Serverside connections on virtual servers using VDI may become zombies.
635274-1	2-Critical	K21514205	SSL::sessionid command may return invalid values
634265-2	2-Critical	K34688632	Using route pools whose members aren't directly connected may crash the TMM.
632552-2	2-Critical	K08634156	tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1	2-Critical	K42206046	Incorrect initial size of connection flow-control window
611704-5	2-Critical		tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1	2-Critical		tmrouted may crash when being restarted in debug mode
604926-3	2-Critical	K50041125	The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2	2-Critical		pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3	2-Critical	K32784801	tmm core on out of memory
583355-1	2-Critical		The TMM may crash when changing profiles associated with plugins
566071-5	2-Critical		network-HSM may not be operational on secondary slots of a standby chassis.
559030-1	2-Critical	K65244513	TMM may core during ILX RPC activity if a connflow closes before the RPC returns
677119	3-Major		HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
676471-1	3-Major		Insufficient space for core files on i11x00-series platforms
672008-1	3-Major	K22122208	NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2	3-Major		Possible uneven ephemeral port reuse.
669025-1	3-Major	K11425420	Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2	3-Major		Bigd might stall while waiting for an external monitor process to exit
666032-3	3-Major	K05145506	Secure renegotiation is set while data is not available.
663326-2	3-Major		Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2	3-Major	K10443875	L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1	3-Major		iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2	3-Major	K20228504	TCP connection fail intermittently for mirrored fastl4 virtual server
655793-1	3-Major	K04178391	SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2	3-Major	K01102467	Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2	3-Major		Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1	3-Major	K54443700	HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2	3-Major	K87541959	SAN with uppercase names result in case-sensitive match or will not match
651651-3	3-Major	K54604320	bigd can crash when a DNS response does not match the expected value
650292-2	3-Major		DNS transparent cache can return non-recursive results for recursive queries
650152-1	3-Major		Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5	3-Major	K01102467	Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137	3-Major		bigd/tmm con vCMP guests
646443-1	3-Major	K54432535	Ephemeral Node may be errantly created in bigd, causing crash
645058-3	3-Major		Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3	3-Major	K85772089	Removing pool from virtual server does not update its status
644873-2	3-Major	K97237310	ssldump can fail to decrypt captures with certain TCP segmenting
644851-2	3-Major		Websockets closes connection on receiving a close frame from one of the peers
644418-2	3-Major		Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2	3-Major	K27629542	LTM policies with more than one IP address in TCP address match may fail
643582-2	3-Major		Config load with large ssl profile configuration may cause tmm restart
641491-2	3-Major	K37551222	TMM core while running iRule LB::status pool poolname member ip port
640376-3	3-Major	K46452834	STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3	3-Major	K77010072	Multiple Diameter monitors to same server ip/port may race on PID file
632001-1	3-Major		For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1	3-Major		After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6	3-Major	K65283203	tmm may be killed by sod when a hardware accelerator does not work
624805-1	3-Major		ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3	3-Major		SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622017-8	3-Major	K54106058	Performance graph data may become permanently lost after corruption.
621736-6	3-Major	K00323105	statsd does not handle SIGCHLD properly in all cases
620788-1	3-Major	K05232247	FQDN pool created with existing FQDN node has RED status
618161-1	3-Major		SSL handshake fails when clientssl uses softcard-protected key-certs.
618121	3-Major		"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
607246-10	3-Major		Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2	3-Major		Policy unable to match initial path segment when request-URI starts with "//"
602040-3	3-Major		Truncated support ID for HTTP protocol security logging profile
600614-5	3-Major		External crypto offload fails when SSL connection is renegotiated
596433-3	3-Major		Virtual with lasthop configured rejects request with no route to client.
596242-1	3-Major	K17065223	[zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595275-5	3-Major		Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4	3-Major		Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5	3-Major		SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5	3-Major	K98547701	Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1	3-Major		SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4	3-Major		[DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7	3-Major		Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1	3-Major		QinQ tag-mode can be set on unsupported platforms
668802-3	4-Minor	K83392557	GTM link graphs fail to display in the GUI
667318-3	4-Minor		BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1	4-Minor		TMM may core when running two simultaneous WebSocket collect commands
578415-2	4-Minor		Support for hardware accelerated bulk crypto SHA256 missing
513288-7	4-Minor		Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2	4-Minor		DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
620903-1	2-Critical		Decreased performance of ICMP attack mitigation.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
636541-3	1-Blocking		DNS Rapid Response filters large datagrams
667028-1	2-Critical		DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2	2-Critical		Crash related to GTM monitors with long RECV strings
663073-1	3-Major		GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1	3-Major	K81210772	GSLB Pool Member Manage page display issues and error message
655807-5	3-Major	K40341291	With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2	3-Major		Provide the ability to globally specifiy a DSCP value.
654599-1	3-Major	K74132601	The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2	3-Major		GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2	3-Major		sync_zones script increasingly consumes memory when there is network connectivity failure
626141-3	3-Major		DNSX Performance Graphs are not displaying Requests/sec"
615222-1	3-Major	K79580892	GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★
605260-1	3-Major		[GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
659969-1	4-Minor		tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3	4-Minor		Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1	4-Minor		Pagination controls missing for GSLB pool members

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
653014-1	2-Critical		Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name
652200-1	2-Critical	K81349220	Failure to update ASM enforcer about account change.
651001-1	2-Critical		massive prints in tmm log: "could not find conf for profile crc"
638629-2	2-Critical		Bot can be classified as human
619110-1	2-Critical		Slow to delete URLs, CPU spikes with Automatic Policy Builder
672695-1	3-Major		Internal perl process listening on all interfaces when ASM enabled
665905	3-Major	K83305000	Signature System corruption from specific ASU prevents ASU load after upgrade
664930-2	3-Major		Policy automatic learning mode changes to manual after failover
655617-1	3-Major	K36442669	Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
650081-1	3-Major	K53010710	Proactive Bot Defense JavaScript challenges may introduce high latencies and cause some browsers to display a blank page.
648617	3-Major	K23432927	JavaScript challenge repeating in loop when URL has path parameters
644855-2	3-Major		irules with commands which may suspend processing cannot be used with proactive bot defense
631444-2	3-Major		Bot Name for ASM Search Engines is case sensitive
630356-1	3-Major		JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
628351-1	3-Major		Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
618656-2	3-Major		JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
606521-1	3-Major		Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
605616-1	3-Major		Creating 256 Fundamental Security policies will result in an out of memory error
602975-1	3-Major		Unable to update the HTTP URL's "Header-Based Content Profiles" values
596685-1	3-Major	K76841626	Request Log failure on request with XML format violation
595900-4	3-Major	K11833633	Cookie Signature overrides may be ignored after Signature Update
563727-1	3-Major		Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
534247-1	3-Major		Issue a Body in Get sub violation for GET request with content type header
519612-1	3-Major		JavaScript challenge fails when coming within iframe with different domain than main page

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
604191-1	2-Critical		AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★
629573-1	3-Major	K66001885	No drill-down filter for virtual-servers is mentioned on exported reports when using partition
603875-2	3-Major		The statistic ASM memory Utilization - bd swap size: stats are wrong
601536-1	3-Major		Analytics load error stops load of configuration★
639395-2	4-Minor	K91614278	AVR does not display 'Max read latency' units.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
647108-1	1-Blocking		Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
679235-5	2-Critical		Inspection Host NPAPI Plugin for Safari can not be installed
669341	2-Critical		Category Lookup by Subject.CN will result in a reset
666454-2	2-Critical	K05520115	Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
663506-7	2-Critical	K30533350	apmd crash during ldap cache initialization
652004-2	2-Critical	K45320415	Show /apm access-info all-properties causes memory leaks in tmm
662639-2	3-Major		Policy Sync fails when policy object include FIPS key
659371-2	3-Major	K54310201	apmd crashes executing iRule policy evaluate
658852-5	3-Major		Empty User-Agent in iSessions requests from APM client on Windows
654513-6	3-Major	K11003951	APM daemon crashes when the LDAP query agent returns empty in its search results.
649929-1	3-Major		saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
648053-1	3-Major	K94477320	Rewrite plugin may crash on some JavaScript files
646928-1	3-Major		Landing URI incorrect when changing URI
645684-2	3-Major		Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
618957-1	3-Major		Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
601919-2	3-Major		Custom categories and custom url filter assignment must be specific to partition instead of global lookup
583272-2	3-Major		"Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
580567-1	3-Major		LDAP Query agent failed to resolve nested group membership
551795-1	3-Major		Portal Access: corrections to CORS support for XMLHttpRequest
550547-2	3-Major		URL including a "token" query fails results in a connection reset

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
664535-1	2-Critical		Diameter failure: load balancing fails when all pool members use same IP Address
640407-1	2-Critical		Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
568545-2	2-Critical	K17124802	iRules commands that refer to a transport-config will fail validation
559953-1	2-Critical		tmm core on long DIAMETER::host value
662364-2	3-Major		MRF DIAMETER: IP ToS not passing through with DIAMETER
644946-2	3-Major	K05053251	Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation
644565-1	3-Major		MRF Message metadata lost when routing message to a connection on a different TMM
634078-2	3-Major		MRF: Routing using a virtual with SNAT set to none may select a source port of zero
624155-2	3-Major		MRF Per-Client mode connections unable to return responses if used by another client connection
620929-4	3-Major		New iRule command, MR::ignore_peer_port
651640-3	4-Minor		queue full dropped messages incorrectly counted as responses

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670400-3	2-Critical		SSH Proxy public key authentication can be circumvented in some cases
655470	2-Critical	K79924625	IP Intelligence logging publisher removal can cause tmm crash
618902-4	3-Major		PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
658261-2	2-Critical	K12253471	TMM core after HA during GY reporting
658148-2	2-Critical	K23150504	TMM core after intra-chassis failover for some instances of subscriber creation
657632-4	2-Critical		Rarely if a subscriber delete is performed following HA switchover, tmm may crash
653285-1	2-Critical		PEM rule deletion with HSL reporting may cause tmm coredump
652973-2	2-Critical		Coredump observed at system bootup time when many DHCP packets arrive
650422-2	2-Critical		TMM core after a switchover involving GY quota reporting
659567-1	3-Major	K94685557	iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-3	3-Major		PEM:sessions iRule made the order of parameters strict
635257-2	3-Major	K41151808	Inconsistencies in Gx usage record creation.
623037-2	3-Major		delete of pem session attribute does not work after a update

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
676808-2	2-Critical		FPS: tmm may crash on response with large payload from server
669364-1	2-Critical		TMM core when server responds fast with server responses such as 404.
669359	2-Critical		WebSafe might cause connections to hang
674931	3-Major		FPS modified responses/injections might result in a corrupted response
674909-3	3-Major		Application CSS injection might not work as expected when connection is congested
667872-1	3-Major		Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
658321-2	3-Major		Websafe features might break in IE8
657502-2	3-Major		JS error when leaving page opened for several minutes
644694	3-Major		FPS security update check ends up with an empty page when error occurs.
618185-1	3-Major		Mismatch in URL CRC32 calculation
643602-2	4-Minor		'Select All' checkbox selects items on hidden pages

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
605123-1	2-Critical		IAppLX objects fail to sync after establishing HA in auto-sync mode★

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
606316-4	1-Blocking		HTTPS request to F5 licensing server fails
665778-1	2-Critical	K34503519	Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
599424-2	2-Critical		iApps LX fails to sync★
632060-1	4-Minor		restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
693211-3	CVE-2017-6168, CVE-2020-5929	K21905460	CVE-2017-6168

Functional Change Fixes

None


TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
664063-1	2-Critical	K03203976	Azure displays failure for deployment of BIG-IP from a Resource Manager template

Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
652151-1	CVE-2017-6131	K61757346	Azure VE: Initialization improvement
623885-4	CVE-2016-9251	K41107914	Internal authentication improvements
621371-2	CVE-2016-9257	K43523962	Output Errors in APM Event Log
648865-2	CVE-2017-6074	K82508682	Linux kernel vulnerability: CVE-2017-6074
643187-2	CVE-2017-3135	K80533167	BIND vulnerability CVE-2017-3135
641445-1	CVE-2017-6145	K22317030	iControl improvements
641360-2	CVE-2017-0303	K30201296	SOCKS proxy protocol error
641256-1	CVE-2016-9257	K43523962	APM access reports display error
636702-3	CVE-2016-9444	K40181790	BIND vulnerability CVE-2016-9444
636699-5	CVE-2016-9131	K86272821	BIND vulnerability CVE-2016-9131
631582	CVE-2016-9250	K55792317	Administrative interface enhancement
630475-5	CVE-2017-6162	K13421245	TMM Crash
628836-4	CVE-2016-9245	K22216037	TMM crash during request normalization
624570-1	CVE-2016-8864	K35322517	BIND vulnerability CVE-2016-8864
624526-3	CVE-2017-6159	K10002335	TMM core in mptcp
624457-5	CVE-2016-5195	K10558632	Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
623093-1	CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320	K38871451	TIFF vulnerability CVE-2015-7554
620400-1	CVE-2017-6141	K21154730	TMM crash during TLS processing
610255-1	CVE-2017-6161	K62279530	CMI improvement
596340-8	CVE-2016-9244	K05121675	F5 TLS vulnerability CVE-2016-9244
580026-5	CVE-2017-6165	K74759095	HSM logging error
648879-2	CVE-2016-6136 CVE-2016-9555	K90803619	Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2	CVE-2017-0302	K87141725	APM crash
638137	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828	K51201255	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
635412	CVE-2017-6137	K82851041	Invalid mss with fast flow forwarding and software syn cookies
635252-1	CVE-2016-9256	K47284724	CVE-2016-9256
631688-7	CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433	K55405388 K87922456 K63326092 K51444934 K80996302	Multiple NTP vulnerabilities
630150-1	CVE-2016-9253	K51351360	Websockets processing error
627916-1	CVE-2017-6144	K81601350	Improve cURL Usage
627907-1	CVE-2017-6143	K11464209	Improve cURL usage
627747-1	CVE-2017-6142	K20682450	Improve cURL Usage
625372-5	CVE-2016-2179	K23512141	OpenSSL vulnerability CVE-2016-2179
623119	CVE-2016-4470	K55672042	Linux kernel vulnerability CVE-2016-4470
622496	CVE-2016-5829	K28056114	Linux kernel vulnerability CVE-2016-5829
622126-1	CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127	K54308010	PHP vulnerability CVE-2016-7124
621337-6	CVE-2016-7469	K97285349	XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
615267-2	CVE-2016-2183	K13167034	OpenSSL vulnerability CVE-2016-2183
613225-7	CVE-2016-2180, CVE-2016-6306, CVE-2016-6302	K90492697	OpenSSL vulnerability CVE-2016-6306
606710-10	CVE-2016-2834 CVE-2016-5285 CVE-2016-8635	K15479471	Mozilla NSS vulnerability CVE-2016-2834
605420-5	CVE-2016-5387, CVE-2007-6750	K80513384	httpd security update - CVE-2016-5387
600232-9	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
600223-2	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
599858-7	CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240	K68785753	ImageMagick vulnerability CVE-2015-8898
635933-3	CVE-2004-0790	K23440942	The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4	CVE-2016-6161	K71581599	libgd vulnerability CVE-2016-6161
622662-7	CVE-2016-6306	K90492697	OpenSSL vulnerability CVE-2016-6306
617901-1	CVE-2018-5525	K00363258	GUI to handle file path manipulation to prevent GUI instability.
609691-1	CVE-2014-4617	K21284031	GnuPG vulnerability CVE-2014-4617
600205-9	CVE-2016-2178	K53084033	OpenSSL Vulnerability: CVE-2016-2178
600198-2	CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216	K53084033	OpenSSL vulnerability CVE-2016-2178
599285-2	CVE-2016-5094 CVE-2016-5095 CVE-2016-5096	K51390683	PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10	CVE-2016-2178	K53084033	OpenSSL vulnerability CVE-2016-2178
621937-1	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
621935-6	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
606771-2	CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297	K35799130	Multiple PHP vulnerabilities
601268-5	CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094	K43267483	PHP vulnerability CVE-2016-5766

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
653453	2-Critical		ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
628972-2	2-Critical		BMC version 2.51.7 for iSeries appliances
624831-2	2-Critical		BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1	2-Critical		BMC version 2.50.3 for iSeries appliances
633723-3	3-Major		New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1	3-Major		GUI Error trying to modify IP Data-Group
609614-3	3-Major		Yafuflash 4.25 for iSeries appliances
597797-4	3-Major	K78449695	Allow users to disable enforcement of RFC 7507 Fallback SCSV
584471-1	3-Major	K34343741	Priority order of clientssl profile selection of virtual server.
581840-5	3-Major	K46576869	Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
564876-2	3-Major		New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2	4-Minor	K03808942	Max number of chunks not configurable above 1000 chunks
597270-2	4-Minor		tcpdump support missing for VXLAN-GPE NSH

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
655500	1-Blocking		Rekey SSH sessions after one hour
642058-1	1-Blocking		CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5	1-Blocking	K00216423	Backslash removal in LTM monitors after upgrade
627433-1	1-Blocking		HSB transmitter failure on i2x00 and i4x00 platforms
602830-1	1-Blocking		BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
648056-2	2-Critical	K16503454	bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805	2-Critical	K92637255	LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses
641248	2-Critical		IPsec-related tmm segfault
641013-5	2-Critical		GRE tunnel traffic pinned to one TMM
638935-3	2-Critical		Monitor with send/receive string containing double-quote may cause upgrade to fail.★
636918-2	2-Critical		Fix for crash when multiple tunnels use the same traffic selector
636290	2-Critical		vCMP support for B4450 blade
627898-2	2-Critical	K53050234	tmm leaks memory in the ECM subsystem
625824-1	2-Critical		iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4	2-Critical		iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response
618779-1	2-Critical		Route updates during IPsec tunnel setup can cause tmm to restart
616059-1	2-Critical	K19545861	Modifying license.maxcores Not Allowed Error
614296-1	2-Critical		Dynamic routing process ripd may core
613536-5	2-Critical		tmm core while running the iRule STATS:: command
610295-1	2-Critical	K32305923	TMM may crash due to internal backplane inconsistency after reprovisioning
583516-2	2-Critical		tmm ASSERT's "valid node" on Active, after timer fire..
567457-2	2-Critical		TMM may crash when changing the IKE peer config.
652484-2	3-Major		tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2	3-Major		qkview improvement for OVSDB management
648544-5	3-Major	K75510491	HSB transmitter failure may occur when global COS queues enabled
646760	3-Major		Common Criteria Mode Disrupts Administrative SSH Access
644892-1	3-Major		Files captured multiple times in qkview
644490-1	3-Major		Finisar 100G LR4 values need to be revised in f5optics
637559-1	3-Major		Modifying iRule online could cause TMM to be killed by SIGABRT
636535	3-Major	K24844444	HSB lockup in vCMP guest doesn't generate core file
635961-1	3-Major		gzipped and truncated files may be saved in qkview
635129	3-Major		Chassis systems in HA configuration become Active/Active during upgrade★
635116-1	3-Major	K34100550	Memory leak when using replicated remote high-speed logging.
634115-1	3-Major		Not all topology records may sync.
633879-1	3-Major	K52833014	Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1	3-Major		HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1	3-Major		IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4	3-Major		Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1	3-Major		tmm crash possible if high-speed logging pool member is deleted and reused
630610-5	3-Major	K43762031	BFD session interface configuration may not be stored on unit state transition
630546-1	3-Major		Very large core files may cause corrupted qkviews
629499-9	3-Major		tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1	3-Major	K55278069	Any CSS content truncated at a quoted value leads to a segfault
628202-4	3-Major		Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3	3-Major	K20766432	OSPF with multiple processes may incorrectly redistribute routes
628009-1	3-Major		f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3	3-Major	K15130343	nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1	3-Major		Unbundled 40GbE optics reporting as Unsupported Optic
627214-3	3-Major		BGP ECMP recursive default route not redistributed to TMM
626839	3-Major		sys-icheck error for /var/lib/waagent in Azure.
626721-5	3-Major		"reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2	3-Major		SELinux: snmpd is denied access to tmstat files
625085	3-Major		lasthop rmmod causes kernel panic
624361-1	3-Major		Responses to some of the challenge JS are not zipped.
623930-3	3-Major		vCMP guests with vlangroups may loop packets internally
623401-1	3-Major		Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4	3-Major		After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
623055-1	3-Major		Kernel panic during unic initialization
622183-5	3-Major		The alert daemon should remove old log files but it does not.
621909-4	3-Major	K23562314	Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1	3-Major		DSR tunnels with transparent monitors may cause TMM crash.
620659-3	3-Major		The BIG-IP system may unecessarily run provisioning on successive reboots
620366-4	3-Major		Alertd can not open UDP socket upon restart
617628-1	3-Major		SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1	3-Major		Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1	3-Major		Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3	3-Major		Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1	3-Major		Bootup script fails to run on on a vCMP guest due to a missing reference file.
611658-3	3-Major		"less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1	3-Major		AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3	3-Major		vCMP: VLAN failsafe does not trigger on guest
610417-1	3-Major	K54511423	Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7	3-Major		Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3	3-Major		iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response
604727-1	3-Major		Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★
604237-3	3-Major		Vlan allowed mismatch found error in VCMP guest
604061-2	3-Major		Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1	3-Major		qkview excludes files
598498-7	3-Major		Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1	3-Major		Stats query may generate an error when tmm on secondary is down
596067-2	3-Major		GUI on VIPRION hangs on secondary blade reboot
590211-2	3-Major		jitterentropy-rngd quietly fails to start
586738-4	3-Major		The tmm might crash with a segfault.
583754-7	3-Major		When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1	3-Major		Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
562928-2	3-Major		Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5	3-Major		High Speed Logging to specific destinations stops from individual TMMs
557471-3	3-Major		LTM Policy statistics showing zeros in GUI
543208-1	3-Major		Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
534520-1	3-Major		qkview may exclude certain log files from /var/log
424542-5	3-Major		tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2	3-Major		Update/overwrite of FIPS keys error
643404-2	4-Minor	K30014507	'tmsh system software status' does not display properly in a specific cc-mode situation★
636520-3	4-Minor	K88813435	Detail missing from power supply 'Bad' status log messages
633181-1	4-Minor		A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5	4-Minor		When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3	4-Minor		Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2	4-Minor		Timezone data on AOM not syncing with host
609107-1	4-Minor		mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
599191-2	4-Minor		One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2	4-Minor	K20937139	ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1	4-Minor		Traffic Group score formula does not result in unique values.
541550-3	4-Minor		Defining more than 10 remote-role groups can result in authentication failure
541320-10	4-Minor	K50973424	Sync of tunnels might cause restore of deleted tunnels.
500452-8	4-Minor	K28520025	PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2	5-Cosmetic		SSD Manufacturer "unavailable"
524277-2	5-Cosmetic		Missing power supplies issue warning message that should be just a notice message.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
651476	2-Critical		bigd may core on non-primary bigd when FQDN in use
648715-2	2-Critical		BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2	2-Critical	K34553627	Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2	2-Critical		Path MTU discovery occasionally fails
640352-2	2-Critical	K01000259	Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1	2-Critical	K84228882	Memory leak in STREAM::expression iRule
637181-4	2-Critical		VIP-on-VIP traffic may stall after routing updates
632685	2-Critical		bigd memory leak for FQDN nodes on non-primary bigd instance
630306-1	2-Critical		TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1	2-Critical		External datagroups with no metadata can crash tmm
628890-1	2-Critical		Memory leak when modifying large datagroups
627403-2	2-Critical		HTTP2 can can crash tmm when stats is updated on aborting of a new connection
626311-2	2-Critical	K75419237	Potential failure of DHCP relay functionality credits to incorrect route lookup.
625198-1	2-Critical		TMM might crash when TCP DSACK is enabled
622856-1	2-Critical		BIG-IP may enter SYN cookie mode later than expected
621870-2	2-Critical		Outage may occur with VIP-VIP configurations
619663-3	2-Critical	K49220140	Terminating of HTTP2 connection may cause a TMM crash
619528-4	2-Critical		TMM may accumulate internal events resulting in TMM restart
619071-3	2-Critical		OneConnect with verified accept issues
614509-1	2-Critical		iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1	2-Critical		TMM crashes when SSL forward proxy is enabled.
608304-1	2-Critical	K55292305	TMM crash on memory corruption
603667-2	2-Critical		TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3	2-Critical		Ephemeral pool members are getting deleted/created over and over again.
602136-5	2-Critical		iRule drop/discard/reject commands causes tmm segfault or still sends 3-way handshake to the server.
601828-1	2-Critical	K13338433	An untrusted certificate can cause tmm to crash.
600982-5	2-Critical		TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2	2-Critical		TMM may crash in bigtcp due to null pointer dereference
597828-1	2-Critical		SSL forward proxy crashes in some cases
596450-1	2-Critical		TMM may produce a core file after updating SSL session ticket key
594642-3	2-Critical		Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1	2-Critical	K42175594	MPTCP or SSL traffic handling may cause a BIG-IP outage
557358-5	2-Critical		TMM SIGSEGV and crash when memory allocation fails.
423629-3	2-Critical	K08454006	bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
653201	3-Major		Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
651106	3-Major		memory leak on non-primary bigd with changing node IPs
649571-1	3-Major		Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990	3-Major		Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4	3-Major	K51064420	DNSSEC key generations fail with lots of invalid SSL traffic
632324-2	3-Major		PVA stats does not show correct connection number
629412-3	3-Major		BIG-IP closes a connection when a maximum size window is attempted
627246-1	3-Major	K09336400	TMM memory leak when ASM policy configured on virtual server
626386-1	3-Major	K28505256	SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3	3-Major		LTM Policy with illegal rule name loses its conditions and actions during upgrade★
625106-2	3-Major		Policy Sync can fail over a lossy network
624616-1	3-Major		Safenet uninstall is unable to remove libgem.so
620625-2	3-Major	K38094257	Changes to the Connection.VlanKeyed db key may not immediately apply
620079-3	3-Major		Removing route-domain may cause monitors to fail
619849-4	3-Major		In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2	3-Major		iRules LX data not included in qkview
618428	3-Major		iRules LX - Debug mode does not function in dedicated mode
618254-4	3-Major		Non-zero Route domain is not always used in HTTP explicit proxy
617858-2	3-Major		bigd core when using Tcl monitors
616022-2	3-Major	K46530223	The BIG-IP monitor process fails to process timeout conditions
613326-1	3-Major		SASP monitor improvements
612694-5	3-Major		TCP::close with no pool member results in zombie flows
610429-5	3-Major		X509::cert_fields iRule command may memory with subpubkey argument
610302-1	3-Major		Link throughput graphs might be incorrect.
609244-4	3-Major		tmsh show ltm persistence persist-records leaks memory
608551-3	3-Major		Half-closed congested SSL connections with unclean shutdown might stall.
607152-1	3-Major		Large Websocket frames corrupted
604496-4	3-Major		SQL (Oracle) monitor daemon might hang.
603979-4	3-Major		Data transfer from the BIG-IP system self IP might be slow
603723-2	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1	3-Major	K63164073	Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8	3-Major	K21220807	Stuck Nitrox crypto queue can erroneously be reported
600593-1	3-Major		Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1	3-Major		GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
599121-2	3-Major	K24036315	Under heavy load, hardware crypto queues may become unavailable.
592871-3	3-Major		Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3	3-Major		TMM crash in DNS processing on TCP virtual with no available pool members
589400-1	3-Major	K33191529	With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
584310-1	3-Major	K83393638	TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-6	3-Major		Fragmented packets may cause tmm to core under heavy load
582769-1	3-Major	K99405272	WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1	3-Major		HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4	3-Major		Syncookie mode is activated on wildcard virtuals
562267-3	3-Major		FQDN nodes do not support monitor alias destinations.
517756-6	3-Major		Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5	3-Major		BIG-IP FastL4 profile vulnerability
419741-3	3-Major		Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4	3-Major	K03005026	Route lookup after change in route table on established flow ignores pool members
660170-1	4-Minor	K28505910	tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1	4-Minor	K32107573	Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1	4-Minor	K61255401	bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
611161-3	4-Minor	K28540353	VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1	4-Minor	K77283304	LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1	4-Minor	K27491104	Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5	4-Minor		Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
621115-1	2-Critical		IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
642039-2	2-Critical	K20140595	TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2	2-Critical	K67622400	iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
642330-2	3-Major		GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
640903-1	3-Major		Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4	3-Major	K40256229	DNS::query can cause tmm crash if AXFR/IXFR types specified.
629530-2	3-Major	K53675033	Under certain conditions, monitors do not time out.
628897-1	3-Major		Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4	3-Major		The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1	3-Major		Response Policy Zones can trigger even after entry removed from zone
624193-2	3-Major		Topology load balancing not working as expected
623023-1	3-Major		Unable to set DNS Topology Continent to Unknown via GUI
621239-2	3-Major		Certain DNS queries bypass DNS Cache RPZ filter.
620215-5	3-Major		TMM out of memory causes core in DNS cache
619398-7	3-Major		TMM out of memory causes core in DNS cache
612769-1	3-Major	K33842313	Hard to use search capabilities on the Pool Members Manage page.
601180-2	3-Major	K73505027	Link Controller base license does not allow DNS namespace iRule commands.★
567743-2	3-Major	K70663134	Possible gtmd crash under certain conditions.
557434-4	3-Major		After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1	5-Cosmetic		Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
646511-1	2-Critical		BD crashes repeatedly after interrupted roll-forward upgrade★
636397-1	2-Critical		bd cores when persistent storage configuration and under some memory conditions.
634001-2	2-Critical		ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1	2-Critical		crash with wrong ceritifcate in WSS
625783-1	2-Critical		Chassis sync fails intermittently due to sync file backlog
618771-1	2-Critical		Some Social Security Numbers are not being masked
601378-2	2-Critical		Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3	2-Critical		BD daemon crashes unexpectedly
540928-1	2-Critical		Memory leak due to unnecessary logging profile configuration updates.
640824-1	3-Major	K20770267	Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
635754-1	3-Major	K65531575	Wildcard URL pattern match works inncorectly in Traffic Learning
632344-2	3-Major		POP DIRECTIONAL FORMATTING causes false positive
632326-2	3-Major	K52814351	relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1	3-Major	K61367823	ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1	3-Major	K69767100	Attack signature exception list upload times-out and fails
627360-1	3-Major		Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
626438-1	3-Major		Frame is not showing in the browser and/ or an error appears
625832-4	3-Major		A false positive modified domain cookie violation
622913-2	3-Major		Audit Log filled with constant change messages
621524-2	3-Major		Processing Timeout When Viewing a Request with 300+ Violations
620635-2	3-Major		Request having upper case JSON login parameter is not detected as a failed login attempt
614563-3	3-Major		AVR TPS calculation is inaccurate
611151-2	3-Major		An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245	3-Major		Reporting missing parameter details when attack signature is matched against parameter value
583024-1	3-Major		TMM restart rarely during startup
581406-1	3-Major		SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4	3-Major		Information missing from ASM event logs after a switchboot and switchboot back
576591-6	3-Major		Support for some future credit card number ranges
572885-1	3-Major		Policy automatic learning mode changes to manual after failover
392121-3	3-Major		TMSH Command to retrieve the memory consumption of the bd process
642874-1	4-Minor	K15329152	Ready to be Enforced filter for Policy Signatures returns too many signatures

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
634215-1	2-Critical		False detection of attack after restarting dosl7d
573764-1	2-Critical		In some cases, only primary blade retains it's statistics after upgrade on multi bladed system
642221-2	3-Major		Incorrect entity is used when exporting TCP analytics from GUI
641574	3-Major	K06503033	AVR doesn't report on virtual and client IP in DNS statistics
635561-1	3-Major		Heavy URLs statistics are not shown after upgrade.
631722	3-Major		Some HTTP statistics not displayed after upgrade
631131-3	3-Major		Some tmstat-adapters based reports stats are incorrect
605010-1	3-Major		Thrift::TException error
560114-6	3-Major		Monpd is being affected by an I/O issue which makes some of its threads freeze

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
645339-2	1-Blocking		TMM may crash when processing APM data
637308-8	2-Critical	K41542530	apmd may crash when HTTP Auth agent is used in an Access Policy
632005-1	2-Critical		BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2	2-Critical		Edge client can fail to upgrade when always connected is selected
617310-2	2-Critical		Edge client can fail to upgrade when Always Connected is selected★
614322-1	2-Critical	K31063537	TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608424-2	2-Critical		Dynamic ACL agent error log message contains garbage data
608408-2	2-Critical		TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1	2-Critical		CATEGORY::filetype command may cause tmm to crash and restart
643547-1	3-Major	K43036745	APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
638799-1	3-Major		Per-request policy branch expression evaluation fails
638780-3	3-Major		Handle 302 redirects for VMware Horizon View HTML5 client
636044-1	3-Major	K68018520	Large number of glob patterns affects custom category lookup performance
634576	3-Major	K48181045	TMM core in per-request policy
634252	3-Major	K99114539	TMM crash with per-request policy in SWG explicit
632504-1	3-Major	K31277424	APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1	3-Major	K70551821	APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1	3-Major		Frequently logged "Silent flag set - fail" messages
632386-1	3-Major		EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1	3-Major	K35254214	Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2	3-Major		Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.
629698-1	3-Major		Edge client stuck on "Initializing" state
629069-2	3-Major		Portal Access may delete scripts from HTML page in some cases
628687-2	3-Major		Edge Client reconnection issues with captive portal
628685-2	3-Major	K79361498	Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2	3-Major	K11327511	Unable to save advanced customization when using Exchange iApp
627059-1	3-Major		In some rare cases TMM may crash while handling VMware View client connection
626910-1	3-Major		Policy with assigned SAML Resource is exported with error
625474-1	3-Major		POST request body is not saved in session variable by access when request is sent using edge client
625159-1	3-Major		Policy sync status not shown on standby device in HA case
624966-2	3-Major		Edge client starts new APM session when Captive portal session expire
623562-3	3-Major		Large POSTs rejected after policy already completed
622790-1	3-Major		EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4	3-Major		OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-4	3-Major		Skype For Business thick client shows javascript errors when rendering APM logon page
621447-1	3-Major		In some rare cases, VDI may crash
621210-2	3-Major		Policy sync shows as aborted even if it is completed
621126-2	3-Major		Import of config with saml idp connector with reuse causes certificate not found error
620829-2	3-Major	K34213161	Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3	3-Major		Access Policy is not able to check device posture for Android 7 devices
620614-4	3-Major		Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1	3-Major		HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2	3-Major		Machine Cert OCSP check fails with multiple Issuer CA
619486-3	3-Major		Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2	3-Major		Browser may hang at APM session logout
618170-3	3-Major		Some URL unwrapping functions can behave bad
617063-1	3-Major		After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1	3-Major		SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3	3-Major		Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1	3-Major		SSO logging level may cause failover
615254-2	3-Major		Network Access Launch Application item fails to launch in some cases
612419-1	3-Major		APM - suspected memory leak (umem_alloc_32/network access (variable))
611968-3	3-Major		JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4	3-Major		Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2	3-Major		SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
597214-5	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1	3-Major		Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,
595272-1	3-Major		Edge client may show a windows displaying plain text in some cases
591246-1	3-Major		Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1	3-Major		JavaScript: 'baseURI' property may be handled incorrectly
570217-2	3-Major		BIG-IP APM now uses Airwatch v2 API to retreive device posture information
533956-3	3-Major	K30515450	Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4	3-Major		Microsoft WebService HTML component does not work after rewriting
640521-1	4-Minor		EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2	4-Minor		Cannot reinitiate a sync on a target device when sync is completed
618404-1	4-Minor		Access Profile copying might be invalid if policies are named series of names.
606257-3	4-Minor	K56716107	TCP FIN sent with Connection: Keep-Alive header for webtop page resources

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
630661-2	3-Major	K30241432	WAM may leak memory when a WAM policy node has multiple variation header rules

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
644970-1	2-Critical		Editing a virtual server config loses SSL encryption on iSession connections
644489-1	3-Major	K14899014	Unencrypted iSession connection established even though data-encrypt configured in profile

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
639236-1	2-Critical	K66947004	Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3	2-Critical		TMM cores in iRule when accessing a SIP header that has no value
569316-1	2-Critical		Core occurs on standby in MRF when routing to a route using a transport config
649933-1	3-Major		Fragmented RADIUS messages may be dropped
629663-1	3-Major	K23210890	CGNAT SIP ALG will drop SIP INVITE
625542-1	3-Major		SIP ALG with Translation fails for REGISTER refresh.
625098-3	3-Major		SCTP::local_port iRule not supported in MRF events
601255-4	3-Major		RTSP response to SETUP request has incorrect client_port attribute

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
632731-2	2-Critical	K21964367	specific external logging configuration can cause TMM service restart
628623-1	2-Critical		tmm core with AFM provisioned
639193-1	3-Major	K03453591	For HA BIG-IP devices, deleting parent policy causes sync to fail.
631025-1	3-Major		500 internal error on inline rule editor for certain firewall policies
610129-3	3-Major	K43320840	Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5	3-Major		tmm core on the standby unit with dos vectors configured
590805-4	3-Major		Active Rules page displays a different time zone.
431840-3	3-Major		Cannot add vlans to whitelist if they contain a hyphen

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
627257-2	2-Critical		Potential PEM crash during a Gx operation
626851-2	2-Critical	K37665112	Potential crash in a multi-blade chassis during CMP state changes.
624744-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624733-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624228-1	2-Critical		Memory leak when using insert action in pem rule and flow gets aborted
623922-5	2-Critical	K64388805	TMM failure in PEM while processing Service-Provider Disaggregation
641482-2	3-Major		Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-3	3-Major		BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2	3-Major		Session Creation failure after HA
635233-3	3-Major	K80902149	Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1	3-Major	K84324392	PEM module crash when subscriber not fund
627798-3	3-Major		Buffer length check for quota bucket objects
627279-2	3-Major		Potential crash in a multi-blade chassis during CMP state changes.
623927-2	3-Major	K41337253	Flow entry memory leaked after DHCP DORA process
564281-3	3-Major		TMM (debug) assert seen during Failover with Gy
628869-4	4-Minor		Unconditional logs seen due to the presence of a PEM iRule.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
609788	2-Critical		PCP may pick an endpoint outside the deterministic mapping
642284	3-Major		Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2	3-Major		FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
639750-1	2-Critical		username aliases are not supported
636370	3-Major		Application Layer Encryption AJAX support
629627-1	3-Major		FPS Log Publisher is not grouped nor filtered by partition
629127-1	3-Major		Parent profiles cannot be saved using FPS GUI
628348-1	3-Major		Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1	3-Major		Forcing a single injected tag configuration is restrictive
625275-1	3-Major		Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1	3-Major		Unable to add multiple User-Defined alerts with the same search category
623518-1	3-Major		Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2	3-Major		Pages using Angular may hang when Websafe is enabled
635541	4-Minor		"Application CSS Locations" is not inherited if changing parent profile

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
625172-1	2-Critical		tmm crashes when classification is enabled and ftp traffic is flowing trough the box
631472-1	3-Major		Reseting classification signatures to default may result in non-working configuration

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
606518-3	2-Critical	K00762373	iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username.
642983-1	3-Major	K94534313	Update to max message size limit doesn't work sometimes
629845-2	3-Major		Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2	3-Major		Unable to set maxMessageBodySize in iControl REST after upgrade★

Cumulative fixes from BIG-IP v12.1.2 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
618306-2	CVE-2016-9247	K33500120	TMM vulnerability CVE-2016-9247
616864-1	CVE-2016-2776	K18829561	BIND vulnerability CVE-2016-2776
613282-2	CVE-2016-2086, CVE-2016-2216, CVE-2016-1669	K15311661	NodeJS vulnerability CVE-2016-2086
611469-3	CVE-2016-7467	K95444512	Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2	CVE-2016-9252	K46535047	Improper handling of IP options
591328-7	CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109	K36488941	OpenSSL vulnerability CVE-2016-2106
591325-8	CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109	K75152412	OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-17	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K23230229	OpenSSL vulnerabilities
560109-7	CVE-2017-6160	K19430431	Client capabilities failure
618549-1	CVE-2016-9249	K71282001	Fast Open can cause TMM crash CVE-2016-9249
618263-1	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
614147-1	CVE-2017-6157	K02692210	SOCKS proxy defect resolution
614097-1	CVE-2017-6157	K02692210	HTTP Explicit proxy defect resolution
607314-1	CVE-2016-3500 CVE-2016-3508	K25075696	Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3	CVE-2016-2775	K92991044	lwresd and bind vulnerability CVE-2016-2775
601059-6	CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449	K14614344	libxml2 vulnerability CVE-2016-1840
599536-1	CVE-2017-6156	K05263202	IPsec peer with wildcard selector brings up wrong phase2 SAs
597023-1	CVE-2016-4954	K82644737	NTP vulnerability CVE-2016-4954
595242-1	CVE-2016-3705	K54225343	libxml2 vulnerabilities CVE-2016-3705
595231-1	CVE-2016-3627	K54225343	libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1	CVE-2016-4539	K35240323	PHP Vulnerability CVE-2016-4539
593447-1	CVE-2016-5024	K92859602	BIG-IP TMM iRules vulnerability CVE-2016-5024
592485	CVE-2015-5157 CVE-2015-8767	K17326	Linux kernel vulnerability CVE-2015-5157
592001-1	CVE-2016-4071 CVE-2016-4073	K64412100	CVE-2016-4073 PHP vulnerabilities
591455-7	CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518	K24613253	NTP vulnerability CVE-2016-2516
591447-1	CVE-2016-4070	K42065024	PHP vulnerability CVE-2016-4070
591358-1	CVE-2016-3425 CVE-2016-0695 CVE-2016-3427	K81223200	Oracle Java SE vulnerability CVE-2016-3425
585424-1	CVE-2016-1979	K20145801	Mozilla NSS vulnerability CVE-2016-1979
580747-1	CVE-2016-0739	K57255643	libssh vulnerability CVE-2016-0739
557190-3	CVE-2017-6166	K65615624	'packet_free: double free!' tmm core
597010-1	CVE-2016-4955	K03331206	NTP vulnerability CVE-2016-4955
596997-1	CVE-2016-4956	K64505405	NTP vulnerability CVE-2016-4956
591767-8	CVE-2016-1547	K11251130	NTP vulnerability CVE-2016-1547
591438-7	CVE-2015-8865	K54924436	PHP vulnerability CVE-2015-8865
575629-3	CVE-2015-8139	K00329831	NTP vulnerability: CVE-2015-8139
573343-1	CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158	K01324833	NTP vulnerability CVE-2015-8158

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
615377-3	3-Major		Unexpected rate limiting of unreachable and ICMP messages for some addresses.
590122-2	3-Major		Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2	3-Major		Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7	3-Major		krb5.conf file is not synchronized between blades and not backed up
541549-2	3-Major		AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3	3-Major		OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1	3-Major	K8940	System continues to process virtual server traffic after disabling virtual address
225634-1	3-Major		The rate class feature does not honor the Burst Size setting.
599839-3	4-Minor		Add new keyords to SIP::persist command to specify how Persistence table is updated
591733-4	4-Minor	K83175883	Save on Auto-Sync is missing from the configuration utility.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
625784	1-Blocking		TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
617622	1-Blocking		In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422	2-Critical		i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1	2-Critical		Assert on deletion of paired in-and-out IPsec traffic selectors
617935	2-Critical		IKEv2 VPN tunnels fail to establish
617481-1	2-Critical		TMM can crash when HTML minification is configured
614865-5	2-Critical		Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1	2-Critical		TMM crash on invalid memory access to loopback interface stats object
605476-3	2-Critical		statsd can core when reading corrupt stats files.
601527-4	2-Critical		mcpd memory leak and core
600894-1	2-Critical		In certain situations, the MCPD process can leak memory
598748	2-Critical		IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1	2-Critical		vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
595712-1	2-Critical		Not able to add remote user locally
591495-2	2-Critical		VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1	2-Critical		ospfd cores due to an incorrect debug statement.
588686	2-Critical		High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3	2-Critical		bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2	2-Critical		sod core during upgrade from 10.x to 12.x.
583936-5	2-Critical		Removing ECMP route from BGP does not clear route from NSM
557680-4	2-Critical		Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7	2-Critical		Starting mcpd manually at the command line interferes with running mcpd
622877-1	3-Major		i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199	3-Major		sys-icheck reports error with /var/lib/waagent
622194	3-Major		sys-icheck reports error with ssh_host_rsa_key
621423	3-Major		sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1	3-Major		Reserve enough space in the image for future upgrades.
621225	3-Major		LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782	3-Major		Azure cloud now supports hourly billing
619410-1	3-Major		TMM hardware accelerated compression not registering for all compression levels.
617986-2	3-Major		Memory leak in snmpd
617229-1	3-Major	K54245014	Local policy rule descriptions disappear when policy is re-saved
616242-3	3-Major	K39944245	basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
614530-2	3-Major		Dynamic ECMP routes missing from Linux host
614180-1	3-Major		ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3	3-Major		When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1	3-Major		sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1	3-Major		sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3	3-Major		Not possible to do targeted failover with HA Group configured
605894-3	3-Major		Remote authentication for BIG-IP users can fail
603149-2	3-Major		Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8	3-Major		Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2	3-Major		Unable to view the SSL Cert list from the GUI
601989-3	3-Major	K88516119	Remote LDAP system authenticated username is case sensitive★
601893-2	3-Major	K89212666	TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
601502-4	3-Major		Excessive OCSP traffic
600558-5	3-Major		Errors logged after deleting user in GUI
599816-2	3-Major		Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1	3-Major		Temporary files from TMSH not being cleaned up intermittently.
598039-6	3-Major		MCP memory may leak when performing a wildcard query
597729-5	3-Major		Errors logged after deleting user in GUI
596104-1	3-Major	K84539934	HA trunk unavailable for vCMP guest★
595773-4	3-Major		Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2	3-Major		Audit forwarding Radius packets may be rejected by Radius server
592870-2	3-Major		Fast successive MTU changes to IPsec tunnel interface crashes TMM
592344-2	3-Major		NTP Security Updates
592320-5	3-Major		ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
589083-2	3-Major		TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4	3-Major		During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
585833-3	3-Major		Qkview will abort if /shared partition has less than 2GB free space
585547-1	3-Major		NTP configuration items are no longer collected by qkview★
585485-3	3-Major		inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system
584583-3	3-Major	K18410170	Timeout error when using the REST API to retrieve large amount of data
583285-5	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1	3-Major		BWC policy in device sync groups.
580500-1	3-Major		/etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5	3-Major		bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot
576305-7	3-Major		Potential MCPd leak in IPSEC SPD stats query code
575649-5	3-Major		MCPd might leak memory in IPFIX destination stats query
575591-6	3-Major		Potential MCPd leak in IKE message stats query code
575589-5	3-Major		Potential MCPd leak in IKE event stats query code
575587-7	3-Major		Potential MCPd leak in BWC policy class stats query code
575176-1	3-Major	K58275035	Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1	3-Major		Management DHCP settings do not take effect
570818-4	3-Major		Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1	3-Major		Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4	3-Major		Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7	3-Major		Differing cert/key after successful config-sync
547479-5	3-Major		Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1	3-Major		Creating local user for previously remote user results in incomplete user definition.
540872-1	3-Major		Config sync fails after creating a partition.
527206-5	3-Major		Management interface may flap due to LOP sync error
393270-1	3-Major		Configuration utility may become non-responsive or fail to load.
618421	4-Minor		Some mass storage is left un-used
617124	4-Minor		Cannot map hardware type (12) to HardwareType enumeration
581835-1	4-Minor		Command failing: tmsh show ltm virtual vs_name detail.
567546-1	4-Minor		Files with file names larger than 100 characters are omitted from qkview
564771-1	4-Minor		cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2	4-Minor	K40547220	cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4	4-Minor		Misleading error message in catalina.out when listing certificates.
551349-5	4-Minor	K80203854	Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
460833-5	4-Minor		MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5	5-Cosmetic		tmsh save /sys ucs command sends status messages to stderr
442231-4	5-Cosmetic		Pendsect log entries have an unexpected severity

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618905-1	1-Blocking		tmm core while installing Safenet 6.2 client
616215-4	2-Critical		TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1	2-Critical		L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1	2-Critical		TMM may crash if LTM a disable policy action for 'LTM Policy' is not last
609628-2	2-Critical		CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6	2-Critical		Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1	2-Critical		Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2	2-Critical	K25713491	TMM may crash when in Fallback state.
607524-2	2-Critical		Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5	2-Critical		Safenet 6.2 library missing after upgrade★
606573-3	2-Critical		FTP traffic does not work through SNAT when configured without Virtual Server★
605865-4	2-Critical		Debug TMM produces core on certain ICMP PMTUD packets
604133-2	2-Critical		Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1	2-Critical		clientssl profiles with sni-default enabled may leak X509 objects
602326-1	2-Critical		Intermittent pkcs11d core when stopping or restarting pkcs11d service
599135-2	2-Critical		B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2	2-Critical	K34453301	TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5	2-Critical		IPv6 fragments are dropped when packet filtering is enabled.
586449-1	2-Critical		Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1	2-Critical		Transparent HTTP profiles cannot have iRules configured
575011-1	2-Critical	K21137299	Memory leak. Nitrox3 Hang Detected.
574880-3	2-Critical		Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3	2-Critical	K02020031	L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3	2-Critical	K14304373	TMM halts and restarts
459671-4	2-Critical		iRules source different procs from different partitions and executes the incorrect proc.
617862-2	3-Major		Fastl4 handshake timeout is absolute instead of relative
617824-3	3-Major		"SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1	3-Major		VDI plugin-initiated connections may select inappropriate SNAT address
613429-2	3-Major		Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4	3-Major		Half-Open TCP Connections Not Discoverable
613079-4	3-Major		Diameter monitor watchdog timeout fires after only 3 seconds
613065-1	3-Major		User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4	3-Major		Statistics added for all crypto queues
611320-3	3-Major		Mirrored connection on Active unit of HA pair may be unexpectedly torndown
610609-3	3-Major		Total connections in bigtop, SNMP are incorrect
608024-3	3-Major		Unnecessary DTLS retransmissions occur during handshake.
607803-3	3-Major	K33954223	DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5	3-Major		TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3	3-Major		Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6	3-Major		Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2	3-Major	K52231531	TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2	3-Major	K08905542	Wrong alert when DTLS cookie size is 32
603236-1	3-Major		1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1	3-Major		Add zLib compression
602366-1	3-Major		Safenet 6.2 HA performance
602358-5	3-Major		BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version
601496-4	3-Major		iRules and OCSP Stapling
601178-6	3-Major		HTTP cookie persistence 'preferred' encryption
598874-2	3-Major		GTM Resolver sends FIN after SYN retransmission timeout
597978-2	3-Major		GARPs may be transmitted by active going offline
597879-1	3-Major		CDG Congestion Control can lead to instability
597532-1	3-Major		iRule: RADIUS avp command returns a signed integer
597089-8	3-Major		Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6	3-Major	K26430211	In rare cases, connections may fail to expire
592784-2	3-Major		Compression stalls, does not recover, and compression facilities cease.
592497-1	3-Major		Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5	3-Major	K47203554	Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7	3-Major	K53220379	Stuck crypto queue can erroneously be reported
591343-5	3-Major	K03842525	SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1	3-Major		TMM crash and core dump when processing SSL protocol alert.
588115-1	3-Major		TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3	3-Major		SSL resumed connections may fail during mirroring
587016-3	3-Major		SIP monitor in TLS mode marks pool member down after positive response.
585813-3	3-Major	K22111214	SIP monitor with TLS mode fails to find cert and key files.
585412-4	3-Major		SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6	3-Major		The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1	3-Major		Cannot generate key after SafeNet HSM is rebooted
580303-5	3-Major		When going from active to offline, tmm might send a GARP for a floating address.
579843-1	3-Major		tmrouted may not re-announce routes after a specific succession of failover states
579371-4	3-Major	K70126130	BIG-IP may generate ARPs after transition to standby
578951-2	3-Major		TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5	3-Major		Variable value in the nesting script of foreach command get reset when there is parking command in the script
570057-2	3-Major		Can't install more than 16 SafeNet HSMs in its HA group
569288-6	3-Major		Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4	3-Major		CPU Usage increases when using masquerade addresses
551208-6	3-Major		Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4	3-Major		Networking devices might block a packet that has a TTL value higher than 230.
545796-5	3-Major		[iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5	3-Major		Log activation/deactivation of TM.TCPMemoryPressure
537553-8	3-Major		tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4	3-Major		Dynamically discovered routes might fail to remirror connections.
530266-7	3-Major		Rate limit configured on a node can be exceeded
506543-5	3-Major		Disabled ephemeral pool members continue to receive new connections
483953-1	3-Major		Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7	3-Major		Memory leak with multiple client SSL profiles.
464801-3	3-Major		Intermittent tmm core
423392-6	3-Major		tcl_platform is no longer in the static:: namespace
371164-1	3-Major		BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.
598860-4	4-Minor		IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2	4-Minor		SMB monitor fails due to internal configuration issue
560471-1	4-Minor		Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
544033-5	4-Minor	K30404012	ICMP fragmentation request is ignored by BIG-IP
222034-4	4-Minor		HTTP::respond in LB_FAILED with large header/body might result in truncated response

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
510631-1	3-Major		B4450 L4 No ePVA or L7 throughput lower than expected

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
603598-3	2-Critical		big3d memory under extreme load conditions
587656-2	2-Critical		GTM auto discovery problem with EHF for ID574052
587617-1	2-Critical		While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2	3-Major		The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1	3-Major		QOS load balancing links display as gray
613045-7	3-Major		Interaction between GTM and 10.x LTM results in some virtual servers marked down
607658-1	3-Major		GUI becomes unresponsive when managing GSLB Pool
589256-1	3-Major	K71283501	DNSSEC NSEC3 records with different type bitmap for same name.
588289-1	3-Major		GTM is Re-ordering pools when adding pool including order designation
584623-2	3-Major		Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4	3-Major		GTM autoconf can cause high CPU usage for gtmd
370131-4	3-Major		Loading UCS with low GTM Autoconf Delay drops pool Members from config

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609499-1	2-Critical		Compiled signature collections use more memory than prior versions
603945-2	2-Critical		BD config update should be considered as config addition in case of update failure
588087-1	2-Critical		Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2	2-Critical		IP exceptions may have issues with route domain
575133-1	2-Critical		asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1	3-Major		Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
621808-1	3-Major		Proactive Bot Defense failing in IE11 with Compatibility View enabled
616169	3-Major		ASM Policy Export returns HTML error file
613459-1	3-Major		Non-common browsers blocked by Proactive Bot Defense
613396-1	3-Major		Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1	3-Major		"Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
610857-1	3-Major		DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1	3-Major		FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
609496-2	3-Major		Improved diagnostics in BD config update (bd_agent) added
608509-1	3-Major		Policy learning is slow under high load
606875-1	3-Major		DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
604923-5	3-Major		REST id for Signatures change after update
604612-1	3-Major	K20323120	Modified ASM cookie violation happens after upgrade to 12.1.x★
602221-2	3-Major		Wrong parsing of redirect Domain
601924-1	3-Major		Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1	3-Major		Unable to force Bot Defense action to Allow in iRule
584642-1	3-Major		Apply Policy Failure
584103-2	3-Major		FPS periodic updates (cron) write errors to log
582683-2	3-Major		xpath parser doesn't reset a namespace hash value between each and every scan
582133-1	3-Major		Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1	3-Major		Selenium detection not blocked
579917-1	3-Major		User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1	3-Major		Error when loading Upgrade UCS★
521204-2	3-Major		Include default values in XML Policy Export
501892-1	3-Major		Selenium is not detected by headless mechanism when using client version without server

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
602654-2	2-Critical		TMM crash when using AVR lookups
602434-1	2-Critical		Tmm crash with compressed response
601056	2-Critical		TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735	3-Major		TCP Analytics statistics does not list all virtual servers
618944-1	3-Major		AVR statistic is not save during the upgrade process
601035	3-Major		TCP-Analytics can fail to collect all the activity

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618506	2-Critical		TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1	2-Critical		Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-3	2-Critical		Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3	2-Critical		APM ACL construction may cause TMM to core if TMM is out of memory
569563-3	2-Critical		Sockets resource leak after loading complex policy
619250-1	3-Major		Returning to main menu from "RSS Feed" breaks ribbon
617187-1	3-Major		APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2	3-Major		Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2	3-Major		Incorrect handling of form that contains a tag with id=action
611922-1	3-Major		Policy sync fails with policy that includes custom CA Bundle.
611240-3	3-Major		Import of config with securid might fail
610224-3	3-Major		APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1	3-Major		AAA RADIUS system authentication fails on IPv6 network
604767-1	3-Major		Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
601905-1	3-Major		POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3	3-Major		DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3	3-Major	K06913155	APM ACL does not get enforced all the time under certain conditions
598211-1	3-Major		Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2	3-Major		VPN establishment may fail when computer wakes up from sleep
596116-3	3-Major		LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1	3-Major		SWG Custom Category: unable to have a URL in multiple custom categories
594288-1	3-Major		Access profile configured with SWG Transparent results in memory leak.
592414-4	3-Major		IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1	3-Major		encryption_key in access config is NULL in whitelist
591590-1	3-Major		APM policy sync results are not persisted on target devices
591268-1	3-Major		VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3	3-Major		Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3	3-Major	K80124134	Empty URI rewriting is not done as required by browser.
586718-1	3-Major		Session variable substitutions are logged
586006-1	3-Major		Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3	3-Major		VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1	3-Major		NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3	3-Major		Macrocall could be topologically not connected with the rest of policy.★
582526-3	3-Major		Unable to display and edit huge policies (more than 4000 elements)
580893-2	3-Major	K08731969	Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3	3-Major		flash.utils.Proxy functionality is not negotiated
572558-1	3-Major		Internet Explorer: incorrect handling of document.write() to closed document
569309-3	3-Major		Clientside HTML parser does not recognize HTML event attributes without value
562636-2	3-Major	K05489319	Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11	3-Major		DTLS renegotiation sequence number compatibility
455975-1	3-Major		Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6	3-Major		OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1	3-Major		Multidomain SSO requires a default pool be configured
238444-3	3-Major	K14219	An L4 ACL has no effect when a layered virtual server is used.
605627	4-Minor		Selinux denial seen for apmd when it is being shutdown.
584373-2	4-Minor		AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1	4-Minor		Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1	4-Minor		Full Webtop resources appear overlapping in IE11 compatibility mode

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
619757-1	2-Critical		iSession causes routing entry to be prematurely freed

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
613297-3	2-Critical		Default generic message routing profile settings may core
612135-3	2-Critical		Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2	2-Critical		tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config
596631-2	2-Critical		SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5	3-Major		BIG-IP drops ACKs containing no max-forwards header
609328-3	3-Major	K53447441	SIP Parser incorrectly parsers empty header
607713-3	3-Major		SIP Parser fails header with multiple sequential separators inside quoted string.
603019-3	3-Major		Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5	3-Major		Persistence entries not added if message is routed via an iRule
598854-3	3-Major		sipdb tool incorrectly displays persistence records without a pool name
598700-6	3-Major		MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3	3-Major	K12228503	Branch parameter in inserted VIA header not consistent as per spec
583010-4	3-Major		Sending a SIP invite with 'tel' URI fails with a reset
578564-4	3-Major		ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4	3-Major		ADAPT recursive loop when handling successive iRule events
566576-6	3-Major		ICAP/OneConnect reuses connection while previous response is in progress
401815-1	3-Major		BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
585807-2	4-Minor		'ICAP::method <method>' iRule is documented but is read-only
561500-4	4-Minor		ICAP Parsing improvement

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
612874-1	2-Critical		iRule with FLOW_INIT stage execution can cause TMM restart
609095-1	2-Critical		mcpd memory grows when updating firewall rules
622281-1	3-Major		Network DoS logging configuration change can cause TMM crash
614284-2	3-Major		Performance fix to not reset a data structure in the packet receive hotpath.
608566-1	3-Major		The reference count of NW dos log profile in tmm log is incorrect
605427-1	3-Major		TMM may crash when adding and removing virtual servers with security log profiles
594869-4	3-Major		AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2	3-Major		Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070	3-Major		'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1	3-Major		FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609005-2	1-Blocking		Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3	2-Critical		TMM coredump at dhcpv4_server_set_flow_key().
608009-1	2-Critical		Crash: Tmm crashing when active system connections are deleted from cli
603825-2	2-Critical		Crash when a Gy update message is received by a debug TMM
593070-2	2-Critical		TMM may crash with multiple IP addresses per session
472860-5	2-Critical		RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2	3-Major		After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2	3-Major		Disruption during manipulation of PEM data with suspected flow irregularity
618657-4	3-Major		Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3	3-Major		tmm core using PEM
608742-2	3-Major	K48561135	DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
608591-1	3-Major		Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5	3-Major		DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3	3-Major	K60250444	PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5	3-Major	K56504204	DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
606066-2	2-Critical		LSN_DELETE messages may be lost after HA failover
605525-1	2-Critical		Deterministic NAT combined with NAT64 may cause a TMM core
587106-1	2-Critical		Inbound connections are reset prematurely when zombie timeout is configured.
602171-1	3-Major		TMM may core when remote LSN operations time out

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
617648	2-Critical		Surfing with IE8 sometimes results with script error
603234-3	2-Critical		Performance Improvements
597471	2-Critical		Some Alerts are sent with outdated username value
617688	3-Major		Encryption is not activated unless "real-time encryption" is selected
613671-2	3-Major		Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
610897-2	3-Major		FPS generated request failure throw "unspecified error" error in old IE.
609098-1	3-Major		Improve details of ajax failure
604885-1	3-Major		Redirect/Route action doesn't work if there is an alert logging iRule
601083-1	3-Major		FPS Globally Forbidden Words lists freeze in IE 11
588058-3	3-Major		False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1	4-Minor		Add the ability to control dropping of alerts by before-load-function
605125-2	4-Minor		Sometimes, passwords fields are readonly
592274-3	4-Minor		RAT-Detection alerts sent with incorrect duration details

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588405-1	3-Major		BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1	4-Minor		Greylist (bad actors list) is not cleaned when attack ends

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
624370-1	2-Critical		tmm crash during classification hitless upgrade if virtual server configuration is modified

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
621401	3-Major		When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
615824-1	3-Major		REST API calls to invalid REST endpoint log level change

Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
613127-3	CVE-2016-5696	K46514822	Linux TCP Stack vulnerability CVE-2016-5696

Functional Change Fixes

None


TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
612564	1-Blocking		mysql does not start
618382-4	2-Critical		qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1	3-Major		lsusb uses unknown ioctl and spams kernel logs
612952-1	3-Major		PSU FW revision not displayed correctly
611352	3-Major	K68092141	Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307	3-Major		Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325	3-Major		Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1	3-Major		i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1	3-Major		On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2	3-Major		Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1	3-Major		LCD might display incorrect output.
521270-1	3-Major		Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6	3-Major	K25051022	Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1	4-Minor		Dossier warning 14
607857-1	4-Minor		Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1	4-Minor		Switch interfaces may seem up after bcm56xxd goes down
602061	4-Minor		i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309	4-Minor		Locator LED no longer persists across reboots
592716-1	4-Minor		BMC timezone value was not being synchronized by BIG-IP

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
597708-4	3-Major		Stats are unavailable and vCMP state and status are incorrect

Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
598294-1	CVE-2016-7472	K17119920	BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2	CVE-2016-7474	K52180214	MCPD stores certain data incorrectly

Functional Change Fixes

None


TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
542097-4	2-Critical		Update to RHEL6 kernel
601927-1	4-Minor	K52180214	Security hardening of control plane

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
602653-1	2-Critical		TMM may crash after updating bot-signatures
599769	2-Critical		TMM may crash when managing APM clients.
605682-2	3-Major		With forward proxy enabled, sometimes the client connection will not complete.
599054-2	3-Major		LTM policies may incorrectly use those of another virtual server

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
585120-1	2-Critical		Memory leak in bd under rare scenario

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
596674-2	2-Critical		High memory usage when using CS features with gzip HTML responses.
575170-2	2-Critical		Analytics reports may not identify virtual servers correctly
590074-1	3-Major		Wrong value for TCP connections closed measure

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
603997	2-Critical		Plugin should not inject nonce to CSP header with unsafe-inline
594910-1	3-Major		FPS flags no cookie when length check fails
590608-1	3-Major		Alert is not redirected to alert server when unseal fails
590578-4	3-Major		False positive "URL error" alerts on URLs with GET parameters
593355	4-Minor		FPS may erroneously flag missing cookie
589318-1	4-Minor		Clicking 'Customize All' checkbox does not work.

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
603605-1	2-Critical		Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2	3-Major		Some iApp LX packages will not be saved during upgrade or UCS save/restore

Cumulative fixes from BIG-IP v12.1.1 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
596488-1	CVE-2016-5118	K82747025	GraphicsMagick vulnerability CVE-2016-5118.
579955-6	CVE-2016-7475	K01587042	BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1	CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118	K37603172	Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1	CVE-2016-1950	K91100352	Mozilla NSS vulnerability CVE-2016-1950
570697-1	CVE-2015-8138	K71245322	NTP vulnerability CVE-2015-8138
580340-1	CVE-2016-2842	K52349521	OpenSSL vulnerability CVE-2016-2842
580313-1	CVE-2016-0799	K22334603	OpenSSL vulnerability CVE-2016-0799
579829-7	CVE-2016-0702	K79215841	OpenSSL vulnerability CVE-2016-0702
579085-6	CVE-2016-0797	K40524634	OpenSSL vulnerability CVE-2016-0797
578570-1	CVE-2016-0705	K93122894	OpenSSL Vulnerability CVE-2016-0705
569355-1	CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494	K50118123	Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1	CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210	K17235	Multiple PCRE Vulnerabilities
570667-2	CVE-2016-0701 CVE-2015-3197	K64009378	OpenSSL vulnerabilities

Functional Change Fixes

None


TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
606509-4	2-Critical		Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
595605	2-Critical		Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★
591119	2-Critical		OOM with session messaging may result in TMM crash
601076	3-Major		Fix watchdog event for accelerated compression request overflow
597303	3-Major		"tmsh create net trunk" may fail
595693	3-Major		Incorrect PVA indication on B4450 blade
591261	3-Major		BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1	3-Major		New HA Pair created using serial cable failover only will remain Active/Active
589661	3-Major		PS2 power supply status incorrect after removal
588327	3-Major		Observe "err bcm56xxd' liked log from /var/log/ltm
587735	3-Major		False alarm on LCD indicating bad fan
587668	3-Major		LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332	3-Major		Virtual Edition network settings aren't pinned correctly on startup★
584670	3-Major		Output of tmsh show sys crypto master-key
584661	3-Major		Last good master key
584655	3-Major		platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177	3-Major		LCD text truncated by heartbeat icon on VIPRION
581945-2	3-Major		Device-group 'datasync-global-dg' becomes out-of-sync every hour
581811	3-Major		The blade alarm LED may not reflect the warning that non F5 optics is used.
579529	3-Major		Stats file descriptors kept open in spawned child processes
578064	3-Major		tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1	3-Major		incorrect crontab can cause large number of email alerts
573584	3-Major		CPLD update success logs at the same error level as an update failure
563592	3-Major		Content diagnostics and LCD
559655	3-Major		Post RMA, system does not display correct platform name regardless of license
555039-4	3-Major	K24458124	VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360	3-Major		Firmware update that includes might take over 15 minutes. Do not turn off device.
526708	3-Major		system_check shows fan=good on removed PSU of 4000 platform
433357	3-Major		Management NIC speed reported as 'none'
400778	3-Major		Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550	3-Major		LCD listener error during shutdown
587780	4-Minor		warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986	4-Minor		Powered down DC PSU is treated as not-present
418009	5-Cosmetic		Hardware data display inaccuracies

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603700	2-Critical		tmm core on multiple SSL::disable calls
598052-1	2-Critical		SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139	2-Critical		TMM QAT segfault after zlib/QAT compression conflation.
585654	2-Critical		Enhanced implementation of AES in Common Criteria mode
579953	2-Critical		Updated the list of Common Criteria ciphersuites
584926-1	3-Major		Accelerated compression segfault when devices are all in error state.
566342	3-Major		Cannot set 10T-FD or 10T-HD on management port

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
599803	1-Blocking		TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2	2-Critical		apmd crash under rare conditions with LDAP

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
581824-2	3-Major		"Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
588049-1	2-Critical		Improve detection of browser capabilities
585352-2	2-Critical		bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1	2-Critical		BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2	3-Major		High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1	3-Major		Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1	3-Major		Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4	3-Major		ASM policy creation fails with after upgrading

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
587419-1	3-Major		TMM may restart when SAML SLO is performed after APM session is closed
585442-2	3-Major		Provisioning APM to 'none' creates a core file

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
596809-1	3-Major		It is possible to create ssh rules with blank space for auth-info
593925-1	3-Major		ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1	3-Major		Sync fails when deleting an ssh profile

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
584921-1	2-Critical		Inbound connections fail to keep port block alive

Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
600662-9	CVE-2016-5745	K64743453	NAT64 vulnerability CVE-2016-5745
599168-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1	CVE-2013-0169 CVE-2016-6907 CVE-2019-6593	K14190 K39508724 K10065173	TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Functional Change Fixes

None


TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
604211-1	2-Critical	K72931250	License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★
600859-2	2-Critical		Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
599033-5	2-Critical		Traffic directed to incorrect instance after network partition is resolved
595394-3	2-Critical		Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
606110-2	3-Major		BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4	3-Major		HA Failover fails in certain valid AWS configurations
596603-2	3-Major		AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
600357-2	3-Major		bd crash when asm policy is removed from virtual during specific configuration change

Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
569467-5	CVE-2016-2084	K11772107	BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591806-8	CVE-2016-3714	K03151140	ImageMagick vulnerability CVE-2016-3714
591918-2	CVE-2016-3718	K61974123	ImageMagick vulnerability CVE-2016-3718
591908-2	CVE-2016-3717	K29154575	ImageMagick vulnerability CVE-2016-3717
591894-2	CVE-2016-3715	K10550253	ImageMagick vulnerability CVE-2016-3715
591881-1	CVE-2016-3716	K25102203	ImageMagick vulnerability CVE-2016-3716

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
583631-2	1-Blocking		ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993	3-Major		Unable to load configs from /usr/libexec/aws/.
576478	3-Major		Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477	3-Major		New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
591039	2-Critical		DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779	2-Critical		Rest API - log profile in json return does not include the partition but needs to
588140	2-Critical		Pool licensing fails in some KVM/OpenStack environments
587791-1	2-Critical		Set execute permission on /var/lib/waagent
565137	2-Critical	K12372003	Pool licensing fails in some KVM/OpenStack environments.
554713-2	2-Critical		Deployment failed: Failed submitting iControl REST transaction
592363	3-Major		Remove debug output during first boot of VE
592354	3-Major		Raw sockets are not enabled on Cloud platforms

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
592699-3	2-Critical		IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1	3-Major		Connection hangs when processing large compressed responses from server
592854-1	3-Major		Protocol version set incorrectly on serverssl renegotiation
592682-1	3-Major		TCP: connections may stall or be dropped
531979-6	3-Major		SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
582629-1	2-Critical		User Sessions lookups are not cleared, session stats show marked as invalid

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
590601-2	3-Major		BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1	3-Major		The "ACCESS::session create" iRule command does not work
590345-1	3-Major		ACCESS policy running iRule event agent intermittently hangs
585905-1	3-Major		Citrix Storefront integration mode with pass-through authentication fails
581834-5	3-Major		Firefox signed plugin for VPN, Endpoint Check, etc

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588399-1	3-Major		BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1	3-Major		Multiple 'Loading state for virtual server' messages in admd.log
569121-1	3-Major		Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1	4-Minor		Bad actor quarantining

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
590795-1	2-Critical		tmm crash when loading default signatures or updating classification signature★

 

Cumulative fix details for BIG-IP v12.1.5.3 that are included in this release

---

---

---

---

---

---

---

---

949861 : Wr_urldbd returns unknown results for customdb on some blades

Component: Traffic Classification Engine

Symptoms:
Some blades return 'Unknown' for newly added URLs in a custom database

Conditions:
This might occur under when feedlist updates are done quickly in a loop

Impact:
BIG-IP is unable to classify using url categories defined in the custom database.

Workaround:
Restart wr_urldbd

Fix:
Customdb classification now work as expected with the provided fix

---

949145-2 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.

---

948769-2 : TMM panic with SCTP traffic

Component: TMOS

Symptoms:
TMM panics and generates a core file. The panic message is "balanced nodes".

Conditions:
SCTP enabled virtual server

Impact:
Traffic interrupted while TMM restarts

Workaround:
Ensure that you have a route to the server's alternate address (like a default route since the remote server might not be under direct control) or
On versions earlier than 13.0 make sure that auto-lasthop is enabled for the virtual server (either via global, vlan or virtual setting)

Fix:
TMM now handles SCTP traffic properly

---

943125-5 : Web-Socket request with JSON payload causing core during the payload parsing

Component: Application Security Manager

Symptoms:
Any web-socket request with JSON payload may cause a core witihin the JSON parser, depending on the used machine memory distribution.

Conditions:
Depends on the memory distribution of the used machine.
Sending web-socket request with JSON payload to the backend server.

Impact:
BD crash while parsing the JSON payload.

Workaround:
N/A

Fix:
No crashes during JSON payload parsing.

---

941853-4 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.

---

941089-5 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.

---

940401-5 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.

---

---

---

939529-5 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.

Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.

---

---

933741-6 : Security hardening in FPS GUI

Solution Article: K63497634

---

933461-1 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.

---

---

932065-5 : iControl REST framework exception handling hardening

Solution Article: K87502622

---

931837-4 : NTP has predictable timestamps

Component: TMOS

Symptoms:
No known symptoms.

Conditions:
Ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 are vulnerable.

Two main prerequisites for this to be exploited.

1. Having the BIG-IP act as an NTP server.
2. Sources for BIG-IP's time being unreliable/unauthenticated upstream NTP servers

Impact:
A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.

Workaround:
Redhat suggested the following mitigations:

1. Have enough trustworthy sources of time.

2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.

3. Use NTP packet authentication where appropriate.

4. Pay attention to error messages logged by ntpd.

5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.

6. If you must get unauthenticated time over IPv4 on a hostile network, Use restrict ... noserve to prevent this attack (note that this is a heavy-handed protection), which blocks time service to the specified network.

---

927617-5 : "Illegal Base64 value" violation is detected for cookie with valid base64 value

Component: Application Security Manager

Symptoms:
Request that should be passed to the backend server with cookie header which contain cookie valid value encoded to base64 is blocked.

Conditions:
A cookie name has to be defined in "Security ›› Application Security : Headers : Cookies List ›› New Cookie..." with enabled "Base64 Decoding".

Impact:
Blocking page, while the request should not be blocked.

Workaround:
Disable "Base64 Decoding" for the desired cookie.

Fix:
Requests with valid base64 encoding cookies should not get blocked by the enforcer.

---

921337-4 : ASM processes some web-sockets requests longer than usual

Solution Article: K88230177

---

918933-5 : Some ASM attack signatures do not match on cookies

Solution Article: K88162221

Component: Application Security Manager

Symptoms:
Some ASM attack signatures are not matching as expected on a cookie value.

Conditions:
Matching enabled for specific attack signatures.

Impact:
False negative. A signature does not match and an attack is getting through.

Workaround:
There is no valid workaround except creating custom signatures for cookies from all these signatures.

Fix:
Signatures now match on cookies as expected.

---

917509-6 : ASM processes some requests longer than usual

Solution Article: K58102101

---

915281-7 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.

---

913441-1 : Tmm cores while doing Hitless Upgrade while there are active flows

Component: Traffic Classification Engine

Symptoms:
Tmm cores.

Conditions:
Addition of new flows to existing lib while Hitless Upgrade is in progress.

Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.

Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.

Fix:
New flows are no longer added to the classification engine to any of the library if the Hitless Upgrade process is in progress.

---

911761-6 : F5 TMUI XSS vulnerability CVE-2020-5948

Solution Article: K42696541

---

909237-2 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642

---

909233-2 : DNS Hardening

Solution Article: K97810133

---

908673-1 : TMM may crash while processing DNS traffic

Solution Article: K43850230

---

905905-5 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245

---

904937-6 : Excessive resource consumption in zxfrd

Solution Article: K25595031

---

902417-1 : Configuration error caused by Drafts folder in a deleted custom partition★

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.

---

898949-5 : APM may consume excessive resources while processing VPN traffic

Solution Article: K04518313

---

895993-6 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

---

895981-6 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

---

895881-5 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305

---

895525-6 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

---

888497-6 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.

---

888493-6 : ASM GUI Hardening

Solution Article: K40843345

---

887089-6 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.

---

886085-7 : BIG-IP TMM vulnerability CVE-2020-5925

Solution Article: K45421311

---

883717-5 : BD crash on specific server cookie scenario

Solution Article: K37466356

---

883097-3 : Radius authentication may consume excessive resources

Solution Article: K11400411

---

882185-3 : BIG-IP Edge Client Windows ActiveX

Solution Article: K20346072

---

881445-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Solution Article: K69154630

---

880361-5 : TMM may crash while processing iRules LX commands

Solution Article: K13323323

---

879745-7 : TMM may crash while processing Diameter traffic

Solution Article: K82530456

---

879413-5 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.

---

879025-7 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Solution Article: K72752002

---

872673-5 : TMM can crash when processing SCTP traffic

Solution Article: K26464312

---

871657-4 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.

---

870273-1 : TMM may consume excessive resources when processing SSL traffic

Solution Article: K44020030

---

866021-5 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.

---

860517-5 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.

---

860477-7 : SCP hardening

Solution Article: K82518062

---

860005-5 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.

---

859089-2 : TMSH allows SFTP utility access

Solution Article: K00091341

---

858301-5 : HTTP RFC compliance now checks that the authority matches between the URI and Host header

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.

Conditions:
HTTP profile is enabled.
A request contains an absolute URI with an authority different from that in the Host header.

Impact:
HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.

Workaround:
None.

Fix:
The HTTP RFC compliance option now rejects requests with an absolute URI that contains an authority different than that in the Host header.

HTTP PSM's "invalid host" option now checks that the authorities match between the URI and Host header.

---

858297-5 : HTTP requests with multiple Host headers are rejected if RFC compliance is enabled

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
HTTP requests with multiple Host headers may confuse servers. The HTTP parser currently uses the last header of a given name in a header block, whereas other software may not. This miss-match in parsing may lead to a security hole.

Note that many servers reject such requests. Such servers are not vulnerable to this kind of attack.

Conditions:
HTTP profile enabled.
Multiple Host headers exist in a HTTP request.

Impact:
HTTP requests with multiple host headers may be forwarded to back-end servers.

Workaround:
None.

Fix:
If HTTP RFC compliance is enabled on the HTTP profile, then a request that has multiple Host headers will be rejected.

HTTP PSM can now be configured to reject multiple Host headers.

---

858229-1 : XML with sensitive data gets to the ICAP server

Solution Article: K22493037

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.

---

858189-6 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.

Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:

restnoded.timeout
restjavad.timeout
icrd.timeout

The default value is 60 seconds for each of these.

A restart of restjavad and restnoded is required for the change to take effect.

tmsh restart /sys service restjavad
tmsh restart /sys service restnoded

---

858025-6 : Proactive Bot Defense does not validate redirected paths

Solution Article: K33440533

---

857669 : BIG-IP Edge Client may log sensitive data on Linux client

Solution Article: K33023560

---

854177-1 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.

---

852929-4 : AFM WebUI Hardening

Solution Article: K25160703

---

852445-6 : Big-IP : CVE-2019-6477 BIND Vulnerability

Solution Article: K15840535

---

851789-1 : SSL monitors flap with client certs with private key stored in FIPS

Component: Local Traffic Manager

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.

Fix:
Optimized FIPS API calls to improve performance of SSL monitors.

---

851045-5 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.

---

850673-5 : BD sends bad ACKs to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.

-- The policy may be incomplete in the bd causing incorrect enforcement actions.

Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.

Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).

-- A partial policy may exist in bd causing improper enforcement.

Workaround:
-- Unassign and reassign the policy.

-- if unassign/reassign does not help, export and then reimport the policy.

Fix:
Fixed inconsistency scenario between bd and bd_agent.

---

848445-5 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★

Solution Article: K86285055

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.

Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Workaround:
Can defined the parameters as global sensitive parameters.

Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer

---

848405-7 : TMM may consume excessive resources while processing compressed HTTP traffic

Solution Article: K26244025

---

846917-6 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354

---

842937-1 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.

Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.

---

842717-2 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855

Solution Article: K55102004

---

842189-1 : Tunnels removed when going offline are not restored when going back online

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.

Fix:
Tunnels removed when going offline are now restored when going back online.

---

841953-2 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes under these conditions.

---

841577-7 : iControl REST hardening

Solution Article: K20606443

---

841333-2 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

---

839453-1 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354

---

838909-2 : BIG-IP APM Edge Client vulnerability CVE-2020-5893

Solution Article: K97733133

---

838881-6 : APM Portal Access Vulnerability: CVE-2020-5853

Solution Article: K73183618

---

837837-6 : F5 SSH server key size vulnerability CVE-2020-5917

Solution Article: K43404629

---

837773-5 : Restjavad Storage and Configuration Hardening

Solution Article: K12936322

---

836357-2 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.

---

833685-2 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.

---

832885-6 : Self-IP hardening

Solution Article: K05975972

---

832757-2 : Linux kernel vulnerability CVE-2017-18551

Solution Article: K48073202

---

832205-2 : ASU cannot be completed after Signature Systems database corruption following binary Policy import

Component: Application Security Manager

Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.

Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.

Impact:
Signatures cannot be updated.

Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"

---

831661-5 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.

Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations

Impact:
Control Plane instability and poor learning performance on the device.

Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.

---

831325-4 : HTTP PSM detects more issues with Transfer-Encoding headers

Solution Article: K10701310

Component: Local Traffic Manager

Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.

Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.

Impact:
Traffic is not alarmed/blocked as expected.

Workaround:
None.

Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.

---

831293-1 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.

---

830401-6 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228

---

829121-6 : State mirroring default does not require TLS

Solution Article: K65720640

---

829117-6 : State mirroring default does not require TLS

Solution Article: K17663061

---

826601-2 : Prevent receive window shrinkage for looped flows that use a SYN cookie

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Set the initial receive window value of the VIP to 3.

Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.

---

825049-2 : Windows code signing certificate update 2019

Component: Access Policy Manager

Symptoms:
The certificate for APM Edge Client (v7.1.8.1) expires on 12 Dec. 2019

Conditions:
Code signing certificate expired on December 11,2019.

Impact:
Certificate is expired.

Fix:
Update APM client with the certificate attributes and use the new code singing certificate.

---

823893-5 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649

---

822025-5 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP:respond iRule.

---

819397-4 : TMM does not enforce RFC compliance when processing HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.

Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client

Impact:
Pool members may be exposed to non-compliant HTTP requests.

Workaround:
None.

Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

Behavior Change:
A new BigDB variable has been added.

The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.

If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.

If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.

---

819197-7 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394

---

819189-6 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441

---

818709-5 : TMSH does not follow current best practices

Solution Article: K36814487

---

818429-1 : TMM may crash while processing HTTP traffic

Solution Article: K70275209

---

818177-7 : CVE-2019-12295 Wireshark Vulnerability

Solution Article: K06725231

---

816529 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.

Component: Traffic Classification Engine

Symptoms:
URLCAT lookups to Custom DB return Unknown result.

Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time

Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.

Workaround:
None.

Fix:
Wr_urldbd restores connection to Custom DB after restart.

---

815877-5 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.

---

814761-4 : PostgreSQL monitor fails on second ping with count != 1

Component: Local Traffic Manager

Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.

When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:

Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
    at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
    at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
    at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
    at java.lang.Thread.run(Thread.java:748)

Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.

Impact:
Unable to monitor the health of postgresql server pool members accurately.

Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.

Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.

---

814585-6 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.

---

812981-1 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.

---

811789-5 : Device trust UI hardening

Solution Article: K57214921

---

811109 : TMM RAM Cache Vulnerability: CVE-2020-5861

Solution Article: K22113131

---

810957-6 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core

Component: TMOS

Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.

Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.

Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.

Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:

tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>

Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.

---

810557-5 : ASM ConfigSync Hardening

Solution Article: K05123525

---

809205-2 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated

---

809165-5 : TMM may crash will processing connector traffic

Solution Article: K50046200

---

809125-4 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm

---

808409-2 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced

The default is :

sys db tmm.dhcp.relay.giaddr.overwrite {
    value "enable"
}

On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP

On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain

---

807821-1 : ICMP echo requests occasionally go unanswered

Component: Local Traffic Manager

Symptoms:
ARP entry get stuck at state NEXTHOP_INCOMPLETE for several seconds.

Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives ICMP echo request.

Impact:
Possible traffic failures.

Workaround:
None.

Fix:
ICMP echo replies are always sent for a valid ICMP echo request.

---

807477-4 : ConfigSync Hardening

Solution Article: K04280042

---

807005-6 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.

---

805837-5 : REST does not follow current design best practices

Solution Article: K22441651

---

805557-5 : TMM may crash while processing crypto data

Solution Article: K43815022

---

805017-4 : DB monitor marks pool member down if no send/recv strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- AnLTM pool or pool members are configured to us an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.

Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

---

803233-5 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.

---

801637-2 : Cmp_dest on C2200 platform may give incorrect results

Component: TMOS

Symptoms:
Cmp_dest on C2200 platform may give incorrect results.

Conditions:
Run cmp_dest.

Impact:
Incorrect results from cmp_dest.

Fix:
Cmp_dest now gives correct results.

---

800185-1 : Saving a large encrypted UCS archive may fail and might trigger failover

Component: TMOS

Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:

# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

-- If saving UCS is automated you may find related errors in /var/log/audit:

err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))

-- Other services might be restarted due to lack of memory, which might result in failover.

--System management via config utility or command line may be sluggish while UCS saves.

Conditions:
-- Large encrypted UCS files and low free host memory.

-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.

Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.

The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.

Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.

Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)

If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.

Fix:
Saving a large UCS file no longer fails.

---

799617-5 : ConfigSync Hardening

Solution Article: K05123525

---

799589-5 : ConfigSync Hardening

Solution Article: K05123525

---

797885-5 : ConfigSync Hardening

Solution Article: K05123525

---

796993-2 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.

Conditions:
-- Create a pool with fqdn node as it pool members
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability

Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.

---

796469-1 : ConfigSync Hardening

Solution Article: K05123525

---

795797-5 : AFM WebUI Hardening

Solution Article: K21121741

---

795649-1 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system

---

795437-1 : Improve handling of TCP traffic for iRules

Solution Article: K06747393

---

795197-4 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426

---

794501-5 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
SNMP OIDs relating to interfaces may yield incomplete results.

Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80


# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.

Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.

---

794413-5 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301

---

794389-5 : iControl REST endpoint response inconsistency

Solution Article: K89509323

---

793149-1 : Adding the Strict-transport-Policy header to internal responses

Component: Application Security Manager

Symptoms:
Some applications requires the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.

Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.

Impact:
Responses arrives to the browser without the Strict-transport-Policy header.

Workaround:
Create an iRule to add the header to the response.

Fix:
Adding a BigDB parameter (asm.strict_transport_policy) which allows to add the header to all internal responses. Default is disabled.

---

789893-5 : SCP file transfer hardening

Solution Article: K54336216

---

788773-5 : HTTP/2 Vulnerability: CVE-2019-9515

Solution Article: K50233772

---

788769-5 : HTTP/2 Vulnerability: CVE-2019-9514

Solution Article: K01988340

---

788577-2 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.

---

788513-5 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.

---

788325-5 : Header continuation rule is applied to request/response line

Solution Article: K39794285

Component: Local Traffic Manager

Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.

Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.

Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).

Workaround:
None.

Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.

---

788301-2 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.

---

788057-6 : MCPD may crash while processing syncookies

Solution Article: K00103216

---

787825-4 : Database monitors debug logs have plaintext password printed in the log file

Solution Article: K58243048

Component: Local Traffic Manager

Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password

Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql

Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.

---

785481-5 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached

Component: Local Traffic Manager

Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.

Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.

Impact:
Reset packets are not sent back to clients when they should be.

Workaround:
None.

Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.

---

785009-1 : Binary policy import fails with a user-defined Signature Set containing only non-existent signatures

Component: Application Security Manager

Symptoms:
Binary policy import fails if the policy contains a user-defined Signature Set which contains only non-existent Signatures (such as user-defined Signatures).

The error in the GUI:
Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.
)

The error in /var/log/asm:

crit g_server_rpc_handler_async.pl[26870]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.

Conditions:
A binary policy file contains a user-defined Signature Set which contains only signatures that don't exist on the target device (such as user-defined Signatures).

Impact:
Policy import fails.

Workaround:
You can use either of the following Workarounds:

-- Re-export the policy as XML.
-- Create the missing user-defined Signatures.

Fix:
Binary policy import succeeds even with empty user-defined Signature Sets.

---

784565-5 : VLAN groups are incompatible with fast-forwarded flows

Component: Local Traffic Manager

Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.

Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.

Impact:
Some connections may fail.

Workaround:
None.

Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.

---

783505-1 : ASU is very slow on device with hundreds of policies due to table checksums

Component: Application Security Manager

Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.

Impact:
The ASU process takes hours to complete.

Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.

---

783113-2 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted

Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes(blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.

---

782529-5 : iRules does not follow current design best practices

Solution Article: K30215839

---

781377-3 : tmrouted may crash while processing Multicast Forwarding Cache messages

Solution Article: K93417064

---

781225-4 : HTTP profile Response Size stats incorrect for keep-alive connections

Component: Local Traffic Manager

Symptoms:
The HTTP profile Response Size static is incorrectly updated per-response using the cumulative number of response bytes seen for the lifetime of the connection, rather than the bytes seen per-response.

Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses

Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.

Workaround:
None.

Fix:
The HTTP Response Size statistics are correctly updated using per-response values.

---

780817-3 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

  + VIPRION B4300, B4340, and B44xx blades.
  + BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.

Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.

---

780601-5 : SCP file transfer hardening

Solution Article: K03585731

---

779177-5 : Apmd logs "client-session-id" when access-policy debug log level is enabled

Solution Article: K37890841

---

778077-2 : Virtual to virtual chain can cause TMM to crash

Solution Article: K53183580

---

777261-1 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.

---

774301-1 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of digital signature fails in certain cases:

err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.

-- This is also applicable to any SAML requests/responses that are signed:
   a) SAML Authentication Request
   b) SAML Assertion
   c) SAML Artifact Response
   e) SAML SLO Request/Response

Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAM SP fails to process SAML Requests/Responses resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.

Workaround:
None.

Fix:
Output now matches the Canonicalized element without Signature' calculated by APM, so deployment occurs without error.

---

773673-5 : HTTP/2 Vulnerability: CVE-2019-9512

Solution Article: K98053339

---

773653-3 : APM Client Logging

Solution Article: K23876153

---

773649-3 : APM Client Logging

Solution Article: K23876153

---

773641-3 : APM Client Logging

Solution Article: K23876153

---

773637-3 : APM Client Logging

Solution Article: K23876153

---

773633-3 : APM Client Logging

Solution Article: K23876153

---

773621-3 : APM Client Logging

Solution Article: K23876153

---

773553-5 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.

---

773421-5 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.

Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.

---

771873-2 : TMSH Hardening

Solution Article: K40378764

---

770477-4 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.

Fix:
Allow both signaling mechanism in client_hello.

---

769817-5 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.

Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.

---

769809-1 : The vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.

Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).

Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade

---

769309-4 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.

Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).

---

769193-3 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.

Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.

Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

---

768981-5 : VCMP Hypervisor Hardening

Solution Article: K05765031

---

767373-4 : CVE-2019-8331: Bootstrap Vulnerability

Solution Article: K24383845

---

767013-5 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150, B2250, and B4450 blades. This has also been seen on F5 Appliances, such as iSeries platforms. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.

---

766577-5 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.

---

766169-1 : Replacing all VLAN interfaces resets VLAN MTU to a default value

Component: Local Traffic Manager

Symptoms:
When the last physical interface is removed from a VLAN, VLAN's MTU is reset to default value of 1500. However when replacing all interfaces belonging to a VLAN with a new ones (e.g., with a command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even if it does not look like removing all interfaces, it is actually done by removing all interfaces immediately followed by adding new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for newly added interfaces. As it is done automatically inside TMM, it is not reflected in the configuration. TMSH and Configuration Utility continue to report original value.

Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.

Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.

Workaround:
There are two workarounds:

-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.

Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.

---

766017-5 : [APM][LocalDB] Local user database instance name length check inconsistencies★

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

Fix:
Tmsh now enforces the length limit for localdb instance names.

---

765809 : Memory increases for the bd daemon on cluster environment primary blade

Component: Application Security Manager

Symptoms:
BD memory increases. The increased memory is seen as a very large number in the last column of the bd.log files UMU prints.

Conditions:
-- ASM provisioned on cluster environment.
-- ASM policy attached to a virtual.
-- Brute force protection configured.

Impact:
Memory increase; swap usage.

Workaround:
None.

Fix:
Freed a chunk of memory which was allocated upon a sync from secondary to primary blade.

---

765533-5 : Sensitive information logged when DEBUG logging enabled

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048

---

762453-4 : Hardware cryptography acceleration may fail

Solution Article: K63558580

---

762073-3 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.

Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.

---

761231-5 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Solution Article: K79240502

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.

---

761185-5 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550

Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550

Impact:
For more information please see: https://support.f5.com/csp/article/K50375550

Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550

Fix:
For more information please see: https://support.f5.com/csp/article/K50375550

---

761144-2 : Broadcast frames may be dropped

Solution Article: K95117754

---

761112-6 : TMM may consume excessive resources when processing FastL4 traffic

Solution Article: K76328112

---

761014-5 : TMM may crash while processing local traffic

Solution Article: K11447758

---

760950-1 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Note: A previous bug had this same symptom, but was due to a different root cause.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.

---

760878-1 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.

---

760723-4 : Qemu Vulnerability

Solution Article: K64765350

---

760629-1 : Remove Obsolete APM keys in BigDB

Component: Access Policy Manager

Symptoms:
Several APM/Access BigDB keys are obsolete and should be removed as they only add confusion

Conditions:
--BigIp is UP and Running

Impact:
Though those keys are not being used they create confusion as a placeholder

Workaround:
Remove those keys from BigDB and control plane side as those are not being used. But don't remove the keys which has still dependancies with other modules and also don/'t remove those keys used in upgrade

Fix:
Remove those keys from BigDB and control plane side as those are not being used. But don't remove the keys which has still dependancies with other modules and also don/'t remove those keys used in upgrade

---

760550-2 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.

---

760471-5 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once very 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval)

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.

---

760439-1 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.

---

760234-3 : Configuring Advanced shell for Resource Administrator User has no effect

Component: TMOS

Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.

Conditions:
Configuring Advanced shell for Resource Administrator User.

Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.

Workaround:
None.

Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.

Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.

---

759968-1 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
-- Distinct vCMP guests are able to cluster with each other.

-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac

Check the 'rebroad_mac' field for duplicate mac addresses.

vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------

Conditions:
-- It is not yet clear under what circumstances the issue occurs.

-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:

tmsh

Then run the following commands, in sequence:

stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config

Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask and then changing it back.

With the above steps, the duplicated rebroadcaster MAC still shows, but the vguests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Important: Applying procedure described in K13030 interrupts traffic.

Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.

---

759596-4 : Tcl errors in iRules 'table' command

Component: TMOS

Symptoms:
The iRules 'table delete' command causes Tcl errors due to improperly handling the return code from SessionDB.

Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.

Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.

Workaround:
Do not use 'table delete' command

Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.

---

759480-1 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

Component: Local Traffic Manager

Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.

Conditions:
When all of the following conditions are met:

-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.

-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).

-- A CLIENT_CLOSED event is present.

-- The pool member fails in some manner, triggering LB_FAILED

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add reject command to LB_FAILED event to force the serverside of the connection closed before response is sent to the client.

---

759343-3 : MacOS Edge Client installer does not follow best security practices

Solution Article: K49827114

---

758872-1 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.

---

758764-5 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).

---

758631-1 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.

Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.

---

758527-5 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Solution Article: K39604784

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.

---

758336-2 : Incorrect recommendation in Online Help of Proactive Bot Defense

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.

---

758119-3 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048

---

758065-3 : TMM may consume excessive resources while processing FIX traffic

Solution Article: K82781208

---

758018-2 : APD/APMD may consume excessive resources

Solution Article: K61705126

---

757578-5 : RAM cache is not compatible with verify-accept

Component: Local Traffic Manager

Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature

Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.

Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.

Workaround:
Do not use TCP's verify-accept option together with RAM cache.

Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.

---

757520 : After a software upgrade, the BIG-IP system does not use the correct hostname for logging.★

Component: TMOS

Symptoms:
After performing a regular software upgrade during which the configuration was rolled forward, the log messages for all daemons except tmm on the upgraded unit, report the default hostname (i.e., localhost) instead of the hostname assigned to the BIG-IP system.

Conditions:
Performing a software upgrade to BIG-IP version 11.5.6, 11.5.7, 11.5.8, or 12.1.4 while rolling forward the existing configuration.

This can also happen when you first set up remote syslog on a new LTM on an affected version.

Impact:
There is no impact to the BIG-IP system itself. However, a BIG-IP Administrator may wrongly assume that the configuration failed to load the configuration due to the default hostname being visible in the logs.

This is not the case; the BIG-IP system correctly loads the configuration post-upgrade. If you are concentrating logs to an external server this may make it difficult to determine where some logs originated.

Workaround:
To work around this issue, run the following command:

bigstart restart syslog-ng

Note: This issue occurs only the very first time one of the affected versions is booted. Once the issue has been worked around once, the issue does not recur. Therefore, this workaround can be considered permanent.

Fix:
After software upgrade, the BIG-IP system now uses the intended hostname for logging.

---

757455-4 : Excessive resource consumption when processing REST requests

Solution Article: K87920510

---

757391-1 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.

Fix:
tmm no longer crashes under these conditions.

---

757088 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.

---

757027-4 : BIND Update

Solution Article: K01713115

---

757026-4 : BIND Update

Solution Article: K25244852

---

757025-4 : BIND Update

Solution Article: K00040234

---

757023-5 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656

---

756774-3 : Aborted DNS queries to a cache may cause a TMM crash

Solution Article: K24401914

---

756538-2 : Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.

Solution Article: K15759349

---

756450-3 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: Local Traffic Manager

Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.

Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.

---

756270-1 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.

---

756153-1 : Add diskmonitor support for MySQL /var/lib/mysql

Component: TMOS

Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.

Conditions:
The disk partition /var/lib/mysql is filled to 100%.

Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.

Workaround:
None.

---

756094-1 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.

---

755997-3 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address

Component: Local Traffic Manager

Symptoms:
When IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener, and is send out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.

Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPSEC listener.
-- The traffic is sent out via a gateway pool or a dynamic route.

Impact:
The incorrect source address is used.

Workaround:
None.

Fix:
The IPsec traffic uses now the correct IP source-address.

---

755727-4 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.

---

755507-1 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.

---

755005-4 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.

Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.

---

754944-4 : AVR reporting UI does not follow best practices

Solution Article: K00432398

---

754460 : No failover on HA Dual Chassis setup using HA score

Component: TMOS

Symptoms:
On a high availability (HA) set up of two chassis, an HA failover does not occur, despite HA score on Standby being greater than Active.

Conditions:
-- Multiple blades disabled.
-- Both active and standby chassis have same HA score.
-- Enabling blades on standby chassis.

Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.

Workaround:
None.

---

754365-2 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.

---

754345-4 : WebUI does not follow best security practices

Solution Article: K79902360

---

754257 : URL lookup queries not working

Component: Traffic Classification Engine

Symptoms:
Occasionally, there is no response to a url-categorization query.

Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.

Impact:
URL does not get classified. Cannot take any actions against those URLs.

Workaround:
None.

Fix:
URL lookup queries now work as expected.

---

754103-3 : iRulesLX NodeJS daemon does not follow best security practices

Solution Article: K75532331

---

753912-1 : UDP flows may not be swept

Solution Article: K44385170

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.

Fix:
The system now correctly manages all expired flows.

---

753805-2 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.

Component: Local Traffic Manager

Symptoms:
After failover, a longer time than expected for the virtual server to become available.

Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.

Impact:
Virtual server takes longer than expected to become available.

Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.

---

753796-3 : SNMP does not follow best security practices

Solution Article: K40443301

---

753776-3 : TMM may consume excessive resources when processing UDP traffic

Solution Article: K07127032

---

753014-2 : PEM iRule action with RULE_INIT event fails to attach to PEM policy

Component: Policy Enforcement Manager

Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.

Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.

Impact:
PEM fails to update the new iRule action.

Workaround:
Force mcpd to reload the BIG-IP configuration.

To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.

---

752930 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.

---

752835-1 : Mitigate mcpd out of memory error with auto-sync enabled.

Solution Article: K46971044

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
Mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.

---

751586-1 : Http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.

Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.

Impact:
The traffic is still translated to the destination address to the pool member.

Workaround:
None.

Fix:
Translate-address disabled is working correctly now.

---

751036-4 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Solution Article: K52035247

---

750586-3 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.

Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.

---

750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Responses to queries with EDNS0 record to DNS Cache do not contain the RFC-required EDNS0 record.

Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Cache.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.

---

750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.

Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.

---

750473-2 : VA status change while 'disabled' are not taken into account after being 'enabled' again

Component: Local Traffic Manager

Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.

Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.

Impact:
No route-advertisement of the virtual-address.

Workaround:
Toggle the route-advertisement for virtual-address.

Fix:
The virtual-address now operations as expected when disabled.

---

750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.

Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, send a response with the BADVERS error code as stipulated by the RFC.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok

---

750460-4 : Subscriber management configuration GUI

Solution Article: K61002104

---

750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Queries to DNS Express containing an ENDS0 record it does not understand.

Impact:
DNS Express responses might not contain the RFC-required ENDS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Express.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok

---

750292-3 : TMM may crash when processing TLS traffic

Solution Article: K54167061

---

750213-1 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.

---

750187-4 : ASM REST may consume excessive resources

Solution Article: K29149494

---

749879 : Possible interruption while processing VPN traffic

Solution Article: K47527163

---

749785-3 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consuming 100% CPU.

Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.

Workaround:
None.

Fix:
nsm now processes recursive route without issues.

---

749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.

---

749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.

---

749508-4 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.

Fix:
The system contains improvements for handling OOM conditions properly.

---

749414-1 : Invalid monitor rule instance identifier error

Component: Local Traffic Manager

Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.

Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.

-- Pool members are incorrectly marked down.

Workaround:
You can use either of the following:

-- Failover or failback traffic to the affected device.

-- Run the following command: tmsh load sys config.

---

749388-4 : 'table delete' iRule command can cause TMM to crash

Component: TMOS

Symptoms:
TMM SegFaults and restarts.

Conditions:
'table delete' gets called after another iRule command.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.

Fix:
Fixed code to prevent invalid use of internal data structure.

---

749324-4 : jQuery Vulnerability: CVE-2012-6708

Solution Article: K62532311

---

749294-1 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.

---

749153 : Cannot create LTM policy from GUI using iControl

Component: TMOS

Symptoms:
LTM policy cannot be created from GUI using iControl REST.

Conditions:
Using iControl to create an LTM policy.

Impact:
LTM policy cannot be created from the GUI

Workaround:
Create LTM policy using TMSH.

Fix:
Can now create LTM policy from GUI using iControl.

---

749007-4 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list

Component: TMOS

Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.

Conditions:
-- Creating a GTM region record.
-- Create a GTM any region of Country South Sudan, Sint Maarten, or Curacao.

Impact:
Cannot select South Sudan county from GTM country list.

Workaround:
None

Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.

---

748902-8 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.

---

748502-4 : TMM may crash when processing iSession traffic

Solution Article: K72335002

---

748205-2 : SSD bay identification incorrect for RAID drive replacement★

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.


1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.

---

748187-1 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.

Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.

---

748177-4 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request gets wrong answer.

Workaround:
There is no workaround at this time.

Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.

---

747968-4 : DNS64 stats not increasing when requests go through DNS cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.

Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.

Impact:
DNS64 stats are not correct.

Workaround:
There is no workaround at this time.

---

747909-2 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.

Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.

---

747725-1 : Kerberos Auth agent may override settings that manually made to krb5.conf

Component: Access Policy Manager

Symptoms:
when apmd starts up, it can override settings in krb5.conf file with those required for Kerberos Auth agent

Conditions:
- Kerberos Auth is configured in an Access Policy,
- administrator made changes to krb5.conf manually
to the section [realms] of the configured realm

Impact:
Kerberos Auth agent behavior is not what administrator expects with the changes.
it may also affect websso(kerberos) to behave properly

Workaround:
None

Fix:
after fix, the configuration file changes are merged.
Kerberos Auth agent adds the lines it requires and does not override existing settings

---

747617-4 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
SSL filter will no longer be enabled after connection close.

---

747592-4 : PHP vulnerability CVE-2018-17082

Component: TMOS

Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Conditions:
This exploit doesn't need any authentication and can be exploited via POST request. Because of 'Transfer-Encoding: Chunked' header php is echoing the body as response.

Impact:
F5 products not affected by this vulnerability. Actual impact of this vulnerability is possible XSS attack.

Workaround:
No known workaround.

Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.

---

747585-1 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround this time.

Fix:
TCP analytics now supports both ANY and TCP protocol numbers and would collect analytics for TCP flows if protocol number is ANY or TCP.

---

747560-2 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.

Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.

---

747192-3 : Small memory leak while creating Access Policy items

Component: Access Policy Manager

Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.

Conditions:
The leak occurs while creating new policy items in Access.

Impact:
After a long uptime interval, mcpd may crash due to lack of memory.

Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.

Fix:
Leak was fixed by clearing the leaked objects.

---

747187-4 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None

Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.

---

747104-4 : LibSSH: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493

---

746922-3 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.

If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.

#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.

Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.

Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.

Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.

Workaround:
Use either of these workaround after a new route in child domain is added.

-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.

-- Recreate a routing object.
  - If a pool member is affected, recreate the pool member.
  - If a SNAT pool list is affected, recreate it.
  - And so on.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.

---

746877-4 : Omitted check for success of memory allocation for DNSSEC resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSSEC traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.

Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.

---

746868 : memory leakage when "apply to base domain" is enabled

Component: Fraud Protection Services

Symptoms:
Memory leakage when "apply to base domain" is enabled. this can result in a crash or aggressive sweeper mode.

Conditions:
"apply to base domain" is enabled in the anti-fraud profile

Impact:
Aggressive connections sweeper mode, and traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

---

746768-2 : APMD leaks memory if access policy policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.

Fix:
Memory growth has been addressed.

---

746348-3 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.

---

746266-4 : A vCMP guest VLAN MAC mismatch across blades.

Component: TMOS

Symptoms:
The vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN upon host reboot for the vCMP guest.

Conditions:
This issue may be seen when all of the following conditions are met:

-- One or more blades are turned off completely via AOM.
-- There are two VLANs.
-- You deploy a multi-slot guest with the higher lexicographic VLAN, and assign the lower VLAN to the guest.
-- Reboot the host.

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
None.

Fix:
There is no longer a vCMP guest VLAN MAC mismatch across blades under these conditions.

---

746091-4 : TMSH Vulnerability: CVE-2019-19151

Solution Article: K21711352

---

746077-2 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified

Component: Local Traffic Manager

Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.

Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value,

Impact:
RFC 1542 violation

Workaround:
None.

Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.

---

745713-2 : TMM may crash when processing HTTP/2 traffic

Solution Article: K94563344

---

745654-1 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.

---

745574-4 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.

Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.

---

745405 : Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover

Component: TMOS

Symptoms:
Under heavy SSL traffic, it is observed that sw crypto codec queue is stuck and taken out of service, but no failover happened

Conditions:
Heavy SSL traffic

Impact:
Traffic is impacted and a large number of SSL handshakes to the BIG-IP are failing.

Workaround:
Increase crypto.queue.timeout to a much larger number(from 100 to 500 for example). Restart tmms for the change to take effect.

---

745404-3 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows

Workaround:
None.

Fix:
The SDP payload is now reparsed if modified or replaced.

---

745387-4 : Resource-admin user roles can no longer get bash access

Solution Article: K07702240

---

745371-3 : AFM GUI does not follow best security practices

Solution Article: K68151373

---

745358-4 : ASM GUI does not follow best practices

Solution Article: K14812883

---

745261-3 : The TMM process may crash in some tunnel cases

Component: TMOS

Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.

Conditions:
There are two scenarios that may lead to this issue:

Scenario 1: DSR
- DSR is deployed.


Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.

Impact:
The TMM process crashes.Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM process no longer crashes.

---

745257-4 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447

---

745165-4 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195

---

744959-2 : SNMP OID for sysLsnPoolStatTotal not incremented in stats

Component: Carrier-Grade NAT

Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.

Conditions:
This affects all of the global port block allocation (PBA) counters.

Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.

Workaround:
None.

Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.

---

744937-4 : BIG-IP DNS and GTM DNSSEC security exposure

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442

Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442

Impact:
For more information please see: https://support.f5.com/csp/article/K00724442

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K00724442

Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:

-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.

These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.

When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.

When using these variables:

-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.

---

744707-1 : Crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.

Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.

---

744536 : HTTP/2 may garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes.

Impact:
Application functionality may be disrupted because large header values, such as for cookies, may be truncated when passed to the endpoint.

Workaround:
None.

Fix:
The HTTP/2 filter now correctly encodes large HTTP headers.

---

744516-2 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.

Fix:
TMM no longer panics regardless of the number of remote picks.

---

744347-1 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.

---

744331-1 : OpenSSH hardening

Component: TMOS

Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.

Conditions:
Administrative SSH access enabled.

Impact:
OpenSSH does not follow best practices.

Fix:
The default OpenSSH configuration includes best practices for security hardening.

---

744269-3 : dynconfd restarts if FQDN template node deleted while IP address change in progress

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.

Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).

Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.

Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.

---

744117-6 : The HTTP URI is not always parsed correctly

Solution Article: K18263026

Component: Local Traffic Manager

Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.

Conditions:
-- HTTP profile is configured.
-- The URI is inspected.

Impact:
If the URI is used for security checks, then those checks might be bypassed.

Workaround:
None.

Fix:
The HTTP URI is parsed in a more robust manner.

---

744035-3 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880

---

743950-3 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled

Component: Local Traffic Manager

Symptoms:
TMM raises a segmentation violation and restarts.

Conditions:
-- Set up client-side and server-side SSL with:
  + Client Certificate Constrained Delegation (C3D) enabled.
  + OCSP enabled.

-- Supply SSL traffic.

Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.

Workaround:
Disable C3D.

Fix:
Memory no longer leaks when C3D and OCSP are both enabled with client SSL and server SSL set up.

---

743815-4 : vCMP guest observes connflow reset when a CMP state change occurs.

Component: TMOS

Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.

Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.

Impact:
This might interrupt a long-lived flow and eventually cause an outage.

Workaround:
None.

Fix:
The system now drops the connflow instead of resetting it.

---

743803-5 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.

---

743790-4 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.

Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.

Impact:
No failover to standby unit after this error condition, causing site outage.

Workaround:
None.

Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.

---

---

743082-3 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★

Component: TMOS

Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result a configuration that fails to load due to a stray colon-character that gets added to the configuration file.

Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.

Impact:
Configuration fails to load.

Workaround:
Remove stray colon-character from bigip_gtm.conf.

Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.

---

742628-6 : Tmsh session initiation adds increased control plane pressure

Solution Article: K53843889

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash

---

742237-1 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd

Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.

---

742226-3 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536

---

742078-1 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.

Fix:
The following command enables the forwarding of an an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable

---

741994 : Cleanup Webroot database files when database fail to download

Component: Traffic Classification Engine

Symptoms:
/var partition gets full when the temporary files are not deleted.

Conditions:
When the update process of the wr_urldb encounters errors, the temporary (downloaded/created) files do not appear to be deleted, and /var directory fills with them.

Impact:
/var partition may get full.

Workaround:
Empty /var/wr_urldb/bcdatabase, and restart wr_urldbd to re-download the new database file.

Fix:
With this release, the temp files downloaded during the database download process get deleted when the download fails.

---

741951-3 : Multiple extensions in SIP NOTIFY request cause message to be dropped.

Component: Service Provider

Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.

Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.

Impact:
NOTIFY message is not forwarded.

Workaround:
None.

Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.

---

741919-1 : HTTP response may be dropped following a 100 continue message.

Component: Local Traffic Manager

Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.

Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).

Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.

Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.

Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.

-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable

---

741902-4 : sod does not validate message length vs. received packet length

Component: TMOS

Symptoms:
sod may crash or produce unexpected behavior.

Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.

Impact:
sod may crash, causing a failover.

Workaround:
None.

Fix:
sod validates the received packet length and does not reference invalid memory.

---

741423-1 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync

Component: TMOS

Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.

The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.

Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.

Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.

Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):

1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.

For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:

tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }

2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.

Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.

---

741108 : tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses

Component: Application Security Manager

Symptoms:
tmm memory leak can lead to tmm out-of-memory state.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has device ID enabled.
-- HTTP profile accept_xff enabled.

Impact:
Unexpected tmm out-of-memory state can be reached, causing sweeper activity and disrupting traffic.

Workaround:
Disable accept_xff in HTTP profile that is assigned to a virtual server along with ASM policy.

Fix:
The leak is now fixed.

---

740963-3 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart

Component: Local Traffic Manager

Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.

Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.

Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP retransmit bursts are now handled gracefully.

---

740959-1 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition;

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.

Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.

---

740777-2 : Secondary blades mcp daemon restart when subroutine properties are configured

Component: Access Policy Manager

Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.

Conditions:
When a subroutine is configured in the access policy.

Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.

Workaround:
There is no workaround other than to not use subroutine in the access policy.

Fix:
You can now use subroutines in the access policy.

---

740490-2 : Configuration changes involving HTTP2 or SPDY may leak memory

Component: Local Traffic Manager

Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.

Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.

Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.

Workaround:
None.

Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.

---

740228-3 : TMM crash while sending a DHCP Lease Query to a DHCP server

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.

---

739971-3 : Linux kernel vulnerability: CVE-2018-5391

Solution Article: K74374841

---

739970-3 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321

---

739963-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.

---

739947-3 : TMM may crash while processing APM traffic

Solution Article: K42465020

---

739945-1 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.

---

739927-1 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.

---

739872-3 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover

Component: TMOS

Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.

Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.

Impact:
Unintended failover.

Workaround:
None.

Fix:
HA Group scores are no longer updated when running 'load sys config verify' commands.

---

739846-4 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.

---

739798 : Massive number of log messages being generated and written to the bd.log.

Component: Application Security Manager

Symptoms:
Log messages regarding parameters might fill the bd.log file. The system logs messages appear similar to the following:

deleting job-> converterd key
deleting p_node

Conditions:
No special conditions are required to cause this to occur.

Impact:
Lots of I/O processing. Potentially large bd.log file.

Workaround:
None.

Fix:
Fixed a scenario that resulted in a massive number of log messages being generated and written to the bd.log.

---

739744-2 : Import of Policy using Pool with members is failing

Component: Access Policy Manager

Symptoms:
Import of Policy using Pool with members is failing with an error Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)

Conditions:
Policy has pool attached to it with resource assign or chained objects

Impact:
Policy is not being imported on the same box

Workaround:
There is no workaround at this time.

Fix:
ng-import is now importing policy correctly.

---

739638-1 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.

Fix:
BGP peering can be properly established through a pool route.

---

739570-1 : Unable to install EPSEC package★

Component: Access Policy Manager

Symptoms:
Installation of EPSEC package via tmsh fails with error:

Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).

Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso

Impact:
First-time installation of EPSEC package through tmsh fails.

Workaround:
You can do a first-time installation of EPSEC with the following commands:

tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso

Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.

---

739144-1 : Domain logoff scripts runs after VPN connection is closed

Component: Access Policy Manager

Symptoms:
APM Network Access option: 'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.

Conditions:
Following options configured for Microsoft Windows clients:
* Synchronize with Active Directory policies on connection establishment.
and
* Execute logoff scripts on connection termination.

-- Windows client is part of a domain.
-- Domain logoff script is not available without VPN connection.

Impact:
'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.

Workaround:
None.

Fix:
Changes in APM client allow it to wait until domain logoff script execution completes before closing VPN connection, so this issue no longer occurs.

---

739094-4 : APM Client Vulnerability: CVE-2018-5546

Solution Article: K54431371

---

738945-1 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.

---

738943-1 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
ability to show dynamic routing state using imish

Workaround:
restart ospfd daemon

---

738887-2 : BIG-IP SNMPD vulnerability CVE-2019-6608

Component: TMOS

Symptoms:
https://support.f5.com/csp/article/K12139752

Conditions:
https://support.f5.com/csp/article/K12139752

Impact:
https://support.f5.com/csp/article/K12139752

Workaround:
https://support.f5.com/csp/article/K12139752

Fix:
https://support.f5.com/csp/article/K12139752

---

738789-3 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog

Component: Application Security Manager

Symptoms:
ASM blocks requests when a request payload is an xml document with a prolog line at the begging with encoding="us-ascii".

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon, the typical value is encoding="utf-8").

Impact:
Blocked XML requests.

Workaround:
You can use either of the following workarounds:

-- Remove XML profile from a URL in the ASM policy.

-- Disable XML malformed document detection via ASM policy blocking settings.

Fix:
XML parser now supports encoding="us-ascii".

---

738669-3 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.

---

738647-1 : Add the login detection criteria of 'status code is not X'

Component: Application Security Manager

Symptoms:
There is a criterion needed to detect successful login.

Conditions:
Attempting to detect successful login when the response code is not X (where 'x' = some code).

Impact:
Cannot configure login criteria.

Workaround:
None.

Fix:
This release adds a new criterion to the login criteria.

---

738523-3 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.

Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.

---

738521-2 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There are two workarounds:

-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.

Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.

---

738445-1 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup

Component: TMOS

Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:

-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.

-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.

Either alone prevents finding the SA to delete.

Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.

Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.

Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>

Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.

---

738397-2 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.

Component: Access Policy Manager

Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.

The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.

Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
  + The IdP has a Per-Request policy (in addition to a V1 policy).
  + That Per-Request policy has a subroutine or a subroutine macro with a logon page.

Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.

Workaround:
None.

Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.

---

738236-3 : UCS does not follow current best practices

Solution Article: K25607522

---

738119-3 : SIP routing UI does not follow best practices

Solution Article: K23566124

---

738046-3 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.

Fix:
SERVER_CONNECTED now fires when expected on the standby device.

---

737998 : Brute Force end attack condition isn't satisfied for successful logins only

Component: Application Security Manager

Symptoms:
When brute force attack is detected and prevented by asm, asm continue to prevent login attempts even the attacking traffic has stopped 5 minutes ago.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM Brute Force protection enabled in the asm policy
- There is an ongoing brute force attack on the backend server.

Impact:
ASM doesn't report that brute force attack is finished and logins mitigation continues to occur.

Workaround:
While ongoing endless brute force attack, change an arbitrary field in brute force configuration and apply policy. Brute force attack end event will be triggered and the system will stop brute force prevention, if the attacking traffic still being sent, new brute force attack event will be raised and the mitigation will reoccur.

Fix:
Fix brute force end condition check for a case when only successful logins are sent.

---

737910-1 : Security hardening on the following platforms

Solution Article: K18535734

---

737758-1 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.

Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.

---

737731-3 : iControl REST input sanitization

Solution Article: K44885536

---

737597 : AVR DoS Attack report misses virtual server name in a specific config

Component: Application Visibility and Reporting

Symptoms:
In Security :: Reporting : DoS : Network, the report shows the attack, but categorizes the attack under 'Aggregated' in the Virtual Server name value, rather than the actual name of the Virtual Server on which the attack is happening.

Conditions:
-- A Virtual Server is configured with a IP/Subnet range.

For example,
-- Virtual Server with Destination Address: 10.10.10.0/27 (meaning the destination range is 10.10.10.32 - 10.10.10.63).
-- Destination Address of the Client Traffic and Attack: 10.10.10.63

View AVR Reporting, which does not resolve the to any specific Virtual Server, but instead categorizes the attack as 'Aggregate'.

Impact:
AVR report missing the Virtual Server information.

Workaround:
None.

---

737574-3 : iControl REST input sanitization★

Solution Article: K20541896

---

737565-3 : iControl REST input sanitization

Solution Article: K20445457

---

737442-1 : Error in APM Hosted Content when set to public access

Solution Article: K32840424

---

737441-1 : Disallow hard links to svpn log files

Solution Article: K54431371

---

737437-1 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages

Component: TMOS

Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformatted ISAKMP.

Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.

Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.

Workaround:
To help workaround this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.

Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.

---

737389 : Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed

Component: TMOS

Symptoms:
There may be a large number of messages in /var/log/kern.log similar to the following:

Tracklist initialized
Tracklist destroyed

Conditions:
This can happen when vCMP is provisioned, which enables SR-IOV mode.

Impact:
It causes messages to show up in /var/log/kern.log, but does not affect traffic. This is a cosmetic issue and does not indicate a functionality issue.

Workaround:
None.

Fix:
Tracklist is now disabled, so this issue no longer occurs.

---

737332-2 : It is possible for DNSX to serve partial zone information for a short period of time

Component: Global Traffic Manager (DNS)

Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.

Conditions:
-- Two zones being transferred during the same time period
  + zone1.example.net
  + zone2.example.net

-- Transfer of zone1 has started, but not finished.

-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.

Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.

Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.

Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.

---

737322-1 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes at startup if the configuration load fails.

---

737055-3 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot login to the Configuration Utility. Instead the system presents a blank page, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.

---

735832-2 : RAM Cache traffic fails on B2150

Component: Performance

Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.

Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.

Impact:
B2150 does not pass any RAM Cache traffic.

Workaround:
None.

Fix:
RAM Cache traffic now succeeds on B2150.

---

735565-3 : BGP neighbor peer-group config element not persisting

Component: TMOS

Symptoms:
neighbor peer-group configuration element not persisting after restart

Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart

Impact:
BGP peer-group configuration elements don't persist

Workaround:
Reconfigure BGP neighbor peer-group after restart

Fix:
BGP neighbor peer-group configuration is properly save to configuration, and persists after restart

---

734622 : Policy change with newly enforced signatures causes sig collection failure in other policies

Solution Article: K83093212

Component: Application Security Manager

Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.

Conditions:
An ASM policy is changed by adding newly enforced signatures.

Impact:
Signature collection failures are logged for all other policies.

Workaround:
For each other policy on the device, make a spurious change (such as modifying policy description and saving) and apply the policy. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.

---

734539-2 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads

Component: TMOS

Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.

Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.

Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.

Workaround:
There is no workaround at this time.

Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.

---

734527-4 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.

Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.

Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.

Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.

---

734446-3 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.

Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.

---

734177 : CVE-2019-12190 : RHEL6 Kernel Vulnerability

Solution Article: K42142782

---

727292-2 : SSL in proxy shutdown case does not deliver server TCP FIN

Component: Local Traffic Manager

Symptoms:
Connection is not torn down.

Conditions:
HTTPS server disconnects connection when in handshake.

Impact:
Potential resource exhaustion.

Workaround:
You can mitigate this condition in either of the following ways:

-- Wait for system to clean up lingering connections.

-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)

-- If this happens on the config-sync channel, use a different self-ip for config-sync on the affected device.

Fix:
SSL server side handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.

---

727206-4 : Memory corruption when using SSL Forward Proxy on certain platforms

Component: Local Traffic Manager

Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.

Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.

-- Using the following platforms:
   - vCMP host
   - 2000s / 2200s
   - 5000s / 5200v
   - 5050s / 5250v / 5250v-F
   - 10350V-F

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.

---

727107-1 : Request Logs are not stored locally due to shmem pipe blockage

Component: Application Security Manager

Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:

----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.

Messages similar to the following appear in pabnagd.log:

Conditions:
Request Logs are not stored locally due to shmem pipe blockage.

Impact:
Event logs stop logging locally.

Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd

Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.

---

727044-1 : TMM may crash while processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing compressed data.

Conditions:
Compression enabled
Hardware compression disabled

Impact:
TMM crash leading to a failover event.

Workaround:
No workaround.

Fix:
TMM now correctly processes compressed traffic

---

727031-2 : TMM disruption from disaggregation in vCMP systems

Component: Access Policy Manager

Symptoms:
On B2250 blades the Traffic Management Microkernel (TMM) may experience a series of panics and restarts.

The system reports a related message in /var/log/tmm:
vdag failed to attach

On other types of BIG-IP systems some ICMP monitors may fail, indicating a node that is known to be up is down.

Conditions:
-- Guest BIG-IP instance in a vCMP configuration.
-- Guest is running BIG-IP v13.1.3.5.
-- Host is running a software version other than BIG-IP v13.1.3.5.
-- For tmm panic issue, host is B2250 blade

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Note: If installing 13.1.3.5 on a vCMP host or guest, please contact F5 Support and ask for an engineering hotfix with the fix for this issue. Install it on the vCMP host and all guests on that host running 13.1.3.5.

Fix:
TMM disruption no longer occurs from disaggregation in vCMP systems.

---

726983-5 : Inserting multi-line HTTP header not handled correctly

Component: Local Traffic Manager

Symptoms:
Using an iRule to insert an HTTP header that contains an embedded newline followed by whitespace is not parsed properly. It can result in the new header being incorrectly split into multiple headers.

Conditions:
iRule which adds a header containing embedded newline followed by whitespace:
    HTTP::header insert X-Multi "This is a\n multi-line header"

Impact:
New header does not get parsed properly, and its values are treated like new header values. In some cases the tmm may be restarted.

Workaround:
Ensure that the trailing whitespace text is not present (if not legitimately there). For manipulation of HTTP Cookie headers, use the HTTP::cookie API rather than directly via HTTP::header.

Fix:
Inserting multi-line HTTP header parsed correctly

---

726895-1 : VPE cannot modify subroutine settings

Solution Article: K02205915

Component: Access Policy Manager

Symptoms:
Open per-request policy in Visual Policy Editor (VPE) that has a subroutine. Click 'Subroutine Settings / Rename.

Numeric values like the inactivity timeout are displayed as 'NaN. Attempts to modify the values results in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.

Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.

Impact:
All fields say 'NaN', and error when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE

Workaround:
Use tmsh to modify these values, for example:

tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }

Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.

---

726647-1 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

Fix:
HTTP compressed response with content insert action no longer truncates data.

---

726592-2 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop

Component: Access Policy Manager

Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.

Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.

Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.

Workaround:
There is no workaround at this time, you can recover by restarting the daemons that hang.

Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.

---

726487-1 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.

Component: TMOS

Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Or:

--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).

--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.

Or:

err mcpd[12620]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Invalid static route modification. A destination change from 172.25.0.1%500 to 172.25.0.1 is not supported... failed validation with error 17237812.

Conditions:
This issue occurs when all of the following conditions are met:

-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Either:
   + Creating a pool member in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
   + Modifying a route in that partition while a configuration save is taking place at the same time (either system- or user-initiated).

Impact:
If the system is Active, traffic is disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).

Workaround:
There is no workaround other than not to create pool members or modify routes from one client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.

Fix:
MCPD on secondary blades no longer restarts if a pool member is created or a route is modified in a partition that uses a non-default route domain at the same as the configuration is being saved.

---

726412-1 : Virtual server drop down missing objects on pool creation

Component: Global Traffic Manager (DNS)

Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.

Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.

Impact:
Unable to add available virtual servers to pools.

Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.

Fix:
Fixed the drop down for virtual servers. Now virtual servers get loaded in the drop-down list during pool creation.

---

726409-3 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Component: TMOS

Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or
possibly have unspecified other impact by leveraging use of the accept system call.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

Impact:
denial of service

Workaround:
don't allow login

Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

---

726393-5 : DHCPRELAY6 can lead to a tmm crash

Solution Article: K36228121

---

726317-3 : Improved debugging output for mcpd

Component: TMOS

Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.

Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.

Impact:
None. Has no effect without log.mcpd.level set to debug.

Workaround:
None.

Fix:
New output helps F5 engineers diagnose mcpd problems more easily.

---

726303 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.

Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.

---

726255-3 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.

Fix:
dns_path memory will be released after ttl.

---

726239-3 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when TCP persist timer is active.

---

726232-1 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
    drop
    # discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.

---

726154-1 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Component: Advanced Firewall Manager

Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.

Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.

Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.

Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.

Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.

---

726089-3 : Modifications to AVR metrics page

Solution Article: K44462254

---

725879 : Internet Explorer running on Windows phone 8.1 gets CAPTCHA during legitimate browsing

Component: Application Security Manager

Symptoms:
Internet Explorer (IE) running on Microsoft Windows phone v8.1 gets CAPTCHA during legitimate browsing.

Conditions:
-- Proactive Bot Defense is enabled on a DoS profile attached to a virtual server.
-- A client connects using IE on Windows phone v8.1.

Impact:
CAPTCHA occurs during legitimate browsing.

Workaround:
None.

Fix:
A CAPTCHA event is no longer inadvertently enabled for Internet Explorer browsers on Windows Phone 8.1.

---

725791-3 : Potential HW/HSB issue detected

Solution Article: K44895409

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.

Fix:
Including traffic-critical registers in failover triggers, helps failover happen quickly with minimum disruption to traffic in the case of SRAM hardware failures.

---

725551-5 : ASM may consume excessive resources

Solution Article: K40452417

---

724868-2 : dynconfd memory usage increases over time

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.

Fix:
dynconfd no longer leaks memory when processing messages.

---

724824-5 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync

Component: Local Traffic Manager

Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.

Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.

Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.

Impact:
Monitor status on the peer devices is reported incorrectly.

Workaround:
Any of the following three options will correct reporting status on the peer devices:

-- Restart bigd

-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.

-- Disable and then re-enable the FQDN node

Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.

---

724680-3 : OpenSSL Vulnerability: CVE-2018-0732

Solution Article: K21665601

---

724556-1 : icrd_child spawns more than maximum allowed times (zombie processes)

Component: TMOS

Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.

Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.

Impact:
There are zombie icrd_child processes consuming memory.

Workaround:
Restart the system.

Fix:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds

If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.

If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.

A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.

Behavior Change:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds

If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.

If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.

A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.

---

724532-1 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.

---

724339-2 : Unexpected TMUI output in AFM

Solution Article: K04524282

---

724335-2 : Unexpected TMUI output in AFM

Solution Article: K21042153

---

724214-2 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.

---

724109-5 : Manual config-sync fails after pool with FQDN pool members is deleted

Component: TMOS

Symptoms:
If a user, deletes a fqdn pool on one BIG-IP in a cluster and then run a manual config sync with another BIG-IP, the change fails to sync with the other BIG-IPs in the cluster.

Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually

Result: After deleting fqdn pool in BIG-IP and config sync with another BIG-IP, Manual config sync failed. Still, we can see the deleted fqdn pool in another BIG-IP

Impact:
FQDN pool delete failed in another BIG-IP and manual config sync operation is failed.

Workaround:
The workaround for this issue is to use auto-sync.

---

723794-4 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms

Component: TMOS

Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.

You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.

Conditions:
-- AMD-based platforms:
   + BIG-IP B4100 blades
   + BIG-IP B4200 blades
   + BIG-IP 6900 and NEBS appliances
   + BIG-IP 89x0 appliances
   + BIG-IP 6400 FIPS and NEBS platforms
   + BIG-IP 110x0 appliances

-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).

Impact:
System locks up and is rebooted by the watchdog timer.

Workaround:
Set the database variable kernel.pti to disable by running the following command:

tmsh modify sys db kernel.pti value disable

According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.

Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.

---

723792-3 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}

Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.

---

723790-4 : Idle asm_config_server handlers consumes a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.

---

723722-3 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.

Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.

---

723298-3 : BIND upgrade to version 9.11.4

Component: TMOS

Symptoms:
The BIG-IP system is running BIND version 9.9.9.

Conditions:
BIND on BIG-IP system.

Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.

Workaround:
None.

Fix:
BIND version has been upgraded to 9.11.4.

---

723288-3 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)

---

723130-3 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Solution Article: K13996

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
There might be questions about the integrity of the OVA file, and in some cases, might not be able to deploy a new instance from an OVA file.

Workaround:
None.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.

---

722969-1 : Access Policy import with 'reuse' enabled instead rewrites shared objects

Component: Access Policy Manager

Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.

Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.

Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.

Workaround:
None.

Fix:
Access policy import with 'reuse' option enabled no longer rewrites shared objects

---

722707-1 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall

Component: Local Traffic Manager

Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.

Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
2. Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.

Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).

Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).

---

722682-1 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.

Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
  + 12.1.3.x
  + Any 13.0.x
  + All 13.1.x earlier than 13.1.1.2
  + 14.0.x earlier than 14.0.0.3

Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.

Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.

1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:

  for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done

4. Run the following command: load sys config gtm-only

Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.

---

722677-3 : BIG-IP HSB vulnerability CVE-2019-6604

Solution Article: K26455071

---

722387-2 : TMM may crash when processing APM DTLS traffic

Solution Article: K97241515

---

722380-3 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.

Component: TMOS

Symptoms:
On platforms with HSB, if an HSB lockup occurs, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. In certain cases, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
-- Any platform with HSB.
-- An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Reboot is delayed until TMM core file is completed.

---

722363-1 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.

---

722230-6 : Cannot delete FQDN template node if another FQDN node resolves to same IP address

Component: TMOS

Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.

Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.

Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.

Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.

---

722091-2 : TMM may crash while processing HTTP traffic

Solution Article: K64208870

---

722013-3 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

- Systems are provisioned for APM.

- The device-group is configured for incremental manual synchronizations.

- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

- You synchronize the configuration from the source_system to the device-group.

- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

- The MCPD daemon restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.

-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.

Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.

---

721924-3 : BIG-IP ARM BGP vulnerability CVE-2018-17539

Solution Article: K17264695

---

721895-1 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)

Component: Global Traffic Manager (DNS)

Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.

Conditions:
Running a vulnerability scanner or other SSL test tool.

Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.

Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.

In addition, you can deploy firewall rules to accept connections only on port 4353 from know BIG-IP systems.

Fix:
This version adds a db variable for the big3d
big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).

After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.

---

721752-1 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Use the following sql command:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;

Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.

---

721741-2 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.

---

721621-2 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Component: Local Traffic Manager

Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.

When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.

Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).

If no other members are defined in the pool, traffic will be interrupted.

Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.

Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.

---

721526-1 : tcpdump fails to write verbose packet data to file

Component: TMOS

Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').

Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.

This occurs on the following hardware:

-- BIG-IP 5000,7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.

Impact:
Cannot use tcpdump to write verbose packet data to file.

Workaround:
There is no workaround at this time.

Fix:
The tcpdump operation is now able to write verbose packet data to file.

---

721399-3 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').

Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.

---

721375 : Export then import of config with RSA server in it might fail

Component: Access Policy Manager

Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.

Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.

Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.

Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.

Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.

---

720880 : Attempts to license/re-license the BIG-IP system fail.

Component: TMOS

Symptoms:
Attempts to activate or reactivate the license on the BIG-IP system results in failure messages.

Conditions:
No specific configurations are associated with this issue, but license activation/reactivation requests that include add-ons are more likely to fail.

This occurs under random conditions.

Impact:
The system is either unusable or very difficult to activate.

Workaround:
Because the conditions under which this issue occurs are random, additional licensing attempts might succeed.

Fix:
The source of the underlying problem has been corrected. No additional logs, error message, or user-interaction is involved.

---

720819-1 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks-up due to a different issue.

Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.

Workaround:
None.

Fix:
The HSB lock-up is now promptly detected and remedied.

---

720799-3 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.

Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most DNS query results are not immediately deleted from the pool.

To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old new ephemeral nodes and pool members occurs after a delay.

The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.

---

720756 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS

Component: TMOS

Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.

Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.

Impact:
Cannot tell the actual platform name in the SNMP query.

Workaround:
There is no workaround at this time.

Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.

---

720713-3 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Fix:
The vCMP host continues to handle traffic correctly once a guest is started.

---

720695-2 : Export then import of APM access Profile/Policy with advanced customization is failing

Component: Access Policy Manager

Symptoms:
An exported policy containing advanced customization fails to import.

Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.

Impact:
Import fails.

Workaround:
None.

Fix:
Access policy import containing advanced customization now succeeds.

---

720651-3 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted, which is likely to impact running guests.

Workaround:
There is no workaround.

Fix:
The guest now stops when the state is changed from deployed to provisioned.

---

720569-2 : Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition

Component: TMOS

Symptoms:
After a period of time, Inet port exhaustion error messages begin to be reported, and traffic starts to fail:
crit tmm1[17985]: 01010201:2: Inet port exhaustion on <ip_address> to <ip_address>.


CPU cores are unevenly loaded by the tmm process. Typically odd cores will have a more loaded tmm thread.

Conditions:
BIG-IP system uses unic, sock or virtIO drivers

Impact:
The system reports Inet port exhaustion error messages, and traffic starts to fail.

Where CPU use by the tmm process is very uneven as the busiest cores reach near maximum connections will be offloaded at an early stage to less used tmm threads on quieter cores. This means the uneven CPU usually has a minimal impact itself.

Workaround:
None.

Fix:
Disaggregation algorithm has been improved to avoid unequal distribution.

---

720461-3 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:

        $date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;

Fix:
The qkview is no longer blocked with a password prompt.

---

720440 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.

Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.

---

720391-1 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.

Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.

Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.

Workaround:
None.

Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.

---

720293-1 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.

Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.

---

720269-3 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.

Fix:
Prevented extra characters from being appended to TACACS audit logs.

---

720219-1 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.

Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.

---

720110-4 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.

Component: TMOS

Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without the BGP notify message.

Conditions:
-- BGP session is terminated without BGP notify (just TCP FIN).
-- Either learned (not originated in the BIG-IP system) and default-originate (originated in the BIG-IP system) routes are not sent.

Impact:
Default routes are not propagated in the network after the BGP peer restart.

Workaround:
There is no workaround at this time.

Fix:
Default routes are now always sent after the BGP session reset. Consistent behavior between BGP session reset with and without BGP notify message.

---

720104 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.

Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.

---

720030-3 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.

Conditions:
APM end users using Kerberos SSO to access backend resources.

Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.

Workaround:
For BIG-IP software v12.x and later,

Edit the /etc/resolv.conf file to add an EDNS0 option.

There is no workaround if you are running a version earlier than 12.x.

Fix:
Kerberos DNS SRV requests now support EDNS0, so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP while communicating to the internal DNS server (dnscached).

---

719644-1 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.

Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server name a period character (.).
-- The same virtual server name is used in multiple partitions.

---

719554-3 : Linux Kernel Vulnerability: CVE-2018-8897

Solution Article: K17403481

---

718885-1 : Under certain conditions, monitor probes may not be sent at the configured interval

Solution Article: K25348242

Component: Global Traffic Manager (DNS)

Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.

Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.

---

718210-3 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.

Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.

Note: This is the default value, so any virtual servers defined internally are using it.

Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.

Note: This is an extremely rare issue.

Workaround:
None.

Fix:
This issue has been fixed.

---

718208-1 : Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO

Component: Access Policy Manager

Symptoms:
When using Firefox v52 ESR to install SVPN client, the SVPN client keeps prompting to enter SUDO credentials.

Conditions:
Using Firefox v52 ESR to install SVPN client.

Impact:
Cannot install SVPN client using Firefox v52 ESR browser.

Workaround:
Follow this procedure to work around this problem:

1. Delete the NPAPI plugin from the browser. To do so, remove the browser plugin, which you can find in either or both of the following locations:

~/.mozilla/plugins/np_F5_SSL_VPN_x86_64.so

~/.mozilla/firefox/w8wdvzyy.default/extensions/{5984e8a4-b593-11e5-ad1f-ac88bb8e7f8b}/

2. Launch the browser; connect to APM and install the SVPN client manually.
3. Install the plugin through the browser, or copy the plugin to the browser plugin directory.
4. Restart Firefox v52 ESR to connect to APM.

Fix:
This issue has been fixed, and now you can install the Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR browser.

---

718071-3 : HTTP2 with ASM policy not passing traffic

Component: Local Traffic Manager

Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.

Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.

Impact:
Traffic does not pass.

Workaround:
No workaround.

Fix:
HTTP2 and ASM now work correctly together.

---

717896-1 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.

---

717742-3 : Oracle Java SE vulnerability CVE-2018-2783

Solution Article: K44923228

---

717276-3 : TMM Route Metrics Hardening

Solution Article: K20622530

---

717100-4 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).

Fix:
Ephemeral pool members are now created for each pool under these conditions.

---

716992-3 : The ASM bd process may crash

Solution Article: K75432956

---

716922-4 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Mote: To take advantage of some of the Nagle benefits, use 'Auto'.

Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.

---

716900-1 : TMM core when using MPTCP

Solution Article: K91026261

---

716788-3 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.

Fix:
Response modification handler has been modified so that this issue no longer occurs.

---

716747-4 : TMM my crash while processing APM or SWG traffic

Component: Access Policy Manager

Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG.

There will be a log message in /var/log/apm near the time of crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
APM or SWG enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround at this time.

Fix:
TMM now processes APM and SWG traffic as expected.

---

716716-3 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.

Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.

---

716391-3 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, MySQL, for example BIG-IP ASM and BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.

---

716318-4 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.

Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.

---

716213-3 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.

Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.

---

716166-3 : Dynamic routing not added when conflicting self IPs exist

Component: TMOS

Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.

Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.

Impact:
Propagation of the dynamic route to the kernel, TMM.

Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.

---

715923-3 : When processing TLS traffic TMM may terminate connections unexpectedly

Solution Article: K43625118

---

715750-3 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Solution Article: K41515225

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.

Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

---

715467-3 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.

Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.

---

715448-1 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.

Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.

---

715250-2 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

Component: Access Policy Manager

Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.

Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.

Impact:
System instability, failover, traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

---

715207-2 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure: 1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.

Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.

---

715090 : PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers

Component: Policy Enforcement Manager

Symptoms:
Policy and Charging Rules Function (PCRF) policy actions will have no effect on the subscribers' traffic.

Conditions:
PEM creates a traffic generated subscriber that has PCRF-provided policies associated with it.

Impact:
Potential loss of service depending on the policy actions that do not take effect.

Workaround:
There is no workaround at this time.

Fix:
This issue has been fixed.

---

715032-6 : iRulesLX Hardening

Solution Article: K73302459

Component: Local Traffic Manager

Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.

Conditions:
-iRulesLX in use

Impact:
iRulesLX does not follow current best practices.

Workaround:
None.

Fix:
iRulesLX now follows current best practices.

---

714986-1 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1

Fix:
In addition to reprogramming the UART with the new baud rate, the BIG-IP system now re-initializes the TTY device and agetty process with the correct speed so that new terminal sessions reflect the change.

---

714903-1 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.

Fix:
These errors in chmand are fixed.

---

714879-1 : APM CRLDP Auth passes all certs

Solution Article: K34652116

---

714848 : OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled

Component: TMOS

Symptoms:
DDM transmit power too low warning continually appear in /var/log/ltm, and in SNMP traps. Messages appear similar to the following:
DDM interface:3/1.0 transmit power too low warning. Transmit power(mWatts) 0.0001 0.0001 0.0001 0.0001

A single warning message is expected, not repeating messages.

Conditions:
This occurs when all of the following conditions are met:
-- The interface is disabled.
-- DDM is enabled.
-- OPT-0031 or OPT-0036.

Impact:
There are multiple messages in /var/log/ltm, and SNMP DDM traps. There is no impact on traffic.

Workaround:
There is no workaround other than to enable the interface or disable DDM.

Fix:
DDM errors no longer continually appear on disabled interfaces containing OPT-0031 or OPT-0036.

---

714716-3 : Apmd logs password for acp messages when in debug mode

Solution Article: K10248311

Component: Access Policy Manager

Symptoms:
Apmd logs password when executing policy via iRule.

Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active

Impact:
Apmd logs clear text password

Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.

---

714654-3 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.

Fix:
Creating static routes for advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.

---

714559-1 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}

Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.

If you need to remove the cookie, use an iRule similar to the following:

when PERSIST_DOWN {
    HTTP::cookie remove JSESSIONID
}

---

714542-1 : 'Always Connected Mode' text is missing in EdgeClient tray

Component: Access Policy Manager

Symptoms:
When right-clicking the EdgeClient tray icon, the pop-up menu shows a grey box instead of the 'Always Connected Mode' text.

Conditions:
EdgeClient installed in 'Always Connected Mode' with 'Allow' traffic when VPN is disconnected.

Impact:
No functional impact. Previously, the message appeared only for blocked mode.

Workaround:
None.

Fix:
Now, when a user right-clicks the Edge Client tray icon in Always Connected mode, the <uicontrol>Always Connected Mode</uicontrol> text is displayed on the tray icon pop-up menu.

---

714181-3 : TMM may crash while processing TCP traffic

Solution Article: K14632915

---

713951-3 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.

---

713934-4 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
Received malformed Truncated DNS response.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.

Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.

---

713690-1 : IPv6 cache route metrics are locked

Component: Local Traffic Manager

Symptoms:
Under certain circumstances IPv6 route metrics are locked for the lifetime of a route metrics cache entry.

Conditions:
Under certain circumstances IPv6 route metrics cache entries are created locked.

Impact:
IPV6 route metrics are locked for the lifetime of a route metrics cache entry. When receiving subsequent icmpv6 packet to big messages with a larger MTU, the value does not get updated.

Workaround:
None.

Fix:
IPv6 route metrics are not locked anymore.

---

713655-3 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities

Component: Access Policy Manager

Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.

Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.

Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.

Workaround:
None.

Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.

---

713533-3 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.

Fix:
You can now use pattern matching to list Self IPs

---

713491-1 : IKEv1 logging shows spi of deleted SA with opposite endianess

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.

Fix:
The spi values are shown in the correct endianness now.

---

713282-3 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.

Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.

---

713066-3 : Connection failure during DNS lookup to disabled nameserver can crash TMM

Solution Article: K10620131

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restart as a result of a DNS lookup to disabled nameserver.

Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.

This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.

Fix:
This issue is now fixed.

---

712924 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue

Component: Access Policy Manager

Symptoms:
In VPE SecurID servers list are not being displayed in SecurID authentication dialogue. List is displaying only None.

Conditions:
Always when adding SecureID authentication action.

Impact:
Inability to (re)configure SecureId via VPE.

Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:

tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>

---

712876-4 : CVE-2017-8824: Kernel Vulnerability

Solution Article: K15526101

---

712857-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.

The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
Now, you can resolve this issue by modifying db variable 'tmm.access.maxrequestbodysize' to use a value larger than the maximum request size you want to support.

---

712664-4 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting

Conditions:
- transparent vlan-group
 - Virtual Address with ARP disabled
 - Virtual Address corresponds to remote IPv6 host address

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.

Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.

---

712475-1 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not return dig requests.

Conditions:
DNS Express is configured a zone without a server.

Impact:
DNS Express does not return dig requests.

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.

Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.

---

712464-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs is usually in the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

---

712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
 myzone.com -- parent
 foo.myzone.com -- child
 
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS can not resolve records correctly.

Workaround:
None.

Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.

---

712362-1 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stalls.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols


#2 Use an irRule:
when SERVER_CONNECTED {
    TCP::collect 15
}
when SERVER_DATA {
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}

Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.

---

712336-3 : bd daemon restart loop

Component: Application Security Manager

Symptoms:
Continuous BD restarts after period where /var was full and then cleaned

Conditions:
/var was full and then cleaned

Impact:
Continuous BD restarts

Workaround:
A) Make a spurious change in a policy and apply it.
OR
B) Restart ASM

---

712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly

Component: Access Policy Manager

Symptoms:
In VPE LDAP and AD Group Resource Assign are not displaying static acls when they are configured.

Conditions:
While attempting to assign Static ACls via AD or LDAP Group Resource assign (aka Group Mapping) Static ACLs are not displayed.

Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.

Workaround:
Static ACLs are assignable with TMSH.

Fix:
Functionality is restored and Static ACLs are being displayed in AD and Ldap Group Resource Assign aka Group Mapping

use:
tmsh modify apm policy agent resource-assign

---

711981-3 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.

Workaround:
None.

Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.

---

711570-1 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies

Component: Policy Enforcement Manager

Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names

Conditions:
PEM iRule using subscriber ID to get policy name.

Impact:
Subscriber policy names are not returned.

Workaround:
Use PEM::subscriber config policy get <IP address> instead.

Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.

---

711547 : Update cipher support for Common Criteria compliance

Component: TMOS

Symptoms:
Default cipher selection may not be compliant with Common Criteria requirements. Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Conditions:
Common Criteria mode active

Impact:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Workaround:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Fix:
Improved Common Criteria compliance in default cipher strings.

---

711281-3 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.

---

711249-2 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.

---

711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.

Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete

---

710857-4 : iControl requests may cause excessive resource usage

Solution Article: K64855220

---

710827-4 : TMUI dashboard daemon stability issue

Solution Article: K44603900

---

710755-2 : TMM crash when route information becomes stale and the system accesses stale information.

Component: Advanced Firewall Manager

Symptoms:
The crash happens intermittently when the route information becomes stale and the system accesses the stale information.

Conditions:
Route information is stale. This usually happens when a connection is waiting for a reply, and in-between route information (applicable for both static and dynamic routes) becomes stale (e.g., change of network-related configuration). If the connection is already filled with old route information, accessing that can cause this crash

Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now fetches the latest egress route/interface information before accessing it.

---

710705-3 : Multiple Wireshark vulnerabilities

Solution Article: K34035645

---

710602 : iCRD commands requiring 'root' user access fixed

Component: TMOS

Symptoms:
Some of the iCRD calls that run commands on the base operating system that require elevated permissions fail because iCRD was not correctly executing the commands in the right context.

Conditions:
Use an iCRD endpoint that requires elevated permissions to succeed.

Impact:
Only impacts iCRD endpoints which run commands that require root access.

Workaround:
There is no workaround at this time.

Fix:
This fix resolves this issue by running the commands with the correct user context.

---

710564-3 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0

Component: Local Traffic Manager

Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.

Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.

Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.

Workaround:
There is no workaround at this time.

---

710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart. The gtmd process reports a SIGSEGV when persistence is enabled.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The gtmd process reports a SIGSEGV and produces a core file.
-- The gtmd process restarts, which prevents clients from receiving answers to requests.

Conditions:
This issue occurs when the following condition is met:

Persistence is enabled for the wide IP pools.

Impact:
The gtmd process may occasionally restart, which prevents clients from receiving answers to requests.

Workaround:
Disable persistence on wide IP pools.

Fix:
The gtmd process no longer crashes and restarts when persistence is enabled.

---

710355-1 : High CPU when using HTTP::collect for large chunked payloads

Component: Local Traffic Manager

Symptoms:
When collecting large amounts of chunked payload, approximately one million bytes, the processing to parse each chunk for the chunk headers and offsets results in high CPU utilization.

Conditions:
-- HTTP profile is attached to virtual server.
-- Server sends chunked response.
-- An iRule on the virtual server uses the HTTP::collect command to collect and parse large chunked payloads.

Impact:
High CPU utilization.

Workaround:
None.

---

710327-3 : Remote logger message is truncated at NULL character.

Component: Application Security Manager

Symptoms:
When a request including binary null character has been sent to an remote logger, configured for ASM, the request will arrive to the remote destination and will be truncated exactly at binary NULL character.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.

Impact:
Partial request is logged at the remote logger destination.

Workaround:
None.

Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.

---

710314-2 : TMM may crash while processing HTML traffic

Solution Article: K94105051

---

710277-2 : IKEv2 further child_sa validity checks

Component: TMOS

Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.

Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.

Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.

Workaround:
None.

Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.

---

710246-3 : DNS-Express was not sending out NOTIFY messages on VE

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).

Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.

Impact:
DNS secondary servers serving stale data.

Workaround:
There is no workaround at this time.

Fix:
DNS Express now sends out NOTIFY messages on VE.

---

710244-1 : Memory Leak of access policy execution objects

Solution Article: K27391542

---

710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.

Component: Access Policy Manager

Symptoms:
Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. The system posts a message similar to the following:

Unable to execute transaction because of: 01071203:3: Caption (XYZ1) of the rule in macrocall (/Common/abc_macro) must be identical to the caption (XYZ2) of terminalout.

Conditions:
-- Using Access Policy.
-- Policy includes one or more macros.
-- There is a macrocall on one of the macros.
-- You attempt to add a new terminal to that macro.

Impact:
Cannot edit macro terminals.

Workaround:
None.

Fix:
Can now edit Terminals of Macro if one or more Macrocalls point to a given Macro.

---

710148-4 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153

---

710028-4 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

Fix:
LTM SQL monitors continue monitoring when multiple monitors/ query the same server and database.

---

709972-4 : CVE-2017-12613: APR Vulnerability

Solution Article: K52319810

---

709688-5 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733

Solution Article: K08306700

---

709670-5 : iRule triggered from RADIUS occasionally fails to create subscribers.

Component: Policy Enforcement Manager

Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).

Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.

Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.

Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.

---

709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}

-- Actions occur in the following order:
 1. PEM receives RADIUS START with subscriber ID1 and IP1.
 2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
 3. PEM receives RADIUS START with subscriber ID1 and IP2.
 4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.

Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.

---

709544-4 : VCMP guests in HA configuration become Active/Active during upgrade★

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until upgrade is complete on all chassis in the DSC are finished. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.

---

709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

Component: Local Traffic Manager

Symptoms:
When looking at tmsh show sys memory you will see
ssl_compat continue to grow and fails to release memory.

Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening

Impact:
Eventually memory reaper will kick in.

Workaround:
There is no workaround at this time.

Fix:
ssl_compat now properly releases connections on re-negotiation.

---

708956 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Solution Article: K51206433

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
 Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.

Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.

---

708830-1 : Inbound or hairpin connections may get stuck consuming memory.

Component: Carrier-Grade NAT

Symptoms:
When inbound or hairpin connections require a remote Session DB lookup, and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They remain stuck in this state until they time out and expire. In this state, UDP connections queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets accumulate, consuming memory. If the memory consumption becomes excessive, connections may be killed and 'TCP: Memory pressure activated' and 'Aggressive mode activated' messages appear in the logs.

Conditions:
-- An LSN pool with inbound and/or hairpin connections enabled.
-- Lost Session DB messages due to heavy load or hardware failure.
-- Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.

Impact:
Excessive memory consumption that leads to dropped connections.

Workaround:
There is no workaround at this time.

Fix:
When Session DB messages are lost, the connection is killed and any queued packets are discarded. If the client application resends packets, they are treated as new connections.

---

708653-3 : TMM may crash while processing TCP traffic

Solution Article: K07550539

---

708421-1 : DNS::question 'set' options are applied to packet, but not to already parsed dns_msg

Solution Article: K52142743

Component: Global Traffic Manager (DNS)

Symptoms:
For certain types of iRules, using the DNS command DNS::question for type AAAA, when the DNS transparent cache is involved in the filter, the type can be reverted.

Conditions:
-- DNS transparent cache.

-- Using an iRule similar to the following:
when DNS_REQUEST {
   DNS::question type AAAA
}

Impact:
When the packet goes to the pool, the type is reverted.

Workaround:
Enable gslb or dnsx on the profile.

---

708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.

---

708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Solution Article: K33319853

Component: Local Traffic Manager

Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.

---

708068-3 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalized parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.

Fix:
The TCL command HTTP::path -normalize should return normalized path.

---

708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

Component: TMOS

Symptoms:
Web Acceleration feature may not handle big HTML file with improper conditional comments inside in some cases. TMM may crash processing such files if Web Acceleration profile is attached to VIP.

Conditions:
- HTML file with conditional comments inside:
  <!--[if condition...]> ... <![endif]-->

- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.

Impact:
TMM crash interrupts all active sessions.

Workaround:
There is no workaround at this time.

Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.

---

707990-3 : Unexpected TMUI output in SSL Certificate Instance page

Solution Article: K41704442

---

707951 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.

Fix:
Stalled mirrored flows no longer appear when OneConnect is used.

---

707888 : Some ASM operations delayed due to scheduled ASU update

Component: Application Security Manager

Symptoms:
Some ASM operations (such as Apply Policy) are delayed while a scheduled ASU update is in progress. This issue affects only 12.1.3.x from 12.1.3.2 and later.

Conditions:
A scheduled ASM update is in progress on systems running v12.1.3.x.

Impact:
Some ASM operations, such as Apply Policy, are delayed.

Workaround:
There is no workaround at this time.

Fix:
Other ASM operations are no longer blocked by scheduled ASU update.

---

707740-3 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination

Component: TMOS

Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.

Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.

Impact:
Cannot delete the unused monitor.

Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only

You can now delete the monitor.

Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.

---

707675 : FQDN nodes or pool members flap when DNS response received

Component: Local Traffic Manager

Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.

Such an event is accompanied by log messages similar to the following:

-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.

This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.

This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.

Workaround:
Either of the following methods can be used to work around this issue:

-- Configure static IP addresses instead of FQDN nodes/pool-members.

-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).

Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

707509-3 : Initial vCMP guest creations can fail if certain hotfixes are used

Component: TMOS

Symptoms:
vCMP guest fails to enter the 'provisioned' or 'deployed' states and similar messages can be seen in /var/log/ltm:

-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255

Conditions:
Creating vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.

Impact:
vCMP guest cannot be created.

Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.

Fix:
Guest creation succeeds.

---

707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

Component: Local Traffic Manager

Symptoms:
SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default SNI profile, however is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If then the connection attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).
       
The fix: When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from
non-default SNI profile, stop the search and return NULL.

Conditions:
SNI configured with one default SNI profile, one or multiple SNI profiles. The default SNI profile is changed and renegotiation with SNI(with non-default SNI profile) is issued.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.

---

707445 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.

---

707391-4 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.

Workaround:
Workaround would be to restart the dynamic routing process.

Fix:
BGP may no longer keeps announcing routes after disabling route health injection

---

707310-1 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.

Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.

Workaround:
There is no workaround at this time.

Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.

---

707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

---

707207-2 : iRuleLx returning undefined value may cause TMM restart

Component: Local Traffic Manager

Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where
its jsonrpc v2.0 representation is missing required fields, such as "result".

Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.

Impact:
Traffic is interrupted.

Workaround:
There is no workaround at this time.

Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.

---

707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl

Component: Application Security Manager

Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.

Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is enountered

Impact:
A process may consume high CPU even after the high traffic period is finished.

Workaround:
Kill asm_config_server.pl (This will not affect traffic)

Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual

---

707003-2 : Unexpected syntax error in TMSH AVR

Component: TMOS

Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown

It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'

Conditions:
Whenever the affected tmsh command is run.

Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown

Workaround:
There is no workaround besides not running the affected command.

Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown

---

706845-1 : False positive illegal multipart violation

Component: Application Security Manager

Symptoms:
A false positive multipart violation.

Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.

Impact:
A false positive violation, request rejected.

Workaround:
Might be workaround using an irule

Fix:
Corrected ASM multipart parsing.

---

706642-3 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

Fix:
wamd n longer leaks memory during configuration changes and cluster events.

---

706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.

---

706521-6 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password

Solution Article: K21404407

Component: TMOS

Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.

Conditions:
Configure TACACS+ auditing forwarder.

Impact:
Exposes sensitive information.

Workaround:
None.

Fix:
The sensitive data is not exposed, and this issue is fixed.

---

706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.

Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.

A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)

Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.

Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.

---

706374-2 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption

Component: Access Policy Manager

Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.

Workaround:
There is no workaround.

Fix:
Stability problems in DNS lookups in APM Kerberos SSO (S4U) have been corrected.

---

706354-1 : OPT-0045 optic unable to link

Component: TMOS

Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port does not function. The following error appears in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0.

Conditions:
OPT-0045 in a 40G port.

Impact:
Optic does not work; interface does not come up.

Workaround:
None.

Fix:
This release supports the OPT-0045 optical transceiver.

---

706305-2 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled

Component: TMOS

Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.

Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.

Impact:
Inability for the unit to use BGP

Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may allow to workaround this issue.

Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled

---

706128-1 : DNSSEC Signed Zone Transfers Can Leak Memory

Component: Global Traffic Manager (DNS)

Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.

For example:

tmsh show sys memory raw | grep dnssec

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.

Impact:
TMM leaks memory related to the signed zone transfer.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer leaks DNSSEC zone transfer related memory.

---

706104-2 : Dynamically advertised route may flap

Component: TMOS

Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.

Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configure in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route

Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.

Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.

The problem will also be resolved by moving the route from tmsh into ZebOS.
 - In imish config mode, "ip route <route> <gateway>"
 - In tmsh, "delete net route <route>"

Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.

---

706102-3 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.

Fix:
An SMTP monitor handles all use cases that include a multi-line banner.

---

706086-1 : PAM RADIUS authentication subsystem hardening

Solution Article: K62750376

---

705794-1 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash

Component: Local Traffic Manager

Symptoms:
A HTTP/2 stream is getting overlooked when cleaning up a HTTP/2 flow.

Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.

---

705768-4 : The dynconfd process may core and restart with multiple DNS name servers configured

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query when there are multiple DNS name servers configured, or when the list of DNS name servers is changed.

Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.

Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.

Workaround:
This issue occurs rarely. There is currently no known workaround.

Fix:
The dynconfd process no longer cores and restarts with multiple DNS name servers configured.

---

705611-1 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used

Component: Local Traffic Manager

Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.

Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.

Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.

---

705503-1 : Context leaked from iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
The memory usage increases, and stats are inaccurate.

Conditions:
Call RESOLV::lookup from an iRule.

Impact:
Memory leak that accumulates over time and inaccurate stats.

Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.

Fix:
Memory leak no longer occurs.

---

705476-4 : Appliance Mode does not follow design best practices

Solution Article: K28003839

---

705112-1 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.

---

705037-3 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Solution Article: K32332000

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.

Fix:
System no longer exhibits duplicate if_index statistics.

---

704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.

Fix:
NAS-IP-Address Attribute is now set correctly when the the BIG-IP system is configured to use RADIUS authentication.

---

704733-2 : NAS-IP-Address is sent with the bytes in reverse order

Component: TMOS

Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).

Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.

Fix:
This has been corrected.

---

704666-2 : memory corruption can occur when using certain certificates

Component: Local Traffic Manager

Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.

Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.

Impact:
TMM could crash.

Workaround:
Do not use certificates with extremely long common names

Fix:
A length check has been added to avoid corruption when using extremely long common names.

---

704580-3 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Solution Article: K05018525

---

704524-2 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.

Fix:
Kerberos DNS SRV requests now support EDNS0 so that UDP responses greater than 512 bytes can be received correctly, eliminating delays caused by TCP retransmission.

---

704490 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003

---

704483 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003

---

704450-2 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.

Fix:
'bigd' does not crash and runs with complete configuration when (re-)starting when BIG-IP runs under heavy configuration resulting in 'mcpd' delaying its configuration of 'bigd'.

---

704449-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.

Fix:
tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.

---

704381-3 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.

Fix:
SSL/TLS handhake failures and terminations are now logged at a higher level (WARNING).

---

704336-3 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix:
The fix will now add all the intermediate and root certificate including device certificate to Trusted Server and Trusted Device certificate bundle.

---

704282-3 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy

Component: TMOS

Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.

Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.

For this to happen, the fair share rate of the instance of dynamic policy has to be less than than 32 times the average packet size of the instance of policy.

For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
F5 does not recommend running the BWC under 64Kbps.

Either decrease the number of subscribers or increase the max-rate of dynamic policy.

Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.

---

704247-3 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.

Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted

---

704198-1 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance

Solution Article: K29403988

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.

Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.

Impact:
There is an leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.

Workaround:
Impact of workaround: Might change the primary slot.

Restart services using the following command:
# bigstart restart

---

704184-3 : APM MAC Client create files with owner only read write permissions

Solution Article: K52171282

---

704143-2 : BD memory leak

Component: Application Security Manager

Symptoms:
A BD memory leak.

Conditions:
websocket traffic with specific configuration

Impact:
Resident memory increases, swap getting used.

Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.

---

704073-3 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm

Solution Article: K24233427

Component: Local Traffic Manager

Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent

Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.

---

703984-2 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.

Conditions:
MacOS APM client using Machine Certificate Check agent.

Impact:
Hostname match may be incorrect in these cases.

Workaround:
There is no workaround at this time.

Fix:
The MacOS machine certificate check agent now matches on the whole host string rather than a sub string.

---

703940-3 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803

---

703914-1 : TMM SIGSEGV crash in poolmbr_conn_dec.

Component: Local Traffic Manager

Symptoms:
TMM cores in poolmbr_conn_dec function.

Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.

Impact:
TMM core, traffic interruption, possible failover.

Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.

Fix:
TMM correctly handles LB:reselect on virtual servers with pools using request queueing.

---

703869-1 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.

---

703835-4 : When using SCP into BIG-IP systems, you must specify the target filename

Solution Article: K82814400

---

703793-1 : tmm restarts when using ACCESS::perflow get' in certain events

Component: Access Policy Manager

Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.

Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.

---

703761-1 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode

Component: TMOS

Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.

Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.

Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.

Workaround:
There is no workaround at this time.

Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.

---

703580 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.

Component: Local Traffic Manager

Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)

Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.

Impact:
TLS1.1 handshake fails on the guest.

Workaround:
Use the same software version on the vCMP host and vCMP guests.

Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.

---

703515-5 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
Custom persistence key is not a multiple of 3 bytes

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.

---

703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
System now provides valid data to Citrix Receiver for Android client.

---

702946-2 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.

---

702873-3 : Windows Logon Integration feature may cause Windows logon screen freeze

Component: Access Policy Manager

Symptoms:
Windows Logon Integration feature might cause a Microsoft Windows logon screen freeze, making Windows OS unresponsive to any client end user actions.

Conditions:
-- Client user putting laptop into sleep mode and waking it up multiple times.
-- Possibly, only Windows 10 is affected.

Impact:
Logon screen may hang, not allowing client user to type in credentials.

Workaround:
Reinstall EdgeClient without the Windows Logon Integration Feature.

Fix:
Previously, the Windows Logon Integration feature sometimes caused the Windows Logon screen to freeze. Now, this issue has been fixed.

As a side effect of the fix, the Logon screen now shows duplicates of the pre-logon VPN Entries, which might be confusing for client users. One duplicate comes from the Microsoft Credentials Provider. For information on how to disable the default Microsoft Credentials Provider, see the Microsoft Windows article: How to disable additional credential providers :: https://social.technet.microsoft.com/Forums/windows/en-US/9c23976a-3e2b-4b71-9f19-83ee3df0848b/how-to-disable-additional-credential-providers.

---

702738 : Tmm might crash activating new blob when changing firewall rules

Solution Article: K32181540

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.

Conditions:
Updating, removing, or adding firewall rules.

Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.

Impact:
Data traffic processing stops.

Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).

Option B
Modify all the rules simultaneously.

For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }

4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.

Fix:
TMM no longer crashes when changing firewall rules.

---

702490-4 : Windows Credential Reuse feature may not work

Component: Access Policy Manager

Symptoms:
Windows Credential Reuse feature may not work requiring that the EdgeClient end user enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).

The logterminal.txt file contains messages similar to the following:

<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted

Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.

Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.

Workaround:
There is no workaround at this time.

Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.

---

702487-1 : AD/LDAP admins with spaces in names are not supported

Component: Access Policy Manager

Symptoms:
If admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail, and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.

Note: Names containing spaces are not supported on BIG-IP systems.

Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.

Impact:
VPE, import/export/copy/delete do not work.

Workaround:
There is no workaround other than to not use admin names containing spaces.

Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.

---

702472-4 : Appliance Mode Security Hardening

Solution Article: K87659521

---

702469-4 : Appliance mode hardening in scp

Solution Article: K73522927

---

702457-3 : DNS Cache connections remain open indefinitely

Component: Global Traffic Manager (DNS)

Symptoms:
Resize / Clearing the DNS cache while a lot of traffic is running can cause numerous connections to remain open indefinitely. tmm crash

Conditions:
Resize / Clear the DNS Cache while it is resolving connections.

Impact:
Connections remain open forever, using up memory

Workaround:
If you are encountering this, you can remove these connections by restarting tmm:

tmsh restart sys service tmm

Impact of workaround: Traffic disrupted while tmm restarts.

Fix:
Fixed an issue where the DNS Cache kept connections open indefinitely when clearing or resizing a cache with active resolutions occurring.

---

702450-4 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.

Fix:
Made the error message accurately reflect what the user was attempting to delete.

---

702278-3 : Potential XSS security exposure on APM logon page.

Component: Access Policy Manager

Symptoms:
Potential XSS security exposure on APM logon page.

Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.

Impact:
Potential XSS security exposure.

Workaround:
1. Using APM Advance Customization UI, remove setOrigUriLink(); call in logon.inc from the next JS function:

369 function OnLoad()
370 {
371 var header = document.getElementById("credentials_table_header");
372 var softTokenHeaderStr = getSoftTokenPrompt();
373 if ( softTokenHeaderStr ) {
374 header.innerHTML = softTokenHeaderStr;
375 }
376 setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
377 setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
378 // ===> REMOVE THIS ONE setOrigUriLink();
----

Fix:
Potential security exposure has been removed from APM logon page.

---

702151-2 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.

---

701900 : DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.

Solution Article: K55938217

Component: TMOS

Symptoms:
DHCP-configured domain-name-servers (DNS) unavailable after reboot when there are more than two domain-name-servers in the lease.

Conditions:
- DHCP is enabled on the mgmt interface.
- DHCP server provides more than 2 domain-name-servers in its lease.

Impact:
Name resolution on mgmt interface fails due to misconfiguration in DNS information for mgmt interface.

Workaround:
No workaround at this time.

Fix:
This release corrects the handling of multiple DNS name-servers.

---

701856-2 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart

Component: Application Security Manager

Symptoms:
In rare circumstance, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.

Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).

Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.

---

701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz ,is saved unnecessarily during UCS file save, and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.

---

701785-3 : Linux kernel vulnerability: CVE-2017-18017

Solution Article: K18352029

---

701680-1 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Component: Service Provider

Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.

Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate-limited is applied.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
There is no workaround at this time.

Fix:
MBLB rate-limited virtual server now correctly sends packets to the server.

---

701678-1 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded

Component: Local Traffic Manager

Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.

Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
None.

Fix:
UDP rate-limited virtual server now correctly sends packets to the server.

---

701626-1 : GUI resets custom Certificate Key Chain in child client SSL profile

Solution Article: K16465222

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring.

You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.

---

701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled

Component: Local Traffic Manager

Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses; a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after making other changes affecting the state of other FQDN members of the pool.

Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.

Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.

Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.

Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.

Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

701538-1 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured

Component: Local Traffic Manager

Symptoms:
SSL handshake fails if the client initiates the handshake with TLS false start (specifically, client SSL sends the SSL record data to the server before the Server sends out the CSS is FINISHED notification).

Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is default for for non-virtual edition (VE) versions).

Impact:
The BIG-IP system sends the RST to tear down the connection in TLS false start.

Workaround:
There are no true workarounds. You must disable one of the conditions to workaround the issue:

-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not try to use TLS false start and still be able to use (EC)DHE.

Fix:
The system no longer processes application data before verifying that the finished message arrives and handshake is complete.

---

701359-2 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310

---

701327-1 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exists.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.

---

701253-3 : TMM core when using MPTCP

Solution Article: K16248201

---

701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.

---

701202-1 : SSL memory corruption

Solution Article: K35023432

Component: Local Traffic Manager

Symptoms:
In some instances random memory can be corrupted causing TMM core.

Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.

Impact:
TMM crash, disrupting traffic.

Workaround:
There is no workaround at this time.

Fix:
The memory corruption issue has been fixed.

---

701039 : Requests do not appear in local logging due to rare file descriptor exhaustion

Component: Application Security Manager

Symptoms:
In an extremely rare circumstance, requests do not appear in local logging due to file descriptor exhaustion in asmlogd.

Conditions:
-- ASM configured.
-- ASM policy with an associated 'Log all requests' logging profile.
-- Requests sent to virtual server.
-- View Request Log.

Impact:
Requests do not appear in local logging.

Workaround:
Restart ASM, or pkill -f asmlogd.

Fix:
Requests appear in local logging correctly.

---

700889-2 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Solution Article: K07330445

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7 which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not using WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.

Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.

---

700862-2 : tmm SIGFPE 'valid node'

Solution Article: K15130240

Component: Local Traffic Manager

Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.

Conditions:
The host is unreachable.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when the host is unreachable.

---

700827-2 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.

Fix:
This release introduces a new variable you can use to mitigate the issue:
mhdag.pu.table.size.multiplier

1. Set the variable to to 2 or 3 on the host.
2. Restart tmm on all blades.
3. Restart tmm on the host.
4. Restart tmm on all guests.

Note: Restarting tmm on the guests only does nothing; restarting on the host only means that the guests still use old DAG settings and have high inter-TMM forwarding traffic, resulting in a worse condition than originally experienced.

Behavior Change:
This release introduces a new variable to mitigate this issue:
mhdag.pu.table.size.multiplier.

You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue.

---

700812-2 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Component: Application Security Manager

Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.

Conditions:
Try to deploy a qkview on a BIG-IP using the asmrepro tool
while BIG-IP has a 4 element version like 13.1.0.1.

Impact:
Cannot deploy a 4 element version qkview on a BIG-IP using the asmrepro tool.

Workaround:
n/a

Fix:
asmrepro now handles the version number properly.

---

700783-3 : Machine certificate check does not check against all FQDN hostnames

Component: Access Policy Manager

Symptoms:
macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. Machine certificate check does not check against all FQDN hostnames. This causes failure in certain scenarios.

Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.

Impact:
Machine cert check might fail.

Workaround:
No workaround at this time.

Fix:
Previously, with a macOS system that had multiple hostnames, the machine certificate check could not check against all hostnames, causing failures in some scenarios. Now, the machine certificate check compares all hostnames on macOS devices.

---

700780-4 : F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses

Component: Access Policy Manager

Symptoms:
F5 DNS Relay Proxy service does not support DNS-over-TCP requests, so if, in some configuration, the client resolver decides to use TCP for DNS resolution, this packet is not re-routed/proxied by the DNS Relay Proxy service, and may be causing DNS to be resolved using an incorrect DNS server (where the system decides to send it).

Typically, if a client receives DNS response with the TC flag set, it retries using TCP. Clearing the TC flag makes client resolver not use TCP at all, preventing DNS packets leakage.

Conditions:
-- DNS server responds with TC flag set in DNS response packet.
-- Windows only is affected.

Impact:
DNS resolution may not work as designed, as the system might send a packet to an incorrect DNS server.

Workaround:
None.

Fix:
Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.

---

700757-2 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd

Fix:
Prevented vcmpd from crashing when exiting.

---

700726-1 : Search engine list was updated, and fixing case of multiple entries

Component: Application Security Manager

Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.

Conditions:
Site accessed by search engines.

Impact:
Traffic from search engines is blocked unnecessarily.

Workaround:
Manually add search engines.

Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.

---

700696-2 : SSID does not cache fragmented Client Certificates correctly via iRule

Component: Local Traffic Manager

Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.

Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.

Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.

Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.

Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).

---

700571-2 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL

Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.

---

700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled

Component: Application Security Manager

Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.

Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug',
enable 'device discovery' on Chrome on the desktop, and view the console from there.

Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.

Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.

The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.

Workaround:
Disable Device ID in ASM policy.

Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.

---

700556-2 : TMM may crash when processing WebSockets data

Solution Article: K11718033

---

700527-1 : cmp-hash change can cause repeated iRule DNS-lookup hang

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.

---

700433-2 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.

As a result of this issue, you may encounter one or more of the following symptoms:

-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.

-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.

Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.

Workaround:
None.

Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.

---

700393-2 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash

Solution Article: K53464344

Component: Local Traffic Manager

Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.

Conditions:
HTTP/2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.

---

700386-1 : mcpd may dump core on startup

Component: TMOS

Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.

Conditions:
This can happen only at startup.

Impact:
mcpd restarts, but resumes normal operation.

Workaround:
None.

Fix:
mcpd no longer generates a core on startup.

---

700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.

Component: Application Security Manager

Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.

Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.

Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.

Workaround:
None.

Fix:
The system now handles Ajax requests being sent via the JQuery framework.

---

700315-3 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process, by running a command similar to the following: kill -9 'pidof tshark'

Fix:
Ctrl+C now terminates TShark as expected.

---

700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No work around for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.

Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.

---

700061-3 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file

Component: Local Traffic Manager

Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key files Unix permission changes from '-rw-r-----' to
'-rw-r--r--'

Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.

Impact:
Key file Unix read permission changes from '-rw-r-----' to
'-rw-r--r--'

Workaround:
There is no workaround at this time.

Fix:
Fix made sure restart of service MCPD and reboot of device does not change key files Unix read permissions from '-rw-r-----' to
'-rw-r--r--'

---

700057-3 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.

---

699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.

---

699598-4 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR

Component: Local Traffic Manager

Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.

Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.

Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.

Workaround:
None.

Fix:
Large HTTP/2 requests are now processed as expected.

---

699531-3 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.

Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.

---

699455-3 : SAML export does not follow best practices

Solution Article: K50254952

---

699454-3 : Web UI does not follow current best coding practices

Component: Advanced Firewall Manager

Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.

Conditions:
Authenticated web UI user.

Impact:
UI does not respond as intended.

Workaround:
None.

Fix:
The web UI now follows current best coding practices while processing URL DB updates.

---

699452-3 : Web UI does not follow current best coding practices

Solution Article: K29280193

---

699431 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Impact:
The table entry will be remain until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.

---

699346-2 : NetHSM capacity reduces when handling errors

Solution Article: K53931245

---

699339-1 : Geolocation upgrade files fail to replicate to secondary blades

Solution Article: K24634702

Component: Global Traffic Manager (DNS)

Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.

Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.

Impact:
Geoip database is not updated to match primary blade.

Workaround:
Use either of the following workarounds:

-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.

-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.

To edit /etc/csyncd.conf:

Merge the following two terms:
 monitor dir /shared/GeoIP {...)
 monitor dir /shared/GeoIP/v2 {...}

into one term, as follows:
monitor dir /shared/GeoIP {
        queue geoip
        pull pri2sec
        recurse yes
        defer no
        lnksync yes
        md5 no
        post "/usr/local/bin/geoip_reload_data"
}

Fix:
Geolocation upgrade files now correctly replicate to secondary blades.

---

699281 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
Recently F5 incorporated 4th element into versioning scheme. 4th and 5th are separated by dash (instead of dot) in ISO name. This change/bug insures that names of hypervisor bundles also use dash between 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example ova files for vmware).

Impact:
Version format in names of hypervisor bundles matches version format of ISO file

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).

---

699267-1 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled

Impact:
LDAP Query agent fails.
unable to get user identity.
unable to finalize Access Policy.

Fix:
after fix, LDAP Query resolves all nested groups as expected and session.ldap.last.attr.memberOf attributes contains user's groups

---

699262-2 : FQDN pool member status remains in 'checking' state after full config sync

Component: Local Traffic Manager

Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.

Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:

tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }

Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.

Workaround:
Restart bigd on the affected peer after the config sync.

Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

699147 : Hourly billed cloud images are now pre-licensed

Component: TMOS

Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.

Conditions:
Using hourly billing.

Impact:
Hourly instances do not receive licenses and thus could not pass traffic without outbound internet access.

Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.

Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.

---

699135-2 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.

Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create a iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.

Impact:
tmm cores.

Workaround:
Don't use host command for non type A/AAAA wideips.

---

699091-1 : SELinux denies console access for remote users.

Component: TMOS

Symptoms:
SELinux denies console access for remote users if they are attempting to log in for the first time. This occurs because the user has not logged in before, so no entries exist for them in the userrolepartitions file.

Conditions:
-- Remote authentication is enabled.
-- BIG-IP system user attempts to log in to the console as their first login.

Impact:
Certain remote users may not be able to log in to the console.

Workaround:
Login as a remote user using SSH or the GUI.

Fix:
Allow login to connect to MCP to announce remote user login and set user role partition access.

---

698947-1 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.

Component: TMOS

Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.

Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.

Impact:
The decapsulated packets may be dropped in the BIG-IP system.

Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.

---

698919-1 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.

---

698916-3 : TMM crash with HTTP/2 under specific condition

Component: Local Traffic Manager

Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connnection.

Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.

Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.

---

698813-3 : When processing DNSX transfers ZoneRunner does not enforce best practices

Solution Article: K45435121

---

698806-2 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces

Component: Advanced Firewall Manager

Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.

Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.

Impact:
Egress Interfaces will not be checked even if they are configured.

Workaround:
Use tmsh to check if the object is actually configured with Egress Interfaces

Fix:
Egress Interfaces will be selected whenever a user tries to create a source Translation object with Egress Interfaces.

---

698757-1 : Standby system saves config and changes status after sync from peer

Solution Article: K58143082

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.

Conditions:
-- Manual sync device-group configuration.
-- Modify existing policy encoding to uppercase (via tmsh).
-- ASM configuration.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
Use either of the following workarounds:
-- Push the sync back from the Standby device to the Active device, and then again from the Active to Standby.

-- Put the device group into auto-sync state and push the config from the Active to the Standby. After the Sync state resolves and the ASM configuration is finished loading, the device group can be put back to Manual sync.

Fix:
Change requested encoding to lowercase.

---

698619-1 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.

Fix:
Port bridging on HSB interfaces in the switch for non-vCMP systems is now disabled on BIG/IP 5000/7000. However, this issue still occurs on B2100 blades as port bridging is required on that platform for chassis data plane support.

---

698429-3 : Misleading log error message: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:

Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...

These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.

Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.

Impact:
None. These messages do not indicate an actual problem with the system.

---

698379-3 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(

Solution Article: K61238215

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.

Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.

---

698376-4 : Non-admin users have limited bash commands and can only write to certain directories

Solution Article: K46524395

---

698338-2 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.

Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.

---

698080-1 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183

---

698000-1 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupts traffic to connections using a pool member to reach the nexthop.

---

697878 : High crypto request completion time under some workload patterns

Component: TMOS

Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into associated waiting queue. The crypto requests continue to complete, but are significantly delayed.

Conditions:
High crypto usage often in conjunction with high compression usage.

Impact:
Crypto requests can be delayed as long as 1.5 seconds.

Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
    tmsh modify sys db crypto.hwacceleration value disable

Fix:
Improve accelerated crypto poll-timing calculation.

---

697718-3 : Increase PEM HSL reporting buffer size to 4K.

Component: Policy Enforcement Manager

Symptoms:
Before this fix, PEM HSL reporting buffer size is limited by 512 bytes.

Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.

Impact:
Part of PEM HSL flow reporting information will be lost.

Fix:
We increase PEM HSL reporting buffer size to 4K, which should be enough for uses cases we currently know.

---

697616 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests

Component: TMOS

Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: high availability (HA) crypto_failsafe_t qat-crypto0-0 fails action is failover.

Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.

Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.

Workaround:
None.

Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.

---

697424 : iControl-REST crashes on /example for firewall address-lists

Component: TMOS

Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.

Conditions:
Making a call to /example on firewall address-list.

Impact:
The icrd_child process crashes.

Workaround:
There is no workaround other than not calling /example on firewall address-lists.

---

697303-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.

---

697259-1 : Different versioned vCMP guests on the same chassis may crash.

Solution Article: K14023450

Component: Local Traffic Manager

Symptoms:
The vCMP guest TMM crashes soon after startup.

Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.

Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Different versioned vCMP guests on the same chassis no longer crash.

---

696808-3 : Disabling a single pool member removes all GTM persistence records

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidently cleared.

Workaround:
Set drain-persistent-requests yes.

Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.

---

696789-2 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, and the irule is resumed because of timeout.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.

---

696732 : tmm may crash in a compression provider

Solution Article: K54431534

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes, Traffic disrupted while tmm restarts.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly

---

696468 : Active compression requests can become starved from too many queued requests.

Component: TMOS

Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.

CPU utilization per tmm in this condition may be quite high.

Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.

Impact:
Compression on a per-tmm basis can stop servicing new requests.

Workaround:
Switch to software compression.

Fix:
Soften the restriction so that accumulated contexts with no traffic cannot not prevent busy contexts from getting compression time.

---

696383-2 : PEM Diameter incomplete flow crashes when sweeped

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.

---

696294-3 : TMM core may be seen when using Application reporting with flow filter in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM core with flow filter when Application reporting action is enabled

Conditions:
If Application reporting is enabled along with flow filter

Impact:
TMM restart causing service interruption

Fix:
Initialize the application start buffer so as to prevent the TMM core

---

696265-3 : BD crash

Solution Article: K60985582

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.

---

696113-1 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.

Fix:
An object tracking crypto operations now adds a sole reference to the connflow as long as the count of crypto operation pending is nonzero.

---

696049-3 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.

---

695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.

---

695925-3 : Tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
Tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server, or a floating self-IP address defined.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
Tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using tmsh show sys connection.

---

695901-2 : TMM may crash when processing ProxySSL data

Solution Article: K46940010

---

695878-5 : Signature enforcement issue on specific requests

Component: Application Security Manager

Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.

Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.

-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).

Impact:
Attack signatures are not enforced on the payload of this request at all.

Workaround:
Turn on the violation in blocking 'Request exceed max buffer size'.

Fix:
The operation now looks into part of the payload for the attack signatures enforcement.

---

695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes

Solution Article: K30081842

Component: Local Traffic Manager

Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.

Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.

FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.

Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:

... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...

Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.

Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.

Fix:
bigd no longer produces corrupted MCP messages, resulting in nodes and/or pool members remaining in a 'checking' state, with up to 2,000 nodes and/or pool members including FQDN nodes and/or pool members configured. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

694922-4 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state

---

694778-2 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Component: Local Traffic Manager

Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).

Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Workaround:
There is no workaround other than to disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources now can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.

---

694740-1 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

Fix:
Reboot is delayed until TMM core file is completed.

---

694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.

---

694697-3 : clusterd logs heartbeat check messages at log level info

Solution Article: K62065305

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice.

Fix:
The log level of clusterd logs heartbeat check messages has changed. For 'Skipping heartbeat check' messages, the log level is now debug, and 'Checking heartbeat of peer slot' messages log level is verbose and now reports on which bp the heartbeat was received.

---

694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.

Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.

---

694656-3 : Routing changes may cause TMM to restart

Solution Article: K05186205

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

Fix:
TMM now properly manages routing information for active connections.

---

694319-3 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues as not all CCA messages cannot be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
Add a statistics counter to track CCA's that do not request type AVPs.
Name of new counter:cca_unknown_type

---

694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending resulting in a potential increase in memry consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.

---

694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223

---

694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.

---

693996-3 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.

---

693910-2 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transition to a STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a block state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

Fix:
FDB entries are now flushed by interface whenever an interface transitions to a STP block state.

---

693884-3 : ospfd core on secondary blade during network unstability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
Dynamic routing process ospfd core on secondary blade.

Workaround:
None.

---

693838 : Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors

Component: Local Traffic Manager

Symptoms:
Member of pool is not marked down when response time exceeds hard limit.

Conditions:
Adaptive monitoring enabled for UDP monitor and server response time exceeds hard limit.

Impact:
Member remains in pool despite exceeding hard limit which may result in degraded services.

Workaround:
None.

---

693744-3 : CVE-2018-5531: vCMP vulnerability

Solution Article: K64721111

---

693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

Component: Access Policy Manager

Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.

Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.

Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.

Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.

Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.

---

693582-3 : Monitor node log not rotated for certain monitor types

Component: Local Traffic Manager

Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.

Conditions:
-- This occurs if Monitor Logging is enabled for an LTM node or pool member, and the LTM node or pool member uses any of the following monitor types:
   - icmp
   - gateway-icmp
   - external

-- This also can happen with tcp-half-open if the monitor is down.

Impact:
Depending on the affected BIG-IP software version in use, effects may include the following symptoms:

1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).

2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).

3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.

Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool members.

-- If symptom #1 occurs, Monitor Logging can be re-enabled after log rotation has occurred.

-- To address symptoms #2 or #3, Monitor Logging can be re-enabled immediately.

For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors :: https://support.f5.com/csp/article/K12531.

Fix:
Monitor node logs are now rotated/compressed as expected.

---

693388-1 : Log additional HSB registers when device becomes unresponsive

Component: TMOS

Symptoms:
HSB becomes unresponsive, and logs no registers to indicate the state of the device. There is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

Fix:
There is now logging of additional registers to assist in diagnosing the failure.

The registers can be seen in the TMM log files when there is either an HSB transmitter or receive failure.

---

693360-6 : A virtual server status changes to yellow while still available

Solution Article: K52035247

---

693312-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684

---

693308-3 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Component: Local Traffic Manager

Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both, client and server side
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Impact:
The backend server will not be securely accessible via SSL because the connection hangs

Workaround:
Disable SSL Session Persistence.

Fix:
Whenever a fragmented message is received by a BIG-IP virtual service, subsequent messages contain a 5-byte header, each, which should be accounted for. Upon taking this into consideration, no more multiple-of-5 bytes are found missing while the message is being parsed by the Session Persistence parser, and the parser no longer hangs.

---

693211-3 : CVE-2017-6168

Solution Article: K21905460

---

693106-2 : IKEv1 newest established phase-one SAs should be found first in a search

Component: TMOS

Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.

If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BigIP, preferring a newest SA may mitigate the problem.

Conditions:
The situation seems mostly easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.

If the other end deletes a duplicate without sending a DELETE message to BigIP, we might accidently use the older SA of a pair.

Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.

Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.

Fix:
At the momenet a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of a remote peer, the next time we initiate another phase two negotiation ourselves.

---

693007-3 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager (DNS)

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.

Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.

---

692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.

---

692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.

---

692307-1 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables

---

692239-1 : AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds

Solution Article: K31554905

Component: TMOS

Symptoms:
When using the AOM menu, LCD touchscreen, or the operating system 'halt' command to power off then on the host CPU on i5600, i5800, i7600, i7800, i10600, i10800 platforms, the AOM creates a 'Host Power Cycle Event' SEL log entry every two seconds. The SEL log will continue to grow until external power to the appliance is fully power cycled.

Conditions:
-- Running on i5600, i5800, i7600, i7800, i10600, i10800 platforms.

-- With an older version of CPLD code installed (e.g., CPLD 0x45), power-off the host using the AOM menu, the LCD touchscreen, or the operating system's 'halt' command.

   + Bring up the AOM menu using ESC shift-9, then select 'p' and '0' from the menu to power off the host CPU complex.
   + On the LCD touchscreen, navigate to [System] menu and select [Power Off] to power off the host CPU complex.
   + Run the 'halt' command on the BIG-IP host subsystem.

-- Wait a few seconds, and power on the host.

   + On the AOM menu, select 'p' and '1' to power on the host CPU complex.
   + On the LCD touchscreen, navigate to [System] menu and select [Power On] to power on the host CPU complex.
   + There is no equivalent shell method to turn the power back on after running the 'halt' command.

Impact:
This results in ongoing 'Host Power Cycle Event' messages to post in the SEL log (tail /var/log/sel) every two seconds.
The SEL log will continue to grow and wrap as this message continues to post to the SEL log every two seconds.
This results in a very large number of SEL entry fetches by the host CPU to the AOM and can place a substantial load on the AOM interface.

In addition, the loss of communication between the BIG-IP host and the AOM can cause a number of related errors to be logged in the LTM log, such as:
012a0022:4: Host to AOM communication error
012a0004:4: Unable to get sensor reading for sens num #
012a0004:4: AomSelLogger: unable to sync SEL log time
012a0004:4: AomSelLogger: unable to process SEL logs
012a0004:4: Error writing SEL records, BmcDev: Unable to get SEL Info
012a0004:4: Error syncing SEL time, BmcDev: IpmiCmdDev: : Unable to Set SEL time ######## (rv=fd) Other error 0xfd (cc=80) Invalid Session Handle or Empty Buffer

Workaround:
The actual fix is to install a newer version of i5600, i5800, i7600, i7800, i10600, i10800 platform CPLD code (e.g., CPLD 0x54 or CPLD 0x55).

Another workaround is to fully power cycle the appliance.
However, every time the AOM menu is used to power off then on the host, the SEL log entries re-appear.

Fix:
This issue is fixed in newer versions of the i5600, i5800, i7600, i7800, i10600, i10800 platforms CPLD (e.g., CPLD 0x54 or CPLD 0x55).

---

692189-3 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd

Fix:
errdefsd now generates a core file when forced to core.

---

692179-3 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.

Fix:
The changes in this bug force errdefsd to check for config changes once every second in addition to checking whenever management-port destination logs come in.

---

692165-2 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.

---

692158-2 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.

Conditions:
Use of iCall or CLI scripts to save the configuration.

Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.

Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.

Fix:
scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.

---

692123-2 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

Fix:
The GET method is not grayed out if MobileSafe is not licensed.

---

692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.

---

691945-2 : Security Policy Configuration Changes When Disabling Learning

Component: Application Security Manager

Symptoms:
When Learning is enabled in either manual or automatic mode, and is then disabled. This was considered to be the end of the learning process, and so changes are automatically made to the default wildcard entities ("*" URL, Parameter, Filetype) such as removing the element from staging.

The user is not notified of these changes, and they may not be expected, leading to undesired security enforcement.

Conditions:
-- Learning is enabled in Manual or Automatic mode.
-- Learning is then disabled.

Impact:
Unexpected changes to the default wildcard elements in the policy can lead to undesired security enforcement.

Workaround:
The audit log shows all changes that were made to the policy, and undesired changes can be remedied before the policy changes are applied.

Fix:
No changes are made to the default wildcard entities upon disabling of learning.

---

691897-1 : Names of the modified cookies do not appear in the event log

Component: Application Security Manager

Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie is empty.

Conditions:
A modified domain cookies violation happens.

Note: This can happen only if there are also non-modified or staged cookies.

Impact:
Expected violation details are not displayed.

Workaround:
There is no workaround at this time.

Fix:
Issue with modified domain cookie violation details is now fixed.

---

691806-3 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Solution Article: K61815412

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.

---

691670-3 : Rare BD crash in a specific scenario

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.

---

691589 : When using LDAP client auth, tamd may become stuck

Component: TMOS

Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.

Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.

Impact:
Authentication to the virtual server fails until tamd is restarted.

Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd

Fix:
tamd no longer becomes stuck when using LDAP client auth.

---

691504-3 : PEM content insertion in a compressed response may cause a crash.

Solution Article: K54562183

---

691498-1 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, Traffic disrupted while tmm restarts.

Workaround:
No known workaround.

Fix:
The reference counting of the resolver connection was fixed.

---

691477-1 : ASM standby unit showing future date and high version count for ASM Device Group

Component: Application Security Manager

Symptoms:
Policy builder is changing configuration of standby unit.

Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).

Impact:
Unexpected changes are made to the policy on standby device (CID increment).

Workaround:
Restart pabnagd when switching device from active to standby (also when blade is changed from master no non-master):

killall -s SIGHUP pabnagd

Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.

---

691287-3 : tmm crashes on iRule with GTM pool command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').

For example:

when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

or:

when DNS_REQUEST {
    pool [class lookup pool-dg key-value]
}

Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Pass the 'pool' argument through 'string trim'. For instance:

when DNS_REQUEST {
    pool [string trim [class lookup pool-dg key-value]]
}

Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.

---

691224-1 : Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled

Solution Article: K59327001

Component: Local Traffic Manager

Symptoms:
Node Server rejects received-and-incomplete ClientHello message and connection terminates.

Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.

Impact:
With Session Persistence enabled
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.

Workaround:
The issue disappears when SSL Persistence is disabled.

---

691017-1 : Preventing ng_export hangs

Component: Access Policy Manager

Symptoms:
Sometimes ng_export is stuck while reading tmsh thru the pipe because of buffer issues. Export is trying to read more data from tmsh while data is lost in the middle of the read operation.

Conditions:
-- ng_export receives tmsh replies through buffer of constant size x.
-- During the read operation, tmsh returns a buffer size of x minus k, where k is a very small random number (less than 50).

Note: K is a very small random number, which makes this issue difficult to describe.

Impact:
The export operation hangs.

Workaround:
There is no workaround at this time.

Fix:
APM access policy export now uses non-blocking socket and loops to wait for data or terminate gracefully.

---

690819-3 : Using an iRule module after a 'session lookup' may result in crash

Component: TMOS

Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.

Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.

Impact:
The system may core, or result in undefined and/or undesired behavior.

Workaround:
Check the return value of 'session lookup' before using another iRule module.

If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.

---

690793-2 : TMM may crash and dump core due to improper connflow tracking

Solution Article: K25263287

Component: TMOS

Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.

Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.

While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.

Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.

Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.

However, this does not eliminate entirely the chances of running into this issue.

Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.

---

690215-1 : Missing requests in request log

Component: Application Security Manager

Symptoms:
Requests are missing from request log

Conditions:
Either of:
- pabnagd restart
- asm restart
- failover

Impact:
- Requests are not logged for up to an hour (affected by the amount of policies)

Workaround:
No workaround.

Fix:
All requests are now logged always.

---

690166-3 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

Component: Global Traffic Manager (DNS)

Symptoms:
Creating SRV wideip will result in stub zone creation even there are already matching zones.

Conditions:
Creating SRV wideip with three more layers than existing zone.

Impact:
Unnecessary stub zones created.

---

690042-3 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer leaks memory.

---

689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)

Solution Article: K95422068

Component: Access Policy Manager

Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.

Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.

Impact:
Proxy settings are not applied on client side after VPN is established.

Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
 
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:

 1. Set the custom variable name to the following value:
    config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
    Note: <network access resource name> is the name of the network access resource.

 2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
    return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
    Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.

 3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.

Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.

---

689730-2 : Software installations from v13.1.0 might fail★

Component: TMOS

Symptoms:
Installation terminates with the following final log messages:

info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.

Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
   + i2600
   + i2800
   + i4600
   + i4800
   + i5600
   + i5800
   + i5820
   + i7600
   + i7800
   + i7820
   + i10600
   + i10800
   + i11600
   + i11800

-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.

Impact:
Installation of new software cannot proceed.

Workaround:
Remove the '/shared/core' symlink, the restart the installation.

Fix:
The installer now properly detects the symlink and proceeds without error.

---

689577-1 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.

---

689449-3 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will killed.

Workaround:
No workaround at this time.

Fix:
BIG-IP no longer attempts to send a response with a configured fallback host in HTTP profile, when a connection is aborted by a client or due to an internal error. It prevents the internal flow to stay in memory after the connection has died.

---

689437-2 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Solution Article: K49554067

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.

Fix:
icrd_child parsing logic update is needed to not enter recursion.

---

689361-3 : Configsync can change the status of a monitored pool member

Component: Local Traffic Manager

Symptoms:
It is possible for a configsync operation to incorrectly change a monitor's state. For example, it can change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device. Other state changes are possible.

Conditions:
Pool members are monitored and a configsync is initiated from a paired device.

Impact:
The configsync causes the monitor on the standby system to transition to an incorrect state, out of sync with the active system.

Workaround:
There is a workaround for the case described in 'Symptoms':

Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.

Fix:
A configsync no longer causes an unexpected monitor transition on the standby system.

---

689211-2 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }

Component: TMOS

Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.

Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.

Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.

Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.

Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
 bigstart restart

Fix:
Added check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an address containing all zero when forwarded.

---

689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.

Fix:
The configuration file update logic has been changed to prevent file corruption during update.

---

689080 : Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value

Component: Local Traffic Manager

Symptoms:
When a software encoding algorithm is being used by tmm to generate syn cookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, which would be a wrong value. This may cause connection to fail in subsequent transactions, or cause performance degradation.

Conditions:
When software syncookie protection mode is activated and a software encoding algorithm is being used.

Impact:
Connections either fail, or the smaller, incorrect MSS value causes performance degradation.

Workaround:
None.

Fix:
If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.

---

689002-1 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.

Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.

---

688942-3 : ICAP: Chunk parser performs poorly with very large chunk

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload in mulitple normal sized chunks (up to a few tens of KB).

Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.

---

688629-3 : Deleting data-group in use by iRule does not trigger validation error

Solution Article: K52334096

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
In use data-group can be deleted without error. iRule aborts leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.

Fix:
An attempt to delete a data-group in use by an iRule now triggers a validation error.

---

688625-2 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432

---

688553-1 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.

---

688516-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684

---

688399-5 : HSB failure results in continuous TMM restarts

Component: TMOS

Symptoms:
The TMM is continually restarted due to lack of the HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files, prior to a TMM core (SIGSEGV).

Conditions:
The conditions under which this occurs are unknown.

Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.

Workaround:
Manually reboot the unit.

Fix:
The TMM restarts no longer occur.

---

688148-1 : IKEv1 racoon daemon SEGV during phase-two SA list iteration

Component: TMOS

Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.

Conditions:
Deleting phase-two SAs, either manually or in response to notifications.

Impact:
IKEv1 tunnel outage until the racoon daemon restarts.

Workaround:
None.

Fix:
Fixed list iteration to use the correct list linkage, so iterating one phase-one SAs list does not instead visit the global list of phase-two SAs.

---

688011-5 : Dig utility does not apply best practices

Solution Article: K02043709

---

688009-5 : Appliance Mode TMSH hardening

Solution Article: K46121888

---

687905 : OneConnect profile causes CMP redirected connections on the HA standby

Solution Article: K72040312

Component: TMOS

Symptoms:
When virtual server uses OneConnect profile in HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and memory leak on high availability (HA) standby systems, including high memory usage on standby units.

Conditions:
-- Virtual server uses OneConnect profile in HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.

Impact:
Redirected connections and memory leak on a standby device.

Workaround:
Remove OneConnect profile from the virtual server.

---

687887-4 : Unexpected result from multiple changes to a monitor-related object in a single transaction

Component: Local Traffic Manager

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts the 'delete key', and then the 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').

Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).

---

687759-2 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache

---

687658-2 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.

---

687603-1 : tmsh query for dns records may cause tmm to crash

Solution Article: K36243347

Component: Local Traffic Manager

Symptoms:
tmm experiences segmentation fault.

Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

Impact:
Core file / system outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm experiences segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

---

687534-3 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool

Conditions:
This issue occurs when a pool name contains .. in the name.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
 tmsh modify ltm pool <pool name> members add { <member info> }

Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.

---

687353-3 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0

---

687205-3 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart

Component: Local Traffic Manager

Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.

Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.

Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.

Workaround:
None.

---

687193-1 : TMM may leak memory when processing SSL Forward Proxy traffic

Solution Article: K45325728

---

687128-3 : gtm::host iRule validation for ipv4 and ipv6 addresses

Component: Global Traffic Manager (DNS)

Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.

Conditions:
An AAAA-type wideip with a ipv4 gtm::host iRule, or A-type wideip with an ipv6 gtm::host iRUle.

Impact:
Incorrect host information was being returned.

Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.

Fix:
FIxed issue allowing incorrect gtm::host iRule commands to trigger on incorrect wideip types.

---

687115-1 : SNMP performance can be impacted by a long list of allowed-addresses

Component: TMOS

Symptoms:
If the SNMP configuration includes a long list of allowed-addresses in the configuration then it can impact SNMP performance.

Conditions:
-- The SNMP daemon consults a system file to determine whether a request can be serviced.

-- There is a long list of allowed addresses in the configuration.

Impact:
Potentially slow SNMP response.

Workaround:
Make the list of allowed addresses be the minimum set of your clients.

Fix:
The daemon code is now more efficient.

---

687098 : IPv6 RADIUS servers not supported for remote authentication

Component: TMOS

Symptoms:
Authenticating against an IPv6 RADIUS server is not supported, only an IPv4 server.

Conditions:
This applies to remote authentication to log on to the BIG-IP system for management purposes.

Impact:
Logon operation will time out, as if the server did not respond.

Workaround:
Use an IPv4 server. If you have an IPv6 management IP, then you will need to have the IPv4 server reachable over a dataplane VLAN.

Fix:
Support for IPv6 RADIUS servers has been added.

---

686972-1 : The change of APM log settings will reset the SSL session cache.

Component: Local Traffic Manager

Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Also, subsequent resumption of SSL sessions may fail after such change causing a situation where full ssl handshakes may occur more frequently.

Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.

Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.

Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.

Fix:
The change of APM log settings now limits its effect on APM module instead of affecting other (SSL) module's data.

---

686926-3 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because a second response appears to have an out-of-order message ID when BIG-IP believe the first message_id of zero was already handled earlier.

Workaround:
None.

Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.

---

686765-1 : Database cleaning failure may allow MySQL space to fill the disk entirely

Component: Application Security Manager

Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.

In /var/log/ts/asm_config_server.log you might see these errors repeatedly:

Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full

Conditions:
This occurs if database cleaning failures occur.

Impact:
Disk will fill up, and you will be unable to modify ASM policies.

---

686763-2 : asm_start is consuming too much memory

Component: Application Security Manager

Symptoms:
asm_start is consuming too much memory.

Conditions:
Roll forward a device with a large ASM configuration.

Impact:
Increase memory pressure on the device.

Workaround:
Run the following command: restart asm

Fix:
asm_start no longer increases its memory footprint during upgrade.

---

686685-1 : LTM Policy internal compilation error

Component: Local Traffic Manager

Symptoms:
To enable maximum performance, LTM Policies undergo a compilation process, where they are transformed to a compact binary representation. An issue was discovered where the transformation is being done incorrectly under certain circumstances.

Conditions:
While not common, certain LTM Policy combinations will be transformed to binary representation where certain internal parameters are incorrect.

Impact:
The tmm process may experience an unexpected restart, or a policy action may not run as expected.

Workaround:
None.

Fix:
LTM Policies are correctly transformed to their high-performance, compact binary representations.

---

686631-1 : Deselect a compression provider at the end of a job and reselect a provider for a new job

Component: Local Traffic Manager

Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.

Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.

Impact:
It affects the compression provider selection.

Workaround:
None.

Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.

---

686395 : With DTLS version1, when client hello uses version1.2, handshake shall proceed

Component: Local Traffic Manager

Symptoms:
With DTLS version1, when client hello uses version1.2, handshake fails with error of :unsupported version".

Conditions:
DTLS version1 handshake:
Handshake version 1.0 . (0xfeff)
Client hello version 1.2(0xfefd)

Impact:
DTLS functionalities.

Workaround:
N/A

Fix:
In this case, we shall still proceed to perform handshake instead of bailing out with "unsupported version" error.

---

686389-3 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.

---

686376-1 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon

Component: Advanced Firewall Manager

Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show error status: Firewall rules deployment failed. After the system gets in this state it cannot be fixed except by removing or disabling all scheduled firewall rules.

Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.

Impact:
After this failure, firewall rules are not applied on data traffic.

Workaround:
Remove or disable all scheduled firewall rules.

Fix:
New blob deployed and new firewall rules applied successfully.

---

686307-1 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Solution Article: K10665315

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.

Fix:
This release addresses the underlying problem so the issue no longer occurs.

---

686305-2 : TMM may crash while processing SSL forward proxy traffic

Solution Article: K64552448

---

686282-1 : APMD intermittently crash when processing access policies

Component: Access Policy Manager

Symptoms:
APMD process may crash intermittently (rare) when processing access policies.

Conditions:
This rarely encountered issue occurs when any one of the following conditions exist:

-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.

Impact:
APM end users cannot pass access policy, cannot login.

Workaround:
None.

Fix:
APMD no longer intermittently crashes when processing access policies.

---

686228-3 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.

Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.

---

686124-3 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Solution Article: K83576240

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.

Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.

---

686065-1 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousand of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

Fix:
The scenario now works as expected and no longer results in a crash.

---

686059-1 : FDB entries for existing VLANs may be flushed when creating a new VLAN.

Component: Local Traffic Manager

Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.

Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.

Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.

Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.

---

686029-1 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces

Component: TMOS

Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.

Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.

Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.

Workaround:
None.

Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.

---

685955 : TMM hud_message_ctx leak

Component: Local Traffic Manager

Symptoms:
There is a TMM memory issue caused by leaked hud_message_ctx objects, each holding a websockets_frame.

Conditions:
Running WebSocket traffic that needs to be processed by a plugin like ASM.

Impact:
Increasing TMM memory usage leading to eventual service outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The memory leak in TMM has been fixed.

---

685862-2 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML IdP, and signing is configured, BIG-IP will sign the message by configured signing key, and include last certificate from the configured signing certificate chain in the SAML protocol message. Expected behavior is to include first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.

Conditions:
All of the following:
- BIG-IP is used as SAML IdP or SAML as SP with SLO configured.
- BIG-IP generates signed SAML response containing assertion or SLO request/response
- Configured on BIG-IP signing certificate is a security chain and not a single certificate

Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementation may drop signed SAML message if last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that signing operation itself is performed correctly by BIG-IP using configured signing certificate, and digital signature will contain correct value.

Workaround:
Instead of using signing certificate chain, change BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (single X509 object) by extracting first certificate from the chain.

Fix:
After the fix, BIG-IP will include first certificate found within configured signing certificate (chain).

---

685743-3 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.

Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.

---

685741 : DoS Overview is very slow to load data, to the point of timeout

Component: Application Visibility and Reporting

Symptoms:
When logs contains more than 1 million records, loading of attacks data is extremely slow and requires many SQL queries.

Conditions:
N/A

Impact:
DoS Overview page is unusable

Workaround:
N/A

Fix:
The fix revolved around combining all the required data into a couple of queries instead of sending distinct queries for every attack.

---

685708-3 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

Fix:
The system will no longer core.

---

685693 : APM AppTunnels memory leak

Component: Wan Optimization Manager

Symptoms:
Using APM AppTunnels causes a slow memory leak.

Conditions:
Use of APM AppTunnels.

Impact:
The slow memory leak exhaust tmm memory over time. Traffic disrupted when tmm restarts.

Workaround:
None.

Fix:
The memory leak has been corrected.

---

685615-5 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.

Workaround:
Use transparent mode on the VLAN group.

Fix:
source-mac-address for host traffic is correctly set.

---

685582-5 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...

Fix:
The unit key hash is now the correct length and is consistent upon each 'f5mku -f' command.

---

685519-3 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.

Fix:
Mirrored connections now honor the TCP handshake timeout.

---

685475-3 : Unexpected error when applying hotfix

Solution Article: K93145012

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIG-IP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIG-IP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIG-IP-11.6.1.0.0.317.iso'.

Here is another example: on multi-bladed VIPRION systems, where it is resolved by running 12.1.3.6.

1) Install and boot into 12.0.0 on the VIPRION system:
-- install /sys software image 12.0.0.iso create-volume volume HD1.test
-- reboot volume HD1.test
2) Install and boot into 12.1.2.0.402.249:
-- install /sys software hotfix Hotfix-BIG-IP-12.1.2.0.402.249-ENG.iso create-volume volume HD1.test2
-- reboot volume HD1.test2
3) Delete 12.0.0.iso and volume HD1.test:
-- delete sys software image 12.0.0.iso
-- delete sys software volume HD1.test
4) Copy over Hotfix-BIG-IP-13.1.0.7.0.17.1-ENG.iso without the 13.1.0.7 base image.
5) Check the /var/log/ltm logs for the following message:
-- lind[6288]: 013c0006:5: Image (BIG-IP-12.0.0.0.0.606.iso) has a software image entry in MCP database but does not exist on the filesystem.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation operation again.

Fix:
Issuing a 'install hotfix' command when the base image is not available sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.

---

685467-2 : Certain header manipulations in HTTP profile may result in losing connection.

Solution Article: K12933087

Component: Local Traffic Manager

Symptoms:
HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarding to a pool member. When a virtual server has iRule with a collect command like SSL::collect, it is affected by the HTTP profile processing. Same issue has an option 'Request Header Erase' available in HTTP profile.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.

Fix:
An issue of a resetting connections due to configuration options 'Insert X-Forwarded-For' and 'Request Header Erase' in HTTP profile no longer happens.

---

685458-5 : merged fails merging a table when a table row has incomplete keys defined.

Solution Article: K44738140

Component: TMOS

Symptoms:
There is as timing issue in merged where it will fail processing a table row with incomplete keys defined.

Conditions:
There are no specific conditions required, only that merged is running, which is true on every BIG-IP system, when the BIG-IP system is processing a table row with incomplete keys defined.

Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.

Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.

Workaround:
None.

Fix:
merged now detect this scenario, a table row with incomplete keys defined, and does not fail.

---

685344-2 : Monitor 'min 1 of' not working as expected with FQDN nodes/members

Component: Local Traffic Manager

Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.

Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.

Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.

Workaround:
To configure a pool with 'min 1 of{...}', specify static pool members, do not use FQDN to configure pool members.

Fix:
A pool with FQDN configured nodes/members and specified with a monitor of 'min 1 of {...}' remains available as long as a single pool member remains up.
This issue is resolved by the FQDNv2 feature re-implementation.

---

685254-1 : RAM Cache Exceeding Watchdog Timeout in Header Field Search

Solution Article: K14013100

Component: Local Traffic Manager

Symptoms:
SOD halts TMM while RAM cache is processing a header.

Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.

Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.

Workaround:
No workaround at this time.

Fix:
SOD no longer halts TMM while RAM cache is processing a header.

---

685230-1 : memory leak on a specific server scenario

Component: Application Security Manager

Symptoms:
The bd process memory increases.

Conditions:
A specific server scenario of handling the traffic.

Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.

Workaround:
There is no workaround at this time.

Fix:
A memory leaked related to a specific server scenario was fixed.

---

685207-2 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Login to the client IP address and send the ab request.
2. Once the DoS attack starts, sends the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.

---

685164-3 : In partitions with default route domain != 0 request log is not showing requests

Solution Article: K34646484

Component: Application Security Manager

Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.

Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).

---

685110-3 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Solution Article: K05430133

Component: Local Traffic Manager

Symptoms:
1. FQDN Node/pools fails to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FDQN nodes/pool members with non-LTM license.

Workaround:
None.

Fix:
Non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.

---

685020-1 : Enhancement to SessionDB provides timeout

Component: TMOS

Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.

Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.

Impact:
Calls made to SessionDB never return from the remote TMM.

Workaround:
None.

Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.

A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|

Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|

---

684937-6 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Solution Article: K26451305

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of caches Kerberos tickets, the latency of HTTP request processing has been significantly improved.

---

684879-2 : TMM may crash while processing TLS traffic

Solution Article: K02714910

---

684414-1 : Retrieving too many groups is causing out of memory errors in TMUI and VPE

Component: Access Policy Manager

Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502 and VPE fails with HTTP 500

Conditions:
LDAP/AD server with over 20,000 groups.

Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.

Workaround:
The only solution is to remove /shared/tmp/gmcache folder and use manual groupmapping.

Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.

---

684391-1 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.

Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.

---

684333-3 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
 tmm big start restart.

---

684325-3 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Access profile having CheckMachineCert agent, while updating profile using 'Apply access policy', each time it leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.

---

684319-2 : iRule execution logging

Component: Local Traffic Manager

Symptoms:
iRule execution can block tmm from getting CPU cycles.

Conditions:
when executing iRule TCL with e.g. a tight while loop, tmm will miss to sent its heartbeat. This change adds additional logging around this.

Impact:
Logging shows now iRule perpetrator.

Workaround:
No workaround.

Fix:
tmm will now log the following message should the configurable execution limit exceed:

 notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 631 ticks (192.168.24.24:38169 -> 10.209.31.20:80 TCP)
 notice tmm9[20262]: 01010029:5: Clock advanced by 632 ticks

---

684312-2 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Solution Article: K54140729

Component: Application Security Manager

Symptoms:
During Apply Policy action, bd agent crashes, causing with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

Causing bd and bd_agent processes restart, and causing the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart..

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.

---

684033-1 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Solution Article: K70084351

---

683697-3 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.

Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.

---

683683-1 : ASN1::encode returns wrong binary data

Component: Local Traffic Manager

Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.

Conditions:
The problem happens in an implicit UTF encoding/decoding, and it is not obvious what data triggers the error.

This is because it implicitly converts the Tcl object type from byte array to string and later back to byte array, but because of the UTF de-coding algorithm, certain bytes get changed.

Impact:
The returned binary is wrong.

Workaround:
Use binary scan for the value that is incorrectly encoded by the command.

Fix:
ASN1::encode ENCODE mode now works so that it avoids the implicit type-conversion byte array to string back to byte array, which gets the original byte array changed during UTF-8 decoding.

---

683631-1 : TMM crashes during stress test

Component: Local Traffic Manager

Symptoms:
During stress/load testing, with a large number of connections which triggers flow sweeping, TMM restarts.

Conditions:
A large number of connections are seen, which triggers an expansion of the connflow hash table at the same time the connflow sweeper is active.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Connflow removal from the internal hash table is deferred until the entire bucket is processed.

---

683508-3 : WebSockets: umu memory leak of binary frames when remote logger is configured

Solution Article: K00152663

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.

---

683389-1 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.

---

683241-3 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.

---

683114-1 : Need support for 4th element version in Update Check

Component: TMOS

Symptoms:
Previously, there was no 4th element version Update Check functionality.

Conditions:
Using Update Check.

Impact:
No 4th element version support provided.

Workaround:
None.

Fix:
There is now 4th element version support in Update Check.

---

683113-6 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Solution Article: K22904904

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

The BIG-IP system response can rate drop to the point that the clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.

---

682837 : Compression watchdog period too brief.

Component: TMOS

Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.

Conditions:
Very high sustained system-wide compression request traffic.

Impact:
Accelerated compression throughput can drop significantly; some flows dropped.

Workaround:
Switch to software compression.

Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.

---

682682-3 : tmm asserts on a virtual server-to-virtual server connection

Component: Local Traffic Manager

Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.

Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.

Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.

Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.

---

682612 : Event Correlation is disabled on vCMP even though all the prerequisites are met.

Component: Application Security Manager

Symptoms:
The GUI screen Security :: Event Logs : Application : Event Correlation reports the message: Event Correlation is not supported on this platform.

Conditions:
Multi-bladed vCMP guest, running on a BIG-IP system with SSD drives, having only one available slot (other slots appear offline/unavailable).

Impact:
Under these conditions, Event Correlation is disabled.

Workaround:
The following workaround does not survive ASM restart.
Thus, it has to be executed after every restart of ASM:
------------------------
# perl -MF5::ASMReady -MF5::Cfg -e 'while (! F5::ASMReady::is_asm_ready()) { print "Waiting for ASM to be ready.\n"; sleep 5; }; print "ASM is ready, patching Event Correlation cfg file\n"; F5::Cfg::cfg_set_config_item(qw{/etc/ts/correlation/correlation.cfg}, qw{General}, qw{Idle}, 0)'

# pkill -f correlation
------------------------

Event Correlation should start with in ~15 seconds, after the execution of this workaround:
------------------------
# ps -elf | grep correlation

0 S root ... /usr/share/ts/bin/correlation
------------------------

Fix:
Event Correlation is now enabled on a multi-bladed SSD vCMP guest with only one active slot.

---

682500-1 : VDI Profile and Storefront Portal Access resource do not work together

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.

---

682335-3 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed, if there is an existing connflow, don't start another connection.

---

682213-3 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.

Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatiblity, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.

In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.

---

682105 : Adding widget in Analytics Overview can cause measures list to empty out on Page change

Component: Application Visibility and Reporting

Symptoms:
When adding a new widget on Analytics Overview page with multiple modules (e.g., vCMP, Security), it is possible to reach a state in which the list of available measures is empty.

Conditions:
-- All 'available measurements' is selected (moved left).
-- A page should be changed.

Impact:
In some cases (like in vCMP when changing from Network to SynCookies), the list of available measurements will remain empty. Unable to select measures to display in new widget.

Workaround:
To reset the list of measures so that all measures are visible again, switch to another page and return to the previous one right away.

---

682104-1 : HTTP PSM leaks memory when looking up evasion descriptions

Component: Local Traffic Manager

Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.

Conditions:
When PSM looks up evasion descriptions.

Impact:
Memory leaked each time might eventually cause out of memory to the TMM.

Workaround:
None.

Fix:
This fix will stop the memory leakage.

---

681850-1 : APMD process may fail to initialize on start either after upgrade or after adding certain configurations

Component: Access Policy Manager

Symptoms:
APMD process may fail at initialization time with errors similar to the following:

-- createAgent - initInstance() failed for agent xxx_saml_auth_ag type (46)
-- Exiting due to failure in loading access policy objects

Conditions:
-- BIG-IP system is configured as SAML SP.
-- Certificate used by configured SAML Agent was imported onto BIG-IP system in DER format.

Impact:
APMD service may become unresponsive, dropping all traffic protected by APM access policies.

Workaround:
Convert DER encoded certificate used by SAML SP agent into PEM format.

Fix:
DER certificate no longer cause APMD process errors at initialization time.

---

681757-1 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

 emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.

Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.

---

681710-4 : Malformed HTTP/2 requests may cause TMM to crash

Solution Article: K10930474

---

681535 : CVE-2015-3148 in curl was incomplete.

Solution Article: K35453761

---

681415-1 : Copying of profile with advanced customization or images might fail

Component: Access Policy Manager

Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code' or similar

Conditions:
Access Profile has advanced customization group or customization image assigned to any of object connected to profile.

Impact:
Unable to copy policy.

Workaround:
None.

Fix:
Copying of profile with advanced customization or images now succeeds as expected.

---

681175-1 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

Fix:
TMM no longer crashes on routing updates when ECMP is in use.

---

681109-2 : BD crash in a specific scenario

Solution Article: K46212485

Component: Application Security Manager

Symptoms:
BD crash occurs.

Conditions:
A specific, non-default configuration with specific traffic.

The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.

For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
  Content-Type :: *xml* :: form-data

This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, The regex violation which is also likely to happen on the payload cannot be added to the filled message, which causes the crash.

Impact:
Failover, traffic disturbance.

Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.

A correctly configured header-based-content-profile property on URLs appears as follows:

In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
 Content-Type :: *form* :: Form Data
 Content-Type :: *json* :: JSON
 Content-Type :: *xml* :: XML

Fix:
Added a check to prevent a crash in a specific scenario.

---

681010-1 : 'Referer' is not masked when 'Query String' contains sensitive parameter

Solution Article: K33572148

Component: Application Security Manager

Symptoms:
While 'Query String' contains masked sensitive parameter value the 'Referer' header sensitive parameter value is exposed.

Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.

-- 'Query String' contains the defined sensitive parameter.

Impact:
"Referer" header contains unmasked value of the sensitive parameter.

Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.

Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.

---

680917-2 : Invalid monitor rule instance identifier

Component: TMOS

Symptoms:
iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier"

Conditions:
While changing the server properties associated with the pool members through iApp.

Impact:
Will not be able to change the server properties using iApp.

---

680856-3 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.

Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.

---

680850-1 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.

Solution Article: K48342409

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.

Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug

Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.

Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.

Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.

This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.

With this fix, setting log.zxfrd.level debug no longer outputs this information.

Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

---

680838-3 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM will no longer restart due to assertion failure.

---

680755-1 : max-request enforcement no longer works outside of OneConnect

Solution Article: K27015502

Component: Local Traffic Manager

Symptoms:
max-request enforcement does not work when OneConnect is not configured.

Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.

Impact:
max-request enforcement does not work.

Workaround:
Always use OneConnect.

Fix:
max-request enforcement now works when OneConnect is not configured.

---

680729-3 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

---

680388-2 : f5optics should not show function name in non-debug log messages

Component: TMOS

Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.

Conditions:
-- BIG-IP is running.
-- Logging thresholds is set to a value other than debug.

Impact:
Log files contain unexpected data.

Workaround:
There is no workaround at this time.

Fix:
With the fix, f5optics is not displaying function names in non-debug logging messages.

---

680264 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags

Component: Local Traffic Manager

Symptoms:
Intermittently, HTTP2 experiences protocol resets.

Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.

For example, the following returns the incorrect header length:
 (0xFF BYTE1) next byte, http2_arbint_read.

Impact:
Unexpected loss of HTTP2 frames due to protocol resets.

Workaround:
No effective workaround.

Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.

---

680112-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Solution Article: K18131781

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.

==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
Modify the db variable 'tmm.access.maxrequestbodysize' with a value larger than the maximum post body size you would like to support. The maximum supported value is 25000000 (25 MB).

---

680069-3 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config★

Solution Article: K81834254

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.

Fix:
zxfrd no longer cores during transfer while network failure and DNS server removed from DNS zone config.

---

679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000

Component: TMOS

Symptoms:
Unable to the ping self IP of VCMP guests configured on i5000, i7000, or i10000.

Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.

Impact:
Unable to process client traffic.

Workaround:
No workaround at this time.

Fix:
This issue is fixed.

---

679861-2 : Weak Access Restrictions on the AVR Reporting Interface

Solution Article: K31152411

---

679603-2 : bd core upon request, when profile has sensitive element configured.

Solution Article: K15460886

Component: Application Security Manager

Symptoms:
bd crash, system goes offline.

Conditions:
ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.

Impact:
System goes offline/fails over.

Workaround:
Remove sensitive elements from the json profile in the ASM policy.

Fix:
ASM now handles this condition so the crash no longer occurs.

---

679496-1 : Add 'comp_req' to the output of 'tmctl compress'

Component: Local Traffic Manager

Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.

Conditions:
Viewing the output of the 'tmctl compress' command.

Impact:
Cannot determine the different types of requests.

Workaround:
There is no workaround at this time.

Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests, as follows: there is an indicator, 'comp_req', for compression requests. The number of decompression request is tot_req - comp_req.

---

679494-2 : Change the default compression strategy to speed

Component: Local Traffic Manager

Symptoms:
The current default compression.strategy is 'latency', which does not perform properly, i.e., the provider selection algorithm does not react to load change fast enough.

Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.

Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.

Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.

Fix:
The default compression strategy is now set to 'speed'.

---

679480-1 : User able to create node when an ephemeral with the same IP already exists

Component: TMOS

Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.

Conditions:
This can only be done by the GUI, not by tmsh or iControl REST.

Impact:
This should be prevented, but is allowed.

Workaround:
Avoid creating such a node.

Fix:
Validation now prevents this from happening.

---

679440-2 : MCPD Cores with SIGABRT

Solution Article: K14120433

Component: Advanced Firewall Manager

Symptoms:
MCPD cores with SIGABRT.

Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.

Impact:
MCPD core.

Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable

Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.

---

679384-1 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
 killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

Fix:
After the fix, Policy Builder will be aware of all newly added signatures.

---

679347-3 : ECP does not work for PFS in IKEv2 child SAs

Solution Article: K44117473

Component: TMOS

Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for (perfect forward security).

Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.

Fix:
Full support for ECP as PFS has now been added, so a new child-SA negotiated in a IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.

---

679235-5 : Inspection Host NPAPI Plugin for Safari can not be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.

Workaround:
There is no workaround at this time.

Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.

---

679221-1 : APMD may generate core file or appears locked up after APM configuration changed

Component: Access Policy Manager

Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.

Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.

Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.

Workaround:
None.

Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.

---

679149-2 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.

---

679135-3 : IKEv1 and IKEv2 cannot share common local address in tunnels

Component: TMOS

Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.

Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.

Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.

Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.

Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.

Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.

Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.

---

679114-2 : Persistence record expires early if an error is returned for a BYE command

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for a any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.

---

678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.

---

678925-4 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.

Fix:
The TMM no longer crashes.

---

678872-2 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.

Fix:
This implements the initialization-order-independent set of rules of whether particular IP address should have ARP/ICMP enabled for multiple maching vaddrs. The lookup is performed from the most fine netmask to the most coarse netmask. If for particular netmask there is no maching vaddr then more coarse netmask is lookedup. Otherwise if any machnig vaddr for particular netmask have ARP/ICMP enabled then IP address will have ARP/ICMP enabled. If none of matching vaddrs for particular netmask have ARP/ICMP enabled the then IP address will have ARP/ICMP disabled.

The rule above have one exception, due to the performance optimizations. If the vaddr have both ARP and ICMP disabled then the vaddr is considered deleted.

---

678861-3 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.

---

678851-1 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()

Component: Access Policy Manager

Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.

Attempt to call incorrectly patched method causes following exception:
java.lang.VerifyError: (...) Illegal type in constant pool

Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().

Impact:
Affected Java applets cannot be started through Portal Access.

Workaround:
None.

Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.

---

678833 : IPv6 prefix SPDAG causes packet drop

Component: TMOS

Symptoms:
If IPv6 prefix SPDAG is turned on, on systems running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3, it can cause packet drops.

Conditions:
Turn on IPv6 prefix DAG.
-- Assign a value other than 128 to sys db tmm.pem.session.ipv6.prefix.len.
-- Running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3.

Impact:
Packet drops.

Workaround:
Turn off IPv6 prefix SPDAG.

---

678822-3 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Component: Policy Enforcement Manager

Symptoms:
If the PEM subscribers are brought up with diameter apps (Gx/Gy) configured and the PCRF is not reachable since there is no route or simply because there is no license configured for those apps. The Provision pending for sessions will get incremented and never rollback to zero even after the subscribers are cleaned up.

Conditions:
If the route to PCRF/OCS is missing or not reachable.

Impact:
Non-Zero stats for provision pending sessions

Workaround:
Disable the Gx/Gy profile if not required or configure the route.

Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.

---

678820-2 : Potential memory leak if PEM Diameter sessions are not created successfully.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in reduction in available memory.

Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.

Impact:
Loss of service

Workaround:
There is no workaround at this time.

Fix:
Diameter context is freed in case of a failed Diameter session creation.

---

678801-2 : WS::enabled returned empty string

Component: Local Traffic Manager

Symptoms:
WS::enabled command returned empty string instead of 0 or 1 for status.

Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.

Impact:
Unable to determine the status of WebSocket processing using iRule commands.

Workaround:
There is no workaround at this time.

Fix:
Invoke appropriate method via WebSocket Tcl code.

---

678722-2 : In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources

Component: Local Traffic Manager

Symptoms:
in SSL-O, due to race condition, TMM may core when SSL forward proxy tries to free up memory usage by releasing certificate resources.

Conditions:
This only happens in SSL-O with SSL forward proxy configured.

Impact:
TMM may restart due to using the wrong free function. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores under these conditions.

---

678715-1 : Large volume of query result update to SessionDB fails and locks down ApmD

Component: Access Policy Manager

Symptoms:
While writing large query results from AD server to sessionDB using memcache API, write operation fails with partial write.

Conditions:
Large volumes of AD query (with Required 'All Attributes') results from AD server while writing to SessionDB.

Impact:
Operation fails with partial write. All worker threads performing authentication eventually gets locks down. Session watchdog thread eventually make a forced abort to recover from the situation. Apmd restarts in this situation.

Workaround:
Make query for specific attributes not the option 'All Attributes'.

Fix:
Partial write failure has been fixed, by writing remaining parts of the query results in several iterations, till the entire result is written.

---

678714-3 : After HA failover, subscriber data has stale session ID information

Component: Policy Enforcement Manager

Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session id information

Conditions:
-- HA failover.
-- PEM subscriber.

Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.

Workaround:
None.

Fix:
Subscriber local data is now populated with new, generated session ID information.

---

678488-3 : BGP default-originate not announced to peers if several are peering over different VLANs

Solution Article: K59332320

Component: TMOS

Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.

Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.

Impact:
Only some of the peered neighbors get the default route.

Workaround:
Add the following to the the BGP configuration:
 network 0.0.0.0/0

Fix:
All peered neighbors now get the default route.

---

678462-2 : after chassis failover: asmlogd CPU 100% on secondary

Component: Application Security Manager

Symptoms:
After a failover in a chassis:

 - asmlogd CPU 0% on primary slot (which was secondary before the failover).

 - asmlogd CPU 100% on secondary (which was primary before the failover).

Without traffic running through the chassis.

Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.

Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.

Workaround:
There is no workaround at this time.

Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.

---

678456-2 : ZebOS BGP peer-group configuration not fixed up on upgrade★

Component: TMOS

Symptoms:
ZebOS BGP configuration failed to load from upgrade.

Conditions:
Upgrade to 12.1.3.4-12.1.5 or 13.0.0

Configuration specifies neighbor peer-group inside the address-family clause

Impact:
Loading of ZebOS configuration after upgrade

Workaround:
Modify the ZebOS configuration to put the neighbor peer-group clause outside of the address-family clause

Fix:
The ZebOS configuration correctly orders the neighbor peer-group clause outside of the address-family clause, and loading of the BGP configuration after upgrade is successful.

---

678416-2 : Some tmm/umem_usage_stat counters may be incorrect under memory pressure.

Component: Local Traffic Manager

Symptoms:
After the BIG-IP system experiences severe memory pressure, the 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table incorrectly show extremely high values.

Conditions:
The BIG-IP system experiences enough memory pressure that slabs are transferred between threads.

Impact:
The 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table do not reflect actual values. However, there is no functionality issue as a result. This is a cosmetic issue only.

Workaround:
None.

Fix:
The system now manages better under memory pressure so that the tmm/umem_usage_stat counters correctly reflect actual values.

---

678388-3 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd

Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.

---

678380-3 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Solution Article: K26023811

Component: TMOS

Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.

Fix:
The system now checks whether the old peer definition is valid when navigating from phase-one SAs to the IKEv1 peer definition.

---

678293-1 : Uncleaned policy history files cause /var disk exhaustion

Solution Article: K25066531

Component: Application Security Manager

Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.

Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.

Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.

Impact:
/var disk usage is high.

Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:

----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------

Manually verity the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.

In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.

---

678254-2 : Error logged when restarting Tomcat

Component: TMOS

Symptoms:
An error is logged after restarting Tomcat and using the web UI.

Conditions:
Using the web UI to restart tomcat.

Impact:
An error is logged after restarting Tomcat and using the web UI.

Workaround:
There is no workaround.

Fix:
When restarting Tomcat and using the web UI, and error will be logged only if the debug flag is enabled.

---

678228-1 : Repeated Errors in ASM Sync

Solution Article: K27568142

Component: Application Security Manager

Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.

Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group

Impact:
Any future attempts at building a sync file will continue to fail.

Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.

Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.

---

677962-3 : Invalid use of SETTINGS_MAX_FRAME_SIZE

Component: Local Traffic Manager

Symptoms:
When BIG-IP negotiates settings over HTTP/2 connection, it adopts a value of peer's SETTINGS_MAX_FRAME_SIZE parameter as its own.

Conditions:
A virtual is configured with HTTP/2 profile.

Impact:
BIG-IP may accept a DATA frame with size above 16,384 bytes violating RFC.

Workaround:
There is no workaround at this time.

Fix:
BIG-IP no longer accepts DATA frames with sizes exceeding a default value of 16,384 bytes.

---

677958-2 : WS::frame prepend and WS::frame append do not insert string in the right place.

Component: Local Traffic Manager

Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.

Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profile are configured on the virtual.
-- Client/server send and receive WebSocket frames.

Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.

Workaround:
None.

Fix:
Separate buffers were now used for append and prepend, instead of reusing the same buffer.

---

677937-1 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.

---

677928-2 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.

Component: TMOS

Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.

Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.

Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.

Fix:
The source MAC address of the outgoing IPsec encapsulated packets from the BIG-IP system is set correctly.

---

677525-3 : Translucent VLAN group may use unexpected source MAC address

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN group no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.

---

677473-1 : MCPD core is generated on multiple add/remove of Mgmt-Rules

Component: Advanced Firewall Manager

Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.

Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).

Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.

---

677457 : HTTP/2 Gateway appends semicolon when a request has one or more cookies

Solution Article: K13036194

Component: Local Traffic Manager

Symptoms:
With an HTTP/2 profile, a virtual server on a BIG-IP system receives requests and handles cookies converting those into a cookie-string. The BIG-IP system concatenates the cookie pairs with semicolon (%3B) and a space (%20) in the cookie-string. This delimiters pair also is appended to the last cookie pair.

Conditions:
HTTP/2 profile is configured on a virtual server and a request contains one or more cookies.

Impact:
The request forwarded to a backend server contains an extra semicolon at the end of cookie-string.

Workaround:
Use an iRule to remove an extra delimiter if it negatively impacts backend server performance.

For example:

when HTTP_REQUEST {
if {[HTTP::header value "Cookie"] contains ";"}
{
set new_header [string range [HTTP::header "Cookie"] 0 end-2]
log local0.notice "$new_header"
HTTP::header replace "Cookie" $new_header
}
}

Fix:
Virtual server with HTTP/2 profile no longer appends extra delimiter to a cookie-string when it forwards the request to HTTP/1.x backend server.

---

677400-3 : pimd daemon may exit on failover

Solution Article: K82502883

Component: Local Traffic Manager

Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.

Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.

Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.

Workaround:
No workaround required.

Fix:
The pimd daemon no longer exits when an HA failover occurs.

---

677193-2 : ASM BD Daemon Crash.

Solution Article: K38243073

---

677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

Component: Local Traffic Manager

Symptoms:
When HTTP2 connection's parameters are negotiated, either side may report about its limits in SETTINGS type frame where one of the parameters SETTINGS_MAX_HEADER_LIST_SIZE determines a maximum size of headers list it is willing to accept. The BIG-IP system incorrectly interchanged this parameter with another one called SETTINGS_HEADER_TABLE_SIZE, limiting value of the former one to 32,768.

Conditions:
HTTP2 is configured and an opposite endpoint (user agent using HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.

Impact:
The BIG-IP system does not accept the value, and terminates the connection using GOAWAY frame with PROTOCOL_ERROR as a reason.

Workaround:
None.

Fix:
The BIG-IP system no longer generates an error due to this issue, and allows value for SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.

---

677088-4 : BIG-IP tmsh vulnerability CVE-2018-15321

Solution Article: K01067037

---

677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Solution Article: K31757417

Component: Access Policy Manager

Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.

Conditions:
This occurs when following conditions are met:

- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.

Impact:
APM logs plain text password when debug logging is turned on for access policy.

Workaround:
None.

Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.

---

676982-2 : Active connection count increases over time, long after connections expire

Solution Article: K21958352

Component: Local Traffic Manager

Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.

Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile
  functionality.

Impact:
- Service may be impacted after a period.
- TMM instances may restart.

Workaround:
None.

Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.

---

676914-1 : The SSL Session Cache can grow indefinitely if the traffic group is changed.

Component: Local Traffic Manager

Symptoms:
If there are entries in the SSL Session Cache, and the traffic group is changed, the cache might grow indefinitely.

Conditions:
-- SSL is configured.
-- Session cache has a limit on the number of entries. --
 After entries are made into the session cache, the traffic group is then changed.

Impact:
Eventually all memory will be consumed causing TMM to restart. Traffic disrupted while tmm restarts.

Workaround:
Disable the session cache.

As an alternative, after changing the traffic group, restart TMM.

Fix:
Changing the traffic group no longer causes the session cache to grow.

---

676897-1 : IPsec keeps failing to reconnect

Solution Article: K25082113

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
This release corrects this issue.

---

676828-2 : Host IPv6 traffic is generated even when ipv6.enabled is false

Solution Article: K09012436

Component: Local Traffic Manager

Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.

Conditions:
sys db ipv6.enabled is false.

Impact:
Extraneous IPv6 traffic from the the BIG-IP system.

Workaround:
None.

Fix:
IPv6 traffic now properly observes the ipv6.enabled sys db variable.

---

676808-2 : FPS: tmm may crash on response with large payload from server

Component: Fraud Protection Services

Symptoms:
A request to a unprotected FPS URL may cause tmm crash if response payload is large and the URL was configured via live update.

Conditions:
1. Page is not protected.
2. Large response payload (e.g.,50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
FPS will check for fast response situation and will act accordingly.

---

676721-2 : Missing check for NULL condition causes tmm crash.

Solution Article: K33325265

Component: Local Traffic Manager

Symptoms:
Missing check for NULL condition causes tmm crash.

Conditions:
This issue occurs when all of the following conditions are met:

1) The BIG-IP system receives a new connection request and attempts to select a pool member.
2) All pool members are unresponsive. This may be due to one of the following reasons:
  a) The pool members have reached their configured connection limit.
  b) There is no route to the pool members.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM correctly checks for NULL condition to prevent the crash.

---

676705-2 : Agetty should not run on VE that lack serial port

Component: TMOS

Symptoms:
The init process spawns the /sbin/agetty over and over, filling the log file daemon.log.

Conditions:
BIG-IP Virtual Edition without a serial port.

Impact:
Excessive logging.

Workaround:
Change 'respawn' to 'off' in /etc/init/serial-ttySX.conf.

Fix:
Serial ports are now correctly detected.

---

676690-3 : Windows Edge Client sometimes crashes when user signs out from Windows

Component: Access Policy Manager

Symptoms:
In rare cases Windows Edge Client may crash when user signs out from Windows

Conditions:
User signs out from Windows or restarts Windows while EdgeClient is running and VPN is established

Impact:
No functional impact, user see a message box with error block sign out process. When the user closes the message box, sign out process continues.

Fix:
Previously, in some instances, the Edge Client on Windows would crash when the user signed out of Windows. This has been fixed.

---

676471-1 : Insufficient space for core files on i11x00-series platforms

Component: Local Traffic Manager

Symptoms:
The default location for core files is '/var/core'. On i11000 Series platforms, there is insufficient space in this directory for core files. When a process generates a core file, or when a core file is created manually, the system truncates the core file's content.

Conditions:
-- A process encounters a condition that leads to a core file being generated, or a core file is produced manually.

-- Using one of the following platforms:
  + i11400-DS
  + i11600 / i11800
  + i11600-DS / i11800-DS

Impact:
Core file content is truncated. Further analysis of the problem that created the core cannot proceed.

Workaround:
Change the location where the kernel places core files. For example, you might use '/appdata' as the destination.

Change /proc/sys/kernel/core_pattern to define the pathname used to generate the core file.

For more information about core files, refer to the core man page, available by running the following command in tmsh: man core

Fix:
More space has been made available in '/var/core'. Core files are no longer truncated.

---

676457-3 : TMM may consume excessive resource when processing compressed data

Solution Article: K52167636

---

676416-2 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.

Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.

Workaround:
There is no workaround at this time.

Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.

---

676355-2 : DTLS retransmission does not comply with RFC in certain resumed SSL session

Component: Local Traffic Manager

Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.

Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.

Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.

Workaround:
None.

Fix:
The FINISHED messages are saved before transmitting the Cavium encrypted FINISHED message, and starting the DTLS re-transmit timer. When the re-transmit timer expires, the CCS plus FINISHED messages will be retransmitted.

---

676223-2 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
policy building is turned on (manual or automatic). There are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A

Fix:
Parameter to not to sign allowed cookies added.

---

676203-1 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.

Component: TMOS

Symptoms:
TMM memory usage suddenly increases rapidly.

Conditions:
The inter-blade mpi connection fails and does not recover.

Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.

Workaround:
None.

Fix:
Inter-blade mpi connection now continues as expected, without memory issues.

---

676092-1 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
The system now correctly handles these conditions so the issue no longer occurs.

---

676028-2 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances

Solution Article: K09689143

Component: Local Traffic Manager

Symptoms:
TMM leaks memory used for ssl_hs instances when using SSL forward proxy when bypass is enabled.

Conditions:
-- The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.
-- SSL Forward Proxy with SSL Forward Proxy Bypass are enabled.

Impact:
TMM will core after running out of memory, which impacts availability.

Workaround:
None.

Fix:
Resolved by preventing duplicate forward proxy lookup.

---

675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding

Component: Policy Enforcement Manager

Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently, if the requests from those flows are outstanding

Conditions:
If the http request from the subscriber is outstanding when the new flow is triggered

Impact:
PEM insert content pem_acton will be enabled on multiple flows till the first response is received

Fix:
Throttle insert content action on new flows only to periodic interval if the transaction is outstanding.

---

675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

Component: TMOS

Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status of 'running'.

Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.

Impact:
5th guest and beyond result in an error.

Workaround:
There is no workaround other than not creating more than 4 'ssl-mode dedicated' vCMP guests when provisioning vCMP guests on the i5800 platform.

Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.

---

675866-1 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Kerberos SSO (S4U) tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.

---

675775-2 : TMM crashes inside dynamic ACL building session db callback

Component: Access Policy Manager

Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.

Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Guard against NULL pointer dereference for dynamic ACL build.

---

675718-1 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
Corrected an environmental problem with the racoon daemon.

---

675539-1 : Inter-system communications targeted at a Management IP address might not work in some cases.

Component: Global Traffic Manager (DNS)

Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.

Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.

This occurs because the big3d daemon acts as a proxy, listening on the Management IP address and will send proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).

This is not an issue if either of the following is true:

-- If the source of the connection is coming from the Management IP,
the connection is clear text. (Not SSL encrypted and thus does not use SNI)

-- The destination of the connection is a Self IP address, because TMM (via an iRule) will
handle the connection.

Impact:
Device sync operations do not work.

Workaround:
Do not use the Management IP address for between-device communications.

Fix:
The big3d proxy properly handles SSL SNI connections on the Management IP address.

---

675399-3 : Network Access does not work when empty variables are assigned for WINS and DNS

Solution Article: K14304639

Component: Access Policy Manager

Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.

Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.

Impact:
The system does not parse the XML tags correctly. Users may not be able establish VPN tunnel.

Workaround:
Do not leave the DNS or WINS values empty in the Variable assign Agent.

Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.

---

675232-3 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered -

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via GUI and starting from from v13.0 via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.

---

675212-3 : The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication

Component: Local Traffic Manager

Symptoms:
Under specific conditions, the BIG-IP system allows clients through (that otherwise should be rejected) as part of SSL Client Certificate Authentication.

Conditions:
This issue occurs when the Trusted Certificate Authority specified in the Client-SSL profile is expired.

Note: The client's certificate must be valid and trusted for the SSL handshake to continue.

This issue purely deals with how the BIG-IP system treats the validity period of the signing Certificate Authority.

Impact:
F5 has reviewed this issue and has not classified it as a Vulnerability. However, F5 recognizes this issue may have a Security Exposure depending on how the BIG-IP system is utilized.

Please observe that the issue here is not validation of the expiration time in the client's certificate. The issue here is handling of the expiration field in the certificate the BIG-IP system explicitly trusts, the so-called 'trust anchor'. In most cases, the trust anchor is a self-signed certificate.

It is important to understand that the expiration field in trust anchors has no clear meaning, and even utilities such as OpenSSL historically treated this field in different ways.

After completing its review, F5 has decided the correct and best behavior for the BIG-IP system is to reject the SSL handshake when the Trusted Certificate Authority has expired.

The impact of this issue will vary greatly based on your deployment and type of business. In most cases, continuing to allow clients through past the validity of the Certificate Authority may be the behavior you expect or one that carries no negative consequences.

However, if you obtained the Certificate Authority from a third party and expected the client certificates signed by that authority to stop working when its validity period expires, this will not happen because of this issue.

Workaround:
F5 recommends that you renew (or obtain renewed copies of) Certificate Authorities that are about to expire and that you want the BIG-IP system to continue trusting.

F5 recommends that you remove from the BIG-IP system Certificate Authorities that are about to expire and that you do not plan to renew or continue trusting.

This will ensure the BIG-IP system behaves optimally on versions affected by this issue.

Fix:
The BIG-IP system now correctly handles the validity period of Trusted Certificate Authorities used for SSL Client Certificate Authentication.

---

674931 : FPS modified responses/injections might result in a corrupted response

Component: Fraud Protection Services

Symptoms:
in case a connection was congested and FPS tries to send additional egress (modifying the response, e.g. injections) the order of the response sending might break if this send is successful (i.e congestion just ended). instead of sending the buffered data first (response part that was buffered due to congestion), FPS tries to send the new data first and only than will send the buffered data.

Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)

Impact:
response is corrupted - order of data has erroneously changed

Workaround:
N/A

Fix:
FPS will handle this case correctly, first sending buffered data then sending the new egress.

---

674909-3 : Application CSS injection might not work as expected when connection is congested

Component: Fraud Protection Services

Symptoms:
Large CSS files configured for phishing protection injection in FPS may be truncated upon response to client.

Conditions:
-- Inject into Application CSS enabled in Anti-Fraud Profile :: Advanced :: Phishing Detection.

-- Large CSS file such as bootstrap files configured for Application CSS Locations.

-- Network congestion engaging TMM flow control.

Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. Application functionality might not work as expected.

Workaround:
You can use either of the following workarounds:

-- Remove affected large files from Application CSS Locations.

-- Disable Inject into Application CSS entirely.

Fix:
FPS now handles the case where injecting to application CSS is interrupted by congestion.

---

674795-1 : tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.

Component: Traffic Classification Engine

Symptoms:
tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds. In fact, it is in hours.

Conditions:
-- Viewing tmsh help/man page.
-- Searching for urldb feedlist polling interval.

Impact:
Note that the interval described is in hours instead of seconds.

Workaround:
None.

Fix:
tmsh help/man page now correctly states that the urldb feedlist polling interval is in hours.

---

674747-2 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted,
however.

Workaround:
None.

Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.

---

674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow

Component: Policy Enforcement Manager

Symptoms:
If an outstanding flow with periodic insertion pem_action is very long, it prevents new flow matching the same rule from adding inert content pem_action even for a new periodic interval

Conditions:
If the outstanding flow with insert content pem_action spans multiple periodic interval.

Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.

Workaround:
Long flows and short flows need to have separate rule configured

Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.

---

674593-1 : APM configuration snapshot takes a long time to create

Component: Access Policy Manager

Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.

notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up

Conditions:
The issue happens if an access profile contains many resources, the resulting configuration
snapshot will have even more configuration variables.

Impact:
TMM will run out of memory If the issue persists. User will not be able to log in due to profile not found error similar to the following:

err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found

Workaround:
None.

Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.

---

674591-2 : Packets with payload smaller than MSS are being marked to be TSOed

Solution Article: K37975308

Component: Local Traffic Manager

Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops those to degrade performance.

Conditions:
When TM.TcpSegmentationOffload is enabled, Packets with length less than MSS are sent as TSO packets.

Impact:
TCP Packets are dropped.

Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.

Fix:
Packets less than MSS are not sent as TSO packets, so there is no performance degradation.

---

674576-4 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.

Conditions:
VIP-VIP configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer produces a core with a 'no trailing data' assert.

---

674527-1 : TCL error in ltm log when server closes connection while ASM irules are running

Component: Application Security Manager

Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"

Conditions:
1. ASM irules are attached.
2. There was already one request passed to the web-server
3. Server closes connection.

Impact:
Error in ltm log.

---

674515 : New revoke license feature for VE only implemented

Component: TMOS

Symptoms:
Prior to this version, the license revoke feature was not implemented/available.

Conditions:
With out revoke implemented, the feature is simply not available.

Impact:
Licenses cannot be revoked and hence re-used.

Fix:
With this feature implemented, VE licenses can be revoked and then re-used on different VE.

---

674494-1 : BD memory leak on specific configuration and specific traffic

Solution Article: K77993010

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
Freeing up the remote loggers data when deciding not to log remotly.

---

674486-5 : Expat Vulnerability: CVE-2017-9233

Solution Article: K03244804

---

674455-7 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS

Component: TMOS

Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.

Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r

Impact:
Serial console baud rate settings are incorrect. Uses the bios baud rate on the console.

Workaround:
When booting, edit the grub kernel line to include console=ttyS0.

Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.

Fix:
tmidiag has been fixed to not strip out console=ttyS0.

---

674410-3 : AD auth failures due to invalid Kerberos tickets

Solution Article: K59281892

Component: Access Policy Manager

Symptoms:
User can not login.

Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid or backend AD server is not reachable for some reason

Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.

Workaround:
None.

Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.

---

674367-1 : SDD v3 symmetric deduplication may stop working indefinitely

Solution Article: K20983428

Component: Wan Optimization Manager

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may stop working indefinitely.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) Applications configured to benefit from symmetric deduplication are actively passing traffic.
4) Both BIG-IP HA pairs (the near and far sides) are failed over concurrently (although in more rare cases, even failing over a single pair is sufficient to reproduce the issue).

Impact:
Applications no longer benefit from symmetric deduplication, increasing the amount of data transmitted over the WAN.

Workaround:
Restarting the services on all BIG-IP units involved in the topology (without performing additional failovers after they return on-line) restores symmetric deduplication functionality. This will cause some downtime.

Fix:
Performing failovers in AAM environment no longer breaks SDD v3 symmetric deduplication.

---

674320-2 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems

Solution Article: K11357182

Component: TMOS

Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:

 notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59

Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)

Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).

Impact:
Configuration on peer systems in a device group does not get saved after a sync.

Workaround:
Manually save the configuration on peer systems after a sync.

Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.

---

674288-2 : FQDN nodes - monitor attribute doesn't reliably show in GUI

Solution Article: K62223225

Component: TMOS

Symptoms:
When creating more than one node with FQDN configured with monitors, monitors are not displayed in the GUI properly.

Conditions:
Create more than one node with FQDN configured.

Impact:
The previously created FQDN node does not display monitors in the GUI. However, the subsequently created FQDN node does display the correct monitors.

Workaround:
Use tmsh to view monitors for Nodes with FQDN configured.

Fix:
Node page now displays the correct monitors for nodes configured with FQDN.

---

674189 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0

Solution Article: K52320548

---

674145-3 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

Fix:
The expected data values are properly printed in the log message.

---

674004-1 : tmm may crash when after deleting pool member in traffic

Solution Article: K34448924

Component: Local Traffic Manager

Symptoms:
tmm may crash when after deleting pool member that is processing traffic.

Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- A One-Connect profile is configured on the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes when after deleting pool member while traffic is passing.

---

673974-1 : agetty auto detects parity on console port incorrectly

Solution Article: K63225596

Component: TMOS

Symptoms:
With a BIG-IP system configured for a console baud rate that is different from the baud rate of the serial terminal that is plugged in to the console port, he system returns garbled characters on the screen. Changing the terminal setting to match the console baud rate has no effect after that: the BIG-IP system continues to send garbage.

Conditions:
BIG-IP system with a console at certain baud rate.
-- Plug in a serial terminal with a different baud rate.
-- Press enter several times.

Impact:
The parity detection code selects the wrong setting, leaving the console port unusable until reboot of the BIG-IP system, or after killing and restarting agetty.

Workaround:
To recover from this condition, log on to the BIG-IP system via ssh, force parity off, and kill the agetty process (assuming the console is not logged in, and is therefore running agetty).

      via ssh:

      # stty -F /dev/ttyS0 -parenb ; killall agetty

   However, this is not an ideal workaround, as a frequent reason to use the serial console is lack of network access to the device.

   In that situation, you can log on by setting the terminal to Mark parity (8 data bits, Mark parity, 1 stop bit).

Note: There is no way to mitigate the issue from the console connection itself, as agetty doesn't run while the console is logged in.

You can also reboot the BIG-IP system, reset the terminal speed on the laptop to match the console speed set on the BIG-IP system, and reconnect the laptop.

Fix:
This issue has been corrected.

---

673951-4 : Memory leak when using HTTP2 profile

Solution Article: K56466330

Component: Local Traffic Manager

Symptoms:
Memory continues to grow despite reduced volume of traffic. Large number of spdy_frame and xdata allocated.

Conditions:
Virtual server configured with HTTP2 profile.

Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.

Workaround:
None.

Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.

---

673842-3 : VCMP does not follow best security practices

Solution Article: K01413496

---

673814-4 : Custom bidirectional persistence entries are not updated to the session timeout

Solution Article: K37822302

Component: Service Provider

Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.

Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.

Impact:
The persistence timeout will prematurely time out.

Workaround:
Set the transaction timeout to the session timeout value.

Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.

---

673748-1 : ng_export, ng_import might leave security.configpassword in invalid state

Solution Article: K19534801

Component: Access Policy Manager

Symptoms:
If import/export of Access Profile or Access Policy results in an error, security.configpassword may retain temporary not <null> state, which can cause problems when the config is saved or loaded using the sys save config or sys load config commands.

Conditions:
Import or export of Access Profile or Access Policy fails with an error.

Impact:
Passwords in .conf might get mangled.

Workaround:
Set the security.configpassword db variable using the following command:
 modify sys db security.configpassword value "<null>"

Fix:
Error handling for access policy import failures has been improved.

---

673717-1 : VPE loading times can be very long

Component: Access Policy Manager

Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.

Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.

Impact:
Policies with thousands of entries can take tens of seconds or more to load.

Workaround:
None.

Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.

---

673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the right session id storage associated with the subscriber

---

673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if the request/response for that http transaction get interleaved by another subscriber request. This happens when more than one subscriber is using the same policy rule

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.

---

673621-2 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Component: Local Traffic Manager

Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Conditions:
Set ca-file to 'none' in the clientssl profile.

Impact:
Chain is still sent.

Workaround:
None.

Fix:
Chain certificate is no longer sent to the client when both ca-file and chain certificate are removed from the clientssl profile.

---

673607-2 : Apache CVE-2017-3169

Solution Article: K83043359

---

673595-2 : Apache CVE-2017-3167

Solution Article: K34125394

---

673484-1 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO

Solution Article: K85405312

Component: TMOS

Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.

Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.

Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.

Workaround:
Use IKEv1.

Fix:
During IPsec IKEv2 child SA establishment, the BIG-IP will ignore the NON_FIRST_FRAGMENTS_ALSO notification and will continue to establish the SA.

---

673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber

Component: Policy Enforcement Manager

Symptoms:
Immediately after the classification rule associated with a static subscriber is updated and if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content action will proceed as expected

Conditions:
Update of the classification rule associated with the subscribers.

Impact:
First periodic Insert content action, immediately succeeding after the update of the classification rule will fail.

Workaround:
bigstart restart tmm, after updating the classification rule with insert content action will fix the issue

Fix:
Update the record count associated with the subscriber during eval.

---

673463-2 : SDD v3 symmetric deduplication may start performing poorly after a failover event

Solution Article: K68275280

Component: Wan Optimization Manager

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.

Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.

Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.

Fix:
SDD v3 symmetric deduplication no longer performs poorly after a failover event.

---

673399-1 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.

Component: Local Traffic Manager

Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.

Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.

Impact:
Connection is reset.

Workaround:
Disable Websockets profile on the virtual server.

Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.

---

673165 : CVE-2017-7895: Linux Kernel Vulnerability

Solution Article: K15004519

---

673129 : New feature: revoke license

Solution Article: K41458656

Component: TMOS

Symptoms:
A different license is required for each Virtual Edition (VE) instance.

Conditions:
Creating new instances of VE.

Impact:
Cannot reuse an existing VE license.

Workaround:
None.

Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now reused by other VE instances by revoking an active license on one and installing it on another.

Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.

To revoke a license using tmsh, run the following command:
 tmsh revoke sys license registration-key <reg-key-number>

The system responds with the following confirmation prompt:
 Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:

When you type y, the system revokes the license and returns a response similar to the following:
 License successfully revoked
 [root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).

---

673078-1 : TMM may crash when processing FastL4 traffic

Solution Article: K62712037

---

673075-1 : Reduced Issues for Monitors configured with FQDN

Component: Local Traffic Manager

Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors when used in environments with volatile/unstable DNS servers, or when network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experiences delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated through some network configurations.

Conditions:
Monitors are configured using FQDN, and one-or-more environment conditions exist such as: Unstable DNS servers (i.e., 'flapping' DNS), or the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.

Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.

Workaround:
In some cases network configuration can be changed to avoid these edge cases, such as: Ensuring stable DNS servers with only periodic rollovers to backup DNS servers; ensure network ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.

Fix:
Monitors configured using FQDN behave as expected in volatile environments, such as those with flapping DNS servers and where ICMP packets for unreachable DNS servers are non-routable back to 'bigd'.

---

673052-2 : On i-Series platforms, HTTP/2 is limited to 10 streams

Component: Local Traffic Manager

Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.

"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm

Conditions:
Using an i-Series platform where WAM is unlicensable.

Impact:
HTTP/2 performance may be less than desired

Fix:
It is possible to configure HTTP/2 with more than 10 streams on i-Series platforms.

---

672988-2 : MCP memory leak when performing incremental ConfigSync

Solution Article: K03433341

Component: TMOS

Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.

---

672868-1 : Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly

Component: Access Policy Manager

Symptoms:
Portal Access server-side JavaScript parser may work incorrectly if JavaScript code includes non-whitespace control characters inside text constants.

Conditions:
JavaScript code with non-whitespace control characters (0x00..0x08, 0x0E..0x1B, 0x7F..0x9F) inside text constants.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now JavaScript code with non-whitespace control characters can be processed by Portal Access.

---

672818-2 : When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established

Component: Access Policy Manager

Symptoms:
When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established.

Conditions:
-- Install Traditional Chinese Windows.
-- Change the 'Region and Language' setting format to Simplified Chinese.
-- Edge Client or browser.

Impact:
Cannot establish VPN.

Workaround:
There is no workaround if there is a to change the 'Region and language' setting must be Simplified Chinese.

Fix:
VPN can now be established when 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows.

---

672815-2 : Incorrect disaggregation on VIPRION B4200 blades

Component: TMOS

Symptoms:
During startup of the bcm56xxd daemon, the LTM log shows BCM SDK errors containing the string 'SDK error Invalid parameter'. IP fragments fail to be reassembled. The reassembly time out triggers and the flow is killed.

Conditions:
-- After startup as long as the SDK errors occur.
-- Running on VIPRION B4200 blades.

Impact:
TCP connections and UDP datagrams which have fragmented packets are killed or dropped.

Workaround:
There is no workaround that will process fragments correctly.

Fix:
Incorrect disaggregation on VIPRION B4200 blades has been corrected.

---

672695-1 : Internal perl process listening on all interfaces when ASM enabled

Component: Application Security Manager

Symptoms:
ASM configuration processes are available on unprotected network interfaces.

Conditions:
ASM provisioned

Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance

Workaround:
None

Fix:
ASM-config Event Dispatcher now listens only on protected interfaces

---

672667-4 : CVE-2017-7679: Apache vulnerability

Solution Article: K75429050

---

672504-1 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

Fix:
Dramatically improved algorithm, to remove significant delay in deletions.

---

672491-2 : net resolver uses internal IP as source if matching wildcard forwarding virtual server

Solution Article: K10990182

Component: Global Traffic Manager (DNS)

Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.

Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.

Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.

Impact:
Failed DNS queries as a result of incorrect source IP address.

Workaround:
None.

Fix:
This issue was resolved by ensuring listener lookup only matches the exact IP addresses, no-wildcards.

---

672312-2 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.

Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.

---

672301-2 : ASM crashes when using a logout object configuration in ASM policy

Component: Application Security Manager

Symptoms:
bd daemon crash and writes a core file in the /shared/core directory.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.

Impact:
System goes offline for a few seconds, failover occurs.

Workaround:
Remove logout object configuration from ASM policy.

Fix:
The system now handles this condition.

---

672250-1 : SessionDB update from ApmD with large volume fails

Component: Access Policy Manager

Symptoms:
While writing large amounts of data to sessionDB using memcache API, the write operation fails with partial write.

Conditions:
Large volumes data writing to SessionDB via memcache API.

Impact:
All worker threads performing authentication eventually get locked down. Session watchdog thread eventually makes a forced abort to recover from the situation. ApmD restarts in this situation.

Workaround:
Control write to sessionDB with a smaller data size.

Fix:
Partial write failure has been fixed, by writing remaining part(s) of query results in several iteration(s), until entire result is written.

---

672221 : TMM cores if the certificate configured to validate message signature does not exist.

Component: Access Policy Manager

Symptoms:
TMM cores if the SAML message signature verification certificate cannot be found in the configuration.

Conditions:
-- SAML is configured with an invalid certificate in the message signature validation setting.
-- The control-plane is unable to detect such misconfiguration.

Note: This is an unlikely occurrence if the usual control-plane is used to configure the SSO/SAML object. In this particular case, the certificate-key was passed in as the certificate which triggered a certificate-not-found error.

Impact:
The issue can lead to momentary service interruption. Traffic disrupted while tmm restarts.

Workaround:
Make sure the certificate configured for use with the SAML message signature verification is correctly configured and the configuration loads successfully.

---

672124-3 : Excessive resource usage when BD is processing requests

Solution Article: K12403422

---

672063-1 : Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.

Solution Article: K38335326

Component: TMOS

Symptoms:
Misconfigured GRE tunnel and route objects on the BIG-IP system might cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.

The following is an example to illustrate how misconfiguration can lead to an ill-formed routing loop inside the TMM.

net tunnels tunnel gre1 {
    if-index 5472
    local-address 10.10.0.1
    mtu 1400
    profile gre
    remote-address 10.20.0.1
}

net self 10.9.0.1/24 {
    address 10.9.0.1/24
    traffic-group traffic-group-local-only
    vlan gre1
}

net route 10.20.0.0/24 {
    interface /Common/gre1
    network 10.20.0.0/24
}

In the above example, if a packet is destined for the network 10.20.0.0/24, the packet is sent over the GRE tunnel for encapsulation. After encapsulation, the destination address of the encapsulated packet is 10.20.0.1 (i.e., tunnel's remote-address) which matches the configured route again. As a result, the encapsulated packet is fed to the tunnel again and this process repeats to form a routing loop inside the TMM.

Conditions:
Misconfigured GRE tunnel and route objects, leading to an ill-formed routing loop inside the TMM. Please refer to the above example for an illustration.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
This issue is caused by misconfiguration which can be avoided. The recommendation is to examine the configuration, making sure that it does not lead to an ill-formed routing loop inside the TMM.

Fix:
The TMM has been enhanced to detect an ill-formed single-level routing loop in a tunnel setting (e.g., refer to the above example). When an ill-formed single-level routing loop is detected in a tunnel setting, the packets will be dropped and the TMM no longer crashes, and the following message is also logged in /var/log/ltm:

Tunnel output has a potential loop for remote endpoint <IP address>, tunnel name = <name>.

---

672040-3 : Access Policy Causing Duplicate iRule Event Execution

Component: Access Policy Manager

Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.

Conditions:
This only occurs when using iRule in clientless-mode.

Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.

See below example:

when HTTP_REQUEST {
  HTTP::header insert {clientless-mode} 1
  set myCount [expr {$myCount + 1}]
  log local0. "Count is $myCount"
}

LTM logs:
-----------

Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2


When this iRule is used, you will see duplicate HTTP_REQUEST with increased count in logs. If this count is used in further calculation, it gives you incorrect result.

Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.

---

672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds

Solution Article: K22122208

Component: Local Traffic Manager

Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.

Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00

Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.

Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.

Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.

Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.

---

671999-2 : Re-extract the the thales software everytime the installation script is run

Component: Local Traffic Manager

Symptoms:
If Thales has already been installed on the BIG-IP system, installing a new version does not overwrite the existing installed version.

Conditions:
/shared/nfast exists on the BIG-IP system before installing the Thales client software.

Impact:
The old version of the software will be used in the installation operation, instead of the expected new version of the software.

Workaround:
You can use either or both of the following workarounds before running the installation script:

-- Run the uninstallation script.
-- Delete the /shared/nfast folder.

Fix:
The Thales installation script now always extracts the Thales software in /shared/thales_install and overwrites the /shared/nfast directory.

Behavior Change:
Thales HSM installation script always overwrites the /shared/nfast directory.

---

671935-2 : Possible uneven ephemeral port reuse.

Component: Local Traffic Manager

Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.

Conditions:
In many cases, the BIG-IP system needs to select a source port for the server-side flow different than the source port selected by the client.

This is always the case when the virtual server's 'source-port' option is set to 'change'.

Impact:
If connections on the servers are in the TIME_WAIT state and connection recycling is not configured, the servers may reset those connections that reused a source port too quickly.

Workaround:
Modify the virtual server's 'source-port' option to 'preserve'.

This will reduce the need to find suitable source ports for the server-side by the BIG-IP system.

Fix:
When searching for an available source port, and wrapping into the privileged port range (<1024), the BIG-IP system now performs a small jump out of that range, thus not going into the upper range unnecessarily.

---

671920-1 : Accessing SNMP over IPv6 on non-default route domains

Component: TMOS

Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. However, it can respond to SNMP requests over from a client that is accessed through a non-default route domain path for IPv4. For IPv6 this does not work.

Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.

Impact:
Access to SNMP must be through default route domain for IPv6.

Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.

---

671741-4 : LCD on iSeries devices can lock at red 'loading' screen.

Component: TMOS

Symptoms:
There are cases when TMOS is under stress conditions that the LCD on iSeries devices can lock at red 'loading' screen.

Conditions:
-- iSeries platforms.
-- Device under stress.

Impact:
LCD on iSeries devices can lock at red 'loading' screen. Appliance power cycle is required to correct the error.

Workaround:
None. You must power cycle the device to correct the condition.

Fix:
This issue is resolved.

---

671725-1 : Connection leak on standby unit

Solution Article: K19920320

Component: Local Traffic Manager

Symptoms:
High connection count on standby unit.

Conditions:
-- High availability (HA) configuration.
-- Virtual server that has the attribute 'spanning enabled'.

Impact:
Flow leak on Next Active action.

Workaround:
None.

Fix:
Connection leak on standby unit no longer occurs under these conditions.

---

671714-2 : Empty persistence cookie name inserted from policy can cause TMM to crash

Component: Local Traffic Manager

Symptoms:
Empty persistence cookie name inserted from policy can cause TMM to restart.

Conditions:
Empty persistence cookie name is used in a policy definition.
A connection is made that uses the policy.

Impact:
Traffic disrupted while tmm restarts

Workaround:
Use non-empty peristence cookie name in policy definition.

Fix:
Empty persistence cookie name inserted from policy no longer causes TMM to restart.

---

671712 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.

Fix:
The values in the ltmUserStatProfileStat table are always correct.

---

671675-1 : Centralized Management Infrastructure: asm_config_server restart on device group change

Component: Application Security Manager

Symptoms:
If device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group the ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Conditions:
A device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group.

Impact:
ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Workaround:
Wait 30 seconds between leaving an ASM enabled device group before joining a different one.

Fix:
Successive changes to ASM sync enabled device group are handled correctly.

---

671638-4 : TMM crash when load-balancing mptcp traffic

Solution Article: K33211839

---

671627-1 : HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.

Solution Article: K06424790

Component: Access Policy Manager

Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.

Conditions:
HTTP response without body processed by Portal Access

Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.

Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.

Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.

---

671597-1 : Import, export, copy and delete is taking too long on 1000 entries policy

Component: Access Policy Manager

Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.

Conditions:
When access policy has 1000+ entires.

Impact:
Import, export and copy are abandoned or fail due to out of memory condition.

Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.

Fix:
Ng_export speed has been improved 5 times
ng_import and ng_profile are working 50 times faster because of avoiding denormalisation and optimisation

ng_export is still should be used from the console.

---

671498-3 : BIND zone contents may be manipulated

Solution Article: K02230327

---

671497-4 : TSIG authentication bypass in AXFR requests

Solution Article: K59448931

---

671447-2 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form

Component: TMOS

Symptoms:
When using a BIG-IP system configured in an IS-IS network; adjacencies may fail to form with other vendor devices.

Conditions:
- BIG-IP configured to participate as a peer in a IS-IS network.
- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)

Impact:
IS-IS adjacencies may not form.

Workaround:
None.

Fix:
The BIG-IP system now uses a correct SystemID length in the Restart TLV.

---

671373-2 : urldb core seen

Component: Access Policy Manager

Symptoms:
Due to having multiple threads, terminating and destroying the database can cause the crash. The main thread does not wait for others to exit before trying to destroy the database.

Conditions:
SWG is provisioned and re-provisioned after the config has loaded.

Note: This core is very rare (it is intermittent and timing-dependent).

Impact:
urldb cores. Since it was in the process of being shut down for the re-provisioning anyway, this has little to no impact.

Workaround:
There is no workaround at this time.

Fix:
urldb no longer cores SWG is provisioned and re-provisioned after the config has loaded.

---

671337-1 : NetHSM DNSSEC key creation can attempt to change the SELinux label on a file

Component: Local Traffic Manager

Symptoms:
A log message such as type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file
can appear in the logs.

Conditions:
When a NetHSM DNSSEC key is created in a temporary directory and is trying to change the SELinux label on a file without permissions.

Impact:
SELinux error will be logged

Fix:
Allow netHSM script via MCPd to relabel files

---

671326-2 : DNS Cache debug logging might cause tmm to crash.

Solution Article: K81052338

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache debug logging might cause tmm to crash.

Conditions:
This occurs when the following conditions are met:

-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.

Fix:
DNS Cache debug logging no longer causes tmm to crash.

---

671314-4 : BIG-IP system cores when sending SIP SCTP traffic

Solution Article: K37093335

Component: TMOS

Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.

Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.

Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.

Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.

Fix:
This crash has been fixed.

---

671228-1 : Multiple FQDN ephemeral nodes may be created with autopopulate disabled

Component: Local Traffic Manager

Symptoms:
Multiple FQDN ephemeral nodes may be created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records for the FQDN, and bigd is restarted.

Conditions:
This may occur when:
1. An FQDN node is configured with autopopulate disabled.
2. The DNS server returns multiple address records for the FQDN.
3. There is a pool configured to use the FQDN node.
4. bigd is restarted (such as when the system goes offline or tmm restarts).

Impact:
Multiple FQDN ephemeral nodes may be created unexpectedly.

Workaround:
Configure the FQDN node with autopopulate enabled.

Fix:
Multiple FQDN ephemeral nodes are no longer created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records, and bigd is restarted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

671149-3 : Captive portal login page is not rendered until it is refreshed

Component: Access Policy Manager

Symptoms:
Sometimes Edge Client shows an error page for captive portal-redirected URLs.

Conditions:
Some captive portal pages use cloud-based authentication and network management. Such captive portals rely on several HTTP redirects and/or HTML (auto-refresh). Sometimes Edge Client fails to download the page/content from the redirected URL. In such scenarios, a full browser re-attempts and successfully downloads and displays the page, but Edge Client does not re-attempt and shows an error page.

Impact:
For the locked client, an APM end user has no access to the internet until captive portal authentication is performed and the Network Access (VPN) tunnel is created.

Workaround:
None.

Fix:
Edge Client now has a retry mechanism to access and display captive portal login pages in case the first attempt fails.

---

671082-1 : snmpd constantly restarting

Solution Article: K85168072

Component: TMOS

Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.

Conditions:
snmpd takes too long processing a request for the ifTable because there are a large amount of VLANs or VLAN groups configured.

Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.

Workaround:
None.

Fix:
Significantly reduced the time it takes snmpd to process requests for the ifTable when the number of VLANs or VLAN groups is high.

---

671052-3 : AFM NAT security RST the traffic with (FW NAT) dst_trans failed

Solution Article: K50324413

Component: Advanced Firewall Manager

Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.

Conditions:
This issue may be seen with Source/Destination translation.

Impact:
Destination translation failure. In most of the cases, TMM restart resolves the issue. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fix addresses a case where one of the fields was not initialized.

---

671044-3 : FIPS certificate creation can cause failover to standby system

Solution Article: K78612407

Component: TMOS

Symptoms:
FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.

Conditions:
Creating a FIPS certificate while the system is handling a high FIPS traffic load.

Impact:
Possible failover from active to standby, or an outage if there is no standby system, or if the certificate creation causes both active and standby systems to time out.

Workaround:
Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.

Fix:
FIPS certificate creation no longer causes failover to standby system under these conditions.

---

670910-2 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined

Component: Access Policy Manager

Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.

Conditions:
This might occur when using the following definition:

<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
<-->xmlns:s="library://ns.adobe.com/flex/spark"
<-->width="100%" height="100%"
<-->minWidth="256" minHeight="64"
<-->creationComplete="initApp()">
<--><s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
<--><--><s:TextInput id="f_output" text="..." width="100%" />
<--><--><fx:Script><![CDATA[
<--><--><-->import flash.external.ExternalInterface;
<--><--><-->private function initApp():void {
<--><--><--><-->f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
<--><--><-->}
<--><-->]]></fx:Script>
<--></s:VGroup>
</s:Application>

Impact:
Flash application malfunction.

Workaround:
None.

Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.

---

670822-3 : TMM may crash when processing SOCKS data

Solution Article: K55225440

---

670816-2 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters

Solution Article: K44519487

Component: Local Traffic Manager

Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.

Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.

Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.

Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

---

670814-2 : Wrong SE Linux label breaks nethsm DNSSEC keys

Component: Local Traffic Manager

Symptoms:
In /var/log/ltm:

(_Common_thales_key) create failed, retry attempt 1 [nfgk_new: Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied mv: cannot stat `/shared/tmp/_Common_thales_key': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_req': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_selfcert': No such file or directory str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=1024 embedsavefile="_Common_thales_key" plainname="_Common_thales_key" digest=sha256] rfs-sync: error from NFastApp_Connect `(null)': Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied No updates. Update done. Create key pair done. ].

or the output of the following command:

ausearch -m AVC,SELINUX_ERR -ts recent

time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.574:24190): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffd059e2720 a2=6e a3=7ffd059e2470 items=0 ppid=3310 pid=3311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="generatekey" exe="/shared/nfast/tcl/bin/generatekey" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.574:24190): avc: denied { write } for pid=3311 comm="generatekey" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.600:24191): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd9dbc33a0 a2=6e a3=7ffd9dbc30f0 items=0 ppid=3313 pid=3316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rfs-sync" exe="/shared/nfast/bin/rfs-sync" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.600:24191): avc: denied { write } for pid=3316 comm="rfs-sync" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----

Conditions:
trying to use a thales nethsm for DNSSEC

Impact:
cannot create DNSSEC keys protected by a thales nethsm

Workaround:
chcon -R --reference=/var/run/rd0.sock /shared/nfast/sockets/

NB: you should also apply the workaround for BZ671337 as well. It's almost certain that if this bug exists, that bug also exists.

Fix:
SE LInux labels no longer prevent the creation of thales-protected nethsm DNSSEC keys

---

670804-2 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP

Solution Article: K03163260

Component: Local Traffic Manager

Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.

Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified accept when used with OneConnect on a virtual server.

Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.

---

670528-1 : Warnings during vCMP host upgrade.

Solution Article: K20251354

Component: TMOS

Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
     slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).

Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
 - Deploy 13.x guest.
 - Monitor /var/log/ltm.

Impact:
Warning message displayed every 5 seconds.

Workaround:
Run the following command:
 tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none

---

670405-4 : K20486351: glibc vulnerability CVE-2017-1000366:

Solution Article: K20486351

---

670400-3 : SSH Proxy public key authentication can be circumvented in some cases

Component: Advanced Firewall Manager

Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key in to the back-end end SSH server.

Conditions:
Public key authentication is being used to authenticate users.

Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.

Impact:
Unauthorized access.

Workaround:
A suggested workaround is to configure the back-end SSH server to require 2-factor authentication, or 3-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.

See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.
 
One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.

-------
Supported client method orders:
 
publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive
 
Any other combination of authentication methods will fail.

Fix:
Implemented stricter error handling in authentication checking.

---

670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates

Component: Local Traffic Manager

Symptoms:
Forward proxy not working correctly when the server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates, this prevents the client side from trusting the server cert and the SSL handshake hangs and fails after timeout.

Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.

Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.

Workaround:
None.

Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.

---

669974-1 : Encoding binary data using ASN1::encode may truncate result

Solution Article: K90395411

Component: Local Traffic Manager

Symptoms:
When using ASN1::encode to encode one or more values, and where the encoding of any of these values results in a representation containing a NUL ('\x0') byte, the overall result that is presented to the iRule does not include the entire set of encoded values and is truncated at the first NUL byte.

Conditions:
-- Using ASN1::encode with binary values (e.g., INTEGER).
-- Encoded results contain a NUL ('\x0') byte.

Impact:
Encoding results in the wrong/truncated value.

Workaround:
It is possible to encode the problematic values using an alternative method.

Fix:
ASN1::encode now correctly encodes binary values.

---

669888-2 : No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96

Component: TMOS

Symptoms:
The BIG-IP does not differentiate between IPv4 addresses (such as 1.2.3.4) and IPv6 addresses in the prefix ::ffff:0:0/96 (such as ::ffff:102:304, also written ::ffff:1.2.3.4). If you enter such an IPv6 address, the equivalent IPv4 address will be rendered and used.

Conditions:
Any attempt to use an IPv6 address in that subnet.

Impact:
The BIG-IP system will operate as if you entered the IPv4 address.

Workaround:
No workaround at this time.

Fix:
The differing addresses now are handled correctly. For most modules, this does not change the functionality at all. AFM is one exception; IPv6 traffic in the ::ffff:0:0/96 subnet will be treated differently than IPv4 traffic.

---

669818-2 : Higher CPU usage for syslog-ng when a syslog server is down

Solution Article: K64537114

Component: TMOS

Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.

Conditions:
A remote log server is added but it is not available.

Impact:
Potentially higher than expected CPU usage.

Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.

---

669739-1 : Potential core when using MRF SIP with SCTP

Solution Article: K71963740

Component: Service Provider

Symptoms:
The system may core when using SCTP with MRF SIP if the outgoing connection receives more messages than it can process.

Conditions:
-- SCTP with MRF SIP configured.
-- Outgoing connection receives more messages than it can process.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
With SCTP with MRF SIP, the system better handles conditions when the outgoing connection receives more messages than it can process, so the system does not core and restart.

---

669645-1 : tmm crashes after LSN pool member change

Component: Carrier-Grade NAT

Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.

Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.

Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.

Workaround:
Recommend to change LSN pool members during a maintainence window with low traffic or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.

Fix:
tmm no longer crashes when changing LSN pool members while processing traffic.

---

669510-2 : When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Component: Access Policy Manager

Symptoms:
- When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Conditions:
- Allow local DNS servers' option is enabled in Network Access configuration.
- Prohibit routing table changes during Network Access connection option is enabled in Network Access configuration.
- Network changes after VPN is established.

Impact:
- Network access tunnel is dropped due to routing table changes.

Workaround:
User needs to connect to VPN again.

---

669462-1 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/

Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool

Impact:
Unable to use pool-members from /Common/ when outside of /Common/

Workaround:
No workaround at this time.

Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/

---

669459-2 : Efect of bad connection handle between APMD and memcachd

Component: Access Policy Manager

Symptoms:
When a connection handle (fd) between apmd and memcachd gets bad (someone else is using or already closed by memcachd), all worker threads gets locked out. A cleaner thread then restart APMD with an assert.

Conditions:
This is difficult to reproduce. It happens if one or more connection handle between apmd worker thread and memcachd gets misused.

Impact:
APMD gets locked down , eventually restart with a core.

Workaround:
None.

Fix:
Communication between APMD and TMM has been improved to be more tolerant of error conditions.

---

669415-1 : Flow eviction for hardware-accelerated flow might fail

Component: TMOS

Symptoms:
In rare cases, evicting a hardware-accelerated ePVA flow might fail. Under normal conditions, this flow eventually idles out of the ePVA, but if traffic happens to be generated over the flow, then it can stay in the ePVA indefinitely, even if there is no software connection context for this connection.

Conditions:
A virtual server using a FastL4 profile.

Impact:
A connection becomes stuck in the ePVA. Traffic might be disrupted if tmm restarts.

Workaround:
Disable hardware acceleration.

Fix:
This release has updated the process for evicting a connection from the ePVA.

---

669364-1 : TMM core when server responds fast with server responses such as 404.

Component: Fraud Protection Services

Symptoms:
TMM core when server responds fast with server responses such as 404.

Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS need to take some action on response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles these conditions without a tmm crash.

---

669359 : WebSafe might cause connections to hang

Component: Fraud Protection Services

Symptoms:
In a loaded environment, FPS might free a connection context without cleaning up the state.

Conditions:
This occurs in a loaded environment (xoff events present).

Impact:
A connection might stall until abandoned by client.

Workaround:
None.

Fix:
when freeing a connection context, FPS will clear internal egress state.

---

669341 : Category Lookup by Subject.CN will result in a reset

Component: Access Policy Manager

Symptoms:
Category Lookup Agent is unable to find the Subject.CN, so it initiates an SSL Handshake failure.

==> /var/log/apm <==
crit tmm[11181]: 01790602:2: [C] 10.20.100.1:11980 -> 10.11.10.101:443: (ERR_NOT_FOUND) Error processing URL Classification query from CatEngine

Conditions:
Category Lookup agent configured to use Subject.CN. May also apply if a Category Lookup agent is configured to use SNI, but the client does not send an SNI, resulting in the agent trying to use the Subject.CN.

Impact:
Cannot use Subject.CN as a data source for category lookup agent.

Workaround:
None.

Fix:
The category lookup agent is now able to find the Subject.CN.

---

669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.

Solution Article: K76152943

Component: TMOS

Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:

exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.

Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.

These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00

Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.

Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:

 1. Boot the BIG-IP system into single-user mode.

 2. Create the directory /shared/f5optics/images with the following command:
  mkdir -m 777 -p /shared/f5optics/images.

 3. Reboot the BIG-IP system, and allow it to start up normally.

Fix:
The reported exception does not occur, and unix-* commands commands issued in Appliance mode run as expected.

---

669268 : Failover in the same availability zone of AWS may fail when AWS services are intermittently available.

Component: TMOS

Symptoms:
Intermittently available AWS services may lead to failure of curl requests to AWS or ec2 tools commands, resulting in failure of failover. As a result, public EIPs (for virtual servers) might remain pointing to the standby BIG-IP system.

Conditions:
AWS services are intermittently available.

Impact:
Failure of failover. Traffic will be routed to the standby BIG-IP system and lost.

Workaround:
Manually fail the systems over till failover succeeds at the desired BIG-IP system.

---

669262-2 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA, resulting that zone is not treated as reverse zone.

PTR is not available from the 'Type' dropbox menu when creating new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.

Conditions:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA.

Impact:
Cannot create PTR resource record for the created reverse zones.

Workaround:
Create reverse zones exactly ending with .arpa.

---

669255-2 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.

Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.

---

669154-1 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.

Solution Article: K25342114

Component: Access Policy Manager

Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.

Conditions:
New SSO SAML configuration contains one or more attribute values containing a session variable, following by another empty value "", for example:

multi-values { "%{session.ad.last.attr.name}" "" }

Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.

Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.

Workaround:
Remove empty attribute values from configuration.

Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.

---

669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Solution Article: K11425420

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs usually is are the BIG-IP system's ca-bundle. The BIG-IP system receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

---

668964-2 : 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group

Solution Article: K81873940

Component: TMOS

Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.

Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.

Impact:
Changes may apply to all peers in the group.

Workaround:
Depending on the network setup, it may be possible to workaround the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.

Fix:
The command 'bgp neighbor <peer -IP> update-source <IP>' no longer applies the change to all peers in peer-group

---

668883 : FQDN pool member status may become out-of-sync when enabled/disabled through GUI

Component: Local Traffic Manager

Symptoms:
After toggling enable/disable on an FQDN pool member through the GUI, an FQDN pool member status may become 'out-of-sync', and the pool member might process connections opposite to its status. Specifically: 'disabled' might accept connections, and 'enabled' might not accept connections. In this state, the FQDN pool member appears to be exactly 'one-message-behind' for an enable/disable status change made in the GUI.

The FQDN pool member status for enabled/disabled is always correctly displayed in the GUI and in tmsh, and behavior is correctly restored after a system reboot. Other pool members are unaffected.

Conditions:
-- BIG-IP systems configured for high availability (HA).
-- At least three members within an FQDN pool.
-- Use the GUI to toggle enable/disable state on a FQDN pool member.

Impact:
The FQDN pool member does not correctly participate in receiving connections to the pool when in this error state. Other pool members remain unaffected.

Workaround:
Change FQDN pool to statically assign members.

Fix:
Toggling FQDN pool member between 'enable/disable' correctly changes that member's participation for accepting connections within its parent pool. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

668802-3 : GTM link graphs fail to display in the GUI

Solution Article: K83392557

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
The GTM graphs are available as expected.

---

668623-5 : macOS Edge client fails to detect correct system language for regions other than USA

Solution Article: K85991425

Component: Access Policy Manager

Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.

Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).

Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.

Workaround:
Run one of the following command on the Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Customization of the following items for Edge client now correctly reflect the region's language selection.

-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.

---

668522-1 : bigd might try to read from a file descriptor that is not ready for read

Component: Local Traffic Manager

Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).

Impact:
The bigd process might consume excessive CPU resources for for various amounts of time.

Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.

Workaround:
None.

Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

---

668521-2 : Bigd might stall while waiting for an external monitor process to exit

Component: Local Traffic Manager

Symptoms:
The bigd process restarts due to a hearbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)

High system load makes this more likely to occur.

Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.

Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.

Fix:
bigd no longer stalls while waiting for an external monitor process to exit.

---

668503-3 : Edge Client fails to reconnect to virtual server after disabling Network Adapter

Component: Access Policy Manager

Symptoms:
1. Connect to an APM Virtual Server.
2. Disable Network Adapter.
3. Enable the Network Adapter.

Edge Client fails to reconnect.

Conditions:
Network Adapter is disabled and re-enabled.

Impact:
Edge Client does not re-establish VPN when Network Adapter is re-enabled.

Workaround:
Disconnect and Connect Edge Client.

Fix:
Edge Client now successfully reconnects to virtual server after disabling and enabling Network Adapter.

---

668501-2 : HTTP2 does not handle some URIs correctly

Solution Article: K07369970

---

668419-1 : ClientHello sent in multiple packets results in TCP connection close

Solution Article: K53322151

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system receives ClientHello messages in multiple fragments, and the first fragment length is less than 9 bytes, SSL might process it as a non-SSL packet.

Conditions:
-- The system receives ClientHello messages in multiple fragments.
-- The first fragment length is less than 9 bytes.

Impact:
SSL might process the first fragment as a non-SSL packet, and discard it, and then tear down the TCP connection.

Workaround:
None.

Fix:
Now, if the system receives the ClientHello message in multiple fragments, and the first fragment is less than 9 bytes, the system waits for the whole SSL packet to arrive before processing it.

---

668352-2 : High Speed Logging unbalance in log distribution for multiple pool destination.

Component: TMOS

Symptoms:
Remote High Speed Logging may send logs in an imbalance when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle for a while (no logs sent) after initial configuration.

Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.

Impact:
-- Log distribution imbalance.

Workaround:
There is no workaround at this time.

Fix:
Logs distributed equally on destination pools.

---

668252-2 : TMM crash in PEM_DIAMETER component

Solution Article: K22784428

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when the route to PCRF is lost.

Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).

Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Ensure that the network interface configuration routing diameter packet is not manually brought down.

No workaround for externally triggered failures.

Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.

---

668196-2 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down

Component: Local Traffic Manager

Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.

Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).

Impact:
Pool member remains marked down.

Workaround:
This condition is very rare but if it occurs you can try removing the pool member or node and re-adding it.

Fix:
Connection limit is now correctly enforced with least-connections and pool member flap, so the member no longer incorrectly remains down.

---

668184-1 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

Fix:
An issue with bd sending wrong numbers to AVR was fixed.

---

668181-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

---

668129-1 : BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.

Component: Access Policy Manager

Symptoms:
Certain SAML implementations support configuration of multiple signing certificates to be used for signing SAML messages. In these deployments different signing certificates could be used when certificate rotation takes place. Until now BIG-IP as SP only supported single signing certificate from external IdPs.
When certificate rotation happens on external IdP, BIG-IP signing verification certificates have to be updated.

Conditions:
External IdP advertises multiple signing certificates in SAML metadata.

Impact:
When external IdP starts using new signing certificate previously advertised in metadata, authentication on BIG-IP as SAML SP will fail until administrator adjusts configuration to specify new signature validation certificate on appropriate SAML IdP connector object.

Workaround:
Signing certificates on BIG-IP as SAML SP can be reconfigured manually.

Fix:
BIG-IP as SP now supports multiple signing certificates advertised by external identity providers.

---

668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination

Solution Article: K02551403

Component: TMOS

Symptoms:
High Speed Logging fails to free an allocated cache memory resulting in memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.

Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed. OR
- High Speed Logging pool members removed.

Impact:
Increase in mds_btree_nodes memory utilization.

Workaround:
There is no workaround at this time.

Fix:
High Speed Logging frees allocated memory correctly.

---

668006-1 : Suspended 'after' command leads to assertion if there are multiple pending events

Solution Article: K12015701

Component: Local Traffic Manager

Symptoms:
TMM crashes when an iRule has multi-parking commands including command after.

Conditions:
-- iRule has multi-parking commands.
-- Command after is used multiple times in the iRule.

Note: The exact condition of crashing tmm is not definitive, but when the above situation is met, it could trigger this crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Depending on the iRule, (e.g., script that uses command after very heavily, very often), the usages can be combined:

after 100
after 200 { some script }

can be combined to after 300 { the script }

Fix:
Suspended 'after' command no longer leads to assertion if there are multiple pending events

---

667922 : Alternative unicode encoding in JSON objects not being parsed correctly

Solution Article: K44692860

Component: Application Security Manager

Symptoms:
JSON content might be blocked when unicode encoding is used in one of the JSON nodes.

Conditions:
Configured ASM Policy with JSON profile.

Impact:
False positive blocked request.

Workaround:
Disable metachars checks in JSON profile.

Fix:
The JSON parser now handles unicode sequences correctly.

---

667892-2 : FPS: BLFN inheritance won't take effect until GUI refresh

Component: Fraud Protection Services

Symptoms:
1. Create fps profile with a "Additional function to be run before JavaScript load" (BLFN) configured.
2. Clone this profile.
3. In the cloned profile choose another profile to defaults from (where there is no BLFN).
4. Save configuration.

Conditions:
- Current profile has a BLFN configured.
- New parent profile has no BLFN.

Impact:
The original BLFN is still configured on the profile (should have inherited the empty BLFN from parent profile).

Workaround:
1. Use tmsh.
2. Refresh before save.

Fix:
Correct BLFN inheritance logic in GUI.

---

667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports

Component: Fraud Protection Services

Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.

Conditions:
'Apply cookies to base domain' is enabled and
connection is over non-standard ports (not 80, 443, etc.).

Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.

Workaround:
Use only standard ports.

Fix:
FPS now correctly parses base-domain, including port (if exists).

---

667779-2 : iRule commands may cause the TMM to crash in very rare situations.

Component: Local Traffic Manager

Symptoms:
A TMM crash may occur in very rare situations.

Conditions:
A Tcl iRule command is used.

Impact:
A TMM Core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Tcl iRule commands are more robust to extreme scenarios within the TMM.

---

667707-2 : LTM policy associations with virtual servers are not ConfigSynced correctly

Component: Local Traffic Manager

Symptoms:
The association of Local Traffic Policies to virtual servers do not synchronize properly.

This can result in configuration sync failures with error messages including:

-- 01070635:3: The policy (/Common/asm_auto_l7_policy__vs_27) is referenced by one or more virtuals.
-- Configuration error: The bot-defense-asm profile /Common/asm_policy_1 was added to virtual server /Common/vs1 but it does not match the asm-controlling policy. The bot-defense-asm profile is added to the virtual server automatically.
-- 010716fd:3: Virtual Server '/Common/vs' cannot contain policies with conflicting controls.

In other circumstances, BIG-IP systems report themselves as 'in sync' despite a virtual server having different local traffic policies associated.

Under certain circumstances, configuration sync fails after an LTM policy is removed from a virtual server and deleted.

Conditions:
This occurs under the following conditions:

-- Full sync operations (e.g., 'full-load-on-sync' or 'force-full-load-push').

And either of the following:
-- Configuration changes made where local traffic policies are removed or added from a virtual server.

-- Configuration changes made where a local traffic policy is removed from a virtual server, and then the virtual server is deleted.

Impact:
Configuration fails to sync, or devices report 'In Sync' but have different LTM policies associated with virtual servers.

Workaround:
There is no workaround at this time.

Fix:
Configuration sync is successful.

---

667662-1 : Autolasthop does not work for PPTP-GRE traffic.

Solution Article: K06579313

Component: Carrier-Grade NAT

Symptoms:
Autolasthop does not work for PPTP-GRE traffic.

Conditions:
Autolasthop configured for client ingress VLAN, serving PPTP-ALG traffic.

Impact:
PPTP-ALG traffic through the BIG-IP system.

Workaround:
Create static routes to return PPTP-GRE traffic back to the client network.

Fix:
Autolasthop setting works correctly for PPTP-GRE traffic.

---

667560-3 : FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed

Solution Article: K69205908

Component: Local Traffic Manager

Symptoms:
A pool member configured through an FQDN node and which has multiple associated monitors may become unknown (blue) after a monitor rule change to one of its associated monitors. The expected behavior is that the node should remain 'green' if monitoring is successful with the new rule, but the node may become unknown (blue) until bigd is restarted.

Conditions:
A pool member is configured through an FQDN node, and has multiple associated monitors, and a monitor rule change is made to one of the associated monitors.

Impact:
The pool member status correctly reflects whether monitoring is successful (green) or the pool member is unknown (blue), but the changed monitor rule may not take effect until bigd is restarted.

Workaround:
When making changes to a monitor rule associated with a pool member configured through FQDN, verify the node remains monitored (green or checking), or restart bigd. Alternatively, change monitor rules within the configuration file, and reload the configuration.

Fix:
Pool members configured through FQDN nodes and with multiple associated monitors continue to be monitored after a monitor rule change to one of the associated monitors. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

667469-1 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.

---

667405-2 : Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.

Solution Article: K61251939

Component: TMOS

Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.

Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.

Impact:
Memory leak in the TMM.

Workaround:
None.

Fix:
No memory leak in the TMM.

---

667404-2 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts

Solution Article: K77576404

Component: TMOS

Symptoms:
If fragmented IP packets match an IPsec policy, then get forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key for another connflow, including internal MCP flows. When that happens, if IPsec does tunnel those flows, internal MCP heartbeats later miss and cause tmm restarts.

Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.

Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.

Fix:
Now fragmented packets are handled correctly, and other flows cannot experience interference.

---

667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.

---

667304-1 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled

Solution Article: K68108551

Component: Access Policy Manager

Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.

Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.

Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.

Workaround:
None.

Fix:
'Save Password' checkbox is not shown unless the feature is enabled.

---

667278-3 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.

---

667257-2 : CPU Usage Reaches 100% With High FastL4 Traffic

Component: TMOS

Symptoms:
CPU usage reaches 100% with high FastL4 traffic. Issue with re-offloading evicted FastL4 traffic to ePVA.
Typically observed on systems handling a lot of FastL4 traffic that have been upgraded to a version that has re-offload behavior implemented by Bug ID 563475: ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Conditions:
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.

Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.

Workaround:
None.

Fix:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on), before the flow is re-offloaded).

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.

Behavior Change:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on), before the flow is re-offloaded).

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.

---

667237-3 : Edge Client logs the routing and IP tables repeatedly

Component: Access Policy Manager

Symptoms:
Edge Client logs the routing and IP tables repeatedly - in each reconnecting attempt.

Conditions:
Edge Client is in reconnecting state and gateway is reachable. However, APM server is not reachable/responding.

Impact:
It fills up the log file with information that is not useful.

Workaround:
There is no workaround at this time.

Fix:
When Edge Client is in re-connection state and the APM server is not reachable/responding, skip logging the Routing/IP tables in each reconnecting attempts.

---

667223 : The merge option for the tmsh load sys config command removes existing nested objects

Component: TMOS

Symptoms:
Nested objects are removed when newer objects are merged in.

Configuration objects can contain nested objects. The merge option for tmsh load sys config command expects the nested-objects passed in to be merged alongside existing objects.

example:

Initial configuration

[root@plate:Active:Standalone] config # tmsh list ltm pool
    ltm pool test-pool-mcconfig {
        members {
            test-mc1:http {
                address 10.13.14.15
                priority-group 1
                session monitor-enabled
                state checking
            }
            test-mc2:http {
                address 10.13.14.16
                priority-group 4
                session monitor-enabled
                state down
            }
        }
        monitor tcp
    }

Run load merge command:

    [root@plate:Active:Standalone] config # tmsh -m
    root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge from-terminal
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm pool test-pool-mcconfig {
     members {
      test-mc2:http {
       priority-group 0
      }
     }
    }
    Loading configuration...
    root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# ^D

New configuration, not merged:

    [root@plate:Active:Standalone] config # tmsh list ltm pool
    ltm pool test-pool-mcconfig {
        members {
            test-mc2:http {
                address 10.13.14.16
                session monitor-enabled
                state down
            }
        }
        monitor tcp
    }

Conditions:
Execute tmsh load sys config merge from-terminal command.

The configuration contains nested objects. The configuration that is being merged in contains nested objects of the same type as the existing configuration.

Impact:
Configuration loss: Post merge the existing nested configuration objects are deleted.

Workaround:
None.

Fix:
The behavior for the merge option of tmsh load sys config is corrected. The nested objects in the existing configuration are not deleted.

---

667173 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.

---

667148-1 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active

Workaround:
No workaround.

Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.

---

667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★

Component: TMOS

Symptoms:
After upgrade from 10.2.4 to 12.1.2, full config load fails.

Conditions:
The pre-upgrade version must be 10.2.4 and the pre-upgrade config must have user-defined partitions.

Impact:
After upgrade, if changes are made to the running config (in memory; not on disk), then the config files on disk from upgrade cannot be restored.

Workaround:
10.2.4 config on upgrade is stored at /config/bigpipe/. So, a workaround is to load defaults, then merge the original config using bigpipe.

/usr/libexec/bigpipe merge /config/bigpipe/*.conf

Fix:
Full load after upgrade from 10.2.4 now succeeds.

---

667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.

Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.

Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.

Workaround:
Enable htsplit using the following command:

modify sys db scheduler.splitplanes.ltm value true

Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.

Note: DNSX works as expected with htsplit enabled, both before and after the fix.

---

666986-2 : Filter by Support ID is not working in Request Log

Solution Article: K50320144

Component: Application Security Manager

Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.

Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.

Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.

Workaround:
You can try to filter by last 4 digits of Support ID. Although that does not replace filter by Support ID functionality, it might help.

Fix:
Filter by Support ID works for any length but 4 digits (in this case search uses the last 4 digits; also a 4-digit Support ID is not a realistic occurrence).

---

666884-2 : Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform★

Solution Article: K27056204

Component: TMOS

Symptoms:
cpcfg fails with errors similar to the following:

info: Getting configuration from HD1.3
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
error: status 256 returned by command: F5_INSTALL_MODE=install F5_INSTALL_SESSION_TYPE=hotfix chroot /mnt/tm_install/23102.e3MAZU /usr/local/bin/im -force /var/local/ucs/config.ucs
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /shared: Not enough free space
info: 6144 bytes required
info: 0 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Only on a chassis platform running 12.1.x or 13.0.x.

Impact:
You cannot use cpcfg on a chassis platform.

Workaround:
Save a UCS from the source volume, reboot to the destination volume, then load that UCS file.

Fix:
cpcfg could incorrectly calculate the amount of free space available, refusing to do the copy unless the /shared filesystem had sufficient space to do the copy. This has been resolved and this free space calculation is done correctly.

---

666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability

Solution Article: K06619044

Component: TMOS

Symptoms:
In addition to HiGig Link instability, FCS errors can be seen on internal switch and HSB Higig link. This is likely some PHY-related issues and can cause instability in communication links.

One symptom associated with this might be that a blade cannot become active and join the cluster.

Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.

Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.

HSB lockup and accumulated FCS errors observed from stats and log.

Workaround:
A switch port reset might be used to recover this failure. Note, however: that procedure might cause potential HSB lockups.

Fix:
FCS errors and link instability no longer occur.

---

666689-1 : Occasional "profile not found" errors following activate access policy

Component: Access Policy Manager

Symptoms:
Immediately following the applying of a modified access policy it is possible for some profiles to disappear.
It is transient and within a minute or two the profiles are available again.

Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot ids will clear the list of profiles and policies and then rebuild those lists. Authentication requests using profiles or policies not yet rebuilt returned the "profile not found" error.

Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.

Workaround:
Retry the authentication.

Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.

---

666595-2 : Monitor node log fd leak by bigd instances not actively monitoring node

Component: Local Traffic Manager

Symptoms:
Each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis opens a file descriptor for each node or pool member that has monitor logging enabled. However, only one instance of bigd is actively monitoring each individual node, and actively logging health monitor events to the node log. When LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool, or pool member configuration.

Note: This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool or pool member configuration.

Conditions:
This may occur when the following conditions are met:
1. An LTM health monitor is assigned to an LTM node, pool or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Impact:
When this problem occurs, the instance of bigd that is actively monitoring a particular node will close its file descriptor to that node's log file (under /var/log/monitors), but other instances of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis will leak their file descriptor to the node log.

File descriptors that are opened by the bigd daemon and not closed will count against bigd's internal file descriptor limit. This may result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon no longer leaks file descriptors for monitor node logs when multiple instances of bigd are running, LTM health monitors are configured with node logging enabled, and the monitor is then removed from the LTM node, pool, or pool member configuration.

---

666505-2 : Gossip between VIPRION blades

Component: iApp Technology

Symptoms:
The REST framework's 'gossip' mechanism does not appear to run between VIPRION blades in a device service cluster.

Conditions:
-- VIPRION systems.
-- Configured with device service clustering and a high availability (HA) group.
-- The REST framework's 'gossip' mechanism is configured on the non-primary blade.

Impact:
Gossip being enabled on the non-primary VIPRION blade interferes with communication between the primary and the remote peer.

Workaround:
None.

Fix:
The system no longer enables Gossip sync on non-primary VIPRION blades.

Behavior Change:
Previously, when The REST framework's 'gossip' mechanism was enabled on the non-primary VIPRION blade, it interfered with communication between the primary and the remote peer. Now, the 'gossip' mechanism is disabled on the non-primary blade, so communication between the primary and the remote peer is not impacted.

---

666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Solution Article: K05520115

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in full tunneling configuration
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.

---

666401-2 : Memory might become corrupted when a Standby device transitions to Active during failover

Solution Article: K03294104

Component: Local Traffic Manager

Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.

Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Memory is no longer corrupted.

---

666315 : Global SNAT sets TTL to 255 instead of decrementing

Component: Local Traffic Manager

Symptoms:
Global SNAT sets the TTL to 255 instead of decrementing.

Conditions:
Global SNAT configured.

Impact:
Possible routing loop.

Workaround:
No workaround.

Fix:
TTL for global SNAT now gets decremented.

---

666221-2 : tmm may crash from DoSL7

Solution Article: K47152503

Component: Application Security Manager

Symptoms:
tmm crash.

Conditions:
A virtual server configured with the following:
compression profile configuration, HTTP/DoSL7 with DoSL7 iRule, RamCache.

Impact:
SIGSEGV. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a possible tmm crash.

---

666160-1 : L7 Policy reconfiguration causes a slow memory leak

Solution Article: K63132146

Component: Local Traffic Manager

Symptoms:
When a virtual server with a L7 policy is reconfigured, a small amount of memory is leaked.

Conditions:
A virtual server with L7 policies has a configuration change.

Impact:
The memory leak will reduce the amount of resources for the TMM.

Workaround:
None.

Fix:
L7 Policies no longer leak memory when a virtual server using them is reconfigured.

---

666112-1 : TMM 'DoS Layer 7' memory leak during config load

Solution Article: K53708490

Component: Application Security Manager

Symptoms:
Degraded performance; potential eventual out-of-memory.

Note: The 'DoS Layer 7' allocations increase by 'TMM count * #domains' after each config load.

Tip: You can watch the watch the 'DoS Layer 7' allocations increase on a shell on the BIG-IP system using the following command:
# watch -n1 -- 'tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat | grep -E "^name|---|^DoS Layer 7 "'

Conditions:
-- Provision ASM.
-- Make sure the built-in 'security dos bot-signature' are added to the config.
-- Load the config from another shell using the following command:
 tmsh load sys config

Impact:
Degraded performance; potential eventual out-of-memory.

Workaround:
None.

Fix:
Fix memory leak after each config load.

---

666058-2 : XenApp 6.5 published icons are not displayed on APM Webtop

Solution Article: K86091857

Component: Access Policy Manager

Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.

VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size.

Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some of the third-party applications more icon bitmap information than expected.

Impact:
Icons are not displayed on the APM Webtop

Workaround:
None.

Fix:
Now APM Webtop correctly displays Citrix XenApp icons correctly regardless of the size of the bitmap data.

---

666035-1 : Obscuring secrets in files collected by qkview

Component: TMOS

Symptoms:
Some config files collected by qkview may have clear text secrets.

Conditions:
Run qkview and extract to see files with cleartext secrets

Impact:
Plaintext secrets are uploaded to iHealth.

Workaround:
To workaround this issue, follow this procedure:
1. Untar qkview file.
2. Obfuscate secrets from the affected file.
3. Recreate qkview file to upload.

For more information, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.

Qkview obfuscation
==================
-- Specific information from text files collected by qkview can be replaced/obscured.
-- Configuration file is in JSON format and it requires regex search pattern and replacement text for given files.

  Config file
  ===========
  /etc/qkview_obfuscate.conf

  Config Template
  ===============
  {
    "filename_regex1":
       {
           "search_regex11": "replace_text11",
           "search_regex12": "replace_text12",
           "search_regex13": "replace_text13" <= No comma after the last element.
       },
    "filename_regex2":
       {
           "search_regex21": "replace_text21",
           "search_regex22": "replace_text22",
           "search_regex23": "replace_text23"
       } <= No comma after the last node.
  }

Notes
=====
-- Search-and-replace rules are applied to the files that match the filename regex.

-- Filename and search_pattern are the regex. JSON special characters need to be escaped in the regex. (JSON special chars list :: http://json.org/.)

   Example:
       search_pattern "bindpw\s+(\S+)" should be "bindpw\\s+(\\S+)".
       ('\' is escaped by '\\'.)

-- If a filename matches multiple filename regexes, all rules of those files' regexes are applied to that file.

   Example:
        {
            "abc123\\.conf": {
                "password\\s+(\\S+)": "password ####",
                "passphrase\\s+(\\S+)": "passphrase ####"
            },
            "abc\\w+\\.conf": {
                "bindpw\\s+(\\S+)": "bindpw dummypasswd"
            }
        }

     Because abc123.conf matches both filename regexes, all three rules are applied to abc123.conf.

-- Obfuscation works only on text files. Compressed files are ignored.

-- The qkview command fails if the config file is syntactically incorrect.

Sample config
=============
  {
      "abc123\\.conf": {
          "password\\s+(\\S+)": "password ####",
          "passphrase\\s+(\\S+)": "passphrase ####"
      },
      "myapp?\\w+\\.conf": {
          "bindpw\\s+(\\S+)": "bindpw dummypasswd"
      }
  }

  "abc123\\.conf" - matches abc123.conf
  "myapp?\\w+\\.conf - matches myapp*.conf

---

666032-3 : Secure renegotiation is set while data is not available.

Solution Article: K05145506

Component: Local Traffic Manager

Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.

Conditions:
This occurs when handling SSL secure renegotiation in certain connections.

Impact:
Crashes happen to certain SSL connections.

Workaround:
None.

Fix:
Secure renegotiation is set while data is not available no longer causes a crash in certain connections.

---

665924-1 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios

Solution Article: K24847056

Component: Local Traffic Manager

Symptoms:
A TMM crash caused by a double-free of memory within the HTTP2 and SPDY filters. This crash could occur in other TMM sub-systems unrelated to HTTP2 or SPDY.

Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.

---

665905 : Signature System corruption from specific ASU prevents ASU load after upgrade

Solution Article: K83305000

Component: Application Security Manager

Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.

Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.

Impact:
Attempts to perform Signature Update fail.

Workaround:
The mistaken Signature System can be deleted using the following SQL:

----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------

Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.

---

665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

Solution Article: K34503519

Component: iApp Technology

Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'

Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.

Impact:
Cannot view/re-deploy iApps.

Workaround:
Use TMSH to view/re-deploy iApps.

There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.

Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.

-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.

-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
   https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.

Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

---

665732-2 : FastHTTP may crash when receiving a fragmented IP packet

Solution Article: K45001711

Component: Local Traffic Manager

Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.

Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.

Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.

Fix:
Force packet reassembly before packet is forwarded to a FastHTTP virtual.

---

665656-1 : BWC with iSession may memory leak

Component: TMOS

Symptoms:
A memory leak may occur when BWC is configured with iSession.

Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.

Impact:
A memory leak.

Workaround:
None.

Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.

---

665652-2 : Multicast traffic not forwarded to members of VLAN group

Solution Article: K41193475

Component: Local Traffic Manager

Symptoms:
Multicast traffic traversing through the BIG-IP system through a VLAN that is member of a VLAN group does not get forwarded to other members of the VLAN group.

Conditions:
Multicast traffic ingress from a VLAN in a VLAN group.

Impact:
Traffic is not forwarded to the other members of the VLAN group.

Workaround:
None.

Fix:
Multicast traffic is now correctly forwarded to members of VLAN group.

---

665470-1 : Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised

Component: Application Security Manager

Symptoms:
Failed to Learn page malicious IP addresses in a specific case.

Conditions:
-- IP intelligence is turn on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.

Fix:
The system now Learns page malicious IP addresses when IP intelligence is turn on and logging is turned off.

---

665416-3 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used

Solution Article: K02016491

Component: Access Policy Manager

Symptoms:
Currently, it takes 24 hrs for old versions of APM config snapshots that are not being used to time out and to release the memory. If access profiles are complex and are updated frequently within 24 hrs, memory resource is likely to be exhausted.

Conditions:
If access profiles are updated frequently within 24 hrs and each version of the configuration snapshot contains many variables.

Impact:
TMM may run out of memory and crash, causing service interruption.

Workaround:
None.

Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.

---

665362-4 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.

Fix:
Added error handling to prevent crash. If this error occurs in the future it will not crash, but a restart of mcpd is required.

---

665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.

---

665347-2 : GTM listener object cannot be created via tmsh while in non-Common partition

Solution Article: K17060443

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.

Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2

Impact:
The listener will not be created. The system outputs an error similar to the following:
 01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.

Workaround:
None.

Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.

---

665330-1 : MSIE 11 should avoid compatibility mode

Component: Access Policy Manager

Symptoms:
MSIE 11 in compatibility mode is causing JS errors because MSIE 7-9 are not good in javascript.

Conditions:
APM Client and MSIE 11 forced to compartibility mode.

Impact:
Certain pages on client UI are not being rendered or being rendered with errors.

Workaround:
Don't push MSIE 11 to compatibility mode with APM
Use browsers that are good with javascript.

Fix:
We've added meta that sets MSIE in native mode. Although group policy in domain still can overwrite it, for most use cases it's enough.

---

665185-1 : SSL handshake reference is not dropped if forward proxy certificate lookup failed

Solution Article: K20994524

Component: Local Traffic Manager

Symptoms:
In rare cases, when forward-proxy certificate-lookup fails, the SSL handshake reference is not dropped, which can consume memory that is no longer needed.

Conditions:
Forward-proxy certificate-lookup fails; specifically, input string size is larger than maximum allowed.

Impact:
tmm memory use grows.

Workaround:
None.

Fix:
The system now drops the SSL handshake reference when when forward-proxy certificate-lookup fails. This is correct behavior.

---

665022-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
Packet length exceeds rateshaper's configured max ceiling.

Impact:
The flow stalls.

Workaround:
Increase the configured rateshaper's max ceiling value to be larger than the largest packet length.

Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.

---

664930-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

---

664894-1 : PEM sessions lost when new blade is inserted in chassis

Solution Article: K11070206

Component: TMOS

Symptoms:
Inserting a blade into a chassis that is using high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command as well as entries stored in the SessionDB from modules.

Conditions:
HA in use 'between clusters'.

Impact:
Data loss of some SessionDB entries.

Workaround:
In order to cleanly add a blade, put the setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'

Fix:
PEM sessions are now retained when new blade is inserted in chassis when using 'between clusters'.

---

664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot

Component: TMOS

Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of its disk has changed, and re-sizes the partition table and causes a reboot to occur. This is likely to occur only on VE guests.

Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.

Note: A specific software version for a specific cloud environment either always exhibit this, or never does.

Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.

Workaround:
None.

Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.

---

664769-1 : TMM may restart when using SOCKS profile and an iRule

Component: Local Traffic Manager

Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.

Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.

Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.

Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.

---

664737-2 : Do not reboot on ctrl-alt-del

Component: TMOS

Symptoms:
BIG-IP reboots on ctrl-alt-del keys

Conditions:
VE with ctrl-alt-del keys in the video console.

Impact:
BIG-IP reboots.

Fix:
prevent reboot on ctrl-alt-del

---

664714-1 : Client-side challenge is changing POST parameter value under some circumstances

Component: Application Security Manager

Symptoms:
A parameter arrives with a different value to the server than was sent from the client. Happens while a brute force attack or web scraping challenge or web scraping session client-side mitigation is happening,

Conditions:
-- POST request with URL-decoded parameters.
-- A parameter is escaped.
-- A client-side challenge is returned for this request.

Impact:
The wrong parameter arrives to the application. In response, the application may stop working or have other errors.

Workaround:
N/A

Fix:
Client-side challenge no longer changes POST parameter value under described circumstances.

---

664708-2 : TMM memory leak when DoS profile is attached to VS

Component: Application Security Manager

Symptoms:
TMM memory leak when DoS profile is attached to VS

Conditions:
1. have DoS profile
2. traffic from search engine is coming to this VS
3. DNS resolver is configured

Impact:
TMM memory use increases over time.

Workaround:
There is no workaround at this time.

Fix:
Free memory periodically.

---

664618-3 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'

Component: Local Traffic Manager

Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.

Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.

Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.

Impact:
Connections are reset, when only alerting is expected.

Workaround:
None.

Fix:
Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile. When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic will be blocked, and logging to be seen in both LTM log and PSM event logs.

---

664549-2 : TMM restart while processing rewrite filter

Solution Article: K55105132

Component: TMOS

Symptoms:
TMM restart and failover occurs while processing rewrite filter.

Conditions:
-- Virtual server with rewrite-uri-translation profile.
-- Serverside attempts to get data from clientside when connection flow does not exist.

Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM restart and failover no longer occurs while processing rewrite filter.

---

664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address

Component: Service Provider

Symptoms:
Case1: Run 2 Servers with same IP but different ports. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server. Same result when use-local-connection is disabled.

Case2: Run 2 Servers with same IP but different ports but this time use MR::message route iRule command to route messages between hosts. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server.

Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.

Impact:
All the requests from the same client are delivered to 1 server only.

Workaround:
Use different IP address in the pool member. Or use different IP address as the client request.

Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.

---

664528-1 : SSL record can be larger than maximum fragment size (16384 bytes)

Solution Article: K53282793

Component: Local Traffic Manager

Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.

Conditions:
This usually happen when a large certificate or certificate chain is configured for server or client authentication.

Impact:
SSL handshake will fail with client or server that properly checks the record size.

Workaround:
Use a certificate that is smaller in size.

Fix:
Properly fragment handshake data.

---

664524 : CVE-2017-2636: A race condition was found in the N_HLDC Linux kernel driver that can lead to double free CVE-2016-7910:A flaw was found in the Linux kernel's implementation of seq_file which can lead to memory corruption

Component: TMOS

Symptoms:
CVE-2017-2636:
A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free.
CVE-2016-7910:
A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation.

Conditions:
CVE-2017-2636:
A local, unprivileged user able to set the HDLC line discipline on the tty device.
CVE-2016-7910:
local attacker could manipulate memory in the put() function pointer

Impact:
CVE-2017-2636:
Local user can use this flaw to increase their privileges on the system.

CVE-2016-7910:
local attacker can manipulate memory which could lead to memory corruption and possible privileged escalation

Workaround:
CVE-2017-2636:
This module can be prevented from loading using the following commnd # echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf
The system will need to be restarted if the n_hdlc modules are already loaded.
In most circumstances, the n_hdlc kernel modules will be unable to be unloaded if in use and while any current process using this line discipline is required.

CVE-2016-7910:
None

Fix:
Upstream patch applied.

---

664507-3 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration

Component: Access Policy Manager

Symptoms:
IdP-connector automation removes certificate reference when update to metadata file is detected, and metadata file contains multiple signing certificates

Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.

Impact:
Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.

Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.

Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.

---

664461-3 : Replacing HTTP payload can cause tmm restart

Solution Article: K16804728

Component: Local Traffic Manager

Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule can result in the tmm restarting.

Conditions:
Occurs when server response is non-chunked, does not contain a Content-Length header, an iRule adds a Content-Length header and performs an HTTP::payload replace command where the length is shorter than the original body length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.

---

664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template

Solution Article: K03203976

Component: TMOS

Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.

Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.

Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.

Workaround:
None.

Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.

---

664057-2 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached

Component: TMOS

Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.

Conditions:
Pre-12.0.0 configuration with an WideIP without any pools, but with an iRule.

Impact:
Some or all of a post-upgrade "GSLB-typed" wideip would be lost during the upgrade process.

Workaround:
Manually add missing WideIPs after upgrade.

Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.

---

664017-3 : OCSP may reject valid responses

Component: TMOS

Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:

OCSP response: got EOF

Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.

Impact:
Valid OCSP responses may be rejected.

Workaround:
None.

Fix:
These responses are now accepted.

---

663974-2 : TMM crash when using LSN inbound connections

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using an LSN pool with inbound connections.

Conditions:
LSN inbound connections configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using an LSN pool with inbound connections.

---

663924-2 : Qkview archives includes Kerberos keytab files

Component: TMOS

Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.

Conditions:
APM provisioned with Kerberos authentication.

Impact:
Private security key exposure.

Workaround:
There is no workaround.

Fix:
Qkview no longer collects 'kerberos_keytab_file_d' directory containing keytab files when creating qkview archive.

---

663821-3 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections transverse the SNAT.

Impact:
Stats are not incremented in tmsh or GUI

Workaround:
None.

Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.

---

663770-2 : AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Solution Article: K04025134

Component: Advanced Firewall Manager

Symptoms:
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server.

This is a regression from 12.1.x behavior.

Conditions:
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.

Impact:
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.

Workaround:
There is no workaround at this time.

Fix:
Cause of the regression is fixed and now AFM policy is applied to traffic that is internally redirected to another virtual server (either via iRule or LTM traffic policy).

---

663730-1 : Bigd prematurely kills child/external monitor process if WIFCONTINUED signal received

Component: Local Traffic Manager

Symptoms:
The bigd daemon may prematurely kill a child/external monitor process when a WIFCONTINUED signal is received for the child process.

Conditions:
This may occur under rare timing conditions when one of the following LTM monitor types is configured and in active use:
- external
- ftp
- imap
- pop3
- snmp

Impact:
Health monitoring using an affected monitor type may be temporarily interrupted when the child/external monitor process is killed and subsequently restarted.

Fix:
The bigd daemon now logs a message and does not prematurely kill a child/external monitor process when a WIFCONTINUED signal is received.

---

663580-1 : logrotate does not automatically run when /var/log reaches 90% usage

Solution Article: K31981624

Component: TMOS

Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.

Conditions:
/var/log has less than 10% free space.

Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.

Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a desription for expected behavior.

Workaround:
None.

Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.

---

663551-1 : SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event

Solution Article: K14942957

Component: Local Traffic Manager

Symptoms:
If an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE event, the expected result is that the SERVERSSL_DATA event will be raised when the serverside receives the SSL data. Then, the decrypted SSL data can be examined and manipulated.
*****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
when SERVERSSL_DATA {
    log local0. "ServerSSL Data"
    log local0. [SSL::payload]
    SSL::release
}
*****************************

The issue is that SERVERSSL_DATA is not raised, even when the serverside receives the SSL data when the iRule calls the [SSL::collect] in the SERVERSSL_HANDSHAKE:
****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
****************************

Conditions:
Calling the [SSL::collect] in the SERVERSSL_HANDSHAKE event.
****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
****************************

Impact:
SERVERSSL_DATA event is not raised.

Workaround:
Add the [SSL::release] command in the SERVERSSL_HANDSHAKE event.
**********************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
    SSL::release
}

Fix:
SERVERSSL_DATA event is now raised when an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE.

---

663535-1 : Sending ASM cookies with "secure" attribute even without client-ssl profile

Component: Application Security Manager

Symptoms:
ASM cookies can be set with "secure" attribute on when BIG-IP works on SSL profile.

Conditions:
Enabling ASM, network to BIG-IP without client-ssl.

Impact:
When working with encrypted network in the client side but clear network in the ASM virtual, cookies cannot be set with "secure" attributes.

Workaround:
There is no workaround at this time.

Fix:
Added an internal parameter "assume_https", to decide always setting the "secure" attribute, even when the BIG-IP network is clear.

---

663531-1 : TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a matching non-PPTP-GRE flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a BIG-IP system when a GRE tunnel matches a PPTP-GRE flow

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Possible mitigation by not using a forwarding virtual for non-PPTP GRE traffic.

Fix:
The system now drops the new flow/tunnel and allow it to clean up, so TMM no longer crashes when PPTP finds a non-PPTP-GRE flow when checking for an existing tunnel.

---

663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms

Component: TMOS

Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.

Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.

Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.

Impact:
Dropped multicast packets, possibly impacting multicast protocols.

Workaround:
None.

Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.

---

663506-7 : apmd crash during ldap cache initialization

Solution Article: K30533350

Component: Access Policy Manager

Symptoms:
apmd crashes.

Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).

Impact:
BIG-IP cannot process user logon request, until apmd is restarted and LDAP cache is updated

Workaround:
The best practice is to update policy/AAA LDAP Server when BIG-IP is not under load. Then make one logon manually. apmd updates caches on first APM end-user's logon. Once caches update, all the further logons should happen much faster and should not cause any problems

Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.

---

663396-1 : URL Method override is enforced incorrectly after upgrade

Component: Application Security Manager

Symptoms:
After an upgrade, an overridden HTTP method on a particular URL is enforced incorrectly. Additionally, in a rare circumstance, requests using GET method are illegal after upgrade.

Conditions:
A HTTP method is overridden on a particular URL and the system is upgraded.

Impact:
Requests are incorrectly blocked.

Workaround:
Make a spurious change to any policy and click 'Apply Policy'.

Fix:
Overridden HTTP methods are enforced correctly after upgrade.

---

663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

Component: TMOS

Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.

Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.

Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.

---

663333-1 : TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high

Component: Carrier-Grade NAT

Symptoms:
TMM may core while trying to allocate a new block

Conditions:
If LSN pool is under provisioned OR if the utilization is high, TMM may need to send MPI messages to other TMMs to search for other blocks. The TMM may core if these operations time out

Impact:
Traffic disrupted while tmm restarts.

---

663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even the key has been stored in HSM, the BIG-IP is still unable to use it because of its lacking stub key to be configured on the BIG-IP system.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
  [default sha1] >

Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.

---

663310-3 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★

Component: Global Traffic Manager (DNS)

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;

Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".

On upgrade, the config needs to be parsed looking for slave zones that do not specify the masterfile-format and set them to "text".

---

663197-3 : Security hardening of files to prevent sensitive configuration from being stored in qkview.

Component: TMOS

Symptoms:
Sensitive configuration information, such as auth-related passwords, is being stored in cleartext in qkview files.

Conditions:
Run qkview and extract to see files with cleartext configuration information.

Impact:
Cleartext configuration information is uploaded to iHealth

Workaround:
None.

Fix:
Security hardening of files to prevent sensitive configuration from being stored in qkview. Cleartext passwords will be replaced with **** in all of the following config files while collecting in qkview:

/config/bigip/auth/pam.d/cert-ldap/system-auth.conf
/config/bigip/auth/pam.d/ldap/system-auth.conf
/config/bigip/auth/pam.d/radius/system-auth.conf
/config/bigip/auth/pam.d/tacacs/system-auth
/config/bigip/auth/pam.d/ocsp/*
/config/bigip/auth/pam.d/cc_ldap/*

---

663178-1 : tmm may crash sometimes usng VPN

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP fail over

Conditions:
VPN is used

Impact:
tmm crash and BIG-IP fail over. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Problem is fixed.

---

663127-1 : Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.

Component: Access Policy Manager

Symptoms:
Symptom will show as an error log in /var/log/apm similar to the one below:

Internal error processing sso config /Common/idp_obj_name
sso_tmconf_string_parse_list

When this error message is logged, subsequent authentication attempt using this BIG-IP as IdP object will fail.

Conditions:
SAML Identity Provider configuration is invalid: attribute contains empty value(s), for example:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { "" user@f5.com }
            name User.Email
        }
    }

Impact:
Authentication will fail for users using affected SAML IdP object.

Workaround:
Manually edit bigip.conf configuration fail and remove empty value(s) in SAML attribute, e.g.:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { user@f5.com }
            name User.Email
        }
    }

Fix:
Empty values in SAML attributes will no longer be accepted by validation logic.

---

663073-1 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Component: Global Traffic Manager (DNS)

Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.

If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.

Impact:
Available pool members might be potentially lost from the combo box until a page reload.

Note: The pool members are not gone from the system; they are still present, just not displayed.

Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.

Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.

---

663063-2 : Disabling pool member used in busy HSL TCP destination can result service disruption.

Component: TMOS

Symptoms:
Manually disabling an otherwise available pool member from a pool used as HSL TCP destination can result in tmm crash and service disruption.

This is more likely to occur when HSL destination is using 'balanced' distribution.

Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.

Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.

Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.

Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.

---

662911-2 : SASP monitor uses same UID for all vCMP guests in a chassis or appliance

Solution Article: K93119070

Component: Local Traffic Manager

Symptoms:
The SASP GWM monitor generates the LB UID from the chassis serial number of the platform on which BIG-IP is running. All vCMP guests running on the platform attempt to use the same UID.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only one vCMP guest running on each BIG-IP appliance or VIPRION chassis is able to successfully use the SASP monitor.
- The SASP monitor running on the first vCMP guest can successfully connect to the SASP GWM.
- Subsequent SASP monitor instances running on other vCMP guests will fail to connect to the SASP GWM.

Conditions:
This occurs when multiple vCMP guests are running on a single BIG-IP appliance or VIPRION chassis, each using a SASP monitor connecting to the same SASP GWM to monitor pool member availability.

Impact:
The SASP monitor is unable to monitor pool member availability on more than one vCMP guest running on a single BIG-IP appliance or VIPRION chassis.

Workaround:
None.

Fix:
The SASP monitor can be used to monitor pool member availability on multiple vCMP guests running on a single BIG-IP appliance or VIPRION chassis.

---

662881-2 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.

---

662850-2 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349

---

662844 : TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.

Solution Article: K87735013

Component: Service Provider

Symptoms:
Mirroring for Diameter MRF was not implemented in v12.x.x. However, there is a option that allows the user to enable it. When enabled, tmm crashes.

Conditions:
-- Connection mirroring is enabled for Diameter MRF virtual server's router profile.
-- Using v12.x.x.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Note: Mirroring for Diameter MRF was implemented in v13.0.0. The presence of the option to enable the unimplemented functionality is erroneous.

Workaround:
Do not enable Diameter MRF router profile's connection mirroring setting for v12.x.x.

Fix:
Diameter MRF mirroring for Diameter MR has been implemented beginning with v13.0.0. Enabling this option in v12.x.x results in a tmm crash.

---

662816-2 : Monitor node log fd leak for certain monitor types

Solution Article: K61902543

Component: Local Traffic Manager

Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.

Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.

This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.

The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open

Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.

File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon does not leak file descriptors for monitor node logs when certain types of LTM health monitors are configured with node logging enabled and the monitor is then removed from the LTM node, pool, or pool member configuration.

---

662663-6 : Decryption failure Nitrox platforms in vCMP mode

Solution Article: K52521791

---

662639-2 : Policy Sync fails when policy object include FIPS key

Component: Access Policy Manager

Symptoms:
Policy sync failed with a vague error:

err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...

Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
   + Create FIPS key and certificate:
     1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
     2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
   + Create a rewrite profile:
     1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
     2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
   + Create an access profile.
   + Create a virtual server and attach the access profile and rewrite profile to it.
     (Note: You must also include other dependent settings, such as a connectivity profile.)
3. Start a policy sync from the device.

Impact:
Feature failure for specific configurations.

Workaround:
None.

Fix:
Now APM policy sync succeeds even when policy includes FIPS key.

---

662372-1 : Uploading a new device certificate file via the GUI might not update the device certificate

Solution Article: K41250179

Component: TMOS

Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.

Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.

Impact:
The device certificate is not updated and no error is shown.

Workaround:
Use the 'Paste Text' option to import the certificate.

---

662364-2 : MRF DIAMETER: IP ToS not passing through with DIAMETER

Component: Service Provider

Symptoms:
IP layer's ToS is not passing through MRF Diameter.

Conditions:
-- The IP ToS bit is received in the clientside connection.
-- ip-tos-to-client is set as pass-through.

Impact:
The ToS from the client does not reach the server.

Workaround:
Use an iRule to preserve the ToS from the client and set it to serverside's connection.

Fix:
The ToS bit that arrives from the clientside connection is able to pass-through with Diameter MRF.

---

662331-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.

---

662308-1 : BD core

Component: Application Security Manager

Symptoms:
BD process crashes and produces a core file; traffic disturbance.

Conditions:
BD threads access the data structure, and in a rare circumstance, one thread touches while the other is processing data.

Note: This issue very timing sensitive to occur so it is unlikely to occur in normal operating conditions.

Impact:
Memory corruption on one of the internal data structures. Traffic disrupted while bd restarts.

Workaround:
None.

Fix:
Fixed a bd crash related to internal CPU stats.

---

662281-2 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups

---

662085-1 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages

Component: Local Traffic Manager

Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.

Conditions:
Installing large Node.js packages using the TMUI.

Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.

Workaround:
None.

Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.

Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.

---

662078-1 : Occasionally connections are dropped in response to timing errors

Component: Local Traffic Manager

Symptoms:
Occasionally connections are dropped and the following message is posted, even when TPS is set to UNLIMITED: SSL transaction (TPS) rate limit reached.

Conditions:
-- SSL traffic is received.
-- A certain timing condition is encountered.

Impact:
Connection is dropped. This is an occasional, timing-related issue.

Workaround:
There is no workaround at this time.

Fix:
Timing error no longer occurs when SSL traffic is received, so connections are not dropped.

---

662022-5 : The URI normalization functionality within the TMM may mishandle some malformed URIs.

Solution Article: K34514540

---

661881-2 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Solution Article: K00030614

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.

Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.

---

661828-1 : TMM may consume excessive resources when processing SSL traffic

Solution Article: K55101404

---

661764-2 : It is possible to configure a number of CPUs that exceeds the licensed throughput

Solution Article: K53762147

Component: TMOS

Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.

Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.

Impact:
Depending on the operations performed, it is possible for tmm to core.

Workaround:
None, other than configuring only the available number of CPUs.

Fix:
The system now detects when a configuration invalid for the license is in use and fails gracefully, presenting an error message explaining the failure.

---

660913-1 : For ActiveSync client type, browscap info provided is incorrect.★

Component: Access Policy Manager

Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.

Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.

Impact:
ActiveSync "Client UI" expression will fail and a wrong branch will be selected. As a result Clients using ActiveSync may not be authenticated.

Workaround:
In the VPE change the ActiveSync "Client UI" expression to:

expr { [mcget {session.server.landinguri}] starts_with "/Microsoft-Server-ActiveSync" || [mcget {session.ui.mode}] == 8 }

Fix:
Session variable session.client.browscap_info is now set correctly.

---

660760-1 : DNS graphs fail to display in the GUI

Solution Article: K75105750

Component: TMOS

Symptoms:
Can no longer view the DNS graphs in the GUI after upgrading from an earlier release. The system reports the following error in the GUI when visiting GUI Statistic :: Performance :: DNS: Error trying to access the database.

Conditions:
This occurs when the BIG-IP system is licensed for the GTM module (mod_gtm) instead of the DNS module (mod_dnsgtm). This might occur in the case where the system is upgraded from an earlier release such as v10.2.4 (where the module was GTM) to a later release such as v12.1.1 (where the module is DNS).

Impact:
Accessing the DNS graphs in the GUI fails.

Workaround:
None.

Fix:
The DNS graphs are now created in the GUI when the system is licensed for the GTM module (mod_gtm) or for the DNS module (mod_dnsgtm).

---

660711-1 : MCPd might crash when user trying to import a access policy

Solution Article: K05265457

Component: Access Policy Manager

Symptoms:
MCPd restarts during importing an access policy; other daemon might also restart because of MCPd restart.

Conditions:
-- An access policy uses the same agent more than once.
-- Importing that access policy.
-- You do not use GUI/VPE to manage access policy, but directly modify the config file in exported access policy.

Impact:
MCPd and some other daemons restart. GUI unresponsive until daemons restart.

Workaround:
Always use the GUI/VPE to manage access policies; do not modify the config file for an exported access policy.

Fix:
MCP now applies appropriate validation to avoid importing invalid access policies.

---

660532-2 : Cannot specify the event parameter for redirects on the policy rule screen.

Solution Article: K21050223

Component: TMOS

Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.

System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.

Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.

Impact:
Cannot specify the event parameter.

Workaround:
None.

Fix:
This release has an option for choosing event for redirect action.

---

660327-2 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

Component: Application Security Manager

Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.

In the case of a single logging profile with local-plus-remote ASM enabled on it, upon an upgrade, the logging profile is split into two profiles. One has the '_local' extension added to it. Another attempt to load the config of the pre-upgrade system will fail. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.

Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.

And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (Use roll-forward upgrade, or instead use clean install and afterwards load the saved config file).

Impact:
Config load fails. Upgrade fails.

Workaround:
Use one of the following Workarounds:
1.
Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all

(Note: Saving the UCS also saves the configuration.)

2.
Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'

---

660263-4 : DNS transparent cache message and RR set activity counters not incrementing

Component: Global Traffic Manager (DNS)

Symptoms:
The message and Resource Record (RR) set counters for transparent caches do not increment to reflect traffic.

Conditions:
The cache is of type transparent.
-- Viewing statistics counters.

Impact:
The statistics counters stay zero.

Workaround:
There is no workaround.

Fix:
The system now enables the code that increments these counters for transparent caches similar to other type caches.

---

660239-3 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see such errors in the http error logs

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.

---

660187-3 : TMM core after intra-chassis failover for some instances of subscriber creation

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The high availability (HA) configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Verify the validity of the AVPs before copying the attributes

---

660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Solution Article: K28505910

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured, and the VLAN failsafe timeout is 3/4 expired, tmm wants to generate ICMP traffic to evoke a network response. When this occurs, the system might experience a crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To allow for VLAN failsafe to be updated for any frame, run the following command with VLAN failsafe enabled, run the following command:
 tmsh modify failover.vlanfailsafe.resettimeronanyframe enable

This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
Generating ICMP traffic from TMM is no longer exposed to a potential crash in an invalid configuration or a completely quiet network, when generating ICMP traffic to provoke a network response on an expiring timer of VLAN failsafe, assuming the following configuration:

- VLAN failsafe is configured.
- VLAN failsafe expired 3/4 of the configured timeout (e.g., 67.5 seconds of 90 seconds ).

---

659969-1 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.

---

659912-1 : GSLB Pool Member Manage page display issues and error message

Solution Article: K81210772

Component: Global Traffic Manager (DNS)

Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.

Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.

Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.

Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.

Impact:
Degraded usability.

Workaround:
Use TMSH to add a static-target and to edit pool members.

Fix:
Fixed issue with the edit button and issue that prevented adding as a static-target a GSLB pool member that was not part of the GTM config. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.

---

659899-1 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.

---

659791-2 : TFO and TLP could produce a core file under specific circumstances

Solution Article: K81137982

---

659709-1 : Mirroring persistence records may cause a TMM memory leak

Component: Local Traffic Manager

Symptoms:
Mirroring persistence records may cause a Traffic Management Microkernel (TMM) memory leak.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The tmsh show /sys memory command indicates that TMM memory usage increases over time.
-- The TMM process generates a core file to the /shared/core directory.
-- The BIG-IP system generates a SIGSEGV fault message in the /var/log/tmm log file.

Conditions:
-- Mirroring enabled on virtual server and/or persistence profile.
-- Persistence used.
-- Another error condition exists, such as high availability (HA) channel down or no mirroring address configured.

Impact:
Traffic is disrupted while the TMM process produces a core file and restarts. Systems configured as part of a HA device group may fail over to a peer device.

Workaround:
To work around this issue, you can disable the Mirror Persistence option for the persistence profiles or make sure the mirroring channel is properly configured and operational. For information about troubleshooting the mirroring channel, refer to K54622241: Troubleshooting connection mirroring :: https://support.f5.com/csp/article/K54622241.

Fix:
When HA mirroring is re-established, persist records will now be freed

---

659648-2 : LTM Policy rule name migration doesn't properly handle whitespace

Component: Local Traffic Manager

Symptoms:
LTM Policy validation does not allow rule names to begin or end with whitespace characters. When migrating configuration to the next version, the migration process attempts to trim off any leading and trailing whitespace. However, this process does not handle leading and trailing whitespace when such characters occur within a double quoted string.

Conditions:
LTM policy with a rule name that contains leading and/or trailing whitespace characters. These will typically occur within a double-quoted string. Here is an example that one might find in bigip.conf:

ltm policy example1 {
    rules {
        " leading and trailing spaces " {
            ...
        }
        ...
    }

Impact:
Policy rules are migrated incorrectly, then fail validation because there of remaining leading and/or trailing whitespace characters.

Workaround:
Prior to migration, LTM Policy rule name can be renamed to remove leading and trailing whitespace. After a failed migration, bigip.conf can be manually edited to remove offending characters and then the configuration can be manually loaded.

Fix:
LTM Policy migration properly handles whitespace in rule names in a quoted string.

---

659567-1 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions

Solution Article: K94685557

Component: Policy Enforcement Manager

Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.

Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.

Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.

Workaround:
None.

Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.

---

659519-1 : Non-default header-table-size setting on HTTP2 profiles may cause issues

Solution Article: K42400554

Component: Local Traffic Manager

Symptoms:
HTTP2 connection sent RST_STREAM due to protocol error in response to headers frame.

Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.

Impact:
Periodic HTTP2 connection failure to the virtual.

Workaround:
Restore the default header-table-size setting for the HTTP2 profile.

---

659371-2 : apmd crashes executing iRule policy evaluate

Solution Article: K54310201

Component: Access Policy Manager

Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.

Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.

Impact:
apmd crashes and restarts, preventing end users from logging in.

Workaround:
NOne.

Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.

---

659173-1 : Diameter Message Length Limit Changed from 1024 to 4096 Bytes

Solution Article: K76352741

Component: Service Provider

Symptoms:
Diameter messages longer than 1024 might cause core dumps.

Conditions:
Using Diameter messages longer than 1024.

Impact:
Diameter MRF virtual servers.

Workaround:
Make sure messages are less than 1024 bytes.

Fix:
Messages of 4096 or fewer bytes now pass, and longer messages no longer cause core dumps.

---

659057-1 : BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD

Component: TMOS

Symptoms:
The LCD on BIG-IP iSeries appliances must detect whether the system is in IPv4 or IPv6 context before retrieving the gateway from the Host via REST. If two gateways are configured (IPv4 and IPv6) only whichever is first in the list is returned via REST and will be set on the Host.

Conditions:
If two gateways are configured (IPv4 and IPv6).

Impact:
Incorrect gateway retrieval can create bad configs which would impact traffic resulting in failed ping attempts, destination unreachable errors, request timeouts, etc.

Workaround:
No workaround at this time.

Fix:
LCD code now retrieves the correct gateway when switching between IPV4 and IPV6 context.

---

658989-2 : Memory leak when connection terminates in iRule process

Component: Local Traffic Manager

Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.

Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.

Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid suspend/park commands in iRule processing.

Fix:
Memory no longer leaks when connection is aborted/terminated when iRule processing is suspended.

---

658852-5 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from APM client on Microsoft Windows. Having empty User-Agent headers is not in RFC compliance and forces some firewall to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.

Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.

---

658664-3 : VPN connection drops when 'prohibit routing table change' is enabled

Solution Article: K21390304

Component: Access Policy Manager

Symptoms:
When there is a brief network outage and 'prohibit routing table change' is enabled, VPN gets disconnected and no further attempts are made to re-establish the VPN connection.

Conditions:
-- A brief network outage occurs.
-- The 'prohibit routing table change' option is enabled.

Impact:
APM end users must click 'Connect' and re-authenticate in order to re-establish the VPN connection.

Workaround:
To re-establish the VPN connection, click 'Connect' and re-authenticate.

Fix:
Now the Windows Edge Client VPN connection stays active during a brief network outage, regardless of the state of the 'prohibit routing table changes' option.

---

658636-2 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Solution Article: K51355172

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct,

Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.

Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.

---

658574-2 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.

Solution Article: K61847644

Component: TMOS

Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.

Warning: disabling auto-lasthop is not enough when they want BIG-IP to use updated destination MAC address.

Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.

Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.

Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.

---

658557-2 : The snmpd daemon may leak memory when processing requests.

Solution Article: K35209601

---

658417-1 : REST: Failure to authenticate/renew user who is using expired password

Component: Device Management

Symptoms:
1. Authentication failed for REST user, instead of prompt to renew the password.
2. Authentication is down briefly.

Conditions:
1. REST API is used.
2. User password is expired.

Impact:
1. Core log is dumped.
2. Authentication is down briefly.

Workaround:
There is no workaround at this time.

Fix:
Request to /mgmt/shared/authn/login with a user with an expired password returns a 401 and a response asking the user to change their password using basic auth.

---

658382-1 : Large numbers of ERR_UNKNOWN appearing in the logs

Component: Local Traffic Manager

Symptoms:
There are times when LTM Policy subsystem attempts to execute particular actions, which fail and result in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.

Conditions:
This has been observed when plugins are active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN.

Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.

Workaround:
None

---

658343-2 : AVR tcp-analytics: per-host RTT average may show incorrect values

Solution Article: K33043439

Component: Application Visibility and Reporting

Symptoms:
When viewing the Statistics :: Analytics :: TCP :: RTT, then selecting (in the table below the graph), View By: "Remote Host IP Address", the values presented RTT Avg (ms) may be incorrect (they could even be larger than the RTT Max column).

As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.

Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.

Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.

Workaround:
None.

Fix:
The rtt_count, rtt_max, rtt_avg, rtt_sum metrics after day aggregation and week aggregations are now correct in the day, week, month reports. The rtt_sum is now aggregated with correct value (exceed max int), as expected.

---

658321-2 : Websafe features might break in IE8

Component: Fraud Protection Services

Symptoms:
IE8 transform all custom HTTP headers names to lowercase
in case header name configured with upper-case characters, WebSafe feature might break.

Conditions:
custom HTTP header configured with upper case characters
client is IE8.

Impact:
FPS plugin will not find the header, as it received lower-case but configured with upper-case characters
as a result, WebSafe functionality is broken (functionality which involve the custom HTTP header, e.g. ajax username header)

Workaround:
Set custom HTTP header name to lower case only.

Fix:
FPS now performs case-insensitive matches for custom HTTP headers.

---

658298-3 : SMB monitor marks node down when file not specified

Component: TMOS

Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.

Conditions:
Pool member monitored with smb monitor.

Impact:
Service impact due to node being marked down.

Workaround:
Configure monitor to fetch file (authenticated).

---

658261-2 : TMM core after HA during GY reporting

Solution Article: K12253471

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting

Conditions:
-- Failover is triggered,
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.

Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.

Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.

Workaround:
None.

---

658214-2 : TCP connection fail intermittently for mirrored fastl4 virtual server

Solution Article: K20228504

Component: Local Traffic Manager

Symptoms:
In some cases, an active BIG-IP may fail to forward the SYN on the server-side when handling traffic for a mirrored FastL4 virtual after receiving a context ACK from the standby BIG-IP.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command:

tmsh modify sys db tm.fastl4_ack_mirror value disable

Fix:
In this release, mirrored FastL4 virtual servers now forward the SYN on the server-side after receiving the context-ack from the peer as expected.

---

658148-2 : TMM core after intra-chassis failover for some instances of subscriber creation

Solution Article: K23150504

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.

---

657912-1 : PIM can be configured to use a floating self IP address

Component: TMOS

Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.

Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.

Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.

Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.

Fix:
PIM can now send hello messages from a floating self IP address.

Behavior Change:
PIM can now send hello messages using a floating self IP address. Configure it in imish under the interface along with the PIM mode:

#imish
imish> enable
imish# configure terminal
imish(config)# interface external
imish(config-if)# ip pim use-floating-address

Upon failover, the previously active unit will send hellos from a non-floating self IP address, and the new active unit will begin sending hellos from the floating self IP address. No state is shared between the units; both will generate a new PIM generation ID, and the state of all multicast routes will be reset and need to reconverge.

---

657883-2 : tmm cache resolver should not cache response with TTL=0

Solution Article: K34442339

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.

Fix:
The system no longer caches ttl=0 response for tmm cache resolver. This is correct behavior.

---

657795-1 : Possible performance impact on some SSL connections

Solution Article: K51498984

Component: Local Traffic Manager

Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.

Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.

-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.

Impact:
Performance may be impacted on those SSL connections.

Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.

Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.

---

657713-5 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.

Solution Article: K05052273

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:

notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **

Conditions:
This issue occurs when either of the following conditions are met:
1.
-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- The gateway pool is configured with Action On Service Down = Reject or Action On Service Down = Drop.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- An outstanding DNS request that is pending response.
2.
-- Your BIG-IP system is not configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- All pools are configured with Action on Service Down = None.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
For the set of Conditions defined in the first scenario, you can use the following workaround:

Set service-down-action to Action On Service Down = None or Action On Service Down = Reselect.

There is no workaround for the issue described in the second scenario in Conditions.

Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.

---

657632-4 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash

Component: Policy Enforcement Manager

Symptoms:
If a subscriber delete is performed following a HA switchover, tmm may coredump. The probability of this scenario is rare, where a subscriber may have been freed during switchover and a subsequent forced delete command quickly follows.

Conditions:
-- A subscriber delete command followed by a HA switchover.
-- During the switchover, the subscriber was freed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now removes the subscriber index from the table if present in these cases.

---

657626-2 : User with role 'Manager' cannot delete/publish LTM policy.

Component: Local Traffic Manager

Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.

audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.

Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.

Impact:
Operation does not complete, and system posts error.

Workaround:
None.

---

657502-2 : JS error when leaving page opened for several minutes

Component: Fraud Protection Services

Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore anti-debug module acts as if someone is trying to debug JS code.

Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.

Impact:
Errors in console and JS logic is incorrectly executed.

Workaround:
Identify hidden tab and pause anti-debug functionality.

Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.

---

657463-2 : SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.

Component: Local Traffic Manager

Symptoms:
SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.

Conditions:
SSL sends HUDEVT_SENT to TCP in wrong state.

Impact:
Then HTTP disconnects the handshake

Fix:
Don't allow SSL send HUDEVT_SENT event in the wrong state.

---

656912-4 : Various NTP vulnerabilities

Solution Article: K32262483

---

656900-1 : Blade family migration may fail

Component: TMOS

Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.

Conditions:
All such blade upgrades.

Impact:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

---

656898-2 : 'oops' 'bad transition' messages occur

Component: Local Traffic Manager

Symptoms:
The /var/log/ltm log shows many 'oops' 'bad transition' messages.

Conditions:
These messages occur due to internal invariant violations on full proxy TCP virtual servers. Ramcache or SSL on these virtual servers are likely causes. There may be yet unknown causes.

Impact:
Connections encountering these errors are aborted.

Workaround:
The excess logging may be stopped by setting the DB variable tmm.oops to 'silent'.

Although these errors are not reported, connections are still aborted.

Fix:
The conditions under which this error occurred have been resolved.

---

656784-2 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Solution Article: K98510679

Component: Access Policy Manager

Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.

Windows 10 Version 1703 RDP client is using Negotiate HTTP authentication scheme, while APM requires NTLM scheme for RD Gateway.

Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Impact:
Remote desktop client is not able to authenticate and connect to the desktop.

Workaround:
Use either of the following workarounds:

-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.

-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }

    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]

    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    if {!$is_rdg_request || !$is_nego_auth} { return; }

    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}

Fix:
After upgrading to Windows 10 Creators Update (version 1703), the RDP client can still authenticate and connect via APM used as RD Gateway.

---

655807-5 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Solution Article: K40341291

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.

Fix:
Corrected a calculation error for QoS score involving packet rate.

---

655793-1 : SSL persistence parsing issues due to SSL / TCP boundary mismatch

Solution Article: K04178391

Component: Local Traffic Manager

Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.

So, any SSL record spanning over multiple TCP segments (in this case it's ServerHello, Certificate, and ServerHelloDone) triggers the issue with the SSID error RST cause.

This can also result from a message size exceeding the maximum configured size (default is 32K).

Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).

Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.

The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.

Workaround:
Disable SSL persistence.

Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.

---

655724-3 : MSRDP persistence does not work across route domains.

Solution Article: K15695

Component: Local Traffic Manager

Symptoms:
MSRDP persistence doesn't work with non-default route domains.

Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.

Impact:
MSRDP persistence does not work.

Workaround:
Implement MSRDP persistence using iRules.

Fix:
MSRDP persistence with non-default route domains works correctly now.

---

655671-1 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced

Component: TMOS

Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.

Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.

Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.

Workaround:
None. Typically, the issue resolves itself.

Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.

---

655649-2 : BGP last update timer incorrectly resets to 0

Solution Article: K88627152

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
               [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
               [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
               [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.

Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.

Workaround:
None.

Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.

---

655628-1 : TCP analytics does not release resources under specific sequence of packets

Component: Local Traffic Manager

Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.

Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.

Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.

Workaround:
Turn off collecting TCP analytics data for the virtual server.

Fix:
TCP analytics now releases resources properly.

---

655617-1 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge

Solution Article: K36442669

Component: Application Security Manager

Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, browser gets TCP RST and will not be able to pass client-side challenge. The system posts the following error in tmm log: failed parsing header 3.

Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.

Impact:
Browser cannot access the site.

Workaround:
Turn off persistent client identification.

Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.

---

655500 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH session be rekeyed at least every hour

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.

Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.

---

655470 : IP Intelligence logging publisher removal can cause tmm crash

Solution Article: K79924625

Component: Advanced Firewall Manager

Symptoms:
TMM restart immediately after removing global ip-intelligence logging publisher.

Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }

Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.

Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.

Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.

Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.

---

655445-2 : Provide the ability to globally specifiy a DSCP value.

Component: Global Traffic Manager (DNS)

Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.

Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.

Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.

Workaround:
None.

Fix:
Setting the new db variable tm.egressdscp to a value other than the default value of 0, results in the system setting the DSCP value for outgoing traffic to the configured value.

---

655432-7 : SSL renegotiation failed intermittently with AES-GCM cipher

Solution Article: K85522235

Component: Local Traffic Manager

Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate client using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.

Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.

---

655364-1 : Portal access rewriting window.opener causes JS exception

Component: Access Policy Manager

Symptoms:
Portal access engine rewriting window.opener causes JavaScript exception error.

Conditions:
When rewriting window.opener.

Impact:
JavaScript exception error generated.

Workaround:
None.

Fix:
The rewriting window.opener operation now completes with Message 'null', which is correct behavior. No JavaScript exception error is generated.

---

655357-2 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Solution Article: K06245820

Component: TMOS

Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.

This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.

Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.

To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.

-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.

-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.

-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.

---

655314 : When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★

Component: TMOS

Symptoms:
The platform-migrate option to the UCS load command is supposed to reject UCS archives generated on BIG-IP software v10.x. It does this; however, the hostname of the BIG-IP system changes to the one in the UCS.

Conditions:
You are trying to do a platform-migrate load to 12.1.2 or 13.0.0 of a UCS originating on a system running v10.x.

Impact:
The hostname is changed, but no other configuration is modified.

Workaround:
Set the hostname back to its old value.

Fix:
The hostname is now left unmodified.

---

655233-1 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.

---

655211-1 : bigd crash (SIGSEGV) when running FQDN node monitors

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.

Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.

---

655159-1 : Wrong XML profile name Request Log details for XML violation

Solution Article: K84550544

Component: Application Security Manager

Symptoms:
After system upgrade, Request Log details for XML violation show XML profile name as 'N/A'.

Conditions:
System upgrade.
Request Log details for XML violation.

Impact:
System upgrade does not synchronize properly between policy and already existing XML profiles. System functions properly on existing XML profiles, but violation report reference to the XML profile is wrong.

Workaround:
No workaround for already existing violation records.

For new violation reports, run apply policy.

Fix:
The system now uses the correct XML profile name in the Request Log details for XML violation.

---

655146-2 : APM Profile access stats are not updated correctly

Component: Access Policy Manager

Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:

err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)

Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.

Impact:
APM profile access stats are not accurate.

Workaround:
None.

Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.

---

655085-2 : While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors

Component: TMOS

Symptoms:
Message of the form

"notice sod[nnnn]: 010c006e:5: All devices in traffic group traffic-group-1(1 of 2) should have a HA group."

is logged on peer devices when a Viprion chassis is being rebooted.

Conditions:
Multiple Viprion chassis are configured in a sync-failover device group, using HA Group scores.

Impact:
Log message indicates a configuration error that does not exist.

Workaround:
If these messages occur during a peer reboot, they should be ignored.

Fix:
Viprion chassis does not report HA Group configuration errors during peer reboot.

---

655059-3 : TMM Crash

Solution Article: K37404773

---

655021-2 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445

---

655005-1 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync

Solution Article: K23355841

Component: TMOS

Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.

Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.

Impact:
Peers in a Device Group will get out of sync.

Workaround:
Use a full sync instead.

Fix:
The "Inherit traffic group from current partition / path" virtual-address setting is now synchronized during an incremental sync.

---

654996-1 : Closed connections remains in memory

Solution Article: K50345236

Component: Application Security Manager

Symptoms:
A connection remains open, which results in memory leaks in the tmm for the connections.
The following command shows connections on traffic that was already closed: tmsh show sys conn.

Conditions:
A ASM_RESPONSE_VIOLATION iRule on the ASM-enabled virtual server.
A request with connection: close.

Impact:
Memory increase due to connections left open.

Incoming connections to the virtual server may fail and result in the BIG-IP sending a reset with a reset cause of "TCP closed".

Workaround:
If possible, remove this event from the iRule and/or add the OneConnect profile to the virtual server.

---

654925-1 : Memory Leak in ASM Sync Listener Process

Solution Article: K25952033

Component: Application Security Manager

Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).

Conditions:
-- asm-sync is enabled on an auto-sync Device Group.

-- Errors occur during attempts to sync, either due to full disk or in response to one or more of the following uses in GUI or REST API:
 + Creating/importing/deleting policies.
 + Accepting many suggestions at once.
 + Adjusting Policy Building Settings.

Impact:
RAM is increasing consumed leading to swap usage until the device reaches a panic state.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
Hard limits for memory size are now enforced for ASM processes. The sync listener process now shuts down and restarts after an hour of failed repeated attempts to synchronize the device group state.

---

654873-2 : ASM Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.

Conditions:
A mix of the following uses in GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.

Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.

Workaround:
Use manual sync groups for ASM sync.

Fix:
Communication for auto-sync groups repaired.

---

654599-1 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.

---

654549-1 : PVA support for uncommon protocols DoS vector

Component: TMOS

Symptoms:
A new HSB bitstream for VIPRION B4450 blades is needed to support IP uncommon protocols for DoS Vector.

Conditions:
Using the B4450 blade.

Impact:
No support for IP uncommon protocols for DoS Vector.

Workaround:
None.

Fix:
HSB v3.2.13.0 bitsteam for VIPRION B4450 blades now provides support for IP uncommon protocols for DoS Vector.

Behavior Change:
This bitstream now supports IP uncommon protocols for DoS Vector. Any number of protocols with values between 0-255 can be simultaneously enabled.

---

654513-6 : APM daemon crashes when the LDAP query agent returns empty in its search results.

Solution Article: K11003951

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.

Impact:
APM daemon crashes, need to restart RBA and WebSSO. This is a very rarely encountered issue.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.

Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.

---

654508-2 : SharePoint MS-OFBA browser window displays Javascript errors

Component: Access Policy Manager

Symptoms:
SharePoint MS-OFBA browser window displays Javascript errors while doing authentication.

Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.

Impact:
JavaScript errors shown on the MS-OFBA browser window

Workaround:
None.

Fix:
Now the SharePoint MS-OFBA browser window no longer displays Javascript errors while doing authentication from Microsoft applications.

---

654368-7 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require

Solution Article: K15732489

Component: Local Traffic Manager

Symptoms:
Error is not reported if the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by trusted CAs, if the CRL issuer has the same subject name as one of the certs in trusted CA.

Conditions:
This occurs when associating CRLs with virtual servers.

Impact:
Error is not reported for invalid CRL.

Workaround:
OpenSSL command can be used to check if the CRL is signed by trusted CA.

The command to verify CRL against a CA file is as follows:
openssl crl -CAfile <path to the CA certificate bundle/file> -noout -in <path to CRL file>

Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.

---

654109-2 : Configuration loading may fail when iRules calling procs in other iRules are deleted

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Loading of the configuration fail with a message indicating a previously deleted iRule cannot be found:

 01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).

Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.

---

654086-3 : Incorrect handling of HTTP2 data frames larger than minimal frame size

Component: Local Traffic Manager

Symptoms:
HTTP2 can vary frame size between 16K bytes (included) and 16 Mbytes (not included).

When a client sends a data frame spawning more than one TCP segment, the BIG-IP system incorrectly decrements the frame size twice from the receive window.

If the proxy flow control is disabled, this just creates an additional window update frame. If the proxy is in flow control, this causes a flow control error.

Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a data frame larger than 16384 bytes, violating RFC. Note: The receiving maximum frame size of the BIG-IP is permanently set at 16384 bytes.

Impact:
HTTP2 resets the stream with FLOW_CONTROL_ERROR.

Workaround:
There is no workaround at this time.

Fix:
When a client sends HTTP2 a data frame exceeding a negotiated maximum frame size, the BIG-IP system correctly resets the stream.

---

654046-1 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.

Solution Article: K22121533

Component: Access Policy Manager

Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests with the use of inclusive namespaces, a BIG-IP system used as SAML IdP may fail to process such requests. User's SSO will fail with following errors contained in /var/log/tmm:

err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication

Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.

Impact:
Users are unable to perform SAML SSO with certain external service providers.

Workaround:
None.

Fix:
Now BIG-IP APM as IdP SAML canonicalized authentication requests containing inclusive namespaces can be processed successfully.

---

654011-2 : Pool member's health monitors set to Member Specific does not display the active monitors

Solution Article: K33210520

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.

Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.

---

653993-3 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607

---

653976-2 : SSL handshake fails if server certificate contains multiple CommonNames

Solution Article: K00610259

Component: Local Traffic Manager

Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.

Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).

Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.

Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.

The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.

---

653930-2 : Monitor with description containing backslash may fail to load.

Solution Article: K69713140

Component: Local Traffic Manager

Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.

Conditions:
Monitor with description containing backslash.

Impact:
Configuration changes without human intervention. Potential load failure.

Workaround:
Don't use backslashes in monitor descriptions.

---

653895 : Admin user cannot edit policy

Component: Application Security Manager

Symptoms:
While logged into the active device, you are unable to edit a policy. The Save and Reconfigure buttons are grayed out. The standby device allows you to edit the policy and you can deploy the change to the active device, but you occasionally can't edit it from the active device.

Conditions:
It is not known what triggers this intermittent problem.

Impact:
Admin users are unable to edit a policy on the active device.

Workaround:
You can edit the policy on the standby device and deploy it to the active device.

---

653888-2 : BGP advertisement-interval attribute ignored in peer group configuration

Component: TMOS

Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.

Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value

Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.

Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.

Fix:
BGP advertisement-interval attribute is no longer ignored in peer group configuration

---

653880 : Kernel Vulnerability: CVE-2017-6214

Solution Article: K81211720

---

653775-3 : Ampersand (&) in GTM synchronization group name causes synchronization failure.

Solution Article: K05397641

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.

Conditions:
A GTM synchronization group name with an ampersand (&) in the name.

Impact:
GTM sync groups does not synchronize.

Workaround:
Remove ampersand from sync group name.

Fix:
Fixed issue that prevented GTM sync groups with an ampersand (&) in the GTM synchronization-group-name from syncing.

---

653772-2 : fastL4 fails to evict flows from the ePVA

Component: TMOS

Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.

Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.

Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.

Workaround:
Disable HW acceleration.

Fix:
There are now no unknown accelerated flows.

Behavior Change:
The default behavior is to ignore unknown HW accelerated flows (connections). This change will proactively evict unknown HW accelerated flows from the HW (ePVA).

---

653771-2 : tmm crash after per-request policy error

Component: Access Policy Manager

Symptoms:
TMM core is seen when reject ending in per-request policy encounters error.

Conditions:
The conditions which trigger this are unknown at this time, it was seen once on a per-request policy error.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores when reject ending encounters error in per-request policy

---

653759-2 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★

Component: TMOS

Symptoms:
Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:

#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0

This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0

Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.

Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.

Workaround:
There is no workaround at this time.

Fix:
Chassis Variant number is printed out as expected in the log file.

---

653746-2 : Unable to display detailed CPU graphs if the number of CPU is too large

Solution Article: K83324551

Component: Local Traffic Manager

Symptoms:
Cannot display detail CPU graph. Go to Statistics :: Performance. Click 'View Detail Graph' under System CPU usage. Graph cannot display. System posts the message: Error trying to access the database.

Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.

Impact:
Administrator is unable to view the detail CPU graphs.

Workaround:
None.

Fix:
The GUI can now display detailed CPU graphs for 1024 cores with the default of 4 lines per graph.

---

653729-2 : Support IP Uncommon Protocol

Component: Advanced Firewall Manager

Symptoms:
A BIG-IP system can have CPU usage be non-uniformly distributed across the datapath (tmm) threads, such that the overall CPU usage is low, but individual datapath threads may show high usage of a subset of the CPUs on the system. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.

Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.

Impact:
The packets are eventually dropped but may drive a subset of the CPUs in the system to very high usage. As CPU increases, potentially reaching 100%, then the BIG-IP system will start dropping packets and the system might eventually fail.

Workaround:
None.

Fix:
The system now supports packets that have uncommon IP protocols.

Behavior Change:
This change adds the capability of specifying various IP protocols as 'uncommon' protocols. Using this list of uncommon protocols can have the system mitigate an attack from uncommon protocols.

To do so, perform the following procedure:
1. Set the sys db tunable dos.uncommon.replace.illegal to true (it is false by default).
2. Set the 8 sys db tunables dos.uncommon.protocols[0-7] to specify which protocols should be considered uncommon (by default all protocols except TCP/UDP/ICMPv4/ICMPv6/SCTP - bits 1/6/17/58/132 are uncommon).
- dos.uncommon.protocols0 represents bits 31:0 of a 256-bit vector
- dos.uncommon.protocols1 represents bits 63:32 of a 256-bit vector
- dos.uncommon.protocols2 represents bits 95:64 of a 256-bit vector
- dos.uncommon.protocols3 represents bits 127:96 of a 256-bit vector
- dos.uncommon.protocols4 represents bits 159:128 of a 256-bit vector
- dos.uncommon.protocols5 represents bits 191:160 of a 256-bit vector
- dos.uncommon.protocols6 represents bits 223:192 of a 256-bit vector
- dos.uncommon.protocols7 represents bits 255:224 of a 256-bit vector

Setting the specific bit to '1' means that the specified protocol is considered 'uncommon', and setting the specific bit to '0' means that the specified protocol is not considered 'uncommon'.

Then the DoS vector IP Unknown Protocol can be used to mitigate an attack from the above-specified 'Uncommon Protocols'.

---

653511-2 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve

Component: Local Traffic Manager

Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.

Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".

Impact:
Service interruption due to intermittent connection failures.

Workaround:
None.

Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.

---

653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by a L2 issue in the Broadcom Trident2+ switch B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
Resolved an issue on Broadcom Trident2+ switch B4450 blades use in which ARP replies reached the front panel port, but failed to reach TMMs.

Behavior Change:
A new BigDB variable is added to control in which mode the l2xmsg module in Broadcom SDK should run.

bcm56xxd.l2xmsg.mode: poll/fifo (default)

The BIG-IP system used to always run l2xmsg module in poll mode. Now, the BIG-IP system will run l2xmsg mode in fifo by default.

---

653376-5 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including and attribute containing 32 or more extended communities.

Impact:
bgpd may crash causing the BGP peering to reset

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.

Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities

---

653324-3 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly

Solution Article: K87979026

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.

Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.

Fix:
On macOS Sierra (10.12), Edge client now shows the customized icon of size 48x48 pixels that is now scaled correctly.

---

653285-1 : PEM rule deletion with HSL reporting may cause tmm coredump

Component: Policy Enforcement Manager

Symptoms:
tmm coredump caused by deletion of a PEM policy rule with HSL reporting configured and passing active traffic. tmm crash.

Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.

Impact:
tmm coredump causes traffic disruption and restart of tmm.

Workaround:
None.

Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.

---

653234 : Many objects must be reconfigured before use when loading a UCS from another device.★

Component: TMOS

Symptoms:
Many objects are ignored by the platform-migrate option, and must be reconfigured before use when loading a UCS from another device.

Conditions:
UCS is being loaded from another device, using the platform-migrate option.

Impact:
Risk of configuration load failures.

Workaround:
None, other than reconfiguring for the destination device.

Fix:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

Behavior Change:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

---

653225-1 : coreutils security and bug fix update

Component: TMOS

Symptoms:
A race condition was found in the way su handled the management of child processes.

Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Workaround:
install latest hotfix

Fix:
fixed in coreutils-8.4-46.el6

---

653224-1 : Multiple GnuTLS Vulnerabilities

Solution Article: K59836191

---

653217-2 : Multiple Samba Vulnerabilities

Solution Article: K03644631

---

653201 : Update the default CA certificate bundle file to the latest version and remove expiring certificates from it

Component: Local Traffic Manager

Symptoms:
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be expired.

Conditions:
If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.

Impact:
When the built-in trusted certificates are obsolete, i.e., containing a certain number of expired certificates, the systems might fail to verify peers certificate correctly.

Workaround:
You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then 'bigstart restart tmm'

Alternatively, you can use a separate certificate, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt

Fix:
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.

---

653152-1 : Support RSASSA-PSS-SIGN in F5 crypto APIs.

Component: TMOS

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through v13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version of BIG-IP software from v11.6.0 through v13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
There is no workaround at this time.

Fix:
Validation of client certificates that are signed using the RSASSA-PSS signature algorithm now completes successfully.

---

653017-2 : Bot signatures cannot be created after upgrade with DoS profile in non-Common partition

Component: Application Security Manager

Symptoms:
Bot signatures cannot be created after roll-forward upgrade of configuration with only a DoS profile in non-Common partition.

Conditions:
A DoS profile in non-Common partition has Proactive Bot Defense enabled

Impact:
Bot signatures are not created.

Workaround:
Delete DoS Profile before upgrade, and re-create after upgrade is successful.

Alternatively, another DoS Profile can be created in /Common, even if unused.

---

653014-1 : Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name

Component: Application Security Manager

Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.

Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.

Impact:
Set Active fails

Workaround:
Use hyphens instead of underscores in the header name.

Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.

---

652973-2 : Coredump observed at system bootup time when many DHCP packets arrive

Component: Policy Enforcement Manager

Symptoms:
During system bootup, system coredump is observed when many DHCP packets arrive before system is fully ready and many flow entry creation failures are observed

Conditions:
-- BIG-IP DHCP proxy is in forwarding mode.
-- DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address.
-- DHCP packets arrive during system bootup and before system is fully ready (i.e., some VLANs, interfaces and routes are not fully up).

Impact:
System crash and coredump.

Workaround:
Make sure system has come up completely before sending DHCP packets to the system.

Fix:
Coredump no longer occurs under these conditions.

---

652968-2 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys

Solution Article: K88825548

Component: TMOS

Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 will fail to send a KE in the payload when PFS (perfect forward security) is used in config.

Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.

Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.

Impact:
PFS settings apply only to first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third party IPsec peer, negotiation will fail if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels will not fail.

Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.

Fix:
When phase1-perfect-forward-secrecy is configured with a value other than none, the BIG-IP will now perform PFS negotiation correctly. Now rekey with CREATE_CHILD_SA generates a new key using the same DH Group as the first exchange that creates the first SA.

Note: In the ipsec-policy configuration object, the ike-phase2-perfect-forward-secrecy option is relevant only to IKEv1 and has no influence on IKEv2 PFS rekeying.

---

652877-3 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.

Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.

---

652796-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
ECA may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
ECA NTLM functionality will not be accessible to the users.

Workaround:
If ECA functionality is not required - disable process by running 'bigstart stop eca'.


If ECA functionality is needed:

1. Stop eca by running "bigstart stop eca'.

2. Modify file '/etc/bigstart/scripts/eca' as follows:

a) Replace line:
 cpu_count=$(get_number_cpu)

with line:
 tmm_count=$(get_tmm_count)

b) Replace line:
 exec /usr/sbin/${service} -n ${cpu_count}

with line:
 exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start eca'.

Fix:
ECA no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

---

652792-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
urldb may be constantly restarting on a BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
URLDB functionality will not be accessible to the users.

Workaround:
If URLDB functionality is not required - disable process by running 'bigstart stop urldb'.


If urldb functionality is needed:

1. Stop urldb by running "bigstart stop urldb'.

2. Modify file '/etc/bigstart/scripts/urldb' as follows:

a) Replace line:
 cpu_count=$(get_number_cpu)

with line:
 tmm_count=$(get_tmm_count)

b) Replace line:
 exec /usr/sbin/${service} -n ${cpu_count}

with line:
 exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start urldb'.

Fix:
urldb no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

---

652691-1 : Installation fails if only .iso.384.sig (new format signature file) is present★

Component: TMOS

Symptoms:
Tab completion only will complete the names of ISO images that have an old style signature format ("BIG-IP-version-build.iso.sig"), not the new style ("BIG-IP-version-build.iso.384.sig"). Then, installation will fail even if you type out the full name.

Conditions:
This only happens when signature checking is enabled for ISO images. You can determine this by looking at the value of the DB variable "liveinstall.checksig".

Impact:
Tab completion will not show the ISO image, and even if you type out the full name, the installation will fail. An error message will appear in "show sys software status" and /var/log/liveinstall.log .

Workaround:
Put both types of signature file (.iso.sig and .iso.384.sig) on the device.

Fix:
Tab completion and installation will now work if the old signature file format (.iso.sig) is missing, and only the new signature format (.iso.384.sig) is present.

---

652689-2 : Displaying 100G interfaces

Solution Article: K14243280

Component: TMOS

Symptoms:
Interfaces' Active Media Type and Media Speed rows display none.

Conditions:
Having a server with 100G interfaces.

Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.

Workaround:
Use tmsh to see the affected interface.

Fix:
100G interfaces now display correctly.

---

652671-4 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

Solution Article: K31326690

Component: TMOS

Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.

Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.

Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.

Workaround:
Ensure that the provision.extramb value is the same on all units in the device cluster before performing a config sync.

Fix:
The provision.extramb and provision.tomcat.extramb DB keys no longer ConfigSync, which prevents TMM restarting on peer devices after a change is made to the management subsystem provisioning and then performing a ConfigSync.

Behavior Change:
The provision.extramb and provision.tomcat.extramb DB keys no longer ConfigSync between devices.

---

652638-2 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()

Solution Article: K23731034

---

652539 : Multiple Bash Vulnerabilities

Solution Article: K73705133

---

652535-1 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.

Solution Article: K54443700

Component: Local Traffic Manager

Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.

Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.

Impact:
HTTP/2 stream is reset.

Workaround:
None.

Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.

---

652516 : Multiple Linux Kernel Vulnerabilities

Solution Article: K31603170

---

652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.

Fix:
f5optics version information for all blades within a chsasis is displayed when the user issues tmsh show net f5optics from the primary blade.

---

652445-2 : SAN with uppercase names result in case-sensitive match or will not match

Solution Article: K87541959

Component: Local Traffic Manager

Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.

Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.

Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.

Workaround:
Use lowercase characters for SAN domain names in SSL certificates.

Fix:
SNI match is now case-insensitive.

---

652200-1 : Failure to update ASM enforcer about account change.

Solution Article: K81349220

Component: Application Security Manager

Symptoms:
There is an error updating BD with the following information:
Errors:
------------
  bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled

  ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
  ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------

Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.

Impact:
Traffic is blocked due to Unknown HTTP selector

Workaround:
Use one of the following Workaround:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.

Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).

---

652151-1 : Azure VE: Initialization improvement

Solution Article: K61757346

---

652094-2 : Improve traffic disaggregation for uncommon IP protocols

Solution Article: K49190243

Component: TMOS

Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.

Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.

Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.

Workaround:
None.

Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.

The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

---

652052-3 : PEM:sessions iRule made the order of parameters strict

Component: Policy Enforcement Manager

Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.

The system will report a validation error such as:

01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]

Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.

Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.

Workaround:
Change the order of the parameters.

---

652004-2 : Show /apm access-info all-properties causes memory leaks in tmm

Solution Article: K45320415

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.

Conditions:
when using show /apm access-info all-properties

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
The only workaround is not to use the mcp interface by tmm daemon, or to restart the tmms periodically after using the interface multiple times.

Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.

---

651910-2 : Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later

Component: Access Policy Manager

Symptoms:
You cannot change the 'Enable Access System Logs' and 'Enable URL Request Logs' properties via the GUI.

Conditions:
After upgrade from 12.x to 13.0.0 (where these new fields were added) or later.

Impact:
You cannot change 'Enable Access System Logs' and 'Enable URL Request Logs'.

Workaround:
Manually add the properties via tmsh. To do so, follow these steps (substituting your affected log setting for abc in the following example):

modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}

Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.

---

651901-2 : Removed unnecessary ASSERTs in MPTCP code

Component: Local Traffic Manager

Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.

Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.

Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
Replaced many ASSERTs with other mitigations that allow TMM to continue running.

---

651889-2 : persist record may be inconsistent after a virtual hit rate limit

Component: Local Traffic Manager

Symptoms:
persist record may be inconsistent after a virtual hit rate limit

Conditions:
A virtual with rate limit set.
persist is enabled.

Impact:
persist behavior will be impacted.

Workaround:
disable rate limit on virtual

Fix:
The problem is fixed.

---

651886-1 : Certain FIX messages are dropped

Component: Service Provider

Symptoms:
When a FIX message is received with a length, checksum, or message type field containing leading zeros, the message may be dropped.

Conditions:
This bug affects all FIX messages having a length (tag 9), checksum (tag 10) or message type (tag 35) field that contains at least one leading zero. Certain third-party FIX protocol implementations are known to insert leading zeros in these fields.

Impact:
FIX messages from these products cannot be processed by the FIX profile in BIG-IP.

Fix:
Valid Financial Information eXchange protocol messages are no longer rejected

---

651826-2 : SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Component: TMOS

Symptoms:
When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".

For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d

When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C

Conditions:
IKEv2 IPsec SAs are established or attempting to be established.

Impact:
Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.

Workaround:
Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.

Fix:
The correct SPI numbers are displayed when running the "tmsh show net ipsec ike-sa all-properties" command. Note that this command only shows IKEv2 SAs.

---

651772-3 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use an MAC and IPv6 source address from a different VLAN.

Conditions:
- Multiple VLANs with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
- Changes in routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.

This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.

This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific VLAN.

Fix:
IPv6 host traffic no longer use incorrect IPv6 and MAC address after route updates.

Behavior Change:
Introduction of sys db ipv6.host.router_probe_interval, to control sysctl net.ipv6.conf.default.router_probe_interval value. This value is default to 5s.

---

651681-4 : Orphaned bigd instances may exist (within multi-process bigd)

Component: Local Traffic Manager

Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may be exit; such as an orphaned 'bigd.1' alongside the active 'bigd.1'.

Conditions:
-- db variable Bigd.NumProcs to 2 or higher.
-- System monitors with long timeouts (such as ~183 seconds or longer), might also be relevant.

When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.

Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.

Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.

Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.

Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.

Fix:
Multi-process 'bigd' no longer produces orphaned (suspended) process instances.

---

651651-3 : bigd can crash when a DNS response does not match the expected value

Solution Article: K54604320

Component: Local Traffic Manager

Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.

Conditions:
Monitoring DNS server(s), or using FQDN.

Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.

Workaround:
No workaround at this time.

Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.

---

651640-3 : queue full dropped messages incorrectly counted as responses

Component: Service Provider

Symptoms:
negative number of active response messages reported on sipsession profile stats

Conditions:
If a request message is dropped because the sip filter's ingress message queue is full, the wrong stats is incremented

Impact:
Counting the dropped request messages as response messages causes the calculation of the accepted response messages to be incorrectly calculated, thus producing a negative value.

Fix:
correct stats fields are incremented

---

651541-2 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Solution Article: K83955631

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.

Fix:
Changing the HTTP profile now triggers validation of all virtual servers using that profile.

---

651476 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

Fix:
Known causes of the bug have been fixed.

---

651413-2 : tmsh list ltm node does not return an error when node does not exist

Solution Article: K34042229

Component: TMOS

Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.

Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.

Impact:
The command produces no output or error message. No indication of why there is no output, nor is there a description of the possible error condition.

Workaround:
None.

Fix:
TMSH now posts the appropriate, node-not-found error message when LTM nodes do not exist when running the command: tmsh list ltm node.

---

651362 : eventd crashes during boot

Component: TMOS

Symptoms:
eventd may crash during boot due to heap corruption.

Conditions:
This happens during subscription and unsubscription of events.

Impact:
eventd crashes.

Workaround:
None.

Fix:
Race condition has been resolved, so eventd no longer crashes.

---

651221-2 : Parsing certain URIs may cause the TMM to produce a core file.

Solution Article: K25033460

---

651155-1 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
The conditions under which this occurs are not known.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

Fix:
HSB no longer continually logs 'loopback ring 0 tx not active'.

---

651135-4 : LTM Policy error when rule names contain slash (/) character★

Solution Article: K41685444

Component: Local Traffic Manager

Symptoms:
Beginning with v12.0.0, there has been additional validation for LTM Policy rule names to allow only certain valid characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.

But because the slash character is used as a delimiter in the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name causes validation problems because the rule appears to the system as having additional path segments.

Conditions:
LTM Policy rule contains the slash (/) character.

Impact:
Configuration will not load.
Configuration may load, but admin GUI may not show policy rule.

Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.

For example, the following policy won't load because the rule name contains a slash (/) character:
   
    ltm policy mypolicy {
    ...
       rules {
          /testperson/a {
    ...
    }

But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
    ltm policy mypolicy {
    ...
       rules {
          _testperson_a {
    ...
    }

Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.

---

651106 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.

---

651001-1 : massive prints in tmm log: "could not find conf for profile crc"

Component: Application Security Manager

Symptoms:
Massive messages in tmm log:
"could not find conf for profile crc"

messages are shown while traffic is passing.

Conditions:
1. Have dos profile attached to vs. dos profile does not have dos application enabled.
2. Have ASM policy attached to VS with Web Scraping on/session hijacking/session awarness with DID collection/brute force with DID collection.

Impact:
Massive prints in tmm log that can cause tmm to abort. Traffic disrupted while tmm restarts.

Workaround:
Have DOS application enabled (even if doing nothing).

Fix:
disable prints.

---

650422-2 : TMM core after a switchover involving GY quota reporting

Component: Policy Enforcement Manager

Symptoms:
Core dump in the code path for async subscriber lookup causes core-dump.

Conditions:
This core happens in an intra-chassis HA configuration, if GY is configured & HA switchover is forced.

Impact:
An initial coredump (or HA switchover) forces multiple core dumps. Traffic disrupted while tmm restarts.

---

650349 : Creation or reconfiguration of iApps fails if high speed logging is configured

Solution Article: K50168519

Component: TMOS

Symptoms:
If logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps will fail. The following error will be reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.

If the iApp is being create or modified via iControl then the following message will be logged in /var/log/audit

-- notice icrd_child[19904]: 01420002:5: AUDIT - pid=19904 user=admin folder=/Common module=(tmos)# status=[The connection to mcpd has been lost, try again.] cmd_data=create sys application service /Common/group2-analytics { template /Common/group2-analytics variables add { statistics__pushinterval { value 120 } statistics__customcollection { value Yes } } lists add { statistics__customcollectionconfig { value { tmm_stat interface_stat cpu_info_stat disk_info_stat host_info_stat profile_dns_stat gtm_wideip_stat dns_cache_resolver_stat tmmdns_zone_stat rule_stat virtual_server_stat pool_member_stat } } } }

The import part of the message is the daemon, which is 'icrd_child', and the status, which is 'The connection to mcpd has been lost, try again.'

Conditions:
-- Logging is configured: filter, destination, and publisher where scriptd logs to a high speed logging target, which can occur if the there is a logging filter that has source of 'all' or 'scriptd'.
-- Attempting to create or reconfigure iApps.

Impact:
iApp creation or reconfiguration fails. Cannot create new iApps or reconfigure existing ones.

Workaround:
This workaround stops scriptd from logging anything to any logging destination, so you should remove it and restart scriptd after the iApp is created/reconfigured.

1. Which step one you take depends on whether you have log filters that have a source of 'scriptd' and a publisher whose destination is of type remote-high-speed-log:

  a. If you do, make sure all those filters have their publisher set to 'none'.

  b. If you do not, create a log-config filter with a source of 'scriptd', a level of 'debug', and a publisher of 'none'.

For example:

sys log-config filter NoScriptd {
    app-service none
    description none
    level debug
    message-id none
    publisher none
    source scriptd
}

2. After the log-config filters are modified, restart scriptd using the following command:

bigstart restart scriptd

Fix:
Can now create or reconfigure iApps if logging is configured.

---

650317-3 : The TMM on the next-active panics with message: "Missing oneconnect HA context"

Component: Local Traffic Manager

Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.

Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.

Impact:
Connections on the active are not mirrored while the next-active restarts.

Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.

Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.

---

650292-2 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non recursive query is cached by the DNS transparent cache, subsequent recursive queries provide the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non recursive responses for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.

Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.

---

650286-2 : REST asynchronous tasks permissions issues

Solution Article: K24465120

---

650152-1 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms

Component: Local Traffic Manager

Symptoms:
In Nitrox PX platforms, vCMP guests can't accelerate AES-GCM traffic, which might cause high CPU usage.

Conditions:
For those vCMP guests deployed on Nitrox PX-based platforms, and SSL cipher is configured to use AES-GCM.

The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.

Impact:
High CPU usage.

Workaround:
No workaround.

Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.

---

650081-1 : Proactive Bot Defense JavaScript challenges may introduce high latencies and cause some browsers to display a blank page.

Solution Article: K53010710

Component: Application Security Manager

Symptoms:
When PBD and FP are both enabled, there is a very high client-side latency, especially on Microsoft Internet Explorer version 11 (IE11).

On IE11, sometimes the challenge remains on a blank page, never moving on to the site from the back-end server.

Conditions:
This issue occurs when the following conditions are met:

-- Your BIG-IP system has Proactive Bot Defense and fingerprinting enabled.
-- The client is using IEll.

Note: IE11 is known to be affected by this issue. However, other browsers may also be affected.

Impact:
Delay or blank page when clients access the page using IE11.

Workaround:
None

Fix:
Improved the client-side run-time of the JavaScript challenge and prevented it from getting stuck on Internet Explorer.

---

650074-1 : Changed Format of RAM Cache REST Status output.

Component: Local Traffic Manager

Symptoms:
The REST API returned cache contents in displayable form, not tagged field form.

Conditions:
Using REST API.

Impact:
Text must be parsed as if the caller plans to post-process it.

Workaround:
To present the data in some other format, the text can be displayed as is, but must be parsed as if the caller plans to post-process it.

Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.

Behavior Change:
REST API calls for ramcache stats now returns data as formatted JSON.

---

650070-2 : iRule that uses ASM violation details may cause the system to reset the request

Solution Article: K23041827

Component: Application Security Manager

Symptoms:
When an iRule attempts to use the violation details such as attackSignature or MaliciousFingerprint, in some cases a legal request will be reset.

Conditions:
-- An ASM iRule that uses violation details is attached to the virtual server.
-- The request contains the violation

Impact:
A legal request is being reset.

Workaround:
None.

Fix:
iRule that uses ASM violation details no longer causes the system to reset the request.

---

650059-1 : TMM may crash when processing VPN traffic

Solution Article: K20087443

---

650002-1 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.

Fix:
To accommodate for Mongolia no longer observing DST, the new America/Punta_Arenas zone was created. Changes were also made to support other timezone changes.

* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.

Note: Users of tzdata are advised to upgrade tzdata to zdata-2017b-1.el6

---

649949-1 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★

Component: TMOS

Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 will occasionally fail on iSeries platforms, with the system being unable to find the installation media.

If this happens, running the following command will fail.

  image2disk --instslot=HD1.1 --setdefault --nosaveconfig

Conditions:
This can occur on iSeries platforms while performing a clean installation.

Impact:
The /dev/cdrom softlink points to the virtual CD-ROM drive in iSeries platforms instead of the physical USB DVD-ROM drive. This prevents image2disk from automatically finding the installation media.

Workaround:
After the failure, while in MOS, determine USB CDROM device name, mount it, and tell image2disk specifically where it is:

bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1

bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver

In the mount command, replace "/dev/srX" with whichever device is the physical drive.

---

649933-1 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.

---

649929-1 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it

Component: Access Policy Manager

Symptoms:
Cannot delete saml_sp_connector from a transaction even when all related objects are specified.

Conditions:
When deleting saml_sp_connector from a transaction along their associated objects.

Impact:
Cannot delete saml_sp_connector and associated objects.

Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector

Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.

---

649907-2 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784

---

649904-2 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445

---

649866-1 : fsck should not run during first boot on public clouds

Component: TMOS

Symptoms:
Although it is not needed, filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice year, booting up runs a more comprehensive fsck operation.

Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).

Impact:
Potentially unacceptable long boot times.

Workaround:
None.

Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.

---

649617-2 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via a SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.

---

649613-3 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts the server provided packet into PPP buffers. These PPP packets are used to pack into DTLS records. Currently there is a limit of about 14 KB of DTLS records, such that the system can pack multiple PPP records into one DTLS record.

However, creating bigger DTLS record can cause server IP Fragmentation. In the lossy environment, losing one IP fragment can cause the complete DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.

Fix:
DTLS performance has been improved in lossy or high latency networks by optimizing the number of encoded ppp records inside of DTLS records.

---

649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.

---

649564-2 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.

---

649465-1 : SELinux warning messages regarding nsm daemon

Component: TMOS

Symptoms:
Receiving SELinux warning messages regarding nsm daemon when BFD is enabled, and deleting VLANs.

Conditions:
-- BFD enabled for any route-domain.
-- Deleting VLANs.

Impact:
None. This warning message references actions that are extraneous for the nsm daemon.

Workaround:
None.

Fix:
nsm no longer triggers SELinux warning messages with BFD enabled, and deleting VLANs

---

649234-3 : TMM crash from a possible memory corruption.

Solution Article: K64131101

Component: Access Policy Manager

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.

---

649177-2 : Testing for connection to SMTP Server always returns "OK"

Solution Article: K54018808

Component: Application Visibility and Reporting

Symptoms:
When you click the SMTP GUI config "Test Connection" button it always gives green "OK" response, even if there is no network, or if the DNS response is NXDomain.

Conditions:
This is encountered when testing the SMTP connection using the GUI.

Impact:
Validation of SMTP server availability is incorrect

Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):

# echo "ssmtp test mail" | mail -vs "Test email" user@example.com

Fix:
The 'Test Connection' button for the SMTP server configuration reports errors as expected.

---

649171-4 : tmm core in iRule with unreachable remote address

Component: Local Traffic Manager

Symptoms:
TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a non reachable remote_addr, tmm cores

Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable

Impact:
Traffic disrupted while tmm restarts.

Workaround:
create faux route for the destination address

---

649161-1 : AVR caching mechanism not working properly

Solution Article: K42340304

Component: Application Visibility and Reporting

Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.

Conditions:
Using AVR caching mechanism (turned-on by default).

Impact:
Reports will be incorrect.

Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable

* NOTE: the above might cause AVR to perform a bit slower.

Fix:
The system no longer stores the dimension-based queries in the AVR cache.

---

648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Serverssl renegotiation does not occur, log message is displayed.

---

648954-5 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

    01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

---

648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555

Solution Article: K90803619

---

648865-2 : Linux kernel vulnerability: CVE-2017-6074

Solution Article: K82508682

---

648802-3 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.

Fix:
Custom AVPs included regardless of an error code in an RAA.

---

648786-5 : TMM crashes when categorizing long URLs

Solution Article: K31404801

---

648766-1 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.

---

648715-2 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either of the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they shouldn't.

Conditions:
Provision any of the three protocols: LLDP, STP, or LACP and the PDU sent by the BIG-IP will incorrectly have a VLAN tag with a tag-id of 0 added to the PDU.

Impact:
Some 3rd party devices may reject the packet. This will adversely affect operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.

---

648639-3 : TS cookie name contains NULL or other raw byte

Solution Article: K92201230

Component: Application Security Manager

Symptoms:
The TS cookie name may intermittently contain NULL.

Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).

Impact:
False positives triggered on modified domain cookies.

Workaround:
To resolve this, change the policy security name.

Fix:
Fixed an issue with the TS cookie name length.

---

648621-1 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.

Impact:
The multi-homing connections won't be expired.

Workaround:
Don't manually deleted the multi-homing connections.

---

648617 : JavaScript challenge repeating in loop when URL has path parameters

Solution Article: K23432927

Component: Application Security Manager

Symptoms:
The JavaScript challenge is repeating in a loop on URLs which have path parameters (when the URL contains the ';' character). The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs contain the ';' character, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests with ';' character will be blocked and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.

---

648544-5 : HSB transmitter failure may occur when global COS queues enabled

Solution Article: K75510491

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.

Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.

---

648320-3 : Downloading via APM tunnels could experience performance downgrade.

Solution Article: K38159538

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When packet size is too large, packet fragmentation is possible at IP layer. This causes high number of packet drops and therefore performance downgrade.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.

Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.

---

648286-2 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.

Component: Global Traffic Manager (DNS)

Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.

Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.

Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.

Loss of functionality from earlier releases.

Workaround:
Manually select each entry to add to the member list.

Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.

---

648270-4 : mcpd can crash if viewing a fast-growing log file through the GUI

Component: TMOS

Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.

Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.

Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.

---

648242 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

Fix:
Allowing for administrator users to get all partitions available on query.

---

648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.

Solution Article: K16503454

Component: TMOS

Symptoms:
bcm56xxd constantly crashes, device goes off-line.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.

---

648053-1 : Rewrite plugin may crash on some JavaScript files

Solution Article: K94477320

Component: Access Policy Manager

Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.

Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).

Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.

Workaround:
It is possible to change/add 'charset' parameter in response header 'Content-type' to 'UTF-8' by iRule.

Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.

---

648037-2 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.

Fix:
Fixed a tmm crash related to LB::reselect

---

647988-3 : HSL Balanced distribution to Two-member pool may not be balanced correctly.

Solution Article: K15331432

Component: TMOS

Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.

Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.

Workaround:
None.

Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.

---

647944-2 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is be in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.

Fix:
Prevented MCP from crashing when the FIX profile is edited.

---

647757-2 : RATE-SHAPER:Fred not properly initialized may halt traffic

Solution Article: K96395052

Component: Local Traffic Manager

Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.

Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.

Impact:
Traffic is halted.

Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value of 9999 instead of default 0.
-- Use RED as drop policy instead of fred.

---

647137 : bigd/tmm con vCMP guests

Component: Local Traffic Manager

Symptoms:
bigd/tmm con vCMP guests.

Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
This release corrects this issue so the crash no longer occurs.

---

647108-1 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction

Component: Access Policy Manager

Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1

Conditions:
When deleting saml-idp-connector first then the associated saml server.

Impact:
Cannot delete saml-idp-connector and associated server in that specific order.

Workaround:
Delete saml server first and then delete the saml connector.

Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.

---

646928-1 : Landing URI incorrect when changing URI

Component: Access Policy Manager

Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.

Conditions:
Attempting to change landing URI in the middle of an access policy

Impact:
End-user is inconveniently directed to the first resource instead of the second.

Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.

---

646890-1 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512

Solution Article: K12068427

Component: TMOS

Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.

Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take affect without a racoon restart.

Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.

Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.

Fix:
Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.

---

646800-2 : A part of the request is not sent to ICAP server in a specific case

Component: Application Security Manager

Symptoms:
The portion of the request that is not sent is not checked for viruses

Conditions:
ICAP is configured.

Impact:
There might be a false negative on anti-virus check

Workaround:
N/A

---

646760 : Common Criteria Mode Disrupts Administrative SSH Access

Component: TMOS

Symptoms:
If Common Criteria mode is enabled the administrative SSH interface on BIG-IP may become unavailable.

Conditions:
CC-mode enabled.

Impact:
SSH interface not available, sshd may fail to start.

Workaround:
There is no workaround at this time.

Fix:
Correct SSH configuration when in CC mode

---

646643-2 : HA standby virtual server with non-default lasthop settings may crash.

Solution Article: K43005132

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).

-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.

---

646615-1 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.

---

646604-5 : Client connection may hang when NTLM and OneConnect profiles used together

Solution Article: K21005334

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.

---

646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade★

Component: Application Security Manager

Symptoms:
After roll-forward upgrade of version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.

---

646443-1 : Ephemeral Node may be errantly created in bigd, causing crash

Solution Article: K54432535

Component: Local Traffic Manager

Symptoms:
When FQDN Ephemeral Nodes are being used at the same time as static Node objects, and there is change in those objects, either via DNS resolver changes or manual changes to static nodes, there exists a chance where one may be misidentified as the other during an update, causing a crash in bigd.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP configuration contains a mix of FQDN pool members or nodes, and static node objects.
-- You perform one of the following actions:
  + Modify current node settings
  + Create or delete nodes

Impact:
The bigd process restarts and produces a core file, causing interruption of pool member monitors.

Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.

Fix:
Fixed case where misidentification may occur, resulting in bigd running without crashing.

---

645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses

Solution Article: K92637255

Component: TMOS

Symptoms:
LACP PDUs generated by lacpd on the i4x00 and i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP configured on an trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP system is not transmitting with an all-zeros 'Partner' section System ID. This renders LACP inoperable, and simply does nothing if the far end is configured for 'Passive'.

Workaround:
None.

Fix:
The BIG-IP software now inserts the correct Source MAC address in the LACP PDU.

---

645729-1 : SSL connection is not mirrored if ssl session cache is cleared and resume attempted

Component: Local Traffic Manager

Symptoms:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.

Conditions:
A previous ssl session is attempting to resume the connection after the ssl session cache has been cleared.

Impact:
Connection is established but is not mirrored.

Workaround:
Could be avoided by disabling ssl session cache.

Fix:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.

---

645723-2 : Dynamic routing update can delete admin ip route from the kernel

Solution Article: K74371937

Component: TMOS

Symptoms:
Routes obtained from dynamic routing (BGP, etc.) can replace existing management route for the admin IP address, making the BIG-IP lose its management route. Static routes created via TMSH can replace management route.

Conditions:
Using TMSH to create "net route" that matches management network, or dynamic routing accepts a route that matches the management network.

Impact:
Losing the management network route, and potential loss of access to the BIG-IP via the management network.

Workaround:
Don't accept route updates for the management network. Don't create static routes for the management network.

Fix:
Management network admin IP address is now protected from being overwritten.

---

645717 : UCS load does not set directory owner

Component: TMOS

Symptoms:
When loading a UCS file the directory /etc/ssh will become owned by the first user in the UCS with an .authorized_keys file.

Conditions:
UCS loaded that contains users with .authorized_key files

Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication but does not follow secure coding practices

Workaround:
Ownership of on /etc/ssh can be restored with the command: chown root /etc/ssh

Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.

---

645684-2 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into incorrect ApplicationDomain and in some rare cases this may cause errors in application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None

Fix:
Flash files accessed through Portal Access are now loading components into correct Application Domain. This improves compatibility with Flash apps.

---

645663 : Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.

Component: Local Traffic Manager

Symptoms:
Accelerated crypto and compression traffic may fail; stuck queue reports appear in logs.

Conditions:
Guests provisioned with more than 12 vcpus, and crypto or compression traffic passed through hardware acceleration.

Impact:
Can cause the hardware accelerator to fail and require host reboot.

Workaround:
Limit guest provisioning to 12 vcpus.

Fix:
Allow guests provisioned with more than 12 vcpus to operate without stalling hardware accelerators.

---

645615-2 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.

---

645480-3 : Unexpected APM response

Solution Article: K45432295

---

645339-2 : TMM may crash when processing APM data

Component: Access Policy Manager

Symptoms:
Under certain conditions TMM may crash while processing APM data

Conditions:
APM enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes APM data as expected

---

645220-2 : bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs

Component: Local Traffic Manager

Symptoms:
When mcpd debug logging is enabled, mcp messages sent to or received from the bigd daemon are logged with a username of "(user %-P)" or "(user %-S)" instead of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".

Conditions:
mcpd debug messages with the "(user %-P)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and multiple instances of bigd are running.
mcpd debug messages with the "(user %-S)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and a single instance of bigd is running.

Impact:
Confusion about which daemon is referenced in mcpd debug logs with username "(user %-S)" or "(user %-P)".

Fix:
mcpd debug messages sent to or received from the bigd daemon are correctly logged with a username of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".

---

645197-3 : Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change

Component: Local Traffic Manager

Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) accumulate in the monitor history. Upon monitor status change (such as to 'fail'), this history is sent (from 'bigd' to 'mcpd') to indicate that monitor's new-status, plus historical context. This history may grow too large if no monitor status is detected for an extended time (such as days or weeks) when unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from 'success' to 'fail'), notification from 'bigd' to 'mcpd' fails due to this too-large history, resulting in the monitor remaining in its previous state (i.e., 'success'). 'bigd' properly records the monitor status and continues to monitor, but 'mcpd' is not notified of that status change (due to message-send failure from the history being too large).

This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating 'success'), as 'bigd' elides/merges the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (e.g., by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history continues to grow for that monitor until a status-change is detected.

Conditions:
-- Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp.
-- Success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from 'success' to 'fail').

Impact:
The monitor remains in the 'success' state, as the status-change is lost' ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.

Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes.

(Receiving the same return-code elides/merges content with previously accumulated values in the monitor history.)

Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.

---

645179-6 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 4 traffic groups, the interval is ~1242 days.
-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.

---

645101-2 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851

---

645058-3 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

---

645036-3 : Removing pool from virtual server does not update its status

Solution Article: K85772089

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.

Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.

---

644975-4 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Solution Article: K09554025

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows MAILTO=root still appears in some files, also modify those file so that MAILTO=root becomes MAILTO="".

Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.

---

644970-1 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes
an iSession dynamically configured default server-ssl profile.

---

644946-2 : Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation

Solution Article: K05053251

Component: Service Provider

Symptoms:
When the mirror flag is enabled in the siprouter and diameterrouter profiles, outgoing per-client create connection will be usable by any client connection from the same IP address.

Conditions:
This occurs when the mirror flag is enabled in the siprouter and diameterrouter profiles.

Impact:
In the siprouter and diameterrouter profiles, enabling mirroring incorrectly enables the internal ignore_peer_port flag, which causes the router to not consider the remote port of the client side connection when determining which of an outgoing per-client connection can be used for forwarding messages.

Workaround:
None.

Fix:
The ignore_peer_port flag is no longer affected by the setting of the mirror flag, which is correct functionality.

---

644904-5 : tcpdump 4.9

Solution Article: K55129614

---

644892-1 : Files captured multiple times in qkview

Component: TMOS

Symptoms:
When running a qkview, some files are captured more than once.

Conditions:
This occurs when generating a qkview.

Impact:
Some small files are duplicated in the qkview; there is no other impact.

Workaround:
None.

Fix:
Files are now captured only once when running qkview.

---

644873-2 : ssldump can fail to decrypt captures with certain TCP segmenting

Solution Article: K97237310

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.

Fix:
ssldump now successfully decrypt a capture, so ssldump no longer crashes.

---

644855-2 : irules with commands which may suspend processing cannot be used with proactive bot defense

Component: Application Security Manager

Symptoms:
A request is dropped.

Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual. (includes a command like the "after" commands")

For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962

Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.

Workaround:
N/A

Fix:
irules which suspends the execution won't cause a request drop when the proactive bot defense is assigned.

---

644851-2 : Websockets closes connection on receiving a close frame from one of the peers

Component: Local Traffic Manager

Symptoms:
Websocket connection should be closed once an endpoint has both sent and received a Close control frame. BIG-IP closes connection on receiving a close frame from peer and does not wait for close frame from other endpoint. This results in data sent in the other direction to be dropped.

Conditions:
Websocket and HTTP profile are attached to the virtual.

Impact:
One endpoint sends a Websocket Close control frame. Other endpoint continues sending data which is dropped by BIG-IP.

Fix:
Half-close of connection will be triggered instead of closing the connection entirely.

---

644822-2 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround.

Fix:
Fixed, so FastL4 virtual servers with enabled loose-init option will forward any RST packets.

---

644799-1 : TMM may crash when the BIG-IP system processes CGNAT traffic.

Solution Article: K42882011

Component: TMOS

Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.

Conditions:
A TMM connflow related to CGNAT traffic is expired.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.

---

644725-4 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart

Solution Article: K01914292

Component: Application Security Manager

Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.

Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.

Impact:
ASM restarts. The system goes offline. A failover may happen.

Workaround:
Ensure that there is some time between setting a configuration to removing ASM from the VIP.

---

644723-1 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED

Component: TMOS

Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:

Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN

Conditions:
This is logged when disabling an interface.

Impact:
Log message says the interface is DOWN, it should say DISABLED.

---

644694 : FPS security update check ends up with an empty page when error occurs.

Component: Fraud Protection Services

Symptoms:
While checking for security updates in FPS, GUI may display an empty page caused by internal errors, such as network errors or temporary downtime.

Conditions:
-- Provision and license FPS.
-- Check for security updates.

Impact:
Empty page is presented, with no indication of what error occurred.

Workaround:
Use TMSH or REST API to perform an update check.

Fix:
Now, when an error occurs, the error will be displayed.

---

644693-3 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610

---

644565-1 : MRF Message metadata lost when routing message to a connection on a different TMM

Component: Service Provider

Symptoms:
The system might choose to create a new outgoing connection when there is an available exiting connection that can be used.

Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.

Impact:
Messages should be delivered correctly as the metadata is lost after routing. There might be an impact if routing is retried and the ignore-peer-port setting is lost. This might cause a new connection to be created when an available existing connection exists.

Workaround:
None.

Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.

---

644490-1 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).

---

644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile

Solution Article: K14899014

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
    1) An error occurs during dynamic server-ssl profile replacement.
    2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
    1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
    2) An error occurs during dynamic server-ssl profile replacement.

---

644447-2 : sync_zones script increasingly consumes memory when there is network connectivity failure

Component: Global Traffic Manager (DNS)

Symptoms:
sync_zones memory usage exponentially increases during network disruption

Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.

Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.

Workaround:
None.

Fix:
sync_zones script now exits successfully at network failure.

---

644418-2 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.

Conditions:
This may occur when SSL Forward Proxy is in use.

Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.

Workaround:
None.

Fix:
In this release, the system excludes self-signed certificates in hash algorithm selection (which is correct behavior). This may prevent forged certificate from using SHA1 hash algorithm

---

644404-1 : Extracting SSD from system leads to Emergency LCD alert★

Component: TMOS

Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.

Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.

Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.

Workaround:
Clear the Emergency alert from the LCD.

Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.

---

644220-3 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.

---

644184-4 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hangs while AgentX is waiting.

---

644112-2 : Permanent connections may be expired when endpoint becomes unreachable

Solution Article: K56150996

Component: Local Traffic Manager

Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.

Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.

Impact:
Tunnel, or other affected connection, will not pass traffic.

Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.

Fix:
Routing updates can no longer lead to expired permanent connections.

---

643813-2 : ZoneRunner does not properly process $ORIGIN directives

Component: Global Traffic Manager (DNS)

Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name and not $ORIGIN specified.

Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.

Impact:
Zones will not be imported correctly.

Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.

The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)

For example, given a zone file named example.com.file that contains the following information:

"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3

The command is as follows:

named-compilezone -s full -o example.com.file.full example.com example.com.file

The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1

Which is correct. This file can then be used to import into ZoneRunner.

---

643785-3 : diadb crashes if it cannot find pool name

Component: Service Provider

Symptoms:
diadb utility crashes if it cannot find pool name.

Conditions:
-- diadb utility is running.
-- Pool name is not available in the Diameter persistence record.

Impact:
diadb utility crashes.

Workaround:
None.

Fix:
diadb will not crash even if it cannot find the pool name in the Diameter persistence record.

---

643777-2 : LTM policies with more than one IP address in TCP address match may fail

Solution Article: K27629542

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.

Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.

---

643631 : Serverside connections on virtual servers using VDI may become zombies.

Solution Article: K70938130

Component: Local Traffic Manager

Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.

Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.

Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.

Workaround:
None.

Fix:
Expired serverside connections are properly torn down.

---

643602-2 : 'Select All' checkbox selects items on hidden pages

Component: Fraud Protection Services

Symptoms:
In FPS GUI, clicking 'Select All' when the list contains more than 10 items, selects all items and not just the items on the current page, as expected.

Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:

On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.

Impact:
Unexpected behavior: items are deleted from pages that are not visible.

Workaround:
Check one or more items individually for deletion.

Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.

---

643582-2 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of ssl profiles tmm may become busy enough to cause mcp tcp connection to go down and cause tmm restart.

Conditions:
Doing a full config load with large number of ssl profiles.

Impact:
Possible tmm restart.

Workaround:
Doing incremental sync of changes can avoid this issue.

Fix:
A full configuration reload with large number of ssl profiles may cause tmm restart.

---

643554-12 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update

Solution Article: K37526132 K44512851 K43570545

---

643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Solution Article: K43036745

Component: Access Policy Manager

Symptoms:
Requests to /my.policy are not getting HTTP responses.

Log file '/var/log/apm' contains large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM system is configured with a large number of access policy agents.
-- You are performing an operation that requires the apmd process to start.
-- For example, your BIG-IP APM system is reloaded, you install a new image, or you manually restart the apmd process.

Impact:
APMD will not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.

---

643459-3 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

Solution Article: K81809012

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP in the Referer header.

Behavior Change:
Customers who are utilizing the BIG-IP Configuration Utility behind a reverse proxy that does not transparently set the Referer header will be unable log in.
Prior to the change, there were no restrictions on logging in.

---

643404-2 : 'tmsh system software status' does not display properly in a specific cc-mode situation★

Solution Article: K30014507

Component: TMOS

Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.

Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).

Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.

---

643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Solution Article: K34553627

Component: Local Traffic Manager

Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.

Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.

---

643375-1 : TMM may crash when processing compressed data

Solution Article: K10329515

---

643294 : IGMP and PIM not in self-allow default list when upgrading from 10.2.x★

Component: TMOS

Symptoms:
IGMP or PIM not in self-allow by default after upgrade.

Conditions:
Upgrade from 10.2.x.

Impact:
Advance routing with multicast or PIM does not work, when configured after upgrade with default self-allow.

Workaround:
Manually add PIM or IGMP to self-allow default.

---

643210-2 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Solution Article: K45444280

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.

Fix:
The BIG-IP no longer deletes keys from the Safenet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

---

643187-2 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167

---

643143-2 : ARP and NDP packets should be QoS/DSCP marked on egress

Component: Local Traffic Manager

Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.

Conditions:
ARP and/or NDP is in use.

Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.

Workaround:
N/A

Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

---

643121-1 : Failed installation volumes cannot be deleted in the GUI.

Component: TMOS

Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.

Conditions:
Have a failed installation volume.

Impact:
Cannot use the GUI to delete

Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.

For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.

Fix:
Failed installation volumes can now be deleted in the GUI.

---

643054-2 : ARP and NDP packets should be CoS marked by the swtich on ingress

Component: Local Traffic Manager

Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.

Conditions:
TMM0 is saturated and dropping packets.

Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.

Workaround:
None.

Fix:
You can now use db variables to control internal traffic priority for ingress ARP/NDP packets in the switch.

-- arp.priority : high/normal (default)
-- ipv6.nbr.priority : high/normal (default)

The 'normal' value is the default.

-- Setting arp.priority to high raises ARP packet priority.
-- Setting ipv6.nbr.priority to high raises NDP packet priority.

Behavior Change:
You can now use db variables to raise the internal traffic priority for ingress ARP/NDP packets in switch.

arp.priority : high/normal(default)
ipv6.nbr.priority : high/normal(default)

Setting arp.priority to high raises ARP packet priority.
Setting ipv6.nbr.priority to high raises NDP packet priority.

---

643041-4 : Less than optimal interaction between OneConnect and proxy MSS

Solution Article: K64451315

Component: Local Traffic Manager

Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.

Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.

Impact:
Decreased throughput, possible congestion due to small segments.

Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.

Fix:
This release provides improved interaction between OneConnect and proxy MSS. By default, proxy MSS is disabled with OneConnect. This is controlled by the db variable TM.Tcp.OC.ProxyMSS

---

643034-1 : Turn off TCP Proxy ICMP forwarding by default

Solution Article: K52510343

Component: Local Traffic Manager

Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.

Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.

Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).

Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.

OR

Disable MTU caching on pool members.

Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.

Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.

For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).

---

643013 : DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3

Component: TMOS

Symptoms:
DAGv2 is a new DAG type and is designed to run on new platforms, including i5600, i5800, i7600, i7800, i10600, i10800 platforms. DAGv2 was not ready when these platforms were first released. DAGv2 is enabled on these platforms in v12.1.3.

Conditions:
i5600, i5800, i7600, i7800, i10600, i10800 platforms.

Impact:
No functional impact. This is simply an announcement of a change in the DAG version.

Workaround:
None.

Fix:
DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3.

---

642983-1 : Update to max message size limit doesn't work sometimes

Solution Article: K94534313

Component: Device Management

Symptoms:
There is a cap on all REST request/response message size. By default it is set to 32 MB, and you can modify it to higher limit using /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.

When this occurs, you will see 501 Bad Gateway error from Apache and error message link "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are applied on requests/responses, rather than on RestServer as forwarded outgoing requests/responses will not have server instance attached to request.

---

642982-3 : tmrouted may continually restart after upgrade, adding or renaming an interface★

Solution Article: K23241518

Component: TMOS

Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.

Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.

Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.

Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.

Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.

---

642952 : platform_check doesn't run PCI check on i11800

Component: TMOS

Symptoms:
When "platform_check misc" is run, it will return

Miscellaneous Tests
  PCI: NOT RUN
    Test not available on this platform

Conditions:
This always happens.

Impact:
No platform check for PCI is executed.

Workaround:
There is no workaround.

Fix:
It is fixed, platform check for PCI is executed.

---

642923-2 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system

Component: TMOS

Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.

Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.

There are a number of ways that this issue may manifest.

For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).

*Note: Depending the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a relative estimate of the number of filestore objects that might cause this issue to occur.

Impact:
mcpd restarts, which causes a system to go offline and restart services.

Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:

   modify sys daemon-ha mcpd heartbeat disable

Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.

Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.

To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.

Fix:
A possible case where mcpd goes too long without updating the heartbeat has been fixed by replacing one algorithm with a more efficient one.

---

642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Solution Article: K15329152

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.

---

642723-3 : Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect

Component: TMOS

Symptoms:
In version 11.4.0, when pendsect was introduced, the Western Digital WD1600YS-01SHB1 hard drive was not supported. This drive was used in very early shipments of the 1600/3600 products.

If you are running 11.4.0 and have a WD1600YS-01SHB1, you might see the following errors in /var/log/ltm:

-- notice pendsect[1662]: skipping drive -- Model: WDC WD1600YS-01SHB1
-- notice pendsect[1662]: No known drives detected for pending sector check. Exiting

Conditions:
-- Running 11.4.0.
-- Using WD1600YS-01SHB1 hard drives.

Impact:
The only impact is a pendsect notice in /var/log/ltm. The hard drive operates as expected.

Workaround:
There is no mitigation or workaround for this issue.

Fix:
The WD1600YS-01SHB1 hard drive was added to the supported list of hard drives in versions 11.5.x, 11.6.x, and 12.1.3.

---

642703-2 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★

Component: TMOS

Symptoms:
Installation from external media (PXE or USB) fails with error:

error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.

Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.

Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.

Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.

Fix:
The error no longer occurs; the formatting installation succeeds.

---

642659-2 : Multiple LibTIFF Vulnerabilities

Solution Article: K34527393

---

642400-2 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS. Use or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.

---

642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: Global Traffic Manager (DNS)

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

---

642314-2 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★

Solution Article: K24276198

Component: TMOS

Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.

Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.

Impact:
gtm config load failure after upgrade.

Workaround:
Remove trailing dots or set "Domain Validation" to "none".

Fix:
Upgrading from 11.x to 12.x or 13.x with GTM Pool with canonical-name removes trailing FQDN dot.

---

642298-3 : Unable to create a bidirectional custom persistence record in MRF SIP

Component: Service Provider

Symptoms:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Conditions:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Impact:
Custom SIP persistence entries cannot be bidirectional.

Fix:
This change adds a new SIP::persist key to set or reset the persistence entry as bidirectional.

---

642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.

Component: Carrier-Grade NAT

Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.

Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.

Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.

Fix:
Closing the PCP connection will not cause memory corruption.

---

642221-2 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulted data is for the default "view by" entity rather than the one that's actually selected

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.

---

642211-2 : Warning logged when GENERICMESSAGE::message drop iRule command used

Component: Service Provider

Symptoms:
When submitting an iRule script using GENERICMESSAGE::message drop iRule command, a warning message is returned.

Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.

Impact:
A warning message is returned.

Workaround:
NA

Fix:
iRule validation was improved to allow GENERICMESSAGE::message drop commands.

---

642185-1 : Add support for IBM AppScan scanner schema changes

Component: Application Security Manager

Symptoms:
IBM AppScan changed schema for its report file.

Conditions:
Using IBM AppScan for reporting.

Impact:
Data from new IBM AppScan scanner report file is not extracted properly for URL, parameters and cookies.

Workaround:
None.

Fix:
Added support for IBM AppScan scanner schema changes.

---

642068-1 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.

---

642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances

Component: TMOS

Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.

The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic

The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic

The interface will report in tmsh as down:
tmsh show net interface 5.0

--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
                In Out In Out
--------------------------------------------------------
5.0 down 0 0 0 0 0 0 none

Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.

Impact:
The CBL-0138-01 will not work.

Workaround:
None.

Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.

---

642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Solution Article: K20140595

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.

Fix:
TMM no longer coreswhen persist is enabled for wideip with certain iRule commands triggered.

---

642015-2 : SSD Manufacturer "unavailable"

Component: TMOS

Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable"..

Conditions:
BIG-IP system with SSD installed.

Impact:
No functional impact, cosmetic only.

Workaround:
No workaround but the issue is only cosmetic and does not indicate an issue with the system.

Fix:
SSD Manufacturer now displays "Samsung" as expected.

---

641869-1 : Assertion "vmem_hashlist_remove not found" failed.

Solution Article: K62744980

Component: Local Traffic Manager

Symptoms:
TMM cores with the following assertion: "vmem_hashlist_remove not found" failed.

Conditions:
It is unknown what leads to that situation directly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The memory function fails the allocation gracefully.

---

641753-2 : Syncookies activated on a genuine connection gets reset almost 30-50% of the time

Component: TMOS

Symptoms:
Syncookies activated on a genuine connection to a TCP-based virtual server gets reset almost 30%-50% of the time.

Conditions:
-- VADC platform when syncookie protection mode is configured and activated on a virtual server.

Note: This issue might also occur on v12.x systems using the L7-intelligent-fpga HSB firmware.

Impact:
Potential performance impact.

Workaround:
None.

Fix:
When syncookie protection mode is activated, all the genuine connections go through as expected, so there are no resets.

---

641612-2 : APM crash

Solution Article: K87141725

---

641574 : AVR doesn't report on virtual and client IP in DNS statistics

Solution Article: K06503033

Component: Application Visibility and Reporting

Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".

Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.

Impact:
DNS statistics show incomplete results.

Workaround:
None.

Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.

---

641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic

Solution Article: K51064420

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can rollover periodically. This will fail, leading to no keys to sign DNSSEC queries (no RRSIG records) when the BIG-IP is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.

---

641491-2 : TMM core while running iRule LB::status pool poolname member ip port

Solution Article: K37551222

Component: Local Traffic Manager

Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.

Example iRule syntax:

gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use format 'ip:port' or vsname instead of 'ip port. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}

2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}

Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.

---

641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
BIG-IP subscriber session will remain in delete pending (stale) state if the Result-code received Acknowledgement from Gx or Gy and is marked as Failure for CCR-T request.

Conditions:
The stale session happens, during subscriber termination and if any CCR-T request for Gx or Gy receives an acknowledgement with non-SUCCESS in Result-code AVP

Impact:
The subscriber session in BIG-IP will stay in delete pending state (stale)

Workaround:
A tmm restart will cleanup all the stale sessions

Fix:
Fix will cleanup the session if a CCR-T acknowledgement is received irrespective of the Result-code AVP

---

641450 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.

---

641445-1 : iControl improvements

Solution Article: K22317030

---

641390-5 : Backslash removal in LTM monitors after upgrade

Solution Article: K00216423

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.

Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.

For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor fails to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.

Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.

---

641360-2 : SOCKS proxy protocol error

Solution Article: K30201296

---

641307-2 : Response Page contents are corrupted by XML policy import for non-UTF-8 policies

Component: Application Security Manager

Symptoms:
If non-UTF-8 policy has Response Pages configured with non-ASCII characters, the Response Page contents will be corrupted by an XML export/import.

Conditions:
1) Response pages are configured with Non-ASCII characters in a non-UTF-8 Policy.
2) The Policy is exported via XML export.

Impact:
Response Page contents are corrupted

Workaround:
1) Use binary policy export/import for non-UTF-8 policies.
or
2) Encode the non-ascii characters using the html entities/code representations of them. (Example: 日本語 -> &#26085;&#26412;&#35486;)

Fix:
Response Page contents are correctly exported.

---

641256-1 : APM access reports display error

Solution Article: K43523962

---

641248 : IPsec-related tmm segfault

Component: TMOS

Symptoms:
The tmm cores and all connections are reset.

Conditions:
Race condition during IPsec tunnel tear down.

Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The IPsec-related tmm segfault has been corrected.

---

641083-2 : Policy Builder Persistence is not saved while config events are received

Component: Application Security Manager

Symptoms:
Policy Builder Persistence is not saved while config events are received.

Conditions:
This occurs when there are many changes made to the policy.

Impact:
Statistics are lost after pabnagd restarts.

Workaround:
None.

Fix:
Persistence is now saved every 24 hours.

---

641013-5 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.

Conditions:
Use forwarding virtual to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.

---

640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.

Fix:
The page can now load hundreds of records on a single screen under 3 seconds.

---

640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Solution Article: K20770267

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

 crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.

---

640809-1 : Merged constantly restarts★

Solution Article: K79892782

Component: Local Traffic Manager

Symptoms:
Merged constantly restarts. This may occur on upgrade or after merged restarts after enabling debug logging.

The system logs the following error signature in /var/log/user.log:

err merged[27984]: isc/libev evGetNext: Bad File Descriptor: 5, errno: 9 Bad file descriptor.
notice logger: Started writing core file: /var/core/merged.bld0.0.249.core.gz for PID 27984.

Conditions:
log-config filter level is debug and merged restarts.

Note: 'level debug' is the default for a log-config filter therefore the following would be debug logging:

sys log-config filter myfilter {
    publisher mypub
}

Impact:
Merged restarting may impact stats collection. This can also impact qkview generation, the statistics may be corrupt or missing, GUI might return "General database error retrieving information."

Workaround:
If you are encountering this, you can run the following tmsh commands to set the log level to the warning level.

Impact of procedure: This will disable debug logging of merged.

tmsh modify sys log-config filter <HSL-Filter-Name> level warn
tmsh save sys config

---

640768 : Kernel vulnerability: CVE-2016-10088

Solution Article: K05513373

---

640636-3 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade

Component: TMOS

Symptoms:
Inserting a 40G optic into a 100G port, or inserting a 100G optic into a 40G shows the optic as "Unsuported Optic". That is not correct, it may be a supported optic, just inserted in the wrong port.

Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.

Impact:
The user may be confused on why the optic is not working, the error message is misleading when the optic is inserted in the wrong port.

Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic" remove the optic and verify that the optic speed matches the port.

Fix:
The "tmsh list net interface" will now show:
 
module-description "F5 Qualified Optic in invalid port"

And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.

---

640565-1 : Incorrect packet size sent to clone pool member

Solution Article: K11564859

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable.

---

640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
Connect to a public network which has Captive Portal and the Captive Portal uses jQuery library for mobile devices. EdgeClient does not render login page for such Captive Portal.

Conditions:
Use public network with Captive Portal that uses jQuery library for mobile devices.

Impact:
EdgeClient can not establish VPN connection.

Workaround:
Use a browser to authenticate to Captive Portal. For locked client, there is no suitable workaround.

Fix:
Now Edge Client can successfully interact with a greater number of wifi captive portals.

---

640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.

Component: Policy Enforcement Manager

Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.

Conditions:
PEM policies against a subscriber should be modified such that the BWC policy stays the same while the BWC category changes.

Impact:
Use cases dependent on BWC can be impacted.

Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.

---

640457-2 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down & comes back up very rapidly & some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.

---

640407-1 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule command to get or set state during CLIENT_CLOSED iRule event.

---

640384-3 : New iRule options for MR::message route command

Component: Service Provider

Symptoms:
When routing a message via the MR::message route command, the connection-mode and max-connections attributes are not settable.

Conditions:
This is encountered when using the MR::message or MR::peer iRule commands and you wish to set the connection mode or max connections.

Impact:
For applications where other connection-modes are required (for example PER_CLIENT), it is not possible to implement via iRule.

Workaround:
NA

Fix:
New keywords added to MR::message route command to allow specification of the connection-mode and max-connections attributes of the temporary route added to the message.

---

640376-3 : STPD leaks memory on 2000/4000/i2000/i4000 series

Solution Article: K46452834

Component: Local Traffic Manager

Symptoms:
STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs will grow in physical memory usage indefinitely so long as its role in the tree results in sending BPDU packets. The memory usage will be faster for each interface that is sending BPDUs.

Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with Linux top commands.

ex. top -b -n 1 | grep stpd

The 5th and 6th columns 'VIRT' and 'RES' slowly increase over time, indicating the memory leak.

Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.

Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured in such a way that the defect affected platforms don't generate BPDUs. This can be done by choosing a root such that the defect affected platforms will have its interfaces to be in blocking mode, or if possible, to be in passthrough mode.

Fix:
BPDU process source code fixed to release memory allocated for each BPDU packet created and sent.

---

640369-2 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.

Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan

TMM may respond directly using the auto-lasthop feature and not via the route lookup.

Impact:
Traffic may not follow the expected path.

Fix:
TMM now correctly uses the configured option for auto-lashop and ICMPv6 traffic

---

640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Solution Article: K01000259

Component: Local Traffic Manager

Symptoms:
Connflow entry memory are leaked when BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between
the DHCP client and the BIG-IP system sets giaddr field to itself after connflows created are aged out in a particular order.

Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) DHCP relay agent sits between the DHCP client and the BIG-IP system sets giaddr field in DHCP renewal packet to itself (this has been observed in Cisco devices), so that DHCP renewal packet will be sent to a relay agent by DHCP servers.
3) Connflow created to giaddr(relay agent) ages out before
connflows created to DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
Ref count handing for giaddr connflows are now decremented when the client side connflow is removed, preventing the memory leak.

---

639970-3 : GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error

Component: Local Traffic Manager

Symptoms:
Client SSL profile certificate extensions names switch to numbers if there is any validation error in save.

Conditions:
Try to Create/Modify client ssl profile such that it results in a validation error and click 'Finished/Update'.

Impact:
No functional impact: certificate extensions names switch to their number representation, but if you correct the actual validation error and submit the change, the saved object will have the expected set of certificate extensions.

Workaround:
Use TMSH to create/update client SSL profile.

Fix:
GUI client SSL profile certificate extensions names are displayed even if there is a validation error.

---

639929-2 : Session variable replace with value containing these characters ' " & < > = may cause tmm crash

Component: Access Policy Manager

Symptoms:
TMM crash with session variable being replaced with a value containing one of the following special characters:
' " & < > =

Conditions:
Session variable replace with value containing the following characters:
' " & < > =

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, avoid session variable values containing ' " & < > =. Otherwise, there is no workaround.

Fix:
Session variable overwrite operation with value containing special characters now works correctly.

---

639767-2 : Policy with Session Awareness Statuses may fail to export

Component: Application Security Manager

Symptoms:
ASM policy with many Session Awareness Statuses may fail to export.

Conditions:
There are many Session Awareness Statuses configured for the policy.

Impact:
ASM policy export will fail.

Workaround:
Remove all Session Awareness Statuses before export.

Fix:
ASM policy export only includes Session Awareness Statuses set to "Block All", and completes reliably.

---

639764-2 : Crash when searching external data-groups with records that do not have values

Component: Local Traffic Manager

Symptoms:
The TMM may crash when search through an external data-group that has at least one value with empty value.

Conditions:
For example, this occurs if data-group is defined as follows:
the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",

A search in the data-group above with -value or -element options where at least one of the result records has no value will most likely result in a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure that every record in the external data-groups has a value.

Fix:
Searching values in an external data-group where result will contain at least one value with an empty value no longer results in a TMM crash. A -value search will yield an empty string for the records that do not have a value.

---

639750-1 : username aliases are not supported

Component: Fraud Protection Services

Symptoms:
in is a common practice to use aliases for username. for example, an app might allow users to login with either their ID, cell number, or nickname.
WebSafe doesn't support username aliases.

Conditions:
This is encountered when your application uses username aliases.

Impact:
You are unable to use username aliases in your applications.

Workaround:
None.

Fix:
providing new ANTIFRAUD irule command for setting username (replace username alias with the "real" username)

---

639744-1 : Memory leak in STREAM::expression iRule

Solution Article: K84228882

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.

---

639729-2 : Request validation failure in AFM UI Policy Editor

Solution Article: K39428424

---

639619-3 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
Configuration fails then to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot

Fix:
The system now always reload the .unitkey from storage when loading other keys, so the UCS loads as expected.

---

639575-5 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar. If any of the files collected are greater than 2 GB, the output tar file cannot be read by /bin/tar.

This occurs due to a limitation of the file compression library employed by qkview command; the system cannot collect files larger than 2 GB in size in a Qkview.

The qkview command may generate output that iHealth cannot parse, and that the tar command cannot extract.

Conditions:
-- The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
-- A 2 GB or larger file exists in a directory that qkview normally collects.

Impact:
No qkview diagnostics file is created. Although you can extract the qkview tarball using /usr/bin/libtar, the file will be a zero-length file. Cannot submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
Remove the file larger than 2 GB from the system prior to running qkview or other program that uses libtar.

Fix:
With the fix to third party software, libtar, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.

---

639505-3 : BGP may not send all configured aggregate routes

Component: TMOS

Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.

Conditions:
- BGP established sessions.
 - BGP configuration contains several aggregate routes, one or more being a supernet of others.

Impact:
The smaller prefix aggregate (least specific), may not be sent to the BGP peer.

Fix:
BGP now sends all configured aggregates

Behavior Change:
BGP now sends all configured aggregates, even if one is supernetwork of another.

---

639486-4 : TMM crash due to PEM usage reporting after a CMP state change.

Component: Policy Enforcement Manager

Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.

Conditions:
A CMP state change due to a card reboot, disable, enable, insert or remove should have occurred while or right before a PEM usage reporting action.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Instead of asserting, handled the error condition gracefully.

---

639395-2 : AVR does not display 'Max read latency' units.

Solution Article: K91614278

Component: Application Visibility and Reporting

Symptoms:
AVR does not display units for 'Max Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.

Fix:
Added units (microsecond) to AVR report.

---

639283-4 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN

Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.

Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.

Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.

Fix:
The Custom Dialer/Windows Logon Integration feature now shows a certificate warning when the certificate is untrusted by the client. This allows the logon to proceed if the user accepts the certificate.

---

639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Solution Article: K66947004

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain Contact header expires value set to 0 that is not the last attribute

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.

---

639193-1 : For HA BIG-IP devices, deleting parent policy causes sync to fail.

Solution Article: K03453591

Component: Advanced Firewall Manager

Symptoms:
In a high availability (HA) environment, deleting parent policy causes sync to fail.

Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.

Impact:
Sync operation fails.

Workaround:
Use the following Workaround:
Run the following commands:
   tmsh save sys config partitions all
   tmsh load sys config partitions all
   Sync

Fix:
In high availability (HA) environments, deleting parent policy no longer causes sync to fail.

---

639039-4 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Solution Article: K33754014

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.

---

638997-2 : Reboot required after disk size modification in a running BIG-IP VE instance.

Component: TMOS

Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.

- A reboot is required after any such modification in the disk size for the changes to take effect. In previous versions, the reboot happened automatically but an affected BIG-IP VE will not have the reboot happening automatically.

- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.

Conditions:
Modifying disk size in a running BIG-IP VE instance.

Impact:
Changes in the disk size do not take effect till BIG-IP system is rebooted.

Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.

Fix:
Reboot required after disk size modification in a BIG-IP VE instance.

---

638960-2 : A subset of the BIG-IP default profiles can be incorrectly deleted

Component: TMOS

Symptoms:
On the BIG-IP system, default profiles should not be deletable. However, the system incorrectly allows a subset of them to be deleted. Known affected profiles include all default persistence and http profiles.

Conditions:
The issue occurs when someone attempts to delete a susceptible profile via TMSH, iControl SOAP or iControl REST. The issue does not occur when using the WebUI (where susceptible profiles are not selectable for deletion).

Impact:
If a default profile is missing from the configuration, several issues may arise. For instance, the configuration may fail to load or save, and the WebUI may fail to display certain screens.

Fix:
The system no longer allows certain default profiles to be deleted.

---

638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

If you have an escaped quote in your configuration, and are moving to a configuration with this the dependency of this fix, you cannot reload the configuration or the license which also reloads the configuration. Doing so, will cause the config load to fail.

---

638893-1 : Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command

Component: TMOS

Symptoms:
Error message references solution number instead of Knowledgebase number:
 err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.

Conditions:
Incorrectly configure net interface media, e.g.,
modify net interface 1.0 media 100TX-FD.

Impact:
Posted message references SOL14556. The Ask F5 site now uses K numbers instead of SOL numbers. At some point, the previously used SOL numbers might no longer redirect, and the information originally in that article would be lost.

Workaround:
View knowledgebase article K14556: Copper 1 Gbps modules configured with media other than the 'auto' setting may not function, https://support.f5.com/csp/article/K14556.

Fix:
Updated tmsh output to reference the new knowledgebase numbering.

---

638881-1 : Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances

Component: TMOS

Symptoms:
When the fan tray is removed, the fan status in tmctl tables and 'tmsh show sys hardware' are not updated correctly to reflect the current status of the fan tray i.e. not-present.

Conditions:
When the fan tray is physically removed.

Impact:
It is important to be aware of the fan status since malfunctioning of the fan tray can result in thermal shutdown when temperature thresholds are reached. Having incorrect/incomplete status would result in delayed corrective actions if a problem should arise.

Workaround:
No workaround at this time.

---

638825-2 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD

Component: TMOS

Symptoms:
Value returned for sysInterfaceMediaActiveSpeed OID has value of 80 for interface with type 100000SR4-FD instead of value of 100000.

Conditions:
This always occurs for this type of interface.

Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.

Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.

---

638799-1 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.


The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now complete successfully for non-Access (non-APM) iRule events that are attached to the virtual server.

---

638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, Horizon View HTML5 client is using new URI for launching remote sessions, and supports 302 redirect from old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
Handle 302 redirects for VMware View HTML5 client are now handled properly.

---

638715-3 : Multiple Diameter monitors to same server ip/port may race on PID file

Solution Article: K77010072

Component: Local Traffic Manager

Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.

Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.

Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.

Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).

Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.

---

638629-2 : Bot can be classified as human

Component: Application Security Manager

Symptoms:
A bot is classified as human in a rare case.

Conditions:
Web scraping is turned on. The CSHUI is tried on the user.

Impact:
Bot traffic gets classified as human by ASM.

Workaround:
N/a

Fix:
Fixed the CSHUI algorithm to have better bot detection.

---

638594-3 : TMM crash when handling unknown Gx messages.

Component: Policy Enforcement Manager

Symptoms:
TMM crash resulting in potential loss of service.

Conditions:
PCRF sends unsupported Gx messages to PEM.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Add support for identifying unknown messages types and handle them gracefully.

---

638556-2 : PHP Vulnerability: CVE-2016-10045

Solution Article: K73926196

---

638170-1 : Pagination broken or missing while viewing pool statistics for GTM wideip

Solution Article: K36455356

Component: Global Traffic Manager (DNS)

Symptoms:
Error occurs while viewing pool statistics for GTM wideip if the number of pools are more than what can be displayed in a single screen.

Conditions:
When the number of pools are more than what can be displayed as specified in the System :: Preferences :: Record Per Screen setting.

Impact:
Unable to view the statistics of GTM wideip pools beyond those displayed on the screen.

Workaround:
Increase the number of Records Per Screen (System :: Preferences :: Records Per Screen) to a number larger than the number of pools in the GTM wideip.

Fix:
Can now view the statistics of GTM wideip pools beyond those displayed on the initial screen.

---

638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Solution Article: K51201255

---

638091-4 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.

Fix:
Config sync after changing named pool members no longer causes mcpd on secondary blades to restart.

---

637666-2 : PHP Vulnerability: CVE-2016-10033

Solution Article: K74977440

---

637561-1 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice

Component: TMOS

Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.

Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only.

Impact:
Wildcard wideips are not returning wildcard requests correctly.

Workaround:
reload mcpdb using commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd

Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.

---

637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT

Component: TMOS

Symptoms:
If iRule is used by several virtual servers, and you edit the iRule online, it could cause TMM to be eventually killed by SOD (watchdog).

Conditions:
This can occur under the following conditions:
1. The iRule is used by large number of virtual servers.
2. You edit the iRule and save changes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If iRule is used by several virtual servers, and you edit the iRule online, it no longer causes TMM to be eventually killed by SOD (watchdog).

---

637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy

Solution Article: K41542530

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.

---

637252-1 : Rest worker becomes unreliable after processing a call that generated an error

Solution Article: K73107660

Component: Application Security Manager

Symptoms:
Unreliable behavior from ASM REST API.
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Conditions:
A REST worker can enter this state if it processes specific calls that ended in error, such as creating a new active Policy.

Note: Policies are meant to be created inactive and then activated through the apply-policy task.

Impact:
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Workaround:
1) Do not create 'active' policies. Create them with 'active': false, and then use the apply-policy task to set them active.

2) To recover a device that has reached this state, restart restjavad using the following command:
 bigstart restart restjavad

Fix:
REST workers maintain correct state and behavior after calls with errors.

---

637227-4 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.

Solution Article: K60414305

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.

A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.

Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.

Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.

Workaround:
None.

Fix:
DNS validation now occurs as expected, resulting in valid answers to AAAA queries.

---

637181-4 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.

---

636918-2 : Fix for crash when multiple tunnels use the same traffic selector

Component: TMOS

Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.

Conditions:
Same traffic selector used with more than one tunnel.

Impact:
Possible tmm restart if problem happens. Traffic disrupted while tmm restarts.

Workaround:
Use different traffic selectors for different tunnels.

Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.

---

636853-2 : Under some conditions, a change in the order of GTM topology records does not take effect.

Solution Article: K19401488

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.

Fix:
Changes in the order of topology records now take effect immediately.

---

636842-1 : A FastL4 virtual server may drop a FIN packet when mirroring is enabled

Solution Article: K51472519

Component: Local Traffic Manager

Symptoms:
A FastL4 virtual server may drop a FIN packet when mirroring is enabled.

Conditions:
- The virtual server uses the FastL4 profile.
- The virtual server performs mirroring.
- The tm.fastl4_ack_mirror db key is enabled (default).
- The client or the server sends a FIN packet, immediately followed by a RST packet.

Impact:
The BIG-IP system forwards the RST packet but not the FIN packet.

As the RST sent by one of the TCP endpoints would have its sequence number increased by 1 to account for the FIN packet, the other TCP endpoint may not accept the RST as the FIN packet was never seen.

This issue is exacerbated if the FIN packet also carries application data (for example, if it is actually a FIN,PSH,ACK packet). In this case, the other TCP endpoint never sees the application data contained within the packet, and the sequence number in the RST will be off by more than just 1.

Ultimately this can cause application failures and also the two connection flows to stall for some time.

Workaround:
To workaround this issue you can either:

1) Disable mirroring for the virtual server (but this comes with a loss of functionality, which may not be acceptable).

or

2) Disable the tm.fastl4_ack_mirror db key (but this would affect all FastL4 virtual servers performing mirroring on the box).

Fix:
A FastL4 virtual server no longer drops a FIN packet when mirroring is enabled.

---

636790-3 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Component: Global Traffic Manager (DNS)

Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.

Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.

Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.

Workaround:
None.

Fix:
The GUI now properly hides or disables the action buttons if a user does not have proper permissions to perform the action.

---

636774-1 : Potential TMM crash credits to BWC token distribution logic

Component: TMOS

Symptoms:
tmm crashes at 'bwc_stb_static_recharge (stb_static=0x560086f501f0) at ../net/bwc_stb.c:364'.

Conditions:
Bandwidth Control (BWC) policies enabled with PEM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Fixed a potential TMM crash credits to BWC token distribution logic.

---

636744-1 : IKEv1 phase 2 SAs not deleted

Solution Article: K16918340

Component: TMOS

Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.

Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.

Impact:
IPsec tunnel(s) is/are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.

Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.

Option 2: Edit /config/failover/active and add the following two lines at the end:

logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa

---

636702-3 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790

---

636699-5 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821

---

636669-3 : bd log are full of 'Can't run patterns' messages

Solution Article: K37300224

Component: Application Security Manager

Symptoms:
The bd log are getting filled up with 'Can't run patterns' messages. A core might occur due to the i/o outage. General traffic disturbance/slowness might occur.

Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.

Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.

Workaround:
None.

Fix:
Fixed log throttling issue related to attack patterns configuration change.

---

636541-3 : DNS Rapid Response filters large datagrams

Component: Global Traffic Manager (DNS)

Symptoms:
Assigning a profile with DNS rapid response enabled to a virtual server on a P8 chassis might result in problems with blades and the cluster.

Depending on the timing of operations (config is loaded and tmm restarts), blades might never join the cluster properly and you will see errors similar to the following looping in /var/log/tmm:
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445394
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445416

Conditions:
-- Assigning a profile with DNS rapid response enabled to a virtual server.
-- P8 chassis.
-- Large datagrams being passed.

Impact:
DNS Rapid Response filters large datagrams. Blades might never join the cluster.

Workaround:
There is no workaround at this time.

Fix:
The system now passes through any datagrams too big for DNS rapid response.

---

636535 : HSB lockup in vCMP guest doesn't generate core file

Solution Article: K24844444

Component: TMOS

Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.

Conditions:
HSB lockup, which occur rarely.

Impact:
Limited ability to diagnose failures due to HSB lockups.

Workaround:
None.

Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.

---

636520-3 : Detail missing from power supply 'Bad' status log messages

Solution Article: K88813435

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.

---

636397-1 : bd cores when persistent storage configuration and under some memory conditions.

Component: Application Security Manager

Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:

BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.

Conditions:
There is persistent storage configuration. There is high memory usage.

Impact:
bd crash. Traffic resets and/or failover

Workaround:
None.

Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.

---

636370 : Application Layer Encryption AJAX support

Component: Fraud Protection Services

Symptoms:
WebSafe doesn't support parameters encryption in Single Page Applications (using AJAX)

Conditions:
Application uses AJAX for sending parameters to web server

Impact:
Encryption won't work for Single Page Applications

Workaround:
N/A

Fix:
Adding AJAX encryption support (full payload encryption)

for 12.1.2-hf, enabling this feature requires:

tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>

AJAX-HEADER-NAME existence will enable AJAX support for current request and its value may contain the username used in current request (if configured and exists)

Note that activating AJAX support in releases > 12.1.2-hf is done differently (configured in profile, not in db)

---

636290 : vCMP support for B4450 blade

Component: TMOS

Symptoms:
vCMP is not supported in the B4450 blade

Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions, for more information on supported vCMP versions see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Impact:
You are unable to configure vCMP on the B4450 blade.

Fix:
vCMP is supported on the B4450 blade in this version.

---

636289-2 : Fixed a memory issue while handling TCP::congestion iRule

Component: Local Traffic Manager

Symptoms:
Increased memory usage in tmm.

Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.

Impact:
The memory allocated for congestion control is not freed.

Workaround:
If it is desired to use highspeed congestion control under some conditions, it is possible to start with highspeed by choosing highspeed congestion control in the TCP profile and switch to other desired congestion control when condition does not hold. With this workaround, once congestion control is changed to something other than highspeed, it is not possible to switch back to highspeed again.

Fix:
Improved memory utilization while using TCP::congestion iRule.

---

636254-2 : Cannot reinitiate a sync on a target device when sync is completed

Component: Access Policy Manager

Symptoms:
After a policy sync is successful, re-initating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"

Conditions:
This occurs rarely when performing a sync after a successful sync.

Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.

Fix:
Now APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"

---

636149-3 : Multiple monitor response codes to single monitor probe failure

Component: Local Traffic Manager

Symptoms:
A monitor probe failure to a monitor (such as HTTP) is logged to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made, with the last log entry being the error that triggered the log entry. The other monitor entries made during this event are not specifically relevant, as they are 'stale' and due to previous monitor probe behavior that was logged earlier.

This is due to an error where the 'Could not connect' event appends rather than overwrites existing earlier error messages.

Conditions:
A monitor probe to a monitor is attempted (such as over HTTP), resulting in an 'Unable to connect' failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The final log entry of the 'Could not connect' or 'Unable to connect' message is relevant, while the possible multiple log entries immediately preceding are 'stale' and not relevant (as they are due to an earlier issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last-line for the '/var/log/ltm' log entry, and ignore possibly-present log entries associated with that specific monitor that might be appear immediately above the 'Could not connect' line.

Fix:
The system now handles previous monitor-log errors when reporting a 'Could not connect' error, rather than appending a previous error that might be present.

---

636044-1 : Large number of glob patterns affects custom category lookup performance

Solution Article: K68018520

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.

Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.

---

635977-1 : Bd core on specific out of memory scenario

Component: Application Security Manager

Symptoms:
The bd process crashes.

Conditions:
-- ASM configured.
-- WebSocket traffic.
-- Memory pressure.

Impact:
The bd process crashes. Traffic disrupted while bd restarts.

Workaround:
None.

Fix:
Memory pressure with WebSocket traffic does not lead to intermittent crashes.

---

635961-1 : gzipped and truncated files may be saved in qkview

Component: TMOS

Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.

Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.

Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.

Workaround:
Ignore the extra copy of the file.

Fix:
Files are no longer both gzipped and truncated.

---

635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Solution Article: K23440942

---

635754-1 : Wildcard URL pattern match works inncorectly in Traffic Learning

Solution Article: K65531575

Component: Application Security Manager

Symptoms:
In the policy with URL learning mode set to ALWAYS, wildcard URL matching for *.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" will prevent you from adding other wildcard destinations using policy builder.

Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using "Up" button".

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning

---

635703-1 : Interface description may cause some interface level commands to be removed

Solution Article: K14508857

Component: TMOS

Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.

Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.

Impact:
Interface level commands after the description will not appear in the imish running config and will not be loaded/functional.

Workaround:
To prevent this issue, do not use interface-level descriptions.

If the issue has already occurred, and the configuration is not loading, you can manually correct it using the following procedure:
1. Stop tmrouted using the following command: bigstart stop tmrouted
2. Edit the ZebOS.conf from the corresponding route-domain file manually and remove the interface-level 'description' and 'no shutdown' commands.
3. Restart tmrouted using the following command: bigstart restart tmrouted.

Note: Performing the workaround procedure will temporarily disrupt dynamic routing, so care and adequate planning must be taken into consideration.

Fix:
Routing protocol interface commands are no longer lost with the addition of interface descriptions.

---

635561-1 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to newer version

Impact:
Missing statistics.

Workaround:
No workaround

Fix:
Upgrade and verify all heavy URLs statistics are shown.

---

635541 : "Application CSS Locations" is not inherited if changing parent profile

Component: Fraud Protection Services

Symptoms:
"Application CSS Locations" is not inherited if changing parent profile, which can cause to the following error while saving: Application CSS Locations cannot be empty.

Conditions:
This occurs in the GUI when FPS provisioned when the system is configured with phishing detection license.

Impact:
Cannot use FPS GUI to configure Application CSS Locations.

Workaround:
Use tmsh or the REST API to configure Application CSS Locations.

Fix:
"Application CSS Locations" is inherited if parent profile is changed. No errors are shown while saving.

---

635412 : Invalid mss with fast flow forwarding and software syn cookies

Solution Article: K82851041

---

635314-5 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127

---

635274-1 : SSL::sessionid command may return invalid values

Solution Article: K21514205

Component: Local Traffic Manager

Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.

Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.

Impact:
The iRule might not work as expected.
High CPU usage.

Workaround:
Do not use the SSL:sessionid iRule.

Fix:
The SSL::sessionid iRule returns the session ID as expected.

---

635257-2 : Inconsistencies in Gx usage record creation.

Solution Article: K41151808

Component: Policy Enforcement Manager

Symptoms:
Duplicate usage records may be created or expected usage records may be missing.

Conditions:
A subscriber session is associated with the following policies:

1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.

2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.

Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.

Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.

To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.

Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.

---

635252-1 : CVE-2016-9256

Solution Article: K47284724

---

635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages

Solution Article: K80902149

Component: Policy Enforcement Manager

Symptoms:
CCR-u or CCR-t sent in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164, etc., even if the AVPs are marked mandatory.

Conditions:
This occurs when the BIG-IP system sends a CCR-u or CCR-t when the specified policy received from PCRF does not exist.

Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164.

Workaround:
None.

Fix:
Added the custom AVPs in the case of CCR-u and CCR-t, if those attributes are enabled for reporting in the protocol profile.

---

635191-1 : Under rare circumstances TMM may crash

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP failover.

Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.

Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm restart and failover no longer occur.

---

635129 : Chassis systems in HA configuration become Active/Active during upgrade★

Component: TMOS

Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.

The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.

Conditions:
This problem occurs on VIPRION chassis systems, either running natively, or as a VCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2), to any other version. The problem occurs on any upgrade, whether on the list of affected versions, or a later version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until all Chassis are finished upgrade. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.

---

635116-1 : Memory leak when using replicated remote high-speed logging.

Solution Article: K34100550

Component: TMOS

Symptoms:
As a result of a known issue when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one poolmember, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.

---

634779-1 : TMM may crash will processing SSL Forward Proxy traffic

Solution Article: K43945001

---

634576 : TMM core in per-request policy

Solution Article: K48181045

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

---

634371-2 : Cisco ethernet NIC driver

Component: TMOS

Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67

Conditions:
N/A

Impact:
Cisco recommends using the updated version 2.3.0.12

Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.

---

634265-2 : Using route pools whose members aren't directly connected may crash the TMM.

Solution Article: K34688632

Component: Local Traffic Manager

Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.

Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources traffic. An example is an sFLOW configuration.

Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.

Workaround:
Create route pools with directly connected members.

Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.

---

634252 : TMM crash with per-request policy in SWG explicit

Solution Article: K99114539

Component: Access Policy Manager

Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.

Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.

---

634215-1 : False detection of attack after restarting dosl7d

Component: Application Visibility and Reporting

Symptoms:
False detection of an attack.

Conditions:
Restarting dosl7d during traffic.

Impact:
False attack is reported.

Workaround:
No workaround

Fix:
Restart dosl7d during moderate traffic and verify no false attack is reported.

---

634115-1 : Not all topology records may sync.

Component: TMOS

Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.

Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.

Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.

Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.


This can be performed from tmshell or bash.

tmshell:
---------
(/Common)(tmos)# run cm config-sync force-full-load-push to-group gtm
Force a full load sync? (y/n)y

bash:
---------
tmsh run cm config-sync force-load-push to-group gtm

Note: This command executes and returns to bash with no feedback. To determine the outcome, you can check /var/log/gtm for 'success'.

Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.

---

634078-2 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero

Component: Service Provider

Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.

Conditions:
This occurs when a message routing SIP profile is in use.

Impact:
Source port is set to 0.

Workaround:
None.

Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.

---

634015-3 : Potential TMM crash due to a PEM policy content triggered buffer overflow

Solution Article: K49315364

Component: Policy Enforcement Manager

Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.

Conditions:
PEM configured with a large number of policy rules that goes beyond the maximum supported PEM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Buffer allocation checks have been added in that result in an error log along in case of a buffer overflow.

---

634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.

Impact:
ASM restart

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.

---

633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Solution Article: K52833014

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, then save and then restart, this would set up the daemon from a config file instead of via incremental config parsing. So while it would not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.

---

633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.

Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.

Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Workaround:
None.

Fix:
The system now automatically gathers nitrox data collection when request queue stuck errors occur.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.

---

633691-4 : HTTP transaction may not finish gracefully due to TCP connection is closed by RST

Component: Local Traffic Manager

Symptoms:
HTTP or other higher layer protocol transactions may not finish gracefully due to TCP connection is closed by RST.

Conditions:
1. There is ClientSSL or ServerSSL configured on the Virtual Server.
2. HTTP or other higher layer protocol has not finished the translations yet.
3. Client or Server sends out the TCP FIN packet.

Impact:
Application-level responses may not be received at all by the client.

Workaround:
No Workaround.

Fix:
TMM should try to use the TCP FIN to close the connection gracefully as much as possible instead of using RST which will abandon the data which has not been sent out to the wire.

---

633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.

Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.

---

633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
Get error with unrelated IPv4 address.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.

Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.

---

633391-1 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under Address Records Row whether string/int, and click Update

Impact:
There is an "Error parsing IP address" messave at the top of the page. You cannot modify internal data groups using GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6&IPv4 value within an existing data group.

Behavior Change:
users would be able to modify and update data groups

---

633333-3 : During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent

Component: Local Traffic Manager

Symptoms:
During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and an MPTCP connection is established.

Impact:
The serverside connection is reset before all data has been sent, causing the tail end of the data stream to not be proxied.

Workaround:
There is no workaround

Fix:
Fixed sequence of events on connection closure.

---

633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.

Workaround:
Use openssl from the bash command line to generate CSR's.
Solution article K14534 contains the appropriate procedure.

---

633070-1 : Sync Inconsistencies when using Autosync ASM Group between Chassis devices

Component: Application Security Manager

Symptoms:
When at least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it, Devices may go out of sync and may end up with incorrect ASM configuration

Conditions:
At least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it.

An ASM policy is created.

Impact:
Devices may go out of sync and may end up with incorrect ASM configuration

Workaround:
Enable ASM sync on the failover device group, or use manual sync for the ASM device group.

Fix:
Bladed devices (chassis) handle ASM autosync device groups correctly

---

632968-2 : supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails

Component: Local Traffic Manager

Symptoms:
Clients are unable to establish an SSL session.

If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the server SSL profile responds with Certificate and Certificate Verify containing a signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'. Because the backend server does not expect SHA1, the handshake fails.

If the BIG-IP server SSL profile advanced configuration setting for SSL sign hash is set to SHA-256 (and not ANY), the handshake fails with the following error:
Connection error: ssl_hs_rsaprivenc:8528: no shared hash algorithm (40).

Conditions:
* BIG-IP system is communicating with a TLS server (applies to server SSL profiles).
* TLS server is requesting client authentication (this is less common).
* TLS client is using the supported_signature_algorithms extension (this is very common)
* TLS 1.2 is likely needed. TLS 1.0 does not support extensions.
* SSL sign hash for the server SSL profile is set to either 'any' or 'sha-256'.

Impact:
BIG-IP systems sign the TLS handshake with the SHA1 algorithm, which fails on the server.

Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g., 'SHA1 in X.509 certificates'.

Workaround:
No mitigation is known.

Fix:
BIG-IP now properly parses the following extension in CertificateRequest by a TLS server.:

SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>.

This allows the existing logic to work, in particular, to learn that the server supports SHA2 family of hash algorithms and use them with the signature in the TLS handshake.

---

632875-3 : Non-Administrator TMSH users no longer allowed to run dig

Solution Article: K37442533

---

632824-1 : SSL TPS limit can be reached if the system clock is adjusted

Solution Article: K00722715

Component: Local Traffic Manager

Symptoms:
If you adjust the system clock you will occasionally get error messages of the form "SSL transaction (TPS) rate limit reached". (For the intended feature of this message, see K7747: Error Message: SSL transaction (TPS) rate limit reached https://support.f5.com/csp/article/K7747.)

Conditions:
Occurs when you adjust the system clock.

Impact:
When the message occurs, the connection and often several subsequent connections are dropped.

Workaround:
None.

Fix:
The message no longer occurs when the system clock is changed and only occurs when system legitimately reaches the SSL TPS limit.

---

632798-2 : Double-free may occur if Access initialization fails

Solution Article: K30710317

Component: Access Policy Manager

Symptoms:
Double-free may occur if Access initialization fails.

Conditions:
Access initialization failure occurs, possibly due to license issues.

Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.

---

632731-2 : specific external logging configuration can cause TMM service restart

Solution Article: K21964367

Component: Advanced Firewall Manager

Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.

Conditions:
The problem is seen when all the following conditions match:

1. External Logging server configured for ACL rule match.

2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).

3. The forwarded logging destination connection causes a crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use one of the following workarounds:
--Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the forwarding Virtual.

Fix:
Connections originated from the BIG-IP to the remote logging server are not subjected to ACL checks, which prevents generation of logs for log server connection, which prevents the error conditions.

---

632685 : bigd memory leak for FQDN nodes on non-primary bigd instance

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
None.

---

632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.

---

632658-4 : Enable SIP::persist command to operate during SIP_RESPONSE event

Component: Service Provider

Symptoms:
Without this change, it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Conditions:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Impact:
it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Workaround:
NA

Fix:
It is possible to change the timeout of a SIP persistence entry during SIP response message processing.

---

632646-4 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.

Impact:
OAM login with invalid ObSSOCookie results in error page. However, expected behavior is that user is redirected to login page if login with ObSSOCokkie fails.

Workaround:
No Workaround

Fix:
Issue is fixed - On authenticate with ObSSOCookie, read getStatus() API call to check the ObSSOCookie status and redirect to IDP if it is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix user will be redirected to IDP on logging with cookie that is deleted manually from the OAM server.

---

632552-2 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event

Solution Article: K08634156

Component: Local Traffic Manager

Symptoms:
tmm crashes.

Conditions:
When CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event which is fired before either event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the script in _CLOSED events to another events.

Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.

---

632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Solution Article: K31277424

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even they are assigned via a normal resource assign agent, are listed under dynamic resource as opposed to static one.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.

Workaround:
If it is a static resource, do not select it as dynamic resource.

Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.

---

632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Solution Article: K70551821

Component: Access Policy Manager

Symptoms:
Resources put under webtop section such as webtop link, portal access requires to be included as dynamic resource or else sync will fail.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-create portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Includes those resources as dynamic resources in Policy Sync advanced settings.

Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.

---

632472-1 : Frequently logged "Silent flag set - fail" messages

Component: Access Policy Manager

Symptoms:
APM logs excessive messages similar to the following:

2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail

Conditions:
This can occur when connecting to APM via the Edge Client.

Impact:
Excessive messages are logged. These messages can be ignored.

---

632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Solution Article: K40256229

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not [DNS::question type] ends_with "XFR" } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.

---

632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists

Component: Access Policy Manager

Symptoms:
When a iClient control connection, between Edge Client and BIG-IP, exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.

Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection and without explicitly closing the current connection. This could happen when the client interface is down or clients changes the network it is on.

Impact:
Edge Client cannot establish a iClient control connection and hence a tunnel to the BIG-IP.

Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the new connection request is attempted to be accepted.

---

632366-1 : Prevent a spurious Broadcom switch driver failure.

Component: TMOS

Symptoms:
When a high volume traffic is sent to a BIG-IP system, the Broadcom network switch driver might fail. The failure occurs because the switch driver is preempted (by tmm) from completing a long chip reprogramming routine and touching a watchdog. Sod, which monitors the watchdog, thinks the switch driver has become nonfunctional and kills it.

Conditions:
A very high volume traffic is sent to a BIG-IP system under certain circumstances.

Impact:
Potential eventual system outage if the Broadcom switch driver fails.

Workaround:
None.

Fix:
A spurious Broadcom switch driver failure is not possible anymore.

---

632344-2 : POP DIRECTIONAL FORMATTING causes false positive

Component: Application Security Manager

Symptoms:
ASM reports false positive violation for the XML request.

Conditions:
This occurs when using "%E2%80%AC" POP DIRECTIONAL FORMATTING as a input in the XML request.

Impact:
When one of the following 3 byte chars arrives to the XML parser, the payload considered as malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

Workaround:
None.

Fix:
This release now supports the following 3 byte chars within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

---

632326-2 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation

Solution Article: K52814351

Component: Application Security Manager

Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.

Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.

Impact:
False positive Malformed XML violations may still be reported.

Workaround:
N/A

Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1.
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1.
bigstart restart asm.

---

632324-2 : PVA stats does not show correct connection number

Component: Local Traffic Manager

Symptoms:
do command tmsh show sys pva-traffic global

The current connection number showed up may not be correct

Conditions:
This occurs when there is PVA Traffic

Impact:
Wrong stats number for current PVA connections

Fix:
Fixed incorrect statistics for PVA Traffic

---

632178-1 : LDAP Query agent creates only two session variables when required attributes list is empty

Component: Access Policy Manager

Symptoms:
When required attributes list is empty, LDAP Query agent produces only two session variables.
in previous releases, the default behavior was - to get all user's attributes and populate those as session variables

Conditions:
LDAP Query agent configured in an Access Policy.
Required attributes list is empty (not any attr is configured)

Impact:
LDAP Query agent failed if branch rule expects to get user's attributes.
any other agent in the policy that relies on user's LDAP attributes will also fail.

Workaround:
As a workaround you can configure required attributes to be retrieved by LDAP Query agent explicitly

Fix:
The default behavior is back; when the required attributes list is empty, the LDAP Query Agent will retrieve all user's attributes and populate them as session variables.

---

632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security

---

632060-1 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Component: iApp Technology

Symptoms:
when upgrading to 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to

curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:

"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",

Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0

Impact:
if your device has an iApps LX application, then that application sill not synchronize to the standby device. So if a failover occurs, then the iApps LX application will seem to disappear, and traffic will not pass through the application.

Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.

Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.

1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage

Fix:
Upgrade to 13.1 or 13.0.x hot fix

---

632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML Service provider (SP), IdP connector creation can be automated using list of URIs containing IdP metadata.

Symptom for this issue:
When remotely published metadata changes - BIG-IP will not be able to modify previously created idp-connector object(s) to reflect the changes.

When issue happens, the error similar to following is logged in /var/log/saml_automation.log :

"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."

Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.

Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.

This may have different impact based on how metadata is changed.
Impact can be from none to user authentication failure (e.g. when IdP signing certificate is changed).

Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart samlidpd service : "bigstart restart samlidpd"

As a result, SAML connector automation will re-create new idp-connector objects will current up-to-date metadata files.

Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.

---

632001-1 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys

Component: Local Traffic Manager

Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.

This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.

Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/localfolder.

Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.

Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.

Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.

Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.

---

631866-2 : Cannot access LTM policy rules in the web UI when the name contains certain characters

Solution Article: K12402013

Component: TMOS

Symptoms:
Access LTM policy rules in the web UI when the name contains percent (%) or slash (/) displays an empty page.

Conditions:
The LTM policy rule name being accessed contains the characters percent (%) or slash (/).

Impact:
The policy rule properties page displays an empty page.

Workaround:
Update the LTM policy rule using tmsh.

Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.

---

631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Solution Article: K32107573

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use following iRule for broken URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.

Fix:
When OWS serves Transfer-Encoding chunked with zero size chuck, BIG-IP properly handles the response and sends END_STREAM flag finalizing the response.

---

631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Solution Article: K61367823

Component: Application Security Manager

Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.

Conditions:
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.

Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)

Workaround:
None.

Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.

---

631722 : Some HTTP statistics not displayed after upgrade

Component: Application Visibility and Reporting

Symptoms:
Some statistics will disappear after upgrade due to bug in HTTP statistics backup.

Conditions:
Upgrading to newer version

Impact:
Not all statistics are shown.

Workaround:
No workaround

Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.

---

631700-1 : sod may kill bcm56xxd under heavy load

Solution Article: K72453283

Component: TMOS

Symptoms:
Under heavy load, bcm56xxd may not get enough CPU cycles to finish some of its operations and activate the watchdog process. In that case, sod will suspect that bcm56xxd has halted and terminate the process.

Conditions:
When the system is very busy, tmm has higher execute priority, and bcm56xxd does not have enough CPU cycles.

Impact:
The switch will not operate during the restart, and traffic might be interrupted.

Workaround:
Reduce the traffic to make the system less busy.

Fix:
The system now has bcm56xxd activate the watchdog so that sod does not terminate the bcm56xxd process.

---

631688-7 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302

---

631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to route domain stops vlan traffic on VCMP guest. You will experience connection failures when bandwidth Controller (bwc) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not comes up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.

---

631626 : Unable to delete an access profile which contains a route domain agent

Component: Access Policy Manager

Symptoms:
If an Access profile contains a policy with a route domain agent, the policy cannot be copied or deleted from the GUI or command line tools.

The GUI and CLI both fail with the following message:
Operation error: getHash failed

Conditions:
Access profile contains a route domain agent.

Impact:
Cannot delete or copy the Access profile.

Workaround:
Delete the route domain agent from the VPE and then copy/delete the Access profile.

Fix:
You can now copy and delete Access profiles which contain a route domain agent.

---

631609-1 : ASM Centralized Management Infrastructure Sync issues

Component: Application Security Manager

Symptoms:
Devices in a multiple Automatic sync device-groups may extraneously request a full sync after initial device sync creation, or after a full sync event.

Conditions:
Devices are in an autosync failover group and an autosync sync-only group with ASM sync enabled.

Impact:
A device may extraneously request additional full syncs after receiving a full sync from its peer or after adding an ASM policy.

Workaround:
No workaround.

Fix:
Extraneous full sync requests are no longer sent.

---

631582 : Administrative interface enhancement

Solution Article: K55792317

---

631472-1 : Reseting classification signatures to default may result in non-working configuration

Component: Traffic Classification Engine

Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.

Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.

Impact:
Configuration will not load.

Workaround:
Remove application that came with the new IM from the configuration.

Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.

---

631444-2 : Bot Name for ASM Search Engines is case sensitive

Component: Application Security Manager

Symptoms:
CS challenge is returned for request with known search engine which is sent with different case than configured.

Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.

Impact:
Known search engines will get CS challenge.

Workaround:
Have DoS profile on the VS, in which the only feature turned on is Bot Signature, in report only, where only search engine category is turned on.

Fix:
making the ASM Search Engines case insensitive

---

631334-4 : TMSH does not preserve \? for config save/load operations

Solution Article: K69038629

Component: TMOS

Symptoms:
TMSH strips the escape characters for literal strings '\?' to be '?' or '\[' to be '[' in ltm monitor send/recv strings.

Conditions:
This condition manifests whenever the send/recv string in LTM monitor contains '\?' (backslash-question mark) or '\[' (backslash-open square bracket).

Impact:
This might cause the BIG-IP system to load incorrect monitor send/recv strings.

Workaround:
Use [] (open square bracket-close square bracket) in these cases when using a recv string, for example:

[?] [[]

Another option is not using '\' (backslash) in front of '[' (open square bracket) to indicate a literal string.

Note: This workaround is not valid for send strings.

---

631316 : Unable to load config with client-SSL profile error★

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf

---

631286-1 : TMM Memory leak caused by APM URI cache entries

Component: Access Policy Manager

Symptoms:
Tmctl stats for "access_uri_info" gradually grows and can lead to TMM memory exhaustion.

Conditions:
APM or SWG in use.

Impact:
TMM memory exhaustion.

Workaround:
Restart tmm.

Fix:
This release implements a limit of how many entries the system stores in the URI cache. The default is 2048 entries. The DB variable allows a range of 2048 - 8192. You can the following DB variable to control the max limit:

access.max.euie_uri.cache.entries

---

631204-1 : GeoIP lookups incorrectly parse IP addresses

Solution Article: K23124150

---

631172-4 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Solution Article: K54071336

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User logged in to gui and idle for 20-30 minutes

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.

---

631131-3 : Some tmstat-adapters based reports stats are incorrect

Component: Application Visibility and Reporting

Symptoms:
Stats are being collected in a wrong way for tmstat tables that are using partial-key. This leads to wrong values on reports.

Conditions:
Using partial key from tmstat-table on tmstat-adapter

Impact:
Wrong stats values for some reports.

Fix:
Tmstat-Adapters is now using the correct API from tmstat-framework which simulate a 'group-by' function on the query, and thus provide the correct result-set.

---

631060-1 : BIG-IP may incorrectly reject serverside connection when REQLOG is configured.

Component: Access Policy Manager

Symptoms:
Serverside connection can be reset when V2 plugin e.g. REQLOG is configured on virtual.

Conditions:
Virtual server configured with REQLOG and SSL clientside and serverside profiles.

Impact:
Serverside connections can not be established due to early TCP RST and failing TCP handshake.

Workaround:
Remove REQLOG from configuration.

Fix:
V2 Plugins work correctly if clientside is disabled on the hudchain.

---

631048-1 : Portal Access [PeopleSoft] 'My Preferences' page does not have content

Component: Access Policy Manager

Symptoms:
IN PeopleSoft (PS) web-application 'My Preferences' page contains no content.

Conditions:
Steps to Reproduce:

1. Navigate and login to PS Portal through reverse proxy.
2. Click on 'My Preferences' item in 'Action list' button.

Impact:
Page contains no content. Web-application does not work as expected.

Workaround:
To work around this issue, use an iRule.

Fix:
The issue is fixed.

---

631025-1 : 500 internal error on inline rule editor for certain firewall policies

Component: Advanced Firewall Manager

Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.

Conditions:
-- This occurs when editing certain firewall policies in the GUI.
-- The issue is specific to policies with rules that meet the following criteria:

a) At least two addresses with the same first three octets.
b) Addresses should have non-default partition.

141.146.155.40%1 { }
141.146.155.41%1 { }

Impact:
Unable to view or edit the policy, page returns an error

Workaround:
You can view these rules in the GUI by disabling the inline rule editor.

Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.

---

630929-1 : Attack signature exception list upload times-out and fails

Solution Article: K69767100

Component: Application Security Manager

Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------

Conditions:
ASM provisioned.
Attack signature exception list uploaded.

Impact:
Attack signature exception list upload times-out and fails.

Workaround:
N/A

Fix:
Improved the Attack signature exception list upload process to take much less time.

---

630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules

Solution Article: K30241432

Component: WebAccelerator

Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.

Conditions:
WAM policy with node utilizing multiple variation header rules.

Impact:
Potential per-request memory leakage driven by client traffic.

Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.

Fix:
WAM no longer leaks memory when evaluation policy nodes which utilize two or more header variation rules.

---

630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused

Component: TMOS

Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.

Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.

---

630611-1 : PEM module crash when subscriber not fund

Solution Article: K84324392

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.

---

630610-5 : BFD session interface configuration may not be stored on unit state transition

Solution Article: K43762031

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.

---

630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop

Solution Article: K35254214

Component: Access Policy Manager

Symptoms:
Upon waking laptop Edge Client stuck in a reconnect loop.

Conditions:
Full-Tunnel, no Local LAN Access profile; when opening the device lid, which attempts to reconnect to the VPN service. This occurs only with MAC OS X 10.12.1.

Impact:
Cannot connect to VPN, and the Edge Client gets stuck in a reconnect loop.

Workaround:
Allow local subnet access set to enabled.

Fix:
In this release, using MAC OS X 10.12.1 now resumes a connection to VPN using the Edge Client.

---

630546-1 : Very large core files may cause corrupted qkviews

Component: TMOS

Symptoms:
If a core file is found on a slave blade in a chassis, that is too large for qkview to include, this can cause the qkview file for the blade to be corrupted.

Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.

Impact:
iHealth will not parse the qkview.

Workaround:
Copy the core files on the slave blade from /etc/core to a back up location and delete the original files before creating the qkview.

Fix:
qkview files run when core files greater than 2.4 GB exist in /var/core now complete as expected.

---

630475-5 : TMM Crash

Solution Article: K13421245

---

630446-1 : Expat vulnerability CVE-2016-0718

Solution Article: K52320548

---

630356-1 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge

Component: Application Security Manager

Symptoms:
The JavaScript challenge that is sent to a POST request within an iframe will have a follow-up request of GET when coming from Microsoft Internet Explorer or Edge browser. The request reconstruction is incorrect, and the back-end server does not receive the request payload.
This is relevant to all types JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Conditions:
JavaScript challenge is used in a POST request, when one of the following features in enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.

Workaround:
None.

Fix:
JavaScript challenges to POST requests are sent correctly to the back-end server when coming from iframe in Microsoft Internet Explorer/Edge browsers.

---

630355-3 : Local Logs Missing Or Recorded Found For Incorrect Policy

Solution Article: K57041868

Component: Application Security Manager

Symptoms:
When loading a UCS (manually or due to a UCS sync) which has a the same ASM Policy names, but created in a differing order, the local logging daemon does not update its internal mappings.

Conditions:
The configuration is replaced by a UCS load that had a different list of ASM Policies.

Impact:
Local logs may be missing or listed for an incorrect ASM policy.

Workaround:
Restart asmlogd.

---

630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.

---

630150-1 : Websockets processing error

Solution Article: K51351360

---

629921-4 : [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.

Component: Access Policy Manager

Symptoms:
With SWG client side NTLM auth configuration while doing the NTLM auth for backend, ECA plugin is trapping the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, it sinks the request and generates the 407 to the client to do proxy authentication.

Conditions:
Set-up SWG for auth with ntlm credentials
Access a proxied resource which also requires ntlm auth

Impact:
Backend server access is restricted.

Workaround:
None

Fix:
Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.

---

629871-2 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
Deploying NAT64 part of a 464 XLAT solution may overwrite PASV response 464 XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response 464 XLAT cases overwritten.

Workaround:
None.

Fix:
Deploying NAT64 part of a 464 XLAT solution no longer overwrites PASV response 464 XLAT cases.

---

629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues

Component: Device Management

Symptoms:
When HTTP disallows TLSv1 connections, UCS via iControl/REST fails with the following in the logs:

[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
          javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs

Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.

Impact:
iControl REST clients are unable to connect.

Workaround:
None.

Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.

---

629801-2 : Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.

Component: Access Policy Manager

Symptoms:
After syncing an access policy, the access policy change on the other device should be prompting you to apply the policy, but instead it applies the policy automatically.

Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.

A key component that triggers this symptom is that the failover device group is listed first in the configuration. When this occurs, the policy will be applied automatically, which shouldn't occur.

Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.

Workaround:
None.

Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.

---

629698-1 : Edge client stuck on "Initializing" state

Component: Access Policy Manager

Symptoms:
It takes a lot of time to reestablish the VPN connection when the Edge Client switches to network with Captive Portal authentication. Edge client freezes on "Initializing" state for around 1 minute.

Conditions:
This can occur on the Edge Client with Captive Portal configured.

Impact:
Edge client is stuck on "Initializing" for an excessive amount of time.

---

629663-1 : CGNAT SIP ALG will drop SIP INVITE

Solution Article: K23210890

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message i.e. either from expires parameter or the Expire header to update the timeout of the registration record.

---

629627-1 : FPS Log Publisher is not grouped nor filtered by partition

Component: Fraud Protection Services

Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.

All log publishers are displayed regardless of the partition selected.

Conditions:
Provision FPS.
Two or more partitions
Two or more log publishers assigned to different partitions

Impact:
All log publishers are displayed regardless of partition.

Workaround:
None.

Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.

---

629573-1 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition

Solution Article: K66001885

Component: Application Visibility and Reporting

Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.

Conditions:
When using virtual-servers and ASM policies under a non 'Common' partition, exported reports will not display the the selected drill-down filters.

Impact:
Exported reports will be displayed without the filters.

Workaround:
None.

Fix:
Exported reports will take into consideration partitions which will make the drill-down filters appear as expected.

---

629530-2 : Under certain conditions, monitors do not time out.

Solution Article: K53675033

Component: Global Traffic Manager (DNS)

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.

---

629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
It is not known what exactly triggers this, it is caused by a timing issue that occurs during system initialization of multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up.

e.g.

"bigstart restart statsd" on each blade.

Fix:
statsd has been updated to reparse the statsd config file before rebuild it's config so that it doesn't lose the unsupported tables in it's list.

---

629421-1 : Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.

Component: Global Traffic Manager (DNS)

Symptoms:
The memory consumption of Big3d will slowly increase if a lot of Wide IPs are being created or deleted.

Conditions:
Adding or removing Wide IPs on a GTM sync pair.

Impact:
A few bytes of memory will be leaked by Big3d on sync.

Workaround:
there is no workaround at this time.

Fix:
The leak has been eliminated.

---

629412-3 : BIG-IP closes a connection when a maximum size window is attempted

Component: Local Traffic Manager

Symptoms:
HTTP2 provides flow control options which allow you to limit the amount of data on flight. A client can send an increment for a window size to an initial value set by standard to 65,535 bytes. BIG-IP used 64K value inherited from SPDY, causing overflow when the client tried to increment the value to its maximum.

Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.

Impact:
BIG-IP considers the window size overflow as a protocol violation thus it shuts the connection down not serving any request.

Workaround:
None.

Fix:
With a correct value for initial window size (for both a connection and a stream) BIG-IP correctly processes an increment request of the window size to its maximum.

---

629178-1 : Incorrect initial size of connection flow-control window

Solution Article: K42206046

Component: Local Traffic Manager

Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection but their initial sizes of connection flow-control windows must be 65,535. BIG-IP erroneously sets it immediately to a configured value instead. Discrepancy in the window size calculation can result in cancelling of the client's requests.

Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).

Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.

Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).

Fix:
The fix in this release allows BIG-IP to behave according to RFC and send WINDOW_UPDATE frames, preventing the connection flow-control window from exhaustion on a remote endpoint.

---

629145-1 : External datagroups with no metadata can crash tmm

Component: Local Traffic Manager

Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.

Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to large datagroups.

---

629127-1 : Parent profiles cannot be saved using FPS GUI

Component: Fraud Protection Services

Symptoms:
Any parent profile (profile that has bee inherited) cannot be saved in FPS GUI.

Conditions:
Provision FPS
License FPS.
1 or more child profiles.

Impact:
User configurations may not be saved.

Workaround:
Can use TMSH or REST.

---

629085-1 : Any CSS content truncated at a quoted value leads to a segfault

Solution Article: K55278069

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.

---

629069-2 : Portal Access may delete scripts from HTML page in some cases

Component: Access Policy Manager

Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.

Conditions:
JavaScript with Range.createContextualFragment() call which is used to add new scripts by subsequent insertBefore()/insertAfter() calls.

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now web apps delivered via APM Portal Access can use Range.createContextualFragment(), insertBefore(), and insertAfter() javascript properly.

---

628972-2 : BMC version 2.51.7 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

---

628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.

Conditions:
This can be seen in the DNS :: GSLB : Pools : Pick a pool : Members tab

Impact:
You are unable to to quickly get to the server and virtual server from this page.

Workaround:
Manually navigate to associated server and Virtual Server.

Fix:
Hyperlinks for associated server and VS are not showing on the Pool Member list page.

---

628890-1 : Memory leak when modifying large datagroups

Component: Local Traffic Manager

Symptoms:
When modifying large external datagroups, a significant memory leak may occur.

Conditions:
This can occur when a large datagroup is in use and is modified.

Impact:
Memory is leaked, and the amount of memory leaked can be significant.

Workaround:
None.

Fix:
Fixed a memory leak related to modifying large datagroups.

---

628869-4 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Conditions:
Execution of an iRule with the following iRule command:

PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.

Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.

---

628836-4 : TMM crash during request normalization

Solution Article: K22216037

---

628832-4 : libgd vulnerability CVE-2016-6161

Solution Article: K71581599

---

628739-1 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD

Component: TMOS

Symptoms:
Configuring the management IP outside the management subnet succeeds without error.

Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.

Impact:
Admin IP and Gateway for management route (/Common/default) not in a connected network.

Workaround:
Do not configure the IP and Gateway outside the management route.

Fix:
LCD no longer allows invalid configuration of mgmt IP (with gateway IP outside mgmt subnet).

---

628735-1 : Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles

Component: TMOS

Symptoms:
The Hardware SYN Cookie Protection field is not displayed in the GUI configuration screen for TCP/FastL4/FastHTTP profiles, despite hardware support for the feature existing on the
platform.

Conditions:
Configuring TCP/FastL4/FastHTTP profiles in the BIG-IP GUI.

This occurs on vCMP guests, on the 5000/5050, 5200/5250, 7000/7050/7055, 7200/7250/7255, 10000/100050/10055, 10200/10250/10255, 10350N, i5600, i5800, i7600, i7800, i10600, i10800 platforms, and on VIPRION systems using the B4450 or B4450N blades.

Impact:
The Hardware SYN Cookie Protection field is not displayed.

Workaround:
Use tmsh to set the Hardware SYN Cookie Protection field.

Fix:
The system no longer uses a static list of platforms that have an HSB as a basis for displaying the Hardware SYN Cookie Protection option in the GUI, so the field is shown as expected.

---

628721-1 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.

Component: Local Traffic Manager

Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.

Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.

Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.

Workaround:
Restarting tmm will clear the leaked connections.

Fix:
The connections are now properly cleaned up if they are unsuccessfully created.

---

628712-1 : Advanced customization doesn't work for Profiles in non-common partition with . (period) with name

Solution Article: K53129098

Component: Access Policy Manager

Symptoms:
Advanced customization doesn't work for Profiles in non-common partition with . (period) with name.
For example, when selecting logon.inc, it shows no source in the window.

Conditions:
Access Profile outside of Common partition.

Impact:
Unable to modify advanced customizaiton. Other functionality is not affected.

Workaround:
Rename profile and policy to non-period version or import profile and then reexport with no periods.

Fix:
Advanced customization now works for Profiles in non-Common partition with . (period) with name

---

628687-2 : Edge Client reconnection issues with captive portal

Component: Access Policy Manager

Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

Conditions:
Connect to APM through a captive portal.

Impact:
EdgeClient stuck at "Reconnecting".

Workaround:
None.

Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

---

628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal

Solution Article: K79361498

Component: Access Policy Manager

Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).

Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.

Impact:
Numerous security warnings.

Workaround:
None.

Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.

---

628623-1 : tmm core with AFM provisioned

Component: Advanced Firewall Manager

Symptoms:
tmm cores on the secondary blade while passing traffic.

Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.

Impact:
Traffic disrupted while tmm restarts.

---

628402-4 : Operator users receive 'can't get object count from mcpd' error in response to certain commands

Component: TMOS

Symptoms:
Operator users receive the following error in response to certain commands:
Unexpected Error: Can't display all items, can't get object count from mcpd.

Conditions:
-- The user is 'Operator' level.
-- The command is a top-level list or show command, such as the 'show running-config' command.

Impact:
Operator-level users are unable to issue 'show' and 'list' commands on top-level objects, but can 'show' and 'list' specific configuration objects.

Workaround:
Issue commands for specific configuration objects.

Fix:
Operator-level users are now able to issue 'show' and 'list' commands on top-level objects without error.

---

628351-1 : Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled

Component: Application Security Manager

Symptoms:
When Proactive Bot Defense is enabled, requests to URLs with Path Parameters (URLs containing a semicolon ;) may get stuck on a redirect loop. This typically applies to URLs which do not respond with HTML content or to URLs with low traffic.

Conditions:
-- Proactive Bot Defense is enabled.
-- URLs use Path Parameters (containing the semicolon ; character).

Impact:
Clients cannot access the web server, getting caught in an infinite redirect loop.

Workaround:
None.

Fix:
Requests to URLs with ";" no longer get stuck in a redirect loop when Proactive Bot Defense is enabled.

---

628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI

Component: Fraud Protection Services

Symptoms:
Any item added to a list with more than 10 records in Mobile Security section is ignored.

Conditions:
Provision FPS
License mobilesafe
add 11 records to a list

Impact:
User configuration may not be saved.

Workaround:
Use TMSH or Rest.

Fix:
GUI allows adding items to lists with more than 10 records.

---

628337-1 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way which can applied to all URLs protected in a profile. If it is not possible due to some URL HTML structure, HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.

---

628311-3 : Potential TMM crash due to duplicate installed PEM policies by the PCRF

Solution Article: K87863112

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.

Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.

Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.

---

628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.

Fix:
Prevented audit_forwarder from using more memory than it needs.

---

628164-3 : OSPF with multiple processes may incorrectly redistribute routes

Solution Article: K20766432

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.

---

628016-2 : MP_JOIN always fails if MPTCP never receives payload data

Component: Local Traffic Manager

Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.

Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.

Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.

Workaround:
There is no workaround at this time.

Fix:
Allow MP_JOIN after receiving a DATA_ACK that acknowledges data.

---

628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800

Component: TMOS

Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.

Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.

Impact:
None. No f5optics optics module database is presently provided for Herculon platforms. Herculon uses no optics modules that require tuning (e.g., 100G).

Workaround:
None.

Fix:
With the fix, if an optics module data base is provided via an f5optics install, f5optics will become operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.

---

627972-2 : Unable to save advanced customization when using Exchange iApp

Solution Article: K11327511

Component: Access Policy Manager

Symptoms:
When Policy created using Microsoft Exchange iApp script, Advanced Customization (usually of logon page) might fail with error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.

Conditions:
Usually: HA Pair, iApp exchange created profile, in general any advanced customization where name not equals customization_group_name:filename is affected.

Impact:
Unable to edit advanced customization, functionality is unaffected.

Workaround:
edit bigip.conf
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customizaton_group_name:filename i.e.

name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc

Fix:
Can now save advanced customization when using Microsoft Exchange iApp.

---

627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface

Solution Article: K15130343

Component: TMOS

Symptoms:
The HSB driver attempts a nic_failsafe in the case of failing to disable the interface.

Conditions:
The driver disables nic_failsafe prior to triggering the nic_failsafe. This is in hsb_ifdown_go_dead.

Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.

Workaround:
Reboot the device.

Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.

---

627926-1 : Retrieving a server-side SSL session ID in iRules does not work

Solution Article: K21211001

Component: Local Traffic Manager

Symptoms:
Retrieving the server-side SSL session ID using iRule does not work.

Conditions:
Retrieve server-side SSL Session ID using an iRule.

Impact:
iRules that try to log or capture an SSL session ID will not work properly.

Workaround:
None.

Fix:
The server-side SSL session ID can now be retrieved with an iRule.

---

627916-1 : Improve cURL Usage

Solution Article: K81601350

---

627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic

Component: TMOS

Symptoms:
When a 40G interface is configured "bundle disabled" the optic module in use on the interface will be declared as an "Unsupported optic" module even though the optic module is F5 branded.

Conditions:
Using unbundled 40GbE optics.

Impact:
This is a cosmetic problem. The interface is able to function as intended.

Workaround:
No workaround, problem is cosmetic.

Fix:
The fix for the defect results in no longer declaring an otherwise supported optics module as unsupported when bundling is configured disabled on the interface.

---

627907-1 : Improve cURL usage

Solution Article: K11464209

---

627898-2 : tmm leaks memory in the ECM subsystem

Solution Article: K53050234

Component: TMOS

Symptoms:
tmm leaks memory in the ECM subsystem.

Conditions:
-- You import one or more SSL certificates onto the system.
-- The SSL certificates names contain the 'ca-bundle.crt'. For example, 'my-ca-bundle.crt'.

Impact:
With this configuration in place, tmm leaks memory each time the configuration is modified. tmm eventually runs out of free memory. This initially impacts traffic and might eventually lead to tmm crashing and restarting. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by renaming your SSL certificates so that their names do not contain the 'ca-bundle.crt' string.

Fix:
TMM no longer leaks memory in the ECM subsystem.

---

627798-3 : Buffer length check for quota bucket objects

Component: Policy Enforcement Manager

Symptoms:
For quota bucket (Rating Groups) object, BIG-IP allocates a large buffer locally, and doesn't expect it to be over-run as the objects are expected to be smaller

Conditions:
Any quota bucket objects which are being inserted in PEM database

Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.

Workaround:
quota bucket with fewer rules

---

627764-2 : Prevent sending a 2nd RST for a TCP connection

Component: Local Traffic Manager

Symptoms:
After a specific sequence of packets resulting in sending a RST packet, TCP connection was kept alive and sent another RST when connection expired.

Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.

Impact:
2 RST segments is sent to the client instead of 1. In addition, the TCP connection was kept alive until the sweeper cleaned it.

Workaround:
There is no workaround at this time.

Fix:
TCP sends a single RST for specific sequence of packets

---

627747-1 : Improve cURL Usage

Solution Article: K20682450

---

627695-2 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational

Component: Local Traffic Manager

Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.

Conditions:
Issue happens when running safenet-sync.sh -u.

Impact:
No impact.

Workaround:
None.

Fix:
In this release, there is no Yes or No option for the SafeNet uninstall 'safenet-sync.sh -u.' command.

---

627616-3 : CCR-U missing upon VALIDITY TIMER expiry when quota is zero

Component: Policy Enforcement Manager

Symptoms:
CCR-U is not sent upon VALIDITY TIMER experts.

Conditions:
If PCRF does not grant any GSU (no quota), but only specifies the VALIDITY timer.

Impact:
OCS does not get the CCR-U message and misses the information about quota.

Workaround:
Work around is to set the following timers using sysdb to non-zero value. Here is an example:
sys db tmm.pem.session.quota.bucket.denied.timeout { value "1" }
sys db tmm.pem.session.quota.bucket.depleted.timeout { value "2" }
sys db tmm.pem.session.quota.bucket.idle.timeout { value "3" }

Fix:
CCR-U is now sent upon VALIDITY TIMER experts.

---

627574-1 : After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.

Component: Local Traffic Manager

Symptoms:
If a BIG-IP system has Local Traffic Policies defined in a non-Common partition, and the system is upgraded to version 12.1.0, 12.1.1, or 12.1.2, attempting to create a new draft of the policy by selecting "Create Draft" will fail and give an error message similar to:

err mcpd[8140]: 01070734:3: Configuration error: Can't associate policy rule (/Partition1/Drafts/policy_name policy_name_policy_rule) folder does not exist

Conditions:
A system is upgraded to version v12.1.x with Local Traffic Policies in a non-default partition.

Impact:
You cannot modify existing Local Traffic Policies.

Workaround:
Manually create a 'Drafts' folder in the appropriate partition, e.g.:

    tmsh create sys folder /Partition1/Drafts

Alternately, create a new (different) policy in the specified partition, and then delete it. Doing this has a side-effect of creating the Drafts folder.

---

627454 : Trimming leading whitespaces at logging profile creation

Component: Advanced Firewall Manager

Symptoms:
If a logging profile has a TAB character in its name, the name does not get double-quoted in bigip.conf, so configuration load fails.

Conditions:
Copy-pasting the logging profile name including a leading TAB character.

Impact:
Configuration loading failure upon next boot.

Workaround:
Copy-paste only the name (without the TAB character).

Fix:
Leading whitespaces (including TAB characters) are trimmed at profile creation, so the condition that caused the issue is eliminated.

---

627433-1 : HSB transmitter failure on i2x00 and i4x00 platforms

Component: TMOS

Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.

Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.

Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.

Set HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (default is 50) may resolve the issue, depending on the conditions this issue occurred.

Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.

---

627403-2 : HTTP2 can can crash tmm when stats is updated on aborting of a new connection

Component: Local Traffic Manager

Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update stats prior the memory is allocated.

Conditions:
HTTP2 profile is configured and assigned to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
A fix stops HTTP2 from accessing stats prior memory is allocated preventing TMM crash for this reason.

---

627360-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Component: Application Security Manager

Symptoms:
These errors come up in asm log, upon first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded

Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF

Impact:
Upgrade fails

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

---

627341-1 : TMUI loginProviderName is invalid when requesting a REST token

Component: Device Management

Symptoms:
Requests for X-F5-Auth-Token fail when a TMUI view is loaded that requires a X-F5-Auth-Token used for REST requests.

Conditions:
On startup if the tmos login provider takes too long to become available it will cause the login provider to be unavailable, and requests for auth tokens will fail. This is a race condition and happens intermittently. Typically on lower end devices.

Impact:
GUI cannot retrieve F5-Auth-Token for REST requests

Workaround:
bigstart restart restjavad

Fix:
Added retry to add login provider if unavailable.

---

627279-2 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
tmm on a blade may crash during a CMP and PEM change.

Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow for the new stand by chassis to complete its CMP state change activity.

Fix:
Handle sessionDB failures gracefully.

---

627257-2 : Potential PEM crash during a Gx operation

Component: Policy Enforcement Manager

Symptoms:
Tmm may core during a Gx operation

Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Perform proper validation checks as part of API processing.

---

627246-1 : TMM memory leak when ASM policy configured on virtual server

Solution Article: K09336400

Component: Local Traffic Manager

Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.

Conditions:
-- ASM policy is configured on a virtual server.
-- URL access via the virtual server.

Impact:
System leaks 64 bytes of memory. TMM might run out of memory and eventually crash.

Workaround:
None. But disabling ASM policy configuration on the virtual server can alleviate the problem.

Fix:
A memory leak in hud_oob when ASM policy configured on virtual server has been fixed.

---

627214-3 : BGP ECMP recursive default route not redistributed to TMM

Component: TMOS

Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.

Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.

Impact:
Packets are not routed to all ECMP nexthops.

Workaround:
None.

Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.

---

627203-1 : Multiple Oracle Java SE vulnerabilities

Solution Article: K63427774

---

627117-1 : crash with wrong ceritifcate in WSS

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Web services security is turned on.
a bad / wrong / missing certificate is attached.

Impact:
Traffic drop until the BD is back (or failover).

Workaround:
The workaround would be to fix the attached certificate.

Fix:
Fix an issue with wrong certificates.

---

627059-1 : In some rare cases TMM may crash while handling VMware View client connection

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
VMware View client uses PCoIP to connect to backend via APM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed rare TMM crash during handling of VMware View client PCoIP connection

---

626990-1 : restjavad logs flooded with messages from ChildWrapper

Solution Article: K64915164

Component: TMOS

Symptoms:
Running iControl REST under heavy load might result in restjavad logs being filled with multiple, repeating messages similar to the following:

[WARNING][76559][13 Dec 2016 07:08:00 UTC][ChildWrapper] Exception found in child runner thread: null

Conditions:
-- Put iControl REST under a heavy load.
-- View restjavad logs.

Impact:
Logs fill with messages and rotate out. Logs full of these error messages might cause other messages to be missed.

Workaround:
None.

Fix:
iControl REST properly handles the exception described.

---

626910-1 : Policy with assigned SAML Resource is exported with error

Component: Access Policy Manager

Symptoms:
If Access Profile's Access Policy has saml resource assigned export is failing with error.

Conditions:
1. Access profile/access policy
2. Saml resource is assigned

Impact:
Unable to Export Policy

Fix:
Work order is restored

---

626861-2 : Ensure unique IKEv2 sequence numbers

Solution Article: K31220138

Component: TMOS

Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.

Conditions:
When a sufficiently large number of tunnels are in use (e.g., numbering in thousands), odds of generating a duplicate sequence number is relatively high, given the number of random bits used to generate the number. More tunnels makes it more likely to occur.

Impact:
On sequence number collision, this might confuse an old SA, and probably never complete negotiation of a new SA. In addition, the system might crash if updating an old SA happened in a state where update is not expected.

Workaround:
None.

Fix:
Now BIG-IP uses more random bits in generated sequence numbers, and it always checks whether a new sequence number is currently in use anywhere else before proceeding. Thus collisions cannot be generated in sequence number allocation. New numbers should always be guaranteed unique now.

---

626851-2 : Potential crash in a multi-blade chassis during CMP state changes.

Solution Article: K37665112

Component: Policy Enforcement Manager

Symptoms:
CMP state change can result in a blade crash.

Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.

Impact:
Blade crash resulting in potential loss of service.

Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.

Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.

---

626839 : sys-icheck error for /var/lib/waagent in Azure.

Component: TMOS

Symptoms:
On a BIG-IP deployed in Azure cloud, sys-icheck reports readlink error for /var/lib/waagent directory as following:

ERROR: ....L.... /var/lib/waagent

Conditions:
BIG-IP deployed in Azure cloud.

Impact:
sys-icheck reports "rpm --verify" errors for /var/lib/waagent. This doesn't have any functional impact on the product but looks like factory RPM settings were modified externally and incorrectly.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck error for /var/lib/waagent in Azure.

---

626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain errors messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.

Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.

---

626596 : Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Component: TMOS

Symptoms:
Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections' instead of 'Assisted Connections'.

Conditions:
-- Running vCMP.
-- System provides hardware acceleration.
-- Statistics :: Analytics :: Hardware Acceleration menu.

Impact:
Spelling of 'Assited' instead of the expected 'Assisted'.

Workaround:
N/A

Fix:
Changed spelling of 'Assited' to 'Assisted'.

---

626589-6 : iControl-SOAP prints beyond log buffer

Solution Article: K73230273

Component: TMOS

Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.

Conditions:
Logging for iControl SOAP is turned on with trace level.

Impact:
iControl-SOAP can print out garbage log to /var/log/ltm and can potentially lead to instability with reading beyond a buffer.

Workaround:
Do not enable logging with trace level, which is not turned on by default.

Fix:
Trim trace buffer to appropriate length to prevent printing garbage.

---

626542-2 : Unable to set maxMessageBodySize in iControl REST after upgrade★

Component: Device Management

Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:

{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}

Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1,or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.

Impact:
Command fails, unable to set maxMessageBodySize.

Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:

1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100.
2. bigstart restart restjavad.

Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.

---

626438-1 : Frame is not showing in the browser and/ or an error appears

Component: Application Security Manager

Symptoms:
frame going blank when ASM policy enabled. this will trigger the following JS error in clients console:
Uncaught TypeError: Cannot read property '3' of undefined

Conditions:
Asm policy enabled. Device id is enabled theough one of the supporting features

Impact:
Site not operating correctly.

Workaround:
N/a

Fix:
Fixed device id javascript issue that prevented a frame from being displayed .

---

626434-6 : tmm may be killed by sod when a hardware accelerator does not work

Solution Article: K65283203

Component: Local Traffic Manager

Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.

Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Power cycling the system might correct the error.

Fix:
The system now prints out an error message in the log file, improving the way tmm handles the failure.

---

626386-1 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Solution Article: K28505256

Component: Local Traffic Manager

Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.

Conditions:
When SSL persistence is enabled and a large-sized client
certificate is sent by the SSL client to the BIG-IP device.

Impact:
Client connection hangs during the handshake. No impact to any other module.

Workaround:
Disable SSL persistence.

Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.

---

626360 : TMM may crash when processing HTTP2 traffic

Solution Article: K22541983

---

626311-2 : Potential failure of DHCP relay functionality credits to incorrect route lookup.

Solution Article: K75419237

Component: Local Traffic Manager

Symptoms:
DHCP requests from client to server may not make it through.

Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.

Impact:
Clients might not get an IP address from the DHCP server.

Workaround:
None.

Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.

---

626141-3 : DNSX Performance Graphs are not displaying Requests/sec"

Component: Global Traffic Manager (DNS)

Symptoms:
The DNSX Performance graphs have a X and Y axis of Requests/second but the data actually shows total requests.

Conditions:
Always.

Impact:
The data displayed in the graph is not correct.

---

626106-3 : LTM Policy with illegal rule name loses its conditions and actions during upgrade★

Component: Local Traffic Manager

Symptoms:
BIG-IP version 12.0.0 introduced more strict checking on the characters allowed in policy and rule names, and it also introduced an auto-migration feature to convert any disallowed characters to an underscore (_). Allowed characters in policy and rule names are:
  A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.

When there is a pre-v12.0 Policy that contains an illegal character, the rule has each illegal character converted to a legal one. But conditions and actions, which are joined to the rule by name were not similarly adjusted. After migration, LTM Policy rule does not have any conditions or actions referring to its new name.

Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later

Impact:
Policy rule name is changed, illegal characters converted to benign underscore (_). The upgraded configuration will load successfully, but the Rule's associated conditions and actions are not changed, and still point to the policy by its former name, effectively becoming orphaned. Inspecting rule using UI or tmsh shows conditions and actions missing.

Workaround:
The bigip.conf file can be manually edited to fix illegal characters and configuration reloaded.

---

625901-1 : SNAT pools allow members in different partitions to be assigned, but this causes a load failure

Component: TMOS

Symptoms:
SNAT pools allow members in different partitions to be assigned, but this is prohibited at load time.

Conditions:
The SNAT pool is in a partition different from that of the member you are trying to add to it.

Impact:
Load will fail with an error like the following:

01070726:3: SNAT pool translation address /p1/mysnatpool /p2/1.2.3.4%5 in partition PARE cannot reference SNAT Translation /p2/1.2.3.4%5 in partition p2

Workaround:
Use a SNAT pool member in the same partition.

---

625892-2 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable

Fix:
Deliver Integer Multiples of MSS to the TSO hardware when Nagle's algorithm applies.

---

625860-2 : Improved handling of crypto hardware decrypt failures on B4450 platform.

Solution Article: K55102452

---

625832-4 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected modified domain cookie violation on system that has more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.

Fix:
Fixed a false positive modified domain cookie violation.

---

625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap space to increase continuously and might lead to exhaustion of swap space

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem

Impact:
iControlPortal.cgi memory increases.

Workaround:
Restart httpd to reload the iControl daemon.

Fix:
Fixed a memory leak associated with iControl.

---

625784 : TMM crash on i4x00 and i2x00 platforms with large ASM configuration.

Component: TMOS

Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM continuously crashes on boot-up or restart.

Conditions:
-- Large ASM configurations (50 virtual servers, 50 ASM policies).
-- Using i4x00 and i2x00 platforms.

Impact:
TMM continuously crashes and restarts; system is unusable.

Workaround:
None.

Fix:
TMM no longer crashes on i4x00 and i2x00 platforms with large ASM configurations.

---

625783-1 : Chassis sync fails intermittently due to sync file backlog

Component: Application Security Manager

Symptoms:
Chassis sync may fail intermittently if policies are changed and applied in a short interval.

Conditions:
Policies are changed and applied in a short interval on a chassis platform.

Impact:
Disk partition /var may fill up and synchronized changes may not appear on secondary blades.

Fix:
ASM configuration sync on chassis platform now works more reliably.

---

625703-2 : SELinux: snmpd is denied access to tmstat files

Component: TMOS

Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.

Conditions:
Custom created MIBs.

Impact:
Access to that MIB is denied.

Workaround:
None.

Fix:
When a custom SNMP MIB is created by using a Tcl scripts or other methods, the snmpwalk no longer fails to access the created MIB data.

---

625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provide incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver, will allow dnsxdump to work again after the next zone transfer.

Fix:
dnsxdump handles non-standard resource record types.

---

625602-3 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
Some messages that should be sent to peers in a device group are not successfully sent.

Conditions:
A series of create/delete ASM policies and multiple changes to the ASM sync Device Group (creation, deletion, joining devices, removing devices).

Impact:
ASM configuration does not sync properly

Workaround:
Reconfigure the device group and restart asm_config_server using the following command:
# pkill -f asm_config_server

Fix:
Communication over the ASM Device Group now works correctly after leaving/joining Device Groups.

---

625542-1 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
SIP Register message egressed will not have translation applied i.e. the CONTACT and VIA header will not be translated.

Workaround:
None

Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.

---

625474-1 : POST request body is not saved in session variable by access when request is sent using edge client

Component: Access Policy Manager

Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.

Conditions:
- Configure BIG-IP as SAML Service Provider. To simplify reproduction change Access Policy execution timeout to few seconds.
- Use Edge Client to connect to BIG-IP.
- Saml Agent will redirect user for authentication to IdP
- Wait for few seconds for access policy to time out on BIG-IP.
- Enter credentials/complete authentication on IdP
- User will be redirected back to BIG-IP as SP. At this moment APM will create a new session, and will evaluate access policy again.

Impact:
SAML Agent will now fail with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request

Workaround:
Removing the ‘Origin’ header from the request with iRule does fix the issue, and the POST body becomes available to access hudfilter.

Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.

---

625456-5 : Pending sector utility may write repaired sector incorrectly

Component: TMOS

Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.

When a pending sector is repaired, a message similar to the following is logged to :
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)

For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements

Conditions:
This may occur on BIG-IP appliances or VIPRION blades which contain hard disks which use 4096-byte physical sectors.

Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades

Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.

The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:

# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device

# smartctl -i /dev/sda | grep "Sector Size"

Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical

Not Affected:
Sector Size: 512 bytes logical/physical

Impact:
Potential corruption of unknown files on BIG-IP volumes.

---

625428-1 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit

Component: TMOS

Symptoms:
The F5 BIG-IP local mib has the wrong value definitions for
F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
allowed(0),disallowed(1)
instead of
disabled(0),enabled(1)

Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.

Impact:
Information mismatch

---

625372-5 : OpenSSL vulnerability CVE-2016-2179

Solution Article: K23512141

---

625275-1 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI

Component: Fraud Protection Services

Symptoms:
When trying to add URL parameters containing square brackets "[]" in FPS GUI >> URL the parameters name become "0". If trying to modify, the parameters are not saved.

Conditions:
Provision FPS
Create URL

Impact:
FPS GUI

Workaround:
via tmsh, an example:

tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }

Fix:
It is now possible to add parameters containing square brackets in FPS GUI.

---

625198-1 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

DSACK is enabled

MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.

cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.

an iRule exists that changes any of the conditions above besides DSACK.

various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.

Fix:
TCP maintains state appropriately to avoid crash.

---

625172-1 : tmm crashes when classification is enabled and ftp traffic is flowing trough the box

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
remove classification profile from the virtual server

Fix:
Incorrect memory management in one of classification matching mechanisms led to a crash.

---

625166-1 : Suspended iRules cannot complete on aborted flows

Component: Local Traffic Manager

Symptoms:
An suspended iRule does not resume if the connection aborts in the interim.

Conditions:
an iRule suspends, connection aborts.

Impact:
Not all business logic may execute.

Workaround:
None

Fix:
Keep the connflow alive if TCL operations are pending.

---

625159-1 : Policy sync status not shown on standby device in HA case

Component: Access Policy Manager

Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.

Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device

Impact:
It does not affect sync functionality and user still can see the sync status on an active device.

Workaround:
Check sync status on an active device in the group.

Fix:
User will be able to see the sync statuses on a standby device, including itself as well as the list of devices in the whole sync-only group where sync is performed.

---

625114-2 : Internal sync-change conflict after update to local users table

Solution Article: K08062851

Component: Device Management

Symptoms:
User sync is initiated unexpectedly and automatically by the REST framework. To the internal sync system, this appears as if the same change is being made manually on all devices, causing a change conflict. In other words, 'show cm sync-status' returns output similar to the following:

--------------------------------------------------------
CM::Sync Status
--------------------------------------------------------
Color red
Status Changes Pending
Mode high-availability
Summary There is a possible change conflict between device1 and device2.
Details
         device1: connected
         mydg (Changes Pending): There is a possible change conflict between device1 and device2.
          - Recommended action: Synchronize device2 to group mydg

In addition, users that were synchronized by the REST framework may not have the correct role and/or partition assigned to them.

Conditions:
-- A sync-failover device group exists.

-- The REST framework's 'gossip' mechanism is set up correctly, which should happen automatically, but might not be ready.

You can confirm that this is the case by running 'restcurl shared/resolver/device-groups/tm-shared-all-bigips/devices'. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.

Impact:
An unexpected change conflict between devices. In some cases, high CPU utilization by restjavad may be observed.

Workaround:
-- When you have the change conflict, force a sync to the device group from the device where the user was originally created.

-- If the high CPU utilization by restjavad persists after a full sync, you can remediate the CPU utilization by restarting the restjavad service:
restart sys service restjavad

Fix:
Internal sync-change conflict is no longer present after update to local users table.

---

625106-2 : Policy Sync can fail over a lossy network

Component: Local Traffic Manager

Symptoms:
Policy Sync fails.

Conditions:
BIG-IPs are connected over a lossy link.

Impact:
HA redundancy fails.

Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled

Fix:
Change configuration as described.

---

625098-3 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
SCTP::local_port iRule not supported in MRF events

Conditions:
If MRF events are used, such as MR_INGRESS, MR_EGRESS and MR_FAILED events are used.

Impact:
SCTP::local_port won't work under MR events.

Fix:
After the fix, SCTP::local_port iRule will be supported in MRF events.

---

625085 : lasthop rmmod causes kernel panic

Component: TMOS

Symptoms:
If someone attempts to unload the lasthop kernel module, it will cause a kernel panic.

Conditions:
Attempting to unload the lasthop kernel module.

Impact:
The system reboots.

Workaround:
Avoid running the following command:

# rmmod lasthop

Fix:
The lasthop kernel module should never be unloaded. The system now prevents the lasthop kernel module from being unloaded, so no kernel panic occurs.

---

624966-2 : Edge client starts new APM session when Captive portal session expire

Component: Access Policy Manager

Symptoms:
When a Captive portal session expires during Network Access,
Edge-Client shows the Captive portal Authentication page. If the user doesn't authenticate for some amount of time (30-60sec) the Edge Client tries to disconnect the current session. When the user successfully authenticates, Edge Client starts new APM session instead of waiting until the user authenticates on Captive page.

Conditions:
This can occur when Captive portal is configured and the session expires.

Impact:
The Edge Client starts a new session when it should re-use the existing session.

---

624909-2 : Static route create validation is less stringent than static route delete validation

Component: TMOS

Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.

Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.

Impact:
Unable to delete certain self-IPs.

Workaround:
In order to delete the self-IPs you can either:

1) Delete the static route.
or
2) Create a self-IP on the same interface and using the IP protocol as the static route.

Fix:
Added validation to ensure that when a static route is created there is at least one self-IP that uses the same interface and IP protocol.

---

624903-6 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.

Solution Article: K55102452

---

624876-1 : Response Policy Zones can trigger even after entry removed from zone

Component: Global Traffic Manager (DNS)

Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.

Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.

Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.

Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and restart the system using the following command: bigstart restart zxfrd.

This recreates the databases without the remnants of the deleted entries.

Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.

---

624846-1 : TCP Fast Open does not work for Responses < 1 MSS

Component: Local Traffic Manager

Symptoms:
BIG-IP does not send the data until receiving the first client ACK.

Conditions:
TCP Fast Open requests an object of less than 1 MSS in size.

Fast open and delayed acks enabled.

Impact:
Delayed completion of the connection.

Workaround:
Disable delayed acks.

Fix:
TCP sends SYN/ACK immediately after receiving the SYN, and the response as soon as it arrives from the server.

---

624831-2 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps

Component: TMOS

Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.

Conditions:
max-user-rate is set at 2gbps or higher.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.

Fix:
tmm crashes while using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.

Behavior Change:
no

---

624826-2 : mgmt bridge takes HWADDR of guest vm's tap interface

Solution Article: K36404710

Component: TMOS

Symptoms:
MGMT interface becomes unreachable and stops responding to traffic. Whenever guest is in provisioned state MAC address assigned to mgmt is correct (taken from base MAC). Whenever guest is in deployed state MAC address on host mgmt interface changes and is exactly the same as mgmt_vm_tap MAC.

Conditions:
The platform shipped with a "low" F5 base_mac

A Linux bridge by default takes as its mac the lowest mac of its constituent interfaces. This did not cause a problem before because F5 Networks systems' baseMacs have historically been "low", e.g., with legacy_baseMacs in {00:01:D7, 00:0A:49, 00:23:E9}.

When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to take as its mac the lowest mac address of its constituent interfaces. With the comparison min(eth0's mac, guestTap's mac) returning guestTap's mac, the mgmt bridge incorrectly assumes a guestTapIntfc mac.

Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.

Workaround:
Use ifconfig to ensure that the mac address of the mgmt bridge never changes from eth0. For example, the following command sets as the mac of this bridge, the value passed in Mac.

ifconfig <bridgeName= mgmt> hw ether <Mac of Eth0>


Note: This assumes that eth0 will always be contained in the mgmt bridge.

Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.

---

624805-1 : ILX node.js process may be restarted if a single operation takes more than 15 seconds

Component: Local Traffic Manager

Symptoms:
There is an ILX node.js process restart that occurs, conditional on the code and operations of the node.js process. The restart occurs when one specific operation (code path in your node.js app) takes longer than 15 seconds to complete.

Conditions:
-- Running ILX with a node.js RPC or streaming setup.
-- A single operation takes more than 15 seconds.

Impact:
Connflow is dropped, traffic processing for the flows handled by that process stops until it restarts fully.

Workaround:
To work around this issue, you can time yourself in your node.js app, to either make sure operations complete within the timeframe, or determine where operations exceed the 15 second limit and rework the code so that operations complete within 15 seconds.

Fix:
There is no longer a time restriction on a single operation.

---

624744-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added prior to calling a callback for asynchronous handling.

---

624733-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.

---

624692-3 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.

---

624616-1 : Safenet uninstall is unable to remove libgem.so

Component: Local Traffic Manager

Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:

rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.

Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.

Impact:
Uninstall is unable to complete.

Workaround:
None.

Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.

---

624570-1 : BIND vulnerability CVE-2016-8864

Solution Article: K35322517

---

624526-3 : TMM core in mptcp

Solution Article: K10002335

---

624484-2 : Timestamps not available in bash history on non-login interactive shells

Solution Article: K09023677

Component: TMOS

Symptoms:
There are no timestamps in bash history when bash is initiated from tmsh.

Conditions:
This issue arises when an Administrator or Resource Administrator with tmsh as the default shell runs bash from tmsh and then runs the 'history' command.

Impact:
Running 'history' in bash will not include timestamps of commands.

Workaround:
Timestamps can be added to bash history by running the following command in bash: export HISTTIMEFORMAT="%Y-%m-%d %T ".

Fix:
Added timestamps to bash history for non-login interactive shells.

---

624457-5 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Solution Article: K10558632

---

624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers

Impact:
Traffic disrupted while tmm restarts.

Fix:
Change of virtual server configuration triggers new library to be loaded during upgrade which wasn't expected by hitless upgrade mechanism and led to tmm crash. This is fixed in versions starting with 12.1.2.

---

624362-1 : VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file

Component: TMOS

Symptoms:
/shared disk usage growth and the diskmonitor can alarm when percent of disk usage reaches the configured threshold.

Conditions:
VCMP guest, overtime /shared/tmp/guestagentd.out grows and not rotated.

Impact:
/shared filesystem can fill and cause alerting and inability to copy files such as .iso to /shared.

Workaround:
1. periodically delete the non-critical file /shared/tmp/guestagentd.out

OR,

2. bigstart stop guestagentd (this will disable vcmp health feature on the host)

Fix:
The guestagentd logs no longer fill the tmp file.

---

624361-1 : Responses to some of the challenge JS are not zipped.

Component: TMOS

Symptoms:
Performance is affected on the JS challenge.

Conditions:
The following is turned on in the application dos configuration :
CS challenge, or PBD challenge when Suspicious browsers are disabled or the Device-ID challenge.

Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed

Workaround:
None.

Fix:
Some of the JS challenge have better performance now.

---

624314-1 : AVR reports incorrect 'actions' in ACL reports

Component: Advanced Firewall Manager

Symptoms:
AVR reports incorrect 'actions' in ACL reports:
-- 'Default" reports as 'Drop'.
-- 'Drop" reports as 'Reject'.
-- 'Reject" reports as 'Accept'.
-- 'Accept" reports as 'Accept decisively'.
-- 'Accept decisively' reports as "Default'.

Conditions:
AVR reporting on ACL statistics.

Impact:
The system reports incorrect actions.

Workaround:
There is no workaround.

Fix:
AVR reports now shows correct actions.

---

624263-4 : iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.

---

624231-5 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruptions in some cases

Conditions:
This issue can happen when system there is are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the pem throttle feature for content insertion

---

624228-1 : Memory leak when using insert action in pem rule and flow gets aborted

Component: Policy Enforcement Manager

Symptoms:
Memory keeps increasing in PEM after several hours of live service.

Conditions:
Insert action in pem rule and response spawning multiple segments. Connection gets aborted midway.

Impact:
Connections can get reset once memory usage increases beyond threshold

Fix:
free xfrags when aborting flows

---

624198-1 : Unable to add multiple User-Defined alerts with the same search category

Component: Fraud Protection Services

Symptoms:
Adding 2 or more User-Defined alerts causes to DB exception error.

Conditions:
Provision FPS
Malware Detection license

Add multiple User-Defined alerts with the same "Search In" category.

Impact:
Can impact detection of certain malware.

Workaround:
Adding single record each time.
Use TMSH or Rest.

Fix:
GUI allows adding multiple User-Defined alerts of the same search category.

---

624193-2 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions which cause the condition.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.

---

624168-2 : DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission

Component: Local Traffic Manager

Symptoms:
During an MPTCP connection, if a DATA_ACK or DATA_FIN is received on a subflow that is not currently being used to transmit data, that DATA_ACK or DATA_FIN is ignored. Clients generally respond on the same subflow that they received data on, making this situation somewhat rare.

Conditions:
MPTCP is in use on a connection and a DATA_ACK or DATA_FIN is received on a subflow that is not currently being used to transmit data.

Impact:
The DATA_ACK or DATA_FIN is ignored. If the same information is not sent on other subflows, this can cause the connection to hang until the subflow times out.

Fix:
Accept DATA_ACK and DATA_FIN on any subflow.

---

624155-2 : MRF Per-Client mode connections unable to return responses if used by another client connection

Component: Service Provider

Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (response or requests) received by the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).

Conditions:
The connection from the client closes and the client connects again.

Impact:
Messages from the new client connection will be routed using the previously created outgoing connection. But messages received from the server will be forwarded to the original connection from the client which is closed. These message will fail to be delivered.

Workaround:
None.

Fix:
When message arrive from a new client connection, the outgoing connection will be to forward messages received from the server to the new connection.

---

624023-3 : TMM cores in iRule when accessing a SIP header that has no value

Component: Service Provider

Symptoms:
When used an iRule to access a SIP header attribute with no value, TMM cores.

Conditions:
Use iRule to access the value of SIP message header attribute with no value.
Eg:
"Supported: " IEOL
"Session-Expires:" IEOL

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

Fix:
Fix includes adjusting the buffer offset properly to handle the empty header attributes while parsing the SIP message.

---

623940-3 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello

Component: Local Traffic Manager

Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

The ltm error log message looks like:
*****************************************************
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
*****************************************************

Conditions:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

Impact:
SSL Handshake fails.

---

623930-3 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.

Fix:
Packets are no longer looped between vlangroup children on vCMP guests.

---

623927-2 : Flow entry memory leaked after DHCP DORA process

Solution Article: K41337253

Component: Policy Enforcement Manager

Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.

Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode, and wait for client connection flow entry ages out.

Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.

Workaround:
None.

Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.

---

623922-5 : TMM failure in PEM while processing Service-Provider Disaggregation

Solution Article: K64388805

Component: Policy Enforcement Manager

Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.

Conditions:
System crashes when traffic flows and rules get executed on the flow.

Impact:
System crashes.

Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.

Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.

---

623885-4 : Internal authentication improvements

Solution Article: K41107914

---

623803-2 : General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'

Solution Article: K12921801

Component: TMOS

Symptoms:
When SCTP profile is selected, the system posts a general DB error due to 'read access denied type Virtual Address profile SCTP'.

Conditions:
-- Login to GUI with non-Admin user.
-- Select SCTP profile from the GUI

Impact:
Cannot get the SCTP profile.

Workaround:
Login with Admin user.

Fix:
The non-Admin user is now be able to login to GUI, select the SCTP profile and retrieve SCTP profile information correctly.

---

623562-3 : Large POSTs rejected after policy already completed

Component: Access Policy Manager

Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. Client will see a reset, and these error messages will appear on the BIG-IP:

/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big

/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960

Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.

Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.

Workaround:
Move the resource from '/' to another URL.

Fix:
The logic of '/' in this area was changed to be consistent with other URLs.

---

623536-2 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent

Component: TMOS

Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, SNMP traps sent for notifying RSTs sent due to maintenance mode on are not being sent.

Conditions:
Reset cause logging and maintenance mode are enabled
Snmp trap destination is configured and routable

Impact:
snmp traps are not sent

Workaround:
Adding custom trap in /config/user_alert.conf with escaped characters will workaround the issue:

alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}

Fix:
BIG-IP now correctly sends SNMP traps when configured to do so with TCP resets in maintenance mode.

---

623518-1 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition

Component: Fraud Protection Services

Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.

Also, if a user-defined partition is selected, the GUI will not display a message if a there are available signatures/engine updates.

Conditions:
Provision and license FPS.
Create user-defined partition.

Impact:
You are unable to manage the profile in the user-defined partition.

Workaround:
Use tmsh to add users.

Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.

---

623491-2 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.

Component: Policy Enforcement Manager

Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.

Conditions:
A flow should be associated with a PEM rule that has atleast a BWC action along with a Gx reporting action.

Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.

Fix:
The BWC policy is restored correctly after a policy update.

---

623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting

Component: TMOS

Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.

Workaround:
The fix proposed an optimal TCP configuration used by the connection between BIG-IP and OCSP responder which makes the connection reliable now. Therefore the virtual server can now always correctly staple the certificate status in the Server Hello message to the SSL client.

---

623391-5 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.

Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3

Fix:
cpcfg could incorrectly calculate the amount of free space required, refusing to do the copy unless the / filesystem on the target volume had sufficient space to do the copy (not taking into account /config, /usr, /var, and other filesystems). This has been resolved and this free space calculation is done correctly.

---

623336-4 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.

---

623119 : Linux kernel vulnerability CVE-2016-4470

Solution Article: K55672042

---

623093-1 : TIFF vulnerability CVE-2015-7554

Solution Article: K38871451

---

623055-1 : Kernel panic during unic initialization

Component: TMOS

Symptoms:
During system initialization, the kernel panics during unic initialization.

Conditions:
This can occur on BIG-IP Virtual Edition if an error (on memory allocation, io etc.) occurs during unic initialization.

Impact:
The kernel panics, system will not boot.

Fix:
Initialize resources to fail gracefully on error.

---

623037-2 : delete of pem session attribute does not work after a update

Component: Policy Enforcement Manager

Symptoms:
it will not be possible to delete the session attribute through rules.

Conditions:
rules with session attribute update & delete

Impact:
unable to delete session attribute

---

623023-1 : Unable to set DNS Topology Continent to Unknown via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".

Conditions:
Attempting to configure a DNS Topology Record via the GUI.

Impact:
Unable to set the Continent field to 'Unknown' via GUI.

Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`

Fix:
The dropdown menu now has an option to select an "Unknown" Continent.

---

622913-2 : Audit Log filled with constant change messages

Component: Application Security Manager

Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:

Error 502 Bad Gateway when clicking "Application Security" logs

Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.

Impact:
Disk space usage and errors viewing the Application Security logs

Workaround:
Workarounds:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)

2) Enable ASM sync on a device group.

Fix:
Updates to the audit log are throttled at max 1/minute.

---

622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away

Component: TMOS

Symptoms:
Messages like the following in /var/log/ltm:

Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared
'

Conditions:
i2000 or i4000 series appliances with DDM enabled and a reboot or restart of the pfmand daemon

Impact:
No functional impact, these are not valid DDM alarms or warnings.

Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.

Fix:
During DDM initialization clear any alarms or warnings cached in the hardware registers.

---

622856-1 : BIG-IP may enter SYN cookie mode later than expected

Component: Local Traffic Manager

Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.

Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.

Impact:
BIG-IP does not enter SYN cookie mode at the expected time.

Workaround:
Disable verified accept on all VIP TCP profiles.

Fix:
BIG-IP correctly enters SYN cookie mode when traffic pattern
dictates that it should.

---

622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP

Component: Access Policy Manager

Symptoms:
Edge Client takes a lot of time to disconnect when machine is moved to network with no connectivity to BIG-IP

Conditions:
* VPN is established
* Machine is moved to different network (with no BIG-IP) connectivity
* EdgeClient stays in "Disconnecting..." state for few minutes

Impact:
User have to wait until Disconnect procedure is complete

Fix:
Now Edge Client uses 5000msec timeout in order to complete logout HTTP request. This is enough in normal conditions

---

622735 : TCP Analytics statistics does not list all virtual servers

Component: Application Visibility and Reporting

Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".

Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.

Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.

Fix:
Fixed an issue with displaying TCP Analytics statistics for virtual servers.

---

622662-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697

---

622619-5 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPd cpu utilization is high and renders it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.

---

622496 : Linux kernel vulnerability CVE-2016-5829

Solution Article: K28056114

---

622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled

Component: Application Security Manager

Symptoms:
Internet Explorer browsers will get into an endless loop of requests, never reaching the back-end server, when accessing a Virtual Server which is enabled with both the Web Scraping feature, and the Proactive Bot Defense, if the mode of Proactive Bot Defense is set to During Attacks.

Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.

Impact:
Internet Explorer browser users are getting blocked from accessing the back-end server.

Workaround:
Two options for workaround:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.

Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.

---

622281-1 : Network DoS logging configuration change can cause TMM crash

Component: Advanced Firewall Manager

Symptoms:
Whenever a DoS Network logging profile is assigned or removed from a Virtual Server, it could cause random TMM crash.

Conditions:
The problem happens only with runtime config change.

Any logging profile config settings which was configured already and which gets loaded on TMM startup does not have this problem. Since this problem is a one time event on config change, TMM restart will pickup the config change and will work without any problem after the one time crash and TMM restart.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Invalid memory reference after free resulted in crash, which is fixed.

---

622244-2 : Edge client can fail to upgrade when always connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client

Impact:
Upgrade will fail

Workaround:
Disable the Always Connected mode

Fix:
Upgrade functions as intended regardless of connection mode

---

622220-2 : Disruption during manipulation of PEM data with suspected flow irregularity

Component: Policy Enforcement Manager

Symptoms:
tmm crashes.

Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.

---

622199 : sys-icheck reports error with /var/lib/waagent

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.

On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch

On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent

M - Mode differs (includes permissions and file type)

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.

---

622194 : sys-icheck reports error with ssh_host_rsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub

ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.

---

622183-5 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.

Fix:
The alert daemon will now remove old log files as intended.

---

622178-1 : Improve flow handling when Autolasthop is disabled

Solution Article: K19361245

---

622148-5 : flow generated icmp error message need to consider which side of the proxy they are

Component: Local Traffic Manager

Symptoms:
when generating an error message from a flow, the icmp6 code does not check which side the messages needs to be crafted for.

Conditions:
error handling

Impact:
As a result generated ICMP error message might contain the wrong addressing

Workaround:
no workaround

Fix:
now the code checks flow type before crafting the error message

---

622133-1 : VCMP guests may incorrectly obtain incorrect MAC addresses

Component: TMOS

Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).

The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag

Conditions:
For this to manifest the vCMP host vcmpd process will have to have had a prior crash or be killed.
In this scenario vcmpd on restart uses a default zero-base MAC address for the guests.
The guests will not use the new zero-based MAC until services are restarted on the guest, on which the new MAC address will take effect.

Impact:
This can cause network issues and conflicts if occurring on multiple guests in the same VLAN as the same MAC addresses will be used.

Workaround:
Restart the guest from the hypervisor.

Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.

---

622126-1 : PHP vulnerability CVE-2016-7124

Solution Article: K54308010

---

622017-8 : Performance graph data may become permanently lost after corruption.

Solution Article: K54106058

Component: Local Traffic Manager

Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.

However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.

Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.

Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.

Workaround:
Old performance graph data can be extracted from the var/rrd directory of a QKView taken prior to the beginning of the problem.

Fix:
Corrupt performance graph RRD data is now backed up to the /shared/rrd.backup directory during startup even if the directory already exists.

---

621976-4 : OneDrive for Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working OneDrive for Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

---

621974-4 : Skype For Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working Skype For Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

---

621957-2 : Timezone data on AOM not syncing with host

Component: TMOS

Symptoms:
Updating the timezone on the host does not sync to the AOM, because certain tzdata files are placed in the wrong directories.

Conditions:
A system using tzdata version v2016i-1 may encounter this problem. If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

then the system has this problem.

Impact:
Time on the AOM is incorrect.

Workaround:
If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

move them to:

/usr/share/zoneinfo/F5zone.tab
/usr/share/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/F5zone.tab

Fix:
Timezone data on AOM now syncs correctly with host again

---

621937-1 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024

---

621935-6 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024

---

621909-4 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Solution Article: K23562314

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.

Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.

Workaround:
None.

Fix:
This release fixes uneven egress trunk distribution on the BIG-IP 5000 or 10000 platforms when there is an odd number of ports.

---

621870-2 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.

Conditions:
VIP-VIP configuration

Impact:
System outage

Workaround:
None.

---

621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled

Component: Application Security Manager

Symptoms:
Microsoft Internet Explorer version 11 (IE11) browsers which have 'Compatibility View' enabled (under Compatibility View Settings IE11 menu), fail the JavaScript challenge when Proactive Bot Defense is enabled and the 'Block requests from suspicious browsers' checkbox is checked.

The challenged request is blocked using a TCP_RST flag, and the browser displays 'This page can't be displayed'.

Conditions:
-- DoS profile that is attached to the virtual server.
-- Proactive Bot Defense is enabled
-- The 'Block requests from suspicious browsers' checkbox is checked.
-- IE11 browsers are in use.
-- The site's domain is inserted to the 'Compatibility View Settings' in the browser's menu.

Impact:
Legitimate browsers get blocked when accessing the site.

Workaround:
None.

Fix:
IE11 browsers with 'Compatibility View' enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.

---

621736-6 : statsd does not handle SIGCHLD properly in all cases

Solution Article: K00323105

Component: Local Traffic Manager

Symptoms:
- Performance graphs are not updating or are not existent.
- proc_pid_stat shows statsd time not increasing.
- Top also shows that statsd is not taking any processor time.

In fact statsd is stuck on a wait in a signal handler.

Conditions:
If statsd receives a SIGCHLD signal.

Impact:
The system gets stuck and does not process anything. No performance graphs are collected / generated

Workaround:
Restart statsd using the following command:
bigstart restart statsd

Fix:
statsd now handles SIGCHLD properly.

---

621682-1 : Portal Access: problem with specific JavaScript code

Component: Access Policy Manager

Symptoms:
Portal Access does not rewrite JavaScript code with try...catch... operator followed by literal regular expression.

Conditions:
JavaScript code like follows:
try {} catch (e) {} /aaa/.test(b)

Impact:
Web application may not work correctly.

Fix:
Now try / catch operator followed by literal regular expression in JavaScript code is handled correctly by Portal Access.

---

621524-2 : Processing Timeout When Viewing a Request with 300+ Violations

Component: Application Security Manager

Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.

Conditions:
Attempting to view a request that triggered hundreds or thousands of violations

Impact:
A timeout is encountered.

Workaround:
increase the "max_execution_time" timeout in /usr/loca/lib/php.ini from 30 to 240 seconds.

Fix:
Processing high violation requests is now more efficient.

---

621452-1 : Connections can stall with TCP::collect iRule

Solution Article: K58146172

Component: Local Traffic Manager

Symptoms:
Connection does not complete.

Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.

The Initial Sequence number in the SYN, plus the length of the data in the first packet, plus 1, is greater than-or equal to 2^31.

Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.

Impact:
-- Connection fails.
-- This issue can also cause the Configuration Utility's Device Management :: Overview page to stop responding.

Workaround:
There is no workaround at this time.

Fix:
The system now properly sets state variables associated with TCP::collect, so this issue no longer occurs.

---

621447-1 : In some rare cases, VDI may crash

Component: Access Policy Manager

Symptoms:
VDI process crashes and connections to VDI resources are aborted.

Conditions:
VDI receives unexpected session variable result which is meant for some other VDI thread.

Impact:
Existing VDI connections are aborted and the user needs to login again.

Fix:
VDI should gracefully handle the error condition and should not crash

---

621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:

ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.

---

621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port

Component: TMOS

Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.

The invalid optic may show a link light, and no warning appears on the LCD.

Conditions:
i2000 or i4000 platforms ports do not auto-negotiate between 1G and 10G optics. Ports are assigned to one or the other speed.

Impact:
User may not understand why optic is not working correctly

Workaround:
Move the optic to the correct port.

---

621401 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

Component: Device Management

Symptoms:
When BIG-IQ is monitoring more than 1 BIG-IP in a HA clustser, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.

Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.

Impact:
AVR reporting will stop functioning.

Workaround:
bigstart restart restjavad

---

621386-1 : restjavad spawns too many icrd_child instances

Solution Article: K91988084

Component: TMOS

Symptoms:
icrd_child process keeps crashing and can lead to an out-of-memory condition.

Conditions:
This occurs due to a race condition while restarting the icrd daemon.

Impact:
icrd might crash.

Workaround:
None.

Fix:
Fixed race condition that caused the system to run out of memory by spawning too many icrd_child processes.

---

621379-2 : TCP Lossfilter not enforced after iRule changes TCP settings

Component: Local Traffic Manager

Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.

Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.

an iRule changes any of the above settings except loss-filter.

Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.

Workaround:
Change any of the conditions above.

Fix:
Properly handle loss-filter state when switching TCP stacks.

---

621374-1 : "abbrev" argument in "whereis" iRule returns nothing

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule [whereis <ip|ldns> abbrev] does not return a value.

Conditions:
iRule relying on whereis abbrev is used.

Impact:
The whereis iRule command will not return the expected value.

---

621371-2 : Output Errors in APM Event Log

Solution Article: K43523962

---

621337-6 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469

Solution Article: K97285349

---

621314-6 : SCTP virtual server with mirroring may cause excessive memory use on standby device

Solution Article: K55358710

Component: TMOS

Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.

Conditions:
SCTP virtual server has mirroring enabled.

Impact:
TMMs will have high memory usage on standby device.

Workaround:
Disable mirroring on the SCTP virtual server.

Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.

---

621284-5 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute

Component: WebAccelerator

Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.

Conditions:
Invoking the TMSH man/help page on RAMCACHE.

Impact:
Incorrect TMSH help text

Workaround:
N/A

Fix:
max-response:

Displays the maximum number of entries in the RAM cache. The default value is 0 (zero), which is equivalent with no max-response value being specified. Without the max-response option the system will limit the number of entries to 10 per Traffic Management Microkernel (TMM).

---

621273-1 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM does not crash.

---

621260-5 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.

---

621259-3 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete

Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration

Impact:
When take longer than 90 seconds soap iControl will time out.
This make it impossible to manage via EM

---

621242-1 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
Increased the reserved free space in VM image from 15% to 30% to accommodate upgrades to future versions. Each next version tends to be bigger and require more disk space to install. The increased reserved space will allow upgrading to at least next 2 versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.

---

621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.

Conditions:
A DNS Cache configured with RPZ.

Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.

Fix:
The DO-bit is now ignored with respect to RPZ filtering.

---

621233-1 : FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm

Solution Article: K49440608

---

621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"

Component: TMOS

Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.

Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.

Impact:
They are false alarms in the log. The associated interfaces do not have said PCI devices.

Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".

---

621210-2 : Policy sync shows as aborted even if it is completed

Component: Access Policy Manager

Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.

Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.

Impact:
Sync status is displayed incorrectly, even after the sync was successful.

Workaround:
None.

Fix:
Policy sync now shows as completed when it is completed.

---

621126-2 : Import of config with saml idp connector with reuse causes certificate not found error

Component: Access Policy Manager

Symptoms:
Export and then Import with reuse of config that has SAML Idp Connector as part of configuration would fail with Object not found or Certificate not found error:

Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.

Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.

Impact:
Importing fails.

Workaround:
On From box:Disconnect Idp configuration, export config.
On To box:Recereate Idp configuration, import, reconnect it.

Fix:
Importing with reuse is fixed.

---

621115-1 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Component: Performance

Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.

Conditions:
IP/IPv6 TTL/hoplimit for host traffic.

Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.

BGP neighbors may reject packets from the BIG-IP.

Workaround:
Adjust TTL verification restrictions on peer devices.

Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.

---

620954-3 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to login.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.

---

620929-4 : New iRule command, MR::ignore_peer_port

Component: Service Provider

Symptoms:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port. Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Conditions:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port.

Impact:
Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Workaround:
Without this change, a new connection would need to be created to the client.

Fix:
New iRule command allow script author to identify the current connection as equivalent to other connections of the IP and route domain ID matches.

---

620903-1 : Decreased performance of ICMP attack mitigation.

Component: Performance

Symptoms:
Decreased performance of ICMP attack mitigation.

Conditions:
A Big-Ip is under attack, for example a ICMP flood attack.

Impact:
Decreased performance of ICMP attack mitigation.

Workaround:
NA

Fix:
Increased performance of ICMP attack mitigation.

---

620829-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Solution Article: K34213161

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.

---

620801-3 : Access Policy is not able to check device posture for Android 7 devices

Component: Access Policy Manager

Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.

If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.

Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.

Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.

Workaround:
This workaround only applies to IBM Maas360:

Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:

session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}

Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.

---

620788-1 : FQDN pool created with existing FQDN node has RED status

Solution Article: K05232247

Component: Local Traffic Manager

Symptoms:
After creating an FQDN pool using an existing FQDN node, the pool has RED status.

Conditions:
-- Existing FQDN node.
-- Pool created with an existing FQDN node as a member.

Impact:
Traffic will not pass in this pool.

Workaround:
As a workaround, follow these steps:
1. Delete the existing FQDN node.
2. Create a new one.
3. Create a pool that includes the new FQDN node.

Fix:
When creating an FQDN pool with an existing FQDN node, the pool status now reflects the actual monitor status.

---

620782 : Azure cloud now supports hourly billing

Component: TMOS

Symptoms:
Prior to 12.1.2 hourly billing was not supported in Azure cloud.

Conditions:
Any version prior to 12.1.2 in Azure Cloud

Impact:
Hourly billing not possible

Fix:
With 12.1.2 hourly billing is now supported in Azure.

---

620759-4 : Persist timeout value gets truncated when added to the branch parameter.

Component: Service Provider

Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.

Conditions:
If the persist timeout value was higher that 65535 then the value gets truncated.

Impact:
Incorrect persist timeout get into affect for the call other than the value set in the config.

Workaround:
None.

Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.

---

620746-1 : MCPD crash

Component: TMOS

Symptoms:
MCPD may crash while processing large requests.

Conditions:
The conditions under which this occurs are not yet defined.

Impact:
MCPD crash, leading to a failover event.

Workaround:
None.

Fix:
MCPD now processes large requests as expected.

---

620659-3 : The BIG-IP system may unecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
  info mprov:4614:: \'\'provision.initialized\' indicates force TMOS only provisioning - forcing.\'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
  info mprov:4609:: \'Existence of file \'/mprov_firstboot\' indicates force TMOS only provisioning - forcing.\'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.

---

620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt

Component: Application Security Manager

Symptoms:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ JSON login parameter with an upper-case character

Impact:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Workaround:
N/A

Fix:
We've made sure that JSON login parameter are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.

---

620625-2 : Changes to the Connection.VlanKeyed db key may not immediately apply

Solution Article: K38094257

Component: Local Traffic Manager

Symptoms:
When you modify the connection.vlankeyed database key, some asymmetrically routed connections unexpectedly fail.

Conditions:
This issue occurs when the following condition is met:

You modify the connection.vlankeyed database key.
For example, you set the database key value to disable.

For more information, refer to K13558: Allowing asymmetrically routed connections across multiple VLANs (11.x - 13.x) :: https://support.f5.com/csp/article/K13558.

Impact:
Some connections using asymmetrical routing do not reach their destination.

Workaround:
Restarting TMM resolves the issue, though this briefly interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:

-- On an appliance (BIG-IP platform):
bigstart restart tmm
-- On a clustered system (a VIPRION or VIPRION-based vCMP guest):
clsh bigstart restart tmm

Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.

---

620614-4 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account

Component: Access Policy Manager

Symptoms:
iOS Citrix receiver fails to add new store account and touching on the Save option after providing the credentials displays "Loading" and comes back to previous save option.

/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.

The above error, otherwise, below error which deletes the session id abruptly.

Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).

Conditions:
APM is configured with Citrix replacement mode. Provide wrong passcode values for RSA SecurId auth for continuously three times which trigger the next token input for the fourth time entering the right passcode. APM rotate session is enabled.

Impact:
iOS Citrix receiver could not add the account after providing wrong token values for two factor auth

Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.

Fix:
Use the right session id for decrypting the password.

---

620543-1 : Security Address Lists and Port Lists can't change Description field

Component: Advanced Firewall Manager

Symptoms:
'Description' doesn't get saved when a user tries to create a Address List, or Port List.

Conditions:
Create an Address List/Port List with a description, and hit 'Finished'. The Address/Port List will be created, but the object will not be saved.

Impact:
Users will not be able to save description when Address List/Port List gets created via GUI.

Workaround:
Use tmsh to create Address/Port List.

Fix:
'Description' gets saved when a user tries to create a Address List, or Port List.

---

620522-1 : Some expected command output are missing in qkview

Component: TMOS

Symptoms:
Some commands are not executed and output are not collected by qkview.

Conditions:
If total execution time of all commands is exceeding 360 seconds.

Impact:
Missing command output in qkview tar file.

Workaround:
Missing commands need to be executed manually to share output with F5 support.

Fix:
Timeout can be passed as an arg to qkview command with -t option.

---

620445-4 : New SIP::persist keyword to set the timeout without changing key

Component: Service Provider

Symptoms:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout> disables bidirectional persistence.

Conditions:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout>.

Impact:
Disables bidirectional persistence. Persistence entry only records destination (not source) of the session.

Workaround:
None.

Fix:
New keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key.

Behavior Change:
There is a new keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key. Previously, if you changed the timeout, it disabled bidirectional persistence.

---

620400-1 : TMM crash during TLS processing

Solution Article: K21154730

---

620366-4 : Alertd can not open UDP socket upon restart

Component: TMOS

Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener

Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.

Impact:
alertd fails to restart

Fix:
Mark alertd file descriptors for automatic closure in child processes.

---

620311-1 : GUI Failover Unicast Address information incorrect

Component: TMOS

Symptoms:
In the GUI, the Failover Unicast Address information for the peer device shows the Management IP of the local device, instead of the peer's Management address.

Conditions:
Failover Device group with failover unicast addresses configured with management addresses.

Impact:
GUI displays incorrect address. *Mgmt addresses listed incorrectly show local mgmt addresses in the following locations:
-- Device management :: Devices :: <peer device>
-- Device Connectivity: Failover Unicast Configuration

Workaround:
None.

---

620301-4 : Policy import fails due to missing signature System in associated Signature Set

Component: Application Security Manager

Symptoms:
ASM policy import fails due to a missing System, used in an associated Signature Set.

Conditions:
ASM policy is imported using an export file from a device with a more recent ASM Signature Update.

Impact:
The ASM policy import fails.

Workaround:
Update the ASM Signature on the target device before importing the policy.

---

620215-5 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.

---

620079-3 : Removing route-domain may cause monitors to fail

Component: Local Traffic Manager

Symptoms:
Removing a route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.

Conditions:
-- Route-domain is removed.
-- icmp/gateway-icmp monitor is used.

Impact:
Monitor marks the node down, resulting in partial service outrage.

Workaround:
Restart bigd using the following command:
bigstart restart bigd

Fix:
Removing route-domain no longer causes monitors to fail.

---

620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors

Component: TMOS

Symptoms:
When two traffic-selectors, one in and one out, mirror each other by reversing source and destination addresses, then deleting one can miss-fire an assert, restarting tmm.

Conditions:
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.

Impact:
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.

Workaround:
Using one traffic selector with direction=both would avoid the problem, before this change appears in a release.

Fix:
The confusion of over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- just like each other execpt for reversed source and destination -- will work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS insances with direction=both.

---

619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable.

when CLIENT_ACCEPTED {
    HTTP::disable
    // do some other stuff
    HTTP::enable
}

Impact:
client receives a HTTP 503 reset

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.

Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.

---

619873-2 : Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms★

Component: TMOS

Symptoms:
Outdated and unused unit key is left on some devices after an upgrade from an older version.

- This occurs with 5000- and 7000-series platforms after upgrade from an older version to v13.0.0.

- This occurs with iSeries platforms after upgrade from an older version to v12.1.4.1 or a later v12.1.x software version.

Conditions:
One of the following sets of conditions:

-- Running on 5000- and 7000-series platforms.
-- Upgrading from a version earlier than v13.0.0 to v13.0.0.
-- Installing v13.0.0 hotfixes

Or:

-- Running on iSeries platforms.
-- Upgrading from v12.1.4 or earlier, to 12.1.4.1 or a later 12.1.x version.
-- Installing v12.1.x point releases or engineering hotfixes.

Impact:
1) Unit key on disk is preferred over unit key in hardware.
2a) Potential config load failures when installing v13.0.0 hotfixes on 5000- and 7000- series devices.
2b) Potential config load failures when installing v12.1.x point releases or hotfixes on iSeries devices.

Workaround:
NOTES:
-- Impacts 5000- and 7000-series platforms on v13.0.x.
-- Impacts iSeries platforms on v12.1.4.1 or a later v12.1.x software version.

On or before upgrade to v13.0.0 or its associated hotfixes, perform the following procedure:
1) Set master key to a known value:
   modify sys crypto master-key prompt-for-password
2) Save config:
   tmsh save sys config
3) Remove the old unit key:
   rm /config/bigip/kstore/.unitkey
4) Load config:
   tmsh load sys config
5) Save config:
   tmsh save sys config

Fix:
Unit key is no longer left on platforms after upgrade from an older version.

---

619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
disable verify accept.

Fix:
the loop is fixed.

---

619844-2 : Packet leak if reject command is used in FLOW_INIT rule

Component: Local Traffic Manager

Symptoms:
TMM memory usage (packets) increases steadily over time.

Conditions:
'reject' command is used in a FLOW_INIT rule

Impact:
Packet leak over time will consume TMM memory.

Workaround:
Do not use reject command in FLOW_INIT iRule

---

619811-2 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and issuing CA is not first in it, the OCSP responder returns "unauthorized" response.

Conditions:
This can only happen when issuing CA is not first in the CA file.

Impact:
OSCP check in machine cert will fail and user won't be able to follow successful branch in Access Policy. This might result in Authentication failure even though the machine cert is valid.

Workaround:
Use iRule Event and variable Assign agent in between Machine Cert and OCSP Auth agent.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }

Fix:
Issuer cert is now looked up and set properly from the CA bundle. So there is no longer any failure response from OCSP responder.

---

619757-1 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.

---

619706-1 : tmsh appears to allow password change for internal lcd admin user

Component: TMOS

Symptoms:
The 'tmsh modify auth password' command appears to allow the password to be changed for the f5hubblelcdadmin user.

Conditions:
Using the 'modify auth password' command under tmsh, and manually specifying the 'f5hubblelcdadmin' user (which does not appear among the list of available users, such as via tab-completion).

Impact:
This operation appears to succeed, but has no actual effect on BIG-IP operations.
This is an internal user account which provides the context for communication with the lcd front panel display on newer BIG-IP appliances. Changing the stored password for this user account does not affect these operations.

Fix:
Removed the appearance of the ability to change the password for the internal lcd admin user.

---

619663-3 : Terminating of HTTP2 connection may cause a TMM crash

Solution Article: K49220140

Component: Local Traffic Manager

Symptoms:
TMM crashes when an HTTP2 connection is being terminating on client and server sides concurrently.

Conditions:
-- HTTP2 profile is configured and assigned to a virtual server.
-- A client SSL profile is also used on the same virtual server.
-- Client interrupting a connection and server terminating a connection at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A fix stops HTTP2 from further processing when a connection is terminating preventing TMM crash for this reason.

---

619528-4 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.

Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.

---

619516-1 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
This can cause any of the following depending on the change:
-- Superfluous full sync operations.
-- Updating the wrong element on the remote devices.
-- Missing changes on the remote devices.

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups with ASM enabled.

---

619486-3 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self

Component: Access Policy Manager

Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access could fail if application modifies window.self builtin object. As a result, the application will stop working and optionally log an undefined variable/reference exception into Developer Tools console.

To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.

Conditions:
This can occur if a web application has javascript that modifies the value of window.self.

Impact:
Affected web-applications will not work when accessed through Portal Access.

Workaround:
None

Fix:
Scripts on pages accessed through Portal Access are no longer failing when web application code modifies window.self.

---

619473-2 : Browser may hang at APM session logout

Component: Access Policy Manager

Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.

Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.

Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.

Fix:
Now browser does not hangs at logout from APM session with RDP client and/or VMvare View client.

---

619410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
-- Compression requests for DEFLATE/gzip/zlib levels other than level 1.
-- BIG-IP devices using Coleto Creek SSL hardware acceleration.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Workaround:
None.

Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.

---

619398-7 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.

---

619250-1 : Returning to main menu from "RSS Feed" breaks ribbon

Component: Access Policy Manager

Symptoms:
When you go to "RSS Feed" configuration page for Document, Picture Library, List etc. and go back to SharePoint Dashboard using link at the top pointing to "RSS FEED for ..." and then click any option on the ribbon, you got "500 Internal Server Error" and ribbon stops working. When you use built-in browser button "go back" instead, everything works Ok.

Conditions:
"500 Internal Server Error" occurred. Ribbon stop working.

Impact:
Ribbon stop working.

Workaround:
Use built-in browser "go back" button instead.

Fix:
Returning to main menu from "RSS FEED for ...", ribbon continue to work. No more "500 Internal Server Error".

---

619158-1 : iRule DNS request with trailing dot times out with empty response

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.

Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.

Impact:
The request does not properly resolve to an IP address.

Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.

Fix:
Domain names with trailing dots are properly resolved from iRules. The trailing dot is stripped when the request is saved to later match with the response.

---

619110-1 : Slow to delete URLs, CPU spikes with Automatic Policy Builder

Component: Application Security Manager

Symptoms:
Deleting a URL causes an incorrect event to be generated and logged for every other URL in the Policy.

When a policy has many URLs configured, deleting a URL takes a long time and consumes heavy CPU time.

Conditions:
Many URLs are configured in the Policy.
This can be due to Policy Builder being set to "Always" learn new HTTP URLs.
If Policy Builder is also configured to collapse common URLs to wildcards, then it deletes the collapsed urls and these calls can be resource intensive.

Impact:
1) GUI is slow to delete URLs
2) Misleading (incorrect) logs are present in the audit log for each other URL in the system after a URL delete.
3) CPU can spike to 100%

Workaround:
A) Change "Learn New HTTP URLs" mode to "Selective" from "Always"
B) Disable collapse URLS.

Fix:
URL delete no longer incorrectly generates an event for every other URL in the system.

---

619097 : iControl REST slow performace on GET request for virtual servers

Component: TMOS

Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and timeout errors.

Conditions:
When a significant number of virtual servers reference persistence profiles.

Impact:
Unable to perform large GET query on virtual servers.

Workaround:
None.

Fix:
Improved iControl REST performance for Performing a GET request on a BIG-IP with a large number persistence profiles on virtual servers.

---

619071-3 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disabled verified accept when used with OneConnect on a VIP.

Fix:
Verified accept, OneConnect and hardware syncookies work
correctly together.

---

619060 : Reduction in boot time in BIG-IP Virtual Edition platforms

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) version has experienced increased boot time.

Conditions:
The increased boot time occurs each time a VE is booted.

Impact:
Long boot time, longer than previous releases.

Workaround:
None.

Fix:
Reduction in boot time in BIG-IP Virtual Edition platforms.

---

618957-1 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates

Component: Access Policy Manager

Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such metadata file contains two certificates (one with 'signing' and one with 'encryption use) then BIG-IP will import certificate that is positioned 'second' in metadata twice.

Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'

Impact:
There is no impact if in metadata signing and encryption certificates are the same. If certificates are different - SAML SSO may not function properly due to incorrect certificate imported in configuration.

Workaround:
Import certificates manually, and assign them to created from metadata SAML SP connector

Fix:
Issue is now fixed: both certificates are imported correctly.

---

618944-1 : AVR statistic is not save during the upgrade process

Component: Application Visibility and Reporting

Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.

Conditions:
AVR statistic was collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.

Impact:
Old AVR statistics will be lost

Workaround:
1. before upgrade edit the following file:
./usr/libdata/configsync/avr_save_pre
2. change the following line " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "

with " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "

Fix:
AVR upgrade script fixed

---

618905-1 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm core while installing Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm core related to Safenet 6.2 client installation.

---

618902-4 : PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation

Component: Advanced Firewall Manager

Symptoms:
Each time the Packet Classification Compiler Daemon (PCCD) process recompiles rules due to configuration changes, it loses approximately 20 bytes or more (depends on the rule complexity) due to small memory leak.

Conditions:
This occurs when making changes to the firewall configuration when AFM is configured.

Impact:
This can potentially lead to an out-of-memory situation if the system runs for a long time without reboot and PCCD continuously recompiles due to frequent configuration changes.

Workaround:
None.

Fix:
The PCCD memory leak was identified and fixed.

---

618884-1 : Behavior when using VLAN-Group and STP

Component: Local Traffic Manager

Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.

Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.

Note: This issue is a constraint to soft switched platforms.

Impact:
May not see ICMP response traffic.

Workaround:
None.

---

618779-1 : Route updates during IPsec tunnel setup can cause tmm to restart

Component: TMOS

Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards a remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage, causes tmm to crash and restart. This is more likely to happen if the route towards the endpoint is dynamic.

Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as is in the case of dynamic route updates)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that there is always a valid route towards each of the remote peers.

Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.

---

618771-1 : Some Social Security Numbers are not being masked

Component: Application Security Manager

Symptoms:
ASM does not block or mask some SSN numbers.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains social security numbers with specific ranges.

Impact:
The traffic passes neither masked nor blocked to the end client.

Workaround:
None.

Fix:
The system now correctly masks and/or blocks all relevant social security numbers.

---

618657-4 : Bogus ICMP unreachable messages in PEM with ipother profile in use

Component: Policy Enforcement Manager

Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.

Conditions:
A VS with ipother profile configured together with the PEM profile. In the field defect the additional piece needed was the missing classification, but this is due to code ordering, so in non-fixed versions this can also happen with the classification profile present.

Impact:
Unnecessary ICMP traffic

Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.

---

618656-2 : JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters

Component: Application Security Manager

Symptoms:
The JavaScript challenge is repeating in a loop on Firefox on URLs which are longer than 1033 characters. The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs are longer than 1033 characters, AND:
Users are using the Firefox browser, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests to URLs longer than 1033 will be blocked on Firefox, and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on Firefox, on URLs which are longer than 1033 characters.

---

618549-1 : Fast Open can cause TMM crash CVE-2016-9249

Solution Article: K71282001

---

618517-1 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring

Solution Article: K61255401

Component: Local Traffic Manager

Symptoms:
- In v11.6.1, bigd reports pool members were marked down that are not actually down, and logs messages similar to the following in the ltm log file:

warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.

- Because of changes in the v12.1.x software, although the problem is still present, it has negligible impact.

Conditions:
-- Monitoring is in use.
-- bigd debug logging is enabled.
-- The bigd debug log file (/var/log/bigdlog) is full.

Impact:
- On v11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.

- In v12.1.x, some of the underlying logging code changed, and there is no real impact.

Workaround:
Prevent the log file from getting full. To do so, rotate the log file using the following command:
logrotate -f bigdlog

Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.

---

618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Component: Access Policy Manager

Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Conditions:
APM is provisioned and access profile is attached to the virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Correctly handle session DB data in APM to prevent memory segmentation fault.

---

618430-2 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.

Fix:
The following ILX information was added to the qkview:

TMSH commands:
  list ilx workspace all-properties
  list ilx plugin all-properties
  list ilx global-settings (13.0.0+)
  list ltm profile ilx all-properties (13.0.0+)
  show ilx plugin all
  show ltm profile ilx all (13.0.0+)

The files in the following folders:
  /var/ilx - master copies of workspaces
  /var/sdm - running files of the plugins
  /var/log/ilx - ILX specific logs

---

618428 : iRules LX - Debug mode does not function in dedicated mode

Component: Local Traffic Manager

Symptoms:
In case if the debug option is enabled in the dedicated mode, sometimes some of the nodejs process can be allocated a "in-use" port, which prevents it from starting successfully.
By design every process is guaranteed a debug port in the configured range as long as there are enough ports available in the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.

Conditions:
some of the ports in the range are busy.

Impact:
Some of the nodejs processes fail to start which prevents normal iRuleLX operation.

Workaround:
Consult with netstat output and set the debug-port-range-low to a higher value (eg. 10000+) to minimise the change of a port conflict.

---

618421 : Some mass storage is left un-used

Component: TMOS

Symptoms:
In some conditions, about 10% of BIG-IP's mass storage capacity is not made available for application data.

Conditions:
This occurs on the BIG-IP i-Series platforms.

Impact:
Applications that use a lot of storage may not function optimally.

Fix:
The storage is optimally reallocated.

---

618404-1 : Access Profile copying might be invalid if policies are named series of names.

Component: Access Policy Manager

Symptoms:
After copying an access policy, you receive an error when trying to open the copy: Unable to load accessPolicy '/Common/my_policy_access_1_1' from source.

In version 11.5.x, there was no name resolution, so this issue appeared only because of name truncation. Beginning in version 12.0.0, bot name resolution, truncation and _x reduction happen simultaneously.

Conditions:
When policies have with names ending with _1, _2, etc. For example, my_policy_access_1_1, my_policy_access_1_2, etc.

Impact:
Unable to copy the policy properly.

Workaround:
Export the policy, and then import it with reuse.

Fix:
Copying is fixed for these conditions.

---

618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run

Component: TMOS

Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.

Conditions:
This can occur on the following versions:

- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1

This can occur when the BIG-IP is heavily loaded and while running the qkview command.

Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.

Workaround:
Do not run the qkview command if the device is heavily loaded.

Fix:
Removed offending "show sys connection" command from qkview utility.

---

618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
When upgrading from OPSWAT SDK V3 to V4, opening Access Policy in VPE if one of the opswat checker (e.g. Anti-Virus checker) contains an Undefined (i.e. previously defined but out of support) ID it will display as "Any." The correct display should be "Unsupported" or "Invalid" product.

Conditions:
Wrongful information displayed.

Impact:
Wrongful information displayed.

Workaround:
N/A

Fix:
Correct (*** Invalid ***) information displayed.

---

618306-2 : TMM vulnerability CVE-2016-9247

Solution Article: K33500120

---

618263-1 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005

---

618261-6 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005

---

618254-4 : Non-zero Route domain is not always used in HTTP explicit proxy

Component: Local Traffic Manager

Symptoms:
You may experience connectivity failure in certain situations where a sideband communications are required as part of the transaction.

Conditions:
BIG-IP has http-explicit configuration, where a sideband connection is required, say in the case of getting an OCSP response or a DNS resolver response when those services are associated with a different route domain.

Impact:
End-to-end connectivity failure.

Workaround:
Change configuration so that all services required are on the default route domain, 0.

---

618185-1 : Mismatch in URL CRC32 calculation

Component: Fraud Protection Services

Symptoms:
In some cases URL CRC32 calculated by JS does not match referrer CRC32 calculated by Plugin.

Conditions:
Each one of next conditions cause this problem:
1. CRC32 calculated for URL with path parameters while strip_path_parameters BigDB variable value is 'true'.
2. CRC32 calculated for URL with a fragment (hashmark '#') in query string.

Impact:
A component validation alert is triggered as a result of mismatch between URL CRC32 calculated by JS and referrer CRC32 calculated by Plugin.

Workaround:
No workaround.

Fix:
strip_path_parameters BigDB variable value is passed to JS and JS URL normalization before CRC32 calculation is now similar to the one Plugin does.

---

618170-3 : Some URL unwrapping functions can behave bad

Component: Access Policy Manager

Symptoms:
Some URL unwrapping functions can behave incorrectly with different web application malfunctions as a result.

Conditions:
JavaScript with "location.pathname" like fields at the right side of an expression.

Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.

Fix:
Fixed.

---

618161-1 : SSL handshake fails when clientssl uses softcard-protected key-certs.

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.

Conditions:
Softcard-protection is enabled and token protection is disabled.

Impact:
SSL handshake fails

Workaround:
None known.

Fix:
SSL handshake no longer fails when clientssl uses softcard-protected key-certs.

---

618137-1 : Native IXLV: New tagged VLAN does not work after several restarts of tmm

Component: TMOS

Symptoms:
Traffic does not pass for newly added tagged VLANs.

Conditions:
1. Native IXLV devices (Intel X710/XL710/XXV710 family) NICs are in use.
2. Tagged VLAN in use.
3. TMM is restarted several times.
4. A new tagged VLAN is added.

Impact:
The BIG-IP system does not send/receive traffic for tagged VLANs.

Workaround:
To work around this, do the following:

1. Stop the BIG-IP guest.
2. Re-load the i40e driver on the hypervisor host using the following command: rmmod i40e; modprobe i40e.
3. Start the BIG-IP guest.

Fix:
Tagged VLANs now pass traffic as expected regardless of tmm restarts.

---

618121 : "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★

Component: Local Traffic Manager

Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x

Conditions:
When the RTSP_RESPONSE event and "persist add" iRule are used and upgrade to v12.x.x.

Impact:
"persist add" iRule validation failed. The iRule will not be loaded.

Workaround:
possible workaround is to bypass validation

when RULE_INIT {
  set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}

when RTSP_RESPONSE {
   set SessionID [RTSP::header value "Session"]
  if { $SessionID != "" }{
    #persist add uie $SessionID $static::persist_timeout
    eval $static::persist_cmd
  }
}

---

618106-1 : bigd core due to memory leak, especially with FQDN nodes

Solution Article: K74714343

Component: Local Traffic Manager

Symptoms:
The bigd daemon may core due to excessive memory consumption caused by a slow memory leak that occurs when creating or updating an LTM node or pool member.

This memory leak occurs much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.

Conditions:
The bigd memory leak occurs slowly with non-FQDN nodes/pool members, but much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.

On BIG-IP v12.1.3.2 and earlier, an additional leak occurs each time an FQDN name is resolved for an FQDN node or pool member. The rate of the leak in this case is determined by the number of FQDN nodes/pool members configured with the 'autopopulate' feature enabled, and the FQDN name resolution interval (determined by the 'interval' setting of the 'fqdn' configuration for the FQDN node).

Impact:
The bigd daemon may core due to excessive memory consumption.

Workaround:
It is possible to work around this issue by one of the following methods:
1. Restart the bigd daemon before memory consumption becomes excessive. (Note that this may interrupt traffic to configured pool members.)

On BIG-IP v12.1.3.2 and earlier:
2. Configure a longer 'interval' value in the 'fqdn' configuration for configured FQDN nodes.
3. Configure FQDN nodes/pool members without the 'autopopulate' setting enabled.

Fix:
The bigd daemon no longer leaks memory when configuring an LTM node or pool member.

---

618024-2 : software switched platforms accept traffic on lacp trunks even when the trunk is down

Component: Local Traffic Manager

Symptoms:
On software switched platforms tmm owned LCAP trunks still accept traffic even though the trunk is down from the control plane ( LACP status down).

Conditions:
LACP trunk with status down

Impact:
VLAN failsafe timers are erroneous reset, VLAN failsafe is broken.

Workaround:
no workaround

Fix:
tmm now checks the link status on tmm owned lacp trunks before accepting traffic.

---

617986-2 : Memory leak in snmpd

Component: TMOS

Symptoms:
Memory usage in snmpd is increases until the OOM process kills snmpd.

Conditions:
BIG-IP configured with virtual servers that have the same destination IP address

Impact:
snmp disrupted while snmp restarts.

Workaround:
No workaround

Fix:
Fixed memory leaks.

---

617935 : IKEv2 VPN tunnels fail to establish

Component: TMOS

Symptoms:
IKEv2 VPN tunnels fail to establish.

Conditions:
This occurs with IKEv2 on a specific 12.1.2 HF1 engineering hotfix.

Impact:
IPsec IKEv2 VPN tunnels fail to establish.

Workaround:
Use IPsec IKEv1.

Fix:
IKEv2 VPN tunnels now establish as expected.

---

617901-1 : GUI to handle file path manipulation to prevent GUI instability.

Solution Article: K00363258

---

617865-1 : Missing health monitor information for FQDN members

Component: TMOS

Symptoms:
Health monitor information and status are both missing for FQDN nodes and pool members.

Conditions:
FQDN nodes and pool members configured.

Impact:
GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members.

Workaround:
Check logs for this info.

Fix:
The system now exposes health monitors info/status and the GUI shows them in node properties page, pool member properties page, and monitor instances page.

---

617862-2 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: Your TCP handshake will not prematurely timeout and connections remains open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration of any SYN retransmissions, etc., that might occur.

---

617858-2 : bigd core when using Tcl monitors

Component: Local Traffic Manager

Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.

Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).

Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.

Workaround:
None.

Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.

---

617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.

---

617733-1 : Error message: subscriber id response; Subscription not found

Component: TMOS

Symptoms:
BIG-IP restarts the icr_eventd process and generates a core file. You might see the following messages in the LTM log file:

-- err icr_eventd[4589]: 01a10003:3: Receive MCP msg failed: could not get subscriber id response, status: 0x1020046
-- err mcpd[4206]: 01070069:3: Subscription not found in mcpd for subscriber Id %icr_eventd.

Conditions:
Might be related to restarting a BIG-IP Virtual Edition installation.

Impact:
The icr_eventd process restarts, and the system produces a core file.

Workaround:
None.

---

617690-4 : enable SIP::respond iRule command to operate during MR_FAILED event

Component: Service Provider

Symptoms:
When an message fails to route, it is not possible to return an error status back to the client.

Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.

Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.

Workaround:
NA

Fix:
SIP::respond command now works during MR_FAILED event.

---

617688 : Encryption is not activated unless "real-time encryption" is selected

Component: Fraud Protection Services

Symptoms:
Encryption is not activated as expected

Conditions:
Encryption enabled
Real-time encryption disabled

Impact:
Encryption error alert received in alert server

Workaround:
Enable "real-time encryption"

Fix:
Encryption on submit is now supported better.

---

617648 : Surfing with IE8 sometimes results with script error

Component: Fraud Protection Services

Symptoms:
Slow devices running Internet Explorer 8 can suffer performance issues on websafe protected sites.

Conditions:
Slow device running Internet Explorer 8.
Large number of configured or updated malware signatures.

Impact:
Clientside slowness.
In extreme cases, a popup asking the user whether to stop the script.

Workaround:
Reduce the number of malware signatures

Fix:
Compressed signatures

---

617628-1 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature

---

617622 : In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure

Component: TMOS

Symptoms:
In TMSH, when trying to save the AAM configuration, TMSH removes value from matching rule. It corrupts bigip.conf and causes system loading configuration failure, with the following error in /var/log/ltm:

01070734:3: Configuration error: Policy "/Common/Drafts/<policy>", node "test_node", matching rule "path:Path": Must have a value.
Unexpected Error: Validating configuration process failed.

Conditions:
-- Use TM Shell to load configuration.
-- AAM configuration is loaded on BIG-IP and it is saved

Impact:
TMSH fails to load system configuration file.

Before the configuration save the policy would look like this:
matching {
  path {
    values {
      / { }
    }
  }
}

After the save it is converted to
matching {
  path { }
}

Workaround:
None.

Fix:
TMSH now saves AAM configuration without removing values from matching rules. Saving/loading system configuration succeeds.

---

617481-1 : TMM can crash when HTML minification is configured

Component: TMOS

Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML Minification to improve performance and optimize memory utilization. In some cases, HTML may incorrectly process the HTML code and cause TMM to crash.

Conditions:
1) AAM has to be provisioned and
2) AAM policy has to be configured and
3) has HTML minification enabled and
4) be applied to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disabling minification prevent TMM from crashing for this reason.

---

617391-1 : Custom ASM Search Engines causing sync, offline, and upgrade issues★

Solution Article: K53345828

Component: Application Security Manager

Symptoms:
-- The Device sync status constantly shows 'Changes Pending' when a custom ASM Search Engine is added with a new Bot Name to an existing Search Engine name.

For example, the Yandex search engine is a built-in search engine with Bot Name 'Yandex'. When adding a custom search engine with the same name: 'Yandex', but a different Bot Name, for example: 'yandexbot', the issue occurs.

When the issue appears, the device sync status shows 'Changes Pending'. Running a config-sync brings the status to 'In Sync', but a few seconds later, the status again changes to 'Changes Pending'.

-- Adding a custom ASM Search Engine with Bot Name and Domain Name identical to an existing Search Engine reports an error message, but the Search Engine will be successfully added. The next time ASM is restarted, the device remains offline and ASM restarts indefinitely.

-- Adding a custom ASM Search Engine and then upgrading to a release that already includes it as a built-in Search Engine under a different name, causes ASM to restart indefinitely and the system to remain offline. For example: adding a custom Search Engine with Domain Name '.msn.com' and Bot Name 'msnbot' in 12.1.3.5 and then upgrading to 12.1.3.6 triggers this issue.

Conditions:
This issue occurs when any of the following sets of criteria are met:

-- Multiple devices are joined in sync-failover device-group and ASM sync is enabled, and a custom ASM Search Engine is added with a new Bot Name, for which there is an existing Search Engine Name.

-- Adding a custom Search Engine with a Bot Name and Domain Name identical to an existing Search Engine.

-- Upgrading to 12.1.3.6, and ASM sync is enabled. Note: Only 12.1.3.6 exhibits this behavior.

Impact:
-- Device sync status constantly shows 'Changes Pending'.

-- The custom ASM Search Engine might not be bypassed for JavaScript challenges that are sent as a result of either the Web Scraping Feature, or Device-ID. This applies also to standalone deployments.

-- System might remain offline while ASM is constantly restarting.

-- Upgrade might fail.

Workaround:
-- Add the custom ASM Search Engine under a new name. For example, if adding the 'yandexbox' search engine, then use the Search Engine name 'Yandex-yandexbot' instead of simple 'Yandex'.
-- Before upgrading, remove any custom Search Engines whose Bot Name and Domain Name is identical to an existing Search Engine after the upgrade.

Fix:
Adding custom ASM Search Engines no longer triggers sync, offline or upgrade issues.

---

617382-1 : Csyncd memory leak on multi-bladed systems

Component: Local Traffic Manager

Symptoms:
Csyncd memory use increases over time.
It may fail due to large size (>2 to 3 GB), possibly leading to this ltm log:

err csyncd[8258]: 013b0004:3: Fatal error: fork failed.

Memory pressure may develop, leading to an increased use of swap, and the system may become sluggish and show other low-memory symptoms.

If memory pressure is severe, the Linux oom killer will likely terminate csyncd. On systems with more free memory, csyncd will terminate with a core file when it is approaching 4GB in size. In both cases csyncd automatically restarts.

Conditions:
Multi-bladed vCMP guest or VIPRION.

Impact:
Low free memory may lead to system instability.

If memory pressure is severe, the Linux oom killer will likely terminate csyncd. On systems with more free memory, csyncd will terminate with a core file when it is above ~2.2 GB in size. In both cases csyncd automatically restarts.

Workaround:
Restart csycnd on all blades to free the memory it has in use:

clsh bigstart restart csyncd

This is typically not service-affecting.

Fix:
Memory leak identified and fixed.

---

617310-2 : Edge client can fail to upgrade when Always Connected is selected★

Component: Access Policy Manager

Symptoms:
Attempt to upgrade from an Edge client version to a current version fails when Always Connected is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client.

Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.

Workaround:
Turn off Always Connected before upgrading.

Fix:
Edge client now succeeds during upgrade when Always Connected is selected.

---

617273-7 : Expat XML library vulnerability CVE-2016-5300

Solution Article: K70938105

---

617229-1 : Local policy rule descriptions disappear when policy is re-saved

Solution Article: K54245014

Component: TMOS

Symptoms:
Local policy rule descriptions disappear when policy is re-saved.

Conditions:
A rule with description exists, and the policy it's under is saved.

Impact:
An existing rule description disappears when the policy it's under is saved.

Workaround:
Use TMSH to modify the policy's properties.

Fix:
Local policy rule descriptions now remain visible when policy is re-saved.

---

617187-1 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
If APM server uses untrusted SSL certificate/or it is accessed using IP address CustomDilaer, access is refused and there is no prompt to confirm the security warning.

Conditions:
APM has invalid certificate
User uses CustomDialer to access VPN

Impact:
VPN connection can't be established

Workaround:
Use valid SSL certificate on APM or add particular invalid certificate to trusted store on Windows

Fix:
Now CustomDialer warns user about invalid certificate and allows to proceed with invalid certificate.

---

617124 : Cannot map hardware type (12) to HardwareType enumeration

Component: TMOS

Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.

Conditions:
This is reproducible in under all conditions.

Impact:
iControl-SOAP crashes when this call is made.

Workaround:
Don't call this SystemInfo::get_hardware_information().

Fix:
Call this method no longer leads to a crash.

---

617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel

Component: Access Policy Manager

Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.

Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.

Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.

Fix:
If captive portal is detected during reconnect, close VPN resources before showing captive portal authentication page.

---

617014-3 : tmm core using PEM

Component: Policy Enforcement Manager

Symptoms:
tmm core when using PEM with cloning monitored traffic

Conditions:
Using PEM with iRules and cloning traffic

Impact:
Traffic disrupted while tmm restarts.

Fix:
The problem with PEM and cloning traffic via iRule has been corrected.

---

617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Component: Access Policy Manager

Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.

Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.

Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.

Fix:
Correctly handle the response analytics for these URLs and dont send resets to client.

---

616918-1 : BMC version 2.50.3 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.50.3.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- PXE boot.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

---

616864-1 : BIND vulnerability CVE-2016-2776

Solution Article: K18829561

---

616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
While adding the custom parameter in Citrix Resource would give parser error as following,

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
Having Citrix resource with custom parameter name with hyphen character

Impact:
Custom parameter can not be used with hyphen character

Workaround:
None

Fix:
Accept custom parameter name with hyphen character

---

616298-1 : Loading the configuration fails when a virtual server uses HTTP Strict Transport Security (HSTS).

Component: Local Traffic Manager

Symptoms:
When loading the BIG-IP system's configuration by running the 'tmsh load sys config' command, the command fails and returns an error similar to the following example:

01071afb:3: With HSTS mode enabled in HTTP Profile '/Common/my-http', virtual server '/Common/my-vs' using this profile requires a 'clientssl' profile attached.
Unexpected Error: Loading configuration process failed.

This validation error should only be returned when a virtual server using HSTS was not assigned a client-ssl profile. This issue consists in the fact the BIG-IP system returns the error when your configuration is correct.

Note this issue can also occur during an upgrade from an unaffected version (e.g., 12.1.4) to an affected version (e.g., 12.1.5).

Conditions:
This issue occurs when all of the following conditions are met:

-- Your configuration contains at least one virtual server making use of a HTTP profile with HSTS enabled.

-- You attempt to reload the BIG-IP system's configuration (either explicitly via the tmsh utility, or implicitly during an upgrade).

Impact:
The configuration fails to load. This can have several consequences, depending on what you were doing:

-- Upgrading from an unaffected version to an affected one: the configuration does not load after the upgrade and the system remains inoperative.

-- Reloading the configuration to get rid of unsaved changes: you cannot do so, and the configuration elements you were trying to remove continue to exist in memory.

-- Reloading the configuration to pick up manual changes you made to a configuration file (e.g., bigip.conf): you cannot do so, and the new configuration elements are not loaded into memory.

Workaround:
There is a temporary workaround.

Potential impact of workaround: ideally, this workaround should not be performed on a unit that is already processing traffic, as the virtual servers will not operate in HSTS mode until the procedure is complete. As such, a small window will exist during which new clients will not immediately learn that the virtual servers wish to use HSTS.

1) Edit the /config/bigip.conf file (and all /config/partitions/*/bigip.conf files) and change the following section in HTTP profiles:

From this:
hsts {
    mode enabled
}

To this:
hsts {
    mode disabled
}

2) Load the configuration:
tmsh load sys config partitions all

3) Re-apply HSTS to the appropriate HTTP profiles.

However, note that the issue occurs again the next time a configuration load is attempted.

If you are planning to upgrade to an affected version and you use HSTS, you can contact F5 Support to obtain an Engineering Hotfix for this issue for your software version.

Fix:
The configuration loads as expected.

---

616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★

Solution Article: K39944245

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.

---

616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.

---

616169 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.

---

616161-1 : BD process crash and restarts

Component: Application Visibility and Reporting

Symptoms:
bd restarts and generates a core file. bd.log contains messages similar to the following:
-- BD_MISC|ERR ... BD shrinking...,going down - BD will be right back.
-- BD_MISC|CRIT ... Received SIGSEGV - Core Dumping.

Conditions:
The virtual server has a Security Policy and there is a heavy load of traffic.

Note: This is a rare race condition case that might occur occasionally when the system is under heavy stress.

Impact:
bd restarts, causing a halt to traffic for few seconds.

Workaround:
None.

Fix:
Race condition has been fixed.

---

616104-2 : VMware View connections to pool hit matching BIG-IP virtuals

Component: Access Policy Manager

Symptoms:
When a VMware View resource is configured to use a pool as a destination, for all the connections to this pool, except the very first one, a matching virtual lookup is performed.
This doesn't align with the typical BIG-IP behavior on pool connections that should go directly to the chosen pool member and not hit matching virtual servers.

Conditions:
If a VMware View resource is configured to connect to a pool and there is a virtual server matching some or all the IP/port values of pool members, connections to those members will go through the matching virtual server, except for the very first one.

Impact:
If a matching virtual is not intended to pass the traffic through (e.g., a 'reject-all' virtual), those connections routed to this virtual server will fail.

Workaround:
None.

Fix:
All the connections to VMWare View pool members now go directly without hitting matching BIG-IP virtual servers.

---

616059-1 : Modifying license.maxcores Not Allowed Error

Solution Article: K19545861

Component: TMOS

Symptoms:
Your sync-failover device group status says 'Sync Failed' and reports the following error in Device Management :: Overview: Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

Conditions:
-- Non-homogeneous Virtual Edition (VE) configured with different licenses in a device group, or with hardware-based BIG-IP systems.
-- License variable perf_VE_cores is different among licenses.

Impact:
The device group fails to sync.

Workaround:
If you are using VEs in a device group, ensure that their licenses are the same.

Fix:
The license variable perf_VE_cores no longer syncs, so there is no error message.

---

616022-2 : The BIG-IP monitor process fails to process timeout conditions

Solution Article: K46530223

Component: Local Traffic Manager

Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.

Conditions:
It is not known exactly what triggers this condition. It was encountered on an HTTPS monitor.

Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.

Workaround:
No known workaround.

Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.

---

616008-3 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.

Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.

---

615970-1 : SSO logging level may cause failover

Component: Access Policy Manager

Symptoms:
SSO logging level may cause failover.

Conditions:
SSO logging level set to "Debug".

Impact:
TMM may crash. Core file may be generated.

Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".

Fix:
The SSO logging level of "Debug" no longer causes failover.

---

615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl/SOAP functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.

---

615824-1 : REST API calls to invalid REST endpoint log level change

Component: iApp Technology

Symptoms:
In Big-IP 12.x versions before 12.1.2 invalid requests to a REST endpoint were being recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.

Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.

Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.

Workaround:
Users can increase the log level of the REST Framework to FINE by making the following change to the file '/etc/restjavad.log.conf':

Before:
.level=FINE
After:
.level=INFO

Fix:
This message is included in the INFO log level on BIG-IP v12.1.2.

---

615432-1 : Multiple TFTP data transfers cannot be initiated in a single session

Component: Carrier-Grade NAT

Symptoms:
Multiple TFTP data transfers cannot be initiated in a single session.

Conditions:
Virtual server with TFTP profile is configured to handle TFTP traffic.

Impact:
Multiple TFTP data transfers cannot be initiated in a single session.

Workaround:
There is no workaround at this time.

Fix:
Multiple TFTP data transfers can be initiated in a single session

---

615388-1 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory

Component: Local Traffic Manager

Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.

Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.

Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.

---

615377-3 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.

/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.

Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.

Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.

Workaround:
None known.

Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
  warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
  warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

Behavior Change:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
  warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
  warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

---

615338-2 : The value returned by "matchregion" in an iRule is inconsistent in some cases.

Component: Global Traffic Manager (DNS)

Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.

Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.

Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.

Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".

Fix:
"Matchregion" returns the correct value under all conditions.

---

615303-2 : bigd crash with Tcl monitors

Solution Article: K47381511

Component: Local Traffic Manager

Symptoms:
bigd crashes after logging an error similar to the following:

emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream

Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.

-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.

-- May be particularly likely if the monitor is configured with an interval value of 1 second.

Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).

Impact:
bigd crashes and error messages.

Possible interruption of monitoring status, pool members going down, interruption of traffic.

Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.

Fix:
Monitor works as expected under the conditions described.

---

615269-1 : CVE-2016-2183: AFM SSH Proxy Vulnerability

Solution Article: K13167034

---

615267-2 : OpenSSL vulnerability CVE-2016-2183

Solution Article: K13167034

---

615254-2 : Network Access Launch Application item fails to launch in some cases

Component: Access Policy Manager

Symptoms:
If access policy has multiple network resources with application launch configured, applications will launch only from first network resource.

Conditions:
Multiple Network access resources are configured with application launch.

Impact:
Applications will launch only from first network resource. Applications will not launch for other network resources

Workaround:
Launch applications manually after VPN is established.

Fix:
Applications from all network resources are now detected and launched correctly.

---

615226-5 : Libarchive vulnerabilities: CVE-2016-8687 and others

Solution Article: K13074505

---

615222-1 : GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★

Solution Article: K79580892

Component: Global Traffic Manager (DNS)

Symptoms:
The user configuration set (UCS) configuration file may fail to load due to the global server load balancing (GSLB)-referenced virtual server name syntax. The system posts errors similar to the following:

01070226:3: Pool Member 20002 references a nonexistent Virtual Server.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have configured your BIG-IP DNS system (formerly known as BIG-IP GTM) with a virtual server name that includes the colon (:) character.
-- The virtual server is included as a GSLB pool member.
-- You save the configuration to a UCS file.
-- You attempt to load the UCS configuration file.

Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.

Workaround:
None.

Fix:
Fixed issue related to parsing of GTM Pool member names that prevents the use of GTM virtual servers or GTM servers with a colon (:) in the name from being used as a GTM pool member.

---

615143-1 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.

Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.

Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.

Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.

Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.

---

615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).

Component: TMOS

Symptoms:
Issuing commands from the AOM/SCCP menu to the host do not function, or password is required when SSH from AOM/SCCP to the host.

Conditions:
Presence of /etc/ssh directory on host.

Impact:
AOM/SCCP unable to connect to host without password.

Workaround:
None.

Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).

---

615097-1 : Incorrect use of HTTP::collect leads to TMM core.

Component: Local Traffic Manager

Symptoms:
Incorrect use of HTTP::collect leads to TMM hang. Watchdog kills TMM on timeout leading to core.

Conditions:
If the iRule requests non-incremental HTTP::collect or amount greater than content-length when the whole-body has already been received, then this leads to TMM hang.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add an HTTP::release after the HTTP::payload instruction;
Or
Use incremental HTTP::collect commands.

Fix:
HTTP state machine was modified to handle non-incremental collects and condition where whole body has been received when the collect is issued.

---

614891-2 : Routing table doesn't get updated when EDGE client roams among wireless networks

Component: Access Policy Manager

Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.

Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.

Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.

---

614865-5 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
Overwrite flag in iControl functions key/certificate_import_from_pem_v2() functions are now processed correctly and no longer produce errors.

---

614808-1 : Running qkview with option -c (--complete) fails if there is an encrypted key

Component: TMOS

Symptoms:
When you run qkview -c, you are prompted for a password:
Enter pass phrase for ./Common_d/certificate_key_d/:Common:f5_api_com.key_64768_1:

Conditions:
An OpenSSL key exists that is encrypted with a passphrase.

Impact:
qkview -c cannot be run because /bin/printcertmods requires a valid passphrase to finish.

Workaround:
Unless you can enter passphrases from the command line, assuming there are a small number of such keys and the passphrase is available, there is no workaround.

Fix:
The fix simply avoids the issue and skips computing the modulus for any encrypted key.

---

614788-1 : zxfrd crash due to lack of disk space

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that the zone transfer daemon (zxfrd) can crash if the /var disk partition fills up and zxfrd needs to increase the size of its database.

Conditions:
DNS Express configured
Full /var partition
Changes to the zone database require more space to be allocated for zxfrd.

Impact:
zxfrd may crash and restart. This process may repeat depending on the need for space on restart.

Workaround:
Free up space in the /var partition.

Fix:
zxfrd now correctly handles the out of space condition.

---

614766-1 : lsusb uses unknown ioctl and spams kernel logs

Component: TMOS

Symptoms:
RHEL6 version of lsusb and associated libusb1 libraries
are using an ioctl that isn't properly supported by the kernel in the 32-bit syscall path.

Conditions:
RHEL6 version of lsusb and associated libusb1 libraries.

Impact:
Spamming of kernel logs.

Workaround:
None.

Fix:
kernel.el6.5: fix missing ia32 compat mapping for USBDEVFS_GET_CAPABILITIES.

---

614730-1 : Session opening log shows incorrect number of challenged responses.

Component: Application Security Manager

Symptoms:
Session opening log shows the incorrect number of challenged response.

Conditions:
Session opening is configured to mitigate session opening attack by client-side challenges.

Impact:
The log viewed contains incorrect values.

Workaround:
None.

Fix:
Fixed a reporting issue with the session opening client-side challenges.

---

614702-1 : Race condition when using SSL Orchestrator can cause TMM to core

Solution Article: K24172560

Component: Local Traffic Manager

Symptoms:
A race condition you encounter when you use the F5 Herculon SSL Orchestrator system can cause the Traffic Management Microkernel (TMM) to restart.

Conditions:
Running the F5 Herculon SSL Orchestrator system with large numbers of connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the race condition so that TMM does not restart.

---

614563-3 : AVR TPS calculation is inaccurate

Component: Application Security Manager

Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.

Conditions:
DoS profile attached to the virtual server.

Impact:
Attack can wrongly be detected.

Workaround:
None.

Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.

---

614530-2 : Dynamic ECMP routes missing from Linux host

Component: TMOS

Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.

Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.

Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.

Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.

Fix:
ECMP routes are correctly added to the Linux host.

---

614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart

Component: Local Traffic Manager

Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.

Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.

Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.

---

614486-1 : BGP community lower bytes of zero is not allowed to be set in route-map

Component: TMOS

Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.

Conditions:
set the BGP community value to a value of form ASN:0

Impact:
if you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This could also impact upgrading from the old versions to the version that doesn't support community values of the form ASN:0.

Workaround:
None

Fix:
BGP community can be set to values of the form ASN:0.

---

614441-4 : False Positive for illegal method (GET)

Solution Article: K04950182

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.

---

614322-1 : TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway

Solution Article: K31063537

Component: Access Policy Manager

Symptoms:
TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway.

Conditions:
RDP client uses RDG-RPC protocol to connect via APM's RD Gateway implementation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed TMM crash, which occurred during RDG-RPC protocol handling.

---

614296-1 : Dynamic routing process ripd may core

Component: TMOS

Symptoms:
As a result of a known issue the dynamic routing protocol daemon ripd, used for the RIP protocol may produce a core file when configuring it to use a interface configured with multiple self IP addresses on different subnets on the same VLAN.

Conditions:
- Use the RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN
- Add one of the subnets with the network command within the "router RIP" stanza.

Impact:
ripd will core and the configuration will not be allowed.

Workaround:
Configure one subnet/self IP address per VLAN.

Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.

---

614284-2 : Performance fix to not reset a data structure in the packet receive hotpath.

Component: Advanced Firewall Manager

Symptoms:
No symptoms. This is a performance fix.

Conditions:
This will happen always in the packet receive hotpath.

Impact:
No impact. Without this fix BIG-IP could have 0.5% (hard to measure) performance impact.

Workaround:
No workaround.

Fix:
Made an optimization to the packet receive hotpath.

---

614180-1 : ASM is not available in LTM policy when ASM is licensed as the main active module

Component: TMOS

Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module

Conditions:
ASM is licensed as the main active module

Impact:
ASM is not available in LTM policy rule creation

Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.

Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.

---

614147-1 : SOCKS proxy defect resolution

Solution Article: K02692210

---

614097-1 : HTTP Explicit proxy defect resolution

Solution Article: K02692210

---

613765-3 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Component: TMOS

Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.

Impact:
Degraded user experience waiting for the extra logic and misleading error in logs.

Workaround:
None.

Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.

---

613728-1 : Import/Activate Security policy with 'Replace policy associated with virtual server' option fails

Component: Application Security Manager

Symptoms:
Visible errors in the BIG-IP Configuration utility:

-- MCP Validation error - 01071abb:3: Cannot create/modify published policy '/Common/<ltm_policy_name>' directly, try specifying a draft folder like '/Common/Drafts/<ltm_policy_name>'.

-- MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/<asm_policy_name>'. It is in use by ltm policy '/Common/<asm_policy_name>'.

Conditions:
-- ASM provisioned.

-- Having an active Security policy 'A' assigned to an LTM L7 Policy 'L'.

-- Import/Activate Security policy 'B' with the option 'Replace policy associated with virtual server' enabled, to replace security policy 'A'.

Impact:
Security Policy is activated but not assigned to the LTM policy.

Workaround:
Run the following command prior to the Import/Activate of a Security policy action:
---------
# tmsh modify ltm policy L legacy
---------

Fix:
The process of importing/activating a Security policy now correctly replaces an existing policy, when the option 'Replace policy associated with virtual server' is enabled.

---

613671-2 : Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation

Component: Fraud Protection Services

Symptoms:
Wrong handling of nonexistent parameter configured with Encryption and Obfuscation

Conditions:
nonexistent parameter configured with Encryption and Obfuscation

Impact:
Error in console

Fix:
Ignore nonsexist parameter

---

613618-1 : The TMM crashes in the websso plugin.

Component: Local Traffic Manager

Symptoms:
The TMM core and plugins operate asynchronously. A connection may abort and the TMM may deallocate connection context before the plugin has finished processing asynchronous events. The TMM crashes when a plugin accesses deallocated connection context.

Conditions:
Events raised during normal use of the sessiondb store may be processed after the connection context has been deallocated.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM will no longer crash.

---

613613-2 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application can not work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.

---

613576-1 : QOS load balancing links display as gray

Component: Global Traffic Manager (DNS)

Symptoms:
All links in all data centers appear gray. After this patch all link appear to be green and the functional of load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all ilnks from configuration or install this hotfix.

---

613536-5 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED

---

613524-3 : TMM crash when call HTTP::respond twice in LB_FAILED

Component: Local Traffic Manager

Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event
- irule script must use a "delay" (parked) statement together with two HTTP::respond statements.

Conditions:
- LB_FAILED event must be triggered by good IP address and bad port so that the serverside connflow is establish. you will not see this bug if no pool member is used or invalid IP address is used.
- irule script must use a "delay" (parked) statement. the delay together with http response creates the right timing for the client side connflow to go away while proxy is pushing Abort event down to both clientside and serverside.

Impact:
Traffic disrupted while tmm restarts.

Fix:
This fix rectifies the problem.

---

613509-1 : Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve

Solution Article: K49101035

Component: TMOS

Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.

Impact:
Traffic throughput may be degraded.

Workaround:
Set source-port to change.

Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.

---

613476-2 : IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion

Component: TMOS

Symptoms:
The IKEv1 racoon daemon can crash and restart when a v1 ike-peer is removed entirely from the config, or simply changed from v1 to v2.

Conditions:
When you remove an ike-peer whose version is v1, including any change from version v1 to v2 (since this has the effect of changing who handles that peer from the racoon daemon to tmm).

Impact:
IKEv1 racoon daemon restart that causes tunnel outage until re-established by future traffic.

Workaround:
None.

Fix:
Validity of a v1 ike-peer inside the racoon daemon is more carefully checked. This release also prevents stale references from old security associations when a peer is removed.

Note: A peer can be removed by complete erasure, or by changing the version to v2 so the IKEv1 racoon daemon no longer handles it.

---

613459-1 : Non-common browsers blocked by Proactive Bot Defense

Component: Application Security Manager

Symptoms:
Some non-common browsers may get blocked by the Proactive Bot Defense feature. This has been seen in rare cases, and causes these browsers to remain in a white page while the request is not being sent to the back-end server.

Conditions:
Proactive Bot Defense enable on the DoS profile.

Impact:
In rare cases, some non-common browsers may get blocked.

Workaround:
None

Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.

---

613429-2 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.

Component: Local Traffic Manager

Symptoms:
Assigning a wide IP with wildcard characters in the name to a DHS distributed application may not work properly when done via tmsh, and such configurations created via the GUI will result in configuration files that fail to load.

Conditions:
A wide IP with a wildcard character in its name.

Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.

Workaround:
None.

Fix:
Fixed issue preventing wide IPs to be assigned to BIG-IP DNS distributed apps if those wide IPs have a wildcard character in their name.

---

613415-2 : Memory leak in ospfd when distribute-list is used

Solution Article: K22750357

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to a the daemon being terminated via the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.

Fix:
ospfd no longer leaks memory when a distribute-list is configured.

---

613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs

Component: Application Security Manager

Symptoms:
Exported Policy in XML format cannot be imported.

Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.

Impact:
Exported XML policies cannot be imported back into the system without manual manipulation

Workaround:
If such a policy has already been exported only manual manipulation would allow it to be imported again.

Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.

---

613373-2 : Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page

Component: Access Policy Manager

Symptoms:
When accessing the SAML Authentication Context UI page with application editor user role, the following error will be displayed:
Read Access Denied: user (username) type (SAML authentication context classes list)

Conditions:
User attempting to view the page belongs to application editor group/role

Impact:
SAML Authentication Context UI page will not display existing objects

Workaround:
SAML Authentication Context UI page will still show existing object for users with administrative role.

Fix:
With the fix, no errors will be shown to users with Application Editor role when accessing SAML Authentication Context UI page

---

613369-4 : Half-Open TCP Connections Not Discoverable

Component: Local Traffic Manager

Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.

Conditions:
A TCP connection in half-open state.

Impact:
Half-open TCP connections are not discoverable

Fix:
Properly acknowledge half-open TCP connections.

---

613326-1 : SASP monitor improvements

Component: Local Traffic Manager

Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
.-- Inability to handle many hundreds of workgroups/workloads

Conditions:
Using versions of the SASP monitor created in versions earlier than 13.0.0.

Impact:
Might cause flapping pool members or unstable pools.

Workaround:
None.

Fix:
A significantly improved SASP monitor has been developed in version 13.0.0. It properly handles the SASP protocol, GWM pairs, and connection semantics. In addition, it has the ability to briefly delay node down on GWM switchover, resulting in no interrupted traffic in most cases, and has vastly improved scalability.

When run in push mode (now the default), it is more efficient with the SASP protocol, only asking for changes from GWM, and pinging GWM infrequently if no traffic has been received.

The improved monitor uses Pool name rather than Monitor name as the Workload name. This allows a single Monitor definition to be shared among many Pools, where previously a single unique Monitor was required for each SASP Pool.

---

613297-3 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.

Impact:
The infinite number of message will cause an internal panic producing a core. Traffic disrupted while tmm restarts.

Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.

Fix:
In this release, the system automatically disables the internal parser if no separator is provided, so if a virtual is created using the default generic message profile, the first packet received no longer produces an infinite number of messages and overflows the internal buffers.

---

613282-2 : NodeJS vulnerability CVE-2016-2086

Solution Article: K15311661

---

613275-2 : SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up

Solution Article: K62581339

Component: TMOS

Symptoms:
The values returned during an SNMP get/MIB walk are incorrect for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

The values should match what is displayed in tmsh list net interface media-max and tmsh list net interface media-active respectively which are correct.

Conditions:
-- Performing an SNMP get or MIB walk.
-- Viewing values for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

Impact:
The system reports inaccurate information for these objects.

Workaround:
To get the correct results, use the following commands:
 tmsh list net interface media-max
 tmsh list net interface media-active

Fix:
SNMP get/MIB walk now return correct information for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

---

613225-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697

---

613127-3 : Linux TCP Stack vulnerability CVE-2016-5696

Solution Article: K46514822

---

613088-3 : pkcs11d thread has session initialization problem.

Component: Local Traffic Manager

Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.

Conditions:
This occurs when SafeNet is configured with VIPRION chassis

Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.

Workaround:
None.

Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.

---

613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.

Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.

---

613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI

Component: Local Traffic Manager

Symptoms:
With Safenet6.2, creating key using GUI may hang and timeout. The GUI eventually quits with error message.

Conditions:
Installing Safenet6.2 client and attempting to create netHSM key from the GUI

Impact:
netHSM key creation fails, GUI hang.

Workaround:
You can use the corresponding tmsh command to create key.

Fix:
NetHSM key waiting time has been increased and you can now create a netHSM key using GUI.

---

613045-7 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager (DNS)

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.

Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.

---

613023-4 : Update SIP::Persist to support resetting timeout value.

Component: Service Provider

Symptoms:
SIP::persist needs improvement to support long-lived SIP sessions. Having a long timeout for persistence entries globally does not seem efficient for resource usage.

Conditions:
Efficiently using long-lived SIP sessions.

Impact:
Smaller persist timeouts will result in messages being delivered to the wrong entity in the case of supporting long lived SIP sessions.

Workaround:
Set a higher persist timeout value globally.

Note: This workaround might result in memory issues, depending on the BIG-IP system setup and traffic.

Fix:
New SIP Persist iRule commands allow persistence key and an additional parameter to redefine lifetime of the persistence entry to any new value.

Behavior Change:
In previous versions, the SIP Persist iRule command allowed only the persistence key as the parameter to store the persistence entry in the table.

New SIP Persist iRule commands allows persistence key and an additional parameter to define the lifetime of persistence entry. BIG-IP systems now can have better control on the persistence entry for long lived SIP sessions.

---

612952-1 : PSU FW revision not displayed correctly

Component: TMOS

Symptoms:
When EUD displays the PSU FW revison it is truncated from 16 bytes to 14 bytes.

Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW less than 2.7.14

Impact:
Incomplete PSU FW rev.

Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.

---

612874-1 : iRule with FLOW_INIT stage execution can cause TMM restart

Component: Advanced Firewall Manager

Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.

Conditions:
iRule that has FLOW_INIT stage action in it.

The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule with FLOW_INIT action. Other stage iRules does not cause this problem.

Fix:
Memory allocation and release during iRule FLOW_INIT execution was not handled right in a specific scenario, which was corrected.

---

612809-1 : Bootup script fails to run on on a vCMP guest due to a missing reference file.

Component: TMOS

Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run. sod log spamming.

Conditions:
Startup in a vCMP guest.

Impact:
vCMP guests shows dbg_echo related errors in /var/log/boot.log.

Workaround:
Disable sys db variable "failover.usetty01" and restart sod.

If unable to restart sod at the moment, apply a filter with no publisher matching message-id 012a0003:
    sys log-config filter no-serial-failover-logs {
        message-id 012a0003
    }

Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.

---

612769-1 : Hard to use search capabilities on the Pool Members Manage page.

Solution Article: K33842313

Component: Global Traffic Manager (DNS)

Symptoms:
With hundreds of potential pool members the GUI does not make it easy to search for them. The search list only supports searches that match the beginning of the pool member's name.

Conditions:
This difficulty exists when there are more than a few potential pool members.

Impact:
Frustrating BIG-IP system administrator experience.

Workaround:
A workaround is to perform the needed virtual server/member addition to the pool via TMOS/CLI using a command similar to the following:


$ tmsh modify gtm pool <record> <pool> members add { <member> }.

Tip: You can take advantage of auto-completing the member's name by pressing the <tab> key, which saves typing the entire name.

Fix:
The system now provides better search capabilities on the Pool Members Manage page.

---

612752-1 : UCS load or upgrade may fail under certain conditions.★

Component: TMOS

Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.

Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.

Impact:
UCS load or upgrade will fail.

Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.

Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.

These settings may be safely reinstated after the upgrade is complete.

---

612721-4 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key

Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.

---

612694-5 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.

Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.

---

612564 : mysql does not start

Component: TMOS

Symptoms:
ASM storage initialization does not happen.

Conditions:
BIG-IP iSeries platforms; this occurs after new software install.

Impact:
Application is non-functional.

Workaround:
remove the sentinel file ;
/appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol.
and reboot.

---

612419-1 : APM - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.

---

612229-1 : TMM may crash if LTM a disable policy action for 'LTM Policy' is not last

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing an LTM policy.

Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- Policy action of disable - LTMN Policy is not the last one in the list of actions.

Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.

Workaround:
Ensure any LTM policy disable action is the last in the list of actions.

Fix:
TMM no longer crashes if LTM a disable policy action for 'LTM Policy' is not last in the list of actions in the rule.

---

612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
Configuring a virtual server with generic message profile without message routing profile will core when a packet is received by the virtual.

Conditions:
Configuring a virtual server with generic message profile without message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.

Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.

---

612040-4 : Statistics added for all crypto queues

Component: Local Traffic Manager

Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.

Conditions:
Crypto requests issued but not actively queued in the crypto hardware.

Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.

Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.

---

611968-3 : JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow

Component: Access Policy Manager

Symptoms:
JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow.

Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers presence.

Impact:
Web application performance slowdown.

Workaround:
None

Fix:
Fixed.

---

611922-1 : Policy sync fails with policy that includes custom CA Bundle.

Component: Access Policy Manager

Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.

Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.

Impact:
Policy sync fails.

Workaround:
Use a built-in certificate bundle on source device and sync the policy.

Import the custom certificate bundle to all devices

Replace the built-in certificate bundle with the custom one in the policy.

Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.

---

611704-5 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event

Component: Local Traffic Manager

Symptoms:
A tmm crash was discovered during internal testing.

Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT

---

611691-5 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.

Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.

---

611669-4 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
Mac Edge Client's Icon, application name, company name, amongst other things can be customized on BIG-IP before deploying on end user's machine. But on Mac Edge Client on macOS 10.12 Sierra this customization is not applied.

Conditions:
macOS Sierra 10.12, Edge client, customization

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there should be no impact except that user will see default application visually.

Workaround:
run following command on Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For spanish
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Edge client honors customization on macOS Sierra 10.12 now.

---

611658-3 : "less" utility logs an error for remotely authenticated users using the tmsh shell

Component: TMOS

Symptoms:
when using 'less' Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"

Conditions:
admin user configured with tmsh shell

Impact:
admin user cannot use the less command from shell

Workaround:
configure admin user to use the bash shell

---

611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.

Component: TMOS

Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.

Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
 - Pool name in BIG-IP is same as the autoscaling group name in AWS attached with it.

Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.

Workaround:
When configuring pool member auto-scaling in AWS, you must choose a different name for the pool compared to the autoscaling group name attached with it.

Fix:
Choose different names for Pool in BIG-IP and autoscaling group in AWS to correctly configure Pool member autoscaling in BIG-IP .

---

611487-3 : vCMP: VLAN failsafe does not trigger on guest

Component: TMOS

Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.

Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, one or more VCMP guests enabled that use that VLAN

Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.

Workaround:
If you are able to, disabling IPv6 on the host will allow VLAN failsafe to work as expected.

---

611482-4 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .

Solution Article: K71450348

Component: Local Traffic Manager

Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).

Conditions:
Universal persistence is configured. A loop of HTTP request is sent to tmm which doesn't own the record. Persistence lookup is performed, but finally the pool command is used for load-balancing pick.

Impact:
Discrepancy between persistence records.

Workaround:
Use persist, not pool command, to bind persistence record to a flow.

Fix:
Fixed keeping alive the owner record.

---

611469-3 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Solution Article: K95444512

---

611467-3 : TMM coredump at dhcpv4_server_set_flow_key().

Component: Policy Enforcement Manager

Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().

Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The client uses broadcast to do DHCP renewal is an indication the client did not get ACK from DHCP server when it uses unicast to talk to DHCP server directly. The most likely reason for this to happen is the server routing table is not configured to send DHCP ACK packets back to the client.

You can work around this problem by configuring DHCP server routing table so that it knows how to send DHCP ACK to the client.

---

611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'

Component: Application Security Manager

Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it is 'Add All Entities'

Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
     GET /index.html HTTP/1.1\r\n
     Host: <Host URL>\r\n
     \r\n
4) There will be no suggestion to add /index.html URL since learning mode on "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on "/in*" wildcard.
6) Send the same traffic again; there will be suggestion to add /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.

Impact:
There is suggestion to add /index.html URL when there should be no such suggestion since the wildcard is in 'Never' mode now.

Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never" press "Save", then set it back to "Add All Entities". press "Save" again.

Fix:
"Learn Explicit Entities" to 'Never' now works as expected.

---

611352 : Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms

Solution Article: K68092141

Component: TMOS

Symptoms:
In /var/log/sel you see these errors:
0082 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: corerrsts: replay_num_rollover_status
0083 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: rperrsts: correctable_error_received

Conditions:
This can be seen on BIG-IP iSeries platforms.

Impact:
This error message is benign and can be safely ignored.

Workaround:
N/A

Fix:
Benign message "replay num rollover error condition correctable errors" counter is no longer seen.

---

611320-3 : Mirrored connection on Active unit of HA pair may be unexpectedly torndown

Component: Local Traffic Manager

Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.

Conditions:
Mirrored connection on Standby unit times out due state mismatch with connection on Active unit.

Impact:
Traffic loss.

Workaround:
Disable mirroring.

Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.

---

611240-3 : Import of config with securid might fail

Component: Access Policy Manager

Symptoms:
Import of the profile used for securid auth might fail if the profile has already been used for auth purposes at the moment of export.

Conditions:
This occurs when the following conditions are met:
-- Profile configured for securid authenticaiton with securid server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse) or Reuse import when secureid server under the same name is not present.

Impact:
Unable to import certain configurations.

Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.

Or
1. Export profile.
2. Create aaa securid server under the same name.
2. Import profile with reuse.

It is also possible to remove securid entry from config-files of securid server configuration in .conf.tar.gz, which would also work.

Fix:
It is now possible to successfully export and the import profile using securid in any state.

---

611161-3 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Solution Article: K28540353

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs, and the generated arp requests are not being answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers but it should have not.

Workaround:
None.

Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.

---

611154-1 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
An iRule (or other non-ASM module) that adds or delete the server headers. Especially if it touches the Set-Cookies header

Impact:
Failover, traffic disrupted while TMM restarts.

Workaround:
No workaround at this time.

Fix:
Added checking for bad dictionary on the response side.

---

611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive

Component: Application Security Manager

Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ a sensitive parameter with an upper-case character

Impact:
no data masking for a JSON sensitive parameter

Workaround:
N/A

Fix:
We've made sure that JSON parameters are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.

---

610897-2 : FPS generated request failure throw "unspecified error" error in old IE.

Component: Fraud Protection Services

Symptoms:
If FPS generated request sent and failed in old IE, it will throw "unspecified error" error.

Conditions:
FPS generated request sent and failed in old IE

Impact:
The browser will show error message in the left bottom side.

Workaround:
N\A

Fix:
N\A

---

610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.

Component: Application Security Manager

Symptoms:
When selenium client webdriver is detected running a browser Chrome or Firefox it is not being blocked due to low score being assigned by PBD (Suspicious Browsers) mechanism.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot which running selenium Chrome or Firefox webdriver isn't mitigated by DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Adjusted scoring for selenium detection to trigger CAPTCHA upon an attempt to access a website without TSPD101 cookie (usually occurs upon accessing a website's first page)

---

610830-1 : FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.

Component: Application Security Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned and to a virtual sever assigned dos application profile where Device ID mitigation configured or ASM policy with WebScraping and FingerPrint detection enabled.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled

Fix:
The javascript slowness bottleneck is fonts collection, to improve the performance the number of font reduced from 300 to 50. If you wish to eliminate the slowness of the fonts collection at all, a new sys db has been added. tmsh list sys db dosl7.fp_fonts_enable. Note, that eliminating the fonts collection for the fingerprint can reduce the its entropy.

---

610710-2 : Pass IP TOS bits from incoming connection to outgoing connection

Component: Service Provider

Symptoms:
ToS is set to 0 when going through a SIP profile.

Conditions:
This occurs when a SIP profile is in use and ToS is set.

Impact:
Currently outgoing packets TOS bits are configured via profile and are not affected by TOS bits of incoming packet.

Workaround:
NA

Fix:
Outgoing packets TOS bits can be configured via profile to preserve the TOS bits of incoming packet.

Behavior Change:
This change will only change existing behavior if the transport protocol (TCP, UDP or SCTP) has the ip-tos-to-client attribute set to pass-through. If configured as pass-through, the TOS bits of the incoming packet containing a message will be used on the outgoing packets containing the message. Without this change, the TOS bits of the outgoing packet would be undefined if configured this way.

---

610609-3 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.

---

610582-2 : Device Guard prevents Edge Client connections

Component: Access Policy Manager

Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.

Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.

Impact:
Clients are unable to establish a VPN connection.

Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.

Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.

Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.

---

610449-2 : restarting mcpd on guest makes block-device-images disappear

Component: TMOS

Symptoms:
tmsh list sys software block-device-images typically shows available BIG-IP images saved on the platform which are available for install via tmsh install sys software ...

When running BIG-IP on a vcmp guest, GuestAgentDaemon is responsible for fetching from the host these available images and displaying them to the user.

When mcpd goes down, GuestAgentDaemon loses the connection required to fetch and display this information.

If mcpd has gone down since GuestAgentDaemon came up, running "(tmos)# show sys software block-device-image" a second time will no longer display the BIG-IP images available for install.

Restarting GuestAgentDaemon when mcpd restart ensures that GuestAgentDaemon will reestablish the required connection. With this fix, GuestAgentDaemon will restart only in response to mcpd going down and subsequently coming back up. Once both daemons are up and running again, the command '(tmos)# list sys software block-device-image' will again function as designed.

Conditions:
vCMP is provisioned to level dedicated.
One or more guests is provisioned and deployed.
The user is operating inside a deployed guest.
The user attempts to use a block-device-image,
but mcpd has restarted since GuestAgentDaemon began execution.
No block-device-images are shown by GuestAgentDaemon

Impact:
tmsh list sys software block-device-images returns nothing from inside the guest.

Workaround:
Restart GuestAgentDaemon in response to mcpd successfully restarting.

Fix:
GuestAgentDaemon now automatically restarts in response to McpDaemon successfully restarting.

---

610442-2 : vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★

Solution Article: K75051412

Component: TMOS

Symptoms:
On a vCMP guest, If a user attempts to install using the block-device-image argument (e.g., install sys software block-device-image <some.iso>), and the .iso file has incorrect file permissions (e.g., $chmod 600 <some.iso>), then the lind process on the guest will enter a restart loop, and the system posts the following error:
  lind[23565]: 013c0004:3: Fatal error: vcmp_media_insert failed

Conditions:
-- vCMP guest.
-- Run a command similar to the following:
install sys software block-device-image <some.iso>.
-- <some.iso> has bad permissions, e.g., -r--------.

Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time and posting the vcmp_media_insert failed error message.

Workaround:
Use either of the following workarounds:
-- Avoid installing block-device-images known to have bad permissions.

-- From the host, attempt to repair the file with bad permissions, copy the repaired file to /shared/images/, and try the install again. To do so, follow this procedure, running these commands from the host:

1. To repair the file, run the following command:
 chmod 644 <some.iso>

2. To copy the file, run the following command:
 scp <some.iso> mysystem:/shared/images/

3. To install the guest, run the following commands:
 bigstart restart lind
 tmsh install sys software block-device-image <some.iso>

Fix:
Instead of throwing a runtime error, lind will log an error to /var/log/ltm and return.

---

610441-3 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Component: TMOS

Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Conditions:
This occurs when adding a new member to an existing pool using iControl REST.

Impact:
Unable to tell if the request has succeeded or failed via iControl REST.

Workaround:
Add the following to partitionInfo in icrd.conf.

{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}

---

610429-5 : X509::cert_fields iRule command may memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields

---

610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Solution Article: K54511423

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. Also it will use the undesirable TLSv1 protocol instead of negotiating to the highest safest protocol available which is TLSv1.2

If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.

Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).

---

610354-1 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

---

610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:

ERROR: S.5...... /etc/sysconfig/modules/unic.modules

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.

---

610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf

Component: TMOS

Symptoms:
n Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:

ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.

---

610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.

Fix:
This error message could have been generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.

---

610302-1 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink"

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.

Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.

---

610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning

Solution Article: K32305923

Component: TMOS

Symptoms:
In some scenarios on BIG-IP Virtual Edition (VE) platforms, TMM may crash due to backplane inconsistency shortly after a provisioning change.

Conditions:
- BIG-IP VE with performance-limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.

Impact:
TMM may core with panic and post the following message in /var/log/tmm log: 'Unexpected backplane address'. Traffic disrupted while tmm restarts.

Workaround:
Reboot after provisioning if new license add-on keys raises performance of the BIG-IP system.

Fix:
TMM no longer crashes after provisioning if new license add-on keys raises performance of the BIG-IP system.

---

610273-3 : Not possible to do targeted failover with HA Group configured

Component: TMOS

Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."

Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.

Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.

Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.

---

610255-1 : CMI improvement

Solution Article: K62279530

---

610224-3 : APM client may fetch expired certificate when a valid and an expired certificate co-exist

Component: Access Policy Manager

Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.

Conditions:
A valid and an expired certificate co-exist in the certificate store.

Impact:
Machine Certificate check fails.

Workaround:
Remove the expired certificate from the store.

Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.

---

610180-2 : SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory

Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing single-logout-uri' property of IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.

---

610138-2 : STARTTLS in SMTPS filter does not properly restrict I/O buffering

Solution Article: K23284054

Component: Local Traffic Manager

Symptoms:
Commands following STARTTLS in a group are accepted and processed after TLS is in place.

Conditions:
SMTPS profile in use.

Impact:
SMTPS filter will improperly process commands after STARTTLS.

Workaround:
None.

Fix:
Commands in a group after STARTTLS are dropped. This is correct behavior.

---

610129-3 : Config load failure when cluster management IP is not defined, but instead uses address-list.

Solution Article: K43320840

Component: Advanced Firewall Manager

Symptoms:
In Cluster setup with multiple blades, if configurations do not have management IP addresses assigned to individual blades, but instead assign a cluster management IP address list to the cluster of blades. The configuration load will fail. System posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.

Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.

Impact:
After reboot, configuration load failure on secondary blades.

Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.

Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.

---

610122-1 : Hotfix installation fails: can't create /service/snmpd/run★

Component: TMOS

Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.

Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.

Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.

Workaround:
- Install the hotfix directly to a new slot which has not been booted into before using a command similar to the following:
     tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4

---

609967-2 : qkview missing some HugePage memory data

Solution Article: K55424912

Component: TMOS

Symptoms:
Some HugePage status data is missing from qkview, if the contents of /proc/meminfo does not list a units column for the Huge Page data.

Conditions:
/proc/meminfo file does not list units for HugePage data.

Impact:
HugePage data is missing from qkview diagnostics file.

Workaround:
Separately provide /proc/meminfo file.

Fix:
HugePage status data is now collected as expected.

---

609793-1 : HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.

Component: Access Policy Manager

Symptoms:
HTTP Header Modify agent skips execution if it believes it is in the serverside chain, as the check is based on receipt of HUDEVT_REQ_DONE, which can be true on the clientside chain, causing HTTP header modify agent operations to log out with an error message.

Conditions:
Receipt of HUDEVT_REQ_DONE before execution of HTTP Header Modify agent.

Impact:
HTTP header modify agent cannot perform modification of headers/cookies.

Workaround:
None.

Fix:
Appropriate check for disabling HTTP header agent only in serverside chain has been added and the check for the receipt of request has been processed has been removed.

---

609788 : PCP may pick an endpoint outside the deterministic mapping

Component: Carrier-Grade NAT

Symptoms:
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Conditions:
With PCP configured and enabled with a lsn-pool in deterministic mode.

Impact:
Deterministic mapping restriction may be violated causing reverse mapping of public IP address to private IP address to not identify the correct subscriber.

Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.

Fix:
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.

---

609691-1 : GnuPG vulnerability CVE-2014-4617

Solution Article: K21284031

---

609677-1 : Dossier warning 14

Component: TMOS

Symptoms:
After each boot, the var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.

Impact:
There is no functional impact. This is a benign message that can be safely ignored.

Workaround:
None.

Fix:
The var/log/ltm log file no longer contains the benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

---

609628-2 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session

Component: Local Traffic Manager

Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.

Impact:
iRule commands inside of the CLIENTSSL_SERVERHELLO_SEND are only executed for full handshakes but not for abbreviated handshakes; thus any logic that's applied per SSL connection should not run inside of CLIENTSSL_SERVERHELLO_SEND event since it is not reliably raised under all types of handshakes.

Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.

---

609614-3 : Yafuflash 4.25 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to Yafuflash 4.25.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Yafuflash.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

---

609575-5 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a sip profile is in use and receives an acknowledgment packet missing the Max-Forwards header, BIG-IP will treat the packet as un-forwardable and does not forward the ACK. This can be experienced as a specific cilent being unable to make a call.

Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".

---

609527-2 : DNS cache local zone not properly copying recursion desired (RD) flag in response

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.

Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.

Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.

Workaround:
Use an equivalent DNS Express configuration instead of the local zone.

Fix:
The fix is to properly check the RD flag on the query so that it can be copied to the response.

---

609499-1 : Compiled signature collections use more memory than prior versions

Component: Application Security Manager

Symptoms:
Compiled signature collections use more memory than prior versions.

Conditions:
Different signature sets are used for different policies.

Impact:
BD memory usage for compiled signature collections is increased.

Fix:
Compiled signature collections memory usage was consolidated and reduced.

---

609496-2 : Improved diagnostics in BD config update (bd_agent) added

Component: Application Security Manager

Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.

Conditions:
Further troubleshooting of BD config update transmission is needed.

Impact:
No diagnostics are available.

Workaround:
None.

Fix:
Improved diagnostics in BD config update (bd_agent) were added.

---

609335-1 : IPsec tmm devbuf memory leak.

Component: TMOS

Symptoms:
A small memory leak was discovered during internal testing of IPsec tunnels. Over time tmm might run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

609328-3 : SIP Parser incorrectly parsers empty header

Solution Article: K53447441

Component: Service Provider

Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.

Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.

Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).

Workaround:
None.

Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.

---

609325 : Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported

Component: TMOS

Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring), write messages to /var/log/ltm indicating DDM is not supported, however, there are certain unsupported DDM F5-branded SFP modules that do not write a message to the log.

Conditions:
Upon inserting the unsupported DDM SFP modules.

Impact:
DDM is not reporting information for the following optics:

Unsupported DDM 1Gb-10GB SFP modules:

OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033

Workaround:
None.

Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.

---

609244-4 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.

Fix:
tmsh show ltm persistence persist-records no longer leaks memory.

---

609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.

Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.

---

609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.

Fix:
The logging system prints out a blank message in response to failed file object configuration change validations.

---

609114-1 : Add the ability to control dropping of alerts by before-load-function

Component: Fraud Protection Services

Symptoms:
Too many alerts prevents you from enabling FPS. If it does get enabled, a large number of 'missing component' alerts are generated.

Conditions:
This can occur when enabling FPS will trigger a high number of alerts.

Impact:
FPS is disabled, or alerts are not categorized.

Fix:
Add before-load-function capability to drop alert on client.

---

609107-1 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf

Component: TMOS

Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.

Conditions:
A folder is removed from a previously valid configuration file.

Impact:
Inconsistent configuration between devices in the same device-group, shows in-sync when they are not, prevents config loading after mcpd has been reset.

Workaround:
Do not remove folders from the configuration file.

Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.

---

609098-1 : Improve details of ajax failure

Component: Fraud Protection Services

Symptoms:
When AJAX request fails, insufficient information is provided to debug the failure.

Conditions:
AJAX failure

Impact:
Difficult to diagnose the failure.

Workaround:
Not relevant

Fix:
Add information to alert about AJAX failure.

---

609095-1 : mcpd memory grows when updating firewall rules

Component: Advanced Firewall Manager

Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.

Conditions:
This can occur when making changes to firewall policies.

Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.

---

609084-2 : Max number of chunks not configurable above 1000 chunks

Solution Article: K03808942

Component: Application Security Manager

Symptoms:
If you want to support requests larger than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:

Unparsable request content Chunks number exceeds request chunks limit: 1000.

Conditions:
This occurs when the request exceeds 1000 chunks.

Impact:
Requests that are valid from the server side are being rejected.

Workaround:
None.

Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

---

609027-1 : TMM crashes when SSL forward proxy is enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when SSL forward proxy is enabled.

Conditions:
This can occur when SSL forward proxy is enabled and there is a server handshake done when client SSL handshake is not ongoing.

Impact:
Traffic disrupted while tmm restarts.

Fix:
SSL forward proxy now ignores server handshake done when client SSL handshake is not ongoing, so an intermittent TMM crash no longer occurs.

---

609005-2 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).

Component: Policy Enforcement Manager

Symptoms:
Two client side DHCP packets with giaddr field set, one with source port 67 and another client side packet with source port 68 (not conforming to RFC since giaddr set DHCP packet (from relay agent) should use 67 as source port per RFC),
tmm will crash during err message logging.

Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.

---

608991-7 : BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed

Component: Local Traffic Manager

Symptoms:
If a SYN with MP_JOIN is received on a new subflow during an MPTCP connection and the connection closes before the three-way handshake is complete, the BIG-IP will continue trying to complete the three-way handshake.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a SYN with MP_JOIN is received on another flow during an MPTCP connection.

Impact:
The BIG-IP retransmits the SYN/ACK to the joining flow after the connection is closed.

Workaround:
There is no workaround

Fix:
Free joining connections when an MPTCP connection is closed.

---

608952-5 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2

Component: Local Traffic Manager

Symptoms:
MSSQL health monitor always shows down.

Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.

Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.

Workaround:
None.

---

608941-1 : AAA RADIUS system authentication fails on IPv6 network

Component: Access Policy Manager

Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly to a RADIUS server fails on invalid IP address. The signature in the log file is as follows:

err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)

Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.

Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, clients unable to log into the system.

---

608826-1 : Greylist (bad actors list) is not cleaned when attack ends

Component: Anomaly Detection Services

Symptoms:
When attack ends the greylist (detected bad actors) remains till the timeout expiration.

Conditions:
Detected bad actors and attack end.

Impact:
If new attack will start sooner than greylist expiration time, greylist member will be mitigated even if they are not related to the current attack.

Workaround:
It it's necessary it's possible to clear greylist manually using ipidr utility.

Fix:
Clear the greylist upon attack end.

---

608742-2 : DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.

Solution Article: K48561135

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is configured in Forwarding mode, the BIG-IP system drops the renewal ACK message from the server in response to unicast renewal message from DHCP clients.

Conditions:
-- BIG IP system configured in forwarding mode.
-- DHCP clients sending unicast renewal message to DHCP server.

Impact:
Unicast DHCP renewal requests are not responded to with ACKs. DHCP clients will send broadcast renewal messages and will receive ACK from servers.

Workaround:
None.

Fix:
After being unable to receive ACK responses from DHCP servers for unicast DHCP renewal messages, the DHCP client will send broadcast DHCP renewal messages and receive an ACK from the DHCP server and ACKs forwarded by the BIG-IP system and received by DHCP clients.

---

608591-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None

Fix:
Subscrbier ID type is marked as NAI for DHCP discovered subscribers.

---

608566-1 : The reference count of NW dos log profile in tmm log is incorrect

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles, the log message in tmm log is showing incorrect reference cnt to the log profiles.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
This may lead to issues such as TMM crash if the reference count is not calculated correctly

Fix:
The reference count now is showing correct number in the log message after the fix

---

608555-1 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash

Component: Local Traffic Manager

Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.

Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.

Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.

Workaround:
Do not use asymmetric routing with a rate limited license.

Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, tmm does not crash.

---

608551-3 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use SSL client that sends clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.

---

608509-1 : Policy learning is slow under high load

Component: Application Security Manager

Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.

Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.

Impact:
Learning suggestions appear with considerable delay, policy learning speed goes down.

Workaround:
No workaround

Fix:
Fixed an issue with slow policy learning on heavily loaded systems.

---

608424-2 : Dynamic ACL agent error log message contains garbage data

Component: Access Policy Manager

Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.

Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.

Impact:
The system logs garbage data.

Workaround:
Make sure the ACL entry is correct.

Fix:
Dynamic ACL error log messages no longer contain garbage data when Dynamic ACL detects incorrect syntax of an ACL entry.

---

608408-2 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.

Impact:
TMM may restart.

Workaround:
None.

Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.

---

608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore

Component: iApp Technology

Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.

Conditions:
oApp LX packages that depends on system utilities.

Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.

Workaround:
None.

Fix:
iApp LX UCS save process is updated turn off automatic dependency generation by rpmbuild so iApp LX package can be imported during UCS restore or upgrade.

---

608348-4 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Component: TMOS

Symptoms:
After deleting an iApp build from the f5.citrix_vdi.v2.3.0 template then running a config sync, the system that received the sync could have a tunnel object left over which should have been deleted.

Running 'tmsh load sys config verify' after this sync would give the following error.
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.

Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.

Impact:
Config validation fails, and you must delete the tunnel manually.

Workaround:
On the system that received the sync, edit /config/BIG-IP_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect

Fix:
The autogenerated tunnel is now successfully removed on receiving devices.

---

608320-3 : iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum , or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.

---

608304-1 : TMM crash on memory corruption

Solution Article: K55292305

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes on memory corruption in rare cases.

---

608245 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameters details or with garbled parameter details in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Bad reporting

Workaround:
N/A

---

608024-3 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.

---

608009-1 : Crash: Tmm crashing when active system connections are deleted from cli

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address by relay agent, tmm may crash when active system connections are deleted from cli or via aging.

Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in unicast DHCP renewal packet is set to IP address of relay agent (Typically, it is set to 0 by the DHCP client)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is not a typical network setup. Usually DHCP relay agent will not modify DHCP renewal packet to insert its own address as giaddr.

---

607961-1 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.

Fix:
Secondary blades no longer restart when modifying a virtual server's route domain in a different partition.

---

607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state

Component: TMOS

Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.

That information will be correct for the active interface, it is just not cleared for the previously configured interface.

Module description is not correctly reported on unbundled interfaces.

Conditions:
Bundling change on an interface

Impact:
"list net interface" on previously configured interfaces will show stale information. May be confusing.
Module description is missing from "list net interface" on unbundled interfaces.

Workaround:
Stale data will clear on a reboot. This is purely a display issue, it does not affect the functionality of the currently configured interfaces.

---

607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.

Solution Article: K33954223

Component: Local Traffic Manager

Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.

Conditions:
This occurs when the BIG-IP system acts as a DTLS client.

Impact:
Possible failed resumed handshake.

Workaround:
Disable session reuse.

Fix:
This release fixes a possible failed resumed DTLS handshake.

---

607724-2 : TMM may crash when in Fallback state.

Solution Article: K25713491

Component: Local Traffic Manager

Symptoms:
There is a chance, when HTTP in Fallback mode, that the HTTP filter will send an Abort event to the TCP filter (causing tear down) prematurely while the Aborting that was triggered by the upper filter/proxy is occurring.

TMM may crash when this happens.

Conditions:
It is not known exactly what conditions trigger this, but it has been known to occur when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a rarely occurring tmm crash that might be related to issuing HTTP::respond in the LB_FAILED event in an iRule.

---

607713-3 : SIP Parser fails header with multiple sequential separators inside quoted string.

Component: Service Provider

Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.

Conditions:
If a SIP header contains multiple attribute separators ',' or ';' in an attribute.

Impact:
The SIP parser flags the message as an error. If this occurs in a quote within the attribute, it should be allowed, but it will still fail, Valid SIP messages are failing to be parsed.

Workaround:
None.

Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.

---

607658-1 : GUI becomes unresponsive when managing GSLB Pool

Component: Global Traffic Manager (DNS)

Symptoms:
GUI Locks Up and becomes unresponsive. Most major web browsers will complain about slow javascript and prompt you to kill the script.

Conditions:
Managing an A type GSLB pool when hundereds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.

Impact:
Page takes a significantly long time to load.

Workaround:
Manage pools through tmsh, or wait for it to load.

---

607524-2 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.

Component: Local Traffic Manager

Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.

Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.

Impact:
Packet memory is leaked.

Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.

Fix:
Free the original packet memory when last DHCP server is down.

---

607410-1 : In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible

Solution Article: K81239824

Component: Local Traffic Manager

Symptoms:
When using an iRule to output X509 Certificate's subject and issuer, the display is not OpenSSL compatible.

Conditions:
Using iRule command 'X509::subject' and 'X509::issuer' to get the Cert's subject and issuer.

Impact:
The BIG-IP system fails to produce properly-formatted certificate information.

If logged, it may display incorrectly-parsed attributes similar to the following:

-- In prior versions without the fix the format is:
CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US

-- In versions with the fix the format now requires spaces between these attributes:
C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME

Workaround:
None.

Fix:
In the iRule output of X509 Certificate's subject and issuer, the system now outputs the information in a format that is 'OpenSSL X509' compatible.

Behavior Change:
In this release the order of output is reversed for the X509::subject as compared to previous versions. This change was done to make the output of [X509::subject [SSL::cert 0]] OpenSSL-compatible.

-- In prior versions without the fix the format is:
CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US

-- In versions with the fix the format now requires spaces between these attributes:
C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME

IMPORTANT: Depending on iRules you have configured, this change might impact application functionality that depends on the old format. If your application expects the output X509::subject to be in the old format, make sure to modify the iRules after upgrading.

To use the new format in any iRules that use the old structure, change the output format of the X.509 certificate subject to use this format:

C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME


Additional note:
Comma (,) is a valid character in X509::subject. In this release, the escaping method has changed.

-- In prior versions, the subject string returned by X509::subject escapes comma with backslash (\):

Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: CN=user8,OU=DEPT,O=COMPANY\,,L=Tokyo,ST=Tokyo,C=JP

When writing an iRule to validate the string, comma is already escaped by the backslash, but backslash should be escaped by another backslash as follows:

set dn_validation "OU=DEPT,O=COMPANY\\,,L=Tokyo"


-- In versions with the fix, the subject string returned by X509::subject wraps attributes with double quotation marks ("").

Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8

When writing an iRule to validate the string, the whole attribute should be enclosed with double quotation marks, and each double quotation mark should be escaped by a backslash:

set dn_validation "L=Tokyo, O=\"COMPANY,\", OU=DEPT"

---

607360-5 : Safenet 6.2 library missing after upgrade★

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2. Or,

run this command at all blades of BIG-IP after the installation.

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so

Fix:
Add symbolic link to libgem at time of pkcs11d daemon start/restart.

---

607314-1 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508

Solution Article: K25075696

---

607304-5 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running the geo_update command no longer causes this error.

---

607246-10 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile

Conditions:
Encrypted cookie persistence with fallback where the fallback persistence has a reasonable short timer such that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after fallback expired.

Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.

---

607200-1 : Switch interfaces may seem up after bcm56xxd goes down

Component: TMOS

Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.

Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.

Impact:
The switch ports may seem up, but traffic can't be sent/received.

Workaround:
None.

Fix:
Fix for bcm56xxd to notify mcpd that all ports become uninitialized before it goes down has already been implemented.

---

607152-1 : Large Websocket frames corrupted

Component: Local Traffic Manager

Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.

Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.

Impact:
Connection reset because of corrupted frames being received by the end-point.

---

606983-3 : ASM errors during policy import

Component: Application Security Manager

Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.

ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.

Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.

Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.

Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.

---

606940-3 : Clustered Multiprocessing (CMP) peer connection may not be removed

Component: Local Traffic Manager

Symptoms:
- High memory usage due to connflow allocations
 - conn_remove_cf_not_found stat is non-zero

Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.

Impact:
Low memory may lead to allocation failures that may lead to tmm core

Fix:
Fix validation performed on parsed CMP flow keys that allows unknown CMP connections to be removed.

---

606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page

Component: Application Security Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
N/A

Fix:
The javascript has improved as much as possible to reduce the time to get the website's first page.

---

606807-1 : i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error

Component: TMOS

Symptoms:
If the LCD is not communicating with BIG-IP when the chassis manager daemon starts occasionally LCD errors will be displayed using the sensor number rather than the name "LCD"

Conditions:
chmand restart and LCD unable to commuicate

Impact:
cosmetic

Fix:
LCD error will show name "LCD" rather than sensor number in communication error.

---

606771-2 : Multiple PHP vulnerabilities

Solution Article: K35799130

---

606710-10 : Mozilla NSS vulnerability CVE-2016-2834

Solution Article: K15479471

---

606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}.

Note: These workarounds should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.

---

606573-3 : FTP traffic does not work through SNAT when configured without Virtual Server★

Component: Local Traffic Manager

Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.

Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.

Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.

Workaround:
None.

Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.

---

606565-2 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection

Solution Article: K52231531

Component: Local Traffic Manager

Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous 4 way handshake.

Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4 way handshake (simultaneous open) occurs as described in RFC 793.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The crash can be avoided, while still mitigating TCP 4 way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.

---

606521-1 : Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade

Component: Application Security Manager

Symptoms:
Policy with UTF-8 encoding has disallowed high ASCII meta-characters even after upgrade, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
System with a policy with encoding set to UTF-8 (uppercase).
Upgrading from v11.6.x/v12.x to v12.1.2 or 13.0.0.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Workaround:
None.

Fix:
The upgrade process now fixes policies that had their encoding stored in uppercase as well.

---

606518-3 : iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username.

Solution Article: K00762373

Component: Device Management

Symptoms:
Cannot use usernames containing special characters ('$', '@', '.', etc.) when requesting an authentication token for iControl REST when 3rd party authentication provider being used. An 'at' ( @ ) character is a common instance when using an email address as the username.

Conditions:
-- BIG-IP system uses 3rd party RADIUS or LDAP authentication.
-- Username contains a special character (e.g., an email address).

Impact:
Cannot authenticate and get authentication token using iControl REST.

Workaround:
Do not use username with special characters, e.g., 'at' ( @ ), period ( . ), dollar sign ( $ ), and so on.

Fix:
Updated logic to allow any special characters in username and password when 3rd party authentication system is used on the BIG-IP system.

---

606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★

Component: TMOS

Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.

Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).

Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).

Fix:
This release restores the process nice value of VCMP guest control-plane, so the vCMP guest no longer experiences potential frequent failovers.

---

606316-4 : HTTPS request to F5 licensing server fails

Component: iApp Technology

Symptoms:
Licensing BIG-IP systems through REST API fails.

Conditions:
Licensing BIG-IP systems using the REST API.

Impact:
Cannot use REST API to license BIG-IP systems.

Workaround:
Use TMUI or TMSH to license BIG-IP systems.

Fix:
Licensing BIG-IP systems through REST API now completes successfully.

---

606257-3 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources

Solution Article: K56716107

Component: Access Policy Manager

Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.

Conditions:
Use a customized webtop link.

Impact:
The webtop links page does not render correctly.

Fix:
Weptop page resources no longer send FIN flags with Keep-Alive headers.

---

606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.

Component: TMOS

Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading a version later than 12.1.0, the default module for dataplane interfaces is UNIC modules instead of socket-based networking.

Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.

Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades.

Workaround:
None.

Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.

---

606066-2 : LSN_DELETE messages may be lost after HA failover

Component: Carrier-Grade NAT

Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.

Conditions:
CGNAT configured as an HA pair, with session logging enabled.

Impact:
An LSN_DELETE message may be missing from the logs.

Fix:
After the fix, the LSN_DELETE message will not be lost.

---

606035-1 : csyncd crash

Component: Local Traffic Manager

Symptoms:
csyncd crashes and dumps core under certain conditions. You might see messages such as the following: emerg logger: Re-starting csyncd.

Conditions:
csyncd handles filenames that contain certain exotic characters or symbols, or files with very long filenames.

Impact:
csyncd will crash and dump core. csyncd retarts continuously.

Workaround:
None.

Fix:
csyncd now handles filenames that contain certain exotic characters or symbols, and files with very long filenames.

---

605983-1 : tmrouted may crash when being restarted in debug mode

Component: Local Traffic Manager

Symptoms:
tmrouted may restart after it being manually restarted with debug level equal or higher than 2.

Conditions:
tmrouted is manually restarted with debug level equal or higher than 2.
Multi route-domain setup with independent routing processes enabled on several route-domains.

Impact:
tmrouted may restart additional times which can add delay to getting back to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.

Workaround:
Do not use equal or higher than 2 debug level for tmrouted. This should be carried out only under recommendation from F5 Support.

Fix:
tmrouted no longer crashes when being restarted in debug mode

---

605982-1 : Policy settings change during export/import

Component: Application Security Manager

Symptoms:
Exporting a security policy from one device with specific learning and blocking settings selected, and then imports it to another device, the security policy does not load the expected learning and blocking settings on the target device, and is a mismatch from what is on the source device.

Conditions:
On device A: Security :: Application Security : Policy Building : Learning and Blocking Settings

• Select 'Enable' and 'Learn' under HTTP protocol compliance failed for all the sub-violations.

• Save and export the policy in XML format.

• Import to device B.

Impact:
The loaded policy on device B does not have all the options checked for HTTP protocol compliance failed for all the sub-violations as expected.

When exporting the policy from device B, the name of the exported file does not change to match device B's name, but still remains as device A's name.

Workaround:
For exporting a policy that has Policy Builder enabled, use either of the methods below:

-- Use XML export:

  + On export:
    - Stop policy builder.
    - Export to XML policy.
    - Start policy builder.

   + On import:
     - Import the XML policy.
     - Start the policy builder on the newly imported policy.

  2) Use binary export/import.

Fix:
This release fixes the XML Policy export/import processes so that there are no differences created in the 'HTTP protocol compliance' learning settings

---

605894-3 : Remote authentication for BIG-IP users can fail

Component: TMOS

Symptoms:
While trying to log into the command line of BIG-IP as a remotely authenticated user, login will intermittently fail. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server" but the LDAP server is up and is accessible by the BIG-IP

Conditions:
Remote authentication configured, users configured to use remote authentication, ssl-check-peer is enabled and one or more of these properties are different than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.

Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.

Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert and ssl-client-key to "none" can work around this issue.

---

605865-4 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.

---

605792-1 : Installing a new version changes the ownership of administrative users' files★

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.

Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer be prevented from using stored public keys in authorized_keys.

---

605682-2 : With forward proxy enabled, sometimes the client connection will not complete.

Component: Local Traffic Manager

Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.

Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.

Impact:
Degraded service due to connections not completing.

Workaround:
None.

Fix:
The stalling caused by a missing forged certificate no longer happens.

---

605675-1 : Sync requests can be generated faster than they can be handled

Component: TMOS

Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
Configuration changes in quick succession that might generate sync-change messages.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.

---

605649-3 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.

---

605627 : Selinux denial seen for apmd when it is being shutdown.

Component: Access Policy Manager

Symptoms:
When Apmd process is stopped, you observe a selinux related log which indicates that apmd process does not have the getattr permission for shared memory component owned by tmm.

Conditions:
When apmd is stopped or restarted.

Impact:
No Impact to APMD functionality. APMd stops and starts normally.

---

605616-1 : Creating 256 Fundamental Security policies will result in an out of memory error

Component: Application Security Manager

Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.

Conditions:
Create 256 fundamental security policies.

Impact:
Out of memory error.

Workaround:
None.

Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.

---

605579-8 : iControl-SOAP expat client library is subjected to entropy attack

Solution Article: K65460334

---

605537-5 : Error when resetting statistics on GSLB Pool Members

Solution Article: K03997964

Component: Global Traffic Manager (DNS)

Symptoms:
GUI error: "An error has occurred while trying to process your request." when attempting to reset the GSLB stats for DNS Pool Members.

Conditions:
-- In the GUI on the Statistics :: Module Statistics : DNS : GSLB :: Pool Members page.
-- Attempting to reset statistics.

Note: This occurs only on Pool Members Statistics. Other Types are unaffected.

Impact:
Inability to reset stats for BID-IP DNS Pool Members statistics from the GUI.

Workaround:
You can attempt to reset using a command line command similar to the following:

$ tmsh reset-stats gtm pool <record> <pool> members { <server_obj>:<member> }.


For example:

$ tmsh reset-stats gtm pool a myPool1 members { LTM107:/Common/myFastL4VS }.

Fix:
Fixed issue on the GSLB Pool Member stats page.

---

605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when a virtual is configured with nat64 enabled, and a deterministic NAT lsn-pool, and there is traffic.

Conditions:
lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.

---

605480-4 : BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection

Component: Local Traffic Manager

Symptoms:
After completing an active close of an MPTCP connection, the BIG-IP sends MP_FASTCLOSE.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and MPTCP performs an active close of a connection.

Impact:
The BIG-IP retransmits MP_FASTCLOSE after the connection closing is complete until the maximum number of retransmissions is reached.

Fix:
Fixed sequence of events on connection closure.

---

605476-3 : statsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.

Impact:
iStatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged.

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete.

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged.

Fix:
Added a fix to protect against a continually reading a segment file that is corrupted and has Duplicate Fids.

---

605427-1 : TMM may crash when adding and removing virtual servers with security log profiles

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.

Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes with multiple creation, modification and deletion of many virtual servers with security log profiles attached.

---

605420-5 : httpd security update - CVE-2016-5387

Solution Article: K80513384

---

605270-5 : On some platforms the SYN-Cookie status report is not accurate

Component: TMOS

Symptoms:
On a vCMP guest, after a ePVA-enabled virtual server enters SYN Cookie mode, the FPGA will never leave SYN Cookie mode even though BIG-IP has returned to normal mode.

Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.

Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.

Workaround:
Upgrade with new fixes for this.

Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.

---

605260-1 : [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0

Component: Global Traffic Manager (DNS)

Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. It gives 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.

Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.

Impact:
You will be unable to make changes to the listener.

Workaround:
Use TMSH or through LTM GUI: Local Traffic :: Virtual Servers.

---

605147-1 : No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.

Component: Local Traffic Manager

Symptoms:
New connections made when a BIG-IP flow is in TCP TIME-WAIT state are not mirrored. New TCP flows after high availability (HA) reconnections may not be mirrored correctly.

Conditions:
This occurs when a TCP profile is used, along with one of the following:
 -- A BIG-IP flow is in TCP TIME-WAIT state.
 -- HA connection is reestablished and a mirrored BIG-IP flow has lost some packets.

Impact:
The connections affected are not mirrored.

Workaround:
Disable TIME-WAIT for the TCP profile.

Fix:
Reconnections in TCP TIME-WAIT state are now mirrored correctly. New connections after HA reconnections are now mirrored correctly.

---

605125-2 : Sometimes, passwords fields are readonly

Component: Fraud Protection Services

Symptoms:
Sometimes, passwords fields are readonly so the user won't be able to type any password.

Conditions:
WebSafe protection enabled on a site

Impact:
the user won't be able to type any password on the site.

Workaround:
N/A

Fix:
N/A

---

605123-1 : IAppLX objects fail to sync after establishing HA in auto-sync mode★

Component: Device Management

Symptoms:
IAppLX objects are part of REST Framework. REST Framework implements gossip based replication. This replication might not work when restFrameworkVersion in device-group device out of sync with actual restFrameworkVersion

Conditions:
DeviceInfoWorker detects and update the framework version after rest RPM upgrade. But device group device doesn't get updated correctly

Impact:
REST framework objects (Including iAppLX instances, templates, packages) fail to sync to HA peer

Workaround:
Mitigation is to run DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update. Workaround is to patch the restFrameworkVersion manually on the device-group device.

Fix:
Run the DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update.

---

605039-3 : lwresd and bind vulnerability CVE-2016-2775

Solution Article: K92991044

---

605010-1 : Thrift::TException error

Component: Application Visibility and Reporting

Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".

Conditions:
This occurs when sending scheduled reports.

Impact:
Failure on sending scheduled-report.

Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. This can be achieved with the following command:

mount -o remount -rw /usr
sed -i 's/localhost/127\.0\.0\.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount -r /usr

Fix:
Changing script to use explicit address instead of 'localhost'.

---

604977-2 : Wrong alert when DTLS cookie size is 32

Solution Article: K08905542

Component: Local Traffic Manager

Symptoms:
When ServerSSL profile using DTLS receives a cookie with length of 32 bytes, the system reports a fatal alert.

Conditions:
Another LTM with ClientSSL profile issues 32-byte long cookie.

Impact:
DTLS with cookie size 32-byte fails.

Workaround:
None.

Fix:
DTLS now accepts cookies with a length of 32 bytes.

---

604926-3 : The TMM may become unresponsive when using SessionDB data larger than ~400K

Solution Article: K50041125

Component: Local Traffic Manager

Symptoms:
There is a hard limit on messages sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are refused from being sent at a lower layer but buffered for resending at a higher layer. The messages are never sent which cases backplane communication to lockup.

Conditions:
-- The BIG-IP system is a chassis with more than one blade.
-- Client traffic triggers the creation of SessionDB data larger than ~400K.

Impact:
The TMM becomes unresponsive to client traffic. If left running under load, the TMM might run out of memory from buffering SessionDB data and crash.

Workaround:
The workaround is the avoid sending large SessionDB data. The TMM may be restarted in the event it does become unresponsive.

Fix:
There is no longer a hard limit for sending SessionDB data on the backplane.

---

604923-5 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST id of existing signatures are unexpectedly modified after updating a User Defined Signature, or downloading an Attack Signature Update that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'

Fix:
Updated Signatures now retain the correct REST id.

---

604885-1 : Redirect/Route action doesn't work if there is an alert logging iRule

Component: Fraud Protection Services

Symptoms:
When "Trigger iRule Events" is enabled in FPS profile and there are configured FPS rules with Route/Redirect actions, the actions will not be performed.

Conditions:
"Trigger iRule Events" is enabled in FPS profile and the virtual server has at least one iRule with ANTIFRAUD_ALERT or ANTIFRAUD_LOGIN events.

Impact:
Configured FPS rules with Route/Redirect actions will not be performed.

Workaround:
Disabling the "Trigger iRule Events" in FPS profile.

Fix:
"Trigger iRule Events" no longer breaks FPS rules with configured Route/Redirect actions.

---

604880-4 : tmm assert "valid pcb" in tcp.c

Component: Local Traffic Manager

Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.

---

604838-1 : TCP Analytics reports incorrectly reports entities as "Aggregated"

Component: Local Traffic Manager

Symptoms:
Although the user has configured TCP Analytics to store statistics for a certain entity, it reports data for that entity in a single "Aggregated" row.

Conditions:
ALL of these conditions must be true:

The TCP Analytics profile is attached to a virtual with both clientside or serverside collection turned off in the profile.

TCP profile has mptcp, rate-pace, tail-loss-probe, fast-open, AND enhanced-loss-recovery all disabled. Also, Nagle, send-buffer, receive-window, proxy-buffer are not in AUTO mode. Finally, rexmt-thresh is 3 and the congestion control algorithm is not delay-based (NewReno, HighSpeed, Cubic). Regrettably, this matches the default TCP profile.

An iRule enables TCP-Analytics when disabled by default in the tcp-analytics profile.

Impact:
Defect eliminates nearly all data granularity for TCP Analytics.

Workaround:
Change the TCP profile on the virtual to violate any of the conditions listed above. The easiest is probably to enable rate pace or mptcp. For all affected versions, this will result in a noticeable CPU performance penalty.

Fix:
Load entity information for both TCP stacks.

---

604811-3 : Under certain conditions TMM may crash while processing OneConnect traffic

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing OneConnect traffic

Conditions:
Removing the OneConnect profile from a virtual server while passing traffic.

Impact:
TMM crash leading to a failover event

Fix:
TMM now processes profile removals as expected

---

604767-1 : Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing SAML IdP's metadata, certificate object might not be assigned as 'idp-certificate' value of saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.

Workaround:
Manually assign imported certificate as a 'idp-certificate' value of saml-idp-connector object.

---

604727-1 : Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★

Component: TMOS

Symptoms:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. After upgrade from 10.2.4 to 12.1.x, you are unable to use the GUI. The system posts the following message: The configuration has not yet loaded. CLI login works, and /var/log/ltm shows that the following message was recorded during the device bootup phase:

emerg load_config_files: "/usr/libexec/bigpipe base daol" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip_sys.conf Line 113): 012e0010:3: The requested value ({ i192_168_0_20_1) is invalid (<trapsess list> ` none) [add ` delete]) for 'trapsess' in 'snmpd'.

Conditions:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. The root cause is that the host parameter in the trap is encapsulated in quotation marks.

Impact:
The upgrade completes, but the configuration does not load when the system restarts.

Workaround:
After the configuration fails to load in this case, you can remove the SNMP trap destination configuration by editing the /config/bigpipe/bigip_sys.conf file, and performing a manual configuration conversion and reload to recover.

Alternatively, to prevent the configuration load failure from occurring, you can remove the SNMP trap destination configuration before you upgrade to BIG-IP 12.1.x. Both procedures require that you re-create the SNMP trap destination configuration once the upgrade to BIG-IP 12.1.x and/or configuration load are complete.

Fix:
Upgrade from 10.2.4 now completes successfully when the host parameter exists in the 10.2.4 configuration includes SNMP traps.

---

604612-1 : Modified ASM cookie violation happens after upgrade to 12.1.x★

Solution Article: K20323120

Component: Application Security Manager

Symptoms:
False positive modified ASM cookie violation. Perhaps other false positive cookie related violations.

Conditions:
System upgraded to 12.1.x. Existing end users are connected with their browsers to the site.

Impact:
False positive violations. A blocking page will be shown in case the modified ASM cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).

Workaround:
There are three options:
A. Set the modified ASM cookie violation to transparent after an upgrade for some time after the upgrade.
B. Use the erase cookie blocking page as the default blocking page for some time after the upgrade.
C. Use an iRule similar to the following:
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }

Fix:
Modified ASM cookie violation no longer happens after upgrade to this version.

---

604549-7 : MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data

Component: Local Traffic Manager

Symptoms:
If a DATA_FIN is received with a DATA_ACK that acknowledges data, the BIG-IP will not process the DATA_ACK and will not shutdown the connection properly as it thinks there is still outstanding data to be acknowledged.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a DATA_FIN that DATA_ACKs data is received on an MPTCP connection.

Impact:
The connection is not closed properly and eventually times out.

Fix:
Fixed DATA_FIN handling.

---

604547-1 : Unix daemon configuration may lost or not be updated upon reboot

Solution Article: K21551422

Component: TMOS

Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.

A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.

Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.

Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.

For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.

Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.

For example:
tmsh modify sys db log.clusterd.level value "Informational"

This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).

For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

Fix:
Configuration data/changes that occur early in the BIG-IP boot process are propagated successfully to non-TMOS daemons by the confpp script.

---

604496-4 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
SQL (Oracle) monitor daemon might hang with high monitoring load (hundreds of monitors). DBDaemon debug log contains messages indicating hung connection aborting and that the address in use, unable to connect.

Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgresSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce frequency of monitor interval.
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.

Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.

---

604459-1 : On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up

Component: TMOS

Symptoms:
The following message appears on the console shortly after the system boots:

emerg logger: Re-starting bcm56xxd.

Conditions:
This occurs as a result of a possible race condition on On i5x00, i7x00 and i10x00 platforms.

Impact:
No functional impact, bcm56xxd daemon restarts successfully.

Workaround:
None.

---

604371-1 : Pagination controls missing for GSLB pool members

Component: Global Traffic Manager (DNS)

Symptoms:
The pagination controls for GSLB pool members do not appear when there are more items in the list than can be displayed (Record Per Screen)

Conditions:
Customer is running 12.1.0 - 12.1.2

Impact:
Unable to view the status of, or modify GSLB pool members beyond those displayed on the screen

Workaround:
Increase the number of Records Per Screen (System / Preferences / Records Per Screen) to a number larger than the number of items in your pool

---

604272-1 : SMTPS profile connections_current stat does not reflect actual connection count.

Component: Local Traffic Manager

Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.

Conditions:
This occurs if you have an SMTPS virtual server configured.

Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.

---

604237-3 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
When a VLAN exists in the vlan-allowed list contains a VLAN which matches the suffix of another VLAN in the list and both VLANs are configured on the VCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN matches suffix of any other VLAN.

---

604223-2 : pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"

Component: Local Traffic Manager

Symptoms:
The current signal handler use 'exit' at time of 'SIGTERM'. This may result in a core under some abnormal situations.

Conditions:
When stopping pkcs11d using command like 'bigstart restart pkcs11d' or 'kill pkcs11d'.

Impact:
pkcs11d cores.

Workaround:
pkcs11d automatically comes up again after the core.

Fix:
The system now waits for all threads to finish before the pkcs11d program exits, so the core no longer occurs.

---

604211-1 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★

Solution Article: K72931250

Component: TMOS

Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.

Although certain cloud-specific 12.x EHFs such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1 is intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing it into Azure environments. If you upgrade Azure from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to the 12.1.0 HF1 EHF1 or 12.0.0-hf4 or 12.1.1, the Azure license becomes nonoperational and gets invalidated.

Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.

Impact:
License becomes unusable. Re-licensing the instance gets an invalid license.

Workaround:
The workaround for this issue is to boot back into previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.

To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.

For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/csp/#/article/K5658

Fix:
This release fixes the issue that occurred when the Azure license become nonoperational after upgrading to BIG-IP Virtual Edition 12.1.0 HF1 EHF1 from 12.0.0 HF1 EHF14.

Note: Do not use BIG-IP 12.1.0 HF1 EHF1 in the Azure environments.

---

604191-1 : AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★

Component: Application Visibility and Reporting

Symptoms:
Loading the configuration after upgrade might fail due to mishandling of scheduled-reports, with an error similar to the following:

err mcpd[5492]: 01071afc:3: Report scheduling requires specifying valid measures for entity asm_repev_ip.

Conditions:
-- AVR provisioned.
-- Having scheduled report defined on a version earlier than v12.1.0, and upgrading to v12.1.0, v12.1.0, or v12.1.0.

Impact:
Loading the configuration after upgrade might fail.

Workaround:
None.

Fix:
Loading the configuration after upgrade of scheduled-reports is now properly handled.

---

604133-2 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state

Component: Local Traffic Manager

Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.

Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.

Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.

Fix:
Ramcache clears the HTTP cookie cache in its responses.

---

604061-2 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash

Component: TMOS

Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:

lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync

Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane

Impact:
Trunks created by LACP do not pass traffic.

Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"

Alternatively, modify /etc/bigstart/scripts/tmm.finish to restart lacpd on tmm going down

Modify this line:
for d in admd asm avrd dosl7d; do

With these:
for d in lacpd admd asm avrd dosl7d; do
        if [ `$BIGSTART singlestatus $d` = "run" ]; then
            $BIGSTART restart $d &
        fi
    done

---

604011-1 : Sync fails when iRule or policy is in use★

Component: TMOS

Symptoms:
After upgrading and attempting to sync to devices in a sync group, sync fails with the following error:

Load failed from 119.big.ip 01070621:3: Rule priorities for virtual server (vs1) must be unique.

Load failed from /Common/big152 01070712:3: Caught configuration exception (0), Values (/Common/vs1) specified for virtual server policy (/Common/vs1 /Common/asm_auto_l7_policy__vs1): foreign key index (vs_FK) do not point at an item that exists in the database.

Conditions:
- A virtual address exists in the traffic-group-local-only group, meaning that it is not synced
- A CPM policy or iRule is applied to that virtual server
- Conduct a sync

This was seen on an upgrade from 12.0.0 to 12.1.0 HF1 or beyond, but could be triggered on an upgrade from any version from 11.4.0 and beyond to 12.1.0 HF1.

Impact:
Config sync fails.

Workaround:
Disassociate the iRule or policy from the virtual server, then attempt to sync.

---

603997 : Plugin should not inject nonce to CSP header with unsafe-inline

Component: Fraud Protection Services

Symptoms:
When injecting CSP header values to enable FPS Plugin to work, unnecessary injections may invalidate the application's 'allow inline script' policy, since the more restrictive directive is always applied.

Conditions:
Server response contains either header from the 'Content-Security-Policy' header family.

Impact:
The application's inline scripts will refuse to run since FPS Plugin injects nonce. This breaks user's application.

Workaround:
None.

Fix:
CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.

---

603979-4 : Data transfer from the BIG-IP system self IP might be slow

Component: Local Traffic Manager

Symptoms:
TCP traffic on a BIG-IP system using a self IP address may not correctly honor the MSS size specified during the connection establishment. The result is IP fragmentation of TCP segments sent out on the wire. The expected behavior is that TSO would package the TCP segments in a way that would not require fragmentation.

When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid, however some routers drop such packets. This might result in retransmissions and low throughput

Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.

This occurs only when TCP segmentation offload (TSO) is enabled, and traffic is using a tmm interface. TSO enabled is the default setting.

Impact:
Data transfer from the BIG-IP system's self IP address might be slow or fail.

Workaround:
To work around this issue, you can disable TSO by issuing the command:
ethtool -K tmm tso off.

Note: This has a different effect from setting the db key tm.tcpsegmentationoffload to 'disable' (which is not a workaround for the issue).

Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example,

alert tmmready "Tmm ready" {
exec command="/sbin/ethtool -K tmm tso off"
}

Fix:
Data transfer from the BIG-IP system self IP address has been improved.

---

603945-2 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.

---

603875-2 : The statistic ASM memory Utilization - bd swap size: stats are wrong

Component: Application Visibility and Reporting

Symptoms:
AVR reports incorrect bd swap size statistics.

Conditions:
-- ASM provisioned.
-- Viewing swap size statistics.

Impact:
Wrong value is displayed.

Workaround:
1. Edit /etc/avr/tmstat_tables.xml
2. Change the following line:
From:
<value publishName="swap_size" columnName="swap_size" behavior="total" type="diff"/>
To:
<value publishName="swap_size" columnName="swap_size" behavior="average" type="status"/>
3. Run the following command: restart avrd.

Fix:
The statistic ASM memory Utilization - bd swap size: stats are now correct.

---

603825-2 : Crash when a Gy update message is received by a debug TMM

Component: Policy Enforcement Manager

Symptoms:
Debug TMM will crash when a Gy update message is received.

Conditions:
- Need a Debug TMM running
- Gy update message must be received by the BIG-IP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use non-debug TMM.

Fix:
Added checks to detect Gy udpate messages and handle them accordingly in the debug TMM. Thus, preventing a crash in the debug TMM.

---

603758-1 : Big3D security hardening

Solution Article: K82038789

---

603755-1 : dwbld core dump when Auto Blacklisting is configured, in a rare scenario

Component: Advanced Firewall Manager

Symptoms:
The dynamic white/black daemon (dwbld) (a Control Plane daemon that supports the AFM IP intelligence feature) generates a core when processing an Auto Blacklisting Entry addition by TMM, when attack traffic causes a blacklist entry to be added.

The problem happens in a rare scenario when dwbld and tmm are out of sync with respect to category names. This might happen for a very short window when configuration changes are made to Blacklist Categories (such as adding or removing a category).

Conditions:
-- DoS Auto Blacklisting feature enabled.
-- Attack traffic generates an Auto Blacklist IP address entry.
-- Configuration change to Blacklist Category occurs at the same time.

Impact:
dwbld crashes and restarts. No significant impact, as after restart, the dwbld should work properly.

Workaround:
None.

Fix:
The release adds handling for the case in which dwbld is not up-to-date with configuration changes to Blacklist Categories when it simultaneously receives an Auto Blacklist Entry.

---

603746-1 : DCDB security hardening

Component: WebAccelerator

Symptoms:
The DCDB utility, as used in AAM processing, does not use current secure coding practices.

Conditions:
AAM active

Impact:
DCDB usage does not follow current secure coding practices.

Fix:
Update DCDB use to meet current secure coding standards.

---

603723-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
None.

Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.

---

603700 : tmm core on multiple SSL::disable calls

Component: Local Traffic Manager

Symptoms:
tmm can crash if SSL::disable is called repeatedly in an iRule event.

Conditions:
Invoking SSL::disable multiple times in the same iRule event

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to multiple calls of SSL::disable

---

603667-2 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).

Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.

---

603658-1 : AAM security hardening

Solution Article: K25359902

---

603609-2 : Policy unable to match initial path segment when request-URI starts with "//"

Component: Local Traffic Manager

Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".

Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".

Impact:
The policy does not match in this case.

Workaround:
The policy could be modified to scan the full URI instead of just the path element however care should be taken to correctly handle potential matches with absolute URIs or in the query string.

---

603605-1 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active

Component: iApp Technology

Symptoms:
After installation, the rpm on active device applications will be replicated to the standby. If standby does not have DHD installed, the installation page is never shown.

Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.

Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.

Workaround:
None.

Fix:
Can now install DoS Hybrid Defender on standby device in HA pair if it's already installed on active.

---

603598-3 : big3d memory under extreme load conditions

Component: Global Traffic Manager (DNS)

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.

When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue.

One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.

Thus the Pending queue might become full and the memory leak can occur.

In BIG-IP 11.1.0 versions of big3d,
the Active queue has 256 slots and
the Pending queue has 4096 slots.

In BIG-IP 11.1.0-hf3, the queue sizes were expanded to
2048 for the Active queue and 16384 for the Pending queue.

Since the queues were smaller n versions prior to
11.1.0-hf3, this leaks is more likely to manifest itself.

In later versions, the leak is still possible, but is less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitors
settings are reasonable and that big3d is not overloaded.

This will minimize the chances that the Pending queue
does not become full.

There is no mechanism to resize the queues.

Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.

---

603550-1 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Solution Article: K63164073

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, has both the FastL4 profile and layer 7 profile (HTTP) syn flood to the virtual server).

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.

Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.

---

603397-2 : tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config

Component: Service Provider

Symptoms:
tmm will core if the transport config specified in a MR::message route iRule command does not exist.

Conditions:
the transport config specified in a MR::message route iRule command does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the correct name for the trasnport-config object.

Fix:
fixed a tmm core.

---

603236-1 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware

Component: Local Traffic Manager

Symptoms:
Creating 1024 and 4096 size keys fail when the SafeNet client version installed on BIG-IP is 6.2 and SafeNet appliance firmware is 6.10.9.

Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.

Impact:
Cannot create 1024 or 4096 size RSA keys.

Workaround:
None.

Fix:
Removed the config line, RSAKeyGenMechRemap = 1, that was conflicting with 6.10.9 firmware.

---

603234-3 : Performance Improvements

Component: Fraud Protection Services

Symptoms:
Certain detection algorithms can slow down the client application.

Conditions:
FPS enabled, full AJAX encryption enabled

Impact:
Client side AJAX detection can be slow.

Fix:
The performance of some detection algorithms has been improved

---

603149-2 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy

Component: TMOS

Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.

Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.

Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.

Workaround:
Before the fix, decrease lifetime-kilobytes until properly stable.

Fix:
The fix should make every value no more than 4294967295 kilobytes work correctly, without becoming some smaller value. (Note this value is 2^32-1.) If the size of ike-phase2-lifetime-kilobytes becomes 64-bit in the future, this will also work, causing a 64-bit value for kilobytes to occur in isakmp negotiation.

---

603082-3 : Ephemeral pool members are getting deleted/created over and over again.

Component: Local Traffic Manager

Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.

Impact:
Traffic disrupted while mcpd restarts.

---

603032-1 : clientssl profiles with sni-default enabled may leak X509 objects

Component: Local Traffic Manager

Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Impact:
The amount of leakage will depending on the number of virtuals with sni-default-enabled clientssl profiles and frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Workaround:
No workaround short of not using sni-default.

Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.

---

603019-3 : Inserted SIP VIA branch parameter not unique between INVITE and ACK

Component: Service Provider

Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.

Conditions:
If the CSEQ number of a SIP message is the same, the inserted VIA header will contain the same branch parameter.

Impact:
SIP proxy servers which perform strict message validations may reject the call.

Fix:
Included a hash of the branch parameter of the received top-most via header into the branch parameter of the inserted via header. Thus is the received top-most via conforms to the spec and generates a different branch parameter between INVITE and ACK, the inserted via will have a different branch parameter.

---

602975-1 : Unable to update the HTTP URL's "Header-Based Content Profiles" values

Component: Application Security Manager

Symptoms:
When HTML5 Cross-Domain Request Enforcement is enabled on a URL, Header-Based Content Profiles cannot be updated.

Conditions:
HTML5 Cross-Domain Request Enforcement is enabled on a URL.

Impact:
Header-Based Content Profiles cannot be updated on the URL.

Workaround:
Use the following procedure:
1. Disable HTML5 Cross-Domain Request Enforcement on the URL.
2. Update the Header-Based Content Profiles.
3. Re-enabled HTML5 Cross-Domain Request Enforcement.

Fix:
Updating Header-Based Content Profiles for a URL with HTML5 Cross-Domain Request Enforcement is now successful.

---

602854-8 : Missing ASM control option from LTM policy rule screen in the Configuration utility

Component: TMOS

Symptoms:
In the Configuration utility, when creating or editing a LTM policy, the ASM control option may be missing from the rule screen.

Conditions:
Whether the ASM control option is present or missing purely depends on the license installed on the system.

The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:

# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license

If any output is returned, then you are affected by this issue.

Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.

Workaround:
Use the TMSH utility to enable ASM in LTM policies.

Fix:
ASM can now be enabled in LTM policies using the Configuration utility regardless of the license installed on the system.

---

602830-1 : BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode

Component: TMOS

Symptoms:
The LCD display does not indicate diagnostic mode when you stop BIG-IP daemons(bigstart stop) and run platform_check diagnostic command.

Conditions:
Dignostic mode is not displayed on LCD.

Impact:
There is no visible indication on LCD display to indicate when system in diagnostic mode.

Fix:
Diagnostic message display on LCD when system is diagnostic mode.

---

602708-2 : Traffic may not passthrough CoS by default

Solution Article: K84837413

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may set the packet Quality of Service (QoS) priority to 3 when traffic is processed by an IP forwarding virtual server.

Conditions:
-- IP forwarding virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.

Fix:
TMM now correctly passes through CoS by default.

---

602654-2 : TMM crash when using AVR lookups

Component: Application Visibility and Reporting

Symptoms:
When trying to find/insert data into AVR lookups TMM/AVR core might occur.

Conditions:
AVR lookups in use.

Impact:
tmm crashes. The crash occur when two processes simultaneously try to access the same cell in the lookup. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using AVR lookups.

---

602653-1 : TMM may crash after updating bot-signatures

Component: Local Traffic Manager

Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.

Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Try adding/removing some signatures, this should avoid the crash.

Fix:
Fixed a memory corruption when updating bot signatures.

---

602566-5 : sod daemon may crash during start-up

Component: TMOS

Symptoms:
sod daemon produces core file during start-up

Conditions:
sod encounters an error during start-up and attempts to recover.

Impact:
sod restarts

Fix:
Reset freed pointers to prevent double free during error recovery.

---

602502-2 : Unable to view the SSL Cert list from the GUI

Component: TMOS

Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.

Conditions:
Can not view any SSL certificates in the GUI if at least one certificate has a double extension(like test.crt.crt) in its name.

Impact:
Unable to view the any SSL Cert from the GUI

Workaround:
Delete such certificate through TMSH and reimport without .crt extension in the certificate name.

delete sys file ssl-cert test.crt.crt

Fix:
Should be able to view/delete/export certificates from GUI.

---

602434-1 : Tmm crash with compressed response

Component: Application Visibility and Reporting

Symptoms:
AVR decompressed all the traffic in order to do classification.
This can cause tmm core due to too many decompress request.

Conditions:
Sending stressed compressed traffic on virtual with dos profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
AVR will ask no more than 10 decompressed request simultaneously.

---

602429-1 : DNS suffix is not restored after disconnecting Network Access

Component: Access Policy Manager

Symptoms:
DNS suffix search list is not restored after disconnecting the VPN connection. The client DNS search list retains the suffix that came from Network Access Resource.

Conditions:
-- On Microsoft Windows.
-- Use APM client to establish VPN tunnel.

Impact:
Certain hostname resolution may fail.

Workaround:
There is no workaround at this time.

Fix:
DNS suffix is restored after disconnecting from VPN.

---

602385-1 : Add zLib compression

Component: Local Traffic Manager

Symptoms:
Current driver supports only compress GZip and compress deflate.

Conditions:
APM Network Access tunnel has an option for compression. Compression is implemented in GZIP hudfilter which uses COMPRESS_ZLIB compression method. Currently only 'zlib' compression provider (software based) is implementing this method. None of the hardware providers (such as Coleto Creek) support it; they support COMPRESS_DEFLATE and COMPRESS_GZIP. GZIP hudfilter could use all 3 methods, but only ZLIB is compatible with current and older versions of the client. To preserve backward compatibility it must use ZLIB.

Impact:
Current compression hardware (such as Coleto Creek) is needed to support ZLIB method, otherwise compression in APM Network Access tunnel does not scale.

Workaround:
None.

Fix:
zLib compression is now supported.

---

602376-1 : qkview excludes files

Component: TMOS

Symptoms:
When running the qkview command to generate a diagnostic file, some files are omitted from the qkview.

Conditions:
This occurs when running qkview, when the configuration settings for qkview for the admin user include the --exclude flag. For example if the setting has --exclude core then none of the core files will be included in the qkview even if it is run without the --exclude parameter.

Impact:
Debugging of issues impaired if the missing files were needed to resolve the problem.

Workaround:
None.

Fix:
Corrected errors and made sure all files are included or excluded as designed.

---

602366-1 : Safenet 6.2 HA performance

Component: Local Traffic Manager

Symptoms:
With Safenet 6.2 HA setup, you only sees the performance of one HSM.

Conditions:
Safenet 6.2 client is installed and Safenet HA is used.

Impact:
Only one HSM is used for the HA setup.

Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>

Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable

Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test

Fix:
Installation script is updated for Safenet 6.2 HA.

---

602358-5 : BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version

Component: Local Traffic Manager

Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.

Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.

The problem occurs if the SSL/TLS server requires the ClientHello (both in the Record layer and Handshake Protocol) in the new ClientHello to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.

Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.

Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.

Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.

Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:

1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.

2. If it is set to enable, both ClientHello versions will be exactly the same.

---

602326-1 : Intermittent pkcs11d core when stopping or restarting pkcs11d service

Component: Local Traffic Manager

Symptoms:
Sometimes you may see pkcs11d core when stopping/restarting pkcs11d service. This may happen when installing netHSM software or when restarting an existing pkcs11d service.

Conditions:
bigstart issues 'stop' to pkcs11d while pkcs11d receives message.

Impact:
pkcs11d may core intermittently.

Workaround:
pkcs11d may automatically restart without intervention.

Fix:
This release fixes the intermittent pkcs11d core that might have occurred when stopping or restarting the pkcs11d service.

---

602300-1 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address

Component: Global Traffic Manager (DNS)

Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }

as the first dns name-server.
This will show in the /etc/resolv.conf file (an example)
nameserver 2001::1
nameserver 192.168.100.1

Conditions:
When an IPv6 nameserver is the first server defined.

Impact:
ZoneRunner records cannot be modified.

Workaround:
Do not use DNS server with IPv6 address or add IPv4 server at top of the list.

Fix:
The IP address type was not set properly while communicating with BIND. This does not matter if the first nameserver listed is an IPv4 address or if there are no nameservers listed at all.

If the first nameserver listed is an IPv6 and the IP address type is not set to IPv4 (AF_INET), BIND libraries will attempt to use the IPv6 library from /etc/resolv.conf.

We not properly set the AF_INET type to IPv4.

---

602221-2 : Wrong parsing of redirect Domain

Component: Application Security Manager

Symptoms:
ASM learns wrong domain names

Conditions:
no '/' after domain name in the redirect domain

Impact:
wrong learning suggestion can lead to wrong policy

Workaround:
N/A

Fix:
Fixing an issue with parsing the URL in the location header

---

602171-1 : TMM may core when remote LSN operations time out

Component: Carrier-Grade NAT

Symptoms:
TMM configured with LSN may core during high utilization, when local endpoint resources are exhausted, and request for remote resources times out.

Conditions:
LSN remote operation time out. LSN can request remote TMM for resources when local resources are exhausted, when such request time out, this can result in a core in affected versions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM LSN remote operations will no longer cause core.

---

602136-5 : iRule drop/discard/reject commands causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that terminates a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that terminates a connection using one of the following commands:

- drop
- discard
- reject

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

---

602098-1 : Translation object created in non-Common partition is visible in the policy created for Common partition

Component: Advanced Firewall Manager

Symptoms:
On BIG-IP system, the source translation object created in a non-Common partition is available for use in a policy created for the Common partition.

Conditions:
-- On BIG-IP system, provision the AFM and LTM Modules.
-- Configure a non-Common partition and create a source translation object in that partition.
-- Create a policy in Common partition.
-- Add a rule in the translated source section.

Impact:
While adding a rule in the translated source section, in the dropdown menu, the object created in non-Common partition is available for selection. The policy created in Common partition can use the source translation object created in non-Common partition. This is not a valid usage.

Workaround:
None.

Fix:
When creating policy for specific partition, added validation to display only the objects created in that specific partition.

---

602061 : i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages

Component: TMOS

Symptoms:
When firmware is updated on a i5000, i7000, i10000 series series appliance messages appear on the console indicating the update is in progress. The messages are inconsistent, some give an expected time the update will take and some do not.

Conditions:
Firmware update following the installation of a new iso with new firmware that must be programmed.

Impact:
cosmetic

Workaround:
None

---

602040-3 : Truncated support ID for HTTP protocol security logging profile

Component: Local Traffic Manager

Symptoms:
The HTTP Protocol Security logging profile yields to incomplete support ID published in the local storage.

Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.

Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits)

Workaround:
There is no workaround

---

601989-3 : Remote LDAP system authenticated username is case sensitive★

Solution Article: K88516119

Component: TMOS

Symptoms:
Unable to login via ssh, with cause being reported as 'user account has expired'. Wrong role being assigned for remote-user.

Conditions:
The character-case for the username returned from LDAP must match the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or 12.1.1.

Impact:
Unable to login via ssh with remote-user or remote-user being assigned incorrect role when multiple accounts exists with the same name and mixed case.

Workaround:
Avoid configuring the same account username with different case. The authenticated user account in TMOS used to login should exactly match the user account name returned from LDAP.

Fix:
When logging in to BIG-IP via ssh, the case of the logged-in user name is preserved when authenticating against an LDAP source, and matched in a case-sensitive manner to the appropriate locally defined user role.

---

601938-2 : MCPD stores certain data incorrectly

Solution Article: K52180214

---

601927-1 : Security hardening of control plane

Solution Article: K52180214

Component: TMOS

Symptoms:
File permissions changes needed as found by internal testing

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.

---

601924-1 : Selenium detection by ports scanning doesn't work even if the ports are opened

Component: Application Security Manager

Symptoms:
When selenium server package is running on an end point and a traffic being sent from there, proactive bot defense mechanism doesn't see selenium server opened ports.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
Low impact as the selenium detection by ports scan has a low score and doesn't mitigate a client, unless it has another suspicious client properties (for example tor browser)

Workaround:
N/A

Fix:
Ports scanning has fixed - wider range of ports are scanned.

---

601919-2 : Custom categories and custom url filter assignment must be specific to partition instead of global lookup

Component: Access Policy Manager

Symptoms:
Custom categories lookup and matching is not partition specific.

Conditions:
Create SWG Explicit VS, access policy, per-request policy, custom-category with a glob URL and URL filter in custom partition say partition1
and similarly create similar set in partition2 (Note make sure the glob URL is matched in custom categories in 2 different partitions). Set the browser to explicit proxy:port information of partition1 VS and access the URL to be matched to the custom category.

Impact:
Partition specific custom category match is not available if user specific whitelist needs to be applied.

Workaround:
None

Fix:
Code to check custom categories only for the partition that connflow belongs to and Common partition has been added

---

601905-1 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server

Component: Access Policy Manager

Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.

Conditions:
Most likely, the POST request contains large post data.

Impact:
The POST request will fail.

Workaround:
The following iRule will workaround the issue:

 when HTTP_REQUEST {

  if {[HTTP::method] eq "POST"}{
    # Trigger collection for up to $max_collect of data
    set max_collect 1000000
    if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect}{
      set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length $max_collect
    }
    # Check if $content_length is not set to 0
    if { $content_length > 0} {
      HTTP::collect $content_length
    }
  }

---

601893-2 : TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.

Solution Article: K89212666

Component: TMOS

Symptoms:
Tmm cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.

Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use dynamic modification of rates for dynamic policies.

Fix:
You can now successfully use dynamic modification of rates for dynamic policies.

---

601828-1 : An untrusted certificate can cause tmm to crash.

Solution Article: K13338433

Component: Local Traffic Manager

Symptoms:
If the certificate sent by an SSL server to the server-side BIG-IP profile is untrusted, tmm might crash.

Conditions:
-- Server-side SSL profile is attached to a virtual server.
-- The SSL server sends an untrusted certificate to the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system will now log the certificate name 'unknown' if an SSL server sends an untrusted certificate, and tmm does not restart.

---

601709-2 : I2C error recovery for BIG-IP 4340N/4300 blades

Solution Article: K02314881

Component: TMOS

Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd

Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.

---

601536-1 : Analytics load error stops load of configuration★

Component: Application Visibility and Reporting

Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.

Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.

Impact:
Configuration fails to load, will not pass traffic.

Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.

Fix:
An analytics configuration that was valid in a previous release now loads successfully in the current release.

---

601527-4 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory lean in mcpd

---

601502-4 : Excessive OCSP traffic

Component: TMOS

Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.

Conditions:
Virtual server configured with an OCSP profile

Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.

Workaround:
None.

Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.

---

601496-4 : iRules and OCSP Stapling

Component: Local Traffic Manager

Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.

You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.

Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stabling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.

Impact:
TMM memory used increases gradually, eventually the aggressive mode sweeper is activated.

Workaround:
None.

Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.

---

601420-3 : Possible SAML authentication loop with IE and multi-domain SSO.

Component: Access Policy Manager

Symptoms:
When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter authentication loop and never complete the access policy.

Conditions:
APM is configured with SAML authentication and multi-domain SSO.

Impact:
Using Internet Explorer, the client may not be unable to connect to its desired destination.

Workaround:
Chrome and Firefox do not seem to be affected.

Fix:
Use cookie for session for multi-domain if TOKEN lookup fails. Previously, the cookie was ignored for multi-domain response URI. However, with the introduction of TOKEN based session lookup, this causes a failure if the client retries the request (since the TOKEN was consumed in the request prior to the retry).

---

601378-2 : Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons

Component: Application Security Manager

Symptoms:
These errors can be observed in '/var/log/asm':
-------------------------
The caller:[F5::ASMConfig::Entity::Charset::get_policy_encoding_type] did not pass in a value for 'encoding_name' to retrieve the 'encoding_type' for -- aborting.

ASM subsystem error (asm_config_server.pl,): ASM Config server died unexpectedly

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads.

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: asm_config_server.pl, Failure: Insufficient number of threads.
-------------------------

Conditions:
ASM provisioned.
Create security policy with "Auto accept" language.

Impact:
ASM daemons restart, numerous errors in asm log.

Workaround:
None.

Fix:
Creating an ASM security policy with "Auto accept" language no longer leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons

---

601309 : Locator LED no longer persists across reboots

Component: TMOS

Symptoms:
The Locator LED (blinking F5 logo ball) state could be retained across reboots if the TMSH config was saved. The intended behavior is to default to disabled on reboot.

Conditions:
Setting the Locator to "enabled" via either the LCD or TMSH, then saving the TMSH config.

Impact:
i5600, i5800, i7600, i7800, i10600, and i10800 appliances

Workaround:
Disable the Locator LED and save the TMSH config

Fix:
Fixed Locator LED state persisting through reboots

---

601268-5 : PHP vulnerability CVE-2016-5766

Solution Article: K43267483

---

601255-4 : RTSP response to SETUP request has incorrect client_port attribute

Component: Service Provider

Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)

Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection

Impact:
Unicast media may forwarded to incorrect UDP port (0).

Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.

---

601189-2 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.

Conditions:
-- Fastl4 VS.
-- syncookie mode.

Impact:
TCP packet are sent out of order.

Workaround:
None.

Fix:
The BIG-IP system no longer sends TCP packets out of order in Fastl4 in syncookie mode.

---

601180-2 : Link Controller base license does not allow DNS namespace iRule commands.★

Solution Article: K73505027

Component: Global Traffic Manager (DNS)

Symptoms:
The Link Controller base license improperly prevents DNS namespace iRule commands.

Conditions:
A Link Controller license without an add-on that allows Layer 7 iRule commands.

Impact:
An administrator cannot add DNS namespace commands to an iRule. Cannot upgrade from a pre-11.5 configuration, where the commands were working, to 11.5.4 through 12.1.2.

Workaround:
To enable upgrade, remove DNS namespace commands from the configuration prior to upgrade.

Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.

---

601178-6 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is 'preferred' in the http cookie persistence profile, when the client presents a plain-text route domain formatted cookie the BIG-IP will ignore the cookie and re-load balance the connection.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.

---

601168-1 : Incorrect virtual server CPU utilization may be observed.

Component: TMOS

Symptoms:
The virtual_server_cpu_stat table counters are always at zero.

Conditions:
ASM license is in effect.

Impact:
Wrong CPU utilization per virtual server.

Workaround:
No workaround.

Fix:
An issue in computing CPU averages for virtual server has been resolved.

---

601083-1 : FPS Globally Forbidden Words lists freeze in IE 11

Component: Fraud Protection Services

Symptoms:
When attempting to move more than 1 item in Globally Forbidden Words in Internet Explorer 11 browser, the lists freeze.

Conditions:
FPS Provisioned
Add 2 or words in "Search for malicious words in the HTML or JavaScript code"

Impact:
FPS GUI freezes

Workaround:
Add 1 item each time and save.
Use tmsh.

Fix:
Internet Explorer 11 will not freeze if moving more than one item at a time.

---

601076 : Fix watchdog event for accelerated compression request overflow

Component: TMOS

Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.

Conditions:
Very rapid queuing of concurrent accelerated compression requests.

Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.

Workaround:
Disable accelerated compression by disabling hardware accelerated compression with:

  % tmsh modify sys db compression.strategy value softwareonly

Fix:
Apply a constraint on accelerated compression request DMA ring so no more than 128 in-flight requests are queued at any one time.

---

601059-6 : libxml2 vulnerability CVE-2016-1840

Solution Article: K14614344

---

601056 : TCP-Analytics, error message not using rate-limit mechanism can halt TMM

Component: Application Visibility and Reporting

Symptoms:
An error message is displayed when TCP-Analytics fails to save new data. This error message is not rate-limited, as all other TMM error messages are, so if the error situation is encountered very frequently, the message will be displayed only occasionally, and not for every error event.

Since the error message is not rate-limited, hitting this error many times might eventually lead to TMM halt.

Conditions:
-- TCP-Analytics is assigned to virtual server.
-- The aggregation method of TCP Analytics causes a full table situation because of the distribution of the client IP addresses and subnets.

Impact:
TMM can halt. Traffic disrupted while tmm restarts.

Workaround:
Remove TCP-Analytics from virtual servers.

Fix:
Error message is performed with rate-limiting mechanism.

---

601035 : TCP-Analytics can fail to collect all the activity

Component: Application Visibility and Reporting

Symptoms:
When the traffic reaching the BIG-IP system comes from a very large number of different client IP addresses and subnets, the TCP-Analytics table can get full, which leads to ignoring the activity that follows, until next snapshot of data.

Conditions:
-- TCP-Analytics profile is attached to a virtual server.
-- Incoming traffic represents a large amount of client IP addresses and subnets (the exact number that causes the full table condition depends on machine type and provisioned modules).

Impact:
TCP Analytics is showing only some of the activity, not all of it. In addition, numerous log messages might fill the logs.

Workaround:
Disable TCP-Analytics.

Fix:
Aggregation method of TCP Analytics was fixed, so the system no longer reaches the full table situation, no matter the distribution of the client IP addresses.

---

600982-5 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"

Component: Local Traffic Manager

Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.

Conditions:
No conditions to be set, however this is a very rare occurrence in which a random number generator can technically generate the number Zero ( 0 ) which would trigger this.

Impact:
Traffic disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and LB may be lost with renegotiation for certain types of traffic.

Workaround:
None.

Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.

---

600944-1 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common' and run bash then run 'ip route', the routing table from the partition is displayed, not /Common

Conditions:
Attempting to see the route table from the /Common partition after leaving another parition

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.

---

600894-1 : In certain situations, the MCPD process can leak memory

Component: TMOS

Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:

err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.

Conditions:
So far, this issue has only been observed while updating a large external data-group file object.

Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.

---

600859-2 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★

Component: TMOS

Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.

Conditions:
Upgrading 11.6.0, or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.

Impact:
License is invalidated and instance becomes unusable.

Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.

Fix:
Module licenses correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.

---

600827-8 : Stuck Nitrox crypto queue can erroneously be reported

Solution Article: K21220807

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.

Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
None.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.

---

600812-1 : IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet.

Component: Local Traffic Manager

Symptoms:
tmsh show net ndp shows an incomplete entry for the neighbor

Conditions:
icmp-echo is enabled for an IPv6 virtual address on a IPv6 Host IP forwarding virtual server.

Impact:
The neighbor advertisement reaches the LTM, but the ndp entry for that neighbor is left incomplete, leading to not being able to connect to that neighbor.

Workaround:
This issue can be resolved by disabling the icmp-echo on the virtual IPv6 address or configuring a static mac-address
for the neighbor

Fix:
The neighbor entry in the LTM displays the correct neighbor information.

---

600811-2 : CATEGORY::lookup command change in behavior★

Component: Access Policy Manager

Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions. Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command was valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, using the previous example, you must remove the HTTP::uri statement. If an HTTP::uri is provided to the command, the system returns an error similar to the following:

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

Correcting the iRule for post-v12.1.1 installation, the example must be modified to pass in the HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.

Conditions:
- BIG-IP licensed and provisioned for:
  o APM and URL Filtering
  o URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments).
- An iRule that supplies a URI path to the CATEGORY::lookup iRule command.
- Upgrading from pre-v12.1.1 versions that use the CATEGORY::lookup iRule command and use an HTTP::uri or pass in a plain text string that contains anything other than an HTTP hostname.

Impact:
There is an error returned from the command. This can cause errors in existing deployments.

Workaround:
Update the iRule to only pass an HTTP hostname to the CATEGORY::lookup iRule command

Fix:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions.

Only a valid hostname can be used and have its category returned.

Behavior Change:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions. Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command was valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, using the previous example, you must remove the HTTP::uri statement. If an HTTP::uri is provided to the command, the system returns an error similar to the following:

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

Correcting the iRule for post-v12.1.1 installation, the example must be modified to pass in the HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.

---

600732-2 : IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description

Component: TMOS

Symptoms:
The IKEv1 racoon daemon can crash when a security association (SA) is deleted (which can be done either explicitly on the command line, or indirectly by changing the ike-peer definition in config via tmsh). Usually this crash also requires that the ike-peer be altered or removed at the same time.

Note: Merely altering a v1 ike-peer causes the racoon daemon to first delete the old ike-peer, and then add a new one. So 'modify' effectively means 'delete' in this bug context.

Conditions:
When a v1 ike-peer is changed in any way while the racoon daemon actually has a valid security association in current use.

Impact:
IKEv1 racoon daemon restarts, and then tunnel outage until new SAs are negotiated.

Workaround:
No workaround is known at this time.

Fix:
When a v1 ike-peer changes, which causes the racoon daemon to delete and then redefine the peer, existing security associations are also deleted (because they were only valid for the last definition). During the process of tearing things down, it was possible for a security association to access the old, destroyed ike-peer during a late-stage followup action. This is now prevented.

---

600662-9 : NAT64 vulnerability CVE-2016-5745

Solution Article: K64743453

---

600614-5 : External crypto offload fails when SSL connection is renegotiated

Component: Local Traffic Manager

Symptoms:
If and external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection will fail when the SSL connection is renegotiated.

Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.

Impact:
Crypto client connection to the crypto server will fail.

Workaround:
Disable renegotiation on the SSL profile.

Fix:
The crypto client connection to the crypto server will no longer fail when the SSL connection is renegotiated.

---

600593-1 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   }
   else {
      ONECONNECT::reuse enable
   }
}

---

600558-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

Fix:
Errors are no longer logged after deleting user in GUI.

---

600385-1 : BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout

Solution Article: K43295141

Component: Local Traffic Manager

Symptoms:
When configuring BIG-IP LTM and BIG-IP DNS monitors, administrators can set the interval value be larger than the timeout value.

Conditions:
Setting interval value to be larger than the timeout value.

Impact:
The misconfigured monitor setting might result in unexpected monitor behavior.

Workaround:
Set the interval value lower than the timeout value.

Fix:
Monitors are no longer allowed to set the interval value be larger than the timeout. This is correct behavior.

Behavior Change:
Monitors are no longer allowed to set the interval value be larger than the timeout. This is correct behavior.

---

600357-2 : bd crash when asm policy is removed from virtual during specific configuration change

Component: Application Security Manager

Symptoms:
BD restarts and produces a core file

Conditions:
A configuration change which involves headers configuration or a policy re-configuration and at the same time, while this update is taking place the ASM policy is removed from the virtual.
This is more likely to happen in scripted tests than in the field.

Impact:
Traffic gets dropped while the ASM gets restarted.

Workaround:
Don't change ASM configuration at the same time as changing the virtual server configuration.

Fix:
System will still restart but will not produce a core file when this happens.

---

600232-9 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366

---

600223-2 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366

---

600205-9 : OpenSSL Vulnerability: CVE-2016-2178

Solution Article: K53084033

---

600198-2 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033

---

600119-3 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions

Component: Access Policy Manager

Symptoms:
When connected to the vpn and wifi adapter is enabled (not connected to any wlan) access to websites outside the vpn is very slow.
Access is fine when wifi interface is disabled.

Conditions:
- number of DNS servers configured for active network adapters matches the number of DNS servers configured in Network Access resource

Impact:
User experience while navigating servers outside of VPN scope is impacted by increased connection time

Workaround:
Disable unused adapters or change the number of configured DNS servers

Fix:
DNS requests for names outside the VPN scope sent to VPN DNS server are redirected to DNS servers from NIC using Round Robin algorithm

---

600069-6 : Portal Access: Requests handled incorrectly

Solution Article: K54358225

---

600052-1 : GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system

Component: Local Traffic Manager

Symptoms:
Cannot access SSL certs/keys using the GUI. GUI displays "Internal Server Error" page.

Conditions:
Having large (~3k) number of SSL certs/keys in the system.

Impact:
Cannot use the GUI to view/edit the SSL certs/keys.

Workaround:
User tmsh to access SSL certs/keys.

Fix:
Can now access SSL certs/keys using the GUI

---

599858-7 : ImageMagick vulnerability CVE-2015-8898

Solution Article: K68785753

---

599839-3 : Add new keyords to SIP::persist command to specify how Persistence table is updated

Component: Service Provider

Symptoms:
SIP::persist command keywords were not present prior to 12.1.2

Conditions:
Using the SIP::persist command in an iRule

Impact:
Limited control via SIP::persist

Workaround:
N/A

Fix:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.

Behavior Change:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.

---

599816-2 : Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.

Component: TMOS

Symptoms:
Packets arriving on members of the VLAN group are CMP redirected. Redirections may be tracked with the tmm/flow_redir_stats table.

Conditions:
VLANs in the VLAN group must have different cmp-hash settings. For example, one VLAN may configure src-ip and another dst-ip.

Impact:
Throughput drops because of the redirections. However, because this is an error in the software disaggregator, components and features which depend on correct disaggregation may fail. Some features of PEM may fail.

Fix:
Packets are correctly disaggregated without redirections.

---

599803 : TMM accelerated compression incorrectly destroying in-flight contexts.

Component: Performance

Symptoms:
You see a tmm core while using compression profiles.

Conditions:
Related to use of hardware compression.

Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.

Workaround:
Disable accelerated compression using the following command:

% tmsh modify sys db compression.strategy value softwareonly.

Fix:
The system now correctly dispatches cancelled in-flight accelerated compression contexts when cancellation comes while hardware is still actively compressing.

---

599769 : TMM may crash when managing APM clients.

Component: Local Traffic Manager

Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.

Conditions:
APM enabled and actively managing clients.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.

---

599720-2 : TMM may crash in bigtcp due to null pointer dereference

Component: Local Traffic Manager

Symptoms:
TMM crashed in bigtcp_queue_pkt() due to null pointer dereference of clientside flow.

Conditions:
This only occurs for serverside flow whose peer no longer exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
A problem of null pointer dereferece in bigtcp has been fixed.

---

599567 : APM assumes SNAT automap, does not use SNAT pool

Component: Local Traffic Manager

Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
Also SNAT configuration of 'None' does not work. It always works as if it is configured with Automap.

Conditions:
SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).

Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.

Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.

Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual sever.

Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.

Fix:
The system now honors the virtual server SNAT configuration.

---

599543-3 : Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile

Component: TMOS

Symptoms:
When PKCS#12 cert and key are in use by SSL profiles, importing key/cert fails with the below error message:

Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2()
0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match

Conditions:
1. When the cert and key are in the PKCS#12 format.
2. When the cert and key are in use by SSL profiles.

Impact:
When PKCS#12 cert and key are in use by SSL profiles, they can not be directly updated (overwritten) using key/cert import.

Workaround:
Use tmsh to install the PKCS#12 key. For example, suppose the key/cert to be replaced is called orig.key and orig.crt, it can be overwritten using the below command:

tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx

---

599536-1 : IPsec peer with wildcard selector brings up wrong phase2 SAs

Solution Article: K05263202

---

599521-5 : Persistence entries not added if message is routed via an iRule

Component: Service Provider

Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.

Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.

Impact:
Since MRF SIP persistence may be bidirectional, not having the persistence entry will keep message flowing in the opposite direction from being automatically routed via persistence.

Workaround:
An iRule could be used to route messages directed towards the original client.

Fix:
MRF SIP will add a persistence entry for message routed via an iRule.

---

599424-2 : iApps LX fails to sync★

Component: iApp Technology

Symptoms:
In a device group, iApps LX applications fail to sync to the other devices. In restjavad.0.log you notice this log entry, approximately once per hour:

[8100/tm/shared/BIG-IP-failover-state BIG-IPFailoverStateWorker] Failed to discover [address]: java.lang.IllegalStateException: Authentication Failure to host [address]. Please check the credentials provided.

Conditions:
- This occurs after upgrading devices in a device group from 12.1.1 to a version higher than 12.1.1, such as 12.1.1 HF1.

- It can also occur on UCS restore.

- This occurs after upgrading devices in a device group from 12.1.0 to a version higher than 12.1.0, such as 12.1.0-HF1 (or above).

- Also found this can occur with a clean install of v12.1.2-Final and upgraded to v12.1.2 HF1.

Impact:
If you do not have iApps LX configured, there should be no impact other than the warning in restjavad.0.log which you can safely ignore. If you have iApps LX configured and the iApp is not syncing, then this will impact traffic if a failover event occurs.

Workaround:
None.

Fix:
iApps LX will now sync correctly.

---

599423-1 : merged cores and restarts

Solution Article: K24584925

Component: TMOS

Symptoms:
The vCMP host overwrites the stats table with data from guests.

Conditions:
vCMP running SSL traffic for more than one day.

Impact:
An internal value that tracks the interfaces changes, and merged cores and restarts.

Workaround:
None.

Fix:
The host no longer overwrites the reference values in the interface stats table, so merged does not core and restart.

---

599285-2 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Solution Article: K51390683

---

599223-1 : Prevent static destructors in tmipsecd daemon

Component: TMOS

Symptoms:
The tmipsecd daemon can leave a core when it exits main().

Conditions:
When tmipsecd exits deliberately, say in response to an exception, this can crash during program cleanup, despite the cleanup not being necessary. What begins as a clean termination turns into a messy crash.

Impact:
Generation of a distracting core, using disk space and attracting user attention unnecessarily. (Since tmipsecd was restarting anyway, the restart is not extra impact.)

Workaround:
there is no workaround.

Fix:
When a tmipsecd process terminates, cleaning up globals on shutdown is unnecessary, so this has now been prevented. So we cannot get a core when cleanup fails.

---

599221-1 : ASM Policy cannot be created in non-default partition via the Import Policy Task

Component: Application Security Manager

Symptoms:
An ASM Policy cannot be created in a non-default (/Common) partition using the Import Policy Task (/mgmt/tm/asm/tasks/import-policy).

Conditions:
User attempts to create a new ASM policy in a non-/Common partition using a file or template via the import policy tasks.

Impact:
Policy is created in /Common instead of the specified partition.

Workaround:
1) Create a Policy in the desired partition via a POST to the /mgmt/tm/asm/policies endpoint.
2) Execute the Import Policy Task (/mgmt/tm/asm/tasks/import-policy) using the created policy as the policyReference to overwrite it.

Fix:
Policy Import creates new policies in the specified partition.

---

599191-2 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Component: TMOS

Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.

Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Impact:
A stale key is left on the FIPS card. There is no impact to functionality.

Workaround:
Check for the handles/key-ids of the keys in configuration using tmsh. Then remove the key that is not in use using the command tmsh delete sys crypto key <keyname>

---

599168-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031

---

599135-2 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump

Component: Local Traffic Manager

Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.

Conditions:
Run tcpdump on a B2250 platform

Impact:
Increment in TMM CPU utilization with every run of tcpdump.

Workaround:
Restart TMM, avoid the use of tcpdump.

Fix:
B2250 blades no longer suffer from high TMM CPU utilisation with tcpdump

---

599121-2 : Under heavy load, hardware crypto queues may become unavailable.

Solution Article: K24036315

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.

Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.

---

599054-2 : LTM policies may incorrectly use those of another virtual server

Component: Local Traffic Manager

Symptoms:
LTM policies may use policies configured on another virtual server.

Conditions:
- A configurations with several virtual servers and several configured ltm policies attached to those virtual servers.
- Configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.

Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.

Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync issuing a bigstart restart command or restarting the device will fix this condition.

Fix:
LTM policies no longer incorrectly use those of another virtual server

---

599033-5 : Traffic directed to incorrect instance after network partition is resolved

Component: TMOS

Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network.

Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.

Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.

Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.

Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.

---

598983-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031

---

598981-3 : APM ACL does not get enforced all the time under certain conditions

Solution Article: K06913155

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.

Fix:
Switching context when applying ACL is properly processed, and no longer cause ACL to be not enforced.

---

598874-2 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
Do not send anything in response to a SYN retransmission timeout.

---

598860-4 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule can be used to translate an IPv6 address containing an IPv4 address, but instead it converts it into an IPv4 compatible IPv6 address.

Example:
ltm rule test_bug {
    when CLIENT_DATA {
    log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
using IP::addr to convert an IPv6 to an IPv4 address

Impact:
Address is converted into an IPv4-compatible IPv6 address.

---

598854-3 : sipdb tool incorrectly displays persistence records without a pool name

Component: Service Provider

Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool), will not be displayed properly by sipdb

Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.

Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.

Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.

---

598748 : IPsec AES-GCM IVs are now based on a monotonically increasing counter

Component: TMOS

Symptoms:
IPsec was using random IVs.

With random IVs and shortest packets the complete integrity loss will happen before 8 Gb of data are exchanged over the security association in one direction (assuming probability of collision at 0.1%).

Conditions:
Use of AES-GCM or GMAC in IPsec.

Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.

Workaround:
The workaround is to limit the amount of traffic per above guidelines for long-lived security associations in IPsec.

A re-key before 10 Gbyte of data are exchanged is recommended. For 1 Gbps connection the rekey should happen in under 1 min (100 Mbps -- 15 min, 10 Gbps -- 10 sec).

Fix:
Changed IPsec AES-GCM IV scheme to use a counter-based IV.

This is an improvement that allows maximum amount of traffic to be sent on the same security association for AES-GCM in IPsec.

---

598724-1 : Abandoned indefinite lifetime SessionDB entries on STANDBY devices.

Component: TMOS

Symptoms:
Memory hold/leak in SessionDB due to poor HA connection. Active device cannot tell the Standby device that an entry has been deleted because of poor HA connection. These entries accumulate on the Standby device, consuming extra memory which is not released.

Conditions:
A poor HA or insufficient connection exists, one that is not capable of handling the required HA traffic between devices.

Impact:
Eventual out-of-memory errors on standby device.

Workaround:
The mitigation steps in ID 555465 apply to this as well:

You can mitigate by temporarily disabling HA:
- Disable session mirroring: tmsh modify sys db statemirror.mirrorsessions value disable
- Wait a minute for HA connections to stabilize
- Sync the config changes
- Reboot the standby
- Re-enable session mirroring: tmsh modify sys db statemirror.mirrorsessions value enable

Fix:
On the Next Active ("Standby") device, SessionDB will remove all Subkey entries that the Next Active did not receive HA (re)mirror messages for during the HA sync that occurs after an HA (re)connect; the Next Active not receiving a (re)mirror for an entry generally indicates that the entry no longer exists on the Active.

---

598707-4 : Path MTU does not work in self-IP flows

Component: Local Traffic Manager

Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.

Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check)

Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.

---

598700-6 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers

Component: Service Provider

Symptoms:
Messages received by different virtual servers (sharing the same router) are not able to be properly routed using the call-id persistence.

Conditions:
A router with multiple virtual servers bridging between networks are not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.

Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.

Fix:
Fix corrects problems identifying which end of the bi-directional persistence the message has arrived on so that it can be forwarded to the proper device.

---

598697-1 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★

Component: TMOS

Symptoms:
After installing v12.1.0 on a vCMP host system the guests don't start anymore and remain in "failed" state.

Errors similar to these are logged in the ltm log file:

Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED

Conditions:
Upgrade vCMP host to v12.1.0 or higher
vCMP host system was originally installed with v11.6.0 or older builds.

Impact:
After installing v12.1.0 on a vCMP host system the guest don't start anymore and remain in "failed" state.

Workaround:
Workaround is to run the following command:

useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu

then:
 
bigstart restart vcmpd

---

598498-7 : Cannot remove Self IP when an unrelated static ARP entry exists.

Component: TMOS

Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.

Conditions:
Static arp entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. When in this condition, none of the Self IP addresses can be deleted.

Impact:
Must delete static ARP entries in order to delete Self IP addresses.

Workaround:
None.

Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.

---

598443-1 : Temporary files from TMSH not being cleaned up intermittently.

Component: TMOS

Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can have left over unused directories if there was an abrupt termination wherein TMSH does not get a chance to clean up remaining directories. This script does not automatically run, but instead provides a way for you to manually clean up these scripts. To execute script run bin # ./clean_tmsh_tmp_dirs and follow the prompts.

Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.

Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and cause out of memory exceptions.

Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.

Fix:
The BIG-IP system now contains a command ("clean_tmsh_tmp_dirs") that can be run to clean-up temporary files in /var/system/tmp/tmsh and /var/tmp/tmsh.

---

598437-1 : SNMP process monitoring is incorrect for tmm and bigd

Component: TMOS

Symptoms:
The default configuration for SNMP process monitoring causes an error of "Too many bigd running", and "No tmm process running".

snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running

Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".

The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.

Impact:
SNMP monitoring of system health incorrectly reports error conditions.

Workaround:
For the 'bigd' problem, the administrator can change the the process-monitor max-processes to allow for more instances of "bigd". For example:

(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }

max-processes should be set to the same value as the sys dbvar bigdb.numprocs or "infinity" if the dbvar is set to "0", allowing bigd to dynamically adjust the number of processes.


For tmm process count

(twos)# modify sys snap process-monitors modify { tmm { process tmm.0 max-processes 1 } }

Fix:
The system now correctly counts the number of TMM process instances, which is not the same as the number of TMM threads. but is based on the hardware capabilities.

Existing/upgraded configurations need to manually adjust the bigd 'max-processes' attribute as described in the Mitigation section. New configurations will be configured appropriately.

---

598294-1 : BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472

Solution Article: K17119920

---

598289-4 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>

Component: TMOS

Symptoms:
In tmsh, when trying to add a pool member that has name in the format of <ipv4>:<number>:<service port>, tmsh reports the following error:
Unexpected Error: Syntax Error: A port number or service name is missing for "/Common/192.0.2.1:80:80". Please specify a port number or service name using the syntax "/Common/192.0.2.1:80:80.<port>".

It also corrupts bigip.conf so that it no longer loads.

Conditions:
-- Use tmsh to load configuration.
-- LTM pools have members that have names in the format of: <ipv4>:<number>:<service port>.

Impact:
TMSH fails to load system configuration file.

Workaround:
None.

Fix:
TMSH now supports pool members with names in the format of <ipv4>:<number>:<service port>, so the valid pool member passes TMSH checks without error.

---

598211-1 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.

---

598134-1 : Stats query may generate an error when tmm on secondary is down

Component: TMOS

Symptoms:
Querying for stats results in an error and further iControl messages are incorrect.

Conditions:
Must be on a chassis. The query must be for stats generated by tmm. A secondary tmm must be down.

Impact:
The iControl session must be restarted.

Workaround:
Ensure all tmms are up and running.

Fix:
The request is handled appropriately even if a tmm is down and no unexpected error is generated.

---

598110-1 : pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.

Component: Local Traffic Manager

Symptoms:
The pkcs11d daemon shows 'up' when the connections to HSM is not up and the BIG-IP system is not ready to process traffic.

Conditions:
When the connections to HSM is not up and the BIG-IP system is not ready to process traffic.

Impact:
The pkcs11d daemon shows status as 'up'. The traffic will be dropped since the connections to HSM is not up or the BIG-IP system is not ready to process traffic.

Workaround:
There is no workaround.

Fix:
This release fixes the pkcs11d thread session initialization problem.

---

598085-2 : Expected telemetry is not transmitted by sFlow on the standby-mode unit.

Component: TMOS

Symptoms:
The expected telemetry is not transmitted by sFlow on the standby-mode unit. In a high-availability (HA)/redundant BIG-IP configuration, standby BIG-IP units are failing to generate sFlow telemetry packets containing unit-specific data.

Conditions:
In a high-availability/redundant BIG-IP configuration with sFlow configured.

Impact:
The sFlow data being transmitted by the standby unit consists of packet samples of the HA Heartbeat traffic, and no other telemetry information.

Workaround:
None.

---

598052-1 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails

Component: Local Traffic Manager

Symptoms:
When enabling the SSL Forward Proxy "Cache Certificate by Addr-Port" on the client SSL profile, later flows on cached certificate lookups by "Addr-Port" do not hit the cache.

Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".

Impact:
The client side certificate lookup failed, it may trigger the server side SSL handshake.

Fix:
With this fix, the certificate lookup by "Addr-Port" may have a cache hit.

---

598039-6 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.

Fix:
Stopped MCP leaking when wildcard queries are performed.

---

598002-10 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033

---

597978-2 : GARPs may be transmitted by active going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active when going offline. As the standby which takes over for the active will also transmit GARPs, it is not expected that this will cause impact.

Conditions:
Multiple traffic-groups configured and active goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing offline.

---

597899-1 : Disabling all pool members may not be reflected in Virtual Server status

Component: Local Traffic Manager

Symptoms:
When all pool members are set to session-disable, the expectation is that persistent connections will be drained, and the Virtual Server should not accept new incoming connections.
- Simply disabling (not forcing down) a node does not bubble up to Pool status, because it switches from Green-Enabled to Green-Disabled (staying green is seen as a non-change).
- Since the Pool enabled/disabled state is not updated, this does not bubble up to the Virtual Server, which also stays Green-Enabled.

Conditions:
-- All pool members are set to session-disable.
-- Persistent connections existing on the associated Virtual Server.
-- New connections to associated Virtual Server.
-- Viewing Virtual Server status.

Impact:
Disabling all members of a Pool may not be reflected in Virtual Server status, indicating it is Green-Enabled when in fact it has been disabled indirectly by disabling all members of the related pool.

Workaround:
N/A

Fix:
When all pool-members are disabled via GUI or tmsh, Virtual Server shows Green-Disabled (visually represented as gray) and is still able to process traffic from an existing connections but not able to accept newer traffic.

Green-Disabled status roll-up to Pool (from Pool Member / Node Address) is still necessary. But instead of marking the Virtual Server Yellow, which would stop existing traffic flows on the Virtual Server, the BIG-IP system propagate the Green-Disabled status to the Virtual Server as well.

So in the case where all the Pools associated with a Virtual Server are Green-Disabled (because all the Pool Members for all the Pools are Green-Disabled), the status of the Virtual Server will become Green-Disabled. As soon as any Pool (Pool Member) becomes Green-Enabled, the Virtual Server will also become Green-Enabled.

Note: Green-Disabled shows up as gray in the GUI.

Behavior Change:
When all pool members are set to session-disable, the virtual server state is set to disabled-by-parent, persistent connections will be drained, and the virtual server does not accept new incoming connections.

---

597879-1 : CDG Congestion Control can lead to instability

Component: Local Traffic Manager

Symptoms:
Debug TMM crashes when the TCP congestion window allows an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.

Conditions:
Running the Debug TMM with CDG Congestion Control.

Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.

Workaround:
Use a congestion control algorithm other than CDG.

Switch to the default TMM.

Fix:
Fixed congestion window calculation in CDG.

---

597835-3 : Branch parameter in inserted VIA header not consistent as per spec

Solution Article: K12228503

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This VIA header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP spec states that all messages in the same transaction should contain the same branch header. The code used to encrypt the branch field returns a different value each time.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.

Impact:
Some servers have code to verify the brach fields in the VIA header do not change within a transaction. These servers complain when they see the fields change.

Workaround:
None.

Fix:
The system now ensures the branch field in the via header does not change.

---

597828-1 : SSL forward proxy crashes in some cases

Component: Local Traffic Manager

Symptoms:
SSL forward proxy crashes when a check in the state machine is called with something other than a fwdp lookup result

Conditions:
SSL forward proxy is enabled.

Impact:
SSL forward proxy crashes sometimes.

Workaround:
None.

Fix:
Fixed a crash in the SSL forward proxy.

---

597797-4 : Allow users to disable enforcement of RFC 7507 Fallback SCSV

Solution Article: K78449695

Component: Local Traffic Manager

Symptoms:
When RFC 7507 (fallback SCSV) was implemented, some BIG-IP administrators found their TLS/SSL clients were incompatible and could no longer connect to the BIG-IP system.

Conditions:
Client software that attempts to connect to a virtual server using an older, less secure version of the TLS/SSL protocol, for instance, TLS 1.0.

Impact:
Inability to support connections from older TLS/SSL clients that are unable to use the more recent (and more secure) TLS/SSL protocols.

Workaround:
There is no workaround.

Fix:
When SSL.fallback_SCSV is set to disable, the RFC 7507 implementation will be disabled, though it must be acknowledged that this introduces a security hole when negotiating SSLv3.

Behavior Change:
When RFC 7507 was implemented, some BIG-IP administrators found that their SSL clients were incompatible. This change introduces a bigdb variable (SSL.fallback_SCSV) to disable this.

---

597729-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

---

597708-4 : Stats are unavailable and vCMP state and status are incorrect

Component: Local Traffic Manager

Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.

This is vCMP related.

Guest virtual-disks always show in-use even when the guest is not in the running state.

When the guest O/S is shut down, the GUI and TMSH do not show accurate information about status.

Conditions:
If a directory is removed from /shared/tmstat/snapshots merged might run at 100% CPU utilization and become unresponsive.

Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.

vCMP guest O/S status is reportedly incorrectly.

Workaround:
If merged has stopped responding, restart the daemon using the following command:

bigstart restart merged

On a chassis with multiple blades or a device with vCMP guests, merged is running on each blade and on each guest. To determine which instance of merged is not responding, ssh to each blade and each vCMP guest, and run the following command to check the CPU utilization of merged:

top -p `pidof merged`

Any merged that has a CPU utilization of over 90% for more than a few seconds is potentially in this state and should be restarted.

To prevent the issue from occurring, disable tmstat snapshots using the following command:

tmsh modify sys db merged.snapshots value false.

Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.

---

597674-1 : TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels.

Component: Access Policy Manager

Symptoms:
TunnelServer crashes during AppTunnel establishment. Network Access goes to 'Reconnecting' state and then to 'Disconnected' state

Conditions:
The crash happens due to division by zero operation when interval between two events equals to zero ms. This occurs rarely and it is not clear under which circumstances/conditions this occurs.

Impact:
Application Tunnel cannot be established.

---

597532-1 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data.

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
                set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
                set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
}
}

Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.

Fix:
Ensure that the system uses unsigned integers for RADIUS AVPs.

---

597471 : Some Alerts are sent with outdated username value

Component: Fraud Protection Services

Symptoms:
user-defined, components validation and vtrack Alerts are sent with outdated username value

Conditions:
Log in, then log in again with different user (with conditions to generate an alert)

Impact:
Alert is sent with username of the first login

Fix:
Alerts sending is blocked until after parameters processing is done

---

597431-2 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
EdgeClient doesn't cleanup routing table before windows goes to hibernate. This may result in establishment of VPN when computer wakes up. It may also result in other network connectivity issues

Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation

Impact:
Issues with Network connectivity

Workaround:
Renew DHCP lease by running
ipconfig/renew.

or

reboot the machine.

---

597394-2 : Improper handling of IP options

Solution Article: K46535047

---

597309-2 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms

Component: TMOS

Symptoms:
The Maximum Members Per Trunk limits is 8 or 16 depending on platform. This is due to

1. The limitation of an SDK from a third party vendor.
2. The number of external interfaces actually provided by the platform.

Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.

Impact:
The number of interfaces per trunk is limited to either 8 or 16.

Workaround:
None.

Fix:
New limit of 32 is implemented for the BIG-IP 10000 appliance, and on VIPRION 2400 and VIPRION 4300. New limit 64 is implemented for VIPRION 4450N.

---

597303 : "tmsh create net trunk" may fail

Component: TMOS

Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, there will be log in /var/log/ltm like

Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)

Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.

Impact:
A trunk can't be created, and no trunk members can be added.

Workaround:
Wait for over 30 seconds before adding back the same trunk.

Fix:
A fix is already staged, and may show up in a hot fix later.

---

597270-2 : tcpdump support missing for VXLAN-GPE NSH

Component: TMOS

Symptoms:
The tcpdump utility does not support VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).

Conditions:
Running tcpdump on BIG-IP systems.

Impact:
No support for VXLAN-GPE NSH.

Workaround:
None.

Fix:
tcpdump now has support for VXLAN-GPE NSH.

Behavior Change:
tcpdump now has support for VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).

---

597214-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
You can use an iRule to rename field names in the original code.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.

---

597176-1 : Multiple Wireshark (tshark) vulnerabilities

Solution Article: K01837042

---

597089-8 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
It is not known all of the conditions that trigger this, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.

Workaround:
Disabling the PVA resolves the issue.

---

597023-1 : NTP vulnerability CVE-2016-4954

Solution Article: K82644737

---

597010-1 : NTP vulnerability CVE-2016-4955

Solution Article: K03331206

---

596997-1 : NTP vulnerability CVE-2016-4956

Solution Article: K64505405

---

596815-1 : System DNS nameserver and search order configuration does not always sync to peers

Component: TMOS

Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if modified in the GUI or tmsh modify sys db.

Conditions:
The device is in a failover device group with incremental sync turned on.

In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.

In tmsh, tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search)

Impact:
Modifications will not change the sync status nor sync the change to peers.

Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.

Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.

Fix:
The sys db variables dns.domainname and dns.nameserver will now always sync across your failover device group.

---

596814-4 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where there are multiple coincidences for the provided IP address (corresponding to other Amazon VPCs in the same Availability Zone containing unrelated instances but having the same IP address as the BIG-IP's floating IP address.

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows network description by filtering with VPC id.

---

596809-1 : It is possible to create ssh rules with blank space for auth-info

Component: Advanced Firewall Manager

Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Conditions:
This occurs when creating profile actions.

Impact:
Actions can be created with blank spaces in them, you should be receiving a validation error. These rules also cannot be deleted.

Workaround:
Do not create profile actions with blank spaces.

Fix:
BIG-IP will now throw a validation error if you create a profile action containing only a blank space.

---

596685-1 : Request Log failure on request with XML format violation

Solution Article: K76841626

Component: Application Security Manager

Symptoms:
When Request Log entry with violations for XML format violation is selected, it cannot be displayed and an error is returned.

Conditions:
Request Log entry with violations for XML format violation is selected.

Impact:
Request Log entry cannot be displayed.

Workaround:
None.

Fix:
Requests with XML format violations are now displayed correctly.

---

596674-2 : High memory usage when using CS features with gzip HTML responses.

Component: Application Visibility and Reporting

Symptoms:
AVR use consumes a lot of memory while trying to decompress responses. This can cause tmm core during stress traffic.

Conditions:
-- Enabled Dosl7d virtual server with CS features.
-- The server is sending compressed responses.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.

---

596631-2 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later

Component: Service Provider

Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.

For example, when the wrongly deleted listener is later meant to be deleted, there might be a SIGFPE with assertion failure "Assertion "bound listener" failed.".

Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.

Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.

Fix:
When a SIP media flow deny-listener is searched for deletion, an exact match is required that uniquely identifies the deny-listener, so that an unrelated listener is not deleted.

---

596603-2 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
c4.8xlarge instance type are not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE will work with c4.8xlarge instance type AWS.

---

596502-1 : Unable to force Bot Defense action to Allow in iRule

Component: Application Security Manager

Symptoms:
When a request is being blocked (or challenged with CAPTCHA) due to being a suspicious browser, the action cannot be forced to allow in the iRule

Conditions:
This occurs when a bot defense action is triggered on suspicious browser, and you wish to allow the request to go through anyway and not send a RST.

Impact:
The bot defense action cannot be forced to "allow", the RST will still be sent.

---

596488-1 : GraphicsMagick vulnerability CVE-2016-5118.

Solution Article: K82747025

---

596450-1 : TMM may produce a core file after updating SSL session ticket key

Component: Local Traffic Manager

Symptoms:
When regenerating SSL session ticket key, TMM may restart unexpectedly, leaving a core file.

Conditions:
When the value of ssl.sessionticketkey.regen is reached (every 3 days by default), TMM will regenerate its SSL session ticket key. This operation may lead to an assert: "shared random data inited".

Impact:
TMM core and restart.

Workaround:
None.

Fix:
Resolved a problem that could cause TMM to restart when regenerating the SSL session ticket key

---

596433-3 : Virtual with lasthop configured rejects request with no route to client.

Component: Local Traffic Manager

Symptoms:
Virtual with lasthop pool configured rejects requests which are sourced from MAC address which is not configured in the lasthop pool.

Conditions:
This issue occurs when the following conditions are meet:

- Virtual with lasthop pool.
- Connection sourced from MAC address which is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.

Impact:
Connection is erroneously reset with no route to client.

Workaround:
- Change tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add IP address for lasthop member which client is originating from to lasthop pool.

---

596340-8 : F5 TLS vulnerability CVE-2016-9244

Solution Article: K05121675

---

596242-1 : [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record

Solution Article: K17065223

Component: Local Traffic Manager

Symptoms:
Improperly configured master name server for one zone prevents updates to other, properly configured zones
from propagating to tmm, thus making DNS Express respond with an old record.

Conditions:
Incorrectly configured DNS zone that cannot get updates correctly.

Impact:
DNS Express responds with previous record after zone transfer.

Workaround:
Correct the configuration on the incorrectly configured zone.

Fix:
DNS Express now responds with current record after zone transfer.

---

596166-1 : Cannot create email using Address Book

Component: Access Policy Manager

Symptoms:
Cannot create email using Address Book, specifically, the To, Cc, and Bcc buttons do not work.

Conditions:
Attempting to create email using Address Book.

1. Use OWA2010.
2. Navigate to the virtual server.
3. Click logon.
4. Type credentials in the Web App form, and logon to OWA.
5. Click New to create new email.
6. Click To (to open Address Book), click To, Cc, and Bcc to choose highlighted user.
7. Once address is in To field Click OK.

Impact:
Email window will be closed and New empty one is opened. Cannot use the To, Cc, and Bcc buttons to add users.

Workaround:
None.

Fix:
Now, clicking the To, Cc, and Bcc buttons opens a new message window addressed to the specified users.

---

596116-3 : LDAP Query does not resolve group membership, when required attribute(s) specified

Component: Access Policy Manager

Symptoms:
Corresponding session variable session.ldap.last.memberOf contains only the groups user has explicit membership.

Conditions:
This occurs when the following conditions are met:
-- When APM LDAP Query is configured with option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.

Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.

Workaround:
Add the following attribute to the "Required Attributes" list:

"objectClass"

If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:

"primaryGroupID"

Note: Adding the "primaryGroupID" attribute will cause APM to fetch all groups Microsoft Active Directory, including the primary group.

Fix:
LDAP Query now retrieves groups from the backend server in accordance with option "fetch groups to which the user or group belong". it doesn't matter if any required attribute set or not set.

---

596104-1 : HA trunk unavailable for vCMP guest★

Solution Article: K84539934

Component: TMOS

Symptoms:
If a vCMP guest is configured with a high availability (HA) trunk with a threshold value greater than 0, the HA trunk configuration fails with a message similar to the following:

err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.

Conditions:
This occurs when an HA trunk is configured a vCMP guest, with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade fails with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load fails with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command fails with the indicated error message.

Impact:
HA trunks do not work.
You cannot upgrade the vCMP guest to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.

Workaround:
To allow the upgrade to succeed or the configuration to load, configure the HA trunk threshold to 0.

Important! This disables the HA trunk feature.

Fix:
HA trunks with a threshold value greater than 0 are supported on vCMP guests.

---

596083-1 : Error running custom APM Reports with "session creation time" on Viprion Platform

Component: Access Policy Manager

Symptoms:
Error is encountered when running custom APM Reports with "session creation time" on Viprion Platform

Conditions:
- On Viprion platform
- Create a APM custom report
- Select "Session creation time" field
- Run the report

Impact:
Won't be able to run custom APM report on Viprion platform

---

596067-2 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly triggers this as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) has not fully started will trigger this condition.

Impact:
GUI becomes unresponsive

Workaround:
bigstart restart httpd will clear this condition if it occurs.

---

595900-4 : Cookie Signature overrides may be ignored after Signature Update

Solution Article: K11833633

Component: Application Security Manager

Symptoms:
Cookie Signature overrides may be ignored after Attack Signature Update.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP ASM security policy is configured with an allowed cookie where Check attack signatures on this cookie is cleared (disabled).
-- You install a Security Update Attack Signatures file.
-- Your BIG-IP ASM system processes traffic that matches an attack signature for the URL or cookie that is configured with the attack signature override.

Impact:
The system detects an attack signature violation for the object.

Workaround:
To work around this issue, you can modify the security policy settings and override (disable) the ability to check attack signatures on cookies. To do so, perform the following procedure in accordance with the object that is affected in your security policy:

Impact of workaround: Performing the following procedures should not have a negative impact on your system.

Disabling Check attack signatures on cookies

The following procedure disables checking of attack signatures for the allowed cookie.

1. Log in to the Configuration utility.
2. Navigate to Security :: Application Security :: Headers :: Cookie List.
2. Click the Allowed Cookies tab.
4. Click the name of the cookie.
5. Click the Attack Signatures tab.
6. Clear the Attack Signatures box.
7. Click Update.
8. Click Apply Policy.

Fix:
Cookie Signature overrides are observed correctly, even after Signature Update.

---

595819-1 : Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,

Component: Access Policy Manager

Symptoms:
Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a HTTP/2 enabled browser and HTTP/2 profile attached.

Conditions:
This occurs when the following conditions are met:
- An HTTP/2 enabled browser is in use.
- APM and HTTP/2 are enabled on the same virtual.

Impact:
APM statistics for bytes in and out are not updated.

Workaround:
None.

Fix:
Access session 'Bytes In' and 'Bytes Out' are now getting updated when accessed with a http/2 enabled browser and HTTP/2 profile attached,

---

595783 : Changing console baud rate for B2100, B2150 and B2250 blades does not work

Component: TMOS

Symptoms:
Changing the console baud rate does not take effect and leaves the setting unchanged.

Conditions:
Whenever the console baud rate is changed via tmsh, GUI, or iControl on the VIPRION B2100, B2150 and B2250 blades.

Impact:
Changing the console baud rate causes the front panel display manager to restart and does not actually modify the baud rate.

Workaround:
None.

Fix:
Added needed object to global config map for VIPRION B2100, B2150 and B2250 blades so modify message no longer fail the object lookup.

---

595773-4 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.

---

595712-1 : Not able to add remote user locally

Component: TMOS

Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:

01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.

Conditions:
Remote authentication is configured and a remote user has logged in.

Impact:
Changing remote user to local fails.

Workaround:
Use "replace-all-with" for partition access:

create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}

---

595693 : Incorrect PVA indication on B4450 blade

Component: TMOS

Symptoms:
When you run guishell -c "select HAS_PVA, PVA_VERSION from platform" on a B4450 blade (which includes PVA), the output indicates that it does not have PVA.

Conditions:
This occurs when looking at platform information on B4450 blades.

Impact:
PVA acceleration is not detected properly

Fix:
PVA service is now indicated properly on the B4450 blade.

---

595605 : Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★

Component: TMOS

Symptoms:
An upgrade to BIG-IP v12.0.0 will fail when all of the following conditions are met:
- AVR provisioned
- Upgrading to v12.0.0 from the following versions :
  - 11.6.1

Certain engineering hotfixes are also affected.

Conditions:
The following Engineering Hotfixes are affected.

- 11.6.0-hf5 EHF index 110 (Hotfix-BIGIP-11.6.0.5.110.429-HF5-ENG.iso)
- 11.6.0-hf5 EHF Index 214
- 11.6.0-hf5 EHF index 233
- 11.6.0-hf6 EHF index 240

11.6.1 is also affected.

Impact:
The upgrade to 12.0.0 will succeed but the configuration will fail to load.

This can be detected by running tmsh load sys config verify. You will see the following signature:

Unexpected Error: "Can't load keyword definition (analytics-report.device_group)"

Workaround:
12.1.1 is schema compatible with 11.6.1, so upgrade to 12.1.1 instead.

---

595394-3 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★

Component: TMOS

Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.

Impact:
User might not be able to log-in to the instance.

Workaround:
Rebooting the instance corrects the problem.

Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.

---

595317-4 : Forwarding address for Type 7 in ospfv3 is not updated in the database

Component: TMOS

Symptoms:
The ospf nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed

Conditions:
remove the global address on the forwarding interface

Impact:
the packets will be sent to an incorrect interface.

Workaround:
clear ipv6 ospf process

Fix:
The ospf nasa-external data shows correct forwarding address when the global address on the forwarding interface is changed.

---

595293-4 : Deleting GTM links could cause gtm_add to fail on new devices.

Component: Global Traffic Manager (DNS)

Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted

Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Workaround:
None

Fix:
Cleanup all aspects of a GTM link when it is deleted.

---

595281-1 : TCP Analytics reports huge goodput numbers

Component: Local Traffic Manager

Symptoms:
TCP Analytics reports that 2^32 bytes have been delivered, rather than 0.

Conditions:
When the serverside connection attempt fails.

Impact:
TCP Analytics stats are inaccurate.

Fix:
Handle the failed connection case properly.

---

595275-5 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN

Component: Local Traffic Manager

Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.

Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.

Impact:
VIP can go briefly RED and offline.

Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.

---

595272-1 : Edge client may show a windows displaying plain text in some cases

Component: Access Policy Manager

Symptoms:
Under captive portal environment, sometimes edge client may show a windows with some plain text content.

Conditions:
Edge client is launched when users machine is inside captive portal network.

Impact:
User may not be able to establish VPN

Workaround:
Authenticate to captive portal using browser and Launch edge client again.

---

595242-1 : libxml2 vulnerabilities CVE-2016-3705

Solution Article: K54225343

---

595231-1 : libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705

Solution Article: K54225343

---

595227-1 : SWG Custom Category: unable to have a URL in multiple custom categories

Component: Access Policy Manager

Symptoms:
When configuring a url in multiple categories you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).

Conditions:
Configuring the same URL in multiple custom categories.

Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.

Workaround:
None

Fix:
Validation preventing the configuration of same URL for multiple custom categories has been fixed.

---

594910-1 : FPS flags no cookie when length check fails

Component: Fraud Protection Services

Symptoms:
You see No Cookie errors for validation errors other than No Cookie.

Conditions:
Malformed component validation cookie

Impact:
No Cookie errors counted when the validation error was not due to No Cookie

Workaround:
No

Fix:
Fixed an issue with No Cookie error counting.

---

594869-4 : AFM can log DoS attack against the internal mpi interface and not the actual interface

Component: Advanced Firewall Manager

Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.

Conditions:
This can occur in CMP-enabled systems.

Impact:
A valid DoS attack will be misreported

---

594751-3 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN

Solution Article: K90535529

Component: Local Traffic Manager

Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.

Conditions:
1. LLDP is enabled globally and per interface.

2. Interfaces are added to a trunk after it has already been assigned to a VLAN.

For instance, assume the following protocol were followed for creating an LLDP trunk:

tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }

The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.

Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.

Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.

If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
 bigstart restart lldpd

Fix:
VLANs are now properly applied to any interfaces added to a trunk if the trunk already belongs to any VLANs.

---

594642-3 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Component: Local Traffic Manager

Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Conditions:
Stream filter is active during low memory situations

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.

---

594496-1 : PHP Vulnerability CVE-2016-4539

Solution Article: K35240323

---

594426-2 : Audit forwarding Radius packets may be rejected by Radius server

Component: TMOS

Symptoms:
The Accounting-Request packets are missing two required AVPs (Attribute Value Pair), Acct-Session-ID and Acct-Status-Type. Some Radius servers drop Radius Accounting-Requests which are missing these AVPs.

Conditions:
Configured to use audit forwarding with radius and audit messages are not logged on the Radius server.

Impact:
Unable to log audit messages from BIG-IP using audit forwarding.

---

594366-1 : Occasional crash of icrd_child when BIG-IP restarts

Solution Article: K21271097

Component: TMOS

Symptoms:
When BIG-IP restarts (bigstart restart), or when restjavad restarts (bigstart restart restjavad), there is an occasional crash of the icrd_child thread.

Conditions:
When BIG-IP restarts (bigstart restart), or when restjavad restarts. No other specific conditions.

Impact:
Occasional crash/SEGV exception.

Workaround:
Restart restjavad (bigstart restart restjavad).

Impact of workaround: The iControl REST API for making queries or modifications is temporarily unavailable while the restjavad service restarts.

Fix:
Different approach of handling thread termination is implemented. New approach correctly terminates zombie processes and does not cause SEG fault.

---

594302-1 : Connection hangs when processing large compressed responses from server

Component: Local Traffic Manager

Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.

Conditions:
An LTM policy which enforces decompression for responses is attached to the virtual server. The virtual server also has http compression profile attached to it. Server sends large compressed responses.

Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.

Fix:
The large compressed responses are successfully processed and no connection hangs are seen.

---

594288-1 : Access profile configured with SWG Transparent results in memory leak.

Component: Access Policy Manager

Symptoms:
Access profile configured with SWG Transparent results in memory leak.

Conditions:
Create an access profile of type SWG Transparent, and assign to a virtual. Run traffic through this virtual.

Impact:
TMM leaks memory.

Workaround:
None

Fix:
Fixed the memory leak caused by access filter for SWG transparent use case.

---

594127-2 : Pages using Angular may hang when Websafe is enabled

Component: Fraud Protection Services

Symptoms:
Pages using angular may not load correctly when Websafe "inject Javascript into page" is enabled

Conditions:
Application using Angular.js
Websafe: "inject Javascript into page" is enabled

Impact:
Page does not load fully

Fix:
Websafe no longer changes the page's "documentMode"

---

594075-2 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically

Component: Advanced Firewall Manager

Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.

Conditions:
1. pccd.alwaysfromscratch is set to true (default value is false)
2. Modify some firewall rules.

Impact:
The blob doesn't compile and pccd keeps restarting without loading new rules.

Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.

---

594064-2 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
  -- Serverside syn and syn-ack from FastL4 TCP traffic.
  -- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.

Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').

Fix:
tcpdump now successfully captures the first serverside packets.

---

593925-1 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)

Component: Advanced Firewall Manager

Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."

Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Impact:
Unable to delete the rules

Fix:
You can now delete ssh profile rules that contain spaces for the rules.

---

593696-1 : Sync fails when deleting an ssh profile

Component: Advanced Firewall Manager

Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."

Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.

Impact:
Sync fails.

---

593530-6 : In rare cases, connections may fail to expire

Solution Article: K26430211

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.

Fix:
Fixed idle initialization error when using Any IP (ipother) profile.

---

593447-1 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Solution Article: K92859602

---

593390-4 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.

Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path prior to looking it up, so there is no potential of instantiating another version of the profile, so no memory issue occurs.

---

593355 : FPS may erroneously flag missing cookie

Component: Fraud Protection Services

Symptoms:
You see Missing Cookie errors for validation errors other than Missing Cookie.

Conditions:
Any component validation error.

Impact:
Missing Cookie errors counted when the validation error was not due to Missing Cookie

Workaround:
No.

Fix:
Fixed an issue with Missing Cookie error counting.

---

593139-9 : glibc vulnerability CVE-2014-9761

Solution Article: K31211252

---

593137-1 : userDefined property for bot signatures is not shown in REST

Component: TMOS

Symptoms:
The user defined property of the signature is not exposed in iControl REST.

Conditions:
Attempting an iControl REST API call to see a signature.

Impact:
The userDefined field is not shown. Impacts external interfaces interacting with the BIG-IP configuration and expecting to see a field and a value there.

Workaround:
None.

Fix:
The userDefined field exists now and has a true/false values.

---

593078-1 : CATEGORY::filetype command may cause tmm to crash and restart

Component: Access Policy Manager

Symptoms:
If an iRule command is created using the CATEGORY::filetype command, the tmm may eventually suffer a failure, and restart.

Conditions:
This can occur when using the CATEGORY::filetype iRule under normal operation.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash in CATEGORY::filetype

---

593070-2 : TMM may crash with multiple IP addresses per session

Component: Policy Enforcement Manager

Symptoms:
TMM crash

Conditions:
A session with multiple IP addresses with PCRF communication for dynamic policy management may have a crash credits to a race condition.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Check for timer expiration prior to processing the timer.

---

592871-3 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.

Conditions:
System with Cavium Nitrox PX/III chip(s) which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRIOn B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.

---

592870-2 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).

---

592868-3 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.

Conditions:
HTML tag like this:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases HTML entities can be replaced by appropriate characters by iRule.

Fix:
Now rewrite correctly handles HTML entities in attribute values.

---

592854-1 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.

---

592784-2 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.

---

592731-1 : Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.

Solution Article: K34220124

Component: Local Traffic Manager

Symptoms:
Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.

Conditions:
In case of heavy SSL traffic, Cavium Nitrox SSL hardware accelerator card might need more time than the default interval to complete the encryption or decryption.

Impact:
The /var/log/ltm log contains the following message: Hardware Error(Co-Processor): n3-crypto1 request queue stuck. tmm will be in failure state.

Workaround:
Use tmsh to increase the device.request.timeoutfactor db variable to allow more time for encryption or decryption to complete. For example, to increase device.request.timeoutfactor to 200, run the following command: tmsh modify sys db device.request.timeoutfactor value 200.

To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.

Note: Traffic is disrupted while during restarts.

Fix:
The default value of device.request.timeoutfactor is now sufficient to allow the Cavium Nitrox SSL hardware accelerator card to complete the encryption or decryption as expected.

---

592716-1 : BMC timezone value was not being synchronized by BIG-IP

Component: TMOS

Symptoms:
You notice that errors on the LCD have an incorrect timestamp compared to what is reported in BIG-IP

Conditions:
This can occur when running the 12.1.1 base release on the BIG-IP i-Series platforms.

Impact:
Timestamp is reported in the wrong time zone.

Fix:
Fixed an issue with incorrect timestamp reporting on the LCD display

---

592699-3 : IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance

Component: Local Traffic Manager

Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.

Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.

Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.

Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off.
Note: This command must be run each time after reboot.

Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.

---

592682-1 : TCP: connections may stall or be dropped

Component: Local Traffic Manager

Symptoms:
TCP connections stall or get dropped.

Conditions:
Under some network conditions especially with rateshaper enabled TCP connection could stall and ultimately get reset.

Impact:
This usually happens with rateshaper or BWC enabled. Rarely could also happen with very lossy networks.

Fix:
Properly manage re-transmissions after a tail drop by not not doing the exponential back-off. Reset the re-transmit timer for every partial ack received after a tail drop.

---

592497-1 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.

Component: Local Traffic Manager

Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.

Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.

Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.

Workaround:
None.

Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.

---

592485 : Linux kernel vulnerability CVE-2015-5157

Solution Article: K17326

---

592414-4 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.

---

592363 : Remove debug output during first boot of VE

Component: TMOS

Symptoms:
There was unneeded debug output during 1st boot of VE on Cloud deployments.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
Extra debug output on 1st boot.

Fix:
Debug output was removed.

---

592354 : Raw sockets are not enabled on Cloud platforms

Component: TMOS

Symptoms:
Cloud VMs come configured with UNIC driver instead of using raw sockets.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
UNIC is used instead of raw sockets.

Workaround:
Manually disabling unic driver will force raw sockets to be used.

Fix:
Enabled raw sockets by default on Cloud deployments.

---

592344-2 : NTP Security Updates

Component: TMOS

Symptoms:
It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)
A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)
An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)
A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)
A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)
It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)
It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)
It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)
It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)

Conditions:
NTP enabled.

Impact:
ntpd crash.

Workaround:
None.

Fix:
NTP updates applied via RHSA-2016:0780.

---

592320-5 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1

Component: TMOS

Symptoms:
When a fastL4 profile's pva-offload-state set to establish (default is embryonic), the corresponding UDP virtual server using that profile won't offload UDP traffic and causes performance degradation.

Conditions:
This issue is introduced during v12.0.0 development and only impacts v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.

Impact:
Performance degradation.

Workaround:
Use default setting for pva-offload-state of embryonic for fastL4 profile.

Fix:
With the fix in 12.1.2 and 13.0.0, ePVA will load UDP traffic when pva-offload-state set to establish.

---

592274-3 : RAT-Detection alerts sent with incorrect duration details

Component: Fraud Protection Services

Symptoms:
If a remote access trojan (RAT) detection alert is encountered immediately upon initialization, the timestamp of the alert will be incorrect.

Conditions:
-- Enable RAT detection.
-- RAT detection alert is countered within 5 seconds of initialization.

Impact:
Rat-detection alerts sent with incorrect duration details, and false-positives for RAT keyboard alerts.

Workaround:
None.

Fix:
When generating RAT Detected alert within 5 seconds from page load, actualCounter in alert details is lower than 5 seconds for example:
"timeToResetCounter":5000,"actualCounter":4296

---

592113-5 : tmm core on the standby unit with dos vectors configured

Component: Advanced Firewall Manager

Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause core dump

Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured

Impact:
Traffic disrupted while tmm restarts.

---

592070-5 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the TCL context will not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.

Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.

---

592001-1 : CVE-2016-4073 PHP vulnerabilities

Solution Article: K64412100

---

591918-2 : ImageMagick vulnerability CVE-2016-3718

Solution Article: K61974123

---

591908-2 : ImageMagick vulnerability CVE-2016-3717

Solution Article: K29154575

---

591894-2 : ImageMagick vulnerability CVE-2016-3715

Solution Article: K10550253

---

591881-1 : ImageMagick vulnerability CVE-2016-3716

Solution Article: K25102203

---

591840-1 : encryption_key in access config is NULL in whitelist

Component: Access Policy Manager

Symptoms:
encryption_key in access config is NULL sometime when applying 404 whitelist action and will result in TMM crash.

Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to above action must be expired.
- FIPS platform.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Data required to serve a "not found" action is retrieved and made available early so that such responses can be served correctly.

---

591828-4 : For unmatched connection, TCP RST may not be sent for data packet

Solution Article: K52750813

Component: Advanced Firewall Manager

Symptoms:
When TCP connection times out (no entry in 'show sys conn'), and subsequent data packet comes in (not SYN), The BIG-IP system does not send a RST to the client to reset the connection.

Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).

-- Packets other than SYN with no entry in the connection table arrive.

This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.

Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.

Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.

Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).

Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.

---

591806-8 : ImageMagick vulnerability CVE-2016-3714

Solution Article: K03151140

---

591767-8 : NTP vulnerability CVE-2016-1547

Solution Article: K11251130

---

591733-4 : Save on Auto-Sync is missing from the configuration utility.

Solution Article: K83175883

Component: TMOS

Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.

Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.

Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.

Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.

Fix:
This release adds per-device-group save_on_auto_sync flag to GUI: flag now shows in GUI and correctly saves.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.

Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".

---

591732-2 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.

2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None.

---

591666-3 : TMM crash in DNS processing on TCP virtual with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
Product corrected to prevent crash when there are no available members.

---

591659-5 : Server shutdown is propagated to client after X-Cnection: close transformation.

Solution Article: K47203554

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.

---

591590-1 : APM policy sync results are not persisted on target devices

Component: Access Policy Manager

Symptoms:
Policy sync results, including profile, sync folder, new partition, statuses, history are not persisted on target devices after sync, when there is no LSO resolution.

Conditions:
1. Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by the previous sync.
2. Start a policy sync.

Impact:
Sync results including the policy profiles are not persisted, so when the BIG-IP system restarts, all the sync data will be lost.

Workaround:
Run tmsh command to save config:

tmsh save sys config

Fix:
Policy sync result will be persisted on target devices so even when those devices restart, the data will still be there.

---

591495-2 : VCMP guests sflow agent can crash due to duplicate vlan interface indices

Component: TMOS

Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.

Conditions:
This issue can occur on systems with VCMP guests, its occurrence is is more likely with a higher number of cores.

Impact:
sflow agent will crash.

Fix:
Make sure the allocated interface index for a vlan is not already taken by another interface object.

---

591476-7 : Stuck crypto queue can erroneously be reported

Solution Article: K53220379

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck. tmm crash

Conditions:
-- Running on one of the following platforms:
 + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
 + VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.

Note: Traffic is disrupted while during restarts.

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.

---

591455-7 : NTP vulnerability CVE-2016-2516

Solution Article: K24613253

---

591447-1 : PHP vulnerability CVE-2016-4070

Solution Article: K42065024

---

591438-7 : PHP vulnerability CVE-2015-8865

Solution Article: K54924436

---

591358-1 : Oracle Java SE vulnerability CVE-2016-3425

Solution Article: K81223200

---

591343-5 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.

Solution Article: K03842525

Component: Local Traffic Manager

Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.

Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.

Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.

Workaround:
None.

Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.

---

591328-7 : OpenSSL vulnerability CVE-2016-2106

Solution Article: K36488941

---

591325-8 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Solution Article: K75152412

---

591268-1 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions

Component: Access Policy Manager

Symptoms:
VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions, it depends on client machine configuration. Symptom: negative record in windows DNS cache, can be verified by running ipconfig /displaydns

Conditions:
Specific client machine configuration

Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue

Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service

Fix:
Now DNS Relay proxy service cleans up DNS cache after initialization mitigating issue described

---

591261 : BIG-IP VPR-B4450N shows "unknown" SNMP Object ID

Component: TMOS

Symptoms:
The BIG-IP VPR-B4450N blade does not show the correct Object ID for SNMP. An SNMP query will return "unknown".

Conditions:
This issue may occur on VIPRION B4450N blades running affected versions of BIG-IP software.

Impact:
Some network management applications may complain and fail.

Workaround:
None.

Fix:
A new SNMP Object ID is added to TMOS v12.1.1 for VPR-B4450N.

---

591246-1 : Unable to launch View HTML5 connections in non-zero route domain virtual servers

Component: Access Policy Manager

Symptoms:
Currently APM always attempts to uze the RTDom 0 when VMware View HTML5 client is launched.

This doesn't work with the virtual servers in non-zero route domains.

Conditions:
APM configured as a PCoIP proxy on a VS in non-zero route domain.

Impact:
You cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality

Fix:
APM now uses the proper route domain from the virtual server to handle VMware View HTML5 client connections.

---

591139 : TMM QAT segfault after zlib/QAT compression conflation.

Component: Local Traffic Manager

Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.

Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.

Impact:
TMM segfaults.

Workaround:
Disable hardware accelerated compression with:

    tmsh modify sys db compression.strategy value speed

Fix:
TMM QAT compression added pointer-hardening for compression context.

---

591119 : OOM with session messaging may result in TMM crash

Component: TMOS

Symptoms:
Under out of memory conditions, session messaging may not initialize storage correctly, resulting in a later TMM crash.

Conditions:
Under out of memory conditions, memory allocation for session messaging fails, and storage is not initialized correctly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce load on box in order to avoid OOM conditions.

Fix:
Initialize storage on memory allocation failure.

---

591117-3 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM send queries regarding assigned ACL information. If the reply message contains error message of out-of-memory, TMM was not handling this error message properly, and cause TMM to core.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
When handling the error reply message of out-of-memory during ACL construction, TMM can handle it without causing TMM to crash.

---

591104-1 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.

Fix:
ospfd no longer crashes when debugging is enabled in imish.

---

591042-17 : OpenSSL vulnerabilities

Solution Article: K23230229

---

591039 : DHCP lease is saved on the Custom AMI used for auto-scaling VE

Component: TMOS

Symptoms:
When configuring the instance for auto-scaling purpose and subsequently generating the Custom/Model AMI that is used for autoscaling VEs, the new instances generated from this image, might have the old DHCP lease acquired by the custom instance before an AMI was generated from it. This can collide with the new lease that the new instances get in their boot-up.

Conditions:
This occurs when Auto-scaling VEs.

Impact:
Multiple valid DHClient leases exist, which could result dhclient in BIG-IP choosing wrong IP address for the management interface.

Workaround:
Delete the /var/lib/dhclient/dhclient.leases before shutting down the custom instance and generating a Custom/Model AMI out of it.

Fix:
Auto-scaling AMI will no longer contain a DHCP lease when they are saved.

---

590993 : Unable to load configs from /usr/libexec/aws/.

Component: TMOS

Symptoms:
In 12.1.0, a new tmsh object 'sys global-settings file-whitelist-path-prefix' controls the path from which config can be loaded. To be allowed as a config storage location, the path must exist in file-whitelist-path-prefix. Because /usr/libexec/ is not part of the path, loading auto-scaling and CloudWatch iCall configuration files from /usr/libexec/aws/ fails.

Conditions:
The issue occurs with AWS auto-scaling- and CloudWatch-related configuration files in TMOS v12.1.0.

Impact:
AWS auto-scaling-related automation and CloudFormation Templates (CFTs) for deploying BIG-IP will not work because 'sys global-settings file-whitelist-path-prefix' disallows /usr/libexec/aws/ is disallowed as legitimate config location.

Workaround:
To work around this, add /usr/libexec/aws/ into the 'sys global-settings file-whitelist-path-prefix'. To do so, run the following tmsh command:

tmsh modify sys global-settings file-whitelist-path-prefix "{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/libexec/aws}".

Fix:
Starting in 12.1.0-HF1, F5 Networks has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:

The new locations for these config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.

Behavior Change:
Starting in 12.1.0-HF1, the system has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:

The new locations for these config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.

---

590992-3 : If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working

Component: Access Policy Manager

Symptoms:
- If an IP address on an interface changes after the connection to APM is established, DNS resolution stops working if the DNS on that adapter has not changed.
- DNS resolution stops working until DNS relay proxy service is restarted or stopped.

Conditions:
- Using Microsoft Windows version 10.
- Split tunneling configuration with split DNS scope.
- IP address on the network adapter changes after the connection to APM is established, but the DNS on that adapter remains unchanged.
- This might also occur when adapter 1 goes down and adapter 2 with same DNS as adapter 1 comes up.

Impact:
DNS resolution stops working until DNS relay proxy is stopped or restarted.

Workaround:
Stop or restart DNS relay proxy.

Fix:
This issue has been fixed.

---

590938-3 : The CMI rsync daemon may fail to start

Component: TMOS

Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.

Conditions:
The rsync daemon failed unexpectedly.

Impact:
Sync of file objects will fail with an error like this:

01070712:3: Caught configuration exception (0), Failed to sync files...

Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.

---

590904-1 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both device in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.

Fix:
After creating the sync-failover group with without network failover configured, but a serial failover cable installed, one of the devices becomes Standby and the other remains Active.

---

590840-2 : OpenSSH vulnerability CVE-2015-8325

Solution Article: K20911042

---

590820-3 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.

---

590805-4 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.

Impact:
GUI shows incorrect timezone.

Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.

Fix:
Active Rules page now shows the correct timezone after the BIG-IP system timezone has changed.

---

590795-1 : tmm crash when loading default signatures or updating classification signature★

Component: Traffic Classification Engine

Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.

Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.

Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.

Fix:
Fixed a crash when loading classification signatures.

---

590779 : Rest API - log profile in json return does not include the partition but needs to

Component: TMOS

Symptoms:
When querying the log profile via the Rest API, the returned response does not include the partition name in FullPath.

For example, for a log profile named mySample:
https://bigip_ip/mgmt/tm/security/log/profile/~Common~mySample/application/mySample

The JSON returned will contain
    "fullPath": "testProfile",
It should contain
    "fullPath": "/Common/testProfile",

This can cause BIG-IQ to fail to sync.

Conditions:
Log profile created. This is most visible when using BIG-IQ to sync.

Impact:
Applications relying on the folder path can fail

Fix:
The Rest API will now provide the full path to the log profile.

---

590608-1 : Alert is not redirected to alert server when unseal fails

Component: Fraud Protection Services

Symptoms:
Alert is not redirected to the alert server when unseal fails and iRule is enabled.

Conditions:
1. Unsealing alert failure.
2. iRule enabled.

Impact:
Alert is not redirected to the alert server and FPS returns 404 response.

Workaround:
Disable iRule.

Fix:
FPS now correctly redirects the alert.

---

590601-2 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed

Component: Access Policy Manager

Symptoms:
After end-user successfully performs SP initiated SAML SSO with a original request URI other then "/", SP will redirect user back to '/' as landing URI.

Conditions:
BIG-IP is used as SAML SP and no relay state is configured on either SP or IdP

Impact:
User is not redirected to original request URI.

Workaround:
Workaround provided below works when first client request to BIG-IP as SP is 'GET'. This workaround is not applicable when first client request is 'POST'.

SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri}

After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).

Fix:
SAML SSO requests will now be redirected to the original request URI.

---

590578-4 : False positive "URL error" alerts on URLs with GET parameters

Component: Fraud Protection Services

Symptoms:
False-positive URL Error alerts are sometimes generated on URLs with GET parameters.

Conditions:
Use of URLs with GET parameters.

Impact:
Unwanted alerts in alert server.

Workaround:
None

Fix:
Hash calculation is done on slightly different URL inputs, causing mismatch.

---

590428-1 : The "ACCESS::session create" iRule command does not work

Component: Access Policy Manager

Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual, the command does not resume properly and causing the sessions to disconnect/hang.

Conditions:
APM virtual configured with an iRule that includes "ACCESS::session create" iRule command.

Impact:
APM virtual won't function correctly.

Workaround:
The "ACCESS::session create" iRule command should be removed from the iRule attached to the virtual.

Fix:
Updated the session DB calls to include req_id parameter so that the TCL context gets updated/saved and used upon resume.

---

590415-1 : Partition can be removed when remote role info entries refer to it

Component: TMOS

Symptoms:
If you have a partition, and a remote-role info that mentions the partition, then you can delete the partition but the role info is not modified. Once this configuration is saved, future loads fail with an error similar to the following:

01070829:5: Input error: Invalid partition ID request, partition does not exist (your-partition-name)

Conditions:
A partition has been deleted, but the remote role configuration still names the partition.

Impact:
Load fails.

Workaround:
Before removing a partition, ensure that any role-info entries mentioning the partition are also removed.

If you already have encountered a failure to load such a configuration, edit /config/bigip.conf to remove the remote-role entries in the 'auth remote-role' section.

Fix:
It is no longer possible to enter this state. If a partition is referenced by a role-info entry, deleting that partition fails.

---

590399-1 : Unnecessary logging during startup: 'Unable to connect to MCPD' and Errdefsd is starting'.

Solution Article: K11304001

Component: TMOS

Symptoms:
Unnecessary logging during startup: err errdefsd[5106]: 01940019:3: Unable to connect to MCPD, will try again in 30 seconds. err errdefsd[5106]: 0194001d:3: Errdefsd is starting. Old shared memory arena is now deprecated.

Conditions:
This occurs during system startup.

Impact:
No to low impact. This message is benign, and you can safely ignore it.

Workaround:
None needed.

Fix:
This release fixes the unnecessary benign error message logging that occurred during startup: 'Unable to connect to MCPD' and Errdefsd is starting'.

---

590345-1 : ACCESS policy running iRule event agent intermittently hangs

Component: Access Policy Manager

Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.

Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.

Impact:
Policy execution intermittently hangs.

Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}

Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.

---

590211-2 : jitterentropy-rngd quietly fails to start

Component: TMOS

Symptoms:
If jitterentropy-rngd fails to start, it does so quietly during system start, causing init.d script [ OK ] when it should be [ FAILED ].

This can cause the system to hang indefinitely at boot time at the following step (the key name may vary, depending on what needs to be generated):

Generating /var/named/config/rndc.key ( 09:08:10 ) ...

Similarly, if jitterentropy-rngd fails to start but there are no keys to be generated at boot time, the system will boot successfully. However, the genkeys and genkeys-1024 processes invoked by crontab every hour might hang.

Conditions:
This can occur on any BIG-IP system if jitterentropy-rngd fails to start. The issue has been observed chiefly on vCMP guests running on VIPRION B21x0 blades.

Impact:
1) The system may fail to boot (user intervention will be required at this point to recover the system).

2) As crontab invokes the genkeys and genkeys-1024 processes every hour, these may start but never terminate (any hung processes might eventually cause increased memory and CPU utilization, potentially leading to unpredictable system failures).

Fix:
jitterentropy-rngd now starts up as expected, so no failures occur.

---

590122-2 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.

Component: Local Traffic Manager

Symptoms:
Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. These clients may require 'tls-rollback-bug' option set.

Conditions:
Standard behavior of TLS clients is to use ClientHello.client_version in pre-master secret (PMS).

Some clients, incorrectly, might use negotiated version in PMS.

Impact:
Failed TLS handshake.

Workaround:
None.

Fix:
Added support for tls-rollback-bug option for an SSL profile.

This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html).

Behavior Change:
This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html).

The value is set by the existing tls-rollback-bug option, using the command described in create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.

This is an existing option.

When this option is enabled in the client SSL profile, RSA-only ciphersuites will have relaxed treatment of the version field set by the SSL/TLS client as part of the sequence of bytes encrypted to the server RSA key, called pre-master secret (PMS).

With the option enabled, PMS can contain either ClientHello.client_version, or negotiated version. Standard behavior of TLS clients is to use ClientHello.client_version in PMS.

---

590074-1 : Wrong value for TCP connections closed measure

Component: Application Visibility and Reporting

Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.

Conditions:
TMM_API debug enabled.

Impact:
Wrong value displayed.

Workaround:
Do not turn on debug printing.

Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.

---

589862-6 : HA Grioup percent-up display value is truncated, not rounded

Component: TMOS

Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.

Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.

Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.

Fix:
The percent-up value is correctly rounded before display.

---

589661 : PS2 power supply status incorrect after removal

Component: TMOS

Symptoms:
After removing the second power supply (PS2), running system_check indicates that the power supply status is still good:

system_check -d | grep power
Chassis power supply 1: status FAN=good; VINPUT=good; VOUTPUT=good; STATUS=good
Chassis power supply 2: status VINPUT=good; VOUTPUT=good; STATUS=not present

Conditions:
This occurs on 10000-series and 12000-series platforms when removing the PS2 power supply and running system_check

Impact:
Erroneous indication that the power supply is still good

Fix:
Power supply status for PS2 is now correctly indicated when the power supply is removed.

---

589400-1 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Solution Article: K33191529

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.

Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.

---

589379-2 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

Solution Article: K20937139

Component: TMOS

Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.

Conditions:
OSPF using route health injection for default route.

Impact:
No functional impact. The extraneous LSA is immediately aged out.

Workaround:
Configure a static default route in imish instead of using RHI for the default route.

Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

---

589318-1 : Clicking 'Customize All' checkbox does not work.

Component: Fraud Protection Services

Symptoms:
Clicking 'Customize All' in Safari browser does not check the checkboxes below, and the settings remain grayed out.

Conditions:
Provision and license FPS.

Impact:
FPS child profile page.

Workaround:
Use tmsh.

Fix:
Clicking 'Customize All' checkbox in Safari browser now checks the checkboxes below and changes the state of the cosponsoring settings.

---

589256-1 : DNSSEC NSEC3 records with different type bitmap for same name.

Solution Article: K71283501

Component: Global Traffic Manager (DNS)

Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type of bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which the system dynamically signs.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.

---

589223-1 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.

---

589083-2 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.

---

589006-5 : SSL does not cancel pending sign request before the handshake times out or is canceled.

Component: Local Traffic Manager

Symptoms:
When TMM has many SSL handshake, for ephemeral key, SSL does not sign for ServerKeyExchange message. Then it is possible that sign request is pending on crypto SSL queue. Even the handshake is timeout or canceled, the sign request is still in the queue. This might cause memory accumulation.

Conditions:
When TMM has many SSL handshake, for ephemeral key, SSL should sign for ServerKeyExchange message.

Impact:
Even if the handshake times out or canceled, the sign request is still in the queue. This might cause memory accumulation.

Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.

Workaround:
None.

Fix:
SSL now cancels sign pending request before it times out or is canceled.

---

588959-2 : TMM may crash or behave abnormally on a Standby BIG-IP unit

Solution Article: K34453301

Component: Local Traffic Manager

Symptoms:
TMM may crash or behave abnormally on a Standby BIG-IP unit. Memory utilization before the crash can appear to be unusually high.

Conditions:
This is a rare issue, currently known to occur only in WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring. Virtual servers that make use of the standard TCP profile are not affected.

Impact:
The unit is not operational until TMM has finished writing the core file to disk and restarting. If the unit was Active for a different traffic-group, traffic for that traffic-group will be disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes in the rare case of WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring.

---

588929-2 : SCTP emits 'address conflict detected' log messages during failover

Component: TMOS

Symptoms:
The system may advertise, on the client-side, SCTP alternate addresses that are in a route-domain different from that of the virtual server.

Conditions:
Configuring an SCTP virtual server with alternate-addresses that are not in the correct route domain.

Impact:
No impact to traffic processing. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.

---

588888-3 : Empty URI rewriting is not done as required by browser.

Solution Article: K80124134

Component: Access Policy Manager

Symptoms:
Empty URI must be rewritten at server side and client side rewriter in the same way: as empty URI (all browsers treat this type of URI in a specific way).

Conditions:
A tag with an empty 'src' or 'href' attribute.

Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.

Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.

-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.

Fix:
This release fixes the issue of rewriting the empty URI the same way at the server side and client side: as empty URI (all browsers treat this type of URI in a specific way).

---

588879-2 : apmd crash under rare conditions with LDAP

Component: Performance

Symptoms:
apmd crashes during periods of high Active Directory (AD) lookups.

Conditions:
-- APM configured to use LDAP.
-- Might be related to stress testing AD queries.

Impact:
apmd crashes, clients unable to connect.

Workaround:
None.

Fix:
apmd no longer crashes during periods of high Active Directory (AD) lookups.

---

588794-2 : Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements

Component: TMOS

Symptoms:
SCTP alternate addresses may be advertised on the server-side that are in a route-domain that is different from that of the virtual server.

Conditions:
Alternate-addresses are configured on an SCTP virtual server that aren't in the correct route domain.

Impact:
There is no impact to traffic processing. Alternate-addresses will be advertised even though they are not in the correct domain. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.

---

588771-2 : SCTP needs traffic-group validation for server-side client alternate addresses

Component: TMOS

Symptoms:
Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.

Conditions:
When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.

Impact:
Some of the paths advertised in the SCTP association establishment creation process will be unusable. A conformant SCTP implementation on the server-side should test and disregard these paths, causing no impact to traffic.

Fix:
The SCTP filter in BIG-IP has been fixed so that all of the alternate addresses advertised during SCTP association establishment are in the same traffic group as the virtual server. Configured addresses are checked for the correct traffic group membership before being advertised.

---

588720-1 : Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.

Solution Article: K44907534

Component: Local Traffic Manager

Symptoms:
Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.

Conditions:
-- TMM is overloaded.
-- UDP datagram load-balancing is used.

Impact:
UDP packets are dropped.

Workaround:
There is no workaround other than to disable datagram-load-balancing in the affected UDP profile. To do so, run the following command:

tmsh modify ltm profile udp <profile_name> datagram-load-balancing disabled

Fix:
The fast-forwarding mechanism now properly handle packets with invalidated flows. The packets are now sent back to the source TMM for reprocessing. The TCP and TCP4 filters are updated to properly work with the changed fast-forwarding implementation.

---

588686 : High-speed logging to remote logging node stops sending logs after all logging nodes go down

Component: TMOS

Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stop.

Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.

Impact:
Remote logging stops and will only resume if tmm is restarted.

---

588456-3 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Solution Article: K60250444

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address, the DHCP server sends the ACK to the renewal packet to the relay agent IP (giaddr) instead of ciaddr. BIG-IP DHCP module does not process the ACK and update the lease time, which causes PEM subscriber session to be aged out.

Conditions:
-- The BIG-IP system is configured in forwarding mode.
-- The giaddr field in the unicast DHCP renewal packet is set to the IP address of relay agent. (Typically, it is set to 0 by the DHCP client.)

Impact:
PEM Subscriber Session will age out.

Workaround:
None.

Fix:
PEM no longer deletes existing PEM Subscriber Sessions after the lease time expires, so the DHCP renewal is now processed.

---

588405-1 : BADOS - BIG-IP Self-protection during (D)DOS attack

Component: Anomaly Detection Services

Symptoms:
Problem: 100% accurate detection may not help to prevent an attack

It's necessary to protect BIG-IP CPU utilization during attack - for BAD actors (in addition to shunlist) and for unknown IPs.
This mechanism should allow bad actors detection and keep CPU utilization in reasonable limits.

Conditions:
High BIG-IP CPU utilization during (D)DOS attack

Impact:
Service impact due to BIG-IP CPU high utilization

Workaround:
No workaround

Fix:
Added additional CPU protection during a (D)DOS attack

---

588399-1 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated

Component: Anomaly Detection Services

Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.

Conditions:
This can occur when Bad Actor detection is used

Impact:
CPU utilization will be higher than expected.

Fix:
An issue with referencing bad actors that have been detected and affecting CPU utilization has been fixed.

---

588351-5 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.

---

588327 : Observe "err bcm56xxd' liked log from /var/log/ltm

Component: TMOS

Symptoms:
Some "err bcm56xxd" log is observed from /var/log/ltm that read "err bcm56xxd[10968]: 012c0012:3: bs_module_do_precond:No preconditioning provided for module on port 3/5.0"

Conditions:
This occurs when during system start.

Impact:
The error is benign and can be ignored.

Fix:
The "No preconditioning provided for module" message is now logged at the info level.

---

588289-1 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager (DNS)

Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
This changes the pool order unexpectedly which will affect Load balancing using global-availability.

---

588140 : Pool licensing fails in some KVM/OpenStack environments

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ, BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.

---

588115-1 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
  - More specific route exists via GW to the self-IP.
  - Configured gateway for the overlapping route is unreachable.
  - Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.

---

588089-3 : SSL resumed connections may fail during mirroring

Component: Local Traffic Manager

Symptoms:
SSL resumed connections when using SSL mirroring may fail during mirroring. This could result in SSL connections being unable to recover after failover.

Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.

Impact:
SSL connections unable to recover after failover.

Workaround:
Disable session cache to prevent connections from resuming.

---

588087-1 : Attack prevention isn't escalating under some conditions in session opening mitigation

Component: Application Security Manager

Symptoms:
Attack is detected and isn't escalating in session opening

Conditions:
A session opening attack, challenges are being answered by the attacker.

Impact:
The attack continues.

Workaround:
Configure the attack prevention as rate limit.

Fix:
Fixed attack escalation in some cases on session opening.

---

588058-3 : False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer

Component: Fraud Protection Services

Symptoms:
Large numbers of "failed to unseal" Source Integrity alerts.

Conditions:
Source integrity feature enabled. Clients using Internet Explorer 8 to 10.

Impact:
High number of false positive alerts in alert dashboard.

Workaround:
Create alert dashboard signature to ignore source integrity alerts containing "failed to unseal" and Internet Explorer 8 to 10 user agent.

Fix:
Fixed parsing in relevant browsers.

---

588049-1 : Improve detection of browser capabilities

Component: Application Security Manager

Symptoms:
Browsers can override native functions, and manipulate the PBD capabilities test.

Conditions:
1. Proactive Bot defense is on.
2. Attacker override its native functions.

Impact:
Malicious browsers can go undetected by PBD.

Workaround:
N/A

Fix:
Check that majority of browsers native functions are not overridden.

---

587966-1 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Solution Article: K77283304

Component: Local Traffic Manager

Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
A Type DNS Query dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.

---

587791-1 : Set execute permission on /var/lib/waagent

Component: TMOS

Symptoms:
Due to recent changes of the build process /var/lib/waagent didn't have proper execute permission set. This caused failure in executing user custom scripts during deploying.

Conditions:
First deployment of VM in Azure, which requires executing custom scripts.

Impact:
Custom scripts cannot be executed.

Workaround:
N/A

Fix:
Properly set execute permissions to /var/lib/waagent directory.

---

587780 : warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Component: TMOS

Symptoms:
ltm log contains multiple instances of the following message on VIPRION B4450 blades: warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Conditions:
This often happens when VIPRION 4480 or 4800 chassis with B4450 blades is rebooting.

Impact:
No operation impact. This is a cosmetic message that you can safely ignore.

Workaround:
None needed. This message is cosmetic only.

Fix:
A more robust XLMAC recovery mechanism has been implemented which reduces the maximum retries to four. It does not completely eliminate this warning message (HSBe2 XLMAC initial recovery failed after 11 retries), but its frequency is greatly reduced.

---

587735 : False alarm on LCD indicating bad fan

Component: TMOS

Symptoms:
During some blade power ON conditions, a false alarm message is displayed on the LCD on the chassis bezel.
This alarm indicates that several chassis fans are bad, however in reality the fans are not bad.
Typically, the messages look like this:
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 2: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 3: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 4: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 5: status (0) is bad.

Conditions:
Erroneous fan warnings may occur when a blade is inserted into a VIPRION 4800 chassis.

Impact:
No functional impact. The user may experience concern over the false alarms.

Workaround:
Press green check button on the front of chassis bezel to clear the alarm.

---

587705-5 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Solution Article: K98547701

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.

Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.

---

587698-3 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
bgpd daemon crashes

Conditions:
bgp extended-asm-cap is configured before configuring
ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.

Fix:
bgpd does not crash when both bgp extended-asm-cap and
ip extcommunity-list standard with rt and soo parameters are configured.

---

587676-2 : SMB monitor fails due to internal configuration issue

Component: Local Traffic Manager

Symptoms:
SMB monitor fails due to internal configuration issue

Conditions:
Configure the SMB monitor

Impact:
SMB monitor fails to execute

Fix:
Fixed an internal configuration issue so that the SMB monitor will load properly

---

587668 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.

Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized, and the keypress passed along at a later time, so it is not lost. So pressing the LCD checkmark button now correctly brings up clearing prompt on VIPRION blades.

---

587656-2 : GTM auto discovery problem with EHF for ID574052

Component: Global Traffic Manager (DNS)

Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Conditions:
After applying EHF9-685.88-ENG

Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Workaround:
Skip to the next Eng HF
v11.4.1-hf10/hotfix/HF10-690.10-ENG

Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.

---

587629-2 : IP exceptions may have issues with route domain

Component: Application Security Manager

Symptoms:
The IP exception feature doesn't work as expected.

Conditions:
There are many defined same IPs but with different route domain.
There were config changes to these IPs regarding their exception properties.

Impact:
An ignored IP is not ignored etc.

Workaround:
bigstart restart asm

Fix:
Fixed an issue with IPs and route domain.

---

587617-1 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object configured with existent selfip.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671

Fix:
gtmd will not core.

---

587419-1 : TMM may restart when SAML SLO is performed after APM session is closed

Component: Access Policy Manager

Symptoms:
TMM may core when user performs SAML SLO on external to BIG-IP SP/IdP, and BIG-IP's APM session is no longer valid.

Conditions:
- User initiated SAML SLO on external SAML provider, and external provider redirect users to BIG-IP with SLO request.
- User does not have a valid session on BIG-IP when SLO request is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable SAML SLO by removing SLO request/response URLs from configuration

Fix:
TMM will no longer restart in the case described above.

---

587107-3 : Allow iQuery to negotiate up to version TLS1.2

Component: Global Traffic Manager (DNS)

Symptoms:
big3d accepts only TLS1.0, and gtmd offers only TLS1.0 during iQuery SSL handshake. iQuery does not negotiate up to TLS 1.2.

Conditions:
Establishing iQuery connections.

Impact:
The older, less secure TLS1.0 version is the only possible iQuery connection.

Workaround:
None.

Fix:
big3d now accepts, and gtmd now offers up to, TLS1.2 in iQuery handshakes.

TLS1 and TLS1.1 are still accepted by both ends of the iQuery connection (gtmd and big3d) to enable older clients (gtmd) to connect to newer servers (big3d) and vice versa.

Behavior Change:
big3d now accepts TLS1.2 in iQuery handshakes, and gtmd now offers up to TLS1.2.

---

587106-1 : Inbound connections are reset prematurely when zombie timeout is configured.

Component: Carrier-Grade NAT

Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.

Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.

Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.

Workaround:
None.

Fix:
Inbound connections are no longer reset when zombie_timout is configured to a non-zero value.

---

587077-1 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Solution Article: K37603172

---

587016-3 : SIP monitor in TLS mode marks pool member down after positive response.

Component: Local Traffic Manager

Symptoms:
SIP monitor in TLS mode marks pool member down after positive response. The SIP monitor in TLS mode is constantly marked down.

Conditions:
SIP monitor configured in TLS mode.
Server does not send close_notify alert in response to the monitor's close_notify request.

Impact:
Unable to monitor the status of the TLS SIP server.

Workaround:
None.

Fix:
SIP monitor in TLS mode now marks pool member up after positive response. This is correct behavior.

---

586938-1 : Standby device will respond to the ARP of the SCTP multihoming alternate address

Solution Article: K57360106

Component: TMOS

Symptoms:
When there is a SCTP connection established, the router will request the ARP for the client-side multi-homing alternate address, but the standby device will reply to the ARP request as well.

Conditions:
When an SCTP profile has at least one alternate-address configured, and is used in an high availability (HA) scenario, this issue will manifest.

Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multi-homing function will fail as the alternate connection cannot established on the standby device.

Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.

Fix:
SCTP multihoming has been fixed to work correctly when used in a high availability setup with VLAN addresses

---

586887-2 : SCTP tmm crash with virtual server destination.

Solution Article: K25883308

Component: TMOS

Symptoms:
Rare configuration with SCTP can cause TMM core.

Conditions:
Complex configurations including wildcards, virtual servers and SCTP profiles.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a rare SCTP tmm crash with virtual server destination when using complex configurations including wildcards, virtual servers and SCTP profiles.

---

586878-4 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To workaround this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.

---

586738-4 : The tmm might crash with a segfault.

Component: TMOS

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
IPsec is configured with hardware encryption error now returns an error code when appropriate, and manages the error as expected, so tmm no longer crashes with a segfault.

---

586718-1 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitution should not be logged, even if it is secure.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.

---

586621-7 : SQL monitors 'count' config value does not work as expected.

Solution Article: K36008344

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.

---

586587-1 : RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.

Component: Local Traffic Manager

Symptoms:
RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. That results in sending data at higher rates than specified Max Rate.

Conditions:
RTT is less than 6ms.

Impact:
Packet loss might happen (queue overflow) due to sending at higher data rate than the specified max rate.

Workaround:
None.

Fix:
RatePaceMaxRate works as expected, irrespective of latency.

---

586449-1 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory

Component: Local Traffic Manager

Symptoms:
If an under provisioned TMM runs out of memory, then this may result in allocation failures. Incorrect error handling of allocation failures in HTTP cookie code results in TMM core.

Conditions:
Cookie persistence with encryption required is enabled on the virtual. If an under provisioned TMM runs out of memory, then this may result in allocation failures.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fix error handling in HTTP cookie code. Allocation errors result in connection resets as opposed to core due to assert.

---

586412-2 : BGP peer-group members address-family configuration not saved to configuration

Component: TMOS

Symptoms:
Deactivation of the ipv6 address-family for an IPv6 BGP neighbor that is a member of a peer group may be removed when the configuration is reloaded or the system restarts.

Conditions:
IPv6 BGP neighbors in a peer group
Individual group members with different address-family configurations than the peer-group

Impact:
BGP behavior may change after reboot

Workaround:
If a neighbor must have different behavior than other peer group members it can be removed from the peer group and configured individually.

Fix:
BGP address-family configuration is now correctly saved and reloaded for neighbors belonging to a peer-group.

---

586070 : 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Component: Advanced Firewall Manager

Symptoms:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Conditions:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Impact:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Workaround:
N/A

Fix:
Fixed a typo in GUI

---

586031-1 : Configuration with LTM policy may fail to load

Solution Article: K40453207

Component: TMOS

Symptoms:
Load may fail with an error similar to the following:

01070726:3: Policy /Common/Drafts/[name] in partition Common cannot reference policy reference /Common/Drafts/[name] /Common/[virtual server name] in partition [partition].

Note: The named object is in partition Common, but the message will incorrectly specify a different partition.

Conditions:
* An LTM policy has been published.
* A draft has been created from this policy.
* The LTM policy has been associated with a virtual server.
* At least one partition other than Common has been created (the policy does not need to be in this partition).
* The system is loading the configuration from the text config files (without a binary config file), e.g., as a result of performing a software upgrade or following the directions in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Impact:
Configuration will fail to load.

Workaround:
Edit the configuration file to remove the draft policy (but not the published one).

Fix:
This defect has been resolved and the configuration will now load successfully.

---

586006-1 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certification revocation check will fail.

Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certification and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certification is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.

---

585905-1 : Citrix Storefront integration mode with pass-through authentication fails

Component: Access Policy Manager

Symptoms:
Citrix Storefront integration mode with pass-through authentication fails. Client fails with error message saying "Authentication service is not reachable"

Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.

Impact:
Could not use pass through authentication on the storefront for remote access of the store.

Workaround:
None

Fix:
Passthrough authentication could be used for remote-access of the store.

---

585833-3 : Qkview will abort if /shared partition has less than 2GB free space

Component: TMOS

Symptoms:
In order to inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This isn't a hard requirement to build a qkview which potentially could use much less than the 2GB limit. Additionally, some F5 VE systems are shipped with less than 2GB in /shared, thus qkviews cannot be produced.

Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.

Impact:
User is unable to create a qkview despite having enough room to build one.

Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/csp/#/article/K14952 for detailed instructions on resizing volumes.

Fix:
A warning about having less than 2GB will still be issued, but the qkview will continue to attempt to finish.

---

585823-1 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Component: Advanced Firewall Manager

Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses source address list to match the incoming source address and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic

Conditions:
Following conditions suffice for the issue:

a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic

AND

b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)

Impact:
Translation failure occurs as described resulting in the connection failures.

Workaround:
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.

Fix:
Fix involves using the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.

---

585813-3 : SIP monitor with TLS mode fails to find cert and key files.

Solution Article: K22111214

Component: Local Traffic Manager

Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.

Conditions:
SIP monitor with TLS mode.

Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.

Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.

Fix:
SIP monitor with TLS mode now finds cert and key files, so you can create SIP monitor with TLS mode enabled and have the pool correctly checked.

---

585807-2 : 'ICAP::method <method>' iRule is documented but is read-only

Component: Service Provider

Symptoms:
'ICAP::method' iRule function is documented as 'ICAP::method <REQMOD|RESPMOD>' which is said to get as well as set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected an argument, and at times accepted it. In fact the argument is ignored even if validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following: 01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"]

Conditions:
iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'.

Impact:
Users may attempt to change the method type. Usually the validator rejects it. In some versions the validator accepts it, but the methods only return the existing method type.

Workaround:
Do not attempt to change the method type with 'ICAP::method <method>'.

Fix:
ICAP::method is now documented as simply 'ICAP::method' with no argument, and it simply returns the current method type 'REQMOD' or 'RESPMOD'.

---

585745-2 : sod core during upgrade from 10.x to 12.x.

Component: TMOS

Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.

Conditions:
Upgrading a high availability configuration from 10.x to 12.x or later.

Impact:
Corefile generated, and system will temporarily go offline, resulting in an interruption of service.

Workaround:
Upgrade multiple devices in the high availability configuration from 10.x to a supported 11.x release, and then upgrade to the desired 12.x release.

Fix:
The failover daemon (sod) no longer cores during an upgrade, when the peer device upgrade completes and rejoins the trust.

---

585654 : Enhanced implementation of AES in Common Criteria mode

Component: Local Traffic Manager

Symptoms:
Common Criteria (CC) mode disallows the use of dedicated BIG-IP accelerator. It can be observed that performance of the BIG-IP in CC mode may not be as fast as benchmarks for some implementations AES on CPU.

Conditions:
Common Criteria (CC) mode is enabled.

Impact:
Lower performance with CBC-based AES ciphersuites.

Fix:
Updated AES implementation may achieve higher performance of CBC-based AES ciphersuites.

---

585562-3 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari

Component: Access Policy Manager

Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.

Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.

Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.

Workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}

Fix:
VMware View HTML5 client shipped with Horizon 7 now work sthrough BIG-IP APM in Chrome/Safari.

---

585547-1 : NTP configuration items are no longer collected by qkview★

Component: TMOS

Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.

Conditions:
Execute qkview to collect diagnostic information.

Impact:
Possibility for keys to be exposed.

Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.

Fix:
With this release, qkview no longer collects this file.

---

585485-3 : inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system

Component: TMOS

Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.

The BIG-IP system sends and expect messages with two SPI's inside.

Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.

Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.

Workaround:
Delete the outbound SA from the BIG-IP using the tmsh command by specifying the related SA:

(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{" Optional delimiter
  dst-addr Specifies the destination address of the security associations
  spi Specifies the SPI of the security associations
  src-addr Specifies the source address of the security associations
  traffic-selector Specifies the name of the traffic selector

Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.

---

585442-2 : Provisioning APM to 'none' creates a core file

Component: Access Policy Manager

Symptoms:
Provisioning APM level to 'none' may result in apmd creating a core file.

Conditions:
When the APM service is shut down, the apmd daemon may create a core file.

Impact:
There is no impact to functionality. Only a core file is created.

Workaround:
There is no loss in functionality.

Fix:
Provisioning APM level to 'none' no longer results in apmd creating a core file.

---

585424-1 : Mozilla NSS vulnerability CVE-2016-1979

Solution Article: K20145801

---

585412-4 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset-cause of Out of memory' and the email will not be delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.

---

585352-2 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI

Component: Application Security Manager

Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the self-link in the iControl REST API

Conditions:
Update brute force settings in GUI

Impact:
Unique record part updated

Workaround:
Update brute force settings using the REST API

Fix:
GUI is not changing rest_uuid when brute force settings are updated

---

585332 : Virtual Edition network settings aren't pinned correctly on startup★

Component: TMOS

Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).

Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.

Impact:
Since CPU0 is unusually high compared to previous releases, upgrading could put Virtual Edition into an overloaded state.

Workaround:
bigstart restart tmm will start the network interfaces and pin them to the right IRQ.

Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.

---

585120-1 : Memory leak in bd under rare scenario

Component: Application Security Manager

Symptoms:
Under high traffic, bd may leak memory and cause an ASM restart under certain rare conditions

Conditions:
ASM enabled and under high traffic

Impact:
Causes traffic abort while restart is happening. High swap and memory.

Workaround:
None.

Fix:
A memory leak in the bd was fixed.

---

585097-1 : Traffic Group score formula does not result in unique values.

Component: TMOS

Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.

Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.

The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.

Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.

Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.

Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.

---

585054-1 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement

Component: Application Security Manager

Symptoms:
When you import an XML file that contain references to violations in the delay blocking session tracking configuration, extra violations get added to the list.

Conditions:
This occurs when importing delay-type violations in ASM

Impact:
A very large subset of the violations is added to the policy

Fix:
BIG-IP now imports delay-type violations correctly.

---

584926-1 : Accelerated compression segfault when devices are all in error state.

Component: Local Traffic Manager

Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.

Conditions:
All physical or virtual devices concurrently enter error state.

Impact:
Tmm segfaults and restarts. May require a reboot.

Workaround:
Disable QAT compression using tmsh:

tmsh modify sys db compression.strategy value softwareonly

Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.

---

584921-1 : Inbound connections fail to keep port block alive

Component: Carrier-Grade NAT

Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However inbound connections to a client using a port block will fail to refresh the block, causing the block to expire pre-maturely. An inbound connection can remain active while the port block has been deleted.

Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.

Impact:
When reverse mapping an inbound connection to a subscriber (e.g. trying to find who was using an ip address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client when the reverse map is performed at a time when the connection is closed.

Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.

Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.

---

584865-1 : Primary slot mismatch after primary cluster member leaves and then rejoins the cluster

Component: Local Traffic Manager

Symptoms:
Secondary blades in a Viprion system can disagree about the identity of the Primary blade.

Conditions:
Viprion chassis with 3 or more blades. If the primary is temporarily isolated from the other blades, a new primary will be elected. When the primary rejoins, the non-primary blades do not correctly switch back to the newly re-elected primary.

Impact:
Configuration and status may not be kept properly in sync between blades.

Fix:
Secondary blades properly identify the Primary on changes.

---

584670 : Output of tmsh show sys crypto master-key

Component: TMOS

Symptoms:
In this release, tmsh show sys crypto master-key has changed and will now display its output as the base 64 encoded form of a SHA512 hash.

Conditions:
You will see this when running tmsh show sys crypto master-key, or f5mku -Z, or f5mku -U

Impact:
None

---

584661 : Last good master key

Component: TMOS

Symptoms:
When applying a UCS file to a platform that was different from the one the UCS was taken on, for example after RMA, you get a master key decrypt error because the master key is different.

Conditions:
This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.

Impact:
UCS load fails when extracting a UCS that came from another system.

Fix:
Secure Vault now stores the last good master key, which allows you to set the master key password to be the same as the other device you are importing from, then load the UCS from the other system. If master key decryption fails, the system will load the master key that was in effect before the UCS load was initiated. If that master key matched the master key from the system where the UCS was taken then encrypted attributes in the UCS can be loaded into the configuration.

---

584655 : platform-migrate won't import password protected master-keys from a 10.2.4 UCS file

Component: TMOS

Symptoms:
If you run the platform-migrate command to migrate from a UCS file generated on a platform running 10.2.4, the password protected master key won't import

Conditions:
You would encounter this when doing platform migration from an older platform running 10.2.4, and using the UCS file from that platform to platform-migrate to 12.1.1. This also only occurs if your 10.2.4 UCS contains secure attributes, such as clientssl or serverssl keys and profiles

Impact:
The platform-migrate command will fail if the 10.2.4 UCS contains a password protected master key.

Fix:
The 12.1.1 release can successfully platform-migrate UCS files from a 10.2.4 configuration if some steps are taken to generate a password protected master key on the 10.2.4 release. Without these steps, this impact exists. The 10.2.4-specific solution https://support.f5.com/csp/#/article/K9420

---

584642-1 : Apply Policy Failure

Component: Application Security Manager

Symptoms:
Some Policies cannot be successfully applied/activated

Conditions:
Signature overrides on Content Profiles are configured

Impact:
Policy cannot be applied

Workaround:
None.

Fix:
Policies can be successfully applied.

---

584623-2 : Response to -list iRules command gets truncated when dealing with MX type wide IP

Component: Global Traffic Manager (DNS)

Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.

Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.

Impact:
WideIP MX-type pool members are truncated in the log.

Workaround:
None

---

584583-3 : Timeout error when using the REST API to retrieve large amount of data

Solution Article: K18410170

Component: TMOS

Symptoms:
The Rest API might time out when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API appears as follows: errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET

Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.

Workaround:
There is no workaround at this time.

Fix:
TMSH performance has been improved for this GTM case (improvement ~5-10 times), which is root case for REST failure. Timeout is no longer triggered for this amount of data.

---

584582-1 : JavaScript: 'baseURI' property may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If generic JavaScript object has 'baseURI' property, it may be handled incorrectly via Portal Access: web application may get 'undefined' value for this property.

Conditions:
User-defined JavaScript object with 'baseURI' property.

Impact:
Web application may work incorrectly.

Workaround:
iRule can be used to remove F5_Deflate_baseURI() calls from rewritten JavaScript code.

Fix:
Now JavaScript objects with 'baseURI' property are handled correctly by Portal Access.

---

584545-2 : Failure to stabilize internal HiGig link will not trigger failover event

Component: Local Traffic Manager

Symptoms:
The internal HiGig interface potentially and repeatedly report FCS errors or does not become stable in rare cases.

Conditions:
The internal HiGig interfaces experiences FCS or XLMAC link failures.

Impact:
Device is left in a state where it cannot receive or pass traffic or have frame checksum errors.

Workaround:
None.

Fix:
HA failover mechanism is now activated when internal HSB ports on critical data path are consistently unstable.

Behavior Change:
There is a condition in which failures happen on the internal HiGig interfaces on the critical packet path between the HSB and the Broadcom switch, causing traffic interruption. Such failures can be inferred by HSB XLMAC instability or by observing increasing FCS errors. When these HSB XLMAC failures happened in the past, TMOS initiated a recovery mechanism by resetting the HSB MAC interface. However, if the failure persisted even after repeated recovery attempts, TMOS triggered a high availability (HA) failover event to prevent prolonged traffic disruption. The failover triggering condition is set as either the consecutive recovery attempts or consecutive FCS failure events that reach a configurable preset limit. After the HA failover was triggered, the original active unit will still keep trying to recover, and will mark itself ready if the failure condition is no longer observed. The XLMAC reset was existing behavior. The new behavior also applies to FCS failure events.

---

584471-1 : Priority order of clientssl profile selection of virtual server.

Solution Article: K34343741

Component: Local Traffic Manager

Symptoms:
When a SSL connection with specified server name is received in a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.

The issue is, based on RFC6125, common name should be used as a 'last resort'. In other words, the third rule should be the second rule.

Conditions:
The issue occurs when all of the following conditions are met.
(1) The incoming SSL request includes SNI (server name) extension in the clienthello, used to specify its desirable SSL server.
(2) The given server name from the client side does not match any server name configured in all the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profile of the virtual server have subject alternative names (note that every certificate has common name but not necessarily subject alternative names).

Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.

Workaround:
None.

Fix:
Priority order of clientssl profile selection of virtual server. The system now matches the server name using the following rules:

(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the common names of the certificates used by the clientssl profiles.

So the common-name match is last, which is correct according to RFC6125.

Behavior Change:
If server-name is not configured in the client SSL profile for SNI (server name) matching, SANs (subject alternative names) in the certificate will take precedence over CN (common name) in the certificate, for the SNI-matching process for client SSL profile selection.

---

584374-2 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.

Solution Article: K67622400

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.

Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.

Fix:
TMM no longer crashes when the iRule command RESOLV::lookup is used.

---

584373-2 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
AD/LDAP resource group mapping
In case of both lengthy group names and resource names edit link and control buttons could disapper under dialogue bounds

Conditions:
very long group names and resource names

Impact:
Impossible to delete and move rows in table - still possible to edit tho.

Workaround:
Spread one assign thru multiple rows

Fix:
Scroll bar is appearing when needed

---

584310-1 : TCP:Collect ignores the 'skip' parameter when used in serverside events

Solution Article: K83393638

Component: Local Traffic Manager

Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the "skip' argument does not take effect and is ignored. The Collect works, but collects only the length bytes from start.

Conditions:
TCP:Collect on server side events like SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that have happen only with IIS server.

Impact:
TCP:Collect collects bytes without taking into account the skip, so the bytes collected are not the correct ones.

Workaround:
None.

Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.

---

584213-1 : Transparent HTTP profiles cannot have iRules configured

Component: Local Traffic Manager

Symptoms:
When an HTTP profile is configured in transparent mode, but has a nonexistent iRule attached to it, then tmm will crash.

Conditions:
-- There is iRule.
-- Proxy is transparent.

when HTTP_PROXY_REQUEST {
   after 1000
}

-- Change configuration from explicit to transparent while the system is processing in the after command.
-- There is then an attempt to use a configuration that does not exist.

Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.

Workaround:
This is incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.

Fix:
Incorrectly configured proxy types from TMOS installations of earlier versions will be corrected at upgrade time. A warning will be logged that describes the change made.

---

584210-1 : TMM may core when running two simultaneous WebSocket collect commands

Component: Local Traffic Manager

Symptoms:
TMM may core with a SIGFPE when running two or more WebSocket collect commands in parallel.

Conditions:
-- WebSocket profile is attached to the virtual server.
-- Multiple iRules with WebSocket collect commands are attached to the virtual server.

Impact:
TMM may core with a SIGFPE resulting in loss of service.

Workaround:
Behavior is undefined when multiple collect commands are running at the same time. Rewrite iRules to have only one collect command executing at a time.

Fix:
iRule documentation was updated and WebSocket filter state machine was changed to reject multiple collect commands.

---

584103-2 : FPS periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.

Conditions:
FPS is not provisioned.

Impact:
Errors appears in FPS logs.

---

584082-3 : BD daemon crashes unexpectedly

Component: Application Security Manager

Symptoms:
bd crashes, with the following log signature immediately before the crash in /var/log/bd.log:

"IO_PLUGIN|ERR |Mar 29 20:48:02.217|17328|plugin_common.c:0085|plugin context doesn't match the argument which was originally set on it".

Conditions:
It is not known exactly what triggers this condition; it can occur intermittently during normal use of ASM.

Impact:
A bd crash, failover, traffic disturbance.

Workaround:
None.

Fix:
Fix a bd crash scenario.

---

584041 : forward slash '/' is used in the description field, admin user will be demoted to guest.

Component: TMOS

Symptoms:
When creating a new admin user, if a forward slash '/' is used in the description field, the user will be demoted to guest.

Conditions:
Creating a new admin user with a forward slash in the description text.

Impact:
mcp user's admin group demotion to guest.

Workaround:
Do not use forward slashes in the users description.

Fix:
System now allows forward slashes '/' in user description.

---

584029-6 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.

As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
 notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
 panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.

notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
None.

Fix:
Fragmented packets no longer cause tmm to core under heavy load.

---

583957-6 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during a HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
-- A HTTP::respond or HTTP::redirect iRule is used.
-- The iRule command is in an event triggered on the client-side.
-- A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking a HTTP::respond or HTTP::redirect iRule command.

---

583943-1 : Forward proxy does not work when netHSM is configured on TMM interfaces

Solution Article: K27491104

Component: Local Traffic Manager

Symptoms:
Forward proxy feature does not always work when netHSM is configured on TMM interfaces.

Conditions:
When netHSM device is configured on TMM interface.

Impact:
The forward proxy feature does not work. This is an intermittent issue.

Workaround:
None.

Fix:
Forward proxy now works consistently when netHSM is configured on TMM interfaces.

---

583936-5 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
Now properly removing ECMP routes from the routing table.

---

583754-7 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to confusion.

Workaround:
N/A

---

583700-3 : tmm core on out of memory

Solution Article: K32784801

Component: Local Traffic Manager

Symptoms:
tmm memory increases quickly, then crashes on out-of-memory condition.

Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH and ECDHE ciphers.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known.

Fix:
The system now cancels ongoing crypto requests when the handshake is dropped, preventing this error condition.

---

583686-2 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import

Component: Application Security Manager

Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.

Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.

Impact:
Unable to view or edit the policy, and Illegal meta character in value violation is triggered

---

583678-1 : SSHD session.c vulnerability CVE-2016-3115

Solution Article: K93532943

---

583631-2 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the `options' section of the Server SSL Profile.

Fix:
When enabled by setting the db variable, 'SSL.OuterRecordTls1_0,' to, 'enable,' the outer SSL record will always contain TLS1.0. This is the default. You can use this db variable to prevent an issue in older servers that do not support TLS versions later than 1.0, in which an alert might be generated closing the connection.

Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable, 'SSL.OuterRecordTls1_0,' is set to 'enable' the version present in the outer record will be TLS 1.0 regardless of the version in the ClientHello. This is the default.

---

583516-2 : tmm ASSERT's "valid node" on Active, after timer fire..

Component: TMOS

Symptoms:
TMM crashes on ASSERT's "valid node".

Conditions:
The cause is unknown, and this happens rarely.

Impact:
tmm crash

Workaround:
no

Fix:
TMM no longer asserts on 'valid node'

---

583475-1 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations the BIG-IP Mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart thus affecting both, control plane and data plane functionality.

Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.

Fix:
Not fixed yet.

---

583402-1 : ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work

Component: Application Security Manager

Symptoms:
The 'Overridden Characters in Value' and 'Overridden Attack Signatures' filter options on the Parameters List screen doesn't work correctly. These filter options appear after you set 'Parameter Value Type' to 'User-input value' and 'Data Type' to 'Alpha-Numeric'.

Conditions:
Attempting to filter parameters by settings the 'Value Type' to 'User-input value', 'Data Type' to 'Alpha-Numeric', and searching for 'At least one' signature override.

Impact:
Search fails.

Workaround:
None.

Fix:
Searching for 'At least one' override now works correctly.

---

583355-1 : The TMM may crash when changing profiles associated with plugins

Component: Local Traffic Manager

Symptoms:
The TMM may crash when changing profiles associated with plugins.

Conditions:
The must be a profile associated with a plugin already on a virtual server and traffic must be running. When the profile is removed or swapped for another, the crash may occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A safe way to definitely avoid a crash is to stop the plugin before making changes to its profile.

---

583285-5 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.

---

583272-2 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth

Component: Access Policy Manager

Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.

The root cause is that in packet capture, the APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy

Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.

Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.

Impact:
Client is unable to authenticate.

Workaround:
None.

Fix:
Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.

---

583177 : LCD text truncated by heartbeat icon on VIPRION

Component: TMOS

Symptoms:
while looking at informational text on the first line of the LCD display on a VIPRION, the end of the string is truncated by a heartbeat icon.

Conditions:
This occurs on platforms that display a heartbeat icon on the LCD display.

Impact:
The heartbeat icon is displayed over the last character of the string, this is cosmetic.

Fix:
In this release, longer messages on the LCD are now displayed on multiple lines.

---

583113-1 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth. The client still received a 407 prompt to enter NTLM credentials.

when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}

Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.

Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Workaround:
The following iRule works from HTTP_REQUEST

when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}

Fix:
When ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM configured, then wake up the ECA plugin"

Fix changed the logic to "if NTLM configured and ACCESS filter is not disabled, then wake up the ECA plugin."

---

583111-1 : BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured

Component: TMOS

Symptoms:
When BGP is configured with 'no bgp default ipv4-unicast,' configuring a peer-group with IPv6 members adds 'neighbor <neighbor> activate' for the IPv6 neighbors under address-family ipv4.

Conditions:
This occurs when the following conditions are met:
-- 'no bgp default ipv4-unicast' is configured in imish.
-- 'neighbor <neighbor> peer-group <peergroup>' is configured.

Impact:
Despite disabling IPv4 unicast for BGP by default, neighbors in the peer group have the IPv4 unicast address family enabled.

Workaround:
Delete the line in the configuration that was automatically added in imish in the 'router bgp' section:
no neighbor <neighbor> activate

Fix:
Configuring IPv6 members of a peer-group when 'no bgp default ipv4-unicast' no longer automatically enables IPv4 unicast for the peer-group members.

---

583108-1 : Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.

Component: TMOS

Symptoms:
when a neighbor with ipv4 address is disabled in ipv6 address family, show running configuration displays that the neighbor is disabled. However, when we restart or reboot the tmrouted or bgp protocol, the neighbor is enabled again. The configuration persistence is not maintained.

Conditions:
1. disable a neighbor with ipv4 address in ipv6 address family.
2. reboot/restart tmrouted or bgp protocol

Impact:
configuration persistence is not maintained. This impacts the BIGIP upgrades as the configuration loaded is not the same as it was before the upgrade. Similarly, a restart/reboot will also have different configuration loaded than originally used. This might alter the intended behavior of the protocol that the use expects to function.

Workaround:
disable the neighbor again.

Fix:
configuration persistence is maintained for the disabled neighbor with ipv4 address in the ipv6 address family.

---

583024-1 : TMM restart rarely during startup

Component: Application Security Manager

Symptoms:
A TMM crashes with a core file during startup. It restarts then correctly.

Conditions:
The system starts up.

Impact:
The system startup takes longer. A core file appears. Traffic is not impacted and a failover usually doesn't occur since the system didn't reach the active state.

Workaround:
None.

Fix:
TMM no longer crashes during startup.

---

583010-4 : Sending a SIP invite with 'tel' URI fails with a reset

Component: Service Provider

Symptoms:
Using a 'INVITE tel:' URI results in SIP error (Illegal value).

Conditions:
Sending a SIP "INVITE tel:" to the BIG-IP system.

Impact:
'INVITE tel:' messages are not accepted by BIG-IP system.

Workaround:
None.

Fix:
'INVITE tel:' messages are now accepted by BIG-IP system.

---

582792-7 : iRules are not updated in transactions through TMSH or iControl

Component: TMOS

Symptoms:
Updating an iRule in a transaction via TMSH or iControl results in the iRule not being updated, but there is no error indicating this.

Conditions:
Updating an iRule in a transaction using TMSH or iControl.

Impact:
iRule is not updated, and the user is not alerted of this fact.

Workaround:
None.

Fix:
iRules modified through transactions are now updated properly.

---

582773-5 : DNS server for child zone can continue to resolve domain names after revoked from parent

Solution Article: K48224824

---

582769-1 : WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual

Solution Article: K99405272

Component: Local Traffic Manager

Symptoms:
WebSockets frames are not forwarded with WebSocket profile and ASM enabled on virtual.

Conditions:
Virtual has WebSocket profile attached to it. ASM is enabled on the virtual. WebSockets server replies with a "Connection: upgrade" header. The issue is also seen if multiple header values are present in Connection header.

Impact:
WebSockets frames are not forwarded to the pool member

Workaround:
Use a simple iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 101 } {
        HTTP::header replace "Connection" "Upgrade"
    }
}

Fix:
The system now accepts "Connection: UPGRADE" or "Connection: upgrade" as valid header for WebSocket handshake, and supports a comma-separated list of values for the Connection response header.

---

582752-3 : Macrocall could be topologically not connected with the rest of policy.★

Component: Access Policy Manager

Symptoms:
It is possible to create macrocall access policy item that:

1. Belongs to policy items list.
2. Correctly connected to ending.
3. Have no incoming rules (i.e., no items pointing at it).

Conditions:
1. Create access policy with macrocall item in one of the branches.
2. Remove the item which refers to this macrocall item from AP

As a result, macrocall item remains.

Impact:
VPE fails to render this access policy.

Workaround:
Delete macrocall access policy item manually using tmsh commands.

Fix:
Any modification of access policy is not allowed if it makes any access policy item non-referenced.
At upgrade time, non-referenced access policy items are deleted. All subsequent access policy items are deleted as well. Resulting access policies can be rendered correctly by VPE. Note that only active configuration is corrected, saved configuration file (/config/bigip.conf) contains uncorrected version until any new configuration changes are done. Active configuration can be saved by explicit tmsh command ('tmsh save sys config partitions all").

---

582683-2 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A

Fix:
fixing xpath parer -- Restoring namespace declaration each time the xpath parser finishes to parse the document.

---

582629-1 : User Sessions lookups are not cleared, session stats show marked as invalid

Component: Application Visibility and Reporting

Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.

Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.

Impact:
Session statistics will report incorrectly

Fix:
An issue with session statistics not clearing after session timeout has been fixed.

---

582526-3 : Unable to display and edit huge policies (more than 4000 elements)

Component: Access Policy Manager

Symptoms:
It takes a very long time or is not possible to display huge policies (more than 4000 elements). VPE returns server timeout error or simple halts.

Conditions:
Huge Access Policy, for example, containing 4000 or more elements.

Impact:
Unable to edit policy because VPE times out.

Workaround:
None.

Fix:
VPE loading times for APM policies is greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.

---

582487-2 : 'merged.method' set to 'slow_merge,' does not update system stats

Solution Article: K22210514

Component: Local Traffic Manager

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats is not updated and remains zero.

Conditions:
Merged.method is set to slow_merge.

Impact:
System stats such as overall CPU usage remain at zero.

Workaround:
Set Merged.method to fast_merge.

Fix:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats are not updated as expected.

---

582465-1 : Cannot generate key after SafeNet HSM is rebooted

Component: Local Traffic Manager

Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.

Conditions:
The BIG-IP system uses the SafeNet HSM.

Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.

Workaround:
To generate a new key, after HSM finishes starting up, run the following commands:

# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>

Or, you can reinstall SafeNet client.

Fix:
After the SafeNet Hardware Security Module (HSM) is restarted, users can now generate a new key.

---

582374-1 : Multiple 'Loading state for virtual server' messages in admd.log

Component: Anomaly Detection Services

Symptoms:
When a dosl7d profile is configured on a BIG-IP that's in a device group and the BIG-IP is set to "Forced Offline" in the Device Management settings, admd will log multiple messages to admd.log similar to 47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server

Conditions:
- dosl7d profile attached to a virtual server
- BIG-IP is part of a DSC cluster
- a BIG-IP is forced offline in the cluster

Impact:
Excessive logging occurs to /var/log/adm/admd.log

Workaround:
None

Fix:
An issue with excessive logging to admd.log has been fixed.

---

582207-7 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.

---

582133-1 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)

Component: Application Security Manager

Symptoms:
When conditions of "Track Site Change" settings are met the staging flag on "*" entities is supposed to be turned ON in order to learn sub-sequences of site changes without blocking traffic. However it doesn't happen. The staging flag stays OFF.

Conditions:
Staging was set OFF on "*" entity. After that conditions of "Track Site Change" settings are met.

Impact:
in a situation when the protected Web application was changed, ASM can block traffic when it should not be blocked.

Workaround:
Staging flag can be changed manually via GUI

Fix:
The problem was a sub-sequence of other code changes. The code was fixed he way it should count for "Track Site Change" conditions and change Staging flag when it is needed.

---

582084-1 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When there is a BWC policy created in global sync group and also a local one, then the configuration displays an error.

Conditions:
If BWC policy is created both in global sync and local.

Impact:
Configuration error, BWC policies will not be synced due to errors.

Workaround:
Ensure that BWC policy is in global sync only.

Fix:
BWC policy is now configured for device group sync only in the global group and not local.

---

582029-4 : AVR might report incorrect statistics when used together with other modules.

Component: Application Visibility and Reporting

Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, it can lead to AVR getting false readings of the activity and as result report on unexpectedly large numbers.

Conditions:
AVR Module is used together with other modules, and these module affect the traffic flow.

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:
None.

Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.

---

581991-1 : Logging filter for remote loggers doesn't work correctly with more than one logging profile

Component: Application Security Manager

Symptoms:
A logging message arrived at a remote logger while the remote logger's filter have a criteria that doesn't match.

Conditions:
More than one logging profile is attached to a virtual server, the logging profiles have different filters conditions.

Impact:
A non related messages will be presented at the remote logger

Fix:
Fixed an issue with multiple remote logging with different filters.

---

581945-2 : Device-group 'datasync-global-dg' becomes out-of-sync every hour

Component: TMOS

Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.

When this happens, you can manually sync the device-group, but after about an hour, the device-group becomes out-of-sync again.

Conditions:
-- This happens only in certain timezones, depending on the timezone configured on the BIG-IP system. (This issue has been seen only in relation to the Europe/London timezone.)
-- The problem starts happening about three days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.

Impact:
GUI/shell shows config-sync 'possible change conflict' or 'changes pending' in regards to the datasync-global-dg device-group.

Workaround:
There is no workaround other than manually syncing the device-group approximately every hour.

Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.

---

581921-2 : Required files under /etc/ssh are not moved during a UCS restore

Solution Article: K22327083

Component: TMOS

Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.

Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.

Impact:
This might impact SSH operations.

Workaround:
Add the /etc/ssh directory to the UCS backup configuration. This causes all subsequent UCS backup and restore operations will now include the /etc/ssh/ directory.

To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.

Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.

---

581851-2 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands

Solution Article: K16234725

Component: TMOS

Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.

Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appears similar to the following example:
 + err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

 + err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.

Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.

Workaround:
None.

Fix:
This issue no longer occurs.

---

581840-5 : Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.

Solution Article: K46576869

Component: Device Management

Symptoms:
Attempting to use BIG-IQ to manage BIG-IP systems using an Administrator account named other than 'admin' can fail.

Conditions:
-- BIG-IQ managing BIG-IP systems.
-- Using an Administrator account different from 'admin',

Impact:
You cannot manage BIG-IP systems through BIG-IQ.

Workaround:
Use the 'admin' account on BIG-IQ to manage BIG-IP devices.

Fix:
Can now use an Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.

Behavior Change:
Local requests through iControl client are now made on port 80, instead of 443.

---

581835-1 : Command failing: tmsh show ltm virtual vs_name detail.

Component: TMOS

Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:

01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.

Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.

Impact:
No information is displayed by the tmsh show command.

Workaround:
None.

Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.

---

581834-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
clients are unable to use the Firefox plugin on Firefox version 47 and above

Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin

Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above

Fix:
The Firefox plugin now supports all versions.

---

581824-2 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Component: Global Traffic Manager (DNS)

Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.

Conditions:
Viewing the GSLB Monitors tcp_half_open, gateway_icmp and bigip_link's properties page.

Impact:
You cannot view some of their monitors' properties.

Fix:
Fixed the "Instance not found" error.

---

581811 : The blade alarm LED may not reflect the warning that non F5 optics is used.

Component: TMOS

Symptoms:
When non F5 optics is used for front switch ports, the LCD and /var/log/ltm will display some warning message. But the alarm LED may not reflect that.

Conditions:
This is caused by a race condition. When a blade comes up and decides its role as a primary blade or a secondary blade, it will clear the alarm LED. So the last blade coming up may have its alarm LED in the right state, but the blades that came up earlier may have their alarm LEDs cleared.

Impact:
The alarm LED may not reflect the warning.

Workaround:
None.

Fix:
The problem is fixed in TMOS v12.1.1.

---

581746-1 : MPTCP or SSL traffic handling may cause a BIG-IP outage

Solution Article: K42175594

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.

Impact:
A system outage may occur.

Workaround:
None.

Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.

---

581438-2 : Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.

Component: Global Traffic Manager (DNS)

Symptoms:
Prior to this, only 16 pool members could be chosen during a single load-balancing decision.

Impact:
Cannot return more than 16 pool members in a DNS response.

Fix:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.

Behavior Change:
BIG-IP DNS GSLB now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.

---

581406-1 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group

Component: Application Security Manager

Symptoms:
When:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Then upon loading the full sync in the peer an SQL error will appear during the load:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"

Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Impact:
Benign error which does not affect configuration or enforcement.

Workaround:
None

Fix:
SQL error no longer occurs on CMI Sync with Session Awareness

---

581315-1 : Selenium detection not blocked

Component: Application Security Manager

Symptoms:
When selenium client webdriver is detected running the Chrome browser it is not being blocked due to low score being assigned by PBD (Suspicious Browsers) mechanism.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot which running selenium Chrome webdriver isn't mitigated by DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Only for Desktop Google Chrome browsers, the PBD javascript code checks if a plugin called "Widevine Content Decryption Module" doesn't exists, the browser considered as running via the selenium tool and will be blocked by PBD.

---

581101-1 : non-admin user running list cmd: can't get object count

Component: TMOS

Symptoms:
Non-admin user running list cmd: can't get object count.

Conditions:
Login as non admin user

Impact:
Very minor
non-admin user got some restrictions to view.

Workaround:
Use admin account.

Fix:
Non admin user rights fixed.

---

580893-2 : Support for Single FQDN usage with Citrix Storefront Integration mode

Solution Article: K08731969

Component: Access Policy Manager

Symptoms:
Adding a new login account onto Citrix Receiver enumerates the applications and desktop. Logging off and reconnecting using the same account starts failing.

Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.

Impact:
Clients are unable to connect.

Workaround:
No workaround other than using different FQDNs.

Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.

---

580862-1 : Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes

Component: Application Security Manager

Symptoms:
After the Apply-policy task completes successfully, there is an LTM incremental sync back from the peer unit and the policy is deactivated.

Conditions:
High availability (HA) configuration with an auto-sync failover group with ASM sync enabled.

Impact:
ASM policy is erroneously deactivated several seconds after it has been activated via the Apply-policy task.

Workaround:
Temporarily disable ASM sync on the device group.

Fix:
This release fixes the Apply-policy task so that there is no erroneous deactivation after it has completed.

---

580753-1 : eventd might core on transition to secondary.

Solution Article: K82583534

Component: TMOS

Symptoms:
Upon transition to secondary, eventd shuts down its consumer list. However, during this shutdown, there could still be queued events yet to be process. This leads to a race condition between processing the events and freeing the memory of the consumer.

Conditions:
This happens when eventd is being shutdown while processing events.

Impact:
Causes eventd segmentation fault and core dump

Workaround:
None.

Fix:
eventd no longer cores on transition to secondary when eventd is being shutdown while processing events.

---

580747-1 : libssh vulnerability CVE-2016-0739

Solution Article: K57255643

---

580602-1 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.

Component: TMOS

Symptoms:
As a result of a known issue a configuration containing LTM nodes with IPv6 link-local addresses may fail to load.

Conditions:
Attempt to load a configuration containing a LTM node with a IPv6 link-local address.

Impact:
Configuration fails to load.

Workaround:
Use IPv6 global addresses instead.

Fix:
The BIG-IP system now loads correctly a configuration containing a LTM node with a IPv6 linbk-local address.

---

580596-1 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Solution Article: K14190 K39508724 K10065173

---

580567-1 : LDAP Query agent failed to resolve nested group membership

Component: Access Policy Manager

Symptoms:
Not all of the nested group membership are resolved for a user

Conditions:
Several conditions need to be met:
1. LDAP Query agent is configured to connect to GC (Global Catalog) in AD environment; AND
2. There are sub domains in the AD environment; AND
3. A user who is a member of a group from one of the sub domains login in.

Impact:
User authentication might fail or not getting all the assigned resources due to missing nested group membership.

Fix:
after fix, LDAP agent retrieve group from server when talking to Global Catalog

---

580537-1 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager (DNS)

Symptoms:
The geoip_update_data script will not install a City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat

Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.

---

580500-1 : /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.

Component: TMOS

Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6,, diskspace in /var/log/sa6 is not rotated and disk space reclaimed.

Conditions:
/var/log/sa6 becomes corrupt or disk space becomes full in /var/log/sa6

Impact:
Disk space is not reclaimed in /var/log/sa6

Workaround:
edit /etc/logrotate.d/sysstat
Add "exit 0" after sadf line

Fix:
When /etc/logrotate.d/sysstat's sadf fails, exit cleanly
so logrotate reclaims disk space

---

580340-1 : OpenSSL vulnerability CVE-2016-2842

Solution Article: K52349521

---

580313-1 : OpenSSL vulnerability CVE-2016-0799

Solution Article: K22334603

---

580303-5 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.

Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.

---

580168-4 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
ASM provisioned
event logs available with violation details
install/upgrade to another volume and switchboot to it
wait for ASM to fully come up
switchboot back
event logs are still available but violation details are gone

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A

Fix:
N/A

---

580026-5 : HSM logging error

Solution Article: K74759095

---

579955-6 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Solution Article: K01587042

---

579953 : Updated the list of Common Criteria ciphersuites

Component: Local Traffic Manager

Symptoms:
This is a continuous maintenance of the default set per certification requirements

Conditions:
These changes are only in effect when ccmode script is executed.

Impact:
Current set of ciphersuites is the following, subject to change in future releases:

AES{128,256}-{SHA,SHA256}
ECDHE-RSA-AES128-CBC-{SHA,SHA256}
ECDHE-RSA-AES256-CBC-{SHA,SHA384}
ECDHE-RSA-AES128-GCM-{SHA256,SHA384}
ECDHE-ECDSA-AES128-{SHA,SHA256}
ECDHE-ECDSA-AES256-{SHA,SHA384 }
ECDHE-ECDSA-AES128-GCM-{SHA256,SHA384}

---

579926-1 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode

Component: Local Traffic Manager

Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.

Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.

Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.

Workaround:
No workaround.

---

579917-1 : User-defined signature set cannot be created/updated with Signature Type = "All"

Component: Application Security Manager

Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.

Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).

Impact:
A Custom Signature Set cannot be created for with Request and Response Signatures

Workaround:
No workaround, but can be mitigated by creating two signature sets, or using manual sets.

Fix:
Signature Type can now successfully be set to "All" Signatures

---

579843-1 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.

Conditions:
- Active/Standby HA pair set up
 - Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
 - Active unit has the following succession of failover states:
   Active->Offline->Online->Standby->Active

Impact:
Tmrouted may not announce the Virtual addresses when coming back to Active state after the mention succession.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.

Fix:
tmrouted now re-announces RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.

---

579829-7 : OpenSSL vulnerability CVE-2016-0702

Solution Article: K79215841

---

579760-3 : HSL::send may fail to resume after log server pool member goes down/up

Solution Article: K55703840

Component: TMOS

Symptoms:
High speed logging (HSL): asymmetric bandwidth loss might result in no bandwidth tracking.

Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing.

Impact:
For a period of time after the logging node comes back up, HSL::send events will not be sent to the log server. Sometimes it never recovers and tmm needs to be restarted.

Workaround:
If possible, configure log server pools with multiple members to avoid this condition.

---

579529 : Stats file descriptors kept open in spawned child processes

Component: TMOS

Symptoms:
No known user visible impact.

Conditions:
This occurs in all multi-blade platforms where clusterd is running.

Impact:
No known user visible impact.

Workaround:
None.

Fix:
Stats file descriptors are opened so that they are closed when a child process is spawned.

---

579495-1 : Error when loading Upgrade UCS★

Component: Application Security Manager

Symptoms:
When loading an older version UCS file while ASM is live an error may occur when processing the new configuration. You will see the following error in the asm log:

Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES

Conditions:
Loading an older version UCS on a live system.

Impact:
Enforcement of Allowed Methods may be incorrect

Workaround:
Restart ASM

Fix:
Configuration is correctly processed when loading a UCS file for upgrade on a live device.

---

579371-4 : BIG-IP may generate ARPs after transition to standby

Solution Article: K70126130

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.

Impact:
Unexpected ARP requests that might result in packet loops.

Workaround:
None.

Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.

---

579220-1 : Mozilla NSS vulnerability CVE-2016-1950

Solution Article: K91100352

---

579210-3 : VIPRION B4400N blades might fail to go Active under rare conditions.

Solution Article: K11418051

Component: TMOS

Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.

Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.

Impact:
When the problem is manifest, the HSB receives FCS errors at a high-frequency and does not receive any valid traffic from the port switch. The B4400N blade might be unable to go active and join the cluster.

Workaround:
To recover, reboot the system once.

---

579085-6 : OpenSSL vulnerability CVE-2016-0797

Solution Article: K40524634

---

578983-4 : glibc: Integer overflow in hcreate and hcreate_r

Solution Article: K51079478

---

578971-3 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed

Component: Local Traffic Manager

Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:

"Slot 1 suffered heartbeat timeout ..."

This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.

Conditions:
Mcpd is restarted on a blade.

Impact:
Though all blades recover on their own, the cluster members being marked fail may result in a failover.

Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.

Fix:
The clusterd daemon has been fixed to no longer become blocked when mcpd is restarted. This prevents the cluster member heartbeat timeouts from occurring, and thus no cluster members will be marked failed.

---

578951-2 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections

Component: Local Traffic Manager

Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.

Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.

Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.

Fix:
Decrement the pre-established connections counter when a TCP Fast Open connection times out during the initial handshake.

---

578573-1 : SSL Forward Proxy Forged Certificate Signature Algorithm

Component: Local Traffic Manager

Symptoms:
In SSL Forward Proxy, the signature algorithm used by the CA certificate configured on the client SSL profile can change the signature algorithm used by the server certificate.

For example, if the server certificate uses SHA1 but the CA certificate configured in client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in client SSL uses SHA1, the forged certificate will use SHA1.

Both scenarios are a problem for a customer.

Conditions:
when the signature algorithm of the CA certificate configured in client SSL profile differs from the signature algorithm of the server certificate.

Impact:
The signature algorithm of forged certificate may differ from the signature algorithm of the server certificate.

Workaround:
Configure the CA certificate in client SSL profile so that the signature algorithm matches that in server certificate.

---

578570-1 : OpenSSL Vulnerability CVE-2016-0705

Solution Article: K93122894

---

578564-4 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
Connection aborted with RST "ADAPT unexpected state transition (old_state 22 event 7)"

Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.

Fix:
HTTP::respond works as expected even on an HTTP response returned by an ICAP server after request adaption.

---

578551-5 : bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot

Component: TMOS

Symptoms:
network 0.0.0.0/0 route-map Default is missing in bgp after a restart/reboot

Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp

Impact:
The bgp doesn't have the same configuration after a restart/reboot. persistence of bgp protocol is not maintained leading to unexpected behavior of bgp

Fix:
the persistence of "network 0.0.0.0/0 route-map Default" in bgp is maintained after a restart/reboot

---

578415-2 : Support for hardware accelerated bulk crypto SHA256 missing

Component: Local Traffic Manager

Symptoms:
Requests for bulk crypto SHA256 will be performed in software, not by the accelerator.

Conditions:
Any bulk crypto operation that uses SHA256 on the BIG-IP 1600, 3600, 5000, 6900, 7000, 8900, 10000, 11000, 11050, and 12000 platforms, and on VIPRION B2250 blades.

Impact:
The request will be completed in software which may result in increased CPU load.

Workaround:
None.

Fix:
Requests for bulk crypto operations using SHA256 will be assigned to a hardware accelerator, and no longer serviced in software.

---

578413-1 : Missing reference to customization-group from connectivity profile if created via portal access wizard

Component: Access Policy Manager

Symptoms:
An extra customization group is created for connectivity profile when the profile is created via portal access wizard and the configuration is reloaded.

Conditions:
Use portal access wizard to create configure objects.

Impact:
There is no functional impact since customization is not actually used for connectivity group.

Workaround:
Create configure object manually rather than via wizard.

Fix:
There will be a reference to customization group from connectivity profile when the profile is created by wizard.

---

578064 : tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade

Component: TMOS

Symptoms:
tmsh show sys hardware show "unavailable" for hard disk manufacturer

Conditions:
In VIPRION B4400/B4450 blades, tmsh show sys hardware always shows "unavailable" for hard disk manufacturer.

Impact:
Can't get correct hard disk manufacturer information.

Fix:
Fixed

---

578036-1 : incorrect crontab can cause large number of email alerts

Component: TMOS

Symptoms:
There is an incorrect crontab entry in /etc/cron.usbflush for /sbin/lsusb

Conditions:
This occurs for the usbflush entry.

Impact:
usbflush does not run, alert email is generated once per minute.

Workaround:
change /etc/cron.usbflush to use /usr/sbin/lsusb

Fix:
Fix /etc/cron.usbflush to use /usr/sbin/lsusb

---

577863-5 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Solution Article: K56504204

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured, so that the DHCP server knows how to send packets to the BIG-IP self IP address (used by the BIG-IP system DHCP relay), but does not know how to send packets to DHCP clients, DHCP clients will not receive a DHCP reply for unicast requests and will start to broadcast DHCP renewal. After a while, the BIG-IP system will stop relaying DHCPOFFER and DHCPACK back to DHCP clients altogether.

Conditions:
DHCP server unicast reply back to client is not received by client, causing DHCP client to send broadcast DHCP packets (with client's IP address as the source IP address).

Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK back
to DHCP clients.

Workaround:
Modify the DHCP server routing table, so that the DHCP server can deliver DHCP reply packets back to clients successfully.

Fix:
DHCP relay now continues forwarding the server DHCPOFFER and DHCPACK messages under these conditions.

---

577474-3 : Users with auditor role are unable to use tmsh list sys crypto cert

Solution Article: K35208043

Component: TMOS

Symptoms:
The system returns error messages after running the following command: tmsh list sys crypto cert. Error messages appear similar to the following:

-- Key management library returned bad status: -4, Invalid Parameter.
-- Unexpected Error: Can't chmod key management directory: "/var/tmp/key_mgmt", error: [1] Operation not permitted".

Conditions:
-- BIG-IP user accounts configured with the auditor role.
-- Running the command: tmsh list sys crypto cert.

Impact:
BIG-IP users with the auditor role cannot view certificates using the command: list sys crypto cert.

Workaround:
Use the following command: sys file ssl-cert

For example, use either of the following:
-- list sys file ssl-cert default.crt
-- list sys file ssl-cert

Fix:
BIG-IP users with the auditor users can now see certificates using the following command: list sys crypto cert.

---

576591-6 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains credit card number with specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but should be adjusted to each configuration specifically.

---

576478 : Enable support for the Purpose-Built DDoS Hybrid Defender Platform

Component: Advanced Firewall Manager

Symptoms:
N/A

Conditions:
Requires new DoS License

Impact:
None

Fix:
This fix adds support for recognition of a Purpose-Built DDoS Hybrid Defender license, and the necessary mechanisms to launch the DDoS Application.

Behavior Change:
There is no change in behavior to existing behavior and functionalities. However, when a DoS License is installed, the Big-IP platform takes on the role of a dedicated DoS protection device. Consequently most non-DoS related functionalities are either disabled or function in limited capacity.

---

576311-1 : HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present

Solution Article: K41335027

Component: Local Traffic Manager

Symptoms:
A configuration error is encountered when creating or modifying a virtual server with HTTP profile and no "clientssl" (or derived) profile attached, when HTTP Strict Transport Security (HSTS) is enabled.

Conditions:
Creating or modifying a virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled, when no clientssl or derived profile is attached to the virtual server.

Impact:
Error while configuring a virtual server with HTTP profile and no "clientssl" (or derived) profile attached, when HTTP Strict Transport Security (HSTS) is enabled.

Workaround:
Add a "clientssl" (or derived) profile to the virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled.

Fix:
The system now provides validation of HTTP Strict Transport Security (HSTS) to require 'clientssl' (or derived) profile profile to a virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled.

---

576305-7 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.

---

576123-3 : ASM policies are created as inactive policies on the peer device

Solution Article: K23221623

Component: Application Security Manager

Symptoms:
ASM policies are created as inactive policies on the peer device.

Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.

Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.

Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.

Fix:
This release fixes the ASM Synchronization mechanism so that ASM policies are correctly created on the peer device

---

575919-3 : Running concurrent TMSH instances can result in error in access to history file

Component: TMOS

Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.

Conditions:
Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error.

Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.

Workaround:
Only run a single instance of TMSH.

Fix:
Running concurrent TMSH instances no longer results in error in access to history file.

---

575649-5 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.

---

575642-1 : rst_cause of "Internal error"

Component: Local Traffic Manager

Symptoms:
The rst_cause may be logged as "Internal Error". rst_cause of "Internal error" does not give a narrow reason for the reset. It means that one of the other reset causes was not matched but the exact issue cannot be determined from this generic error.

Conditions:
Heavy/normal production network usage.

Impact:
System problem diagnosis is more difficult.

Workaround:
N/A

---

575629-3 : NTP vulnerability: CVE-2015-8139

Solution Article: K00329831

---

575591-6 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE message stats.

---

575589-5 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE event stats.

---

575587-7 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.

---

575444-1 : Wininfo agent incorrectly reports OS version on Windows 10 in some cases

Component: Access Policy Manager

Symptoms:
If Custom Dialer client is used to establish VPN, Wininfo agent incorrectly reports OS as Win8 on Microsoft Windows 10.

This could result in VPN establishment failure.

Conditions:
Custom Dialer client is used on Windows 10
Access policy uses Wininfo agent.

Impact:
VPN cannot be established.

Workaround:
None.

Fix:
Wininfo agent now correctly reports OS version when running Custom Dialer client on Microsoft Windows 10.

---

575176-1 : Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic

Solution Article: K58275035

Component: TMOS

Symptoms:
In some scenarios UDP traffic can cause syncookie statistics to be incremented.

Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.

Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.

Fix:
The BIG-IP system no longer increases Syn Cookie cache statistics on ePVA enabled devices with UDP traffic.

---

575170-2 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.

Fix:
Correct identification of the virtual server and the activity reported in the charts is displaying to the right virtual server.

---

575133-1 : asm_config_server_rpc_handler_async.pl SIGSEGV and core

Component: Application Security Manager

Symptoms:
asm_config_server_rpc_handler_async.pl SIGSEGV and core

Conditions:
Import ASM XML security policy

Impact:
asm_config_server_rpc_handler_async.pl SIGSEGV and core. This occurs after the policy import completes.

Workaround:
N/A

Fix:
The asm_config_server_rpc_handler_async.pl no longer crashes upon import ASM XML security policy.

---

575066-1 : Management DHCP settings do not take effect

Component: TMOS

Symptoms:
Modifications to /sys management-dhcp do not take effect.

Conditions:
Custom management-dhcp settings configured.

Impact:
DHCP for management interface does not function correctly.

Workaround:
Perform the following procedure:

1. Remount /usr to be read-write.
# mount -o rw,remount /usr

2. Edit the following file, which is a symlink into /usr.
# vi /defaults/config/templates/dhcp.tmpl

3. Change this line around line 7 to add escaped quotes
   print "interface \"$mgmt_interface\" {\n";

4. Remount /usr back to read-only.
# mount -o ro,remount /usr

5. Make a change to the list of DHCP requested options.
# tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }

6. Verify that "eth0" is quoted in this file:
# grep interface /etc/dhclient.conf
interface "eth0" {

7. Create a symbolic link to dhclient.conf
# cd /etc/dhcp
# ln -s ../dhclient.conf .

8. Restart DHCP on the management interface.
# tmsh modify sys global-settings mgmt-dhcp disabled
# tmsh modify sys global-settings mgmt-dhcp enabled

No system reboot should be necessary.

Fix:
Management DHCP settings now take effect as expected when custom management-dhcp settings are configured.

---

575027-1 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.

Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.

---

575011-1 : Memory leak. Nitrox3 Hang Detected.

Solution Article: K21137299

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly

Fix:
Repaired memory leak.

---

574880-3 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.

Component: Local Traffic Manager

Symptoms:
When connection rate limit is set on a fastL4 virtual server,
client connections hang with high probability.

Conditions:
Set Connection Rate Limit on a fastL4 virtual server.

Impact:
Client connections hang with high probability.

Workaround:
Do rate limiting using iRules.
https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting

Fix:
Fixed Connection Rate Limiting on a fastL4 virtual server.

---

574526-1 : HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter

Solution Article: K55542554

Component: Local Traffic Manager

Symptoms:
HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter.

Conditions:
when http/2 or spdy is configured and client query URI contains '?' (question mark).

Impact:
No query parameter will be returned.

Workaround:
None.

Fix:
Issue fixed.

---

574052-4 : GTM autoconf can cause high CPU usage for gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations.

In large configurations of LTM vses that contain "." (dot) in the name.

Conditions:
Large configuration of LTM VS that contain "." in the name have the name converted ("." is replaced by "_") and the LTM VS name is saved to the config.

This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of VS to find a match.

This problem is caused by large numbers of VSes on a GTM Server. (10k VSes on 10k Server is less of an issue
than 10k VSes on 1 GTM Server)

Impact:
CPU usage is high, which may impact monitoring and LB decisions.

Workaround:
There are some mitigations. The preferable (for performance
and stability) are listed first.

1. Rename the virtual servers on the LTM to remove the "."
   This would require deleting the GTM configuration and
   rediscovering it and recreating pools.

2. Turn off autoconf.
   Run autoconf once to populate the config, then turn it
   off.

3. Reduce the frequency of autoconf. It will still cause
   a high CPU usage scenario, but it will be less frequent.

Versions 12.0.0 and higher do not convert the "." to "_". So that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they still may run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue, a reconfig would be necessary.

Fix:
Change algorithm used to match LTM VS names to GTM VS to reduce linear walk of all VSes on a server.

---

574020-5 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Component: Local Traffic Manager

Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').

Conditions:
This issue occurs when the following conditions are met:

-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').

Impact:
Script fails to work properly, and fails to properly install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which the some user environments might not have.

Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).

Fix:
Safenet HSM installation script install now completes successfully if partition password contains special metacharacters (!#{}').

Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.

---

573764-1 : In some cases, only primary blade retains it's statistics after upgrade on multi bladed system

Component: Application Visibility and Reporting

Symptoms:
Statistics from the primary blade remain after upgrade, but not from the other blades.

Conditions:
Upgrade to new version in multi bladed system.

Impact:
Not all statistics are present after upgrade.

Workaround:
No workaround

---

573643-3 : flash.utils.Proxy functionality is not negotiated

Component: Access Policy Manager

Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.

Conditions:
Presence of flash.utils.Proxy descendants.

Impact:
Customer application malfunction.

Workaround:
None.

---

573611-1 : Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs

Component: Access Policy Manager

Symptoms:
When a user session times out, then subsequently attempts access using the expired session ID, APM may log a log message at "err" level similar to this:

Aug 15 14:54:25 bigip.hostname err tmm[10206]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete, Line:

Conditions:
User is logged into APM and session times out.

Impact:
Error log messages may be confusing to BIG-IP APM administrators. The client is able to successfully reconnect.

Fix:
Erroneous messages of "Access encountered error: ERR_NOT_FOUND" are no longer logged in the APM log.

---

573602-1 : FQDN pool members not shown by tmsh show ltm monitor

Component: Local Traffic Manager

Symptoms:
The tmsh 'show ltm monitor <monitor-type>' command does not display the status of FQDN pool members.

Conditions:
-- LTM monitor is assigned to FQDN pool members (including FQDN members of an LTM pool to which the monitor is assigned).
-- Running the tmsh command: show ltm monitor <monitor-type>.

Impact:
Unable to view status of FQDN pool members via the tmsh 'show ltm monitor <monitor-type>' command.

Workaround:
There is no workaround at this time.

Fix:
The status of FQDN pool members is displayed by the tmsh 'show ltm monitor <monitor-type>' command. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

573584 : CPLD update success logs at the same error level as an update failure

Component: TMOS

Symptoms:
On booting after a successful CPLD update, you see an error in /var/log/ltm: "err chmand[4933]: 012a0003:3: CPLD not updated after previous power cycle."

Conditions:
This occurs during reboot after a successful firmware update

Impact:
The message is logged as an error, but it actually means that the CPLD version is as it is expected to be. This error can be safely ignored.

Fix:
CPLD update not required is now logged at the info level, not error.

---

573366-4 : parking command used in the nesting script of clientside and serverside command can cause tmm core

Component: Local Traffic Manager

Symptoms:
tmm cores in configuration using certain iRules

Conditions:
An iRule that parks the interpreter is used in the nesting script of clientside and serverside command. (e.g. when doing a table lookup).

For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
move the parking command outside the nesting script.

---

573343-1 : NTP vulnerability CVE-2015-8158

Solution Article: K01324833

---

573302-1 : FQDN pool member remains in disabled state after removing monitor

Component: Local Traffic Manager

Symptoms:
If an FQDN pool member has been disabled by a monitor (for example, after the monitor receives the configured recv-disable string from the node) and the monitor is then removed from the pool or member configuration, the FQDN pool member remains in a 'disabled' state (state and session-status are 'disabled') instead of changing to an 'unknown' state.

Conditions:
-- FQDN pool member is marked 'disabled' by a monitor.
-- The monitor is then removed.

Impact:
The FQDN pool member remains in a 'disabled' state and is unable to receive traffic.

Workaround:
There is no workaround at this time.

Fix:
When an FQDN pool member is marked 'disabled' by a monitor, then the monitor is removed, the FQDN pool member is updated to an 'unknown' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

573075-4 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause 'ADAPT unexpected state transition'.

The adapt profile statistic 'records adapted' reaches a very high number as it counts every attempt.

Conditions:
-- A requestadapt or responseadapt profile is configured.
-- An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks.
-- The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
-- Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause 'ADAPT unexpected state transition'.

The 'records adapted' statistic reaches a very high number.
Eventually the TMM crashes and the BIG-IP system fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above.

In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.

Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the 'records adapted' statistic reports the correct number.

---

573031-1 : qkview may not collect certain configuration files in their entirety

Component: TMOS

Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:

/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf

Conditions:
Any of the listed files exceeds 5 Mbytes.

Impact:
Fault diagnosis may be affected.

Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.

---

572885-1 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
ASM provisioned.
Device group w/ ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

---

572568-2 : Gy CCR-i requests are not being re-sent after initial configured re-transmits

Component: Policy Enforcement Manager

Symptoms:
For Gy interface, if OCS doesn't respond to the initial set of CCR-I requests as per the diameter-endpoint profile (1+ msg-max-retransmits <n>), the new set of CCR-I requests are not being generated, even after provisioning pending timeout happens.

Conditions:
This issues happens only for Gy interface and when initial set of CCR-I request doesn't get a CCA response.

Impact:
The subscriber will be left in Idle state till the default quota is breached and brought down or subscriber can reconnect once OCS CCA response is fixed.

Workaround:
Re-connect the subscriber once the CCA response is fixed in OCS

Fix:
The solution is to resend CCR-I requests once the provisioning timeout happens

---

572558-1 : Internet Explorer: incorrect handling of document.write() to closed document

Component: Access Policy Manager

Symptoms:
HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page.

Conditions:
HTML page with document.write() calls inside event handlers or another scripts executed after document loading.
Strings passed to document.write() function contain HTML tags with URL or another re-writable content in attributes.

Impact:
HTML page is not shown at all or works incorrectly in Internet Explorer.

Workaround:
No workaround known

Fix:
Now HTML pages with document.write() calls for closed document are handled correctly by Portal Access.

---

572281-5 : Variable value in the nesting script of foreach command get reset when there is parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

There is parking command, after, in the script and it runs after "set a 10", when after command returns, the value of a goes back to the initial value set in the foreach, value of 10 is lost.

Conditions:
There is parking command in the nesting script of foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962

Impact:
Variable values get reset.

Workaround:
Set(or set again) the variable value after the parking command.

Fix:
Will fix in later release.

---

572272-5 : BIG-IP - Anonymous Certificate ID Enumeration

Solution Article: K65355492

---

572234-2 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.

Component: Local Traffic Manager

Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.

Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.

The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.

The return route is a pool route.

The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.

Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.

Workaround:
Increase the lasthop module's TCP idle timeout.

echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp

Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.

---

572133-5 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are being sent to stderr instead of stdout. This will be seen if a you are watching stderr for error messages.

Conditions:
There are no conditions, every time the command is run, it will send some status type messages to stderr.

Impact:
If a script runs the command it may report that the save failed because messages were send to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.

---

571651-3 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

    'n3-cryptoX request queue stuck'.

Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.

An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.

Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.

Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.

---

571634-1 : tmstat CPU values can be incorrect

Component: TMOS

Symptoms:
The CPU values returned by blades in a chassis may not be sorted correctly and so the returned values might appear confusing or invalid.

Conditions:
Retrieving values for a chassis using the following command: tmstat cpu.

Impact:
Incorrect reporting of TMM CPU utilization using tmstat command.

Workaround:
No workaround.

Fix:
Values are now properly sorted and maintained.

---

571095-1 : Monitor probing to pool member stops after FQDN pool member with same IP address is deleted

Component: Local Traffic Manager

Symptoms:
If an FQDN pool member resolves to the same IP address (node) as a non-FQDN (static) pool member, and the FQDN pool/member is deleted, no further monitor probes are sent to the remaining non-FQDN (static) pool member.

Conditions:
This occurs if an FQDN pool member resolves to the same IP address (node) as an existing non-FQDN (static) pool member.

Impact:
Loss of health monitoring to remaining non-FQDN (static) pool member.

Workaround:
There is no workaround other than avoiding creating a static pool member with the same IP address that could be resolved to an FQDN name.

Fix:
An FQDN pool member and static (non-FQDN) pool member can no longer be created with the same IP address, preventing loss of monitoring of the static member of the conflicting FQDN pool member is deleted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

---

570818-4 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.

Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.

---

570697-1 : NTP vulnerability CVE-2015-8138

Solution Article: K71245322

---

570667-2 : OpenSSL vulnerabilities

Solution Article: K64009378

---

570570-5 : Default crypto failure action is now 'go-offline-downlinks'.

Component: Local Traffic Manager

Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "none" or "failover". Now, the default behavior is "go-offline-downlinks".

(Note: You can find information on crypto accelerator fail-safe behavior in K16951: Overview of SSL hardware acceleration fail-safe :: https://support.f5.com/csp/article/K16951.)

Conditions:
Crypto accelerator encounters a failure and crypto.ha.action has not been changed from its default.

Impact:
If a hardware accelerator failed on a blade in a chassis, the system would failover, but if there was a second failover back to the chassis with the failed blade, SSL traffic might get dropped.

Workaround:
Set the db variable crypto.ha.action to your desired value.

Fix:
Previously, if a crypto accelerator encountered a failure, the default action was either 'none' or 'failover'. Now, the default behavior is 'go-offline-downlinks'.

Behavior Change:
The default value of the db variable crypto.ha.action has changed to 'go-offline-downlinks'. The only time this has an effect on the system is when a crypto accelerator fails. For a chassis, this value will cause the blade that had the failed crypto device to go offline, leaving the other blades to handle the load, while an appliance will failover to its standby peer. See https://support.f5.com/csp/article/K16951 for more details.

---

570277-1 : SafeNet client not able to establish session to all HSMs on all blades.

Solution Article: K16044231

Component: Local Traffic Manager

Symptoms:
SafeNet client not able to establish session to all HSMs on all blades.

Conditions:
When the BIG-IP chassis is used with SafeNet HSM high availability (HA), and when BIG-IP tmm interface is used.

Impact:
SafeNet HSM HA is not being used at its maximal capacity.

Workaround:
Restart pkcs11d to mitigate this issue.

Fix:
We have adjusted the startup timing of pkcs11d to wait until tmm initialization finishes. Also we added retry for pkcs11d threads when connecting to HSM.

---

570217-2 : BIG-IP APM now uses Airwatch v2 API to retreive device posture information

Component: Access Policy Manager

Symptoms:
Airwatch version 8.3 and above no longer use the v1 REST API. APM is not be able to retrieve device information from Airwatch MDM version 8.3 and higher and device posture checking in APM policies fails.

Conditions:
- Airwatch configured on APM
- Airwatch is upgraded to version 8.3 or higher

Impact:
BIG-IP APM is unable to retrieve device information and device posture check will fail.

Workaround:
n/a

Fix:
BIG-IP APM now utilizes the Airwatch v2 API to access device posture information.

Important: you must be using Airwatch release 8.3 and up because older releases do not support the v2 REST API end points.

---

570057-2 : Can't install more than 16 SafeNet HSMs in its HA group

Component: Local Traffic Manager

Symptoms:
With installation script on the BIG-IP, you can't install more than 16 SafeNet HSMs in its high availability group with versions 5.2 and 5.4.

Conditions:
Attempt to install more than 16 SafeNet HSMs.

Impact:
Installer script failure.

Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.

Fix:
Updated SafeNet installation scripts by replacing "vtl" to "lunacm" for high availability group creation and member adding operations for version 6.2.

---

569814-2 : iRule "nexthop IP_ADDR" rejected by validator

Solution Article: K30240351

Component: Local Traffic Manager

Symptoms:
The nexthop command allows an administrator the ability to specify a forwarding address in an iRule. The form which takes an IP address may be rejected by the validator with an error message of the form:

01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]

Conditions:
This occurs when the nexthop command contains only the IP address, for example:

when HTTP_REQUEST {
  nexthop 10.0.0.1
}

Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.

Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:

    when HTTP_REQUEST {
nexthop internal 10.0.0.1
    }

Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.

---

569563-3 : Sockets resource leak after loading complex policy

Component: Access Policy Manager

Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.

After some time, the APM process file descriptor table is exhausted and no more access policies are processed.

The following error messages may be observed in the logs:

err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].

Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).

File descriptors leak (remain unclosed) after loading complex policies that contain many agents.

Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.

Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.

Current preferred workaround is to set log level to ERROR or higher and restart apmd.

When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:

bigstart restart apmd

Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.

Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties

Note 3: Opened file descriptors do not close until apmd is restarted.

Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:

lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP. This gives you the number of open files.

- Detailed steps to change logging-level to ERROR:

Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }

Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties

Step 3. Manually restart apmd using the following command: bigstart restart apmd

Fix:
Sockets are now closed properly, so there is no longer file descriptor leakage when loading or reloading complex access policies.

---

569542-1 : After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★

Component: Access Policy Manager

Symptoms:
After upgrade, an existing user-created partition will not be able to load any existing hosted-content file or upload a new one.

The issue happens because the required APM Sandbox directory w.r.t. this partition is missing after the upgrade.

01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_file_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Loading configuration process failed.

REPRODUCTION STEPS:
1) Before upgrade, create a partition (make sure APM is provisioned), say 'p1'.
2) Install the upgrade and reboot.
3) After upgrade, partition 'p1' is created but the required directory '/var/sam/www/webtop/sandbox/files_d/p1_d' is not created.

This can occur on upgrades from prior to 11.6.0 to 11.6.0 through 12.1.0.

Conditions:
Partition is created before the upgrade.

Impact:
Configuration load fails if the existing partition had any hosted-content file before upgrade. If it did not have any hosted-content file before upgrade, the configuration load will be successful, but the user cannot upload/create a new hosted-content file in this partition sandbox.

Workaround:
Workaround is manually create the required sandbox directory using bash command:

mkdir -p /var/sam/www/webtop/sandbox/files_d/p1_d

---

569467-5 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Solution Article: K11772107

---

569355-1 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494

Solution Article: K50118123

---

569316-1 : Core occurs on standby in MRF when routing to a route using a transport config

Component: Service Provider

Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.

Conditions:
routing a message to a route that uses a transport-config to define how to create an outgoing connection.

Impact:
The standby device will core.

Workaround:
NA

Fix:
Fix properly initializes a field on the standby.

---

569309-3 : Clientside HTML parser does not recognize HTML event attributes without value

Component: Access Policy Manager

Symptoms:
Assignment of a specific HTML content to tag.innerHTML might lead to a JavaScript error. This happens when one or more of tags in HTML text contain HTML event attributes without assigned values (such as <div onclick />).

Error messages similar to the following are logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference.

Conditions:
Dynamically created HTML page with event attributes without values, for example:

<div onclick />

Impact:
Web application does not work when accessed through Portal Access.

Workaround:
You can use a customized iRule to handle a specific application.

Fix:
Now empty inline event handler attributes are not rewritten on the client side.

---

569288-6 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This will cause some of the LACP trunk members not able to aggregate successfully with peer switch.

Conditions:
This only happens in a chassis based system when certain race condition causes trunk id being modified after initial trunk creation.

Impact:
Non aggregated trunk members won't be able to pass traffic.

Workaround:
Restart lacpd in all the blades in the chassis by running command "clsh bigstart restart lacpd"

---

569195-1 : A Set-Cookie for an existing ASM cookie without value change

Solution Article: K41874435

Component: Application Security Manager

Symptoms:
A Set-Cookie command appears for an ASM cookie (TS cookie) where the value has not changed and the set-cookie command is not needed.

Conditions:
-- The policy building is automatic or manual mode.
-- Additional features may also cause TS cookie setting, but usually these will also include cookie changes.

Impact:
The unneeded cookie may disturb caching and cause additional unnecessary bandwidth consumption.

Workaround:
If possible, turn off the policy builder.

Fix:
Unneeded set cookie for an ASM cookie is not issued.

---

569121-1 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low

Component: Anomaly Detection Services

Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.

Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.

Impact:
Overall rate limit is lower than expected.

Fix:
Improvements were made to rate limiting in environments with a high number of tmms

---

569100-1 : Virtual server using NTLM profile results in benign Tcl error

Component: TMOS

Symptoms:
Tcl error in /var/log/ltm.

Tcl error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP

Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.

Impact:
If you are using TMSH to configure virtual server and NTLM profile, validation/constraint is not performed/enforced.

Workaround:
This is a benign, cosmetic error. There should be no functional impact to the system.

Fix:
Fixed the unexpected error message encountered and added validation when creating a virtual server with an NTLM profile.

---

568672-1 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI

Component: TMOS

Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.

Conditions:
This occurs if a tunnel times out and goes to the down state.

Impact:
Confusion on the true state of the tunnel.

Workaround:
None needed.

Fix:
Now, when a tunnel times out and goes to the down state, the state is shown correctly.

---

568545-2 : iRules commands that refer to a transport-config will fail validation

Solution Article: K17124802

Component: Service Provider

Symptoms:
If an iRule command refers to a transport-config, the iRule fails validation even if the object exists.

Conditions:
-- iRule command refers to a transport-config.
-- iRule validation occurs.

Example:
create ltm pool p1 members add { 10.2.3.4:5060 }
create ltm message-routing sip transport-config tc1 profiles add { udp sipsession }
create ltm virtual vs1 destination 10.1.1.50:5060 profiles add { udp sipsession siprouter }
create ltm rule r1
ltm rule r1 {
    when MR_INGRESS {
        MR::message route config tc1 pool p1 <==command refers to tc1 which is a transport-config object
    }
}

Impact:
Validation fails even though object exists. Unable to directly refer to a transport-config from an iRule command.

Workaround:
If the name of the transport-config is loaded into a Tcl variable, the Tcl variable can be use to indirectly refer to the transport-config object.

Fix:
iRule validation logic has been improved to check for the existence of a transport config object.

---

568543-4 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.

Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (previous max was 4093)

---

567743-2 : Possible gtmd crash under certain conditions.

Solution Article: K70663134

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core leading to a SIGSEV due to a possible race condition.

Conditions:
Due to a possible race condition that occurs under certain conditions (such as a sync event), gtmd might core.

Impact:
This event could lead to an outage.

Workaround:
None.

Fix:
The system now correctly processes this condition so that no race condition occurs.

---

567546-1 : Files with file names larger than 100 characters are omitted from qkview

Component: TMOS

Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.

Conditions:
No conditions necessary. Any file with a name larger than 100 characters is automatically omitted.

Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.

Workaround:
One would have to rename any files with names larger than 100 characters to names with less than 100 characters.

Fix:
Qkview was fixed to not use POSIX as the tar format, but instead to use the "GNU" format which allows for up to 256 characters (the system limit). The fixed program now allows any length of characters possible.

---

567457-2 : TMM may crash when changing the IKE peer config.

Component: TMOS

Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).

Conditions:
This occurs when making changes to IPsec tunnels that causes the configuration to become invalid. For example, changing ISAKMP phase1 from SHA-1 to MD5 results in an invalid configuration.

Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use tmsh to make the affected configuration changes... this occurs in the GUI only. The tmsh 'create' command does not cause this core.

Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.

---

567330-1 : tmsh show sys memory on secondaries will generate innocuous error

Component: Local Traffic Manager

Symptoms:
The ltm log file contains these errors: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).

Conditions:
This occurs when logged into secondary member of a cluster (VIPRION blade or vCMP guest) and running the command: tmsh show sys memory.

Impact:
The error indicates that the secondary member cannot display information that is only presented on a primary. This is a spurious error, and you can safely ignore it.

Workaround:
Ignore the specific error with this signature:

0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).

Fix:
no longer displays 'Data publisher not found or not implemented' messages when running the command: tmsh show sys memory on secondary member of a cluster (VIPRION blade or vCMP guest).

---

567233-1 : Multiple samba vulnerabilities

Solution Article: K92616530

---

567177-1 : Log all attempts of key export in ltm log

Component: TMOS

Symptoms:
Attempts to export keys are not logged.

Conditions:
-- Exporting keys.
-- Viewing ltm log.

Impact:
No messages logged to indicate the export attempts.

Workaround:
None.

Fix:
iControl:
======================
When any of the following iControl functions is called (either by the GUI or directly by a system user), the system logs it in ltm log. The log will include the iControl function name, key names, and BIG-IP user name.
key_export_to_file
key_export_to_pem
export_all_to_archive_stream
export_to_archive_stream
export_all_to_archive_file
export_to_archive_file

ltm logs example:
======================
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()
-- info iControlPortal.cgi[26687]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: keys (/Common/kc.key, /Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()

tmsh:
======================
The only possibility for using tmsh to export a key is saving a UCS file, so that will be logged.

ltm logs example:
======================
notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.


GUI:
======================
There are 3 ways that a user can get key export from GUI:
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: default : Key Export
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: Archive...
-- System :: Archives :: New Archive...

These are internally implemented by using iControl and tmsh calls, so they will be automatically be logged in ltm log as iControl or tmsh users.

Behavior Change:
With this change, any attempt to export key will be logged in ltm log. Logged attempts include: save a UCS file, archive key files, or export key files, using tmsh/iControl/GUI.

---

566576-6 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error in detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.

Fix:
Big-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.

---

566507-4 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.

---

566342 : Cannot set 10T-FD or 10T-HD on management port

Component: Local Traffic Manager

Symptoms:
When setting the B4450 or B4300 mgmt port to 10T-FD or 10T-HD, there is no link LED. However, the peer unit shows the correct link LED for this setting.

Conditions:
B4450 or B4300 blade and you want to set 10T-FD or 10T-HD media type

Impact:
Unable to set this media type.

Fix:
The management port of B4450 and B4300 blades can now be configured with 10T-FD or 10T-HD

---

566071-5 : network-HSM may not be operational on secondary slots of a standby chassis.

Component: Local Traffic Manager

Symptoms:
pkcs11d may not be running on secondary slots of a chassis.

Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.

Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.

Workaround:
Manually install netHSM on each secondary slot.

Fix:
netHSM install no longer depends on management IP of secondary slots and also successfully installs on slots of a standby chassis.

---

565895-1 : Multiple PCRE Vulnerabilities

Solution Article: K17235

---

565799-4 : CPU Usage increases when using masquerade addresses

Component: Local Traffic Manager

Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.

Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.

Impact:
Possible performance degradation or reduction in capacity

Fix:
Performance of masquerade address checks is restored.

---

565347-2 : Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction

Component: Access Policy Manager

Symptoms:
Rewrite engine behaves improperly in case of AS2 SWF with a string in 'push' instruction longer than the instruction length itself.

Conditions:
Any AS2 SWF with a string in 'push' instruction longer than the instruction length.

Impact:
Rewrite coredump.

Workaround:
It can be worked around by adding an Portal Access profile resource item with Flash patcher turned off for improper SWF content.

Fix:
Completely fixed.

---

565137 : Pool licensing fails in some KVM/OpenStack environments.

Solution Article: K12372003

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ, BIG-IQ can fail. The system posts the errors such as the following:

-- In /var/log/ltm: Dossier error 16.

-- In /var/log/restjavad: Dossier validation failed. error code: 5.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Workaround:
There is no workaround.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.

---

564876-2 : New DB variable log.lsn.comma changes CGNAT logs to CSV format

Component: Carrier-Grade NAT

Symptoms:
New CSV format that does not use quotes as delimiters was not present prior to 12.1.2.

Conditions:
Setting the DB variable log.lsn.comma

Impact:
More control of logging format via the DB variable log.lsn.comma

Workaround:
N/A

Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.

Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.

---

564771-1 : cron sends purge_mysql_logs.pl email error on LTM-only device

Component: TMOS

Symptoms:
On a device provisioned with LTM only, cron may log or send an email containing the following perl error:

/etc/cron.hourly/purge_mysql_logs.pl:

Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27

This script was only intended to be run with AM, ASM, or ASM provisioned and it generates an error if it is not.

Conditions:
Any device with AM, ASM, and PSM not provisioned. LTM-only devices are impacted.

Impact:
If cron can send email, it will send the perl error in the email once per hour.

---

564522-2 : cron is configured with MAILTO=root but mailhost defaults to 'mail'

Solution Article: K40547220

Component: TMOS

Symptoms:
The crontab and ssmtp configurations environment is MAILTO="", which means no email and it is difficult to find where the email went.

Conditions:
This exists in the default crontab and ssmtp configurations.

Impact:
- You may receive unexpected messages addressed to "root" at a host named "mail" on your network

OR

- You may encounter messages similar to the following in /var/log/maillog:

Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25

Workaround:
Change outbound-smtp mailhub to localhost with tmsh:

tmsh modify /sys outbound-smtp mailhub localhost

Fix:
Default mailhub has been changed to localhost. Starting in 12.0.0, MAILTO is set to root instead of "" in /etc/crontab so that the output of cron jobs can be captured. However, ssmtp is configured by default with a mailhost of 'mail', which may result in either error messages logged to /var/log/maillog or unexpected messages received on another system.

---

564324-2 : ASM scripts can break applications

Component: Application Security Manager

Symptoms:
ASM originated scripts are injected into places where they are not supposed to be, causing the script not to work and/or the application to break.

Conditions:
ASM is in front of a single page application, where injection is possible only for the main page. \
ASM has the CSRF or web scraping feature enabled.

Impact:
Application malfunctions, shows javascrip errors

Workaround:
Turn off the relevant feature that causes the injection.

---

564281-3 : TMM (debug) assert seen during Failover with Gy

Component: Policy Enforcement Manager

Symptoms:
When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured.

Conditions:
Using PEM and Gy is configured.

Impact:
The TMM (debug version) may core and restart, resetting all connections.

Workaround:
Do not use the debug tmm with Gy.

Fix:
This debug assert has been changed to a debug log message.

---

564058-1 : AutoDoS daemon aborts intermittently after it's being up for several days

Solution Article: K91467162

Component: Advanced Firewall Manager

Symptoms:
AutoDoS daemon aborts intermittently when accessing session db api for memcache interface.

Conditions:
This happens in control plan AutoDoS daemon. This is an intermittent issue that occurs in few platforms under specific stress testing.

Impact:
Core will be seen, but the daemon will restart, and there is no loss of state.

Workaround:
No workaround.

Fix:
AutoDoS daemon no longer aborts intermittently when accessing session db api for memcache interface.

---

563933-4 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs results in additional lookups by the client which could be glue records for a resolver.

Workaround:
Set dns64-additional-section-rewrite is 'any'.

Fix:
v4-only and v6-only options work as expected. Note that DNS64 prefix operations occur after all other DNS processing blocks -- including GTM.

---

563905-2 : Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Component: TMOS

Symptoms:
Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on one or more Secondary blades.

Entries similar to the following example are visible in the /var/log/ltm file:

err mcpd[10724]: 01070920:3: Application error for confpp: STDERR/STDOUT text begins Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: STDERR/STDOUT text ends ************************************************************* Nov 20 22:07:22 bigip1 confpp[20403]: reconfig command FAILURE for unix_config_syslog returned: '/etc/init.d/syslog-ng restart 2>&1' Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: [ OK ]

err mcpd[10724]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070920:3: Application error for confpp: STDERR/STDOUT text begins Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: STDERR/STDOUT text ends ************************************************************* Nov 20 22:07:22 bigip1 confpp[20403]: reconfig command FAILURE for unix_config_syslog returned: '/etc/init.d/syslog-ng restart 2>&1' Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: [ OK ]

Conditions:
-- Multi-blade VIPRION system or vCMP guest.
-- The system is rebooted.

Impact:
The blades that encounter this issue take longer to become operational, as they undergo an unnecessary MCPD restart.

Workaround:
None.

Fix:
Multi-blade systems that are rebooted no longer experience unnecessary MCPD restarts.

---

563727-1 : Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'

Component: Application Security Manager

Symptoms:
A GET request without payload but with payload indication doesn't issue the body in get violation.

Conditions:
A Get request without payload arrives.
The request has a 'transfer-encoding: chunked' header although there is no payload.

Impact:
A suspicious request goes by undetected.

Workaround:
Add an iRule that removes this header from the ASM and issues a custom violation.

Fix:
A GET request without payload but with 'transfer-encoding: chunked' will issue the body in GET sub violation.

---

563661-2 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases, datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM provisioned and enabled.

Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue has been fixed.

---

563592 : Content diagnostics and LCD

Component: TMOS

Symptoms:
While running platform_check, you notice this on the LCD:

F5 LCD Server
Clients: 0
Screens: 0

Conditions:
This occurs when running platform_check after running bigstart stop

Impact:
This is cosmetic, the LCD does not indicate that it is in diagnostic mode.

Fix:
When the LCD is unable to communicate with BIG-IP, such as during shutdown or platform_check, the LCD now displays the following:
F5 LCD Server
Host inaccessible or
in diagnostic mode

---

563135-3 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt

Component: Access Policy Manager

Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.

Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request

Impact:
The first request after authentication will fail.

Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.

---

562928-2 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain url connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled with 'curl: (7) couldn't connect to host' error.

Conditions:
Using curl command with'--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling 'cmp' option in virtual server secures the traffic over IPsec tunnels.

Fix:
Using curl command with'--local-port' option no longer causes the connections to fail on the BIG-IP system.

---

562921-4 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.

Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"

---

562636-2 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.

Solution Article: K05489319

Component: Access Policy Manager

Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.

Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.

Impact:
A memory leak in the TMM.

Workaround:
None (when the triggering conditions are encountered).

Fix:
This release corrects the possible memory exhaustion issue in access end-user interface pages for transparent proxy/SWG cases.

---

562267-3 : FQDN nodes do not support monitor alias destinations.

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support monitor alias destinations.

Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.

Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.

Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.

Fix:
FQDN nodes now support monitor alias destinations.

---

561892-2 : Kerberos cache is not cleared when Administrator password is changed in AAA AD Server

Solution Article: K08121752

Component: Access Policy Manager

Symptoms:
BIG-IP Administrator's password is changed and AD Query fails.

Conditions:
-- Administrator's password is changed for AAA AD Server.
-- Access policy applied.

Impact:
AD Query fails.

Workaround:
Remove Kerberos cache files (krb5cc_0 and krb5cc_1) manually in /var/run/apmd/krb5cc/ and all subdirectories.

Fix:
Kerberos cache is removed by apmd, if the administrator's password is changed and an access policy is applied.

---

561500-4 : ICAP Parsing improvement

Component: Service Provider

Symptoms:
If a malformed ICAP message is sent to the Big-IP the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.

Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message is received from an ICAP server lacking "ICAP/1.0" as initial header line.

Impact:
Memory and CPU usage increase.
Eventually the TMM may crash causing Big-IP fail-over.

Fix:
ICAP parser checks for correct initial ICAP/1.0 header line and rejects message if missing.

---

561444-1 : LCD might display incorrect output.

Component: TMOS

Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.

Fix:
The issue allowing garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) is now prevented from happening.

---

561348-7 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
krb5.conf file is not in sync across all blades.
this may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.

Conditions:
When administrator made changes to krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
None.

Fix:
The APM code now automatically synchronizes the changes to /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file either in Active Device or Standby device will be automatically synced to other device.

In Chassis, all the Secondary blades will mirror the file on the Primary blade. Any manual change done on the Secondary blade(s) will be lost. The admin has to do the changes on Primary blade only and it will be synchronized with all others blades.

Behavior Change:
When admin modifies /etc/krb5.conf file, the changes are automatically updated on other devices in the same Failover Device group.

When admin modifies the /etc/krb5.conf file on the primary blade of the chassis, the changes are automatically updated on all secondary blades.

---

560471-1 : Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down

Component: Local Traffic Manager

Symptoms:
Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down.

Conditions:
Changing the monitor configuration of a pool. For example:

tmsh modify ltm pool http-pool monitor http and tcp
tmsh modify ltm pool http-pool monitor min 1 of { http tcp }

Impact:
Virtual server may be incorrectly marked down, when it should not be.

Fix:
Changing the monitor configuration of a pool no longer causes the virtual server to be marked as down.

---

560114-6 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When Monpd is restarted, it starts printing non-stop error message to logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature - err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (maybe caused by /var/log being full).

Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd

---

560109-7 : Client capabilities failure

Solution Article: K19430431

---

559980-1 : Change console baud rate requires reboot to take effect

Component: TMOS

Symptoms:
When you change the console baud rate, you will see garbage characters.

Conditions:
When you make modification to the console baud rate.

Impact:
The console display has garbage characters.

Workaround:
Reboot the system.

Fix:
Console baud rate change now works.

---

559953-1 : tmm core on long DIAMETER::host value

Component: Service Provider

Symptoms:
tmm crashes and restarts when an iRule is accessed that contains a large DIAMETER::host value.

Conditions:
This occurs with a DIAMETER::host iRule parameter set to a very large value (2000 characters).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Limit the length of the DIAMETER::host parameter to less than 1000 characters.

Fix:
BIG-IP now limits the DIAMETER::host parameter to 1000 characters.

---

559837-4 : Misleading error message in catalina.out when listing certificates.

Component: TMOS

Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.

java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].

Conditions:
This occurs when listing certificates, and exceptions are returned.

Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found" message in catalina.out.

Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.

Fix:
Errors occur when listing certificates that contain invalid characters from the randomly generated table names, so the GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation.

---

559655 : Post RMA, system does not display correct platform name regardless of license

Component: TMOS

Symptoms:
When you get an RMA and you are licensed for a 4000 and the unit received has been licensed as a 4200, you will have a difference between hardware on site and the new hardware received, regardless of what license you have.

Conditions:
Take a 4000 from manufacturing and license it for a 4200 wipe system and rebuild and license for a 4000 and tmsh show sys hardware and device groups will indicate it to be a 4200
if you have a 4200 from manufacturing and license it as a 4000 it will still indicate that it is a 4200
Affected platforms is following
2000/2200 4000/4200 5000/5200 7000/7200 10000/10200

Impact:
Confusion as to what the actual platform is

---

559080-5 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and sent the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.

Fix:
The system now resets the expire timer when it initiates the close. If the server fails to reset or complete the close, the flow is aborted on the next expiration event.

---

559030-1 : TMM may core during ILX RPC activity if a connflow closes before the RPC returns

Solution Article: K65244513

Component: Local Traffic Manager

Symptoms:
TMM core with plugin context refcount error.

Conditions:
-- Using ILX RPC calls.
-- Connflow closes before the RPC returns.

Note: Most likely to occur when using a low-end unit or virtual edition configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
ILX plugin timeout no longer causes TMM core.

---

559001-1 : Unable to clear LCD messages and Alarm LED state on non-iSeries platforms

Component: TMOS

Symptoms:
You cannot clear alert messages shown on the LCD display from the TMOS console.

In addition, the Alarm LED may continue to reflect an elevated alert status (by display a steady or blinking Red or Amber state) after LCD alert messages are cleared.

Conditions:
-- This may occur when BIG-IP system is running on hardware platforms other than iSeries appliances.

-- Specifically, affected platforms include:
  + VIPRION B4200, B4300-series, B4400-series blades
  + VIPRION C4400, C4480, C4800 chassis
  + VIPRION B2100, B2150, B2250 blades
  + VIPRION C2400, C2200 chassis
  + BIG-IP 2000-series, 4000-series, 5000-series, 7000-series, 10000-series, 12000-series appliances
  + BIG-IP 800, 1600, 1600 LC, 3600, 3900, 6900-series, 8900-series, 11000-series appliances
  + EM 4000 appliances


-- Using the following commands to clear alerts from the LCD display or reset the Alarm LED:
tmsh reset-stats sys alert lcd
lcdwarn -c <level> [<blade>]

Impact:
The alarm state does not clear. The Alarm LED may indicate a previous alert state that has been acknowledged/cleared and is no longer accurate.

Workaround:
It may be possible to work around this issue using either of the following procedures:

-- Clear the LCD alert messages by pressing the appropriate buttons on the front panel LCD display itself.

-- Restart the fpdd daemon:
bigstart restart fpdd

Otherwise, rebooting the BIG-IP system restores the correct LED states.

Fix:
Clearing LCD alert messages from the TMOS console successfully clears alert messages from the LCD display and restores the Alarm LED to the correct status.

---

557680-4 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface attributes has its configuration modified quickly and repeatedly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).

---

557471-3 : LTM Policy statistics showing zeros in GUI

Component: TMOS

Symptoms:
Statistics for LTM Policies, e.g., the total count of policy action invocations and number of successful policy action invocations, are not being updated in the GUI. The GUI shows zeros for both of these stats for every LTM Policy.

Conditions:
Occurs under all conditions.

Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.

Workaround:
To work around this issue, you can use the tmsh utility to view BIG-IP LTM traffic policy statistics. To do so, perform the following procedure:

To retrieve stats for all policies, run the following command:
# tmsh show ltm policy.

To retrieve stats for a specific policy, run the following command:
# tmsh show ltm policy <policy-name>.

Fix:
LTM Policy statistics now shows the correct values in the GUI.

---

557434-4 : After setting a Last Resort Pool on a Wide IP, cannot reset back to None

Component: Global Traffic Manager (DNS)

Symptoms:
After configuring a wide IP with a Last Resort Pool set to something other than None, you can no longer change the Last Resort Pool back to None.

Conditions:
Last Resort Pool is set to something other than None.

Impact:
There is no None option in TMSH or GUI.

Workaround:
Setting the Pool Name to an empty string via tmsh will set it to None.
For example
modify gtm wideip a wip.f5.com last-resort-pool a

Fix:
None options added to tmsh and GUI.

---

557411-1 : Full Webtop resources appear overlapping in IE11 compatibility mode

Component: Access Policy Manager

Symptoms:
Full Webtop resources appear overlapping each other in MSIE 11 in compartibility mode

Conditions:
MSIE 11, compartibility mode. Full Webtop in use

Impact:
Everything is working but the icons overlap.

Workaround:
1. modify advanced customization of apm.css

#webtop_favorites_inner_container span.favorite span.caption{
...
    <? if( $_GET['ctype'] == 'IE' && $_GET['cversion'] < 9){ ?>
    zoom: 1;
    <? }elseif( $_GET['ctype'] == 'IE' && $_GET['cversion'] == 11){ ?>
    zoom: 0;
    <? } ?>
}


2. an irule that would change apm.css to
#webtop_favorites_inner_container SPAN.favorite SPAN.caption {
...
zoom: 1; /* <--- set 0 if msie 11 in compartibility mode */
}

Fix:
Everything is back to normal

---

557358-5 : TMM SIGSEGV and crash when memory allocation fails.

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV and crash when memory allocation fails.

Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.

Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.

Workaround:
None known at this time.

Fix:
TMM SIGSEGV and crash no longer occur when memory allocation fails due to a command attempting to remove the connection for removal from the SSL queue a second time.

---

557322-1 : Sensitive monitor parameters recorded in bigd and monitor logs

Component: Local Traffic Manager

Symptoms:
When bigd debug logging is enabled, the resulting bigd debug log may contain sensitive parameters from the monitor configuration.

When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration.

In each case, the monitor parameters logged may include:
- user-account password
- radius/diameter secret
- snmp community string

Conditions:
This may occur under either of the following conditions:

1. bigd debug logging is enabled:
tmsh modify sys db bigd.debug value enabled

2. Monitor instance logging is enabled for one of the following LTM monitor types:
ftp
imap
pop3
smtp

Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the bigd debug log (/var/log/bigdlog) or in the monitor instance logs under /var/log/monitors.

Workaround:
1. Do not enable bigd debug logging.

2. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.

3. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The password, community and secret parameters will now be redacted by bigd and Tcl monitors when debugging is enabled.

Behavior Change:
The password, community and secret parameters will now be redacted by bigd and Tcl monitors when debugging is enabled.

bigd will no longer log all of the monitor parameters every time that a Tcl monitor is scheduled and bigd debugging is enabled unless logging is specifically enabled for the monitor instance (e.g. a pool member has "logging enabled").

The Tcl worker process will no longer log all of the parameters of a monitor when the monitor is run and bigd debugging is enabled. If parameters information is needed for debugging purposes, this should be handled specifically in the Tcl monitor script.

---

557190-3 : 'packet_free: double free!' tmm core

Solution Article: K65615624

---

557155-8 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Solution Article: K33044393

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue is reproduced during a test that over provision a 2-vCPU guest and is unlikely to happen in normal operation.

Workaround:
Try ones of the following workarounds (first on is the most preferred and so ):
1. Increase guest memory.
2. Significantly reduce the value of the content in '/sys/module/unic/rx_queue_size'. For example running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
   sysctl vm.panic_on_oom=1

Fix:
BIG-IP Virtual Edition becomes unresponsive under extreme load test due to kernel memory exhaustion from over-provisioning.

---

555039-4 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Solution Article: K24458124

Component: TMOS

Symptoms:
There is a high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop

Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.

---

554713-2 : Deployment failed: Failed submitting iControl REST transaction

Component: TMOS

Symptoms:
When deploying an access control policy to a sync group, you notice the following error: Deployment failed:
Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address

Conditions:
This can happen on policy sync with a large number of ACLs.

Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.

Workaround:
None.

Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages once took an unexpectedly long time to render, which has been fixed.

---

553795-7 : Differing cert/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different cert/key, delete the original cert/key, create a new cert/key with the same name as the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip retains a copy of the original key.

2) If you change a client-ssl profile to a different cert/key, then create a new cert/key with a different name from the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the config-sync operation may fail and the peer's client-ssl profile will still use the original cert/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems without FIPS configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems may be out-of-sync, and one system's client-ssl profile uses one cert/key pair, while the other systems' same client-ssl profile uses a different cert/key pair.

Workaround:
1) For the first scenario, you can use either of the following workarounds:

-- Run an extra config-sync before the second change of the client-ssl profile.
-- Delete the FIPS key by-handle on the peer systems.

2) For the second scenario, you can use the following workaround:
-- Perform another config-sync operation in the GUI with the 'Overwrite Configuration' checkbox checked.

Note: If you also deleted your original cert/key pair, perform the following procedure:

1. Go onto the peer systems.
2. Manually delete those cert/key files that were copied during the first config-sync operation.
3. Look for the corresponding cert/key files in these two directories: /config/filestore/files_d/Common_d/certificate_d: /config/filestore/files_d/Common_d/certificate_key_d:
4. Delete the cert/key files in those directories.

Fix:
Systems now have the same cert/key after successful config-sync of High Availability configurations.

---

551925-3 : Misdirected UDP traffic with hardware acceleration

Component: TMOS

Symptoms:
UDP traffic might be forwarded to the wrong destination when using hardware acceleration.

Conditions:
If the UDP timeout is lower than the embedded Packet Velocity Acceleration (ePVA) aging timeout.

This occurs because UDP connections are accelerated until the ePVA aging timeout expires for the connection. If the ePVA aging timeout is greater than the UDP timeout, then TMM removes the connection from software, but the connection is still accelerated in the ePVA. Subsequent traffic then matches to the original connection, causing it to be sent to the wrong destination.

Impact:
Traffic can be sent to the wrong destination.

Workaround:
You can use either or both of the following workarounds:
-- Increase the UDP timeout (60s or more).
-- Disable UDP hardware acceleration.

---

551795-1 : Portal Access: corrections to CORS support for XMLHttpRequest

Component: Access Policy Manager

Symptoms:
XMLHttpRequest to external domain should fail if the server does not include 'Access-Control-Allow-Origin' header into response. Current implementation of CORS support in Portal Access does not enforce this failure.
If XMLHttpRequest to same-origin resource is redirected to external one, it has to be treated as cross-domain request. Current implementation of CORS support in Portal Access does not handle this case correctly.

Conditions:
XMLHttpRequest to external domain via Portal Access succeeds even when the server response does not include 'Access-Control-Allow-Origin' header.
XMLHttpRequest to same-origin resource succeeds via Portal Access in spite of response redirection.

Impact:
Web application may work incorrectly; some data access restrictions may not work.

Fix:
Now Portal Access supports CORS in case of response redirection for XMLHttpRequest.
CORS support enforces error in the case when 'Access-Control-Allow-Origin' header is absent in server response.

---

551349-5 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★

Solution Article: K80203854

Component: TMOS

Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.

Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install 10.2.4 ucs)

Impact:
Monitors appears to function normally but they will have the wrong format in the config file.

Workaround:
None.

Fix:
Determine if non-explicit (*) address is ipv4 or ipv6 based on next character to be parsed.

---

551208-6 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: Local Traffic Manager

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.

Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.

---

550547-2 : URL including a "token" query fails results in a connection reset

Component: Access Policy Manager

Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:

"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup]
It does not matter ntlm or basic auth.
This is triggered on sites that have "token" in the query parameters.

Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Workaround:
Workaround iRule:

when HTTP_REQUEST {
    if { [HTTP::query] contains "token" } {
      set fix 1
      HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}

when HTTP_REQUEST_SEND {
    if { [info exists fix] && $fix equals 1 } {
      clientside {
        HTTP::query [string map "aabbcc token" [HTTP::query]]
        unset fix
      }
    }
}

Fix:
Customization namespace for subsession state prefix with default value as "000fffff" has been added controlled via db variable "tmm.access.subsessionstateprefix" before state/token query param and validation is ensured to check for the prefix value before triggering serialize/deserialize code to avoid RST.

In case if a UCS is being restored and used for a Hotfix, the newly added DB variable may not be present in /config/Bigdb.dat file. The following information needs to be added in /config/Bigdb.dat file followed by a "bigstart restart" to ensure proper working.

#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32

---

550526 : Some time zones prevent configuring trust with a peer device using the GUI.

Solution Article: K84370515

Component: TMOS

Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.

Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.

-- Using the GUI to add a peer device to a trust configuration.

Impact:
Adding a peer device using the GUI fails.

Workaround:
You can use either of the following workarounds (you might find the first one easier):

-- Temporarily set the device timezone to a non-affected timezone (e.g.; UTC), establish trust, and set it back:

1. Navigate to System :: Platform.

2. Under 'Time Zone', select 'UTC', and click 'Update'

3. Repeat steps one and two to change all devices that are to be part of the trust domain.

4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.

5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.

-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.

Fix:
You can now use the GUI to add AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT when adding a peer device.

---

550161-4 : Networking devices might block a packet that has a TTL value higher than 230.

Component: Local Traffic Manager

Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.

Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).

Impact:
No access to the resources.

Workaround:
None.

Fix:
The TTL value can now be changed from the hardcoded value of 255. This supports the requirement that some networking devices have to block a packet whose TTL value is higher than 230.

---

549329-3 : L7 mirrored ACK from standby to active box can cause tmm core on active

Solution Article: K02020031

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby configuration setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.

---

547479-5 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.

---

547053-1 : Bad actor quarantining

Component: Anomaly Detection Services

Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue

Conditions:
This is a timing issue related to an having unusually high number of bad actors at the same time.

Impact:
Traffic can be removed from quarantine and passed to the web server

Fix:
An issue was fixed related to bad actor quarantining

---

546489-1 : VMware View USB redirection stops working after client reconnect

Component: Access Policy Manager

Symptoms:
VMware View USB redirection stops working

Conditions:
VMware View client reconnects due to network interruptions

Impact:
VMware View USB redirection stops working

Fix:
VMware View USB redirection works after client reconnect

---

546145-1 : Creating local user for previously remote user results in incomplete user definition.

Component: TMOS

Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.

Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.

Impact:
User cannot authenticate. User name does not appear in User List.

Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.

---

545810-3 : TMM halts and restarts

Solution Article: K14304373

Component: Local Traffic Manager

Symptoms:
TMM halts and restarts.

Conditions:
This crash can happen when passing egress traffic on LTM virtual servers that meet the following two configuration criteria:
-- The virtual server is configured with a Fast HTTP profile.

Impact:
Halt and restart of TMM. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Now the system receives only packets that it owns and can be re-used, so this issue no longer occurs.

---

545796-5 : [iRule] [Stats] iRule is not generating any stats for executed iRules.

Component: Local Traffic Manager

Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

Conditions:
This occurs when the following steps are taken:
1. Move/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
None.

Fix:
iRule now generates stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

---

545450-5 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.

Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.

---

544906-2 : Issues when using remote authentication when users have different partition access on different devices

Solution Article: K07388310

Component: TMOS

Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.

For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].

Conditions:
Devices configured for remote authentication.

User A on device 1 with role on all-partitions.

User A on device 2 with role restricted to a single partition.

Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.

Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.

Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.

Fix:
User authentication completes successfully for operations on multiple devices on which a single user has different partition access configured.

---

544477 : New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Component: TMOS

Symptoms:
Phone support is not available for hourly billing customers in cloud marketplaces.

Conditions:
All hourly billing VE instances in AWS Marketplace.

Impact:
Phone support is not available for hourly billing VE instances.

Fix:
New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Behavior Change:
Changed licensing for hourly billing instances from pre-licensed image to template reg key which must be licensed through the license server.

---

544033-5 : ICMP fragmentation request is ignored by BIG-IP

Solution Article: K30404012

Component: Local Traffic Manager

Symptoms:
Client sends a large ICMP Echo Request whose size exceeds the MTU of the network the packet traverses requiring the ICMP Echo Response to be fragmented. BIG-IP ignores the fragmentation request and continues sending ICMP Echo Replies that exceed the network MTU.

Conditions:
-- A large (exceeds MTU of network traversed) ICMP Echo Request is directed to a Virtual Address on the BIG-IP system.
-- ICMP Echo Reply is larger than upstream networks MTU resulting in fragmentation needed being sent to BIG-IP.

Impact:
ICMP Echo Reply is not received by the requester.

Workaround:
None.

Fix:
Client now receives correctly ICMP echo response from Virtual Address when echo request has been fragmented.

---

543344-3 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
When a BIG-IP system is configured with explicit HTTP proxy, an ACCESS iRule does not work reliably in HTTP_PROXY_REQUEST. The issue happens when the current ACCESS iRule searches the associated session ID from the connection itself in either of these ways:
-- The session ID is embedded in the request.
-- The connection was processed by ACCESS previously.

When neither condition is satisfied, then the current ACCESS iRule cannot find the associated session ID.

Conditions:
This occurs when the following conditions are met:

-- ACCESS iRule such as ACCESS::session data get/set.
-- ACCESS::session exists.
-- Session ID is not provided by the caller.
-- Caller expects the session ID to be resolved internally.

Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, ACCESS iRule commands are processed as if the caller provided an empty session ID in its arguments. As a result, ACCESS::iRule commands return an empty result.

Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.

Fix:
Fixed to allow ACCESS iRule commands in commands such as HTTP_PROXY_REQUEST where previously there was not enough data for them to execute.

Note: This fix is only for IP address-based sessions where the access policy is not evaluated via iRules, but in the usual method (attached to virtual server). This fix does not address the issue for NTLM-based sessions and sessions that use 'ACCESS::policy evaluate'.

---

543208-1 : Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★

Component: TMOS

Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:

01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
This occurs when the following sets of conditions are met:

Condition set 1
===============
-- Your BIG-IP high availability (HA) device group members are running BIG-IP 11.6.0 or 11.6.1.
-- You upgrade a peer HA device to BIG-IP 12.x or later.
-- After you upgrade that peer, a failover event occurs.

Condition set 2
===============
-- Your BIG-IP HA device group members are running BIG-IP 12.0.0, 12.1.0, 12.1.1, or 12.1.2.
-- You upgrade a peer HA device to BIG-IP 13.x or later.
-- After you upgrade that peer, a failover event occurs.

Note: This might be most evident with APM configurations.

Impact:
mcpd on the devices running the affected versions may become unresponsive. Upgrade fails. This is fundamentally the result of device group members running different software versions.

Workaround:
None.

Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.

---

542817-1 : Specific numbers that are not credit card numbers are being masked as such

Solution Article: K11619228

Component: Application Security Manager

Symptoms:
ASM blocks or masks when a specific credit card number range with specific length appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains credit card numbers with specific ranges.

Impact:
The traffic passes masked or blocked to the end client.

Workaround:
a partial workaround is to turn off the Data Guard feature, then none of the credit cards numbers will be masked nor blocked.

Fix:
The system now correctly masks and/or blocks only relevant credit cards, specifically not masking credit card numbers starting with specific number that are in a length range.

---

542097-4 : Update to RHEL6 kernel

Component: TMOS

Symptoms:
Rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic

Conditions:
Running RHEL6 kernel under heavy disk load, more likely on a vCMP host

Impact:
Unexpected machine reboot causing loss of service

Workaround:
None.

Fix:
Redhat provided an update to RHEL6.7
F5 backported to RHEL6.4, 6.5:

jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()

---

541550-3 : Defining more than 10 remote-role groups can result in authentication failure

Component: TMOS

Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:

notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false

Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.

Impact:
User cannot authenticate.

Workaround:
None.

---

541549-2 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: TMOS

Symptoms:
The default settings of an AMI is not to delete an attached volume of an instance when the instance is terminated. This results in extra effort to delete a volume manually after terminating the instance. If not done always, the orphaned volume causes extra bills.

Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.

Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

---

541320-10 : Sync of tunnels might cause restore of deleted tunnels.

Solution Article: K50973424

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.

Fix:
Sync of tunnels no longer causes restore of deleted tunnels.

---

540928-1 : Memory leak due to unnecessary logging profile configuration updates.

Component: Application Security Manager

Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long lived process

Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)

Impact:
Memory consumption by ASM control plane daemons increases.

Workaround:
Restart ASM - which will cause a failover and a down time

OR just kill asm_config_server by:
-----------------------
pkill -f asm_config_server
-----------------------
which will get restarted back by ASM process watchdog in ~15 seconds and should not cause failover nor downtime.

Fix:
An async worker lifecycle was introduced so long lived processes will now dispatch a fixed number of calls to their workers before retiring them.

---

540872-1 : Config sync fails after creating a partition.

Component: TMOS

Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:

Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist

Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.

This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.

Impact:
A transaction will fail or incremental sync on APM will fail on a peer.

Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.

For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.

---

539360 : Firmware update that includes might take over 15 minutes. Do not turn off device.

Component: TMOS

Symptoms:
On certain platforms, firmware updates might take over 15 minutes to complete. It is very important to wait until update completes. Do not turn on the device until the operation is finished.

Conditions:
This occurs on the following iSeries platforms: i2000, i4000, i5000, i7000, and i10000.

Impact:
Reboot takes a long time. The GUI posts the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.

Workaround:
None.

Fix:
Although reboot takes a long time on the iSeries platforms, the GUI posts a message containing a time range, similar to the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.

---

539093-1 : VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.

Solution Article: K26104530

Component: TMOS

Symptoms:
Virtual Edition (VE) deployed with 1 CPU only shows INOPERATIVE status until at least one VLAN is both configured and attached to an interface.

Conditions:
Install the BIG-IP Virtual Edition software on a VM with 1 CPU (1 CPU/2048 MB RAM option available in OVA) and license, but do not create any VLANs (or create VLANs, but do not attach them to an interface).

Impact:
In the CLI, device remains in INOPERATIVE state, but shows ACTIVE in the GUI. This might cause unneeded delay trying to rectify what appears to be a license issue when there is none.

Workaround:
To work around this, configure at least one VLAN and attach it to an interface.

---

537553-8 : tmm might crash after modifying virtual server SSL profiles in SNI configuration

Component: Local Traffic Manager

Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:

-- BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE), signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Making SSL profile configuration changes now completes successfully.

---

536563-7 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.

---

534520-1 : qkview may exclude certain log files from /var/log

Component: TMOS

Symptoms:
After generating a qkview, some log files are missing.

Conditions:
This can occur intermittently while generating a qkview.

Impact:
Certain key log files that might be needed for troubleshooting are missing from the qkview.

Workaround:
None.

Fix:
After generating a qkview, all log files are now present.

---

534457-4 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.

Fix:
Remirroring L4 connections using dynamic routes works correctly. (Note that when using dynamic routes it is not guaranteed that the active and standby systems will use the same routes; if the same routing is required on both active and standby fails over, there might be some dropped connections.)

---

534247-1 : Issue a Body in Get sub violation for GET request with content type header

Component: Application Security Manager

Symptoms:
A GET request without payload but with payload indication doesn't issue the body in get violation.

Conditions:
A Get request without payload arrives.
The request has a content type header although there is no payload.

Impact:
A suspicious request goes by undetected.

Workaround:
Add an iRule that removes this request from the ASM and issues a custom violation.

Fix:
A GET request without payload but with content type header will issue the body in GET sub violation.

---

533956-3 : Portal Access: Space-like characters in EUC character sets may be handled incorrectly.

Solution Article: K30515450

Component: Access Policy Manager

Symptoms:
Extended Unix Code (EUC) character sets include several white space characters which have no ASCII equivalents. These characters are not recognized as white spaces by Portal Access. This may lead to incorrect handling of HTML pages, XML files and/or JavaScript files in these character sets.

Conditions:
- HTML page, XML file or JavaScript file in any EUC encoding scheme (EUC-JP, for example).

Impact:
Page or file in EUC encoding scheme may not be parsed correctly.

Workaround:
Use an iRule to replace non-ASCII compatible white space characters by ordinal spaces.

Fix:
Now text content using EUC character encoding schemes is handled correctly by Portal Access.

---

531979-6 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system is now setting the SSL version in the record layer to be the same as version value of ClientHello message, which is the highest SSL version now supported.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.

Fix:
The SSL version in the record layer of ClientHello is now set to be the lowest supported version, which eliminates that issue that occurred when the highest SSL version that the BIG-IP system supports did not fall into the range that an SSL peer supports.

---

530927-8 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed

Component: TMOS

Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.

Conditions:
Interfaces use a lower speed then their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.

Impact:
Interface cannot be added to the trunk.

Workaround:
Remove all interfaces, readd them all at the same time.

Fix:
The BIG-IP system now correctly adds interfaces to a trunk formed from interfaces running at a lowered speed.

---

530877-7 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Solution Article: K13887095

Component: Local Traffic Manager

Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.

If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual servers with that have the Verified Accept option enabled.

Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- Client sends the initial data to be sent on the ACK of the three-way-handshake.

Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.

Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.

Fix:
The BIG-IP system now correctly processes initial data on the ACK of a three-way handshake when used with Verified Accept so iRule processing does not run the CLIENT_ACCEPTED event twice.

---

530775-4 : Login page may generate unexpected HTML output

Solution Article: K23734425

---

530530-6 : tmsh sys log filter is displayed in UTC time

Solution Article: K07298903

Component: TMOS

Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.

Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:

Filter logs by hour.
Filter logs for less than 8 hours.

Impact:
tmsh does not filter the log correctly with 'range' filter.

Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.

---

530266-7 : Rate limit configured on a node can be exceeded

Component: Local Traffic Manager

Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.

Conditions:
More than 1 tmm needs to be there. Rate limit needs to be configured on the node.

Impact:
Node rate limit feature does not work as intended.

Workaround:
Rate limit can be shifted from the node to pool member and it works.

---

530109-3 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Component: Access Policy Manager

Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.

Impact:
OCSP auth might fail as wrong URL is used.

Workaround:
1. Clean URL field.
2. Uncheck option 'Ignore AIA'.

Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.

Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.

---

528499-3 : AFM address lists are not sorted while trying to create a new rule.

Component: Advanced Firewall Manager

Symptoms:
AFM address lists are not sorted while trying to create a new rule.

Conditions:
Seen only in the rule creation page.

Impact:
AFM address lists are not sorted in the rule creation page.

Workaround:
none

Fix:
AFM address lists are now sorted in the rule creation page.

---

527720-1 : Rare 'No LopCmd reply match found' error in getLopReg

Component: TMOS

Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.

This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.

This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.

Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.

Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.

Workaround:
None.

---

527206-5 : Management interface may flap due to LOP sync error

Component: TMOS

Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.

Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.

Workaround:
None.

Fix:
Rare Management interface flap due to LOP sync error no longer occurs on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

---

526708 : system_check shows fan=good on removed PSU of 4000 platform

Component: TMOS

Symptoms:
Running system_check on a 4000 platform with one PSU removed will still show status FAN=good; STATUS=good

Conditions:
This applies only to the BIG-IP 4000 platform.

Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.

Fix:
If a PSU has been removed, system_check will now show status STATUS=not present

---

525580-1 : tmsh load sys config merge file filename.scf base command does not work as expected

Solution Article: K51013874

Component: TMOS

Symptoms:
The presence of base option indicates that only the base objects in the configuration should be considered for the save operation. The non-base objects in the configuration should be ignored.

However, this is not true for the following command:
tmsh load sys config merge file filename.scf base.

Conditions:
Running the command: tmsh load sys config merge file filename.scf base.

Impact:
This command ignores the base option. When specified with the merge option the base option is ignored. It merges the non-base configuration objects. It does not load only the base config objects as specified in the command.

Workaround:
None.

Fix:
tmsh load sys config merge file filename.scf base command now loads only the base config objects as specified in the command.

---

525429-11 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
OpenSSL library was modified to keep it compatible with RFC 6347 complaint DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347.
The current APM client is compatible with old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with new OpenSSL libary.

Fix:
The APM client is now compatible with both the old and new OpenSSL library.

---

524277-2 : Missing power supplies issue warning message that should be just a notice message.

Component: TMOS

Symptoms:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.

Conditions:
Running chassis with absent power supplies, or with power not applied, will cause ltm to issue warning messages.

Impact:
Extra logging.

Workaround:
Ignore missing power supply warning messages.

Fix:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.

---

523814-3 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections

Component: Local Traffic Manager

Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.

Clients that use HTTP/1.1 will result in fewer serverside connections being reused.

Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.

Alternately, an iRule that down-steps the HTTP request version to HTTP/1.0

Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.

Inconsistent behavior as a result of client HTTP version.

Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.

---

523797-2 : Upgrade: file path failure for process name attribute in snmp.★

Component: TMOS

Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.

Conditions:
Upgrade from 10.x. to 11.5.1 or later.

Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.

Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.

---

522302-2 : TCP Receive Window error messages are inconsistent on UI

Component: Local Traffic Manager

Symptoms:
Different invalid inputs for Receive Window resulted in inconsistent error messages in TMUI.

Conditions:
Input invalid options (e.g, -1 and 0) for TCP Receive Window in TMUI.

Impact:
User is presented with two different input ranges whereas for both invalid options one correct input range should have been present.

Workaround:
There is no workaround at this time.

Fix:
TMUI for TCP Receive Window is fixed for invalid inputs.

---

521370-1 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8

Component: Application Security Manager

Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.

---

521270-1 : Hypervisor might replace vCMP guest SYN-Cookie secrets

Component: TMOS

Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.

Occasionally, under HW-SYN-Cookie mode, HW-SYN-Cookie validation can fail, which triggers the software SYN-Cookie procedure, which does succeed.

Under vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat. If this packet's destination is the local high-layer TCP stack, there is no functional impact. Otherwise, there might be a performance impact.

Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, which causes the connection issue.

Conditions:
vCMP provisioning setup.

Impact:
Under vCMP guest, you might notice hwalgo_accept increased under TMCTL table epva_hwvipstat, which, if under HW-SYN-Cookie mode, everything will be validated automatically by FPGA instead.

You might also notice hwalgo_invalid, if the FPGA used
the updated secret for SYN-Cookie generation from the hypervisor, and when guest and hypervisor secret index overlaps.

Even though guest and hypervisor secret index might not be the same, the history secret might be updated by hypervisor, which might trigger additional hwalgo_accept.

Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, so the error rate could be higher.

Workaround:
On the vCMP hypervisor, run the following commands.

1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl.
2. bigstart restart TMM.

On a multiple blade system, you must run these commands on all blades.

Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.

---

521204-2 : Include default values in XML Policy Export

Component: Application Security Manager

Symptoms:
XML Policy Export does not include some entities, unless their values are different from the system's default settings.

Conditions:
-- ASM provisioned.
-- Configuration contains some entities whose values match the defaults.
-- Export security policy in XML format.

Impact:
XML Policy Export does not include those entities; it only includes entities when their values are different from the system's default settings

Workaround:
None.

Fix:
XML policy export operations now exclude defaults only when exporting a minimal XML configuration.

---

520877-1 : Alerts sent by the lcdwarn utility are not shown in tmsh

Component: TMOS

Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.

The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.

Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.

Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.

This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.

Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.

Workaround:
None. This is a cosmetic issue.

---

519612-1 : JavaScript challenge fails when coming within iframe with different domain than main page

Component: Application Security Manager

Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.

Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
  a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
  b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
  c. Device-ID (fingerprint)
  d. Web Scraping Bot Detection Challenge
  e. Proactive Bot Defense (with/without "Block Suspicious Browsers")

Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.

Workaround:
It is possible to workaround the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and DoS profile was not previously used.

The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.

1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
   a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
   b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
   c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/" } {
            BOTDEFENSE::cs_allowed true
        }
    }
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.

Fix:
JavaScript challenges no longer fail when coming within an iframe on a different domain than the main page.

---

518201-4 : ASM policy creation fails with after upgrading

Component: Application Security Manager

Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. The system posts the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------

It does not matter if the security policy was created at the command line or by the Configuration utility.

Conditions:
-- ASM provisioned
-- Upgrade to 11.6.x.

Impact:
ASM policies cannot be created.

Workaround:
As root user, from the command line of the affected BIG-IP system, run these exact commands (tip: you can copy and paste into the command line):
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

IMPORTANT: This operation permanently affects the mentioned database table. It is strongly advised that you first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------

Before applying the workaround, make sure that you need one. To determine that, run the following command:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
In case this query does not return any output, meaning that there is no need for the workaround.

If you need the workaround, you can use the same "SELECT *" query to validate the workaround, after it has been applied. Namely, after the workaround was applied, the "SELECT *" query should return no output.

Fix:
This version fixes ASM policy creation so that it does not fail after upgrade.

---

517756-6 : Existing connections can choose incorrect route when crossing non-strict route-domains

Component: Local Traffic Manager

Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.

Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.

Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.

Workaround:
None.

Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.

---

516736-1 : URLs with backslashes in the path may not be handled correctly in Portal Access

Component: Access Policy Manager

Symptoms:
Safari, Chrome, Edge and Internet Explorer support backslashes in URL path and treat them as slashes. But Portal Access converts backslashes in URLs to slashes explicitly; this may cause unexpected results in some web applications. Note that FireFox has no such support.

Conditions:
HTML page with URL with backslashes in the path, for example:

<a href=http://some.com\some\path/file.ext>

Impact:
Web application may not work correctly.

Workaround:
In some cases it is possible to modify rewritten URLs by iRule.

Fix:
Now URLs with backslashes are supported correctly by Portal Access for all browsers except for Internet Explorer 7--9 and FireFox.

---

516307-2 : Multiple Relay in DHCP relay is not working.

Solution Article: K35152864

Component: Local Traffic Manager

Symptoms:
If the BIG-IP is behind another DHCP relay, then the packets are not sent to the server, instead they are dropped.

Conditions:
This occurs when a DHCP virtual server is configured with a profile based on dhcpv4_fwd.

Impact:
This previously worked on v11.4.x, so if you are running on version 11.4.x and upgrade to 11.6.x, the virtual server may not function correctly.

Workaround:
To work around this, do the following:
1. Configure a unicast IP address for the BIG-IP DHCPv4 listener destination address field.
2. Configure the same IP address as the DHCP server IP address on DHCP relay agent.

This way the BIG-IP system can load balance DHCP load on to a pool of DHCP servers.

Fix:
Multiple Relay in DHCP relay is now working.

---

516167-2 : TMSH listing with wildcards prevents the child object from being displayed

Solution Article: K21382264

Component: TMOS

Symptoms:
The tmsh list command is attempted with an identifier that specifies use of wildcard match character (*) , the results returned may not print the nested objects contained within the parent object.

For example, the list ltm pool* command will print all pools that begin with the word pool, but will fail to list the profiles that are within the pool.

Conditions:
tmsh list with a wildcard character specified for parent object.

Impact:
Missing details of nested objects when tmsh list is invoked with wildcard character (*) specified in the object identifier

Workaround:
None.

Fix:
The tmsh list with a wildcard character specified in the object identifier result contains all the nested objects.

For the example specified, the results would now be as follows:

(tmos)# list ltm pool pool*
ltm pool pool-http-1 {
    members {
        10.1.3.1:http {
            address 10.1.3.1
            inherit-profile disabled
            profiles {
                nvgre { }
            }
        }
    }
}

The missing profile objects are now listed correctly, as expected.

---

513310-1 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.

Impact:
TMM might core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now reinitializes the TCP proxy filter chain on profile change, so that tmm no longer cores.

---

513288-7 : Management traffic from nodes being health monitored might cause health monitors to fail.

Component: Local Traffic Manager

Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.

Conditions:
Health monitor checking node_ip:port where 1024 is less than or equal to port, which is less than 65536. Node periodically connects back to management service on self IP (e.g., iControl, GUI, SSH).

Impact:
Traffic is not sent to the node while the monitor is failing.

Workaround:
None.

Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.

---

511324-12 : HTTP::disable does not work after the first request/response.

Solution Article: K23159242

Component: Local Traffic Manager

Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.

Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.

Impact:
The connection is reset.

Workaround:
None.

Fix:
HTTP::disable now works correctly after the first request or response.

---

510631-1 : B4450 L4 No ePVA or L7 throughput lower than expected

Component: Performance

Symptoms:
L4 no ePVA and L7 performance was limited to as little as 146Gbps under some traffic conditions instead of the advertised capability of 160Gbps.

Conditions:
This occurs on the B4450 blade.

Impact:
Performance lower than expected

Fix:
Driver enhancements to 12.1.2 and 13.0 enable full 160G performance

---

509980-1 : Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.

Component: TMOS

Symptoms:
When a DSC cluster is configured using HA Groups, spurious HA group configuration errors can be displayed when rebooting another member of the DSC cluster.

These messages can appear in the output of the "show cm traffic-group", or on the Device Management -> Traffic Groups page.

Conditions:
HA-DSC Cluster with 2 or members. HA-Groups are configured on one or more traffic groups on all Cluster members.

A Cluster member is rebooted, and an administrator is viewing the Device Management- > Traffic Groups page, or issuing the "show cm traffic-group" .

Impact:
A message displaying that all traffic group(s) should have an HA Group configured may be incorrectly displayed. This has no affect on the operation of the system, and will clear once the cluster member has finished rebooting.

Workaround:
There is no workaround or mitigation other than upgrading to a release with the required fix.

Fix:
HA Daemon has been updated to correctly track the configuration of HA Groups on other devices during device reboots.

---

509858-5 : BIG-IP FastL4 profile vulnerability

Component: Local Traffic Manager

Symptoms:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Conditions:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Impact:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Fix:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

---

508302-2 : Auto-sync groups may revert to full sync

Component: TMOS

Symptoms:
If a large number of configuration changes in the same device group are being applied rapidly, device sync may start to generate full loads instead of incremental patches.

Conditions:
This only affects auto-sync device groups.

Impact:
The system may spuriously start to generate full loads instead of incremental changes.

Workaround:
You can use any of the following workarounds:

-- If a large series of syncs are expected, temporarily disable auto-sync for the device group in question.

-- Wrap all of the changes into a single transaction.

-- Add a short pause in between changes.

---

508113-3 : tmsh load sys config base merge file <filename> fails

Component: TMOS

Symptoms:
Save sys config file.

(tmos)# save sys config file demo.scf no-passphrase
Saving running configuration...
  /var/local/scf/demo.scf
  /var/local/scf/demo.scf.tar

Try to load the base configuration within this file.

(tmos)# load sys config base merge file demo.scf
Loading configuration...
  /var/local/scf/demo.scf
Syntax Error:(/var/local/scf/demo.scf at line: 6) "apm" unexpected argument

The error is from a system configuration, not user created.

apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}

Basically the configuration fails to load all components for unprovisioned modules and features.

Conditions:
Running the command: load sys config base merge file <filename> when the system contains unprovisioned modules and features.

Impact:
tmsh load sys config base merge file <filename> fails.

Workaround:
None.

Fix:
The provisioning checks were modified to let this command succeed.

---

507240-4 : ICMP traffic cannot be disaggregated based on IP addresses

Solution Article: K13811263

Component: TMOS

Symptoms:
ICMP traffic might not be disaggregated evenly if there is not enough entropy from the ICMP header.

Conditions:
-- ICMP traffic has low entropy in ICMP header.
-- System is configured to disaggregate traffic.

Impact:
Traffic imbalance.

Workaround:
None.

Fix:
This release supports disaggregation of ICMP traffic based on IP addresses, in addition to ICMP headers. To enable the feature, use the following commands:

In v13.x:
 tmsh modify net dag-globals icmp-hash ipicmp

In v12.x:
 tmsh modify sys db dag.icmp_hash value ipicmp

Note: This feature cannot be used if the BIG-IP system translates IP addresses for ICMP traffic.

---

507206-1 : Multicast Out stats always zero for management interface.

Component: TMOS

Symptoms:
Multicast Out stats are always zero for the management interface.

Conditions:
Statistics information on the management interface.

Impact:
The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover.

Workaround:
Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.

---

506543-5 : Disabled ephemeral pool members continue to receive new connections

Component: Local Traffic Manager

Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.

Conditions:
FQDN parent node is disabled causing its derived ephemeral pool members to be marked disabled.

Impact:
Unexpected traffic load balanced to disabled pool members

Workaround:
None.

Fix:
Traffic will no longer be load balanced to disabled ephemeral pool members.

---

504522-2 : Trailing space present after 'tmsh ltm pool members monitor' attribute value

Component: Local Traffic Manager

Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.

Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.

Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).

Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.

Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.

---

503842-4 : Microsoft WebService HTML component does not work after rewriting

Component: Access Policy Manager

Symptoms:
The Microsoft webservice.htc component provides JavaScript interface for SOAP services for Microsoft Internet Explorer (IE). It stops working after rewriting through reverse proxy.

Conditions:
-- Using Microsoft webservice.htc component.
-- Rewriting through reverse proxy.
-- Running IE.

Impact:
Microsoft WebService component stops working.

Workaround:
You can use the following iRule to work around this issue:
---
when HTTP_REQUEST {
  # Downgrade IE compatibility mode
  set downgrade_ie_compat 0
  if { [HTTP::path] contains "PreviewQualitySheet.aspx" } {
    set UAString [string tolower [HTTP::header User-Agent]]
    if { ! ($UAString contains "msie 8.") and ! ($UAString contains "msie 7.")} {
      set downgrade_ie_compat 8
    }
  }
  # do not rewrite WebService HTML Component
  # because IE ignores it after rewriting.
  # patching a few things manually instead
  set ms_webservice_fix 0
  if { [HTTP::uri] ends_with "webservice.htc"} {
    set ms_webservice_fix 1
    HTTP::uri "[HTTP::uri]?F5CH=I"
    if { [HTTP::version] eq "1.1" } {
      if { [HTTP::header is_keepalive] } {
        HTTP::header replace "Connection" "Keep-Alive"
      }
      HTTP::version "1.0"
    }
  }
}
when HTTP_RESPONSE {
  if { $downgrade_ie_compat > 0 && ! [HTTP::header exists X-UA-Compatible] } {
    HTTP::header replace "X-UA-Compatible" "IE=$downgrade_ie_compat"
  }
  if { $ms_webservice_fix == 1 } {
    if { [HTTP::header exists "Content-Length"] and \
        [HTTP::header "Content-Length"] > 0 and \
        [HTTP::header "Content-Length"] <= 1048576 } {
      HTTP::collect [HTTP::header Content-Length]
    } else {
      HTTP::collect 1048576
    }
  }
}
when HTTP_RESPONSE_DATA {
  if { $ms_webservice_fix == 1 } {
    set location [string first \
        {if (co.userName == null)} \
        [HTTP::payload]]
    if { $location > 0 } {
      HTTP::payload replace $location 0 {loc=F5_WrapURL(loc);}
    }
  }
  HTTP::release
}

Fix:
Microsoft WebService HTML component no longer stops working after rewriting.

---

503482-2 : BGP cannot redistribute IPv4 routes learned from OSPFv3.

Component: TMOS

Symptoms:
OSPFv3 Route redistribution to BGP does not work.

Conditions:
-- A BIG-IP system with BGP and OSPFv3 configured.
-- Route redistribution enabled.

Impact:
OSPFv3 is capable of learning IPv4 routes from its neighbors. However, BGP is not redistributing IPv4 routes learned from OSPFv3.

Workaround:
None.

Fix:
IPv4 routes learned from OSPFv3 are now correctly redistributed by BGP.

---

501892-1 : Selenium is not detected by headless mechanism when using client version without server

Component: Application Security Manager

Symptoms:
DoSL7 Proactive Bot Defense (Block requests from suspicious browsers) detects selenium when the selenium server is running and a listener has opened on one of specific ports.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
If a bot is running selenium client package only it is not being blocked by DoSL7 Proactive Bot Defense mechanism.

Workaround:
N/A

Fix:
Selenium detection mechanism has improved and if a bot uses FF or Chrome selenium driver it is detected by PBD's javascript code via checking existence of required chrome plugins and FF webdriver.

---

500452-8 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware

Solution Article: K28520025

Component: TMOS

Symptoms:
PB4300 blade tries to disaggregate the ESP traffic based on the IPsec ESP Security Parameter Index (SPI) value in hardware. But the blade used doesn't have that capability, which causes ESP traffic being sent to one HSB and results in throughput degradation.

Conditions:
When PB4300 receives ESP traffic.

Impact:
Throughput degradation.

Workaround:
None.

Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.

---

495443-10 : ECDH negotiation failures logged as critical errors.

Solution Article: K16621

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.

---

495242-3 : mcpd log messages: Failed to unpublish LOIPC object

Component: Local Traffic Manager

Symptoms:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory).

Conditions:
This is an intermittent issue that occurs on standby systems in High Availability (HA) configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either the file has already been removed or it was not created.

Impact:
This is a benign error that can be safely ignored.

Workaround:
None.

Fix:
The system now suppresses logging when attempting to delete non-existent file.

---

491560-1 : Using proxy for IP intelligence updates

Component: TMOS

Symptoms:
When connecting to the proxy server, the iprepd daemon doesn't send in CONNECT request the value of DB variable iprep.server but its locally resolved IP address.

Conditions:
The following DB variables are configured to use proxy:
proxy.host
proxy.port

This presents a problem when the proxy server is configured to allow only IPs that have a reverse lookup.

Impact:
When the proxy sees the traffic it denies it, because the reverse lookup for that server IP is not present.

Workaround:
Use one of the workarounds:

-- Do not use proxy.

-- Check the server IP address regularly and maintain proxy white list manually.

Fix:
Now the iprepd daemon sends CONNECT request with the value of DB variable iprep.server and lets the proxy server do the DNS lookup.

---

489572-2 : Sync fails if file object is created and deleted before sync to peer BIG-IP

Solution Article: K60934489

Component: TMOS

Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:

Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.

Impact:
Sync fails.

Workaround:
When you create/add a file object, make sure to sync before deleting it.

If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.

---

487144-2 : tmm intermittently reports that it cannot find FIPS key

Component: Global Traffic Manager (DNS)

Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"

Conditions:
There is FIPS card in the BIG-IP and the key is retrieved. It is not known the exact conditions that cause this, but it seems to be related to GTM being enabled.

Impact:
SSL can not locate the key from the FIPS card, and SSL will not function properly.

Workaround:
None known, but restarting tmm or rebooting might correct the condition.

Fix:
There is now additional information in the error message that can help resolve the issue.

---

484542-1 : QinQ tag-mode can be set on unsupported platforms

Component: Local Traffic Manager

Symptoms:
tmsh does not validate QinQ tag-mode and allows invalid values to be set.

Conditions:
This occurs when trying to set QinQ tag-mode to values other than 'none' on unsupported platforms. Only platforms with ePVA support QinQ tagging.

Impact:
Although you can set !in! tag-mode, the configuration has no effect. There is no negative impact on system functionality.

Workaround:
Only configure QinQ tag-mode on the following platforms: BIG-IP 5050s/5250v/7050s/7250v/10050s/10250v and VIPRION B2150 SSD-based models.

Fix:
QinQ tag-mode is now properly validated when configuring a VLAN via tmsh.

---

483953-1 : Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.

Component: Local Traffic Manager

Symptoms:
ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size if the path MTU is lower than that value.

Conditions:
Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message with a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value will be set to the TM.MinPathMTU value even though this still isn't able to traverse the path.

This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address.

Impact:
TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU.

This metric will live for 10 minutes by default.

Workaround:
This issue has no workaround at this time.
The route metric lifetime can be lowered using route.metrics.timeout db key.

Fix:
Path MTUs lower than the value of TM.MinPathMTU will no longer be cached by TMM.

---

480983-4 : tmrouted daemon may core due to daemon_heartbeat

Component: TMOS

Symptoms:
In rare instances, tmrouted for dynamic routing may core with a message similar to the following: warning sod[8953]: 01140029:4: HA daemon_heartbeat tmrouted fails action is restart.

Conditions:
This is a rarely occurring issue that occurs due to timing-related interactions in dynamic routing operations.

Impact:
tmrouted cores and restarts.

Workaround:
None.

Fix:
tmrouted now operates normally under these conditions.

---

479471-1 : CPU statistics reported by the tmstat command may spike or go negative

Solution Article: K00342205

Component: TMOS

Symptoms:
On bladed systems, the results from the 'tmstat' and 'tmstat cpu' commands may spike high or go negative due to a issue with how per-blade statistics are collected.

Conditions:
Error in the timing of statistics collection such that display is incorrect.

Impact:
Incorrect display of CPU statistics.

Workaround:
There is no workaround.

Fix:
The CPU statistics display has been fixed.

---

478986 : Powered down DC PSU is treated as not-present

Component: TMOS

Symptoms:
When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'.

Conditions:
This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'.

Impact:
Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available.

Workaround:
Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info.

---

474797-7 : Nitrox crypto hardware may attempt soft reset while currently resetting

Component: Local Traffic Manager

Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.

Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.

Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.

Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.

To disable hardware-based crypto acceleration issue the following command:

tmsh modify sys db tmm.ssl.cn.shunt value disable

Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.

Fix:
A crypto soft reset attempt is now allowed to complete before another soft reset attempt can occur.

---

472860-5 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Component: Policy Enforcement Manager

Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Conditions:
Session created via iRule running on the RADIUS virtual server.

Impact:
RADIUS session statistics are not incremented.

Workaround:
None.

Fix:
The session statistics for sessions created by RADIUS is now incremented whenever the user runs an iRule on the RADIUS virtual server, that creates a new session.

---

472571-7 : Memory leak with multiple client SSL profiles.

Component: Local Traffic Manager

Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.

Conditions:
Multiple client SSL profiles are attached to a virtual server.

Impact:
Memory will leak a small amount of memory.

Workaround:
None.

Fix:
Multiple client SSL profiles attached to a virtual server no longer causes memory to be leaked.

---

471860-10 : Disabling interface keeps DISABLED state even after enabling

Solution Article: K16209

Component: TMOS

Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.

Conditions:
This occurs when using both tmsh and the GUI.

Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.

Workaround:
You can reboot correct the indicator.

Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.

---

471237-2 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.

Conditions:
Deploy a BIG-IP VE guests in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.

Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.

---

471029-2 : If the configuration contains a filename with the $ character, then saving the UCS fails.

Component: TMOS

Symptoms:
If the configuration contains a filename or username with the $ character, then saving the UCS fails. Examples of filenames include cm cert cache-path and cm key cache-path.

tmsh save sys ucs <ucs-id> fails for such configuration.

The error displayed appears similar to the following.:
Fatal: executing: md5sum /var/tmp/filestore_temp/files_d/Common_d/certificate_d/:Common:?><.crt_53783_1
Operation aborted.
/var/tmp/configsync.spec: Error creating package.

Conditions:
Filenames or username in configuration contain $ character. For example, cm cert cache-path or cm key cache-path.

Impact:
Saving UCS fails.

Workaround:
Do not use the $ character as part of the filenames or usernames in the configuration.

---

467709-1 : FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN

Component: Local Traffic Manager

Symptoms:
FQDN nodes and pool members show a status of Green (Available) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response.

Conditions:
This occurs when the DNS server returns an NXDOMAIN response for the configured FQDN name.

Impact:
FQDN nodes and pool members may appear to be Available when no ephemeral nodes/pool members have been created.

Workaround:
None.

Fix:
FQDN nodes and pool members show a status of Yellow (Unavailable) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

Behavior Change:
FQDN ephemeral nodes are now deleted when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This change in behavior was introduced by the FQDNv2 feature re-implementation in this version of the software.

---

466068-1 : Allow setting of the AAA Radius server timeout value larger than 60 seconds

Component: Access Policy Manager

Symptoms:
Sometimes 60 sec timeout for AAA Radius server is not enough especially when users need to provide input. Following error message will be displayed when user tries to set timeout value greater than 60 :

"01090676:3: The requested timeout value (120) out of range for aaa radius server (/Common/test-radius-server). (1-60)"

Conditions:
This only occurs whenever following conditions are met:
- APM is licensed and provisioned
- AAA Radius server is configured
- Radius Auth agent is included in the access policy

Impact:
Users can not set timeout value to more than 60 sec for AAA Radius server. If response time is more than 60 sec from AAA Radius server, users may not login and access resources if two factor auth is configured.

Workaround:
There is no workaround.

Fix:
Increased the AAA Radius Server timeout range from 0-60 to 0-180.

---

464801-3 : Intermittent tmm core

Component: Local Traffic Manager

Symptoms:
tmm intermittently cores. Stack trace signature indicates "packet is locked by a driver"

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an intermittent tmm core

---

464650-4 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
Mcpd restarts

Workaround:
None.

Fix:
Failure of mcpd with invalid authentication context no longer occurs.

---

463314-2 : Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail

Component: Application Security Manager

Symptoms:
When AJAX blocking response page feature is enabled, ASM's pre-injected javascript code adds a custom header to each outgoing ajax request. Adding the header to a cross domain ajax request forces browsers to send an OPTIONS preflight request, if a back-end server doesn't not treat the pre-flight request properly, the request will fail resulting in broken functionality of a web application.

Conditions:
Provision asm, attach asm policy to a virtual server and configure Enable AJAX blocking response page feature.

Impact:
Broken cross domain ajax requests

Workaround:
Disable AJAX blocking response page feature in ASM policy.

Fix:
Avoid adding custom headers to cross domain ajax request.

---

463097-3 : Clock advanced messages with large amount of data maintained in DNS Express zones

Component: Local Traffic Manager

Symptoms:
Clock advanced messages with a large amount of data maintained in DNS Express (DNSX) zones, the TMM can suffer from clock advances when performing the DB reload.

Conditions:
Large enough zones into DNSX (several hundred thousand to several million records depending on hardware).

Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.

Workaround:
Prevent all updates to DNSX zones.

Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones has been significantly improved. DNSX DB now reside in /shared to resolve DB size issues.

---

462043-2 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Component: Local Traffic Manager

Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner'; a packets inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.

Conditions:
On 5000 and C2400 platforms.

Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.

Workaround:
None.

Fix:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', the packets are now handled as expected.

---

460833-5 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This symptom may occur under the following conditions:

1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.

Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.

---

459671-4 : iRules source different procs from different partitions and executes the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.

Conditions:
Multiple iRule procs defined in multiple admin partitions.

Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.

---

456376-4 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32

Solution Article: K53153545

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.

Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.

Impact:
Cannot successfully specify an IPv4-mapped-IPv6 block to be configured in AFM firewall rule (and possibly other AFM configurations as well).

Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.

Fix:
You can now use tmsh for IPv4-mapped-IPv6 notation with prefix length greater than 32.

---

455975-1 : Separate MIBS needed for tracking Access Sessions and Connectivity Sessions

Component: Access Policy Manager

Symptoms:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Conditions:
Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns.

Impact:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Workaround:
This issue has no workaround at this time.

Fix:
Access Sessions and Connectivity Sessions are now exposed correctly in SNMP MIBS.

---

452283-2 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.

Fix:
Fixed MP_FASTCLOSE handling.

---

448409-1 : 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle

Solution Article: K15491

Component: TMOS

Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect.

Conditions:
This affects the ConfigSync communication channel if configured.

Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.

Workaround:
You can avoid this issue by using the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the following command: tmsh load sys config partitions all.

Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.

---

447565-5 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Solution Article: K33692321

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.

---

442231-4 : Pendsect log entries have an unexpected severity

Component: TMOS

Symptoms:
Pendsect logs non-errors with a 'warning' severity.

Conditions:
This occurs when pendsect is executed.

Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.

Workaround:
None needed. This is cosmetic.

Fix:
Adjusted severity level of various logs generated by pendsect script, so that informational messages are not logged as warnings.

---

441079-2 : BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved

Solution Article: K55242686

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is modifying the source port on NAT connections.

Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.

Impact:
This impacts any applications where the source port is expected to be preserved.

Workaround:
None.

Fix:
The source port is always preserved for NAT connections.

Behavior Change:
The source port is always preserved for NAT connections.

---

440620-2 : New connections may be reset when a client reuses the same port as it used for a recently closed connection

Component: Local Traffic Manager

Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.

Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.

Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.

Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.

Fix:
Improved abort handling to better clean up hanging connections.

---

436116-1 : The tcpdump utility may fail to capture packets

Component: TMOS

Symptoms:
Although packets are flowing correctly through the BIG-IP system, the tcpdump utility may capture no packets when certain command options are used.

Conditions:
This issue occurs when all of the following conditions are met:

- You configure tcpdump to listen for packets on a physical interface (e.g., -i 1.1).

- You configure tcpdump to save the packets to a file in binary format (e.g., -w /var/tmp/example.pcap).

- You configure tcpdump to produce verbose output while capturing packets (e.g., -v, -vv or -vvv).

Impact:
The tcpdump utility does not capture any packets, which may create confusion for a BIG-IP Administrator performing troubleshooting on the system. This issue does not affect the traffic-passing abilities of the system, however.

Workaround:
You can work around this issue by starting the tcpdump utility without the -v, -vv or -vvv verbose output options.

---

434821-1 : Remote logging of staged signatures and staged sets

Component: Application Security Manager

Symptoms:
There is no option to see matched staged signature in the remote logging

Conditions:
A user has remote logger configured. There is no configuration option to see the stage signatures.

Impact:
A user without local logger can't make good decisions about the staged signatures

Workaround:
Add a local logger

Fix:
Added staged signatures ids, names and sets to the remote logger .

---

434573-6 : Tmsh 'show sys hardware' displays Platform ID instead of platform name

Solution Article: K25051022

Component: TMOS

Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.

For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:

Platform
  Name D113

instead of the official platform marketing name, such as:

Platform
  Name BIG-IP 10000F

Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.

Note: The source of the platform information comes in a file: /etc/hal/MARKETING-NAMES. With each release, this file is updated to reflect the platforms available at time of release. The marketing-names package version serves as an identifier of the age of the marketing-names package.

Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.

Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.

Note: To get the newest marketing-names package, you must upgrade to a newer BIG-IP release, or specifically request an individual engineering hotfix to address the issue.

Fix:
The system now shows marketing names of platforms that were relatively current at the time of each release, but this issue might occur on any release. It is not possible to predict whether this issue will be present on a specific platform for a specific software version.

This is true because the system relies on a specific file to provide all marketing names for BIG-IP platforms. That file might not be updated for every release, and additional hardware might be released after a software version is shipped. Therefore, you might have to use the platform designation rather than the marketing name in your custom automation scripts.

Note: You can find marketing names of platforms here: K9476: The F5 hardware/software compatibility matrix :: https://support.f5.com/csp/article/K9476.

---

433678-2 : A monitor removed from GTM link cannot be deleted: 'monitor is in use'

Solution Article: K32401561

Component: Global Traffic Manager (DNS)

Symptoms:
A monitor removed from GTM link cannot be deleted. Attempting to delete the monitor results in an error message similar to the following: 01070083:3: Monitor /Common/custom_gtm_mon is in use.

Conditions:
Deleting a custom monitor that was formerly used by a GTM link.

1. Create a custom GTM monitor that can be used on a link.
2. Create a GTM link, and add the custom monitor to it.
3. Remove the monitor from the link.
4. Attempt to delete the monitor.

Impact:
Unable to delete monitor.

Workaround:
Reload the GTM config and delete the monitor.

Fix:
This release enables deletion of a monitor removed from GTM link, and no monitor-in-use error message is returned.

---

433357 : Management NIC speed reported as 'none'

Component: TMOS

Symptoms:
Sometimes,after mcpd get restarted, mcpd does not get management port NIC speed information from chmand; 'tmsh show net interface' might shows the speed of mgmt interface as 'none'.

Conditions:
Management interface is up, and then restart mcpd.

Impact:
The 'tmsh show net interface' commands cannot show correct management speed.

Workaround:
You can resolve this issue by restarting the chmand process. On appliances (BIG-IP platforms), run the following command:
bigstart restart chmand.

On VIPRION systems, run the following command:
clsh "bigstart restart chmand".

Fix:
The tmsh utility now reliably displays the current media of the BIG-IP system's management port even if the mcpd daemon has restarted.

---

431840-3 : Cannot add vlans to whitelist if they contain a hyphen

Component: Advanced Firewall Manager

Symptoms:
When attempting to add a vlan to the DoS protection whitelist and the vlan contains a hyphen, the following validation error is returned:

01071792:3: Vlan should be numeric form as vlan number / mask

Conditions:
Adding a vlan containing a hyphen to the whitelist

Impact:
Unable to add vlans that contain a hyphen

Workaround:
Instead of using the vlan by name, just specify the vlan tag #. Ignore the drop down menu offering the vlan names.

---

424542-5 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments

Component: TMOS

Symptoms:
tmsh modify net interface commands with either invalid interface names, or invalid attribute names will appear to create new interfaces.
An invalid interface will show up in "show net interfaces"

Conditions:
Only happens on clustered or virtual environments, not on appliances.

Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.

Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"

---

423629-3 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted

Solution Article: K08454006

Component: Local Traffic Manager

Symptoms:
bigd restarts once, and afterwards, subsequent pings from the monitor fails.

Conditions:
This can occur when assigning an ICMP monitor to a pool member, and specifying a route domain that does not exist.

Impact:
For bigd, a single restart is actually harmless. The invalid config will cause monitor failures, since the route domain no longer exists, the pool member will be marked down.

Workaround:
None.

Fix:
bigd no longer cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted.

---

423392-6 : tcl_platform is no longer in the static:: namespace

Component: Local Traffic Manager

Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.

Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.

Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.

Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.

---

421797-3 : ePVA continues to accelerate hardware offloaded traffic in Standby.

Component: TMOS

Symptoms:
For several seconds after a failover of redundant BIG-IP units, some application traffic can still be seen egressing the newly standby unit.

Conditions:
This issue occurs when all of the following conditions are met:

-- BIG-IP units are deployed in a redundant configuration.
-- BIG-IP units are hardware models with the ePVA chip.
-- One or more virtual servers employ hardware acceleration.
-- A failover of the units occurs.
-- For some specific reason, the newly standby unit still receives some application traffic (matching hardware offloaded flows) from the network. It is this traffic which continues to be processed (and egressed back to the network) by the ePVA chip.

Impact:
The offloaded flows are eventually evicted from the ePVA after the failover switch period (16 seconds by default). However, traffic in some deployments may be impacted during this time. What determines whether any impact occurs or not is a combination of:

-- Whether MAC masquerading is used or not.
-- How many IP addresses need to be advertised after a failover.
-- The speed and efficiency with which surrounding network equipment learns the IP addresses have moved.
-- Whether hardware offloaded flows and regular software flows share a common virtual address. This matters because even though a hardware offloaded flow can continue to work despite being processed by the standby unit, egressing such packets may cause a MAC address change and/or port movement for a specific IP address on the surrounding network equipment. In turn, this may cause regular software flows for the virtual address to be directed to the standby unit, and these flows fail as TMM does not process them in standby mode.

Workaround:
There are three possible mitigation scenarios:

-- Reduce the likelihood of this issue by configuring MAC masquerading for your Traffic-Groups. This can improve the situation, as the surrounding network equipment no longer has to learn a MAC address change for a given IP address during a failover of the BIG-IP devices (the equipment only has to learn the port move for the MAC masquerade address).

-- Ensure the surrounding network equipment is not limiting GARPs (or broadcast ARP requests/responses in general).

-- Employ the 'link down time on failover' feature to keep links down after a failover for a few seconds (thus preventing the possibility of any traffic egressing the standby unit). This is not possible for vCMP guests, however.

Fix:
There is now a database variable 'pva.standby.flush' which can be enabled to flush accelerated flows after a failover. Setting 'pva.standby.flush' to 1 instructs the BIG-IP system to evict all accelerated flows from the ePVA hardware after it registers a failover event.

Note: If multiple Traffic-Groups are configured, a failover from any of them causes this flush, regardless of the state of any other Traffic-Groups.

-- To enable this functionality:
tmsh modify sys db pva.standby.flush value 1

-- To disable this functionality (the default setting):
tmsh modify sys db pva.standby.flush value 0

Note: The term 'flush' or 'eviction' does not mean flow 'deletion'; flow eviction occurs normally in other situations. The impact from the flush/eviction of flows on other, still active Traffic-Groups results in brief, increased resource consumption until the flows are returned to ePVA acceleration.

---

419741-3 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms

Component: Local Traffic Manager

Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.

Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.

Impact:
In rare situations, the TMM crashes.

Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not be verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.

---

418349-2 : Update/overwrite of FIPS keys error

Component: TMOS

Symptoms:
After deleting and re-creating a FIPS key, sync to other devices fails and /var/log/ltm gives the following error:

crit tmm[10817]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 78 status: 0x40000116 : ERR_HSM_ERROR

Note that this error is logged on any FIPS-related error, it might be this issue if you were attempting to replace FIPS keys with an identical name on devices in a device group.

Conditions:
This can occur on FIPS-enabled devices in a device group when a FIPS key is deleted and an identically-named FIPS key is added.

Impact:
Sync of the FIPS key fails.

Workaround:
If you are encountering this, you can do the following workaround.

Impact of workaround: this should have no negative impact to the system since your objective is to replace the FIPS keys.

- Detach all keys/certs from all SSL Profiles and delete all keys via script on the standby System
- Run “tmsh show sys crypto fips” and verify all keys have been deleted
- Run a configsync with override and verify the sync has been carried out successfully.

---

418009 : Hardware data display inaccuracies

Component: TMOS

Symptoms:
Sensor location fields show truncated. The Part Number and the PCA titles appear to be not right for some platforms because of the specific nature of the titles.

Conditions:
When displaying the hardware details you could see the problems in the sensor data and in the Hardware Version Information. This appears when running the command tmsh show sys hardware

Impact:
Missing sensor location data, and inaccuracy when naming the titles of the hardware characteristics.

Fix:
Fixed the truncation problem for the sensor location increasing the size of the data used for retrieving it; and used Part Number and PCA to have generic titles that apply to all platforms.

---

412817-3 : BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.

Component: TMOS

Symptoms:
The BIG-IP system is unreachable for IPv6 traffic via PCI pass-through interfaces, because current ixgbevf drivers do not support multicast receive.

Conditions:
When configured to see IPv6 traffic on a PCI pass-through interface, the BIG-IP guest is not able to see this traffic.

Impact:
PCI pass-through interfaces are unable to see IPv6 traffic.

Workaround:
None.

Fix:
BIG-IP system is now reachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.

---

409340-1 : https/ssl monitor closes immediately (rather than awaiting remote close-notify)

Solution Article: K63086108

Component: Local Traffic Manager

Symptoms:
SSL-based monitors (such as https) continue to maintain an open connection for up to ~15 seconds after the monitor probe is completed, when connecting to an SSL enabled web server that fails to send close-notify before FIN.

Conditions:
Configuration uses SSL-based monitors (such as https), where your SSL enabled web server fails to send close-notify before FIN.

Impact:
SSL-enabled monitors wait ~15 seconds before closing the connection and reclaiming resources. Although this behavior is correct according to the SSL protocol, it has the potential to introduce a limited amount of connection stacking on the monitored host.

Workaround:
Your SSL enabled web server should send close-notify before FIN for SSL-based monitors to close immediately.

Fix:
Previous behavior for an SSL-based monitor (such as https) sent a shutdown notification to the remote-server, and awaited a close-reply (shutdown acknowledgement) response for up to 15 seconds. When an SSL-enabled web server fails to send close-notify, the SSL-based monitor hangs in CLOSE_WAIT for ~15 seconds before sending FIN and closing the connection. This waiting consumes resources that are unavailable for other monitoring, which is observed to be significant on certain configurations with high https monitor loads.

New behavior is to close the connection immediately after sending shutdown notification to the remote server, and not await a shutdown acknowledgement.

---

401815-1 : BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic

Component: Service Provider

Symptoms:
The BIG-IP system resets the egress IP ToS to zero (0). As a result of this issue, you may encounter the following symptoms:

-- A packet capture on the affected traffic shows the DSCP value in the DS field is set to zero for SIP packets egressing from the BIG-IP system.
-- Traffic priority failure for SIP traffic egressing from the BIG-IP system, which may also cause voice quality degradation.

Conditions:
This issue occurs when all of the following conditions are met:

-- A virtual server is configured with both a SIP and UDP profile.
-- The IP ToS setting in the UDP profile is set to Pass Through.

The IP ToS setting controls the Differentiated Services Code Point (DSCP) values of the Differentiated Services (DS) field in the IP header. This information is used in Quality of Service (QoS) configurations to give specific traffic priority on the network. By resetting the DSCP values to zero, the SIP traffic egressing from the BIG-IP system does not receive the expected priority while traversing through the network.

Impact:
SIP traffic egressing the BIG-IP system does not receive the expected priority. This issue may cause voice quality degradation.

Workaround:
To work around this issue, you can use the following iRule to preserve the DSCP values when passing through the BIG-IP system:

when CLIENT_ACCEPTED {
   set client_tos [IP::tos]
}
when SERVER_CONNECTED {
  IP::tos $client_tos
}

Fix:
The BIG-IP system now propagates the ToS bit from ingress flow to the egress flow.

---

400778 : Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete

Component: TMOS

Symptoms:
On a VIPRION system during failover in which the blade transitioning from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1.

Conditions:
This occurs on VIPRION systems.

Impact:
The ltm log displays messages: -- err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete'. -- err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'.

Workaround:
None. These messages are benign and you can safely ignore them.

---

400550 : LCD listener error during shutdown

Component: TMOS

Symptoms:
During shutdown you see this error message: 012a0004:4: LCD listener write to LCDd exception: Psuedo Terminal: File I/O Error [Bad file descriptor] at PseudoTermDev.cpp:93

Conditions:
This can occur when shutting down a blade on a VIPRION 4400 platform.

Impact:
This occurs on shutdown and is cosmetic, and can be ignored.

Workaround:
None.

Fix:
The system now detects and handles the interruption during shutdown, to exit cleanly without error messages.

---

393270-1 : Configuration utility may become non-responsive or fail to load.

Component: TMOS

Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Unable to log into the GUI or GUI shows blank page

Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.

Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.

---

392121-3 : TMSH Command to retrieve the memory consumption of the bd process

Component: Application Security Manager

Symptoms:
There is no tmsh commands to retrieve the memory consumption of the bd process.

Conditions:
tmsh commands don't show bd process memory usage.

Impact:
Difficult to diagnose memory consumption issues.

Workaround:
Review messages individually in /var/log/ts/bd.log.

### For ASM bd current memory consumption use the following grep command

cat /ts/log/bd.log | grep "UMU: total"
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0

### For XML memory consumption in bd process do the following on a big-ip.

*WARNING*: The following steps enable debug prints to the bd.log it may cause to an excessive io, handle with care on production boxes.

1. add the following 3 lines the /etc/ts/bd/logger.cfg

MODULE=BD_XML;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;

2. Run a CLI tool.
/usr/share/ts/bin/set_active.pl --update_logger_cfg

To stop the debug prints, remove the 3 mentioned lines from the logger.cfg file and run the CLI tool again.

Fix:
The following command now reports memory consumption of the bd process:
tmctl asm_memory_util_stats

For specific fields -s option can be used, for example:
tmctl asm_memory_util_stats -s total_xml_mem_used,total_xml_max_mem

---

389484-6 : OAM reporting Access Server down with JDK version 1.6.0_27 or later

Component: Access Policy Manager

Symptoms:
Cannot connect to Access Server.

When running eamtest tool to check the functionality between OAM and the access server are working correctly, the following error is seen:

Preparing to connect to Access Server. Please wait.

Access Server you specified is currently down. Please check your Access Server.oamconfig[2368]: Could not configure OAM

Conditions:
The problem occurs only when OAM server is installed with JDK version 1.6.0_27 or later.

Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.

Workaround:
Install older version of JDK than v1.6.0_27.

Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.

---

386517-1 : Multidomain SSO requires a default pool be configured

Component: Access Policy Manager

Symptoms:
When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after logon, the user will be redirected back to another logon page.

Conditions:
Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned.

Impact:
There are two known use cases where this is commonly encountered. 1) LTM + Secure Connectivity virtuals do not usually have a default pool configured.
2) The pool is being configured through an iRule

Workaround:
When configuring multidomain SSO, always assign a default pool to the virtual server.

Fix:
Some of the logic in ACCESS was updated to add consideration of dynamic pool assignments (eg. iRules) in addition to the default pool. Default pool is no longer needed for multidomain SSO.

---

371164-1 : BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.

Component: Local Traffic Manager

Symptoms:
Since traffic groups are not bound to any specific VLAN, so Neighbor Discovery (ND) for link-local addresses go out on all VLANs. This occurs because traffic groups are not bound to any particular VLAN or interface. Since MAC is bound to the traffic group, it is not bounded to particular VLAN either.

Conditions:
Using MAC masquerade addresses on VLANs. TMM creates new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs.

For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.


Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}.

Impact:
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, there are some switches that might not correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4.

Workaround:
Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.

---

370131-4 : Loading UCS with low GTM Autoconf Delay drops pool Members from config

Component: Global Traffic Manager (DNS)

Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.

Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.

Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.

Workaround:
bigstart stop gtmd during UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.

Fix:
Loading UCS with low GTM Autoconf Delay now completes correctly.

---

367226-4 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of RIP packets send by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
Multiple TMM instances, RIP routing configured.

Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Fix:
TMM no longer modifies the source port of RIP traffic.

---

366695-1 : Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Component: Global Traffic Manager (DNS)

Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.

Conditions:
Someone of "Manager" roll attempts to create/modify/delete a GTM datacenter, link, server, prober-pools, or topology objects.

Impact:
Error message thrown

Workaround:
Error thrown is correct, but user's shouldn't be able to even get this far in tmsh.

Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.

---

355806-7 : Starting mcpd manually at the command line interferes with running mcpd

Component: TMOS

Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.

Conditions:
Having a running mcpd and executing mcpd at the command line.

Impact:
Various issues on the system, such as some utilities may no longer interact with mcpd, etc.

Workaround:
Don't try to use the mcpd directly.

Fix:
You are now told the PID of the current mcpd and the executed command will exit abnormally.

---

353229-2 : Buffer overflows in DIAMETER

Solution Article: K54130510

---

352957-4 : Route lookup after change in route table on established flow ignores pool members

Solution Article: K03005026

Component: Local Traffic Manager

Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.

Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.

Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.

Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.

Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.

---

273104-2 : Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps

Component: Local Traffic Manager

Symptoms:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.

Conditions:
Always.

Impact:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.

Fix:
Each TCP connection starts with a random Timestamp. Disabled by default. Sys db tm.tcpsendrandomtimestamp can be used to enable/disable TCP random Timestamp.

---

251162-3 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Solution Article: K11564

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.

---

248914-4 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address

Solution Article: K00612197

Component: Local Traffic Manager

Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.

Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.

Impact:
This may cause destination lookup failures on the layer 2 network.

Workaround:
Use transparent mode instead of translucent mode on the vlangroup.

Fix:
ARP and NDP replies sent from the BIG-IP to a vlangroup use the vlangroup MAC address as the layer 2 source address.

---

246726-1 : System continues to process virtual server traffic after disabling virtual address

Solution Article: K8940

Component: Local Traffic Manager

Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.

Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.

Impact:
Traffic is still processed.

Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940

Fix:
When disabling a VIP in LTM the VIP no longer passes traffic. This is correct behavior.

Behavior Change:
When disabling a VIP in LTM the VIP no longer passes traffic.

---

238444-3 : An L4 ACL has no effect when a layered virtual server is used.

Solution Article: K14219

Component: Access Policy Manager

Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:

-- Unexpected network traffic may be allowed to pass.
-- Expected network traffic may be blocked.

Conditions:
This issue occurs when the following conditions are met:

-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
-- When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.

Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.

Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.

Fix:
With this fix, an admin needs to perform below tasks:

1. Create an iRule similar to the following:

when CLIENT_ACCEPTED {
        ACL::eval
}

2. Attach this iRule to admin-defined layered virtual servers.

---

225634-1 : The rate class feature does not honor the Burst Size setting.

Component: Local Traffic Manager

Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).

The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.

Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.

Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.

Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:

Impact of workaround: None.

1. Log in to the Configuration utility.
2. Click Network.
3. Click Rate Shaping.
4. Click the appropriate rate class.
5. Change the Burst Size to 0.
6. Click Update.

Fix:
The fix for this issue results in disabling the burst feature temporarily.

Note: Neither the GUI nor tmsh prevent you from configuring the burst feature, but the settings have no effect.

Behavior Change:
The burst feature is now disabled for rate shaping. Although you can configure the burst size setting, it has no effect.

---

222034-4 : HTTP::respond in LB_FAILED with large header/body might result in truncated response

Component: Local Traffic Manager

Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.

Conditions:
This issue occurs when all of the following conditions are met: -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client.

Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.

Workaround:
To work around this issue modify the iRule. For example, instead of directly using HTTP::Respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.

---

Known Issues in BIG-IP v12.1.x


TMOS Issues

ID Number	Severity	Solution Article(s)	Description
694897-4	1-Blocking		Unsupported Copper SFP can trigger a crash on i4x00 platforms.
652223-1	1-Blocking	K50325308	BWC: Non-TCP data going through Category can make policy active
603093	1-Blocking		AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system
544980-5	1-Blocking		BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
990853-6	2-Critical		Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
980325-2	2-Critical		Chmand core due to memory leak from dossier requests
942549-5	2-Critical		Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
929133-5	2-Critical		TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
915305-1	2-Critical		Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
888341-2	2-Critical		HA Group failover may fail to complete Active/Standby state transition
854493-1	2-Critical		Kernel page allocation failures messages in kern.log
831821-6	2-Critical		Corrupted DAG packets causes bcm56xxd core on VCMP host
817709-1	2-Critical		IPsec: TMM cored with SIGFPE in racoon2
817085-1	2-Critical		Multicast Flood Can Cause the Host TMM to Restart
810593-5	2-Critical	K10963690	Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
792285-4	2-Critical		TMM crashes if the queuing message to all HSL pool members fails
789973	2-Critical		Tmm crash while using IPsec
780437-5	2-Critical		Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777993-4	2-Critical		Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
770953-5	2-Critical		'smbclient' executable does not work
770741	2-Critical		NIC Tx Engine hang causing ixgbevf interface (SR-IOV) flipping
758929-5	2-Critical		Bcm56xxd MIIM bus access failure after TMM crash
756830-3	2-Critical		BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
755549	2-Critical		TMM crash and core
746464-4	2-Critical		MCPD sync errors and restart after multiple modifications to file object in chassis
746122-5	2-Critical		'load sys config verify' resets the active master key to the on-disk master key value
743271-2	2-Critical		Querying vCMP Health Status May Show Stale Statistics
711683-4	2-Critical		bcm56xxd crash with empty trunk in QinQ VLAN
708968-4	2-Critical		OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
703669-3	2-Critical		Eventd restarts on NULL pointer access
698931-3	2-Critical		Corrupted SessionDB messages causes TMM to crash
693246-1	2-Critical		SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.
680556-2	2-Critical		Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
675431-1	2-Critical		Non-default value in db variable pvaSynCookies.enabled reverts to default value after reboot or mcpd restart
673147-1	2-Critical	K01350083	Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.
667114-1	2-Critical	K32622880	TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
644135	2-Critical	K53342451	12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics
625156	2-Critical	K50524736	Bigd memory leak
613542-2	2-Critical	K81463390	tmm core while running the iRule STATS:: command
608511-2	2-Critical	K22141268	Message router profile is not inheriting the traffic-group from the parent folder
593536-10	2-Critical	K64445052	Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
481235-2	2-Critical		Rare Watchdog Restart of TMM and Datastor
477611-5	2-Critical		ICMP monitor does not work on DAG Round Robin enabled VLANs
382363-7	2-Critical	K30588577	min-up-members and using gateway-failsafe-device on the same pool.
987081-6	3-Major		Alarm LED remains active on Secondary blades even after LCD alerts are cleared
977609-6	3-Major		Request logging profile not logging server-side variables on a virtual-server with rate-limit or connection-limit applied
977113-2	3-Major		Unable to configure dependency for GTM virtual server if pool member dependency exists
976013-1	3-Major		If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards
972785-2	3-Major		Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP
970829-2	3-Major		iSeries LCD incorrectly displays secure mode after changing login password
967745-5	3-Major		Last resort pool error for the modify command for Wide IP
966949-5	3-Major		Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
965941-5	3-Major		Creating a net packet filter in the GUI does not work for ICMP for IPv6
964125-5	3-Major		Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
956589-5	3-Major		The tmrouted daemon restarts and produces a core file
947529-4	3-Major		Security tab in virtual server menu renders slowly
945265-1	3-Major		BGP may advertise default route with incorrect parameters
943669-6	3-Major		B4450 blade reboot
930825-1	3-Major		System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
928697-5	3-Major		Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
927941-1	3-Major		IPv6 static route BFD does not come up after OAMD restart
927909	3-Major		Upgrading a vCMP guest using a block device image may fail on older versions of host software
925797-5	3-Major		Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
922613-5	3-Major		Tunnels using autolasthop might drop traffic with ICMP route unreachable
920761-5	3-Major		Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values
920517-5	3-Major		Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI
919317-1	3-Major		NSM consumes 100% CPU processing nexthops for recursive ECMP routes
918693-1	3-Major		Wide IP alias validation error during sync or config load
915557-6	3-Major		The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
915493-1	3-Major		imish command hangs when ospfd is enabled
914081-5	3-Major		Engineering Hotfixes missing bug titles
913829-1	3-Major		i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
913433-5	3-Major		On blade failure, some trunked egress traffic is dropped.
909197-6	3-Major		The mcpd process may become unresponsive
908021-4	3-Major		Management and VLAN MAC addresses are identical
907549-5	3-Major		Memory leak in BWC::Measure
906505-6	3-Major		Display of LCD System Menu cannot be configured via GUI on iSeries platforms
905749-4	3-Major		imish crash while checking for CLI help string in BGP mode
901989-6	3-Major		Boot_marker writes to /var/log/btmp
900485-6	3-Major		Syslog-ng 'program' filter does not work
899933-6	3-Major		Listing property groups in TMSH without specifying properties lists the entire object
899085-1	3-Major		Configuration changes made by Certificate Manager role do not trigger saving config
898705-1	3-Major		IPv6 static BFD configuration is truncated or missing
898461-6	3-Major		Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
898389-5	3-Major		Traffic is not classified when adding port-list to virtual server from GUI
896553-1	3-Major		On blade failure, some trunked egress traffic is dropped.
895845-1	3-Major		Implement automatic conflict resolution for gossip-conflicts in REST
895781-1	3-Major		Round Robin disaggregation does not disaggregate globally
892445-6	3-Major		BWC policy names are limited to 128 characters
891337-5	3-Major		'save_master_key(master): Not ready to save yet' errors in the logs
886689-2	3-Major		Generic Message profile cannot be used in SCTP virtual
884729-6	3-Major		The vCMP CPU usage stats are incorrect
883149-6	3-Major		The fix for ID 439539 can cause mcpd to core.
882609-4	3-Major		ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
879969-1	3-Major		FQDN node resolution fails if DNS response latency >5 seconds
874857-1	3-Major		Hardware-accelerated connections might not be removed from ePVA on transition to standby
871705-2	3-Major		Restarting bigstart shuts down the system
871045-6	3-Major		IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
867793-5	3-Major		BIG-IP sending the wrong trap code for BGP peer state
867249-5	3-Major		New SNMP authentication type and privacy protocol algorithms not available in UI
865241-5	3-Major		Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
862693-5	3-Major		PAM_RHOST not set when authenticating BIG-IP using iControl REST
862525-5	3-Major		GUI Browser Cache Timeout option is not available via tmsh
858769-1	3-Major		Net-snmp library must be upgraded to 5.8 in order to support SHA-2
853617-5	3-Major		Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
842901-6	3-Major		Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.
842125-1	3-Major		Unable to reconnect outgoing SCTP connections that have previously aborted
841721-6	3-Major		BWC::policy detach appears to run, but BWC control is still enabled
841277-2	3-Major		C4800 LCD fails to load after annunciator hot-swap
838337-6	3-Major		The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
838297-6	3-Major		Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
837481-2	3-Major		SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID
836237-1	3-Major		ZRD process restarts observed due to stale files in /var/zrd/zrd-undo/ when UCS file is loaded or any modifications in wide IP configurations.
836137	3-Major		When BGP recursive nexthop is down, network is down, logs show Type: 0 messages without nexthop.
829889	3-Major		Invalid opcode: kernel BUG at mm/shmem.c:556!
829821-5	3-Major		Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
827021-5	3-Major		MCP update message may be lost when primary blade changes in chassis
826313-1	3-Major		Error: Media type is incompatible with other trunk members★
826265-1	3-Major		The SNMPv3 engineBoots value restarts at 1 after an upgrade
819281	3-Major		HSB and switch interface pause frames
819261-1	3-Major		Log HSB registers when parts of the device becomes unresponsive
818505-6	3-Major		Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
814353-1	3-Major		Pool member silently changed to user-disabled from monitor-disabled
814053-1	3-Major		Under heavy load, bcm56xxd can be killed by the watchdog
812493-6	3-Major		When engineID is reconfigured, snmp and alert daemons must be restarted★
811053-5	3-Major		REBOOT REQUIRED prompt appears after failover and clsh reboot
811041-2	3-Major		Out of shmem, increment amount in /etc/ha_table/ha_table.conf
810381-5	3-Major		The SNMP max message size check is being incorrectly applied.
809657-5	3-Major		HA Group score not computed correctly for an unmonitored pool when mcpd starts
809509-3	3-Major		Resource Admin User unable to download UCS using Rest API.
808277-1	3-Major		Root's crontab file may become empty
806881-4	3-Major		Loading the configuration may not set the virtual server enabled status correctly
806073-6	3-Major		MySQL monitor fails to connect to MySQL Server v8.0
804477-1	3-Major		Log HSB registers when parts of the device becomes unresponsive
803833-1	3-Major		On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★
803237-6	3-Major		PVA does not validate interface MTU when setting MSS
802493-1	3-Major		Hardware syncookies on some hardware platforms may retrieve the wrong mss
799001-6	3-Major		Sflow agent does not handle disconnect from SNMPD manager correctly
797829-2	3-Major		The BIG-IP system may fail to deploy new or reconfigure existing iApps
797221-4	3-Major		BCM daemon can be killed by watchdog timeout during blade-to-blade failover
795685-4	3-Major		Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
791061-4	3-Major		Config load in /Common removes routing protocols from other partitions
788645	3-Major		BGP does not function on static interfaces with vlan names longer than 16 characters.
788557-2	3-Major		BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
783985	3-Major		Grub boot entries not updated on i2600 from iControl SOAP set_boot_location call★
782613-2	3-Major		Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
776081	3-Major		The F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed values are not meaningful on a VE
775845-4	3-Major		Httpd fails to start after restarting the service using the iControl REST API
773577-4	3-Major		SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
772497-2	3-Major		When BIG-IP is configured to use a proxy server, updatecheck fails
772117-2	3-Major		Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card
769029-3	3-Major		Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
767305-4	3-Major		If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
765969-4	3-Major		HSB register dump missing from hsb_snapshot
764873-5	3-Major		An accelerated flow transmits packets to a dated, down pool member.
761833	3-Major		PostgreSQL database disk usage over 2 GB without AFM provisioned
760932-5	3-Major		Part of audit log messages are also in other logs when strings are long
760259-1	3-Major		Qkview silently fails to capture qkviews from other blades
760222-4	3-Major		SCP fails unexpected when FIPS mode is enabled
757709	3-Major		Routing daemon NSM cores if any of interface indexes of VLANs, Tunnels or VLAN Groups are identical to loopback and tmm interfaces of Route Domains where these VLANs, Tunnels or VLAN Groups are located
755976-7	3-Major		ZebOS might miss kernel routes after mcpd deamon restart
754132-1	3-Major		A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
753860-2	3-Major		Virtual server config changes causing incorrect route injection.
753423-3	3-Major		Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation
753001-4	3-Major		mcpd can be killed if the configuration contains a very high number of nested references
752994-4	3-Major		Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
752228-3	3-Major		GUI Network Map to account for objects in a Disabled By Parent state
751409-4	3-Major		MCP Validation does not detect when virtual servers differ only by overlapping VLANs
751024-1	3-Major		i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
751021-4	3-Major		One or more TMM instances may be left without dynamic routes.
748608	3-Major		IPsec / ESP traffic pinned to TMM 0 for SP-Dag on 4000s/4200v, 2000s/2200v platforms
748323	3-Major		It is possible for the archive.tm2 file to not get cleaned up
747799-3	3-Major		'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile
746758-5	3-Major		Qkview produces core file if interrupted while exiting
746657-4	3-Major		tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
745309	3-Major		Self IP route is not updated in a routing table if there is more than one route with the same destination signature
744913	3-Major		Tmm may be killed during snapshot creation on VMware ESXi
744520-4	3-Major		virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
744252-4	3-Major		BGP route map community value: either component cannot be set to 65535
743895	3-Major		Upgrades from 10.2.x fail due to empty virtual address lines in the configuration★
743234-1	3-Major		Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
743132-3	3-Major		mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
742877	3-Major		Tmm may fail a heartbeat on VE if unscheduled by busy hypervisor
742753-1	3-Major		Accessing the BIG-IP system's WebUI via special proxy solutions may fail
740517-4	3-Major		Application Editor users are unable to edit HTTPS Monitors via the Web UI
740203	3-Major		Installing a certificate or key may fail for a remote user
740135-4	3-Major		Traffic Group ha-order list does not load correctly after reset to default configuration
739820-4	3-Major		Validation does not reject IPv6 address for TACACS auth configuration
739533-3	3-Major		In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
739118-4	3-Major		Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
738543-1	3-Major		Dynamic route with recursive nexthop might cause tmrouted restart
738359	3-Major		Log output does not reflect BIG-IP system timezone setting
737901-1	3-Major		Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
737536-5	3-Major		Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
737346-4	3-Major		After entering username and before password, the logging on user's failure count is incremented.
733585-2	3-Major		Merged can use %100 of CPU if all stats snapshot files are in the future
727467-3	3-Major		Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
727297-4	3-Major		GUI TACACS+ remote server list should accept hostname
727191-4	3-Major		Invalid arguments to run sys failover do not return an error
726416-1	3-Major		Physical disk HD1 not found for logical disk create
725950-1	3-Major		Regcomp() leaks memory if passed an invalid regex.
725792-2	3-Major		BWC: Measure log-publisher if used might result in memory leak
725646-6	3-Major		The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
725620	3-Major		Corrupted HSB RQM configuration causes HSB receive failures on 5000s/5200v, 5050s/5250v/5250v-F platforms
725427	3-Major		OPT-0036-01 does not report DDM tx power alarms or tx power warnings
724706	3-Major		iControl REST statistics request causes CPU spike
723579-3	3-Major		OSPF routes missing
721740-3	3-Major		CPU stats are not correctly recorded when snapshot files have timestamps in the future
721020-4	3-Major		Changes to the master key are reverted after full sync
719555-1	3-Major		Interface listed as 'disable' after SFP insertion and enable
718800-3	3-Major		Cannot set a password to the current value of its encrypted password
718230-5	3-Major		Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
715061-1	3-Major		TMM may crash and produce a core file on a vCMP guest when the guest is being shut down from the host.
714626-1	3-Major		When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
714198	3-Major		Mcpd is blocked when executing the tmsh command 'tmsh -a show net arp all'
713708-3	3-Major		Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
712266-2	3-Major		Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
712033-1	3-Major		When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
711879	3-Major		Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.
711158-1	3-Major		Admin user roles automatically demoted to guest
710841	3-Major		12.1.3.3 feature refinement might be lost after upgrade★
710039	3-Major		Merging config may not report syslog configuration errors
709559-3	3-Major		LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
707320-1	3-Major		Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
702310-2	3-Major		The ':l' and ':h' options are not available on the tmm interface in tcpdump
701722-2	3-Major		Potential mcpd memory leak for signed iRules
701341-2	3-Major	K52941103	If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
701289-2	3-Major		Static BFD with BIG-IP floating IP address
700897-3	3-Major		sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
700794-2	3-Major		Cannot replace a FIPS key with another FIPS key via tmsh
700426-2	3-Major	K58033284	Switching partitions while viewing objects in GUI can result in empty list
700250-1	3-Major	K59327012	qkviews for secondary blade appear to be corrupt
698933-3	3-Major		Setting metric-type via ospf redistribute command may not work correctly
698844	3-Major		LCD splash screen may display incorrect platform name on iSeries appliance
698599	3-Major	K24479486	Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.
698597	3-Major	K10300436	BIG-IP fails to go active after cryptographic hardware has recovered from a failure
698594	3-Major	K53752362	Cave Creek Crypto hardware reports a false positive of a stuck queue state
698462	3-Major		TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections
698171-1	3-Major		STP interfaces remain in block state on 40G bundled interfaces after enabling STP
698034-2	3-Major		PKCS12 file imported via Configuration utility into folder is placed at partition root
698013-4	3-Major	K27216452	TACACS+ system auth and file descriptors leak
696731-1	3-Major	K94062594	The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
695090	3-Major		In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled
693578-1	3-Major		switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
693563-3	3-Major	K22942093	No warning when LDAP is configured with SSL but with a client certificate with no matching key★
692753-3	3-Major		shutting down trap not sent when shutdown -r or shutdown -h issued from shell
692218-5	3-Major		Audit log messages sent from the primary blade to the secondaries should not be logged.
691749-3	3-Major		Delete sys connection operations cannot be part of TMSH transactions
690890-3	3-Major		Running sod manually can cause issues/failover
689779	3-Major		VE HyperV packet drops under load due to interrupt distribution
689567-3	3-Major		Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
688406-3	3-Major	K14513346	HA-Group Score showing 0
687797-1	3-Major		iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.
687617-3	3-Major		DHCP request-options when set to "none" are reset to defaults when loading the config.
687172	3-Major		Pools do not appear as expected after deploying iApp via iWorkflow
686816-3	3-Major		Link from iApps Components page to Policy Rules invalid
686626-2	3-Major		The BIG-IP system may connect to an OCSP server using an unexpected source IP address
684096-1	3-Major		stats self-link might include the oid twice
683135-4	3-Major		Hardware syncookies number for virtual server stats is unrealistically high
681782-4	3-Major		Unicast IP address can be configured in a failover multicast configuration
681009-2	3-Major		Large configurations can cause memory exhaustion during live-install★
679605-1	3-Major		Device groups with no members will cause upgrade to fail
679027	3-Major		Rare memory corruption in tmrouted while license is being reset
677485-2	3-Major		Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
676442-2	3-Major	K37113440	Changes to RADIUS remote authentication may not fully sync
675742	3-Major		Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores
675298-1	3-Major		F5 MIB value types changed to become RFC compliant
674997	3-Major		It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.
674957-1	3-Major		If a certificate is stored in DER format, exporting it using the GUI corrupts the output.
674328-3	3-Major		Multicast UDP from BIG-IP may have incorrect checksums
673952	3-Major		1NIC VE in HA device-group shows 'Changes Pending' after reboot
673640	3-Major		Log messages for virtual server status changes are not immediately logged.
673241	3-Major		Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage.
671553-2	3-Major		iCall scripts may make statistics request before the system is ready
671372-2	3-Major	K01930721	When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
671261-2	3-Major	K32306231	MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
671236-2	3-Major	K27343382	BGP local-as command may not work when applied to peer-group
671178	3-Major	K20274760	Date/time change after configuring HA may impair configuration sync
669585-3	3-Major		The tmsh sys log filter is unable to display information in uncompressed log files.
669241-1	3-Major		Cannot create stateless virtual servers with ip-protocol set to 'gre'.
667618-2	3-Major		Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
667476	3-Major		Upgrade and config load can fail if a data group record of type string contains a tab character
667082-2	3-Major		Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
666117-4	3-Major		Network failover without a management address causes active-active after unit1 reboot
662301-6	3-Major		'Unlicensed objects' error message appears despite there being no unlicensed config
660895-2	3-Major		TMM can crash if TMM count is greater than licensed throughput
658036-2	3-Major	K04651090	Honoring negotiated MSS for TCP segmentation
657834-2	3-Major	K45005512	Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
657727-2	3-Major	K39694060	Running tcpdump from TMSH cannot capture the local "tmm" interface
653928	3-Major		On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.★
651136-2	3-Major	K36893451	ReqLog profile on FTP virtual server with default profile can result in service disruption.
648873-3	3-Major	K93513131	Traffic-group failover-objects cannot be retrieved via iControl REST
648316-3	3-Major	K10776106	Flows using DEFLATE decompresion can generate error message during flow tear-down.
647834-4	3-Major		Failover DB variables do not correctly implement 'reset-to-default'
647151-1	3-Major		CPU overtemp condition threshold is 75C
645206-4	3-Major	K23105004	Missing cipher suites in outgoing LDAP TLS ClientHello★
644979-2	3-Major		Errors not logged from hourly 1k key generation cron job
643799-1	3-Major		Deleting a partition may cause a sync validation error
642422-2	3-Major		BFD may not remove dependant static routes when peer sends BFD Admin-Down
641582-1	3-Major		Rarely, an HSB transmitter failure occurs
641543-1	3-Major		bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.
641001	3-Major		BWC: dynamic policy category sees lower bandwidth than expected in Congested policies
640054-1	3-Major		Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled
639774-5	3-Major	K30598276	mysqld.err rollover log files are not collected by qkview
638089-1	3-Major		LACP and CMP state simultaneously fail on 2150 or 2250 blades
637979-1	3-Major		IPsec over isession not working
637279	3-Major		Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.
633824-2	3-Major	K39319200	Cannot add pool members containing a colon in the node name
633172	3-Major	K12473201	External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command
632825-5	3-Major		bcm56xxd crash following 'silent' port-mirror configuration failure
632204-1	3-Major	K22568472	Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions
631046	3-Major		Unable to generate a FIPS key using the GUI
629834-4	3-Major		istatsd high CPU utilization with large number of entries
627760-3	3-Major		gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626226-1	3-Major		Large SSL certificate bundle export by GUI silently fails
625215-1	3-Major		unic: flow redirects for non-default cmp-hash on untagged VLANs
624626-3	3-Major		Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
624580-1	3-Major	K37147352	BigDB.dat may become truncated
623488-3	3-Major		Custom adaptive reaper settings may be lost at upgrade time★
623371-1	3-Major		After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
623367-1	3-Major	K57879554	When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
623265-4	3-Major	K15645547	UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★
622378-1	3-Major		Inconsistent hardware syncookie protection mode on B2100/B4300 blades and 5000/7000/10000 appliances
620969-3	3-Major		iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
619419	3-Major		Workaround for Software Installation Failures in TMUI★
618982-1	3-Major		IPSEC + chassis behavior for case secondary blades on-off switch.
618319-5	3-Major	K58255321	HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
617875-1	3-Major		vCMP guest may fail to start due to not enough hugepages
617643-1	3-Major		iControl.ForceSessions enabled results in GUI error on certain pages
614648-1	3-Major		Unable to upload software image larger than 2GB using the GUI
614493-1	3-Major		BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
612086-3	3-Major	K32857340	Virtual server CPU stats can be above 100%
612083	3-Major		Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.
609200-2	3-Major		Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★
609186-5	3-Major		TMM or MCP might core while getting connections via iControl.
606330-5	3-Major		The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
606032	3-Major		Network Failover-based high availability (HA) in AWS may fail
605891-1	3-Major		Enable ASM option disappears from L7 policy actions
605840-5	3-Major		HSB receive failure lockup due to unreceived loopback packets
605800-3	3-Major		Web GUI submits changes to multiple pool members as separate transactions
603772-1	3-Major		Floating tunnels with names more than 15 characters may cause issues during config-sync.
602193-4	3-Major		iControl REST calls fail when payload contains non-UTF8 data
601414-1	3-Major		Combined use of session and table irule commands can result in intermittent session lookup failures
598650-1	3-Major		apache-ssl-cert objects do not support certificate bundles
597818-2	3-Major		Unable to configure IPsec NAT-T to "force"
597564-3	3-Major		'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
596826-5	3-Major		Don't set the mirroring address to a floating self IP address
596020-3	3-Major		Devices in a device-group may report out-of-sync after one of the devices is rebooted
595868-1	3-Major		HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.
595617-1	3-Major	K40420553	Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.
593845-3	3-Major	K24093205	VE interface limit
593361-1	3-Major		The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.
591305-4	3-Major		Audit log messages with "user unknown" appear on install
589856-2	3-Major		IControl REST : possible to get duplicate transaction IDs when transactions are created by multiple clients
588646-1	3-Major		Use of Standard access list remarks in imish may causes later entries to fail on add
588028-1	3-Major		Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up
587821-5	3-Major		vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
580499-2	3-Major	K34082034	Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.
579035-5	3-Major	K46145454	Config sync error when a key with passphrase is converted into FIPS.
575368-5	3-Major		Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
571333-8	3-Major	K36155089	FastL4 TCP handshake timeout not honored for offloaded flows
570845-3	3-Major	K00334323	Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy
569968	3-Major		snmpd core during startup
569859-2	3-Major		Password policy enforcement for root user when mcpd is not available
569331-1	3-Major		Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
569281-6	3-Major	K33242855	L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot
567490-2	3-Major		db.proxy.__iter__ value is overwritten if it's manually set
544568-5	3-Major		Flows for a FastL4 profile that are forwarded may now be accelerated.
542137	3-Major		TMM continually restarts due to HSB failure
538283-5	3-Major		iControl REST asynchronous tasks may block other tasks from running
535122-8	3-Major		[tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects
528295-6	3-Major	K40735404	Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
524193-5	3-Major		Multiple Source addresses are not allowed on a TMSH SNMP community
524123-1	3-Major		iRule ISTATS::remove does not work
509497-1	3-Major		VCMP guests on a specific host may be restarted when that host system experiences large date/time changes
499348-5	3-Major		System statistics may fail to update, or report negative deltas due to delayed stats merging
489499-3	3-Major		chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
486997-1	3-Major		The vCMP guest lost watchdog heartbeat, and the host restarted it.
486712-7	3-Major		GUI PVA connection maximum statistic is always zero
469366-3	3-Major	K16237	ConfigSync might fail with modified system-supplied profiles
455066-2	3-Major		Read-only account can save system config
438574-1	3-Major		Web UI: iSession Profile properties page displays incorrect parent profile name.
431503-5	3-Major	K14838	TMSH crashes in rare initial tunnel configurations
410549-1	3-Major		Changing the provision.tmmcount db variable value results in continuous tmm restarts
385013-6	3-Major		Certain user roles do not trigger a sync for a 'modify auth password' command
375434-6	3-Major		HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
291256-5	3-Major		Changing 'Minimum Length' and 'Required Characters' might result in an error
247527-2	3-Major	K14890	Mgmt interface cannot be disabled via tmsh
224665-2	3-Major	K12711	Proxy Exclusion List setting is not aware of administrative partitions
955057-5	4-Minor		UCS archives containing a large number of DNS zone files may fail to restore.★
947865-5	4-Minor		Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
939757-1	4-Minor		Deleting a virtual server might not trigger route-injection update.
939517-1	4-Minor		DB variable scheduler.minsleepduration.ltm changes to default value after reboot
931609	4-Minor		After installing a UCS file on a new BIG-IP, some configuration items may fail to load
924429-5	4-Minor		Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
918013-5	4-Minor		Log message with large wchan value
911713-5	4-Minor		Delay in Network Convergence with RSTP enabled
906449-6	4-Minor		Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
901985-3	4-Minor		Extend logging for incomplete HTTP requests
893093-6	4-Minor		An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
892677-2	4-Minor		Loading config file with imish adds the newline character
869237-2	4-Minor		Management interface might become unreachable when alternating between DHCP/static address assignment.
858549-1	4-Minor		GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs
848681-2	4-Minor		Disabling the LCD on a VIPRION causes blade status lights to turn amber
846793-1	4-Minor		SCTP flow may be inappropriately aborted due to 'stream-id out of range'
846521-2	4-Minor		Config script does not refresh management address entry properly when alternating between dynamic and static
838925-2	4-Minor		Rewrite URI translation profile can cause connection reset while processing malformed CSS content
828625-5	4-Minor		User shouldn't be able to configure two identical traffic selectors
821745	4-Minor		Mcpd core when changing password for BIG-IP remote user
819421-5	4-Minor		Unable to scp/sftp to device after upgrade★
813165	4-Minor		P2P failure on BIG-IP system while connecting with Cisco router
808481-2	4-Minor		Hertfordshire county missing from GTM Region list
805325-5	4-Minor		tmsh help text contains a reference to bigpipe, which is no longer supported
761981	4-Minor		Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors
761084-2	4-Minor		Custom monitor fields appear editable for Auditor, Operator, or Guest
759852-3	4-Minor		SNMP configuration for trap destinations can cause a warning in the log
759590-2	4-Minor		Creation of RADIUS authentication fails with service types other than 'authenticate only'
758105	4-Minor		Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml
756714-4	4-Minor		UIDs on /home directory are scrambled after upgrade★
750413	4-Minor		UTF-8 character in subject of a certificate used for iQuery cannot be removed
746152-4	4-Minor		Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
740957	4-Minor		'fips_get_key_attr(): mod_err = 0xa9' message seen in /var/log/ltm
740461	4-Minor		Certificate or key upload in the GUI may occasionally fail with 'General database error"
724994-1	4-Minor		API requests with 'expandSubcollections=true' are very slow
723111	4-Minor		mailx is blocked by SELinux Policy
722647-1	4-Minor		The configuration of some of the Nokia alerts is incorrect
719770-4	4-Minor		tmctl -H -V and -l options without values crashed
719241	4-Minor		Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure.
713947-3	4-Minor		stpd repeatedly logs "hal sendMessage failed"
713138	4-Minor		TMUI ILX Editor inserts an unnecessary linefeed
713134-3	4-Minor		Small tmctl memory leak when viewing stats for snapshot files
712241-1	4-Minor		A vCMP guest may not provide guest health stats to the vCMP host
710410-1	4-Minor		TMM hardware accelerated compression not registering for all compression levels.
708415	4-Minor		Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
706106-1	4-Minor		PUT request sent to ltm/virtual failed because of ip-protocol property value any
703509-1	4-Minor		Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
702615-1	4-Minor		During reboot to another volume, the GUI login page becomes prematurely available★
698991	4-Minor	K64258832	CPU utilization on i850 is not a reliable indicator of system capacity
697766-3	4-Minor		Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
696363	4-Minor		Unable to create SNMP trap in the GUI
692172-2	4-Minor		rewrite profile causes "No available pool member" failures when connection limit reached
691491-3	4-Minor	K13841403	2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
690781	4-Minor		VIPRION systems with B2100 or B2150 blades cannot run certain combinations of vCMP guest sizes
689147-1	4-Minor		Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
687343-3	4-Minor		Running 'load sys config merge verify' will add new users to the PostGres database
685233-2	4-Minor	K13125441	tmctl -d blade command does not work in an SNMP custom MIB
683029-2	4-Minor		Sync of virtual address and self IP traffic groups only happens in one direction
678117-1	4-Minor		'Can't create a home directory' logged for remote users on secondary blades after configsync
675368-2	4-Minor		Unable to reorder rules when one of the rule names contain % or /
673573-6	4-Minor		tmsh logs boost assertion when running child process and reaches idle-timeout
670691	4-Minor	K02331705	Unable to list ntlm profile in different root folder or partition
663911-2	4-Minor		When running out of memory, MCP can report an incorrect allocation size
659888-1	4-Minor		Profiles with names that contain percentage signs cannot be accessed in TMUI
655484-1	4-Minor	K69912019	GUI LTM Pool Statistics Page running out of memory with large number of Pools
655464	4-Minor		Incorrect information about number of cores/guests on i11000 platforms
650019-2	4-Minor		The commented-out sample functions in audit_forwarder.tcl are incorrect
647812-3	4-Minor		/tmp/wccp.log file grows unbounded
646768-4	4-Minor	K71255118	VCMP Guest CM device name not set to hostname when deployed
640863-2	4-Minor	K29231946	Disabling partition selector in DNS Resolver's Forward Zones
640489	4-Minor	K53571714	iSeries LCD alerts screen returns to splash screen intermittently
636823-3	4-Minor		Node name and node address
636164	4-Minor		Remote IP not working in IE 8
636163	4-Minor		Certificate Key Chain not working in IE 8
636031-4	4-Minor	K23313837	GUI LTM Monitor Configuration String adding CR for type Oracle
634014	4-Minor		Absolute timers may fire one second early during the leap second event
633495	4-Minor		Cannot switch between partitions in Local Traffic :: Policies
631083-2	4-Minor		Some files in home directory are overwritten on password change
630795-1	4-Minor		No guestagentd entry in merged.conf
627221-1	4-Minor		iControl SOAP doesn't support displaying all possible media options for interfaces
626480-1	4-Minor		Restjavad log messages: [ProcessManager] Maximum child processes of 3 has been reached
626279-1	4-Minor		After reboot LCD reports "unit going standby" even if it has gone active.
623313	4-Minor		After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★
618889-1	4-Minor		Clicking the policies list tab does not refresh the policies list on click.
611054-1	4-Minor		Network failover "enable" setting is sometimes ignored on chassis systems
606799-1	4-Minor	K16703796	GUI total number of records not correctly initialized with search string on several pages.
603693-5	4-Minor	K52239932	Brace matching in switch statement of iRules can fail if literal strings use braces
587804-1	4-Minor		Symmetric Unit Key decrypt failure on base load
586348-1	4-Minor		Network Map Pool Member Parent Node Name display and Pool Member hyperlink
584788-1	4-Minor		Directed failover of HA pair using only hardwire failover will fail
584504-2	4-Minor	K36912228	Allowing non-English characters on login screen
583777-5	4-Minor	K33230520	[TMSH] sys crypto cert missing tab completion function
583084-5	4-Minor	K15101680	iControl produces 404 error while creating records successfully
582595-2	4-Minor	K52029952	default-node-monitor is reset to none for HA configuration.
582127-1	4-Minor	K55138704	VE OVA logrotate max-file-size too big for /var/log partition size
581865-2	4-Minor	K11053914	6900, 8900, 8950, or 11050 platforms missing swap storage★
571727-1	4-Minor	K52707821	'force-full-load-push' is not tab expandable
571017-1	4-Minor		Extra log messages seen on optics removal.
565755	4-Minor		Dashboard does not work when custom port is used for management port.
528894-9	4-Minor		Config sync after sub-partition config changes results extra lines in the partition's conf file
514703-1	4-Minor		gtm listener cannot be listed across partitions
501258-2	4-Minor		Unable to modify 'gtm region region-members' via iControl REST
484683-4	4-Minor		Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.
479262-4	4-Minor		'readPowerSupplyRegister error' in LTM log
476544-2	4-Minor		mcpd core during sync
463903-5	4-Minor	K68062382	Behavior Change: HA Score calculation when minimum-threshold attribute is in use
965457-1	5-Cosmetic		OSPF duplicate router detection might report false positives
964421-5	5-Cosmetic		Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'
769145-4	5-Cosmetic		Syncookie threshold warning is logged when the threshold is disabled
713519-3	5-Cosmetic		Enabling MCP Audit logging does not produce log entry for audit logging change
679431-3	5-Cosmetic		In routing module the 'sh ipv6 interface <interface> brief' command may not show header
676395-1	5-Cosmetic		Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.
633568	5-Cosmetic		Pool statistics page doesn't show all pool members in IE8 with compatibility view
617578-2	5-Cosmetic		Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware
617161-1	5-Cosmetic		Cosmetic: duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers.
603092-5	5-Cosmetic		"displayservicenames" does not apply to show ltm pool members
602390-2	5-Cosmetic	K87506901	Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
594228-2	5-Cosmetic		Resetting mgmt interface statistics doesn't work on VE or VCMP
570013	5-Cosmetic		TCP Analytics Profile section in virtual server UI has erroneous caption
542347-2	5-Cosmetic		Denied message in audit log on first time boot
396273-2	5-Cosmetic		Error message in dmesg and kern.log: vpd r/w failed

Local Traffic Manager Issues

ID Number	Severity	Solution Article(s)	Description
967249-5	2-Critical		TMM may leak memory early during its startup process, and may continue to do so indefinitely.
949137-6	2-Critical		Clusterd crash and vCMP guest failover
938545-6	2-Critical		Oversize plugin Tcl object results can result in 0-length messages and plugin crash
922317	2-Critical		Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
912289-5	2-Critical		Cannot roll back after upgrading on certain platforms★
910653-1	2-Critical		iRule parking in clientside/serverside command may cause tmm restart
910213-6	2-Critical		LB::down iRule command is ineffective, and can lead to inconsistent pool member status
853329-6	2-Critical		HTTP explicit proxy can crash TMM when used with classification profile
851857-5	2-Critical		HTTP 100 Continue handling does not work when it arrives in multiple packets
851581-5	2-Critical		Server-side detach may crash TMM
851385-6	2-Critical		Failover takes too long when traffic blade failure occurs
841469-2	2-Critical		Application traffic may fail after an internal interface failure on a VIPRION system.
835505	2-Critical		Tmsh crash potentially related to NGFIPS SDK
824437-5	2-Critical		Chaining a standard virtual server and an ipother virtual server together can crash TMM.
807857-2	2-Critical		TMM can leak memory under specific traffic and iRule configurations.
757510-4	2-Critical		Class name mismatch is not caught
757441-1	2-Critical		Specific sequence of packets causes Fast Open to be effectively disabled
757407-3	2-Critical		Error reading RRD file may induce processes to mutually wait for each other forever
745589-3	2-Critical		In very rare situations, some filters may cause data-corruption.
726518-5	2-Critical		Tmsh show command terminated with CTRL-C can cause TMM to crash.
724906-2	2-Critical		sasp_gwm monitor leaks memory over time
721571-3	2-Critical		State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★
706505-1	2-Critical		iRule table lookup command may crash tmm when used in FLOW_INIT
696908-2	2-Critical		Updating iRule causes TMM to crash
683454	2-Critical	K99294671	HTTP::header command may crash TMM on an erroneous argument
677975-2	2-Critical	K59237122	SSL may cause the TMM to core when forging a certificate due to race condition
676491-2	2-Critical		BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent.
673095	2-Critical		Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'
670893-1	2-Critical		Sensitive monitor parameters recorded in monitor logs
666889-1	2-Critical	K25769531	Deleting virtual server may cause tmm to segfault
663925-5	2-Critical		Virtual server state not updated with pool- or node-based connection limiting
662296-1	2-Critical		Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address
634369-2	2-Critical		Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes
625807-6	2-Critical		Tmm cores in bigproto_cookie_buffer_to_server
618463-2	2-Critical		artificial low route mtu can cause SIGSEV core from monitor traffic
609609-1	2-Critical		TMM crash, Invalid action
603690-2	2-Critical	K82210057	CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.
598031-1	2-Critical		Slow memory growth leading to TMM core
586862-1	2-Critical	K30859144	Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.
577904-1	2-Critical		When a fips key is deleted, its corresponding public key is not deleted from fips card
985749-6	3-Major		TCP exponential backoff algorithm does not comply with RFC 6298
984897-6	3-Major		Some connections performing SSL mirroring are not handled correctly by the Standby unit.
971217-5	3-Major		AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.
968949-2	3-Major		Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile
968509-2	3-Major		Response headers are not parsed correctly causing subsequent requests stall at BIG-IP
967353-6	3-Major		HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
963705-5	3-Major		Proxy ssl server response not forwarded
962913-6	3-Major		The number of native open connections in the SSL profile is higher than expected
958785-2	3-Major		FTP data transfer does not complete after QUIT signal
955617-4	3-Major		Cannot modify the destination address of a monitor
953845-6	3-Major		After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
950005-5	3-Major		TCP connection is not closed when necessary after HTTP::respond iRule
947125-5	3-Major		Unable to delete monitors after certain operations
945601-1	3-Major		An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
942217-5	3-Major		Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
936593-1	3-Major		Invalid server-side SSL profile options can be configured in tmsh
936441-5	3-Major		Nitrox5 SDK driver logging messages
934017-2	3-Major		Problems may occur after creating a node named '_auto_<IP address>'
922413-6	3-Major		Excessive memory consumption with ntlmconnpool configured
921541	3-Major		When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
920789-6	3-Major		UDP commands in iRules executed during FLOW_INIT event fail
920205-2	3-Major		Rate shaping might suppress TCP RST
918277-6	3-Major		Slow Ramp does not take into account pool members' ratio weights
915773-5	3-Major		Restart of TMM after stale interface reference
915605-3	3-Major		Image install fails if iRulesLX is provisioned and /usr mounted read-write★
914061-5	3-Major		BIG-IP may reject a POST request if it comes first and exceeds the initial window size
912517-6	3-Major		MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
910473	3-Major		Tmm crash when applying config changes
906653-6	3-Major		Server side UDP immediate idle-timeout drops datagrams
904625-6	3-Major		Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
904041-6	3-Major		Ephemeral pool members may be incorrect when modified via various actions
899905	3-Major		N3FIPS kernel driver crash
898681	3-Major		SafeNet install fails with the message 'path not allowed'
895205-6	3-Major		A circular reference in rewrite profiles causes MCP to crash
892385-4	3-Major		HTTP does not process WebSocket payload when received with server HTTP response
891145-1	3-Major		TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
887045-6	3-Major		The session key does not get mirrored to standby.
885325-6	3-Major		Stats might be incorrect for iRules that get executed a large number of times
883049-7	3-Major		Statsd can deadlock with rrdshim if an rrd file is invalid
876569	3-Major		QAT compression codec produces gzip stream with CRC error
874317-5	3-Major		Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
873677-2	3-Major		LTM policy matching does not work as expected
862597-2	3-Major		Improve MPTCP's SYN/ACK retransmission handling
862069-5	3-Major		Using non-standard HTTPS and SSH ports fails under certain conditions
862001-5	3-Major		Improperly configured NTP server can result in an undisciplined clock stanza
853613-6	3-Major		Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
852873-5	3-Major		Proprietary Multicast PVST+ packets are forwarded instead of dropped
852325-5	3-Major		HTTP2 does not support Global SNAT
851121-5	3-Major		Database monitor DBDaemon debug logging not enabled consistently
846977-5	3-Major		TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
846873-1	3-Major		Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
845333-1	3-Major		An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
842425-5	3-Major		Mirrored connections on standby are never removed in certain configurations
841369-6	3-Major		HTTP monitor GUI displays incorrect green status information
841341-1	3-Major		IP forwarding virtual server does not pick up any traffic if destination address is shared.
840785-5	3-Major		Update documented examples for REST::send to use valid REST endpoints
827441-4	3-Major		Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail
823825-2	3-Major		Renaming HA VLAN can disrupt state-mirror connection
820333-6	3-Major		LACP working member state may be inconsistent when blade is forced offline
819329	3-Major		Specific FIPS device errors will not trigger failover
818097-1	3-Major		Plane CPU stats too high after primary blade failover in multi-blade chassis
816205-1	3-Major		IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side
815405-2	3-Major		GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
815089-6	3-Major		On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
813701-1	3-Major		Proxy ARP failure
810533-6	3-Major		SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
806937	3-Major		CPM policy stops matching after adding rule
803629-5	3-Major		SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
801549-5	3-Major		Persist records do not expire properly if mirroring is configured incorrectly
801541-4	3-Major		Persist records do not expire properly if HA peer is unavailable
801329	3-Major		When OneConnect profile is used, pool selection might be pinned to one pool
795933-5	3-Major		A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
794505-1	3-Major		OSPFv3 IPv4 address family route-map filtering does not work
793669-3	3-Major		FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
786517-6	3-Major		Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
785509	3-Major		Modifying fields such as chain, trusted certificate authorities in client SSL profile, and/or chain in cert-key-chain belonging to the same client SSL profile might not be reflected in TMM
783145-1	3-Major		Pool gets disabled when one of its pool member with monitor session is disabled
781753-4	3-Major		WebSocket traffic is transmitted with unknown opcodes
781041-5	3-Major		SIP monitor in non default route domain is not working.
767341-6	3-Major		If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
766593-3	3-Major		RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
761869-2	3-Major		WMI monitor may return negative values
761477-4	3-Major		Client authentication performance when large CRL is used
760406-6	3-Major		HA connection might stall on Active device when the SSL session cache becomes out-of-sync
760050-5	3-Major		cwnd warning message in log
758437-3	3-Major		SYN w/ data disrupts stat collection in Fast L4
758436-5	3-Major		Optimistic ACKs degrade Fast L4 statistics
758041-5	3-Major		Pool Members may not be updated accurately when multiple identical database monitors configured
757827-4	3-Major		Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
757505-1	3-Major		peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
757029-5	3-Major		Ephemeral pool members may not be created after config load or reboot
756812	3-Major		Nitrox 3 instruction/request logger may fail due to SELinux permission error
756647-4	3-Major		Global SNAT connections do not reset upon timeout.
756313-5	3-Major		SSL monitor continues to mark pool member down after restoring services
755791-5	3-Major		UDP monitor not behaving properly on different ICMP reject codes.
755631-4	3-Major		UDP / DNS monitor marking node down
755250	3-Major		Clock advanced messages when modifying a virtual server with 1000 SSL profiles
754604-1	3-Major		iRule : [string first] returns incorrect results when string2 contains null
753526-4	3-Major		IP::addr iRule command does not allow single digit mask
752530-4	3-Major		TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-4	3-Major		Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
752078-3	3-Major		Header Field Value String Corruption
751427	3-Major		LTM policy rule condition does not match server-name in ssl-extension
750204-1	3-Major		Add support for P-521 curve in the X.509 chain to SSL LTM
750200-4	3-Major		DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
747077-2	3-Major		Potential crash in TMM when updating pool members
746355	3-Major		A client SSL handshake fails when client hello extension contains only unsupported groups
745663-1	3-Major		During traffic forwarding, nexthop data may be missed at large packet split
743900-4	3-Major		Custom DIAMETER monitor requests do not have their 'request' flag set
743896	3-Major		Gratuitous ARP not sent on interface up
742838-4	3-Major		A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition
741345	3-Major		Adaptive monitor gateway_icmp does not function correctly with two nodes
738450-4	3-Major		Parsing pool members as variables with IP tuple syntax
734692-1	3-Major		Incorrect prefix of ICMP error messages in NAT64
727469-1	3-Major		ProxySSL leaks profile reference
726734-2	3-Major		DAGv2 port lookup stringent may fail
726319-3	3-Major		'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
725592	3-Major		Outgoing RIP advertisements may have incorrect source port
723306-5	3-Major		Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
723112	3-Major		LTM policies does not work if a condition has more than 127 matches
718867-3	3-Major		tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★
718790-5	3-Major		Virtual Server reports unavailable and resets connection erroneously
717346-4	3-Major	K13040347	[WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
716952-3	3-Major		With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
716492-1	3-Major	K59332523	Rateshaper stalls when TSO packet length exceeds max ceiling.
715756-3	3-Major		Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
714642-5	3-Major		Ephemeral pool-member state on the standby is down
714503-3	3-Major		When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
714495-3	3-Major		When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
714384-5	3-Major		DHCP traffic may not be forwarded when BWC is configured
713585-1	3-Major	K31544054	When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
712489-3	3-Major		TMM crashes with message 'bad transition'
710996-1	3-Major		VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
709963-4	3-Major		Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709837-3	3-Major		Cookie persistence profile may be configured with invalid parameter combination.
707691-2	3-Major		BIG-IP handles some pathmtu messages incorrectly
704764-2	3-Major		SASP monitor marks members down with non-default route domains
702439-3	3-Major	K04964898	Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
701690-3	3-Major	K53819652	Fragmented ICMP forwarded with incorrect icmp checksum
701033-1	3-Major		Tcl actions not run if conditions have overlapping IP ranges
700639	3-Major		The default value for the syncookie threshold is not set to the correct value
700080-1	3-Major		A db var compression.zlibinflateratio.threshold is added to force stopping inflating
696755-2	3-Major		HTTP/2 may truncate a response body when served from cache
695707-3	3-Major		BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
695109-3	3-Major	K15047377	Changes to fallback persistence profiles attached to a Virtual server are not effective
691992	3-Major		MSTP: CIST bridge priority changes after adjusting the MSTI priority.
691785-3	3-Major		The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
690778-3	3-Major	K53531153	Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
690316	3-Major		Software syncookies are sent for FastL4 virtual server with software syncookies disabled
688570-3	3-Major		BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
687807-3	3-Major		The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception
687044-2	3-Major		tcp-half-open monitors might mark a node up in error
686563-3	3-Major		WMI monitor on invalid node never transitions to DOWN
686547-3	3-Major		WMI monitor sends logging data for credentials when no credentials specified
686101-3	3-Major	K73346501	Creating a pool with a new node always assigns the partition of the pool to that node.
683706-1	3-Major		Pool member status remains 'checking' when manually forced down at creation
683061-2	3-Major		Rapid creation/update/deletion of the same external datagroup may cause core
681673-2	3-Major		tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-2	3-Major	K23531420	i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
678450-3	3-Major		No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
678066	3-Major		LTM Policy Tcl-enabled values require 'tcl:' prefix★
677841-1	3-Major		Server SSL TLS session reuse with changed SNI uses incorrect session ID
677666-3	3-Major		/var/tmstat/blades/scripts segment grows in size.
677442	3-Major		During bulk crypto processing for SSL traffic, tmm might restart in rare cases.
676643	3-Major		FTP passive monitor uses IP address from PASV (not monitor destination)
674459	3-Major		Users are not expected to change security.commoncriteria DB variable through TMSH
670520-3	3-Major		FastL4 not sending keepalive at proper interval when other side gets response
670258-2	3-Major		Multicast pings not forwarded by TMM
666127-1	3-Major		Flows are incorrectly processed on a standby system.
664000	3-Major		TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing
660807	3-Major		Clientside command with parking command crashes TMM
660119-1	3-Major	K36005385	Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.
655767-5	3-Major		MCPD does not prevent deleting an iRule that contains in-use procedures
654981-3	3-Major		Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
653228-2	3-Major	K34312110	SNAT does not work properly on FTP VIP2VIP
653137-1	3-Major	K24159492	Virtual flaps when FQDN node and pool configured with autopopulate
652370-1	3-Major		The persist cookie insert iRule command may leak memory
649897	3-Major		Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.
649275-2	3-Major		RSASSA-PSS client certificates support in Client SSL
646440-7	3-Major		TMSH allows mirror for persistence even when no mirroring configuration exists
645674-2	3-Major		'bigd' message send to 'mcpd' failure is not logged
645635-2	3-Major		Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
643860-4	3-Major	K41573401	Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
642786-3	3-Major	K01833444	TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.
640395-1	3-Major	K26144701	When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
637613-3	3-Major	K24133500	Cluster blade being disabled immediately returns to enabled/green
633464-2	3-Major		Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
633110-2	3-Major	K09293022	Literal tab character in monitor send/receive string causes config load failure, unknown property
632604-1	3-Major		SSL::sessionid iRule command returns incorrect result
632553-2	3-Major	K14947100	DHCP: OFFER packets from server are intermittently dropped
630257-1	3-Major		Monitor send/receive strings cannot end with trailing single-backslash★
628696-1	3-Major		Under rare circumstances, all blades in cluster claim not primary during start up
624917	3-Major		First few handshakes fail after chassis/appliance reboot when using HSM
624044-1	3-Major	K42806722	LTM Monitor custom recv/send/recv-disable parameters have backslash at the end may fail to load★
623084-2	3-Major		mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★
622870	3-Major		When using a Thales key, SSL handshake failed after restarting pkcs11d
620556-1	3-Major		Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
620053-1	3-Major		Gratuitous ARPs may be transmitted by active unit being forced offline
618131-1	3-Major		Latency for Thales key population to the secondary slot after reboot
618104-1	3-Major		Connection Using TCP::collect iRule May Not Close
614410-3	3-Major		Unexpected handling of TCP timestamps in HA configuration
613483-2	3-Major	K18133264	Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.
611652-3	3-Major		iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
610682-2	3-Major		LTM Policy action to reset connection only works for requests
607166-1	3-Major		Hidden directories and files are not synchronized to secondary blades
605175	3-Major		Backslashes in monitor send and receive strings
598204-3	3-Major	K54284420	In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
597369-1	3-Major		Reopen TCP's receive window based on initial receive window size after a zero window
597253-1	3-Major		HTTP::respond Tcl command may incorrectly identify parameters as iFiles
596278	3-Major		ILX workspace created by iApp made from template not deleted when iApp deleted
595921-1	3-Major		VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
590156-3	3-Major		Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
586660-1	3-Major		HTTP/2 and RAM Cache are not compatible.
585248-1	3-Major		Resetting crypto client statistics can crash TMM and disrupt traffic handling.
584948-5	3-Major		Safenet HSM integration failing after it completes.
584414	3-Major		Deleting persistence-records via tmsh may result in persistence being created to different nodes
582331-1	3-Major		Maximum connections is not accurate when TMM load is uneven
582234-6	3-Major		When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
579252-3	3-Major		Traffic can be directed to a less specific virtual during virtual modification
572142-2	3-Major		Config sync peer may fail to monitor newly added pool member after it is added via sync
542104-2	3-Major	K33458192	In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
537209-5	3-Major		Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
522241-3	3-Major		Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
516280-4	3-Major		bigd process uses a large percentage of CPU
512490-14	3-Major		Increased latency during connection setup when using FastL4 profile and connection mirroring.
510395-5	3-Major	K17485	Disabling some events while in the event, then running some commands can cause tmm to core.
505037-2	3-Major	K01993279	Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
486735-5	3-Major		Maximum connections is not accurate when TMM load is uneven
451627-2	3-Major		If key associated with monitor is stored in external hsm, monitor fails.
433572-4	3-Major		DTLS does not work with rfcdtls cipher on the B2250 blade
431480-1	3-Major	K17297	Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
405898-2	3-Major		If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected
374067-7	3-Major	K14098	Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
369640-1	3-Major	K17195	Folder path objects in iRules can have only a single context per script
315765-5	3-Major		The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.
987885-1	4-Minor		Half-open unclean SSL termination might not close the connection properly
982993-1	4-Minor		Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail
962433-1	4-Minor		HTTP::retry for a HEAD request fails to create new connection
962181-5	4-Minor		iRule POLICY command fails in server-side events
962177-5	4-Minor		Results of POLICY::names and POLICY::rules commands may be incorrect
935593-1	4-Minor		Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
932553-1	4-Minor		An HTTP request is not served when a remote logging server is down
931469-3	4-Minor		Redundant socket close when half-open monitor pings
929429-6	4-Minor		Oracle database monitor uses excessive CPU when Platform FIPS is licensed
922005-7	4-Minor		Stats on a certain counter for web-acceleration profile may show excessive value
911853-2	4-Minor		Stream filter chunk-size limits filter to a single match per ingress buffer
898753-1	4-Minor		Multicast control-plane traffic requires handling with AFM policies
898201-6	4-Minor		Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
890881	4-Minor		ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
880697-6	4-Minor		URI::query command returning fragment part, instead of query part
865341	4-Minor		SSL::collect and SSL::release in an iRule causes connection reset
838305-1	4-Minor		BIG-IP may create multiple connections for packets that should belong to a single flow.
834217-2	4-Minor		Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
832233-5	4-Minor		The iRule regexp command issues an incorrect warning
814037-3	4-Minor		No virtual server name in Hardware Syncookie activation logs.
812949	4-Minor		P2P failure while connecting with Cisco router when firewall is enabled.
801705-1	4-Minor		When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
787905-1	4-Minor		Improve initializing TCP analytics for FastL4
773253-1	4-Minor		The BIG-IP may send VLAN failsafe probes from a disabled blade
772297-4	4-Minor		LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
763197-1	4-Minor		Flows not mirrored on wildcard Virtual Server with opaque VLAN group
761913-1	4-Minor		iRule checksum created in GUI might cause config load failure in tmsh
760683-3	4-Minor		RST from non-floating self-ip may use floating self-ip source mac-address
757777-1	4-Minor		bigtcp does not issue a RST in all circumstances
748333-3	4-Minor		DHCP Relay does not retain client source IP address for chained relay mode
747628-4	4-Minor		BIG-IP sends spurious ICMP PMTU message to server
743253-5	4-Minor		TSO in software re-segments L3 fragments.
743116-1	4-Minor		Chunked responses may be incorrectly handled by HTTP/2
738045-2	4-Minor		HTTP filter complains about invalid action in the LTM log file.
724746-2	4-Minor		Incorrect RST message after 'reject' command
722534-4	4-Minor		load sys config merge not supported for iRulesLX
717806-5	4-Minor		In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
702281-2	4-Minor		OneConnect header transformations may cause some Websocket connections to reset.
699076-3	4-Minor		URI::path iRules command warns end and start values equal
697988-2	4-Minor	K34554754	During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
697626	4-Minor		iRules LX: Cannot modify workspace imported by "Import From Workspace"
693966-2	4-Minor		TCP sndpack not reset along with other tcp profile stats
693901-3	4-Minor		Active FTP data connection may change source port on client-side
689231	4-Minor		MSSQL filter assumes 64-bit token done row count field
688557-3	4-Minor	K50462482	Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
688542-1	4-Minor		SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request
680680-2	4-Minor		The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
677270-2	4-Minor	K76116244	Trailing comments in iRules are removed from the config when entered/loaded in TMSH or Configuration Utility
665777	4-Minor		TMM0 on the secondary blade sends out extra ARP replies
664596-1	4-Minor		One LTM policy causes a different policy to not execute
657118-1	4-Minor		Tmm crash
652577-2	4-Minor		Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address
651005-3	4-Minor		FTP data connection may use incorrect auto-lasthop settings.
646495-2	4-Minor		BIG-IP may send oversized TCP segments on traffic it originates
640704	4-Minor	K20418658	A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★
636348-3	4-Minor		BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
635871-1	4-Minor		tmsh validation of hash persistence timeout setting is incorrect
632901-1	4-Minor	K03112333	JET documentation incorrect for RESOLV::lookup
622876-1	4-Minor		Certificate serial number is not displayed properly in OCSP Stapling logs.
621843-1	4-Minor		the ipother proxy is sending icmp error messages to the wrong side
603380-6	4-Minor		Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
599048-1	4-Minor		BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
594547	4-Minor		LTM policy TCP address selector offers only the condition 'match any of'
593396-1	4-Minor		Stateless virtual servers may not work correctly with route pools or ECMP routes
592620-1	4-Minor		iRule validation does not catch incorrect 'after' syntax
586138-1	4-Minor	K84112154	Inconsistent display of route-domain information in administrative partitions.
584772	4-Minor		ssldump may crash when decrypting bad records
571622-1	4-Minor		'Exceeding pool member limit' error with FQDN pool members and non-LTM license
564634-5	4-Minor		Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
552988-2	4-Minor		Cannot enable MPTCP on some profiles in GUI.
544958-4	4-Minor		Monitors packets are sent even when pool member is 'Forced Offline'.
539026-5	4-Minor		Stats refinements for reporting Unhandled Query Actions :: Drops
527004-4	4-Minor		Monitor delete-and-create within a transaction fails
499404-1	4-Minor	K15457342	FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
477992-3	4-Minor	K07450534	Instance-specific monitor logging fails for pool members created in iApps
474901-1	4-Minor		Profiles with a large number of regexps can cause excessive memory usage.
470807-3	4-Minor		iRule data-groups are not checked for existence
370573-2	4-Minor		iRule STREAM command internal error causes connection drop
222409-6	4-Minor	K9952	The HTTP::path iRule command may return more information than expected
979213-5	5-Cosmetic		Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
897437-1	5-Cosmetic		First retransmission might happen after syn-rto-base instead of minimum-rto.
873249-5	5-Cosmetic		Switching from fast_merge to slow_merge can result in incorrect tmm stats
859717-5	5-Cosmetic		ICMP-limit-related warning messages in /var/log/ltm
687579	5-Cosmetic		TMSH incorrectly allows settings snat-translation ip-idle-timeout to zero.
625156-2	2-Critical	K50524736	Bigd memory leak

Performance Issues

ID Number	Severity	Solution Article(s)	Description
632838-1	3-Major		Deterministic NAT performance may be degraded
567513-4	3-Major		Erroneous syncookie flag in HSB return descriptor causes the BIG-IP system to pass through the ACK packets after the session is closed.
616021-1	4-Minor	K93089152	Name Validation missing for some GTM objects

Global Traffic Manager (DNS) Issues

ID Number	Severity	Solution Article(s)	Description
933405-6	1-Blocking	K34257075	Zonerunner GUI hangs when attempting to list Resource Records
960437-5	2-Critical		The BIG-IP system may initially fail to resolve some DNS queries
918597-3	2-Critical		Under certain conditions, deleting a topology record can result in a crash.
913729-2	2-Critical		Support for DNSSEC Lookaside Validation (DLV) has been removed.
905557-4	2-Critical		Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
837637-7	2-Critical	K02038650	Orphaned bigip_gtm.conf can cause config load failure after upgrading★
722741-4	2-Critical		Damaged tmm dns db file causes zxfrd/tmm core
685915-1	2-Critical		Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured
675731-2	2-Critical		Certain types of GTM Pools not displaying while listing WideIPs
264701-1	2-Critical	K10066	GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
990929-6	3-Major		Status of GTM monitor instance is constantly flapping
987709-2	3-Major		Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
973341-6	3-Major		Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt
973261-6	3-Major		GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
969553-5	3-Major		DNS cache returns SERVFAIL
967737-6	3-Major		DNS Express: SOA stops showing up in statistics from second zone transfer
966461-3	3-Major		Tmm leaks memory after each DNSSEC query when netHSM is not connected
958325-5	3-Major		Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB
936777-6	3-Major		Old local config is synced to other devices in the sync group.
926593-5	3-Major		GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
921625-6	3-Major		The certs extend function does not work for GTM/DNS sync group
921549-1	3-Major		The gtmd process does not receive updates from local big3d.
920817-2	3-Major		DNS Resource Records can be lost in certain circumstances
911241-2	3-Major		The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
903521-6	3-Major		TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'
899253-2	3-Major		[GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
890285-3	3-Major		DNS resolver cannot forward DNS query to local IPv6 virtual server
863917-5	3-Major		The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
851341	3-Major		DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs
799657-1	3-Major		Name validation missing control characters for some GTM objects
781829-3	3-Major		GTM TCP monitor does not check the RECV string if server response string not ending with \n
760615-5	3-Major		Virtual Server discovery may not work after a GTM device is removed from the sync group
758772-5	3-Major		DNS Cache RRSET Evictions Stat not increasing
757464-4	3-Major		DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
756177-3	3-Major		GTM marks pool members down across datacenters
754901-4	3-Major		Frequent zone update notifications may cause TMM to restart
749222-4	3-Major		dname compression offset overflow causes bad compression pointer
744787-1	3-Major	K04201069	Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
739553-4	3-Major		Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
737529-1	3-Major		[GTM] load or save configs removes backslash \ from GTM pool member name
723095-1	3-Major		tmsh "modify gtm pool <type> all ... " commands fail
716701-2	3-Major		In iControl REST: Unable to create Topology when STATE name contains space
714507-4	3-Major		[tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
712500-2	3-Major		Unhandled Query Action Drops Stat does not increment after transparent cache miss
704176-1	3-Major	K22540391	Monitor instances may not get deleted during configuration merge load
701232-1	3-Major		Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation
700118-2	3-Major		rrset statistics unavailable
699512-3	3-Major		UDP packet may be dropped when queued in parallel with another packet
698211-3	3-Major	K35504512	DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
689583-3	3-Major		Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
689117-1	3-Major		Transfer Complete log message now includes the SOA Serial number
688335-3	3-Major	K00502202	Big3d may restart in a loop on secondary blades of a chassis system
679316-1	3-Major		iQuery connections reset during SSL renegotiation
677526-2	3-Major		Memory leak may occur during connflow failures.
659930-1	3-Major		Enterprise Manager may receive malformed data if there are multiple monitors on a pool
529896-2	3-Major		DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared
523198-1	3-Major		DNS resolver multiplexing might cause unexpected behaviors
517609-3	3-Major	K77005041	GTM Monitor Needs Special Escape Character Treatment
222220-1	3-Major		Distributed application statistics
959613-6	4-Minor		SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason
947217-1	4-Minor		Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★
889801-5	4-Minor		Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
885201-5	4-Minor		BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log
853585-4	4-Minor		REST Wide IP object presents an inconsistent lastResortPool value
839361-1	4-Minor		iRule 'drop' command does not drop packets when used in DNS_RESPONSE
790113-5	4-Minor		Cannot remove all wide IPs from GTM distributed application via iControl REST
767989-1	4-Minor		DNSSEC RRSIG Inception Offset
752216-3	4-Minor	K33587043	DNS queries without the RD bit set may generate responses with the RD bit set
740284-3	4-Minor		Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
717113-1	4-Minor		It is possible to add the same GSLB Pool monitor multiple times
688266-3	4-Minor		big3d and big3d_install use different logics to determine which version of big3d is newer
674754-2	4-Minor		ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
666258-2	4-Minor		GTM/DNS manual resume pool member not saved to config when disabled
665117-2	4-Minor	K33318158	DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
648806-1	4-Minor		Invalid "with the first highest ratio counter" logging for pool member ratio load balance
643455-2	4-Minor		Update TTL for equally trusted records only
480795	4-Minor		GTM: Move address from one high availability (HA) redundant LTM to another might cause BIG-IP monitor failure
588229-1	5-Cosmetic		DNS protocol default profiles can be deleted after being modified.

Application Security Manager Issues

ID Number	Severity	Solution Article(s)	Description
940249-5	2-Critical		Sensitive data is not masked after "Maximum Array/Object Elements" is reached
903453-1	2-Critical		TMM crash following redirect when Proactive Bot Defense is used
879841-1	2-Critical		Domain cookie same-site option is missing the "None" as value in GUI and rest
865461-5	2-Critical		BD crash on specific scenario
784337	2-Critical		False positive header related violation
725887-2	2-Critical		BD crash on specific scenario
612584-1	2-Critical	K34500121	Server side blocking/asm cookie setting may not work under some circumstances
591113-2	2-Critical	K45901635	CSRF injection leading to blank page
974513-5	3-Major		Dropped requests are reported as blocked in Reporting/charts
966613-1	3-Major		Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
962497-6	3-Major		BD crash after ICAP response
962493-1	3-Major		Request is not logged
962489-1	3-Major		False positive enforcement of parameters with specific configuration
955017-6	3-Major		Excessive CPU consumption by asm_config_event_handler
940897-6	3-Major		Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
926845-2	3-Major		Inactive ASM policies are deleted upon upgrade
923221-6	3-Major		BD does not use all the CPU cores
920961-5	3-Major		Devices incorrectly report 'In Sync' after an incremental sync
907337-6	3-Major		BD crash on specific scenario
905681-2	3-Major		Incorrect enforcement of policy parameters
898825-6	3-Major		Attack signatures are enforced on excluded headers under some conditions
888289-5	3-Major		Add option to skip percent characters during normalization
868721-5	3-Major		Transactions are held for a long time on specific server related conditions
857633-5	3-Major		Attack Type (SSRF) appears incorrectly in REST result
853989-6	3-Major		DOSL7 Logs breaks CEF connector by populating strings into numeric fields
842257	3-Major		Unable to create 'Login Page' from 'Brute Force Protection'
829029-4	3-Major		Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
797813-1	3-Major		TMM memory grows on custom bot signature with empty domain
785529-4	3-Major		ASM unable to handle ICAP responses which length is greater then 10K
781605-2	3-Major		Fix RFC issue with the multipart parser
781021-4	3-Major		ASM modifies cookie header causing it to be non-compliant with RFC6265
764373-5	3-Major		'Modified domain cookie' violation with multiple enforced domain cookies with different paths
760949-1	3-Major		Empty hostname in remote log after modification
751710-1	3-Major		False positive cookie hijacking violation
746682	3-Major		ASM unable to display *any* event logs, unless they are searched for by support ID
739618-4	3-Major		When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
718232-1	3-Major		Some FTP servers may cause false positive for ftp_security
711818-1	3-Major		Connection might get reset when coming to virtual server with offload iRule
701025-1	3-Major		BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
694934-3	3-Major		bd crashes on a very specific and rare scenario
694657-2	3-Major		ASM GUI displaying inconsistent policy sync version information
689987-2	3-Major		Requests are not logged on new virtual servers after UCS load while ASM is running
689982-1	3-Major		FTP Protocol Security breaks FTP connection
678322	3-Major		Missing Response Page for 'Login' is not populated upon upgrade
674256-3	3-Major	K60745057	False positive cookie hijacking violation
670501-5	3-Major	K85074430	ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
660326-2	3-Major		Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.★
657531-2	3-Major	K02310615	High memory usage when using the ICAP server
636412-1	3-Major		ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities
633454-1	3-Major		Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
631715-1	3-Major		ASM::disable does not disable client side challenges
625108-1	3-Major		Learn flags of subviolations are incorrectly updated when all violations are updated by REST
590851-4	3-Major		"never log" IPs are still reported to AVR
589606-2	3-Major		CSRF enabled within iframe request causes to unpredictable behavior on a website.
574113-2	3-Major		Block All - Session Tracking Status is not persisted across an auto-sync device group
841985-6	4-Minor		TSUI GUI stuck for the same session during long actions
824093-2	4-Minor		Parameters payload parser issue
761091	4-Minor		Missing charset specification in response page after upgrade
759008	4-Minor		DoSL7 site_severity always equals "1" in remote log
747905	4-Minor		'Illegal Query String Length' violation displays wrong length
747760	4-Minor		Attack Signatures page: filter applied by another user may replace currently applied filter
746984-2	4-Minor		False positive evasion violation
734241	4-Minor		'Detection Evasion' violations might not report violation details in their reports or in the GUI
720588	4-Minor		Pages not loading correctly when AJAX response page is enabled
720581-3	4-Minor		Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
708576-1	4-Minor		Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour
706930	4-Minor		"Enforce Ready" button has no effect for Signatures for Inactive Policy
702350	4-Minor		FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS
700989-2	4-Minor		Better detecting browser extentsions
699898-3	4-Minor		Wrong policy version time in policy created after synchronization between active and stand by machines.
698917	4-Minor		Unexpected additional policy is created while creating a policy from a template via REST
688833-2	4-Minor		Inconsistent XFF field in ASM log depending violation category
640751-2	4-Minor		No PCRE Validation Performed For Regular Expression Parameters
637686-2	4-Minor		relax_unicode_in_xml should become the default behavior
627144	4-Minor		Two users cannot create policies at the same time.
623779-2	4-Minor		Adding a client side challenge whitelist URL wildcard list
618693-3	4-Minor		Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
618503-1	4-Minor		Irrelevant fields visible in Logging profile
547428-3	4-Minor		Unexpected storage-format string causes asm restart
513887-8	4-Minor		The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Application Visibility and Reporting Issues

ID Number	Severity	Solution Article(s)	Description
828937-5	2-Critical	K45725467	Some systems can experience periodic high IO wait due to AVR data aggregation
932137-2	3-Major		AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
869049-1	3-Major		Charts discrepancy in AVR reports
852577-4	3-Major		[AVR] Analytic goodput graph between different time period has big discrepancy
740086-2	3-Major		AVR report ignore partitions for Admin users
713283-2	3-Major		Missing transaction count in = application security report under view by IP Intelligence
707204	3-Major		If the system has more than 264 analytics profiles, the upgrade fails.
703196-3	3-Major		Reports for AVR are missing data
702933	3-Major		Loading UCS with different provisioning can cause a single TMM crash
700035-3	3-Major		/var/log/avr/monpd.disk.provision not rotate
688826-1	3-Major		Charts discrepancy in AVR reports
688813-1	3-Major	K23345645	Some ASM tables can massively grow in size.
683177-2	3-Major		Can't drilldown or filter by 'Client Countries'
665425-4	3-Major	K24182390	AVR Max metrics shows wrong values
654915-3	3-Major		Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address
652222-1	3-Major		Sending scheduled-reports will fail due to lack of backend support
636104-2	3-Major		If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
605414-1	3-Major	K23230852	Mysqld and bcm56xxd seem to run at 100% on vCMP host.
600634-2	3-Major		Schedule-reports can break the upgrade process★
588626	3-Major		Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).
493524	3-Major		ASM attack appear ongoing forever if restarting dosl7d during an attack
473755-1	3-Major		It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side
896641	4-Minor		Large /var/avr/.AVR_TMP_MERGE_STEP101 file continues to grow
754330	4-Minor		Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected
930217-6	5-Cosmetic		Zone colors in ASM swap usage graph are incorrect

Access Policy Manager Issues

ID Number	Severity	Solution Article(s)	Description
926689-1	1-Blocking	K31523705	[APM] ActiveX-based RDP AppTunnel fails on 12.1.2.5 for all users★
904441-6	2-Critical		APM vs_score for GTM-APM load balancing is not calculated correctly
889497	2-Critical		Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage
708005-3	2-Critical	K12423316	Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
701944-2	2-Critical	K42284762	machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
670367-2	2-Critical	K39391280	On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
668849-1	2-Critical		Upgrade failure for apm-log-setting objects★
660826-1	2-Critical		BIG-IQ Deployment fails with customization-templates
658103	2-Critical	K00652162	TMM core while adding logging action to APM SWG
647590-2	2-Critical		Apmd crashes with segmentation fault when trying to load access policy
633349-3	2-Critical	K86613330	localdbmgr hangs and eventually crashes
618637-1	2-Critical		Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error
614364-1	2-Critical		Linux client NA components cannot be installed neither using sudo password nor root password
582440-4	2-Critical		Linux client does not restore route to the default GW on Ubuntu 15.10
574318-3	2-Critical		Unable to resume session when switching to Protected Workspace
969317-1	3-Major		"Restrict to Single Client IP" option is ignored for vmware VDI
942953-3	3-Major		Keyboard locks during Windows Edge client logon when just a control button is pressed.
932781-3	3-Major	K14154376	VPN fails to establish on Windows systems where 'Secure Boot' is enabled.
925573-5	3-Major		SIGSEGV: receiving a sessiondb callback response after the flow is aborted
915509-5	3-Major		RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
899781-1	3-Major		Custom dialup does not establish VPN
863453	3-Major		Internet Explorer restart is required after VPN plugin is upgraded to 12.1.5
846425	3-Major		APM configsnapshot are not created when blade transitions from secondary to primary
825813-2	3-Major		Notarize APM Clients to support macOS Catalina
815753-5	3-Major		TMM leaks memory when explicit SWG is configured with Kerberos authentication
760974-2	3-Major		TMM SIGABRT while evaluating access policy
754201-3	3-Major		Windows Logon Integration throws Invalid Handle error
750823-4	3-Major		Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750649-3	3-Major	K74214174	Windows Logon Integration does not work
750631-3	3-Major		There may be a latency between session termination and deletion of its associated IP address mapping
748632	3-Major		APM Endpoint inspection fails on macOS Mojave
747337	3-Major		AAA CRLDP configurations configured using the 'No Server' option may be rendered incorrectly while using IE v11
746771-2	3-Major		APMD recreates config snapshots for all access profiles every minute
744316-3	3-Major		Config sync of APM policy fails with Cannot update_indexes validation error.
738865-5	3-Major		MCPD might enter into loop during APM config validation
724571-3	3-Major		Importing access profile takes a long time
711056-3	3-Major		License check VPE expression fails when access profile name contains dots
710044-1	3-Major		Portal Access: same-origin AJAX request may fail in some case.
707953-1	3-Major		Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
697590-5	3-Major		APM iRule ACCESS::session remove fails outside of Access events
695985-1	3-Major		Access HUD filter has URL length limit (4096 bytes)
687213-1	3-Major		When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
686206-1	3-Major		Machine Info agent does not collect complete information on disconnected network adapters
682751-5	3-Major		Kerberos keytab file content may be visible.
679735-1	3-Major		Multidomain SSO infinite redirects from session ID parameters
677646-1	3-Major	K62171231	System cannot boot up due to prior aborted installation★
676854-1	3-Major		CRL Authentication agent will hang waiting on unresponsive authentication server.
676300-5	3-Major	K04551025	EPSEC binaries may fail to upgrade in some cases★
670456-3	3-Major		Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number
667518	3-Major		SSO Configurations update is failing from UI
666233-1	3-Major		Localdbmgr process cores
658278-3	3-Major		Network Access configuration with Layered-VS does not work with Edge Client
640924-1	3-Major		On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
636866-3	3-Major		Access Policy with a secure attribute object can fail at runtime for users, if admins perform AP export/import at the same time
632958-2	3-Major		APM MIB gauges not reset on standby device
625165-3	3-Major		Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.
621158-1	3-Major		F5vpn does not close upon closing session
619667-1	3-Major	K34751151	Allow Local DNS Servers is not honored on Mac OS X
617629-1	3-Major		Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab
614072-1	3-Major		Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.
611485-1	3-Major		APM AAA RADIUS server address cannot be a multicast IPv6 address.★
610077-2	3-Major		Access Policy Manager CRL cache is locked out for CRLDP authentication
609043-1	3-Major		When BIG-IP processes SAML Single logout request/response, tmm cores intermittently.
605018-2	3-Major	K47516511	Citrix StoreFront integration mode with pass through authentication fails for browser access
600985-4	3-Major		Network access tunnel data stalls
600872-1	3-Major		Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.
592591-2	3-Major		Deleting/Modifying access profile prompts for apply access policy for other untouched access profiles
591060-1	3-Major		APMD high CPU utilization
584716-1	3-Major		SAML XML Canonicalization on BIG-IP as IdP may return invalid value if AuthnRequest is formed in a special way
582606-1	3-Major		IPv6 downloads stall when NA IPv4&IPv6 is used.
578989-5	3-Major		Maximum request body size is limited to 25 MB
572519-1	3-Major		More than one header name/value pair not accepted by ACCESS::respond
571503-1	3-Major		Windows Edge client cannot detect local LAN in some cases
560601-1	3-Major		HTML5 File API and MediaSource URLs are blocked in Portal Access
559402-4	3-Major		Client initiated form based SSO fails when username and password not replaced correctly while posting the form
559082-2	3-Major		Tunnel details are not shown for MAC Edge client
554504	3-Major		Client OS version not logged in Browser/OS Reports for iOS client devices
552444-1	3-Major		Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
547692-3	3-Major		Firewall-blocked KPASSWD service does not cause domain join operation to fail
541622-2	3-Major		APD/APMD Crashes While Verifying CAPTCHA
535119-1	3-Major		APM log tables initial rotation in MySQL may be wrong
534187-2	3-Major		Passphrase protected signing keys are not supported by SAML IDP/SP
530092-2	3-Major		AD/LDAP groupmapping is overencoding group names with backslashes
527119-4	3-Major		An iframe document body might be null after iframe creation in rewritten document.
526519-1	3-Major		APM sessiondump command can produce binary data
525378	3-Major		iRule commands do not validate session scope
520500-4	3-Major		Connection inside Windows VPN tunnel may break if renegotiation is enabled in SSL profile
509596-1	3-Major	K44043455	iFrames with 'javascript:' scheme in SRC may not work
494135-1	3-Major	K43101043	HTML Event handlers may not work if 'eval' is redefined
482625-1	3-Major		Pages with utf-8 Content-Type and utf-16 META tag do not render
470346-5	3-Major		Some IPv6 client connections get RST when connecting to APM virtual
450136-3	3-Major		Occasionally customers see chunk boundaries as part of HTTP response
435419-4	3-Major	K10402225	Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
417819-2	3-Major	K69046914	APM - when Edge Clients, some JS contents are different causing warning
414713-1	3-Major	K51880413	Hosted Content connected object import issues
369407-3	3-Major		Access policy objects are created inconsistently depending on whether created using wizard or manually.
362511	3-Major	K52162658	HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs
944093-5	4-Minor		Maximum remaining session's time on user's webtop can flip/flop
766761-5	4-Minor		Ant-server does not log requests that are excluded from scanning
747234-3	4-Minor		Macro policy does not find corresponding access-profile directly
734595-1	4-Minor		sp-connector is not being deleted together with profile
712542-1	4-Minor		Network Access client caches the response for /pre/config.php
712321	4-Minor		Missing reference to customization-group from connectivity profile if created via network access wizard
708176	4-Minor		SNMP OIDs (NA throughput) incorrect when compression is disable
686722-2	4-Minor		When BIG-IP systems are deployed as SAML IdP, the Single Logout Request processing fails the optional field 'Name ID' is missing in the request.
686718	4-Minor		VPN tunnel adapter stays up in some cases
679751-4	4-Minor		Authorization header can cause a connection reset
666497-3	4-Minor		Some of the Korean translations in Windows Edge Client were incorrect
627384-1	4-Minor		eamtest tool fails with Segmentation fault after initialization.
619099	4-Minor		'General Database Error' while changing the Admin UI authentication type
612758-1	4-Minor	K46453748	Exception within function F5_Inflate_innerHTML.
611327-1	4-Minor	K35559723	Using an established app tunnel may display a Java exception error message.
610436-3	4-Minor	K13222132	DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.
608453-1	4-Minor		Shrink/Expand imgs of Webtop Section is customizable
607684	4-Minor		tmsh provides option to delete all URLs from a custom category, which is not possible
604050	4-Minor		Failed to get master key (ERR_NOT_FOUND) in apm log on first boot
589367-2	4-Minor		Some Edge Client's German translations are incorrect
579652-1	4-Minor		Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
567503-1	4-Minor	K03293396	ACCESS:session remove can result in confusing ERR_NOT_FOUND logs
563651-2	4-Minor		Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★
523158-1	4-Minor		In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
510034-2	4-Minor		Access Policy memory is not cleared between access policy executions
496621-1	4-Minor		Portal Access incorectly rewrites expressions with JavaScript typeof operator
478450-5	4-Minor		Improve log details when "Detection invalid host header ()" is logged

WebAccelerator Issues

ID Number	Severity	Solution Article(s)	Description
598908-2	2-Critical	K07353428	Passing an empty URI to AAM might cause tmm to core.
900825-4	3-Major		WAM image optimization can leak entity reference when demoting to unoptimized image
890573-4	3-Major		BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart
890401-4	3-Major		Restore correct handling of small object when conditions to change cache type is satisfied
792045-4	3-Major		Prevent WAM cache type change for small objects
701977-3	3-Major		Non-URL encoded links to CSS files are not stripped from the response during concatenation
596569-3	3-Major		Memory leak on Central device in Symmetric deployment
751383-3	4-Minor		Invalidation trigger parameter values are limited to 256 bytes
748031-4	4-Minor		Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
686318	4-Minor		Inter TMM Caching Delay
674992-3	4-Minor		AAM traffic report's time period doesn't always apply
489960-2	4-Minor		Memory type stats is incorrect
467589-4	4-Minor		Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.

Service Provider Issues

ID Number	Severity	Solution Article(s)	Description
814097-5	2-Critical		Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
745397-4	2-Critical		Virtual server configured with FIX profile can leak memory.
689343-3	2-Critical		Diameter persistence entries with bi-directional flag created with 10 sec timeout
898997-6	3-Major		GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
891385-6	3-Major		Add support for URI protocol type "urn" in MRF SIP load balancing
882273-2	3-Major		MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow
815529-5	3-Major		MRF outbound messages are dropped in per-peer mode
811745-5	3-Major		Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
804313-5	3-Major		MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
790949-5	3-Major		MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
759077-6	3-Major		MRF SIP filter queue sizes not configurable
755630-3	3-Major		MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
755311-4	3-Major		No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
754617-3	3-Major		iRule 'DIAMETER::avp read' command does not work with 'source' option
753501-4	3-Major		iRule commands (such as relate_server) do not work with MRP SIP
751179-4	3-Major		MRF: Race condition may create to many outgoing connections to a peer
749603-4	3-Major		MRF SIP ALG: Potential to end wrong call when BYE received
749528-4	3-Major		IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
748253-4	3-Major		Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
747995-1	3-Major		MBLB SIP dropping packets with unknown methods
746731-4	3-Major		BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
744275-4	3-Major		BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-4	3-Major		SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
738070-3	3-Major		Persist value for the RADIUS Framed-IP-Address attribute is not correct
727288-4	3-Major		Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
698911	3-Major		Periodically SIP requests are not sent to the server
696348-1	3-Major		"GTP::ie insert" and "GTP::ie append" do not work without "-message" option
691048-3	3-Major	K34553736	Support DIAMETER Experimental-Result AVP response
676709-2	3-Major	K37604585	Diameter virtual server has different behavior of connection-prime when persistence is on/off
669978-4	3-Major	K15204204	SIP monitor - Via header's branch parameter collision.
647158-3	3-Major	K76581555	Internal virtual server inherits CMP hash mode from parent virtual server
612143-2	3-Major		Potential tmm core when two connections add the same persistence record simultaneously.
583101-2	3-Major		ADAPT::result bypass after continue causes bad state transition
913125-1	4-Minor		Ratio session based Load balancing does not work
600431-6	4-Minor		DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP

Advanced Firewall Manager Issues

ID Number	Severity	Solution Article(s)	Description
938165-5	2-Critical		TMM Core after attempted update of IP geolocation database file
717909-2	2-Critical		tmm can abort on sPVA flush if the HSB flush does not succeed
713629-1	2-Critical		Applying firewall policy to self-ip can cause tmm crash
697265	2-Critical		MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.
685820-1	2-Critical		Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
632839	2-Critical		UDP Flood does not get detected if the vector limits are infinite
622204-1	2-Critical	K14141640	If a virtual server's name has a "." in it then a DoS profile cannot be attached to it
620844-1	2-Critical		DoS: tmm core after delete packet type from Device Sweep vector
867321-1	3-Major		Error: Invalid self IP, the IP address already exists.
806905	3-Major		TMM may crash when using AFM with sPVA and DoS vectors enabled
703165	3-Major		shared memory leakage
693515	3-Major		A '+' character in a log profile name causes import to fail
686043-3	3-Major		dos.maxicmpframesize and dos.maxicmp6framesize sys db variables does not work for fragmented ICMP packets
679722-2	3-Major		Configuration sync failure involving self IP references
677302	3-Major		Unable to save descriptions for firewall objects
663946-2	3-Major		The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
651169-3	3-Major		The Dashboard does not show an alert when a power supply is unplugged
632723-1	3-Major	K05079458	tmm core with remote logging pool in non-zero route domain
627447	3-Major		Sync fails after firewall policy deletion
613844	3-Major		iApp may fail to install if AFM is provisioned
592819-2	3-Major		Enabling of whitelists on a protected object requires disabling DoS protection support in hardware
592211-1	3-Major		Stress CPU on BIG-IP will also take into the packets dropped by hardware.
591505-1	3-Major		Policy may become unsyncable after changing contexts
581668	3-Major		DNS/SIP whitelisted packets not reported
935865-1	4-Minor		Rules that share the same name return invalid JSON via REST API
714704	4-Minor		ICMP unreachable messages sent only from active to standby
701555-3	4-Minor		DNS Security Logs report Drop action for unhandled rejected DNS queries
632246-1	4-Minor		Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.
568458	5-Cosmetic		DoS vectors must be enabled in both DoS Profile and Device Configuration

Policy Enforcement Manager Issues

ID Number	Severity	Solution Article(s)	Description
829657	2-Critical		Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses
760518-2	2-Critical		PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
750491-1	2-Critical		PEM Once-Every content insertion action may insert more than once during an interval
750490-1	2-Critical		PEM content insertion action may insert more than once with Once-Every method
726665-1	2-Critical		tmm core dump due to SEGFAULT
886653-1	3-Major		Flow lookup on subsequent packets fail during CMP state change.
875401-5	3-Major		PEM subcriber lookup can fail for internet side new connections
842989-2	3-Major		PEM: tmm could core when running iRules on overloaded systems
814941-2	3-Major		PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
797949-1	3-Major		PEM::subscriber delete can leak a connection
781485-1	3-Major		PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition
756311-2	3-Major		High CPU during erroneous deletion
753163-1	3-Major		PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
747065-1	3-Major		PEM iRule burst of session ADDs leads to missing sessions
726011-1	3-Major		PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
670994-2	3-Major		There is no validation for IP address on the ip-address-list for static subscriber
640548-1	3-Major		In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.
624187-1	3-Major		Relocate TUC AVP to group AVP USU
564431-3	4-Minor		Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail

Carrier-Grade NAT Issues

ID Number	Severity	Solution Article(s)	Description
723658	2-Critical		TMM core when processing an unexpected remote session DB response.
722919	3-Major		Memory leak when using SP-DAG and a small LSN pool.
751232	4-Minor		LSN pool real-time stats are not persisted over reboot
721579-1	4-Minor		LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing
667295-1	4-Minor	K51601122	'RTSP::header exists' iRule command always returns True

Fraud Protection Services Issues

ID Number	Severity	Solution Article(s)	Description
695401	3-Major		QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile
680298	3-Major		FPS may introduce latency even for unprotected pages
674297-1	3-Major		Custom headers are removed on cross-origin requests
660759-4	3-Major		Cookie hash persistence sends alerts to application server.
652530	4-Minor		Parameter names are case sensitive in Internet Explorer 9 only

Anomaly Detection Services Issues

ID Number	Severity	Solution Article(s)	Description
818465-1	3-Major		Unnecessary memory allocation in AVR module
767045-6	3-Major		TMM cores while applying policy
743464	3-Major		DoSL7 attack is not detected when using multiple profiles with Behavioral Detection
617324-2	3-Major		Service health calculation creates unjustified CPU utilization
653573	4-Minor		ADMd not cleaning up child rsync processes

Traffic Classification Engine Issues

ID Number	Severity	Solution Article(s)	Description
927185	2-Critical		TMM ENGHF-12.1.4.1.0.25.6 SIGFPE Assertion "maximum pages" failed
913453	2-Critical		URL Categorization: wr_urldbd cores while processing urlcat-query
887609-1	2-Critical		TMM crash when updating urldb blacklist
974205-6	3-Major		Unconstrained wr_urldbd size causing box to OOM
948573	3-Major		wr_urldbd list of valid TLDs needs to be updated
797277-1	3-Major		URL categorization fails when multiple segments present in URL path and belong to different categories.
785605-1	3-Major		Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group
745733-4	3-Major		TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup
649441-2	3-Major		Classification memory allocation

Device Management Issues

ID Number	Severity	Solution Article(s)	Description
710809-6	2-Critical		Restjavad hangs and causes GUI page timeouts
942521-2	3-Major		Certificate Managers are unable to move certificates to BIG-IP via REST
839597-1	3-Major		Restjavad fails to start if provision.extramb has a large value
767613-4	3-Major		Restjavad can keep partially downloaded files open indefinitely
667661-2	3-Major	K69015104	Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'
688177-2	4-Minor		Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade
619397-5	4-Minor	K04055706	LCD shows error screen on boot or after license expires

iApp Technology Issues

ID Number	Severity	Solution Article(s)	Description
758520	2-Critical		Deploying the f5_microsoft_exchange_2010_2013 template generates erroneous APM policy customization-group.
974193-5	3-Major		Error when trying to create a new f5.vmware_view.v1.5.9 iApp
842193-5	3-Major		Scriptd coring while running f5.automated_backup script
818069-1	3-Major		GUI hangs when iApp produces error message
768085-1	4-Minor		Error in python script /usr/libexec/iAppsLX_save_pre line 79

 

Known Issue details for BIG-IP v12.1.x

990929-6 : Status of GTM monitor instance is constantly flapping

Component: Global Traffic Manager (DNS)

Symptoms:
Status of GTM monitor instance is constantly flapping.

Conditions:
GTM devices in a GTM sync group configured with IP addresses that can not communicate with each other.

Impact:
Resources are marked offline constantly.

Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.

---

990853-6 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.

Component: TMOS

Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:

-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.

Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.

Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.

Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.

---

987885-1 : Half-open unclean SSL termination might not close the connection properly

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.

---

987709-2 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load with errors similar to this:

01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed

Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.

Impact:
Gtm config fails to load.

Workaround:
Create the wide IP first and then add the static target CNAME pool member.

---

987081-6 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared

Component: TMOS

Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.

When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).

However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.

Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.

Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.

Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.

For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"

Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.

---

985749-6 : TCP exponential backoff algorithm does not comply with RFC 6298

Component: Local Traffic Manager

Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.

Conditions:
Using TCP.

Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.

Workaround:
None

---

984897-6 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.

Component: Local Traffic Manager

Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.

Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.

Conditions:
A virtual server configured to perform SSL connection mirroring.

Impact:
Should the units fail over, some connections may not survive as expected.

Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.

Workaround:
None.

---

982993-1 : Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail

Component: Local Traffic Manager

Symptoms:
Gateway ICMP monitors configured with IPv6 destinations and IPv6 transparent nexthop do not work if the IPv6 destination address is not directly connected, but reachable via an intermediate hop.

Conditions:
An IPv6 monitor's destination address is not directly connected, but reachable via intermediate hop.

Impact:
Monitor status remains DOWN.

Workaround:
Consider monitoring the actual target.

---

980325-2 : Chmand core due to memory leak from dossier requests

Component: TMOS

Symptoms:
Chmand leaks memory and crashes.

Conditions:
Repeated/excessive dossier requests to chmand from the get_dossier program.

Impact:
Chmand crashes; potential traffic impact.

Workaround:
None.

---

979213-5 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.

Component: Local Traffic Manager

Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.

The spikes may report unrealistically high levels of traffic.

Note: Detailed throughput graphs are not affected by this issue.

Conditions:
This issue occurs when the following conditions are met:

-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.

Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.

Workaround:
None.

---

977609-6 : Request logging profile not logging server-side variables on a virtual-server with rate-limit or connection-limit applied

Component: TMOS

Symptoms:
Pool-name, server IP address, and port are missing in the syslog message.

Conditions:
Request Logging template using '$VIRTUAL_POOL_NAME', '$SERVER_IP', '$SERVER_PORT'.

ltm profile request-log with:
request-log-template "Virtual: $VIRTUAL_NAME Pool: $VIRTUAL_POOL_NAME Server IP: $SERVER_IP Server Port: $SERVER_PORT"

}

Impact:
The request logs are intermittently missing information for VIRTUAL_POOL_NAME, SERVER_IP, SERVER_PORT.

Workaround:
None.

---

977113-2 : Unable to configure dependency for GTM virtual server if pool member dependency exists

Component: TMOS

Symptoms:
The following error is displayed when configuring GTM virtual server dependency:
01020037:3: The requested GTM depends (/Common/Generic-Host GH-VS1 /Common/DC1-DNS1 /Common/VS1) already exists.

Conditions:
The pool member dependency exists for the same virtual server.

Impact:
Not able to configure GTM virtual server dependency at GTM server level.

Workaround:
First creating GTM virtual server dependency at GTM server level, and then create pool member dependency.

---

976013-1 : If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards

Component: TMOS

Symptoms:
A disabled interface is not getting enabled.

Conditions:
-- An interface is disabled
-- bcm56xxd is restarted

Impact:
The interface remains on disable state and no traffic passes via that interface.

Workaround:
Restart bcm56xxd again.

---

974513-5 : Dropped requests are reported as blocked in Reporting/charts

Component: Application Security Manager

Symptoms:
Dropped requests are reported as blocked in Reporting/charts.

Conditions:
Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request.

Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.

Workaround:
None.

---

974205-6 : Unconstrained wr_urldbd size causing box to OOM

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

---

974193-5 : Error when trying to create a new f5.vmware_view.v1.5.9 iApp

Component: iApp Technology

Symptoms:
Error when trying to create a f5.vmware_view.v1.5.9 iApp

Configuration Warning: New virtual address (/Common/10.10.10.10) used by server with access profile attached has traffic group (/Common/traffic-group-1) that is different from existing one (/Common/traffic-group-exchange). Change it to the existing one

Conditions:
-- Create a new f5.vmware_view.v1.5.9 iApp
-- iApp uses a traffic group other than the default traffic-group-1

Impact:
Unable to create new f5.vmware_view.v1.5.9 iApp

Workaround:
None.

---

973341-6 : Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt

Component: Global Traffic Manager (DNS)

Symptoms:
Bigip_add, big3d_install, gtm_add will not work.

Conditions:
Device cert is customized.

Impact:
Bigip_add, big3d_install, gtm_add not work.

Workaround:
Copy the content of the new cert to default file "/etc/httpd/conf/ssl.crt/server.crt".

---

973261-6 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use HTTPs monitor.

---

972785-2 : Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP

Component: TMOS

Symptoms:
While creating a virtual server using iControl SOAP you get an error:

error_string : 0107004d:3: Virtual address (/VPN_WEB_01/0.0.0.0%201) encodes IP address (0.0.0.0%201) which differs from supplied IP address field (1.1.1.5%201).'

Conditions:
-- Using iControl SOAP to create a virtual server
-- The virtual server is assigned to a partition that uses a non-default route domain.

Impact:
Unable to create the virtual server with the iControl SOAP command.

Workaround:
First create the virtual server with a default Virtual Address ("0.0.0.0") and then update the virtual address the desired address.

Example:
ltm.LocalLB.VirtualServer.create([{'name': 'vs_test_9095', 'address': '0.0.0.0', 'port': 9090, 'protocol': 'PROTOCOL_TCP'}], ['255.255.255.255'], [{'type': 'RESOURCE_TYPE_POOL'}], [[{'profile_context': 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name': 'fastL4'}]])
ltm.LocalLB.VirtualServer.set_destination_v2(['vs_test_9095'],[{'address': '10.10.10.50', 'port': 9090}])

---

971217-5 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.

Component: Local Traffic Manager

Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.

Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.

-- Client sends HTTP POST request with Content-Length:0

Impact:
POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".

Workaround:
None.

---

970829-2 : iSeries LCD incorrectly displays secure mode after changing login password

Component: TMOS

Symptoms:
In certain cases on iSeries platforms, changing the login password for admin can disrupt communication with the LCD, causing it to continuously display secure mode.

Conditions:
This can occur after changing the admin password to anything other than the default on iSeries platforms.

Impact:
LCD continuously displays secure mode.
/var/log/touchscreen_lcd will fill up with error messages like the following:
err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401

Workaround:
None.

---

969553-5 : DNS cache returns SERVFAIL

Component: Global Traffic Manager (DNS)

Symptoms:
- A DNS cache returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.

- When this happens, the BIG-IP system can be seen reject the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).

- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:

debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point

Conditions:
This issue occurs when the following conditions are met:

- A DNS cache is in use on the BIG-IP system.

- The DNS cache is configured with a forward-zone that uses multiple servers to perform resolutions.

- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.

- 'Randomize Query Character Case' is enabled in the DNS cache.

If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.

Impact:
Clients of the BIG-IP DNS cache are not returned an answer. As a result, application failures may occur.

Workaround:
You can work around this issue by disabling 'Randomize Query Character Case' in the DNS cache.

---

969317-1 : "Restrict to Single Client IP" option is ignored for vmware VDI

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

---

968949-2 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile

Component: Local Traffic Manager

Symptoms:
When a client-side connection goes into FIN_WAIT_2, BIG-IP doesn't send keepalives even if they are being sent on the server-side connection.

Conditions:
- Virtual server configured with a TCP profile and network listener.

Impact:
Client-side connections timeout prematurely.
As a result, the server-side connections end up being open indefinitely.

Workaround:
No workaround currently known.

---

968509-2 : Response headers are not parsed correctly causing subsequent requests stall at BIG-IP

Component: Local Traffic Manager

Symptoms:
Web browsers are able to connect to a virtual server and send a POST request, but subsequents fail.

Conditions:
-- Standard virtual server with the default http profile
-- Client sends a POST request with Expect: 100-continue header, but does not send a POST body
-- Back-end web server returns 401 Not Authorized and a long response body

Impact:
Subsequent client requests stall at the BIG-IP.

---

967745-5 : Last resort pool error for the modify command for Wide IP

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

---

967737-6 : DNS Express: SOA stops showing up in statistics from second zone transfer

Component: Global Traffic Manager (DNS)

Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.

Conditions:
The issue appears after the 2nd zone transfer.

Impact:
This is a cosmetic issue without any actual impact.

Workaround:
None

---

967353-6 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.

Component: Local Traffic Manager

Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.

Conditions:
-- HTTP Profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.

Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.

Workaround:
None

---

967249-5 : TMM may leak memory early during its startup process, and may continue to do so indefinitely.

Component: Local Traffic Manager

Symptoms:
TMM leaks memory in the packet and xdata components. The aggressiveness of the leak depends on how much traffic TMM receives from the Linux host subsystem.

Conditions:
- A BIG-IP system running more than 1 TMM instance.

- Early during its startup process, TMM begins receiving traffic from the Linux host subsystem destined to the network (e.g., remote syslog traffic routed to its destination through TMM).

- Depending on the system's configuration, TMM attempts to set up flow forwarding for the aforementioned traffic. This may happen, for instance, if the egress VLAN is configured for 'cmp-hash src-ip'.

- TMM hasn't fully completed its startup process yet.

Impact:
TMM leaks memory.

If the flow set up during early TMM startup continues to receive a constant stream of new packets, then the flow may live on indefinitely, and TMM may continue to leak memory indefinitely.

In the example of remote syslog traffic, this could happen, for instance, if the box keeps logging messages at a sustained rate.

Eventually, TMM may be unable to allocate any more memory and crash. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by ensuring that TMM does not receive any traffic from the Linux host subsystem for forwarding during early startup.

In the example of remote syslog destinations, you could specify the management IP address of the system as the source IP address for the traffic, thus forcing the traffic out of the management port instead of TMM. This implies the management port has a suitable working route to the destination.

---

966949-5 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")

---

966613-1 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’

Component: Application Security Manager

Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".

Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.

When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.

Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"

Workaround:
Delete the node "<soap:address/>" from the wsdl file

---

966461-3 : Tmm leaks memory after each DNSSEC query when netHSM is not connected

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm memory increases per DNSSEC query.

Conditions:
NetHSM is configured but is disconnected

Impact:
Tmm high memory consumption.

Workaround:
Connect the netHSM.

---

965941-5 : Creating a net packet filter in the GUI does not work for ICMP for IPv6

Component: TMOS

Symptoms:
When using the GUI to create a 'net packet-filter' rule to block ICMP packets, the filter does not block IPv6 packets.

Conditions:
-- Using the GUI to create a packet filter rule to block incoming ICMP packets.
-- Attempting to block an IPv6 address.

Impact:
Packets get through the filter unexpectedly.

Workaround:
Modify the packet filter manually using tcpdump syntax. For example, the following syntax is used to block ICMP packets for both IPv4 and IPv6:

icmp or icmp6

---

965457-1 : OSPF duplicate router detection might report false positives

Component: TMOS

Symptoms:
OSPF duplicate router detection might report false positives

Conditions:
Router sends LSA that is looped in network and sent back to its origin.

Impact:
Cosmetic

---

964421-5 : Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'

Component: TMOS

Symptoms:
The error message '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' is unclear.

It fails to indicate which rewrite profile has failed validation, and it is not clear that the error has something to do with the validation of rewrite profiles.

Conditions:
A BIG-IP Administrator is attempting to configure an invalid rewrite profile (one where the 'signing certificate' and 'signing key' options are not simultaneously set).

Impact:
A confusing error message is logged, which makes it difficult to know what to do next.

---

964125-5 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more then one avenue where node statistics would be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.

---

963705-5 : Proxy ssl server response not forwarded

Component: Local Traffic Manager

Symptoms:
A server response may not be forwarded after TLS renegotiation.

Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs

Impact:
Server response may not be not forwarded

---

962913-6 : The number of native open connections in the SSL profile is higher than expected

Component: Local Traffic Manager

Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.

Conditions:
SSL renegotiation is enabled. Other conditions are unknown.

Impact:
The SSL stats are incorrectly reading higher than expected.

Workaround:
Disable SSL renegotiation.

---

962497-6 : BD crash after ICAP response

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A

---

962493-1 : Request is not logged

Component: Application Security Manager

Symptoms:
A request is not logged in the local and/or remote logs.

Conditions:
A request has evasions detected on very large parameters.

Impact:
A missing request in the log.

Workaround:
N/A

---

962489-1 : False positive enforcement of parameters with specific configuration

Component: Application Security Manager

Symptoms:
False positive parameters are being detected in the payload and enforced wrongly.

Conditions:
The URL is not defined (also not as wildcard - not defined at all) and the request has a payload.

Impact:
False positive enforcement - may lead to wrong violations and wrong blocking of requests.

Workaround:
None.

---

962433-1 : HTTP::retry for a HEAD request fails to create new connection

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.

---

962181-5 : iRule POLICY command fails in server-side events

Component: Local Traffic Manager

Symptoms:
BIG-IP provides an iRule command POLICY to retrieve information on or manipulate an LTM policy attached to a virtual. This command fails when it is used in server-side event like HTTP_RESPONSE.

Conditions:
-- Configure a virtual server with one or more LTM policies.
-- The virtual server has an iRule with a POLICY command executed on a server side (e.g. HTTP_RESPONSE).

Impact:
A command returns an incorrect value and may cause unexpected outcomes in an iRule execution.

---

962177-5 : Results of POLICY::names and POLICY::rules commands may be incorrect

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

---

960437-5 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure cascades to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6.
4, Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

---

959613-6 : SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason

Component: Global Traffic Manager (DNS)

Symptoms:
When you double-monitor a Generic Host Virtual Server (pool level + virtual server level) using the same SIP/HTTPS monitor, the 'Reason' is omitted from the output. 'tmsh show gtm server <server> virtual-servers' shows a "blank" reason for monitoring failure/success.

Conditions:
Double-monitor a Generic Host virtual server (pool level + virtual server level) using the same SIP/HTTPS monitor.

Impact:
Impedes your ability to identify the failure/success reason quickly.

Workaround:
Do not use the same monitor on both the virtual server and the pool level.

---

958785-2 : FTP data transfer does not complete after QUIT signal

Component: Local Traffic Manager

Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.

Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.

Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.

Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.

---

958325-5 : Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB

Component: Global Traffic Manager (DNS)

Symptoms:
Dangling monitor rule after pool deletion.

# tmsh delete gtm monitor tcp tcp_test
01070083:3: Monitor /Common/tcp_test is in use

Conditions:
Using transaction to delete pool and create pool of same name with different monitor.

Impact:
Unable to delete the remaining monitor.

Workaround:
Run:
1. # bigstart restart mcpd
Or
2. Do not combine deletion and re-create pool in the same transaction.

---

956589-5 : The tmrouted daemon restarts and produces a core file

Component: TMOS

Symptoms:
The tmrouted daemon restarts and produces a core file.

Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover

Impact:
Traffic disrupted while tmrouted restarts.

Workaround:
None

---

955617-4 : Cannot modify the destination address of a monitor

Component: Local Traffic Manager

Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.

---

955057-5 : UCS archives containing a large number of DNS zone files may fail to restore.★

Component: TMOS

Symptoms:
This issue can manifest in the following ways:

- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).

- Failure to restore a UCS archive to a different boot location by means of using the cpcfg utility (or the the "Install Configuration" option when changing boot locations in the Web UI).

- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).

In all cases, error messages similar to the following example are returned to the user:

/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.

Impact:
The UCS archive fails to restore. Additionally:

- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.

- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).

Workaround:
Depending on the failure mode, perform one of the following workarounds:


- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:

find /var/named/config/namedb -mindepth 1 -delete

- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).

Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.

The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).

In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:

Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.

- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:

find /var/named/config/namedb -mindepth 1 -delete

---

955017-6 : Excessive CPU consumption by asm_config_event_handler

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.

---

953845-6 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

---

951705-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: https://support.f5.com/csp/article/K03009991

---

950005-5 : TCP connection is not closed when necessary after HTTP::respond iRule

Component: Local Traffic Manager

Symptoms:
HTTP does not close the TCP connection on the client if response is sent via HTTP::respond.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE_RELEASE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
None

---

949137-6 : Clusterd crash and vCMP guest failover

Component: Local Traffic Manager

Symptoms:
Clusterd crashes and a vCMP guest fails over.

Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.

Impact:
Memory corruption and clusterd can crash, causing failover.

Workaround:
None.

---

948573 : wr_urldbd list of valid TLDs needs to be updated

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.

---

947865-5 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read

Component: TMOS

Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:

err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer

Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.

Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.

---

947529-4 : Security tab in virtual server menu renders slowly

Component: TMOS

Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.

Conditions:
Large number of virtual servers using the same ASM policy

Impact:
Loading of Security tab of a virtual server takes a long time

Workaround:
NA

---

947217-1 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★

Component: Global Traffic Manager (DNS)

Symptoms:
GTM is unable to load the configuration.

Conditions:
-- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682
-- A GTM server has a name with no colon
-- That GTM server has a virtual server with colon in the name
-- That virtual server is added to a pool

Impact:
GTM config file cannot be loaded successfully after upgrade.

Workaround:
Edit bigip_gtm.conf manually to delete "\\" or replace colon ":" with other non-reserved char. such as "-".

---

947125-5 : Unable to delete monitors after certain operations

Component: Local Traffic Manager

Symptoms:
Unable to delete monitor with an error similar to:

01070083:3: Monitor /Common/my-mon is in use.

Conditions:
-- HTTP monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".

Impact:
Unable to delete object(s) no longer in use.

Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config

---

945601-1 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.

Component: Local Traffic Manager

Symptoms:
An incorrect LTM policy rule is picked up e.g. a rule which should match first is omited.

Conditions:
Policy contains multiple rules which employ TCP address matching condition.

Impact:
Inocorrect LTM policy is applied.

---

945265-1 : BGP may advertise default route with incorrect parameters

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>

---

944093-5 : Maximum remaining session's time on user's webtop can flip/flop

Component: Access Policy Manager

Symptoms:
When an Access Policy is configured with Maximum Session Timeout, the rendered value of maximum remaining session's time can flip/flop in seconds on a user's webtop

Conditions:
Access Policy is configured with Maximum Session Timeout >= 60000 secs

Impact:
End users will see the remaining time being continually reset.

---

943669-6 : B4450 blade reboot

Component: TMOS

Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.

Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.

Impact:
Traffic disrupted while the blade reboots.

Workaround:
None.

---

942953-3 : Keyboard locks during Windows Edge client logon when just a control button is pressed.

Component: Access Policy Manager

Symptoms:
Using APM Edge client version 7210.2020.827.422-5307.0, users on Microsoft Windows cannot type in the login window.

Conditions:
-- Edge Client for Windows.
-- The CTRL key is pressed in the login dialog.

Impact:
The Edge Client user is unable to type anything until they press the CTRL button one more time.

Workaround:
The APM end user must press the CTRL button a second time.

---

942549-5 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Component: TMOS

Symptoms:
During boot of a i15xxx system you see the message:

Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Conditions:
There are no specific conditions that cause the failure.
This can occur on any i15xxx device, although some devices exhibit the failure consistently around 50% of boots and others never exhibit the issue.

Impact:
When this failure occurs in a system, the system is inoperable.

Workaround:
There is no workaround for systems that do not have software capable of resetting the hardware device during the HSB load process.

---

942521-2 : Certificate Managers are unable to move certificates to BIG-IP via REST

Component: Device Management

Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account

Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager

Impact:
Unable to upload certificates as Certificate Manager

Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys

---

942217-5 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'

Component: Local Traffic Manager

Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.

Conditions:
Required Configuration:

-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.

-- The pool member has rate-limit enabled.

Required Conditions:

-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.

-- At that time, one of the above events occur, the pool member's rate-limit is active.

Impact:
Virtual server keeps rejecting connections.

Workaround:
Delete one of the conditions.

Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.

---

940897-6 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

---

940249-5 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

---

939757-1 : Deleting a virtual server might not trigger route-injection update.

Component: TMOS

Symptoms:
When using multiple virtual-servers sharing the same destination address (virtual-address), deleting a single virtual-server that contributes to a virtual-address status might not trigger a route-injection update.

Conditions:
-- Multiple virtual-servers sharing the same destination address.
-- Virtual-server is deleted.

Impact:
Route remains in a routing table and/or Route is not removed from a routing table.

Workaround:
Disable and re-enable the virtual-address after deleting a virtual-server.

---

939517-1 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot

Component: TMOS

Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm'
shows that the value is -1.

The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup.

This overwrites a custom value.

Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.

Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When the db variable reverts to the default value of unset -1, tmm uses more CPU cycles when idle.

Workaround:
None

---

938545-6 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash

Component: Local Traffic Manager

Symptoms:
Bd crashes.

Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None.

---

938165-5 : TMM Core after attempted update of IP geolocation database file

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.

---

937637-6 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: https://support.f5.com/csp/article/K71891773

---

936777-6 : Old local config is synced to other devices in the sync group.

Component: Global Traffic Manager (DNS)

Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.

Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.

Impact:
Config on other DNS/GTM devices in the sync group are lost.

Workaround:
You can use either of the following workarounds:

-- Make a small DNS/GTM configuration change before adding new devices to the sync group.

-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.

---

936593-1 : Invalid server-side SSL profile options can be configured in tmsh

Component: Local Traffic Manager

Symptoms:
TMSH allows you to configure the options 'msie-sslv2-rsa-padding' and 'ssleay-080-client-dh-bug tls-d5-bug' and 'tls-d5-bug' on server-side SSL profiles, but these are client-side options only.

Conditions:
-- Using a server-side SSL profile.
-- Configuring one or more of the 'msie-sslv2-rsa-padding', 'ssleay-080-client-dh-bug tls-d5-bug', or 'tls-d5-bug' options on the server-side SSL profile.

Impact:
The options configuration does not take effect.

Workaround:
Do not use these options.

---

936441-5 : Nitrox5 SDK driver logging messages

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

---

935865-1 : Rules that share the same name return invalid JSON via REST API

Component: Advanced Firewall Manager

Symptoms:
When retrieving rule stats on a firewall policy, if two rules that share the same name but one of which is directly attached to the policy while the other is attached via a rule list, then a invalid JSON is returned. The JSON has identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (Or data for one of the rules is lost)

Conditions:
A firewall policy that has one of rule directly attached to the policy while the other is attached via a rule list, and both rules share the same name.

Impact:
Invalid JSON structure returned for stat REST API call

Workaround:
Ensure that no rule shares its name with another rule.

---

935593-1 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.

---

934017-2 : Problems may occur after creating a node named '_auto_<IP address>'

Component: Local Traffic Manager

Symptoms:
If a node is created and named '_auto_<IP address>', various problems may occur, including but not limited to:
-- If the node is configured as an FQDN template node, no ephemeral nodes may be created based on the FQDN name.
-- If the node is configured as an FQDN template node, when the node is deleted, an ephemeral node may be created based on the FQDN name of the deleted node.
-- If the node is configured as an FQDN template node with autopopulate enabled, when the node is deleted, ephemeral nodes may be created based on the FQDN name of the deleted node, but with no FQDN template node.
-- If the node is configured as an FQDN template node and then deleted, any ephemeral nodes remaining must be deleted manually.

Conditions:
This may occur if:
-- A node is created with a name of the form '_auto_<IP address>', such as:
   - _auto_10.10.10.10 (IPv4 address 10.10.10.10).
   - _auto_fe80..f811.3eff.fe06.9ab9 (IPv6 address fe80::f811:3eff:fe06:9ab9)
-- FQDN template nodes are configured (including the node described above) with FQDN names that resolve to the IP address embedded in the node name.

Impact:
-- Ephemeral nodes (and pool members) may not be created based on resolution of the FQDN name in the configured node.
-- Ephemeral nodes may be created unexpectedly after the configured node is deleted.
-- Ephemeral nodes created unexpectedly after the configured node is deleted must be deleted manually.

Workaround:
Do not create any node with a name beginning with '_auto_'.
That is a reserved name used for creation of FQDN ephemeral nodes.

---

933405-6 : Zonerunner GUI hangs when attempting to list Resource Records

Solution Article: K34257075

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.

Conditions:
Attempt to list Resource Records in Zonerunner GUI.

Impact:
Zonerunner hangs.

Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.

---

932781-3 : VPN fails to establish on Windows systems where 'Secure Boot' is enabled.

Solution Article: K14154376

Component: Access Policy Manager

Symptoms:
VPN fails to connect.

Conditions:
-- 'Secure Boot' is enabled on Microsoft Windows systems.
-- Running Windows 10.
-- IP Filtering Engine is enables in the Network Access settings.
-- Connecting to VPN.

Impact:
End user clients cannot establish a VPN connection.

Workaround:
There are two workarounds for this issue:
-- Disable 'Secure Boot' on Windows systems.

Note: Some systems running Windows 10 have a feature called 'Secure Boot' enabled by default to ensure that client computers boot using only software trusted by the computer.

-- Disable IP Filtering Engine setting in the Network Access settings.

---

932553-1 : An HTTP request is not served when a remote logging server is down

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.

---

932137-2 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.

---

931609 : After installing a UCS file on a new BIG-IP, some configuration items may fail to load

Component: TMOS

Symptoms:
The FIPS card goes offline.

Conditions:
After switching to new BIG-IP, load the ucs file containing a configuration from a previously working BIG-IP device.

Impact:
Config load errors occur:

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 12.1.5 Loading schema version: 12.1.5.2 01070712:3: FIPS 140 operations not available on this system Unexpected Error: Loading configuration process failed.

The FIPS card is offline.

Workaround:
Reboot the device and the errors should resolve themselves.

---

931469-3 : Redundant socket close when half-open monitor pings

Component: Local Traffic Manager

Symptoms:
Sockets and log files are closed and re-opened twice instead of one time when the half-open TCP monitor pings successfully.

Conditions:
This occurs when the half-open monitor pings successfully.

Impact:
Minor performance impact.

Workaround:
None.

---

930825-1 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors

Component: TMOS

Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After attempting XLMAC recovery fails, the current behavior is to failover to the peer unit and go-offline and down links.

This can be seen the TMM logs:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice HA failover action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice HA failover action is cleared.

Followed by a failover event.

Conditions:
It is unknown under what conditions the XLMAC errors occur.

Impact:
The BIG-IP system fails over.

Workaround:
Modify the default high availability (HA) action for the switchboard-failsafe to reboot instead of go offline and down links.

---

930217-6 : Zone colors in ASM swap usage graph are incorrect

Component: Application Visibility and Reporting

Symptoms:
In GUI ASM memory utilization chart, 'BD swap size, Total swap size' graph show inconsistent background colors. It looks like these colors are assigned with an assumption that swap usage is shown as percentage but it is shown as absolute value.

Conditions:
-- ASM is provisioned.
-- Viewing ASM memory utilization chart/

Impact:
Potential confusion viewing colors in ASM memory utilization chart.

Workaround:
None. This is a cosmetic issue only.

---

929429-6 : Oracle database monitor uses excessive CPU when Platform FIPS is licensed

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle LTM monitor.
-- Add a pool member to the Oracle monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.

---

929133-5 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'

Component: TMOS

Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.

Conditions:
Vlan name that starts with "eth"

Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.

Workaround:
Rename all vlans that start with "eth"

---

928697-5 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT

Component: TMOS

Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.

Conditions:
The initiator sends more than one proposal.

Impact:
Diagnosing connection issues is more difficult.

Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.

---

927941-1 : IPv6 static route BFD does not come up after OAMD restart

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

---

927909 : Upgrading a vCMP guest using a block device image may fail on older versions of host software

Component: TMOS

Symptoms:
Upgrading a vCMP guest fails with the block-device-image option (where the actual images reside on the host),

Attempts to upgrade vCMP guest volumes fail, showing a failed status:

tmsh show sys software
...
HD1.2 1 none none none no failed (archive read or checksum error).

Conditions:
Attempt to upgrade vCMP guest from image residing on the host, for example:

$ tmsh install sys software block-device-image BIGIP-15.1.0.3-0.0.12.iso volume HD1.2

Impact:
Unable to upgrade software on vcmp guest.

Workaround:
Copy upgrade image to guest and upgrade directly, for example:

$ tmsh install sys software image BIGIP-15.1.0.3-0.0.12.iso volume HD1.2

---

927185 : TMM ENGHF-12.1.4.1.0.25.6 SIGFPE Assertion "maximum pages" failed

Component: Traffic Classification Engine

Symptoms:
TMM coring during pages allocation

Impact:
TMM coring causing a failover event for the customer, they're concerned about stability.

Workaround:
No workaround

---

926845-2 : Inactive ASM policies are deleted upon upgrade

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.

---

926689-1 : [APM] ActiveX-based RDP AppTunnel fails on 12.1.2.5 for all users★

Solution Article: K31523705

Component: Access Policy Manager

Symptoms:
After upgrading from 12.1.2.2.0.276 to 12.1.2.5, end users complain that they are unable to use RDP.

Conditions:
Connect to RDP via AppTunnel which loads the ActiveX control.

Impact:
You cannot connect via RDP.

Workaround:
None.

---

926593-5 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets

---

925797-5 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members

Component: TMOS

Symptoms:
There there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.

The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.

One of signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.

Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.

Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.

Workaround:
None.

---

925573-5 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted

Component: Access Policy Manager

Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.

Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.

Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue.

Workaround:
None.

---

924429-5 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

---

923221-6 : BD does not use all the CPU cores

Component: Application Security Manager

Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
1. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm

Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF'

To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

2. Restart the asm process:
   bigstart restart asm.

---

922613-5 : Tunnels using autolasthop might drop traffic with ICMP route unreachable

Component: TMOS

Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.

Conditions:
No route exists to the other end of the tunnel.

Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.

Workaround:
Create a route towards the other remote end of the tunnel.

---

922413-6 : Excessive memory consumption with ntlmconnpool configured

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.

---

922317 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections

Component: Local Traffic Manager

Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.

Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.

Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.

Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.

---

922005-7 : Stats on a certain counter for web-acceleration profile may show excessive value

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.

Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual receives uncacheable requests which are interrupted by a client or are not served by a server.

Impact:
A value for cache_misses_all incurs an arithmetic overflow, and shows an excessive number comparable with 1.8e19. The issue has no functional impact; the system operates as normal.

Workaround:
None.

---

921625-6 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.

---

921549-1 : The gtmd process does not receive updates from local big3d.

Component: Global Traffic Manager (DNS)

Symptoms:
Oversized server.crt file causes gtmd (other devices in a same syncgroup) from receiving from local big3d.

Conditions:
One GTM/DNS device in the syncgroup has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.

Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.

Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.

---

921541 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.

---

920961-5 : Devices incorrectly report 'In Sync' after an incremental sync

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy

---

920817-2 : DNS Resource Records can be lost in certain circumstances

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Zone syncing is missing Resource Records.

Conditions:
This occurs when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.

Impact:
DNS Resource Records can be missing from the BIND DNS database.

The impact of this is that if GSLB Load Balancing falls back to BIND, the DNS Resource Records may not be present.

Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.

Note: It is also possible to turn off Zone Syncing. GTM/DNS configuration is still synced, but the you lose the ability to sync non-Wide IP changes to the BIND DB. If you do not utilize ZoneRunner to add additional non-Wide IP records, this is a problem only when GSLB resorts to Fallback to BIND. This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records.

---

920789-6 : UDP commands in iRules executed during FLOW_INIT event fail

Component: Local Traffic Manager

Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.

Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.

Impact:
UDP commands in iRules executed during FLOW_INIT event fail.

Workaround:
None.

---

920761-5 : Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values

Component: TMOS

Symptoms:
In the GUI if you change a virtual server from one type to another, there may be changes automatically applied to some of the settings. If you change the type back to its original value, those changes remain, and are saved when you click Update.

Conditions:
-- Modifying a virtual server from one type to another, and then changing it back to the original type.
-- Clicking Update.

Impact:
Unexpected configuration changes, which can lead to unexpected behavior of the BIG-IP system.

Workaround:
To prevent unwanted changes, when you change a virtual server's type and then change it back within the same session, click Cancel instead of Update.

---

920517-5 : Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI

Component: TMOS

Symptoms:
When creating a Rate Shaping Rate Class in the GUI, the default values for 'Queue Method' and 'Drop Policy' are not correct.

Conditions:
-- Creating a Rate Shaping Rate Class in the GUI.
-- Leaving 'Queue Method' and 'Drop Policy' settings as their defaults.

Impact:
Unexpected values in the configuration: 'Queue Method' is 'sfq' and 'Drop Policy' is 'tail'.

Workaround:
You can use either of the following workarounds:

-- Manually set the 'Queue Method' and 'Drop Policy' when creating a Rate Shaping Rate Class object. These settings are available in the 'Advanced' view of the 'General Properties' section. 'Queue Method' should be 'pfifo' and 'Drop Policy' should be 'fred'.

-- Use TMSH to create Rate Shaping Rate Class objects.

---

920205-2 : Rate shaping might suppress TCP RST

Component: Local Traffic Manager

Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.

Conditions:
Rate shaping is configured.

Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.

Workaround:
Do not use rate-shaping.

---

919317-1 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using EMCP routes reachable via recursive nexthops.

---

918693-1 : Wide IP alias validation error during sync or config load

Component: TMOS

Symptoms:
DB validation exception occurs during sync or config load:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.

Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config.

Impact:
You are unable to load config or full sync from peer GNS/GTM.

Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.

---

918597-3 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

---

918277-6 : Slow Ramp does not take into account pool members' ratio weights

Component: Local Traffic Manager

Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.

Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.

Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.

Workaround:
None.

---

918013-5 : Log message with large wchan value

Component: TMOS

Symptoms:
A message is logged with a very large wchan (waiting channel, WCHAN :: Sleeping in Function) value that corresponds to -1 when read as signed instead of unsigned.

Conditions:
This happens in normal operation.

Impact:
The message is not accurately reporting the wchan value

Workaround:
Look at the /proc/PID/stack file for the correct wchan value.

---

915773-5 : Restart of TMM after stale interface reference

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

---

915605-3 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume:

Could not access configuration source.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr

---

915557-6 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.

---

915509-5 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true

Component: Access Policy Manager

Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).

Conditions:
RADIUS Auth with 'show-extended-error' enabled.

Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.

Workaround:
None.

---

915493-1 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
Running the imish command hangs when ospfd is enabled.

Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.

Impact:
The imish operation hangs.

Workaround:
Restart the ospfd daemon.

---

915305-1 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.

---

914081-5 : Engineering Hotfixes missing bug titles

Component: TMOS

Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).

-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.

Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.

Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.

Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).

Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.

For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.

---

914061-5 : BIG-IP may reject a POST request if it comes first and exceeds the initial window size

Component: Local Traffic Manager

Symptoms:
HTTP/2 protocol allows a negative flow-control window on initial stage of communication while first 65,535 bytes of payload are delivered from a peer. BIG-IP may break this requirement.

Conditions:
-- BIG-IP has a virtual server with http2 profile.
-- A configured receive window size in the http2 profile is below 64K (default 32K).
-- A peer sends POST request with payload exceeding initial receive window size over HTTP/2 connection.

Impact:
BIG-IP denies the POST request and sends RST_STREAM.

---

913829-1 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.

Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.

---

913729-2 : Support for DNSSEC Lookaside Validation (DLV) has been removed.

Component: Global Traffic Manager (DNS)

Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.

Conditions:
Attempting to use DLV.

Impact:
Cannot use DLV.

Workaround:
None. DLV is no longer supported.

---

913453 : URL Categorization: wr_urldbd cores while processing urlcat-query

Component: Traffic Classification Engine

Symptoms:
The webroot daemon (wr_urldbd) cores.

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.

Workaround:
None.

---

913433-5 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.

Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)

Workaround:
None.

---

913125-1 : Ratio session based Load balancing does not work

Component: Service Provider

Symptoms:
Ratio session based Load balancing does not work over MRF framework with Diameter, SIP protocols; all traffic is directed to a single pool member.

Conditions:
-- MRF virtual server configured with either a Diameter or SIP protocol profile.
-- The pool's load balancing method is set to Ratio-Session.

Impact:
All of the SIP traffic is directed to a single server, or the actual Ratio is not maintained correctly depending on the actual calls/configuration

Workaround:
FIRST WORKAROUND:
Create duplicate pool members using the same server. For example if you have two servers, server A and B, and you want a ratio of 2:3, configure multiple pool members to achieve the desired ratio:
A:5060
A:5061
B:5060
B:5061
B:5062

Impact of workaround: You must also disable port translation for the virtual server, and you must configure round robin load balancing. Also, the ratio is not preserved if one of the pool members goes down.


SECOND WORKAROUND:
If you are unable to use multiple ports on the same server, you could also use multiple IP addresses. The following pool configuration also achieves a 2:3 ratio between server A and server B:
​ A1:5060
    A2:5060
    B1:5060
    B2:5060
    B3:5060

Impact of workaround: you must also configure round robin load balancing. Also, the ratio is not preserved if one of the pool members goes down.


THIRD WORKAROUND:
Implement a ratio algorithm in an iRule. After checking to see if the message is of type INVITE, select a pool member based on a computed algorithm in the iRule.

For example you can declare an array of pool member ip:port, then loop through them. A pool member can be selected via:
    pool <pool name> member <ip> <port>

Impact of workaround: The iRule should also check the pool member status to ensure it is up.
    LB::status can be used to check status of pool member

---

912517-6 : MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

---

912289-5 : Cannot roll back after upgrading on certain platforms★

Component: Local Traffic Manager

Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

-- Upgrade the software to one of the following software versions:

  + BIG-IP v15.1.1 or later in the v15.x branch of code
  + BIG-IP v16.0.0 or later

-- Attempt to roll back to a previous version.

Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.

Workaround:
None.

---

911853-2 : Stream filter chunk-size limits filter to a single match per ingress buffer

Component: Local Traffic Manager

Symptoms:
The chunk-size profile setting of the stream filter limits memory by capping the match string allocated from an ingress buffer to <chunksize> bytes. This implicitly limits the maximum size of the match, potentially resulting in missed matches beyond chunk-size within the same ingress buffer. For more information, see:

https://support.f5.com/csp/article/K39394712

Conditions:
A stream filter is configured with the chunk-size parameter set and ingress data arrives which contains matches beyond the configured chunk-size in the buffer.

Impact:
Potential matches beyond the configured chunk-size will be sent unmodified by the stream filter, potentially resulting in missed matches.

Workaround:
None.

---

911713-5 : Delay in Network Convergence with RSTP enabled

Component: TMOS

Symptoms:
The BIG-IP system does not to Rapid Spanning Tree Protocol (RSTP) Bridge Protocol Data Units (BPDUs) with only the proposal flag ON (i.e., without the agreement flag ON).

Conditions:
-- Neighbor Switch sends RSTP BPDU with only proposal flag ON.
-- The agreement flag is not ON.

Impact:
Network convergence takes more time than expected.

Workaround:
None.

---

911241-2 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.

---

910653-1 : iRule parking in clientside/serverside command may cause tmm restart

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.

Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.

For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.

---

910473 : Tmm crash when applying config changes

Component: Local Traffic Manager

Symptoms:
Core observed after modifying the config to change the cipher lists.

Conditions:
Changing the LTM configuration at runtime. The exact conditions under which this occurs are unknown.

Impact:
Tmm crashes, and the BIG-IP system generates a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

---

910213-6 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect.

Specifically, the pool member is marked down within the tmm thread executing the iRule, but the status change is not updated to mcpd, or to other tmm threads.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
No direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.

---

909197-6 : The mcpd process may become unresponsive

Component: TMOS

Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.

Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.

Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.

Workaround:
None.

---

908021-4 : Management and VLAN MAC addresses are identical

Component: TMOS

Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.

Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.

Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.

Workaround:
None.

---

907549-5 : Memory leak in BWC::Measure

Component: TMOS

Symptoms:
Memory leak in BWC calculator.

Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.

Impact:
A memory leak occurs.

Workaround:
None.

---

907337-6 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.

---

906653-6 : Server side UDP immediate idle-timeout drops datagrams

Component: Local Traffic Manager

Symptoms:
With immediate idle-timeout, flows may be closed before a datagram is forwarded.

Conditions:
-- Immediate idle-timeout is set on the server context of a UDP virtual server.

Impact:
Datagrams are dropped periodically depending on traffic load.

Workaround:
None.

---

906505-6 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms

Component: TMOS

Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.

However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.

Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)

Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.

Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:

tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]

---

906449-6 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load

Component: TMOS

Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.

The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:

-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>

This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
 LTM::Monitor /Common/mysql_test
-------------------------------------
   Destination: 10.10.200.28:3296
   State time: down for 1hr:58mins:42sec
   | Last error: No successful responses received before deadline. @2020.03.25 14:10:24

-- From the GUI:
   + Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.

   + Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.

Conditions:
This may occur under the following conditions:

-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a full/forced config sync occurs from one HA member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a config load occurs:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.

Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.

Workaround:
None.

---

905749-4 : imish crash while checking for CLI help string in BGP mode

Component: TMOS

Symptoms:
imish crashes while checking the help strings of '(no) neighbor x.x.x.x fall-over bfd ?' when Border Gateway Protocol (BGP) is configured.

Conditions:
-- Configure BGP.
-- Check for help strings in imish using the '?' (question mark) character.

Impact:
imish crash.

Although imish crashes, BGP functionality is not impacted.

Workaround:
Avoid using '?' while entering the commands.

---

905681-2 : Incorrect enforcement of policy parameters

Component: Application Security Manager

Symptoms:
A parameter is not enforced correctly (i.e., it shows as a false positive or a false negative).

Conditions:
-- The parameter is configured as a global wildcard parameter.
-- The parameter also appears as an explicit parameter on a different policy.
-- Other conditions related to the name of the parameter may apply (e.g., numerical suffix).

Impact:
Enforcement returns false-positive or false-negative results.

Workaround:
Change the parameters to either explicit parameters or URL-level parameters assigned to all the URLs.

---

905557-4 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure

Component: Global Traffic Manager (DNS)

Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.

Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure HSL with only a single log destination.

---

904625-6 : Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync

Component: Local Traffic Manager

Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.

Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.

Impact:
HA devices go out of sync.

Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.

You can still review and modify them before completing SSL certificate/CSR modification operation, so it is safe to sync them onto the high availability (HA) peer.

---

904441-6 : APM vs_score for GTM-APM load balancing is not calculated correctly

Component: Access Policy Manager

Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.

Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.

Impact:
GTM/DNS load balancing does not work as expected.

Workaround:
None.

---

904041-6 : Ephemeral pool members may be incorrect when modified via various actions

Component: Local Traffic Manager

Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.

For example:

A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.

B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.

Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"

Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.

Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.

Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.

For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.

---

903521-6 : TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'

Component: Global Traffic Manager (DNS)

Symptoms:
TMM fails to sign responses from BIND.

Conditions:
BIND has 'dnssec-enable no' in named.conf.

Impact:
TMM fails to sign responses from BIND.

Workaround:
Remove 'dnssec-enable no' from named.conf in options section.

---

903453-1 : TMM crash following redirect when Proactive Bot Defense is used

Component: Application Security Manager

Symptoms:
TMM may rarely crash when Proactive Bot Defense is enabled.

Conditions:
TMM may rarely crash under specific configurations when Proactive Bot Defense is used.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None.

---

901989-6 : Boot_marker writes to /var/log/btmp

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
-- Rebooting a BIG-IP.

Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.

Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp

---

901985-3 : Extend logging for incomplete HTTP requests

Component: TMOS

Symptoms:
Logging is not triggered for incomplete HTTP requests.

Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.

Impact:
Logging is missing for incomplete HTTP requests.

Workaround:
None.

---

900825-4 : WAM image optimization can leak entity reference when demoting to unoptimized image

Component: WebAccelerator

Symptoms:
WAM image optimization can leak entity reference when demoting to unoptimized image.

WAM allows PNG files to be optimized to WEBP and JPG files to be optimized to JPEG XR formats, based on capabilities inferred from the client's User-Agent value. Once the optimized version is in the cache, internal check failures might cause the entity/document to be reverted to the unoptimized version. If this unoptimized version is already present in the cache, a reference to the corresponding entity is leaked, thus causing the entity to be held in memory along with attached resource/document objects and associated storage (UCI).

Conditions:
-- WAM-optimized PNG files (to WEBP) and JPG files (to JPEG XR) on tye system.
-- A policy change occurs that causes an internal check to fail.

Note: This can also occur in some cases without actual changes to the policy if the optimization step is skipped by wamd.

Impact:
WAM image optimization might leak entity reference.

Workaround:
None.

---

900485-6 : Syslog-ng 'program' filter does not work

Component: TMOS

Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.

Conditions:
-- Using the 'program' expression in a syslog-ng filter.

Impact:
Unable to filter messages as expected.

Workaround:
None.

---

899933-6 : Listing property groups in TMSH without specifying properties lists the entire object

Component: TMOS

Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.

Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.

Impact:
Unexpected output.

Workaround:
None.

---

899905 : N3FIPS kernel driver crash

Component: Local Traffic Manager

Symptoms:
The N3FIPS driver crashes and BIG-IP reboots.

Conditions:
Conditions are unknown. This occurs rarely.

Impact:
Traffic disruption due to BIG-IP system reboot

Workaround:
None.

---

899781-1 : Custom dialup does not establish VPN

Component: Access Policy Manager

Symptoms:
Attempting to establish a VPN using a custom dialup does not establish the connection, and reports an error:

...finished with code, -1073740512

Conditions:
-- Setup simple Network Access resource.
-- Download the client package onto the client system and install it.
-- Use WinLogon Integration/Custom dialup to establish VPN.

Impact:
WinLogon Integration/Custom dialup fails to establish VPN.

Workaround:
Use EdgeClient or F5 Helper Applications to establish VPN.

---

899253-2 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist

Component: Global Traffic Manager (DNS)

Symptoms:
Making changes to wide IP pools through GUI management do not take effect.

Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.

Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.

Workaround:
Use TMSH.

---

899085-1 : Configuration changes made by Certificate Manager role do not trigger saving config

Component: TMOS

Symptoms:
Configuration changes made in the BIG-IP GUI by a user with role 'Certificate Manager' do not result in the configuration being saved.

If the system is rebooted (or MCPD restarted) without saving the configuration, those changes will be lost.

Conditions:
-- User with role 'Certificate Manager'.
-- Changes made in GUI.
-- System rebooted.

Impact:
Loss of configuration changes.

Workaround:
Users with a 'Certificate Manager' role can save the configuration from tmsh:
tmsh save /sys config

Alternately, another user can save the configuration.

---

898997-6 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

---

898825-6 : Attack signatures are enforced on excluded headers under some conditions

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.

---

898753-1 : Multicast control-plane traffic requires handling with AFM policies

Component: Local Traffic Manager

Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.

Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.

Impact:
OSPF neighborship is not formed.

Workaround:
Add an AFM route-domain policy.

---

898705-1 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.

---

898681 : SafeNet install fails with the message 'path not allowed'

Component: Local Traffic Manager

Symptoms:
SafeNet Luna Client installation fails with the message 'path not allowed.

Conditions:
-- Attempting to install SafeNet Luna Client with the shell script nethsm-safenet-install.sh.

Impact:
Cannot install SafeNet Luna Client.

Workaround:
1. Open the file "/config/ssh/scp.whitelist" in an editor
2. Add the line "/usr/safenet/lunaclient"
3. Save the changes.
4. Try the install again.

---

898461-6 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

---

898389-5 : Traffic is not classified when adding port-list to virtual server from GUI

Component: TMOS

Symptoms:
Traffic is not matching to the virtual server.

Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.

Impact:
Traffic loss.

Workaround:
Creating traffic-matching-criteria from the command line

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>

---

898201-6 : Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.

Component: Local Traffic Manager

Symptoms:
After reboot, no access to services host using fqdn nodes.
-- fqdn nodes are not populated with IP addresses.
-- Unable to access virtual servers served by pools using fqdn nodes.

Conditions:
The issue happens after the BIG-IP is rebooted.
-- when DNS server is accessed through a local virtual server.
-- Single arm cloud BIG-IP with virtual server listening for DNS requests to redirect.

Impact:
-- FQDN DNS requests bypassing the listening virtual server.
-- Unable to access the pools of those configured fqdn nodes.

Workaround:
-- restarting dynconfd.
-- Running a script to trigger off "Tmm ready" and either delete the bad flow(s) or a specific connflow entry.
-- change the dummy dns server to be something in the same subnet as the single interface.

---

897437-1 : First retransmission might happen after syn-rto-base instead of minimum-rto.

Component: Local Traffic Manager

Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.

This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:

-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.

Conditions:
Configured value of syn-rto-base is lower than minimum-rto.

Impact:
Retransmission might happen sooner than expected.

Workaround:
There are two possible workarounds:

-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).

-- Consider enabling timestamps to allow faster RTT measurement.

---

896641 : Large /var/avr/.AVR_TMP_MERGE_STEP101 file continues to grow

Component: Application Visibility and Reporting

Symptoms:
A very large /var/avr/.AVR_TMP_MERGE_STEP101 file is on one of a VIPRION system, and the file continues to grow until /var is full.

Conditions:
Using a multi-blade VIPRION platform. The exact conditions under which this occurs are unknown.

Impact:
Disk partition /var is becoming full.

Workaround:
Delete the /var/avr/.AVR_TMP_MERGE_STEP101 file.

---

896553-1 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails (but not administratively disabled), other blades take 10 seconds (configured with db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.

Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default.)

Workaround:
Attach interfaces to all blades.

---

895845-1 : Implement automatic conflict resolution for gossip-conflicts in REST

Component: TMOS

Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.

Conditions:
-- high availability (HA) environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.

You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts

You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip

Impact:
If there are gossip conflicts, the devices requires manual intervention to get back in sync.

Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:

1. Update devices info to use the same generation number.

2. This info found on REST Storage worker. Storage worker uses the selflink plus a generation number as the key to a given set of data.

3. Add the data from the unit with the highest generation number to the other unit.

4. Must also take care to increase the generation number on the new data to match that of the highest generation

Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts

2. Get the 'selflink in remoteState' attribute. This self link is same across all devices and checks on the browser with each device to discover the device that is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>

3. Now you know what device contains the most recent version of your data, run this command to get up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>

4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'

---

895781-1 : Round Robin disaggregation does not disaggregate globally

Component: TMOS

Symptoms:
Traffic is not disaggregated uniformly as expected.

Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.

Impact:
Some TMMs may use relatively more CPU.

Workaround:
None.

---

895205-6 : A circular reference in rewrite profiles causes MCP to crash

Component: Local Traffic Manager

Symptoms:
MCPD crash when modifying rewrite profile.

Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.

Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.

Workaround:
Do not create circular references with profiles.

---

893093-6 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.

Component: TMOS

Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:

-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates

-- DNS :: GSLB :: Servers :: Trusted Server Certificates

The system returns the following error:

An error has occurred while trying to process your request.

Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.

Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.

-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.

-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.

Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.

Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).

You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.

For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.

---

892677-2 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted

---

892445-6 : BWC policy names are limited to 128 characters

Component: TMOS

Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:

01070088:3: The requested object name <name> is invalid.

Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.

Impact:
Unable to create BWC policy objects with names that have more than 128 characters.

Workaround:
Use fewer than 128 characters when creating a BWC policy.

---

892385-4 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

---

891385-6 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

---

891337-5 : 'save_master_key(master): Not ready to save yet' errors in the logs

Component: TMOS

Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.

Conditions:
UCS load or configuration synchronization that includes encrypted objects.

Impact:
Many errors seen in the logs.

Workaround:
None.

---

891145-1 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal

Component: Local Traffic Manager

Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.

Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.

Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.

Workaround:
There are two workarounds:

-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner.

-- Disable TCP Timestamps.

---

890881 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address

Component: Local Traffic Manager

Symptoms:
Traffic drop occurs.

Conditions:
Source MAC in the ARP header and the Ethernet header do not match.

Impact:
The BIG-IP system drops these packets.

Workaround:
None.

---

890573-4 : BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart

Component: WebAccelerator

Symptoms:
BIG-IP WAM/AAM provides a faster cache store called small object cache. To get into this cache, an object must have its size below a threshold defined in BigDB variable wam.cache.smallobject.threshold. BIG-IP does not always pickup this value after a restart of TMM.

Conditions:
- WAM/AAM is provisioned;
- A virtual server is configured with a webacceleration profile having a web application.

Impact:
When small object cache has a non-default value, it may incorrectly place an object into Small Object cache (faster cache store) or MetaStor (slower cache store), causing performance impact.

Workaround:
Reset wam.cache.smallobject.threshold value.

---

890401-4 : Restore correct handling of small object when conditions to change cache type is satisfied

Component: WebAccelerator

Symptoms:
BIG-IP system software allows you to cache HTTP responses with WAM/AMM web applications. There is a special storage location for small-size objects. If a caching object is about to exceed a threshold limit, the BIG-IP system might change its caching storage to MetaStor. A fix for ID 792045 introduced an issue for instances in which it does not, which resulted in not serving a cached object.

Conditions:
-- WAM/AAM is provisioned.
-- Virtual server has a webacceleration profile with a web application.
-- The BIG-IP software contains a fix for ID 792045.

Impact:
The BIG-IP system resets a connection with an error, a cached object is not served, and the rendering of a client's webpage is not correct.

Workaround:
None.

---

890285-3 : DNS resolver cannot forward DNS query to local IPv6 virtual server

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS resolver is not sending backend dns request to local IPV6 virtual servers.

Conditions:
DNS resolver referring to local IPV6 virtuals.

Impact:
Unable to resolve dns requests properly.

---

889801-5 : Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.

Component: Global Traffic Manager (DNS)

Symptoms:
Upon close inspection of the statistics of a particular DNS Cache, for example by running the command 'tmsh show ltm dns cache resolver <name>', you realize that the 'Total Responses' counter for the cache is not incrementing as much as it should be.

Specifically, by comparing the counter with packet captures or the stats of the DNS Profile, you realize the system is under-reporting 'Total Responses'.

Conditions:
The virtual server using the DNS Cache also uses an iRule which happens to include a suspending command (e.g., 'table') under the DNS_RESPONSE event.

Impact:
The incorrect DNS Cache statistics may confuse or mislead a BIG-IP Administrator.

No traffic impact exists as part of this issue. Responses are still being served from the cache even when the counter says they are not.

Workaround:
None.

---

889497 : Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage

Component: Access Policy Manager

Symptoms:
The urldb and urldbmgrd process CPU utilization increases to over 90%.

Conditions:
-- SWG provisioned.
-- Creating an APM Event log profile and then deleting it.

Impact:
High CPU utilization by urldb and urldbmgrd.

Workaround:
Do not delete an APM Event log profile.

If an APM Event log has already been deleted, restart urldb and urldbmgrd to return CPU processing.top

---

888341-2 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:

-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
HA Group failover configured.

Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

---

888289-5 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

---

887609-1 : TMM crash when updating urldb blacklist

Component: Traffic Classification Engine

Symptoms:
TMM crashes after updating the urldb blacklist.

Conditions:
-- The BIG-IP system is configured with URL blacklists.
-- Multiple database files are used.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

---

887045-6 : The session key does not get mirrored to standby.

Component: Local Traffic Manager

Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.

Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives

Impact:
The session key does not get mirrored to standby.

Workaround:
None

---

886689-2 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

---

886653-1 : Flow lookup on subsequent packets fail during CMP state change.

Component: Policy Enforcement Manager

Symptoms:
When there is a failover event, there is a chance that some sessions will not move over to new active blade.

Conditions:
-- High availability (HA) environment.
-- A CMP state change occurs.

Impact:
For certain IP addresses that have failed to move to the new active device, a new session create request does not create/replace the current session because it is in inconsistent state.

Workaround:
None.

---

885325-6 : Stats might be incorrect for iRules that get executed a large number of times

Component: Local Traffic Manager

Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).

Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.

Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.

Workaround:
None.

---

885201-5 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log

Component: Global Traffic Manager (DNS)

Symptoms:
Err (error) level messages in /var/log/gtm log when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:

err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.

These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.

Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https
-- TCP fails to connect due to a layer 2-4 issue, for example:
   - No route to host.
   - Received a TCP RST.
   - TCP handshake timeout.

Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.

These messages can be safely ignored.

Workaround:
If you want to suppress these messages, you can configure a syslog filter.

For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.

---

884729-6 : The vCMP CPU usage stats are incorrect

Component: TMOS

Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.

Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.

Impact:
The vCMP CPU usage stats are intermittently incorrect.

Workaround:
None.

---

883149-6 : The fix for ID 439539 can cause mcpd to core.

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
NA

---

883049-7 : Statsd can deadlock with rrdshim if an rrd file is invalid

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd

---

882609-4 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back

Component: TMOS

Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.

MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.

Conditions:
--- BIG-IP system is in a trust domain with other BIG-IP systems.
--- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.

Impact:
Devices unable to ConfigSync.

Workaround:
This workaround will disrupt traffic while TMM restarts:

1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm


This workaround should not disrupt traffic:

Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.

TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"

---

882273-2 : MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow

Component: Service Provider

Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.

Conditions:
-- Diameter transmission setting is enabled and action should be retrans.
-- auto-init should be enabled.
-- And server is down.

Impact:
Memory corruption will lead to tmm crash in longer run and memory leak make memory usage to grow in linear order. Traffic disrupted while tmm restarts.

Workaround:
None.

---

880697-6 : URI::query command returning fragment part, instead of query part

Component: Local Traffic Manager

Symptoms:
The iRule URI commands are designed to parse a given URI string to each components such as scheme (URI::protocol) or authority (URI::host). The URI::query command is designed to return the query part of an URI, but the returned string contains the fragment part. For example, for the URI "foo://example.com:8042/over/there?name=ferret#nose" (an example from Section 3, RFC 3986), URI::query returns "name=ferret#nose". The "#nose" part should not be present in the return value

Conditions:
Create a test rule with URI having '#' like this.

when HTTP_REQUEST {
  # from RFC 3986 Section 3
  set url "foo://example.com:8042/over/there?name=ferret#nose"
  log local0. "query: [URI::query $url]"
}

Impact:
URI operations that involve #fragments may fail.

Workaround:
NA

---

879969-1 : FQDN node resolution fails if DNS response latency >5 seconds

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.

---

879841-1 : Domain cookie same-site option is missing the "None" as value in GUI and rest

Component: Application Security Manager

Symptoms:
There isn't an option to add to a domain cookie with the attribute "SameSite=None". The value "None" which appears as an option is used will not add the attribute at all.

Conditions:
You want to have SameSite=none attribute added to a domain cookie.

Impact:
You are unable to set SameSite=None

Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM

---

876569 : QAT compression codec produces gzip stream with CRC error

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.

---

875401-5 : PEM subcriber lookup can fail for internet side new connections

Component: Policy Enforcement Manager

Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.

Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm

Impact:
PEM subscriber lookup can fail on the internet side

Workaround:
No workaround.

---

874857-1 : Hardware-accelerated connections might not be removed from ePVA on transition to standby

Component: TMOS

Symptoms:
This issue only affects certain platforms, such as the B4450. For affected platforms, when the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, the traffic sent to the virtual servers with hardware acceleration enabled continues to be accelerated by the ePVA hardware on the original active unit (now the standby unit). These entries should be flushed on transition to standby if PVA standby flush is enabled.

Conditions:
When a failover event occurs on a device with hardware-accelerated virtual servers and PVA standby flush is enabled.

Impact:
Hardware-accelerated entries may stay active on the standby unit, processing network traffic.

Workaround:
Disable hardware-accelerated (ePVA) connections.

---

874317-5 : Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK directly back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface unless the client is not directly connected and the connection is using a default gateway.

Conditions:
-- The BIG-IP is configured with two VLANs/interfaces for a client (one for incoming packets, one for outgoing packets, i.e. asymmetric routing).
-- The client using asymmetric routing is connecting to a virtual server with auto-lasthop disabled.
-- The outgoing route to the client (from the BIG-IP) is directly connected to the client (i.e. on the same network; not going through a gateway).
-- The DB variable connection.vlankeyed has the value "enabled" (which is the default).

Impact:
The mismatch could lead to connections failing to establish.

Workaround:
Use only a single VLAN on the client side, or disable the DB variable "connection.vlankeyed".

---

873677-2 : LTM policy matching does not work as expected

Component: Local Traffic Manager

Symptoms:
Policy matching may fail to work as expected

Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.

This may also be triggered by very complex policies with large numbers of rules.

Impact:
LTM policy matching does not work as expected.

Workaround:
None.

---

873249-5 : Switching from fast_merge to slow_merge can result in incorrect tmm stats

Component: Local Traffic Manager

Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.

Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.

Impact:
Incorrect reporting for TMM stats.

Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.

These files are roll-ups and will be re-created as necessary.

---

871705-2 : Restarting bigstart shuts down the system

Component: TMOS

Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.

Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.

Impact:
Different versions appear to have different behavior:

-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- 1v4.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.

Workaround:
None.

---

871045-6 : IP fragments are disaggregated to separate TMMs with hardware syncookies enabled

Component: TMOS

Symptoms:
With hardware syncookies enabled, HTTP POST requests that are fragmented into separate segments are processed by different TMMs.

Connection is subsequently reset with a TCP RST cause reported as: No flow found for ACK.

Conditions:
-- Hardware syncookies triggered.
-- IP fragmented HTTP POST request.

Impact:
Connection is subsequently reset with TCP RST, cause 'No flow found for ACK'.

Workaround:
None.

---

869237-2 : Management interface might become unreachable when alternating between DHCP/static address assignment.

Component: TMOS

Symptoms:
When the Management IP address assignment is changed and the IP address obtained from DHCP lease is used for static interface configuration, the management port might become unreachable after the DHCP lease expiration time, even though interface has a static IP configured.

Conditions:
-- Management IP assignment is changed from dynamic (DHCP) to static.
-- The static IP address that is configured is identical to the DHCP address that was assigned.

Impact:
Remote management access is lost after the DHCP lease expires.

Workaround:
When changing the management interface configuration from DHCP to static, first delete the old configuration, then create new configuration. This can be done with TMSH:

(tmos)# modify sys global-settings mgmt-dhcp disabled
(tmos)# del sys management-ip 10.14.30.111/24
(tmos)# create sys management-ip 10.14.30.111/24 { description configured-statically }

---

869049-1 : Charts discrepancy in AVR reports

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.

---

868721-5 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.

---

867793-5 : BIG-IP sending the wrong trap code for BGP peer state

Component: TMOS

Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.

Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.

Workaround:
None.

---

867321-1 : Error: Invalid self IP, the IP address already exists.

Component: Advanced Firewall Manager

Symptoms:
When loading a configuration, the config load fails with an error:

Invalid self IP, the IP address <ip_addr> already exists.

Conditions:
-- Config contains an IPv4 SelfIP
-- Config contains an IPv4-mapped IPv6 address that is assigned to the same vlan

BIG-IP does not prevent you from creating this condition and will allow you to save it.

Impact:
During configuration load will fail:

0107176c:3: Invalid self IP, the IP address <ip_addr> already exists.
Unexpected Error: Loading configuration process failed.

Workaround:
Delete one of the SelfIP addresses and load the configuration.

---

867249-5 : New SNMP authentication type and privacy protocol algorithms not available in UI

Component: TMOS

Symptoms:
You are unable to configure the new SNMP authentication type and privacy protocol algorithms from the BIG-IP Configuration utility.

Conditions:
A BIG-IP with net-snmp libraries v5.8

Impact:
The new authentication type and privacy protocol algorithms cannot be configured via the GUI.

Workaround:
Specify the auth-protocol and privacy-protocol values using TMSH.

modify /sys snmp users add { <user> { access rw security-level auth-privacy auth-protocol sha256 auth-password defaultPassword privacy-protocol aes privacy-password defaultPassword username <user> } }

---

865461-5 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.

---

865341 : SSL::collect and SSL::release in an iRule causes connection reset

Component: Local Traffic Manager

Symptoms:
Using SSL::collect and SSL::release in an iRule alongside a policy with a 'Set Variable' action resets the connection, and reports an error:

01220001:3: TCL error: no connection established SSL::collect needs an established connection! (line 1) invoked from within "SSL::collect".

Conditions:
-- SSL::collect and SSL::release in an iRule.
-- Policy with a 'Set Variable' action.

Impact:
The system resets the connection.

Workaround:
None.

---

865241-5 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

---

863917-5 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.

Component: Global Traffic Manager (DNS)

Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:

The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.

This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.

Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.

Impact:
Messages are logged that imply the system is overloaded when it is not.

Workaround:
Create a log filter to suppress the messages

sys log-config filter gtm-warn {
    level warn
    message-id 011ae116
    source gtmd
}

---

863453 : Internet Explorer restart is required after VPN plugin is upgraded to 12.1.5

Component: Access Policy Manager

Symptoms:
After browser components are updated and user tries to establish VPN from Internet Explorer, user sees an error message saying 'Failed to initialize local Tunnel Server'.

Conditions:
- User established VPN from Internet Explorer before using older F5 Internet Explorer browser plugin
- The same instance of Internet Explorer is used to establish VPN after BIG-IP was upgraded to 12.1.5

Impact:
VPN cannot be established until user restarts browser.

Workaround:
Restart browser.

---

862693-5 : PAM_RHOST not set when authenticating BIG-IP using iControl REST

Component: TMOS

Symptoms:
The missing PAM_RHOST setting causes the radius packet to go out without the calling-station-id avp

Conditions:
1. Configure radius server and add it to BIG-IP
tmsh create auth radius system-auth servers add { myrad }

2. modify auth source type to radius
tmsh modify auth source { type radius }

3. try to authenticate to BIG-IP using iControl REST

Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id

---

862597-2 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

---

862525-5 : GUI Browser Cache Timeout option is not available via tmsh

Component: TMOS

Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
  bigpipe httpd browsercachetimeout

In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files.

However there is no tmsh equivalent in any version.

Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.

Impact:
Unable to modify browser cache timeout except from GUI

Workaround:
Using GUI to configure this field. GUI System :: Preferences :: Time To Cache Static Files.

---

862069-5 : Using non-standard HTTPS and SSH ports fails under certain conditions

Component: Local Traffic Manager

Symptoms:
On all versions 12.1.0 or later, if you change the HTTPS port (e.g., to 8443, as is required for '1NIC' BIG-IP Virtual Edition (VE) deployments) and then expose the management UI via a self IP in a non-zero route domain, you cannot access the system via the GUI or CLI, and the system does not pass traffic as expected.

In versions 14.1.0 and later on VE installations, attempting to manage a BIG-IP system over a self IP can fail if all these conditions are met:
-- Non-standard HTTPS port used.
-- No TMM default route configured.
-- No route to the client IP address configured.

Conditions:
-- Modify the default HTTPS and/or default SSH ports.

And either of the following:

On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.

On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP address configured.

Impact:
-- Unable to access BIG-IP GUI on non-standard HTTPS port.
-- Unable to access BIG-IP CLI on non-standard SSH port.

Workaround:
None.

---

862001-5 : Improperly configured NTP server can result in an undisciplined clock stanza

Component: Local Traffic Manager

Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.

NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock

Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.

Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the the remote time-source becomes unreachable.

Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.

While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
 
However, if the 'dummy' source starts responding, it could become a rogue time source.

---

859717-5 : ICMP-limit-related warning messages in /var/log/ltm

Component: Local Traffic Manager

Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:

warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.

Conditions:
Viewing /var/log/ltm.

Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.

Workaround:
None.

---

858769-1 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2

Component: TMOS

Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.

Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.

Impact:
The longer keys lengths for SNMPv3 cannot be used.

---

858549-1 : GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs

Component: TMOS

Symptoms:
When you try to use an IPv4-mapped IPv6 address as the self VI via GUI you get an error: '
Some fields below contain errors. Correct them before continuing.
Invalid IP or Hostname

Conditions:
Assign IPv4-mapped IPv6 address to self IPs via GUI.

Impact:
Cannot add the self IP to the BIG-IP system.

Workaround:
None.

---

857633-5 : Attack Type (SSRF) appears incorrectly in REST result

Component: Application Security Manager

Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.

Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.

Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.

Workaround:
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:

DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";

---

854493-1 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

---

853989-6 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields

Component: Application Security Manager

Symptoms:
Dosl7 remote logger messages breaks ArcSight CEF connector when using ArcSight destination format. CEF Logs are dropped.

Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual

Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.

Workaround:
BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the a string portion from ArcSight numeric type fields.

---

853617-5 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles

Component: TMOS

Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:

-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG

In older versions:

-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error

Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.

Impact:
Virtual server is defined and in configuration, but does not pass traffic.

On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.

Workaround:
None.

---

853613-6 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

---

853585-4 : REST Wide IP object presents an inconsistent lastResortPool value

Component: Global Traffic Manager (DNS)

Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:

...
"lastResortPool": "aaaa \"\""
...

Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:

tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>

Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.

Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.

---

853329-6 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.

Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.

Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.

Workaround:
None.

---

852873-5 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.

Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.

Workaround:
None.

---

852577-4 : [AVR] Analytic goodput graph between different time period has big discrepancy

Component: Application Visibility and Reporting

Symptoms:
The incorrect goodput value is showing on the GUI > Analytics > TCP > Goodput.

Conditions:
AVR is provisioned
Running TCP related traffic (with the amount that can exceeds the MAX_INT value in any aggregation level).

Impact:
AVR statistics for TCP goodput may be incorrect.

Workaround:
There is no workaround at this time.

---

852325-5 : HTTP2 does not support Global SNAT

Component: Local Traffic Manager

Symptoms:
The Global SNAT feature does not work with HTTP2.

Conditions:
-- Global SNAT is used
-- HTTP2 is used.

Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.

Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.

---

851857-5 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

---

851581-5 : Server-side detach may crash TMM

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.

---

851385-6 : Failover takes too long when traffic blade failure occurs

Component: Local Traffic Manager

Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.
  
If the blades are physically pulled from the chassis,
the failure occurs within 1 second.

Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI

Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover

---

851341 : DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache respond with records exceeding cache-maximum-ttl.

Conditions:
1. Multiple TMMs compared with single TMM.
2. Reassembled DNS response from previous cached records.

Impact:
DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs, but not with single TMMs. Inconsistent behavior might lead to confusion.

Workaround:
None.

---

851121-5 : Database monitor DBDaemon debug logging not enabled consistently

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (mssql, mysql, postrgresql, oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled vs. disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, etc. may not be logged consistently.

Conditions:
-- Using multiple database health monitors (mssql, mysql, postrgresql, oracle)
-- Enabling debug logging on one or more database health monitors, but not all

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.

---

848681-2 : Disabling the LCD on a VIPRION causes blade status lights to turn amber

Component: TMOS

Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.

Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable

Impact:
Blade status lights change to amber, even if nothing is wrong with the system.

Workaround:
None.

---

846977-5 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★

Component: Local Traffic Manager

Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.

Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:

/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].

Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.

Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.

Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.

---

846873-1 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure

Component: Local Traffic Manager

Symptoms:
Traffic fails to pass through a virtual server.

Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.

For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction

Impact:
Traffic failure on the new virtual server.

Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:

tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config

---

846793-1 : SCTP flow may be inappropriately aborted due to 'stream-id out of range'

Component: TMOS

Symptoms:
SCTP flow may be aborted due to 'stream-id out of range' even both client and server send SCTP chunk with correct stream-id.

The out-of-range stream-id happens because the BIG-IP system fails to store the stream-id during ingress, so it is incorrectly restored on egress.

When this occurs, a message similar to the following may be found in /var/log/ltm:

notice tmm[19016]: 01900032:5: SCTP serverside association (10.65.125.108:388 -> 10.65.135.103:563) aborted (stream-id out of range).

Conditions:
- Standard SCTP virtual deployment.
- SCTP client sends ordered data chunk.
- SCTP server responds with unordered data chunk.
- VLAN tagging is used.

Impact:
Traffic is interrupted due to SCTP connection is aborted unintentionally.

Workaround:
None.

---

846521-2 : Config script does not refresh management address entry properly when alternating between dynamic and static

Component: TMOS

Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.

Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.

Impact:
Remote management access is lost after DHCP lease expires.

Workaround:
Restart BIG-IP after changing the management IP address.

---

846425 : APM configsnapshot are not created when blade transitions from secondary to primary

Component: Access Policy Manager

Symptoms:
In a chassis, when a secondary blade transitions to the primary blade it is responsible for keeping APM configuration snapshots current. However, prior to 13.1.0, APM configuration snapshots are not maintained.

Conditions:
-- APM configured in a multi-bladed chassis.
-- Secondary blade transitions to primary blade.

Impact:
Cannot access any APM functionality

Workaround:
Restart the apd process using the following command on the new primary blade:

# bigstart restart apmd

---

845333-1 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config

Component: Local Traffic Manager

Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]

Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.

Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.

Workaround:
Make the datagroup a Tcl variable to bypass validation.

---

842989-2 : PEM: tmm could core when running iRules on overloaded systems

Component: Policy Enforcement Manager

Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.

Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Reduce the load on tmm or modify the optimize the irule.

---

842901-6 : Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.

Component: TMOS

Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.

Conditions:
Fast failover of PIM-DM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.

Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.

Workaround:
None. This is an improvement request.

---

842425-5 : Mirrored connections on standby are never removed in certain configurations

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

---

842257 : Unable to create 'Login Page' from 'Brute Force Protection'

Component: Application Security Manager

Symptoms:
Not able to Login page from Brute Force Protection.

Conditions:
Clicking create after creating a 'Login page' from Security :: Application Security :: Anomaly Detection :: Brute Force Attack Prevention and entering all required values.

Impact:
The login page is not created.

Workaround:
None.

---

842193-5 : Scriptd coring while running f5.automated_backup script

Component: iApp Technology

Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED

Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.

Impact:
Scriptd core.

Workaround:
Increasing the sys scriptd max-script-run-time higher then the default of 300 seconds might be helpful if the higher timeout allows the script to complete.

For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.

---

842125-1 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

---

841985-6 : TSUI GUI stuck for the same session during long actions

Component: Application Security Manager

Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).

Conditions:
Long-running task is performed, such as export/import/update signatures.

Impact:
GUI is unresponsive for that session.

Workaround:
If you need to continue working during long task is performed, you can log in via another browser.

---

841721-6 : BWC::policy detach appears to run, but BWC control is still enabled

Component: TMOS

Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.

Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.

Impact:
The detached policy continues to work.

Workaround:
None.

---

841469-2 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.

---

841369-6 : HTTP monitor GUI displays incorrect green status information

Component: Local Traffic Manager

Symptoms:
LTM HTTP monitor GUI displays incorrect green status when related pool is down.

TMSH shows correct information

Conditions:
LTM HTTP monitor destination port does not match with pool member port.

Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green

Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.

---

841341-1 : IP forwarding virtual server does not pick up any traffic if destination address is shared.

Component: Local Traffic Manager

Symptoms:
Virtual servers do not forward any traffic but the SNAT does.

Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.

Impact:
IP forwarding virtual server does not pick up any traffic.

Workaround:
Delete and then re-create virtual servers.

---

841277-2 : C4800 LCD fails to load after annunciator hot-swap

Component: TMOS

Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.

Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.

Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.

Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable

2. Wait 10 seconds.

3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.

This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.

---

840785-5 : Update documented examples for REST::send to use valid REST endpoints

Component: Local Traffic Manager

Symptoms:
The documented examples for REST::send refers to REST endpoints that are not valid.

Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.

Impact:
Invalid examples lead to potential confusion.

Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.

---

839597-1 : Restjavad fails to start if provision.extramb has a large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800 MB for v12.1.0 and earlier.
  + above ~2900-3000 MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system.

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extramb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad

---

839361-1 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.

Conditions:
iRule drop is used under DNS_RESPONSE event.

Impact:
DNS response may be improperly forwarded to the client.

Workaround:
Use DNS::drop instead.

---

838925-2 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content

Component: TMOS

Symptoms:
Malformed CSS where one of the style rules is missing a closing brace could cause LTM Rewrite profile to stop processing file or reset connection.

Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.

Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.

Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.

---

838337-6 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.

---

838305-1 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.

---

838297-6 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.

---

837637-7 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★

Solution Article: K02038650

Component: Global Traffic Manager (DNS)

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all

---

837481-2 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID

Component: TMOS

Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.

Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.

Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device, makes that device work, but other members of the config sync group will now fail.

Workaround:
- check "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019)
engineID needs to be unique per device

- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync
We must NOT sync these parameters as they need to match the individual device engineID

            display-name "Authoritative (security) engineID for SNMPv3"
            display-name "Authentication pass phrase for SNMPv3 messages"
            display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
            display-name "User's passphrase"
            display-name "Privacy passphrase"

### Mount usr as rw see see K11302
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore usr as ro
mount -o remount,ro /usr
tmsh load sys config

Then once they are not syncing over, you can create v3 on each device using the same pass phrase as your SNMPv3 manager is using

tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }

Then each device should respond OK to query for that same pass phrase

snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv


For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps

---

836237-1 : ZRD process restarts observed due to stale files in /var/zrd/zrd-undo/ when UCS file is loaded or any modifications in wide IP configurations.

Component: TMOS

Symptoms:
Due to stale files in /var/zrd/zrd-undo, UCS loading is failing. Stale files are causing differences in zone information between named.conf and /var/zrd/zrd-undo files which is leading to restart of the zrd process (the ZoneRunner daemon).

Conditions:
-- Creating a wide IP with one or more aliases.
-- Deleting the configurations along with the ZoneRunner file.
-- Loading the UCS file.

Impact:
UCS configuration load fails, resulting in zrd restarts.

Workaround:
Note: Before loading the UCS file, remove stale files in /var/zrd/zrd-undo/:

1. Halt the zrd and named processes:
bigstart stop zrd named

2. Delete the GTM wide IP:
tmsh delete gtm wideip a all

3. Remove the stale zrd files:
\rm /var/zrd/zrd-undo/*

4. Edit named.conf (vi /var/named/config/named.conf) and remove all the zones.

5. Remove the stale named files:
\rm /var/named/config/namedb/db.* /var/named/config/dummy

6. Restart the zrd and named processes:
bigstart start zrd named

---

836137 : When BGP recursive nexthop is down, network is down, logs show Type: 0 messages without nexthop.

Component: TMOS

Symptoms:
While BGP is configured to use recursive routes and OSPF is used to provide a route to the recursive routes, you see repeated messages 'Type: 0'.

Conditions:
Due to network unreachable issue, ZebOS is shown all type :0 message.

1. BGP recursive routes are configured.
2. OSPF is configured to provide routing to the recursive routes.
3. OSPF flaps, or the network connection to the next hop is lost somehow.

Impact:
BGP logs do not contain helpful diagnostic information.

Workaround:
None.

---

835505 : Tmsh crash potentially related to NGFIPS SDK

Component: Local Traffic Manager

Symptoms:
Tmsh crash occurs rarely. The NGFIPS SDK may generate a core as well.

Conditions:
The exact conditions that trigger this are unknown.

It can be encountered when running the following tmsh command:

tmsh -a show sys crypto fips key field-fmt include-public-keys all-properties

Impact:
Tmsh may crash. You are exited from tmsh if you were using it as a shell.

Workaround:
None.

---

834217-2 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.

Component: Local Traffic Manager

Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.

Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).

Impact:
Degraded TCP performance.

Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).

Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.

---

832233-5 : The iRule regexp command issues an incorrect warning

Component: Local Traffic Manager

Symptoms:
At validation time, mcpd issues a warning similar to the following:

warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]

Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.

Impact:
A warning is generated, "\1" has no meaning, even though it is valid.

Workaround:
Ignore the warning.

---

831821-6 : Corrupted DAG packets causes bcm56xxd core on VCMP host

Component: TMOS

Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.

Conditions:
Unknown.

Impact:
Device goes offline, traffic disruption.

---

829889 : Invalid opcode: kernel BUG at mm/shmem.c:556!

Component: TMOS

Symptoms:
A blade reboots due to a kernel panic with the following message:
crit kernel: kernel BUG at mm/shmem.c:556!

Conditions:
The exact conditions that trigger this are unknown.

Impact:
Kernel panic followed by blade reboot.

Workaround:
None.

---

829821-5 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.

---

829657 : Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
PEM configured with a multi-IP subscriber with more than 16 IP addresses.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not create a PEM subscriber with more than 16 IP addresses.

---

829029-4 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error

Component: Application Security Manager

Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.

Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.

Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.

Workaround:
Retry the subsequent REST calls.

---

828937-5 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).


Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

---

828625-5 : User shouldn't be able to configure two identical traffic selectors

Component: TMOS

Symptoms:
Config load fails by issuing "tmsh load sys config verify"
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.

Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.

Impact:
Config load will fail after a reboot

Workaround:
Delete duplicate traffic-selectors.

---

827441-4 : Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends a TCP SYN to the back-end server, but ignores the server's SYN-ACK response.

Conditions:
A virtual server that contains a UDP profile with idle-timeout immediate is modified to replace the UDP profiles with TCP profiles.

Impact:
Connections from the BIG-IP system to backend servers fails.

Workaround:
Delete and recreate the virtual server.

---

827021-5 : MCP update message may be lost when primary blade changes in chassis

Component: TMOS

Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.

Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.

Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.

For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.

Workaround:
None.

---

826313-1 : Error: Media type is incompatible with other trunk members★

Component: TMOS

Symptoms:
Loading system configuration is failing after upgrade with an error message

01070619:3: Interface 5.0 media type is incompatible with other trunk members

Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.

Impact:
The system configuration is failing to load.

Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.

---

826265-1 : The SNMPv3 engineBoots value restarts at 1 after an upgrade

Component: TMOS

Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.

Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.

Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.

Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):

tmsh modify sys snmp include 'engineBoots n'

2. Restart SNMPD.

---

825813-2 : Notarize APM Clients to support macOS Catalina

Component: Access Policy Manager

Symptoms:
MacOS Catalina requires an installation package be notarized.

Conditions:
Installing EdgeClient on MacOS Catalina.

Impact:
EdgeClient cannot be installed on MacOS Catalina without notarization.

Workaround:
None.

---

824437-5 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.

---

824093-2 : Parameters payload parser issue

Component: Application Security Manager

Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.

Conditions:
-- ASM in use.
-- Request contains multipart headers.

Impact:
Incorrect policy enforcement.

Workaround:
None.

---

823825-2 : Renaming HA VLAN can disrupt state-mirror connection

Component: Local Traffic Manager

Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.

Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

Impact:
System might crash eventually.

Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an HA configuration.

---

821745 : Mcpd core when changing password for BIG-IP remote user

Component: TMOS

Symptoms:
While changing a BIG-IP remote password, mcpd hangs during the LDAP authentication process, and crashes.

Conditions:
The exact conditions that trigger this are unknown; it occurred while changing the password for a remote user on the BIG-IP system.

Impact:
Mcpd stops responding, then crashes. Traffic disrupted while mcpd restarts.

Workaround:
None.

---

820333-6 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.

---

819421-5 : Unable to scp/sftp to device after upgrade★

Component: TMOS

Symptoms:
Users with numeric usernames are unable to log in via scp.

Conditions:
-- Logging in via scp/sftp.
-- User account with a numeric username.

Impact:
Unable to log in via scp.

Workaround:
Include alpha characters in username.

---

819329 : Specific FIPS device errors will not trigger failover

Component: Local Traffic Manager

Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.

Conditions:
-- FIPS hardware failure occurs, but the device is idle

Impact:
The device may not fail over on FIPS hardware failure.

---

819281 : HSB and switch interface pause frames

Component: TMOS

Symptoms:
The interface between the HSB and switch may experience a high number of pause frames, which can be observed in the switch interface stats counters.rx_pause value.

This may also be seen by impacted traffic in the ltm logs, such as lacpd errors:

-- info lacpd[8992]: 01160010:6: Link 2.3 removed from aggregation
-- info lacpd[8992]: 01160011:6: Link 2.3 Actor Out of Sync
-- info lacpd[8992]: 01160012:6: Link 2.3 Partner Out of Sync

Conditions:
This issue can occur if there are hardware-accelerated flows and IPv6 traffic.

Impact:
Network traffic is dropped.

Workaround:
Although there is no workaround, the fix for this issue has been added to HSB firmware images for BIG-IP v14.1.x. This includes the B4450N and iSeries platforms.

---

819261-1 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive, and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

---

818505-6 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Component: TMOS

Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Conditions:
Modifying a virtual address using an iControl PUT command.

Impact:
An unintentional change to the virtual address's netmask.

Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.

---

818465-1 : Unnecessary memory allocation in AVR module

Component: Anomaly Detection Services

Symptoms:
Internal Bados indicator is not updated correctly, creating unnecessary memory allocation in AVR module.

Conditions:
Using AVR.

Impact:
Unnecessary memory consumption

Workaround:
None.

---

818097-1 : Plane CPU stats too high after primary blade failover in multi-blade chassis

Component: Local Traffic Manager

Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.

Conditions:
The primary blade in a multi-blade chassis fails over to another blade.

Impact:
The plane CPU stats are too high.

Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.

---

818069-1 : GUI hangs when iApp produces error message

Component: iApp Technology

Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.

Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.

Impact:
GUI hangs.

Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat

---

817709-1 : IPsec: TMM cored with SIGFPE in racoon2

Component: TMOS

Symptoms:
TMM asserted and cored in racoon2 with this panic message:

panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.

Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

817085-1 : Multicast Flood Can Cause the Host TMM to Restart

Component: TMOS

Symptoms:
A vCMP host tmm is restarted.

Conditions:
The vCMP host is processing heavy multicast traffic.

Impact:
The host TMM restarts and traffic stops for the guests.

Workaround:
An adjustment to the scheduling can be made by this setting of the vCMP Host configuration:

# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm

The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.

---

816205-1 : IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side

Component: Local Traffic Manager

Symptoms:
ICMP protocol 50 unreachable messages are not forwarded from the server-side to the client-side when a SNAT Virtual Server handles ESP flows that are not encapsulated in UDP port 4500 (RFC 3948). Other ICMP messages related to the server-side ESP flow may be similarly affected.

Conditions:
-- BIG-IP system is forwarding ESP (protocol 50) packets.
-- Virtual Server is configured with a SNAT pool or automap.
-- The server-side IPsec peer sends ICMP protocol errors in response to the ESP packets.

Impact:
ICMP packets arriving on the server-side are not forwarded to the client-side.

Workaround:
Option 1:
-- Enable NAT Detection (RFC 3947) on the IPsec peers.

NOTE: NAT Detection (RFC 3947) is the correct way to implement IPsec peers when network address translation occurs between the two IPsec peers.

Option 2:
-- Remove NAT from the Virtual Server.
-- Set the following sys db values:

# tmsh modify sys db ipsec.lookupip value "enable"
# tmsh modify sys db ipsec.lookupspi value "disable"

NOTE: The sys db settings in option 2 do not resolve the ICMP issue if NAT is configured on the Virtual Server.

---

815753-5 : TMM leaks memory when explicit SWG is configured with Kerberos authentication

Component: Access Policy Manager

Symptoms:
Memory usage of filter keeps increasing over time and becomes one of major consumers of the TMM memory.

Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.

Impact:
TMM sweeper enters aggressive mode and reaps connections.

Workaround:
None.

---

815529-5 : MRF outbound messages are dropped in per-peer mode

Component: Service Provider

Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.

Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.

Impact:
Outbound traffic with the same destination address may be dropped at random.

Workaround:
Change the peer connection mode to 'Per TMM'.

---

815405-2 : GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)

Component: Local Traffic Manager

Symptoms:
Child FastL4 profile is being reset after clicking Update from GUI.

Conditions:
-- Create child SSL FastL4, profile inheriting settings from a parent FastL4 profile.
-- From the command line, change any of the CLI-only visible settings in the child FastL4 profile (e.g., pva-acceleration, explicit-flow-migration, etc.), and save the changes.
-- In the GUI, click the Update button in the child FastL4 profile without making any change.

Impact:
The operation overwrites the CLI changes made in the child profile, and inherits those values from the parent settings instead.

Workaround:
None.

---

815089-6 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations

Component: Local Traffic Manager

Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.

Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.

Impact:
An invalid configuration is allowed.

Workaround:
None.

---

814941-2 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit

Component: Policy Enforcement Manager

Symptoms:
PEM subscriber create fails, usually seen across multiple high availability (HA) failover events

Conditions:
When the aggregate subscriber create reaches the maximum subscriber limit per tmm which is configured using sys db, sys db statemirror.mirrorsessions

Impact:
Unable to bringup any more subscribers

Workaround:
Restart tmm when the limits are reached

---

814353-1 : Pool member silently changed to user-disabled from monitor-disabled

Component: TMOS

Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:

'Available (Disabled) pool members is available, monitor disabled'.

To:

'Available (Disabled), pool member is available, user disabled'.

Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.

Impact:
Pool member goes to 'user-disabled'.

Workaround:
To recover, re-enable the pool member.

---

814097-5 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.

Component: Service Provider

Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.

Conditions:
Converting the transport of SIP messages with the Generic Message router.

Impact:
Any code that waits for the SERVER_CONNECTED event will not run.

---

814053-1 : Under heavy load, bcm56xxd can be killed by the watchdog

Component: TMOS

Symptoms:
bcm56xxd crashes, and the device fails over on heartbeat error:

warning sod[7244]: 01140029:4: HA daemon_heartbeat bcm56xxd fails action is restart.
notice sod[7244]: 010c006c:5: proc stat: [0] pid:12482 comm:(bcm56xxd) state:S utime:16612520 stime:879057 cutime:11 cstime:21 starttime:1601425044 vsize:2189299712 rss:527927 wchan:18446744073709551615 blkio_ticks:0 [-1] pid:12482 comm:(bcm56xxd) state:S

Conditions:
-- HA configured.
-- Programming the DAG while it is under heavy load (i.e., a large number of objects that have to be programmed into the switches).

Impact:
The bcm56xxd daemon may restart and produce a core file. It then continues trying to program the DAG.

This causes a system to go offline and stop processing traffic.

Workaround:
None.

---

814037-3 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.

---

813701-1 : Proxy ARP failure

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.

---

813165 : P2P failure on BIG-IP system while connecting with Cisco router

Component: TMOS

Symptoms:
P2P connection is stuck when AFM basic firewall is enabled.

Conditions:
The db variable tm.fw.defaultaction is set to drop/reject. (The default is 'accept'.)

Impact:
The BIG-IP system cannot establish a connection with Cisco in P2P configurations.

Workaround:
Set the value of tm.fw.defaultaction to 'allow':

tmsh modify sys db tm.fw.defaultaction value allow

---

812949 : P2P failure while connecting with Cisco router when firewall is enabled.

Component: Local Traffic Manager

Symptoms:
When P2P is configured and a firewall policy is set, OSPF status is set to 'exstart' when AFM is provisioned and tm.fw.defaultaction is set to 'drop'/'reject'.

Conditions:
P2P is configured and a firewall policy is set.

Impact:
OSPFv3 does not work.

Workaround:
Set tm.fw.defaultaction to allow:

tmsh modify sys db tm.fw.defaultaction value allow

---

812493-6 : When engineID is reconfigured, snmp and alert daemons must be restarted★

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd

---

811745-5 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.

---

811053-5 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.

---

811041-2 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf

Component: TMOS

Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.

Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.

Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.

Workaround:
None.

---

810593-5 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★

Solution Article: K10963690

Component: TMOS

Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.

Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.

Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.

Workaround:
There is no workaround. You must upgrade the VCMP host to a fixed version, for example, 15.1.0.

---

810533-6 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile

Component: Local Traffic Manager

Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.

Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.

Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.

Workaround:
Specify a valid server name in the server name field of the client SSL profile.

---

810381-5 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

---

809657-5 : HA Group score not computed correctly for an unmonitored pool when mcpd starts

Component: TMOS

Symptoms:
When mcpd starts up, unmonitored pools in an high availability (HA) group do not contribute to the HA group's score.

Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).

Impact:
Incorrect HA Group score.

Workaround:
Remove the unmonitored pools from the HA group and re-add them.

---

809509-3 : Resource Admin User unable to download UCS using Rest API.

Component: TMOS

Symptoms:
Resource Admin User cannot download UCS file using REST API. The system returns a message:
Authorization failed

Conditions:
-- BIG-IP user with Resource Administrator role.
-- Try to Download UCS file using REST API.

Impact:
Resource Administrator user cannot download UCS file using REST API.

Workaround:
The Resource Administrator user can use the GUI to download the file.

---

808481-2 : Hertfordshire county missing from GTM Region list

Component: TMOS

Symptoms:
Hertfordshire county is missing from Regions in the United Kingdom Country/State list.

Conditions:
-- Creating a GTM region record.
-- Attempting to select Hertfordshire county for the United Kingdom.

Impact:
Cannot select Hertfordshire county from United Kingdom Country/State list.

Workaround:
None.

---

808277-1 : Root's crontab file may become empty

Component: TMOS

Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.

Conditions:
Low disk space on the /var filesystem.

Impact:
System and user entries in root's crontab file stop executing.

Workaround:
None.

---

807857-2 : TMM can leak memory under specific traffic and iRule configurations.

Component: Local Traffic Manager

Symptoms:
-- TMM leaks memory in the 'bigip_connection' component.
-- Depending on the specific iRule configuration, other components, such as 'tcl' and 'tclrule_pcb', may also leak.
-- A 'double flow removal Oops' message may be visible in the tmm and ltm log files.
-- 'TCL error' messages may be visible in the ltm log file.

Conditions:
This issue is known to occur only under rare circumstances in conjunction with specific traffic and iRule configurations.

Impact:
After a prolonged amount of time spent leaking memory, TMM may not be able to fulfil new memory allocations and crash. This results in a traffic interruption, a core file, and a failover on redundant units. Traffic disrupted while TMM restarts.

Workaround:
None.

---

806937 : CPM policy stops matching after adding rule

Component: Local Traffic Manager

Symptoms:
LTM Centralized Policy Matching (CPM) policy conditions stop matching some traffic.

Conditions:
-- Very specific LTM policy configuration.

-- Adding a matching rule.

For this case, an example scenario might involve a rule with two conditions and two actions. The two conditions check for one of two HTTP hosts, and checking that the HTTP URI path starts with some substring. The two actions are typically disabling server SSL, and forwarding to a specific pool. The last rule is called DropAll and matches all traffic.

Impact:
This might cause the policy to stop matching for nearly all rules, including the rule that check for 'All Traffic'.

Workaround:
None.

---

806905 : TMM may crash when using AFM with sPVA and DoS vectors enabled

Component: Advanced Firewall Manager

Symptoms:
TMM may crash when using AFM/sPVA with Network and DNS Security vectors.

Conditions:
AFM is configured with hardware DoS (sPVA) enabled, along with Network and DNS security vectors.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
-- Use only DNS security vectors.
-- Disable hardware DoS (sPVA):
tmsh modify sys db dos.forceswdos value true

---

806881-4 : Loading the configuration may not set the virtual server enabled status correctly

Component: TMOS

Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.

Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.

Impact:
Virtual servers unexpectedly process traffic.

Workaround:
Manually re-enable and disable the virtual address.

---

806073-6 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.

---

805325-5 : tmsh help text contains a reference to bigpipe, which is no longer supported

Component: TMOS

Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.

Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.

Impact:
Incorrect reference to bigpipe.

Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }

---

804477-1 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

---

804313-5 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None

---

803833-1 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★

Component: TMOS

Symptoms:
An upgrade or UCS restore fails on the host with an error message:

err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.

Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.

Impact:
The upgrade or UCS restore fails with an MCPD error.

Workaround:
Comment out the sym-unit-key field and load the configuration.

---

803629-5 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.

---

803237-6 : PVA does not validate interface MTU when setting MSS

Component: TMOS

Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.

Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.

Impact:
TCP segments larger than the local interface MTU sent towards the client. These TCP segments are transmitted as IP fragments.

Workaround:
Increase MTU size.

---

802493-1 : Hardware syncookies on some hardware platforms may retrieve the wrong mss

Component: TMOS

Symptoms:
When hardware syncookie is activated, the system may retrieve the wrong MSS (TCP maximum segment size) value for the flow. This impacts all BIG-IP hardware platforms except BIG-IP 2000/4000.

Conditions:
-- Using any BIG-IP platform except BIG-IP 2000/4000.
-- Hardware syncookies used.

Impact:
Connection failures and/or excessive TCP segment retransmissions.

Workaround:
Use software syncookies and disable hardware syncookie protection.

---

801705-1 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.

---

801549-5 : Persist records do not expire properly if mirroring is configured incorrectly

Component: Local Traffic Manager

Symptoms:
-- TMM memory growth with improper high availability (HA) configuration.
-- New connections may be routed to the wrong pool member due to outdated persist records.

Conditions:
- The device mirror-ip is not configured properly, along with either of the following:
  + Persistence mirroring is configured.
  + Connection mirroring of a virtual server with a persistence profile.

Impact:
-- Connection limits due to memory tmm memory pressure or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.

Workaround:
- Properly configure the cm device mirror-ip and/or mirror-secondary-ip. After doing this, the memory utilization should drop.

- Disable mirroring on the persistence profiles and/or virtual servers. After doing this, the memory utilization will not drop until tmm is restarted.

---

801541-4 : Persist records do not expire properly if HA peer is unavailable

Component: Local Traffic Manager

Symptoms:
-- TMM memory utilization growth due to persist records not expiring.
-- New connections may be routed to the wrong pool member due to outdated persist records.

Conditions:
The next-active device in the high availability (HA) configuration is down, and either of the following:
-- Persistence mirroring is configured.
-- Connection mirroring of a virtual server with a persistence profile is configured.

Impact:
-- Connection limits due to memory tmm memory pressure or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.
-- If tmm out-of-memory failure occurs, traffic disrupted while tmm restarts.

Workaround:
Disable persistence and/or connection mirroring if the standby device will be down for an extended period of time.

---

801329 : When OneConnect profile is used, pool selection might be pinned to one pool

Component: Local Traffic Manager

Symptoms:
Pool selection is pinned to one pool.

Conditions:
-- OneConnect profile is used on a virtual server that is passing traffic.
-- The pool for the virtual server is changed.

Impact:
Traffic is not distributed to the other pool.

Workaround:
None.

---

799657-1 : Name validation missing control characters for some GTM objects

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, big3d fails to mark the resource up due to XML parsing error.

The following GTM objects are susceptible to this control character issue:
- gtm datacenter
- gtm prober-pool
- gtm device
- gtm application
- gtm region entry
- gtm virtual server
- gtm server
- gtm link
- gtm pool

Conditions:
A GTM object with a control character in the name.

Impact:
The resource whose name having those control characters will not be marked up with big3d error messages:

warning big3d[5729]: 012b2004:4: XML parsing error not well-formed (invalid token) at line 21.

Workaround:
Remove control characters prior to creating GTM objects.

---

799001-6 : Sflow agent does not handle disconnect from SNMPD manager correctly

Component: TMOS

Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.

Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.

Impact:
Snmpd service restarts repeatedly

Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.

---

797949-1 : PEM::subscriber delete can leak a connection

Component: Policy Enforcement Manager

Symptoms:
Using the PEM::subscriber delete iRule command can lead to a leaked connection.

Conditions:
PEM::subscriber delete is used.

Impact:
Connections which cannot be freed.

Workaround:
None.

---

797829-2 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

---

797813-1 : TMM memory grows on custom bot signature with empty domain

Component: Application Security Manager

Symptoms:
The TMM memory of type 'mco db' can grow to its maximum, which can reach over a 1 GB of RAM, when creating a custom bot signature with an empty string.

Conditions:
Creating a custom DoS Bot Signature object with a domain name of an empty string ("").

Impact:
Unnecessary growth of TMM memory.

Workaround:
It is redundant and invalid to define a bot signature with an empty domain name. Removing the empty domain name from the signature and restarting tmm prevents this issue.

---

797277-1 : URL categorization fails when multiple segments present in URL path and belong to different categories.

Component: Traffic Classification Engine

Symptoms:
When a URL path contains multiple segments, where each segment belongs to a different URL category, the Webroot URL categorization engine does not store the results correctly and can return the wrong categories for these path segments.

Conditions:
-- URL path contains multiple segments(example: /abc/def/ghi)
-- Each segment belongs to a different URL category
   + abc: News
   + def: Search_Engine
-- URL categorization (Webroot) lookup results in cloud lookup (sending the query to Webroot remote server because of missing match in the local database).

Impact:
URL categorization does not categorize all of the segments in the path correctly when the query results in a cloud lookup to the Webroot BrightCloud server.

Workaround:
None.

---

797221-4 : BCM daemon can be killed by watchdog timeout during blade-to-blade failover

Component: TMOS

Symptoms:
The BCM daemon deletes entries from tables during blade to blade failover. If tables are very large, the entry-by-entry deletion may take too long, such that the daemon is restarted by the watchdog timeout.

Conditions:
Very large L2 tables during blade-to-blade failover.

Impact:
There is a BCM core file on the primary blade after the failover.

Workaround:
None.

---

795933-5 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.

Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.

Impact:
Incorrect stats.

---

795685-4 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer

Component: TMOS

Symptoms:
If the BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on the BIG-IP system causes bgpd to crash (running show ip bgp neighbor).

Conditions:
-- Receive a BGP notification for OUT_OF_RESOURCES from the BGP peer.
-- Run the 'show ip bgp neighbor' command to display the BGP peer information.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

---

794505-1 : OSPFv3 IPv4 address family route-map filtering does not work

Component: Local Traffic Manager

Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.

Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.

Impact:
All routes fail to propagate and show that the IPv6 OSPF database external is empty. All IPv4 routes are blocked to redistribute instead of the routes mentioned in the route-map/prefix-list.

Workaround:
None.

---

793669-3 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value

Component: Local Traffic Manager

Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.

Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover

Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.

Workaround:
None.

---

792285-4 : TMM crashes if the queuing message to all HSL pool members fails

Component: TMOS

Symptoms:
When a system uses a High Speed Logging (HSL) configuration with the HSL pool, TMM is crashing if the queuing message to all HSL pool members fails.

Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

---

792045-4 : Prevent WAM cache type change for small objects

Component: WebAccelerator

Symptoms:
Transfer stalls.

Conditions:
- AAM is provisioned.
- Small object cache is configured.
- Response is a few bytes less than the small object threshold.

Impact:
Transfer stalls.

Workaround:
None.

---

791061-4 : Config load in /Common removes routing protocols from other partitions

Component: TMOS

Symptoms:
While loading the /Common partition, config routing protocols on other partition route-domains will be removed.

Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.

Impact:
Routing protocols config from other partitions are removed.

Workaround:
Reload the config with the command:
load sys config partitions all

---

790949-5 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.

Component: Service Provider

Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.

For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535, and values outside that range are silently truncated to 16-bits and then 0 is treated according to the actual behavior described above.

Some documented and actual default values have changed across releases.

Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.

Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.

Impact:
Depending on the protocol, the limits might not take effect as configured.

Incorrect documentation and/or lack of validation could lead to configuring an invalid value.

Workaround:
None.

---

790113-5 : Cannot remove all wide IPs from GTM distributed application via iControl REST

Component: Global Traffic Manager (DNS)

Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:

modify gtm distributed-app da1 wideips delete { all }

There is no equivalent iControl REST operation to do this.

Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.

Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distribution application return an error, leaving you unable to complete the task via iControl REST.

Workaround:
You can use one of the following workarounds:

-- Use the WebUI.

-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }

-- Invoke tmsh from within the bash iControl REST endpoint, for exmaple:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash

---

789973 : Tmm crash while using IPsec

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- Passing IPsec traffic.
-- One of the BIG-IP IKEv2 peers is running version 12.x.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

788645 : BGP does not function on static interfaces with vlan names longer than 16 characters.

Component: TMOS

Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.

Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.

Impact:
BGP Dynamic Routing is not working.

Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.

---

788557-2 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.


In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.

---

787905-1 : Improve initializing TCP analytics for FastL4

Component: Local Traffic Manager

Symptoms:
TCP analytics for FastL4 might stay uninitialized under specific circumstances.

Conditions:
System clock advances while initializing TCP analytics for FastL4.

Impact:
TCP analytics for FastL4 might stay uninitialized for a while and miss some analytics data.

Workaround:
N/A

---

786517-6 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.

---

785605-1 : Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group

Component: Traffic Classification Engine

Symptoms:
If Feed List is created on Standby unit, it will not be synchronized to other units in Traffic Group, and will become unusable.

Conditions:
-- Create Feed List on a Standby unit.
-- Attempt to use URLCAT with Custom DB.

Impact:
URL Categorization based on Custom DB does not work.

Workaround:
Create Feed List on the Active unit and synchronize to Standby.

---

785529-4 : ASM unable to handle ICAP responses which length is greater then 10K

Component: Application Security Manager

Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives to the ASM enforcer and then forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater then 10 KB) response.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.

Impact:
ASM drops ICAP and HTTP connections.

Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.

---

785509 : Modifying fields such as chain, trusted certificate authorities in client SSL profile, and/or chain in cert-key-chain belonging to the same client SSL profile might not be reflected in TMM

Component: Local Traffic Manager

Symptoms:
Modifying fields such as chain, trusted certificate authorities, and others, in client SSL profile, or chain in cert-key-chain belonging to the same client SSL profile, might not be reflected in TMM.

Conditions:
Modifying fields such as chain, trusted certificate authorities in client SSL profile or chain in cert-key-chain belonging to the same client SSL profile.

Impact:
Even after modifying trusted certificate authorities, chain, or other fields, those changes might not be reflected in the actual configuration in TMM.

Workaround:
Following workarounds may be applied:

1. Update the client SSL profile again.
2. Restart TMM.
3. Restart mcpd.

---

784337 : False positive header related violation

Component: Application Security Manager

Symptoms:
The system reports a false-positive, header-related violation.

Conditions:
-- A custom header is added to the system.
-- A header related violation is turned on.

Impact:
The system reports a false-positive violation.

Workaround:
None.

---

783985 : Grub boot entries not updated on i2600 from iControl SOAP set_boot_location call★

Component: TMOS

Symptoms:
After calling iControl SOAP System::SoftwareManagement::set_boot_location, the switchboot information correctly shows that the volume should be changed, but grub still shows the current active volume to be unchanged. Upon reboot, the system boots into the unchanged default volume.

The system records the following when the iControl call is made/var/log/messages :

warning grub_default: unkeyed boot entry found (BIG-IP 12.1.2 Build 0.0.249 <HD1.1>); assigning st.u0
M

Conditions:
This occurs on BIG-IP iSeries platforms:
1. iControl SOAP system::SoftwareManagement::set_boot_location
2. Check grub_default -l

Impact:
Unable to upgrade systems via iControl SOAP due to the inability to reboot into the newly installed software.

Workaround:
The following iControlREST call works correctly:

curl -k -u<username>:<passwd> https://<IP-addr>/mgmt/tm/sys -X POST -H "Content-type: application/json" -d '{"command":"reboot", "volume":"<volume>"}'
{"kind":"tm:sys:rebootstate","command":"reboot","volume":"<volume>"}

---

783145-1 : Pool gets disabled when one of its pool member with monitor session is disabled

Component: Local Traffic Manager

Symptoms:
A pool which has at least two pool members and one of its pool members associated with a monitor is disabled, the entire pool gets marked disabled-by-parent.

Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.

Impact:
The pool status for the entire pool is marked disabled-by-parent.

Workaround:
None.

---

782613-2 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp

Component: TMOS

Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.

Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.

Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.

Workaround:
None.

---

781829-3 : GTM TCP monitor does not check the RECV string if server response string not ending with \n

Component: Global Traffic Manager (DNS)

Symptoms:
GTM TCP monitor marks resource down.

Conditions:
TCP server respond string not ending with '\n'.

Impact:
Available resources are marked down.

Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.

If the TCP server can not be changed (for example if it produces binary output), it may be possible to create an external gtm monitor instead.

---

781753-4 : WebSocket traffic is transmitted with unknown opcodes

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.

Conditions:
A request logging profile is configured on a WebSocket virtual server.

Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.

-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.

Workaround:
Remove the request logging profile.

---

781605-2 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
False positive or false negative attack signature match on multipart payload.

Conditions:
Very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A

---

781485-1 : PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition

Component: Policy Enforcement Manager

Symptoms:
PEM spm_local_cache could get leaked on the STANDBY chassis.

Conditions:
-- If the high availability (HA) cluster switches to ACTIVE-ACTIVE mode during its lifetime.
-- PEM running in a Traffic-group configuration.

Impact:
Memory on the STANDBY chassis get leaked.

Workaround:
None.

---

781041-5 : SIP monitor in non default route domain is not working.

Component: Local Traffic Manager

Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available. This may be intermittent depending on which device is assigned to do the monitoring.

Conditions:
- SIP pool members in non default route domain.
- Probing device attempts to probe from anything other than route domain 0.

Impact:
SIP service unavailable.

---

781021-4 : ASM modifies cookie header causing it to be non-compliant with RFC6265

Component: Application Security Manager

Symptoms:
When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects:
-- No space after the semicolon
-- A cookie with no value is sent without the equals sign

Conditions:
-- ASM Security Policy is used.
-- Request includes an ASM cookie.

Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false

---

780437-5 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.

---

777993-4 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same

Component: TMOS

Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.

Conditions:
This happens on BIG-IP hardware platforms with broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.

Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.

Workaround:
None.

---

776081 : The F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed values are not meaningful on a VE

Component: TMOS

Symptoms:
The MIB variable sysInterfaceMediaActiveSpeed is reported correctly on the BIG-IP hardware systems. However, on BIG-IP Virtual Edition (VE) configurations, the values are incorrectly reported. It may be reported as a 10 or as a 0 (zero), both of which are incorrect.

Conditions:
Querying the F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed variable on a VE-based BIG-IP running 12.x, or earlier, software.

Impact:
This may be confusing when looking at the sysInterface information with SNMP.

Workaround:
None.

---

775845-4 : Httpd fails to start after restarting the service using the iControl REST API

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd

---

773577-4 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted

Component: TMOS

Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.

Conditions:
security-name is the same as an SNMPv3 username.

Impact:
SNMP traps cannot be decoded

Workaround:
Delete or rename user.

---

773253-1 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.

---

772497-2 : When BIG-IP is configured to use a proxy server, updatecheck fails

Component: TMOS

Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.

Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.

Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.

Workaround:
You can use either of the following workarounds:

I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:

1. Locate the following section in the script:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
     SSL_hostname => $service_name,

2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,


II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
 # sed -e "s/PeerAddr => $service_ip,//" -i /usr/bin/updatecheck

---

772297-4 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.

Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.

---

772117-2 : Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card

Component: TMOS

Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.

An abandoned key appears similar to the following:

[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
        /Common/fffff.key

e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned

Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. high availability (HA) sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).

Impact:
It leads to orphan keys on the FIPS card, meaning that the keys are not present in the BIG-IP configuration as a configured key, so the key cannot be used by the BIG-IP system.

Workaround:
Manually delete the abandoned key from the FIPS card using the following command.

tmsh delete sys crypto fips key <key-id>

For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"

---

770953-5 : 'smbclient' executable does not work

Component: TMOS

Symptoms:
Service Message Block (SMB) monitor is not functional.

Conditions:
This occurs under all conditions.

Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.

Workaround:
None.

---

770741 : NIC Tx Engine hang causing ixgbevf interface (SR-IOV) flipping

Component: TMOS

Symptoms:
NIC Tx Engine hang is a rarely occurring issue for which there are no known scenarios. In cases in which it occurs, an adapter reset is required to recover the system without reboot. The driver is currently not resetting the adapter, and the issue remains until reboot of system.

Conditions:
-- Running BIG-IP Virtual Edition (VE).
-- No specific conditions. This is a rarely occurring issue.

Impact:
Traffic loss and overall system functionality is impacted, which sometimes it leads to kernel panic.

Workaround:
No known workaround. You must reboot VE could recover the interface to normal functioning.

---

769145-4 : Syncookie threshold warning is logged when the threshold is disabled

Component: TMOS

Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:

warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0

Conditions:
Setting connection.syncookies.threshold to zero.

Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.

Workaround:
None.

---

769029-3 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh

Component: TMOS

Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.

During the interval, if a non-admin accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequently non-admin user logons.

Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.

Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:

01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.

After some time this /var/system/tmp/tmsh permission is updated automatically.

Workaround:
To prevent this issue, run the following in one of two ways:

-- As root user in bash shell.
-- As a cronjob running in a per-case frequency.

root@bigip# export TARGET=/var/system/tmp/tmsh; [ ! -d $TARGET ] && mkdir -p $TARGET; chmod 1777 $TARGET; unset TARGET

---

768085-1 : Error in python script /usr/libexec/iAppsLX_save_pre line 79

Component: iApp Technology

Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"

Conditions:
This can be encountered while trying to create a UCS file.

Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.

Workaround:
None.

---

767989-1 : DNSSEC RRSIG Inception Offset

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNSSEC key is used to generate an RRSIG record for the first time, the inception time of the record is set to the current BIG-IP system time. If the system that validates that signed DNS response has a clock skew towards the past relative to the BIG-IP system, then that system will see the RRSIG as if it was generated for a future timestamp and is not yet valid.

Conditions:
-- DNSSEC is used to sign responses for a particular DNS zone.
-- The clock of the validating resolver is running behind the clock of the BIG-IP system.

Impact:
This may cause validation of a DNSSEC response to fail if the validator finds that there are no valid RRSIG records signing the response.

Workaround:
None.

---

767613-4 : Restjavad can keep partially downloaded files open indefinitely

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.

---

767341-6 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.

Component: Local Traffic Manager

Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.

Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.

This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.

Filesystem error might be due to power loss, full disk or other reasons.

Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.

Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.

Another workaround is clean install, if possible/acceptable

---

767305-4 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried

Component: TMOS

Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:

No Such Instance currently exists at this OID

The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.

Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.

Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.

Workaround:
Restart all services together, i.e., running the command: bigstart restart.

Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.

If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:

bigstart restart

---

767045-6 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

766761-5 : Ant-server does not log requests that are excluded from scanning

Component: Access Policy Manager

Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.

Conditions:
Response or Request Analytics agent in the Per-Request Policy.

Impact:
These particular logs are not available.

Workaround:
None.

---

766593-3 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Component: Local Traffic Manager

Symptoms:
RESOLVE::lookup returns empty string.

Conditions:
Input bytes array is at length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLVE::lookup returns empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]

---

765969-4 : HSB register dump missing from hsb_snapshot

Component: TMOS

Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table

This issue also occurs on iSeries i15xxx.

Conditions:
When vCMP is provisioned on VIPRION B4450 blades or on the iSeries i15xxx platforms.

Impact:
HSB register dump is not available in hsb_snapshot or qkview for diagnostic purpose.

Workaround:
None.

---

764873-5 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only

---

764373-5 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.

---

763197-1 : Flows not mirrored on wildcard Virtual Server with opaque VLAN group

Component: Local Traffic Manager

Symptoms:
In an high availability (HA) configuration using an opaque VLAN group and a default (wildcard, 0.0.0.0/0) virtual server configured for connection mirroring, the standby device does not create the mirrored connection.

Conditions:
-- VLAN group configured and set to opaque.
-- db vlangroup.forwarding.override is set to 'disable'.
-- Default virtual server configured for all ports (destination 0.0.0.0/0 :0) with connection mirroring.

Impact:
In the event of a failover, connections that are expected to be mirrored will fail, which can cause traffic loss and client disruption.

Workaround:
None.

---

761981 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors

Component: TMOS

Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.

If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example:

snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0.
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).

Conditions:
Custom SNMP v3 users created and exist in /config/net-snmp/snmpd.conf 'zeroed out' data:

Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x):

  usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x

Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data.

For example this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:

  snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0.
  
  snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).

Workaround:
Use tmsh to configure SNMP users.

---

761913-1 : iRule checksum created in GUI might cause config load failure in tmsh

Component: Local Traffic Manager

Symptoms:
tmsh config load may fail and issue the message indicating mismatching checksum, similar to the following:

01071493:3: iRule (/Common/pool_select_rule) content does not match the checksum.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Select a new or existing iRule on the Local Traffic :: iRules :: iRules List page, and click 'Add Checksum".

-- SSH into the BIG-IP system and run the following command:
   tmsh load sys config

Impact:
tmsh config load fails.

Workaround:
Do not add checksums to iRules you create in the GUI.

---

761869-2 : WMI monitor may return negative values

Component: Local Traffic Manager

Symptoms:
Incorrect or unexpected load balancing results.

If you have enabled snmp.snmpdca.log then you will see negative values logged to /shared/tmp/WMIHttpAgent.log

Conditions:
-- Load Balancing Method is set to either Dynamic Ratio (member) or Dynamic Ratio (node)
-- Metric monitored on server returns very large value

For example: when monitored server has more then 4GB memory allocated

Impact:
WMI monitor returns negative value and incorrect Dynamic Ratio score is calculated.

---

761833 : PostgreSQL database disk usage over 2 GB without AFM provisioned

Component: TMOS

Symptoms:
PostgreSQL uses a large amount of disk when AFM is licensed.

Conditions:
AFM being licensed but not in use.

Impact:
Increase in database file size.

Workaround:
Follow the procedure to dump/load the database.

The dump-load procedure used as follows:

1. pg_dumpall -U postgres |gzip -1v >/shared/tmp/pgdump$(date +%s).gz
2. bigstart stop pgadmind
3. rm -rf /var/local/pgsql/
4. bigstart start pgadmind
5. sleep 3; while pidof initdb; do sleep 1; done; sleep 3
6. zcat /shared/tmp/pgdump$(date +%s).gz|psql -U postgres template1
7. bigstart restart pgadmind

---

761477-4 : Client authentication performance when large CRL is used

Component: Local Traffic Manager

Symptoms:
Search for revoked certificate is done serially on the BIG-IP system. This causes performance impact when a large CRL (e.g., one with ~60K entries) is used.

Conditions:
-- Client authentication configured with a CRL containing a large number of entries (~60K).
-- Associated with virtual server.
-- Client connection requests arrive to be authenticated.

Impact:
CRL checking spikes up TMM CPU usage. Performance may be impacted.

Workaround:
None.

---

761091 : Missing charset specification in response page after upgrade

Component: Application Security Manager

Symptoms:
Blocking response pages are missing charset specification after upgrade, and appear garbled for non-UTF-8 policies.

Conditions:
-- A blocking response page is configured with non-UTF-8 characters.
-- ASM is upgraded.

Impact:
Blocking response pages appear garbled.

Workaround:
To workaround this issue, follow this procedure:

1. Change the policy to transparent and save.
2. Change it back to blocking and save.
4. Apply policy.

Now the response page now appears correctly.

---

761084-2 : Custom monitor fields appear editable for Auditor, Operator, or Guest

Component: TMOS

Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.

Conditions:
You can experience this issue by following these steps:

1. Create custom monitor (e.g., http, mysql, tcp).
2. Use FireFox browser to logon to the BIG-IP system Configuration utility with a user role that is Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.

Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest. user can edit the fields, the Update button is still grayed out, so any entry is not saved.

Workaround:
None.

---

760974-2 : TMM SIGABRT while evaluating access policy

Component: Access Policy Manager

Symptoms:
TMM cores while evaluating access policy.

Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an iRule similar to the following:

when ACCESS_POLICY_COMPLETED {
    set res [ACCESS::session data get "session.policy.result"]

    if {[string compare $res "in_progress"] == 0} {
     log local0.notice "rejecting"
      reject
    }
    log local0.notice "result :$res"
}

---

760949-1 : Empty hostname in remote log after modification

Component: Application Security Manager

Symptoms:
The hostname is empty in ASM remote log after certain modifications to hostname.

Conditions:
Device hostname is modified such that the new value precedes the old value alphabetically.

Impact:
The hostname is empty in ASM remote log.

Workaround:
Restart ASM after modifying hostname.

---

760932-5 : Part of audit log messages are also in other logs when strings are long

Component: TMOS

Symptoms:
Parts of audit logs are found also in other logs like /var/log/user.log and /var/log/messages.

Conditions:
-- When audit log message strings are long.

Impact:
Log messages are duplicated. There is no indication of system functionality, and you can safely ignore them.

Workaround:
Modify the syslog-ng maximum length of incoming log messages from 8192 to 16384 bytes:

tmsh modify sys syslog include "options { log-msg-size(16384); };"

---

760683-3 : RST from non-floating self-ip may use floating self-ip source mac-address

Component: Local Traffic Manager

Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.

Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.

Impact:
An L2 switch may update the fwd table incorrectly.

Workaround:
None.

---

760615-5 : Virtual Server discovery may not work after a GTM device is removed from the sync group

Component: Global Traffic Manager (DNS)

Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.

Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.

-- Those devices remain present in the GTM configuration as 'gtm server' objects.

-- iQuery is connected to those members.

Impact:
Virtual servers are not discovered or added automatically.

Workaround:
You can use either of the following workarounds:

-- Manually add the desired GTM server virtual servers.

-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.

---

760518-2 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement

Component: Policy Enforcement Manager

Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.

Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set

Impact:
Some PEM actions such as http-redirect do not perform as expected.

Workaround:
Set the DSCP to the default value

---

760406-6 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync

Component: Local Traffic Manager

Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.

Conditions:
This might occur in either of the following scenarios:

Scenario 1
-- Manual sync operations are performed during while traffic is being passed.
-- SSL Connection mirroring is enabled.


Scenario 2
-- Saving configuration on an HA Standby node during while traffic is being passed.
-- SSL Connection mirroring is enabled.

Impact:
-- In Scenario 1, the sync operations causes the session cache to be out-of-sync between active and standby nodes.

-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.

In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.

-- The HA system performance becomes degraded due to SSL connection timeout.

Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.

-- Set device management sync type to Automatic with incremental sync.

---

760259-1 : Qkview silently fails to capture qkviews from other blades

Component: TMOS

Symptoms:
When capturing a qkview on a chassis, there are no warnings provided if the qkview utility is run to gather a qkview from other blades.

Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.

-- Execute qkview on another blade, verify that no warnings or errors are produced.

Impact:
There is no warning that the qkview failed for a given blade.

Workaround:
There is no workaround other than running the qkview on the actual blade.

---

760222-4 : SCP fails unexpected when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.

---

760050-5 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.

---

759852-3 : SNMP configuration for trap destinations can cause a warning in the log

Component: TMOS

Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.

Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }

Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.

Workaround:
None.

---

759590-2 : Creation of RADIUS authentication fails with service types other than 'authenticate only'

Component: TMOS

Symptoms:
RADIUS authentication can only have an initial service type of 'authenticate only'.

Conditions:
This is encountered when configuring RADIUS authentication via the GUI.

Impact:
If you change the Service Type to anything except Authenticate Only (default), Authentication creation fails, and the following error appears in /var/log/webui.log:

01020066:3: The requested RADIUS Authentication Configuration (/Common/system-auth) already exists in partition Common.

Workaround:
After configuring RADIUS authentication with 'authenticate only' as the service type, go back and change the service type to the desired option.

---

759077-6 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.

---

759008 : DoSL7 site_severity always equals "1" in remote log

Component: Application Security Manager

Symptoms:
Log always shows site_severity as '1'.

Conditions:
- Enable DoSL7.
- Configure remote logger.
- Send traffic.

Impact:
Logged DoSL7 attack severity shows as '1'.

Workaround:
None.

---

758929-5 : Bcm56xxd MIIM bus access failure after TMM crash

Component: TMOS

Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure after a tmm crash. The system posts a message similar to the following in the ltm log:

info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)

Conditions:
-- Heavily stressed system
-- Using one of the following platforms:
  + VIPRION B2250 Blade (A112)
  + VIPRION B2150 Blade (A113)
  + VIPRION B4300 Blade (A108)
  + BIG-IP 5250v
  + BIG-IP i5820
  + BIG-IP i7800

Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA), failover occurs.

Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.

---

758772-5 : DNS Cache RRSET Evictions Stat not increasing

Component: Global Traffic Manager (DNS)

Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.

Conditions:
This occurs when the cache is full enough for records to be evicted.

Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.

Workaround:
None.

---

758520 : Deploying the f5_microsoft_exchange_2010_2013 template generates erroneous APM policy customization-group.

Component: iApp Technology

Symptoms:
There is an erroneously named APM policy customization-group after importing a BIG-IP system into BIG-IQ, where the BIG-IP system already has a deployed iApp based on the f5_microsoft_exchange_2010_2013 template:

[ERROR]... Missing cache path for Kind: tm:apm:policy:customization-group:templates:templatesstate, Object:
/Common/Exchange_2013_internal.APM.app/logon.inc.

Conditions:
-- The BIG-IP system has a deployed iApp based on the f5_microsoft_exchange_2010_2013 template (f5.microsoft_exchange_2010_2013_cas.v1.6.2).
-- Importing the BIG-IP system into the BIG-IQ for managing.

Impact:
The resulting configuration contains an incorrectly named APM policy customization-group.

For example, the group name is:
/Common/Exchange_2013_internal.APM.app/exch_custom_logon:logon.inc

The name should be:
/Common/Exchange_2013_internal.APM.app/exch_custom_logon_ag:logon.inc"

Specifically, the '_ag' suffix on the first part of the filename is missing.

Workaround:
You have two options:

-- Modify the bigip.conf file by searching to 'app-service /Common/Exchange_2013_internal.APM.app/Exchange_2013_internal.APM' and changing 'app:exch_custom_logon' to 'app:exch_custom_logon_ag'.

-- Upgrade to the latest Exchange iApp and iApp deployed to BIQ-IQ with version 6.1.0-0.0.1224.0.

---

758437-3 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.

---

758436-5 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.

---

758105 : Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml

Component: TMOS

Symptoms:
Below messages get logged to /var/log/messages
-- notice syslog-ng[15662]: Configuration reload request received, reloading configuration;
-- warning pendsect[31898]: skipping drive -- Model: WDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting

Conditions:
Using hardware containing drive model WDC WD1005FBYZ-01YCBB2.

Impact:
The system logs the messages because the drive model is not listed in /etc/pendsect/drives.xml.

Workaround:
Manually edit /etc/pendsect/drives.xml as follows:

1. Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml

2. Open the file and add the following at the end of the file, before default:

<snip>
         <WD1005FBYZ>
            <offset firmware="RR07">0</offset>
            <offset firmware="default">0</offset>
            <family> "wd_Gold"</family>
            <wd_name>"Gold"</wd_name>
         </WD1005FBYZ>
         <DEFAULT>
              <firmware version="default">
                     <offset>0</offset>
              </firmware>
              <name> "UNKNOWN"</name>
              <family> "UNKNOWN"</family>
              <wd_name>"UNKNOWN"</wd_name>
         </DEFAULT>
   </model>
  </drives>

3. Save and close the file.

4. Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml

5. Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect

---

758041-5 : Pool Members may not be updated accurately when multiple identical database monitors configured

Component: Local Traffic Manager

Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

---

757827-4 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.

-- DNS queries to resolve these FQDN names occur almost simultaneously.

-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configure FQDN name):

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }

---

757777-1 : bigtcp does not issue a RST in all circumstances

Component: Local Traffic Manager

Symptoms:
bigtcp does not issue a TCP reset, e.g. when using the iRule reject command on CLIENT_ACCEPTED

Conditions:
bigtcp in use, tcp connection, connection ungracefully shut down via a 'reject' command in an iRule

Impact:
TCP RST is not sent, and the SYN is silently dropped.

Workaround:
none

---

757709 : Routing daemon NSM cores if any of interface indexes of VLANs, Tunnels or VLAN Groups are identical to loopback and tmm interfaces of Route Domains where these VLANs, Tunnels or VLAN Groups are located

Component: TMOS

Symptoms:
Routing daemon NSM crashes and generates a core file, then the watchdog daemon, tmrouted notices that NSM is down and restarts it, then NSM crashes and generates a core file and everything starts all over again.

Conditions:
This very rare situation occurs when there is a BIG-IP system with the following routing configuration:

-- At least one Route Domain on a BIG-IP has the tmm and loopback interfaces generated (when Route Domain was created) in such way that one of their internal interface indexes (ifindex) is the same as the ifindex of the suspected object, in this example, it's a VLAN.

-- The suspected Route Domain has a routing protocol enabled.

-- The suspected object, VLAN, is added to the suspected Route Domain.

In general, this rarely occurring issue occurs in response to the way route domains and VLANs are organized on the BIG-IP system and how they interact with each other in NSM, and how a collision occurs.

Impact:
Routing Daemon NSM crashes and generates a core file.

Workaround:
Reboot the BIG-IP system.

If this does not resolve the issue, you must re-create all VLANs.

---

757510-4 : Class name mismatch is not caught

Component: Local Traffic Manager

Symptoms:
The datagroup referenced in irule is different from data group definition and the error is not caught at validation. During config load, you see this error:

01070151:3: Rule [/Common/myrule] error: Unable to find value_list

Conditions:
The datagroup referenced in an iRule is different from data group definition.

Impact:
The error is not caught at validation, and TMM errors out at run time.

Workaround:
Use the right name.

Note: The name is case sensitive.

---

757505-1 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket

Component: Local Traffic Manager

Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.

Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to `always'.
-- A session is restored using a ticket.

Impact:
The SSL client is validated only once, instead of each time.

Workaround:
Disable session ticket.

---

757464-4 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record

Component: Global Traffic Manager (DNS)

Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.

tmm crash

Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.

Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.

Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.

---

757441-1 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.

---

757407-3 : Error reading RRD file may induce processes to mutually wait for each other forever

Component: Local Traffic Manager

Symptoms:
If an error occurs while statsd is reading a file that contains performance data, certain control-plane processes may wait for each other indefinitely.

In some instances, error messages about files in the /var/rrd directory may appear in /var/log/ltm.

Conditions:
Errors occur when performance-monitoring processes attempt to read files in the BIG-IP's internal Round-Robin Database.

Impact:
Attempts to issue commands using "tmsh" may hang up.
No "qkview" datasets can be successfully generated.

Workaround:
If damaged data files in /var/rrd can be identified, delete them and run "bigstart restart statsd".

---

757029-5 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.

---

756830-3 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Component: TMOS

Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has following settings:

- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.

Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.

Workaround:
You can try either of the following:

-- Do not use the Source Port setting of 'Preserve Strict'.

-- Disable connection mirroring on the virtual server.

---

756812 : Nitrox 3 instruction/request logger may fail due to SELinux permission error

Component: Local Traffic Manager

Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.

The system posts messages in /var/log/ltm similar to the following:

-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.

Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.

Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.

Workaround:
None.

---

756714-4 : UIDs on /home directory are scrambled after upgrade★

Component: TMOS

Symptoms:
UIDs of /home/$USER files and /home file are scrambled after upgrade.

Conditions:
Upgrade from 12.1.3.7 to 13.1.0.8.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
None.

---

756647-4 : Global SNAT connections do not reset upon timeout.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not send reset packets when a connection times out.

Conditions:
BIG-IP configured with global SNAT.

Impact:
Client or server might unnecessarily keep the connection open.

Workaround:
You can use either of the following workarounds:

-- Use forwarding virtual server with snatpool instead of global SNAT.

-- Modify tmm_base.tcl as follows:
profile bigproto _bigproto {
    reset_on_timeout enable
}

---

756313-5 : SSL monitor continues to mark pool member down after restoring services

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
-- To restore the state of the member, remove it and add it back to the pool.

-- Remove !TLSv1 and -TLSv1 from the cipher string, if possible.

---

756311-2 : High CPU during erroneous deletion

Component: Policy Enforcement Manager

Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.

There might be messages similar to the following in tmm logs:

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557

Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.

Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy; traffic is not expected to have a significant impact. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.

Workaround:
Delete all subscribers from the CLI.

---

756177-3 : GTM marks pool members down across datacenters

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are marked down even though the monitored resource is available.

GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:

debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).

Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.

Impact:
Pool members are marked down.

Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.

---

755976-7 : ZebOS might miss kernel routes after mcpd deamon restart

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.

---

755791-5 : UDP monitor not behaving properly on different ICMP reject codes.

Component: Local Traffic Manager

Symptoms:
Unexpected or improper pool/node member status.

Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.

Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.

Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.

---

755631-4 : UDP / DNS monitor marking node down

Component: Local Traffic Manager

Symptoms:
The UDP / DNS monitor marks nodes down.

Conditions:
-- UDP or DNS monitor configured.
-- Interval is multiple of timeout.
-- The response is delayed by over one interval.

Impact:
Pool member is marked down.

Workaround:
Increase the interval to be greater than the response time of the server.

---

755630-3 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes

Component: Service Provider

Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.

Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.

Impact:
SIP calls fail to deliver media when high availability (HA) failover occurs.

Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.

---

755549 : TMM crash and core

Component: TMOS

Symptoms:
TMM crashes and generates a core file under unknown conditions.

Conditions:
The conditions required for this issue to occur are not well understood, but might be related to a MCP message handling failure (during virtual server creation) in an AAM with LTM configuration.

The issue might be related to an unsupported configuration, as follows:
The BIG-IP system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration, however. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both.

Impact:
TMM crash and core. Traffic disrupted while tmm restarts.

Workaround:
Correct the misconfiguration (specifically, OneConnect and iSession being mutually exclusive features), and try the operation again.

---

755311-4 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down

Component: Service Provider

Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.

Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.

Impact:
The remote server is not notified of the change in DIAMETER peer status.

Workaround:
None.

---

755250 : Clock advanced messages when modifying a virtual server with 1000 SSL profiles

Component: Local Traffic Manager

Symptoms:
The system posts clock advanced messages when modifying a virtual server. You might also experience an Active/Active situation because tmm might be too busy to send high availability (HA) packets. The messages appear similar to the following:

notice tmm1[12549]: 01010029:5: Clock advanced by 556 ticks

Conditions:
-- Virtual server has 1000 or more SSL profiles defined.
-- A client SSL profile gets its defaults from another profile.
-- You change the cipher settings in that other profile.

Impact:
The system logs clock advanced messages, and sod kills tmm when you run the following command: tmsh load sys config Traffic disrupted while tmm restarts.

Workaround:
To work around this, do the following:
-- Remove some of the SSL profiles from the virtual server.
-- Reset the cipher settings to default.

---

754901-4 : Frequent zone update notifications may cause TMM to restart

Component: Global Traffic Manager (DNS)

Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crash/restarts. There may also be 'clock advanced' messages in /var/log/ltm.

Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.

Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.

Workaround:
None.

---

754617-3 : iRule 'DIAMETER::avp read' command does not work with 'source' option

Component: Service Provider

Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.

The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".

Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.

Impact:
'DIAMETER::avp read' does not work with the 'source' option.

Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.

---

754604-1 : iRule : [string first] returns incorrect results when string2 contains null

Component: Local Traffic Manager

Symptoms:
In an iRule such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. Performing the same search in tclsh, the expected -1 (not found) result is returned.

Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.

Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.

Workaround:
None.

---

754330 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected

Component: Application Visibility and Reporting

Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.

Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and does not manage loading CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.

Impact:
Stats for AVR might not be loaded to the database within an expected interval.

Workaround:
None.

---

754201-3 : Windows Logon Integration throws Invalid Handle error

Component: Access Policy Manager

Symptoms:
Previously, with Windows Logon Integration, the network logon using dial-up connection failed with invalid handle error:
Connecting Error 6: The handle is invalid.

Conditions:
Windows Logon Integration is used for dial-up / establish VPN.

Impact:
APM end user cannot establish VPN tunnel via Windows Logon Integration.

Workaround:
None.

---

754132-1 : A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command

Component: TMOS

Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by a routing framework on a command: 'clear ip bgp <neighbor router-id> soft out'.

-- Enter to imi(Integrated Management Interface) shell.
[root@hostname:Active:Standalone] config # imish
hostname[0]>

-- Issue a command inside imish. 10.0.0.4 is neighbor BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out

Conditions:
-- There is a BIG-IP system with the following routing configuration:

imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
 bgp router-id 10.17.0.3
 bgp graceful-restart restart-time 120
 neighbor 10.17.0.4 remote-as 1
!

-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:

hostname[0]:sh ip ospf database
... <skip less important info>
                AS External Link States

Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0

The 'clear ip bgp 10.17.0.4 soft out' command is issued, and there is no NLRI with a default route generated. You can confirm that by running tcpdump and reading what is in the generated Link-state advertisement (LSA), messages or by watching OSPF debug logs.

Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.

Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.

Workaround:
There is no specific workaround for 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make routing protocol propagate a NLRI with a default route, you can do either of the following:

-- Remove the default route from advertised routes. This workaround is configuration-specific, so there there are no common steps.
  + If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
  + If you create a default route as a static route, recreate it.
  + And so on.

The idea is to remove a root of default route generation and then add it back.

-- Run a 'soft in' command from your neighbor. If a neighbor you want to propagate a NLRI is a BIG-IP device, or is capable of running this type of command, you can issue a imish command on the neighbor:

# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in

Note: This time, the 'soft in' command requests the NLRIs.

---

753860-2 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The old VADDR route should remove and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.

---

753526-4 : IP::addr iRule command does not allow single digit mask

Component: Local Traffic Manager

Symptoms:
When plain literal IP address and mask are used in IP::addr command, the validation fails if the mask is single digit.

Conditions:
The address mask is single digit.

Impact:
Validation fails.

Workaround:
Assign address/mask to a variable and use the variable in the command.

---

753501-4 : iRule commands (such as relate_server) do not work with MRP SIP

Component: Service Provider

Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.

Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.

Impact:
iRule commands such as relate_server cannot be used with MRF SIP.

Workaround:
None.

---

753423-3 : Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation

Component: TMOS

Symptoms:
Working-mbr-count not showing correct number of interfaces.

Conditions:
Slot got disabled and re-enabled immediately.

Impact:
Interfaces may be removed from an aggregation permanently.

Workaround:
Disable and re-enable the slot with time gap of one second.

---

753163-1 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Component: Policy Enforcement Manager

Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash

Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.

Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.

Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart

Note: Traffic disrupted while tmm restarts.

---

753001-4 : mcpd can be killed if the configuration contains a very high number of nested references

Component: TMOS

Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.

Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).

Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.

Workaround:
None.

---

752994-4 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod

Component: TMOS

Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.

Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.

Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no high availability (HA) configured).

Workaround:
None.

---

752530-4 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.

Component: Local Traffic Manager

Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.

Conditions:
This occurs when either of the following conditions are met:

-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.

Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.

Workaround:
None.

---

752334-4 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation

Component: Local Traffic Manager

Symptoms:
When Fast L4 receives out of order TCP packets, TCP analytics may compute wrong goodput value.

Conditions:
When FAST L4 receives out-of-order packets.

Impact:
Fast L4 reports an incorrect goodput value for the connection.

Workaround:
None.

---

752228-3 : GUI Network Map to account for objects in a Disabled By Parent state

Component: TMOS

Symptoms:
When an object has a Disabled By Parent state, it is counted in the Unknown status instead of evaluating its actual Availability status.

Conditions:
Viewing objects with Disabled By Parent state in Network Map.

Impact:
The status shown in the map and summary view does not reflect the correct status.

Workaround:
Use the object list views to filter by status to see the correct status.

---

752216-3 : DNS queries without the RD bit set may generate responses with the RD bit set

Solution Article: K33587043

Component: Global Traffic Manager (DNS)

Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.

Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.

Impact:
Some responses to DNS queries may include the RD bit, even thought the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.

Workaround:
None.

---

752078-3 : Header Field Value String Corruption

Component: Local Traffic Manager

Symptoms:
This is specific to HTTP/2.

In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.

Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.

Impact:
A header such as:
x-info: very_long_string that has whitespace characters

may be sent to the client as:
x-info: ery_long_string that has whitespace characters

Workaround:
None.

---

751710-1 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A

---

751427 : LTM policy rule condition does not match server-name in ssl-extension

Component: Local Traffic Manager

Symptoms:
An LTM policy that attempts to match the server name of an SSL extension does not get executed, even though the server name in the client hello packet is a match for the condition.

Conditions:
Using an LTM policy that has a rule which has a condition that attempts to match on the server name of the an SSL extension.

Impact:
The LTM policy is not executed.

Workaround:
An iRule may be used instead.

---

751409-4 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs

Component: TMOS

Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.

Errors like this may be seen in the ltm log:

err tmm1[29243]: 01010009:3: Failed to bind to address

Conditions:
Two (or more) virtual servers with the same address, port, and route domain, and have them overlap only in VLANs

Impact:
Traffic does not get routed properly.

Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.

---

751383-3 : Invalidation trigger parameter values are limited to 256 bytes

Component: WebAccelerator

Symptoms:
Invalidation trigger parameter values are limited to a internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.

Conditions:
-- AAM policy with invalidation trigger.
-- Invalidation trigger request with parameter value larger than 256 bytes.

Impact:
All content on target policy node is invalidated rather than the specific content targeted.

Workaround:
None.

---

751232 : LSN pool real-time stats are not persisted over reboot

Component: Carrier-Grade NAT

Symptoms:
After rebooting a VIPRION device or blade for which Port Block Allocation (PBA) is done, the PBA allocation is persisted, but the stats are not.

Conditions:
Reboot the VIPRION device or a blade

Impact:
LSN pool real-time stats are not persisted over reboot. The stats are not consistent with the connection DB.

Workaround:
There is no direct workaround, but you can make the stats consistent by deleting the PBA allocation or wait for it to age out of the LSN DB. Subsequent PBA allocations will be reflected correctly in the stats and will be consistent with the LSN DB.

---

751179-4 : MRF: Race condition may create to many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.

---

751024-1 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd

Component: TMOS

Symptoms:
Messages similar to the following appear in /var/log/ltm:

info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:

Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.

Impact:
Changes in optic state may be ignored while I2C bus is unavailable.

Workaround:
For each SFP, perform the following procedure:

1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.

Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.

---

751021-4 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.

---

750823-4 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which cause a TMM crash eventually.

Workaround:
Limit the amount of data that will be forwarded to APMD.

---

750649-3 : Windows Logon Integration does not work

Solution Article: K74214174

Component: Access Policy Manager

Symptoms:
Windows Logon Integration, the network logon using dial-up connection failed with error message and VPN could not be established:
Connecting - Error 1471: Unable to finish the requested operation because the specified process is not a GUI process.

Conditions:
Windows Logon Integration is used for dial-up / establish VPN.

Impact:
APM end user cannot establish a VPN tunnel via Windows Logon Integration.

Workaround:
None.

---

750631-3 : There may be a latency between session termination and deletion of its associated IP address mapping

Component: Access Policy Manager

Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.

Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.

Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy

---

750491-1 : PEM Once-Every content insertion action may insert more than once during an interval

Component: Policy Enforcement Manager

Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.

Conditions:
During re-evaluation to update the existing flow.

Impact:
More than expected Insert content action with Once-Every method of insert content action

Workaround:
None.

---

750490-1 : PEM content insertion action may insert more than once with Once-Every method

Component: Policy Enforcement Manager

Symptoms:
PEM content insertion action data is being reset even if there is no PEM policy update.

Conditions:
During re-evaluation to update the existing flow.

Impact:
More than expected Insert content action with Once-Every method of insert content action.

Workaround:
None.

---

750413 : UTF-8 character in subject of a certificate used for iQuery cannot be removed

Component: TMOS

Symptoms:
If certificate subject which is added to 'Trusted Device Certificates' or 'Trusted Server Certificates' contains UTF-8 characters, it cannot be removed via GUI or edited via TMSH. When removing such a certificate GUI posts the following error:

Key management library returned bad status: -2, Not Found.

Conditions:
-- Using a certificate with UTF-8 character in its subject.
-- The cert is in 'Trusted Device Certificates' or 'Trusted Server Certificates'.
-- Try to remove this certificate.

Impact:
Certificates from 'Trusted Device Certificates' or 'Trusted Server Certificates' are not editable via TMSH. The only way of removing them is to edit /config/big3d/client.crt or /config/gtm/server.crt

Workaround:
Edit /config/big3d/client.crt or /config/gtm/server.crt to remove the certificates containing the UTF-8 character in subject of a certificate.

---

750204-1 : Add support for P-521 curve in the X.509 chain to SSL LTM

Component: Local Traffic Manager

Symptoms:
SSL is unable to verify certificate signed with EC P-521 key.

Conditions:
N/A

Impact:
Client/server authentication (X.509 signature verification) will failed when using certificate signed with EC P-521 key.

Workaround:
Client/server has to use certificate signed with supported EC curve (P-256/P-384).

---

750200-4 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.

---

749603-4 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.

---

749528-4 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap

Component: Service Provider

Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.

Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.

Impact:
IVS traffic might not be routed properly.

Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.

---

749222-4 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.

Conditions:
When the DNS response is large enough so that dname redirects to an offset larger than 0x3f ff.

Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.

Workaround:
None.

---

748632 : APM Endpoint inspection fails on macOS Mojave

Component: Access Policy Manager

Symptoms:
When there are two or more endpoint checks that require OPSWAT libraries, the endpoint checks fail on macOS Mojave.

Conditions:
Access Policy profile with two or more endpoint checks such as AntVirus, Firewall, System Patch.

Impact:
Network Access (VPN) is denied.

---

748608 : IPsec / ESP traffic pinned to TMM 0 for SP-Dag on 4000s/4200v, 2000s/2200v platforms

Component: TMOS

Symptoms:
Traffic pinned to TMM 0 using Source/Destination Disaggregation (SP-DAG) on 4000s/4200v, 2000s/2200v platforms.

Conditions:
-- IPsec / ESP packets.
-- SP-DAG configured.
-- Using 4000s/4200v, 2000s/2200v platforms.

Impact:
Traffic disaggregation does not operate as expected. Traffic pinned to TMM 0.

Workaround:
None.

---

748333-3 : DHCP Relay does not retain client source IP address for chained relay mode

Component: Local Traffic Manager

Symptoms:
The second relay in a DHCP relay chain modifies the src-address. This is not correct.

Conditions:
Using DHCP chained relay mode.

Impact:
The src-address is changed when it should not be.

Workaround:
None.

---

748323 : It is possible for the archive.tm2 file to not get cleaned up

Component: TMOS

Symptoms:
The istats daemon maintains a file (/var/tmstat2/blade/archive.tm2) that is used to track the addition and deletion of dynamic statistics. It is possible for this file to grow so large that it causes the istats daemon to use too much CPU.

Conditions:
This rarely happens, but it is due to loss of state, such that stale statistics are maintained when they should have been deleted.

Impact:
The istats daemon can use too much of the control plane CPU in this error condition.

Workaround:
Remove the /var/tmstat2/archive.tm2 file. The system recovers after one cycle of processing the archive file.

---

748253-4 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.

Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.

Workaround:
To mitigate this issue:

1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).

---

748031-4 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule

Component: WebAccelerator

Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.

Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters

Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.

Workaround:
No workaround exists.

---

747995-1 : MBLB SIP dropping packets with unknown methods

Component: Service Provider

Symptoms:
Traffic sent to a MBLB SIP LB is dropped if the SIP method is unknown.

Conditions:
Packets encountered SIP methods not already known to the BIG-IP system.

Impact:
Packet is dropped.

Workaround:
None.

---

747905 : 'Illegal Query String Length' violation displays wrong length

Component: Application Security Manager

Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.

Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.

Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.

Workaround:
None.

---

747799-3 : 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile

Component: TMOS

Symptoms:
During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file.

This occurs as a result of an invalid configuration that can be created as a result of a bug (614675) that exists in 11.5.4-HF2 (and only in 11.5.4-HF2). Because of the bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:

 ltm profile client-ssl /Common/cssl {
     app-service none
     cert none
     cert-key-chain {
         "" { } <=============== empty cert-key-chain
         defualt_rsa_ckc { <==== typo: 'defualt'
             cert /Common/default.crt
             key /Common/default.key
         }
     }
     key none
 }

Note: This upgrade failure has an unique symptom: the typo 'defualt_rsa_ckc'. However, the name has no specific negative impact; the issue is with the empty cert-key-chain.

After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.

Conditions:
The issue occurs when all the following conditions are met:

-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.

Impact:
After upgrade, the configuration fails to load. The system posts an error message similar to the following:

-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.

Workaround:
You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2), or after the upgrade failure.

To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although there are no negative consequences of this typo, it is still a good idea.

The new profile should appear similar to the following:

   ltm profile client-ssl /Common/cssl {
       app-service none
       cert /Common/default.crt
       chain none
       cert-key-chain {
           default_rsa_ckc {
               cert /Common/default.crt
               key /Common/default.key
           }
       }
       key /Common/default.key
   }

---

747760 : Attack Signatures page: filter applied by another user may replace currently applied filter

Component: Application Security Manager

Symptoms:
If user switches between different policies in the Policy Attack Signature page, and at the same time another user changes Policy Attack Signature properties on the same page, after policy is changes - filter applied by second user is applied for the first user.

Conditions:
2 different users work on the Policy Attack Signature page simultaneously

Impact:
Incorrect filter applied at some scenarios, which may be confusing for user

---

747628-4 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.

Conditions:
-- The server side allows timestamps and the client side does not negotiate them.

-- The client-side MTU is lower than the server-side MTU.

-- There is no ICMP message on the client-side connection.

Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.

---

747337 : AAA CRLDP configurations configured using the 'No Server' option may be rendered incorrectly while using IE v11

Component: Access Policy Manager

Symptoms:
When a user tries to see a AAA CRLP server which has been configured with a 'No Server' option, the server connection shows up as Direct when it is in fact 'No Server'. This is not the case in other browsers, such as Google Chrome v69 or Mozilla Firefox v57. They show the configured object value correctly for the AAA CRLP Server, which is 'No Server'.

Conditions:
Using the Microsoft Internet Explorer (IE) browser v11.

Impact:
Inaccurate configuration information shown for the server connection.

Workaround:
Use Firefox version 57 or Chrome version 69.

Alternatively, view the correct value using the following tmsh command:
tmsh list apm aaa crldp all-properties

---

747234-3 : Macro policy does not find corresponding access-profile directly

Component: Access Policy Manager

Symptoms:
The discovery task runs but does not apply the 'Access Access Policy' for the access policy for which the Provider is configured.

Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.

Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.

Workaround:
Apply the Access Policy manually after auto-discovery.

---

747077-2 : Potential crash in TMM when updating pool members

Component: Local Traffic Manager

Symptoms:
In very rare cases, TMM can crash while updating pool members.

Conditions:
The conditions that lead to this are not known.

Impact:
TMM crashes, which can cause a failover or outage.

Workaround:
There is no workaround.

---

747065-1 : PEM iRule burst of session ADDs leads to missing sessions

Component: Policy Enforcement Manager

Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.

Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.

Impact:
Policies available in the missing session cannot be accessed.

Workaround:
Add a delay of at least a few milliseconds between adding multiple session with same subscriber-id and IP address.

---

746984-2 : False positive evasion violation

Component: Application Security Manager

Symptoms:
When Referer header contains a backslash character ('\') in query string portion, 'IIS backslashes' evasion technique violation is raised.

Conditions:
-- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
-- Referer header contains a backslash character ('\') in query string part.

Impact:
False positive evasion technique violation is raised for Referer header.

Workaround:
Turn off 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property on the HTTP Header Properties screen.

---

746771-2 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage increases due to excessive config snapshots being created.

Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.

---

746758-5 : Qkview produces core file if interrupted while exiting

Component: TMOS

Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.

Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.

Impact:
A core file is produced.

Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.

---

746731-4 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}

---

746682 : ASM unable to display *any* event logs, unless they are searched for by support ID

Component: Application Security Manager

Symptoms:
After an upgrade, ASM is unable to display *any* event logs, unless they are searched for by support ID.

Conditions:
Either the numerical value returned from this query:
   mysql> SELECT request_log_id FROM PRX.REQUEST_LOG_CLEARED;

Or the numerical value returned from this query:
   mysql> SELECT MAX(request_log_id) FROM PRX.REQUEST_LOG_PROPERTIES WHERE flg_is_deleted = 1;

Are larger than the numerical value returned from this query:
   mysql> SELECT MAX(id) FROM PRX.REQUEST_LOG;

Impact:
ASM is unable to display *any* event logs, unless they are searched for by support ID.

Workaround:
mysql> UPDATE PRX.REQUEST_LOG_CLEARED SET PRX.REQUEST_LOG_CLEARED.request_log_id = (SELECT MAX(PRX.REQUEST_LOG.id) FROM PRX.REQUEST_LOG);

mysql> DELETE FROM PRX.REQUEST_LOG_PROPERTIES WHERE PRX.REQUEST_LOG_PROPERTIES.request_log_id NOT IN (SELECT PRX.REQUEST_LOG.id FROM PRX.REQUEST_LOG);

---

746657-4 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval

Component: TMOS

Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the FQDN 'interval' value.

The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).

The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.

Conditions:
This occurs when viewing tmsh help text.

Impact:
FQDN nodes and pool members may be created with a different FQDN refresh interval than intended.

Workaround:
When creating an FQDN node or pool member, specify the desired FQDN 'interval' value (either TTL, or the desired number of seconds).

---

746464-4 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.

---

746355 : A client SSL handshake fails when client hello extension contains only unsupported groups

Component: Local Traffic Manager

Symptoms:
If the supported groups extension in the client hello contains only groups that are not supported by the BIG-IP system, the handshake fails.

Conditions:
-- (ec)dhe ciphers are used.
-- The supported groups extension does not contain any groups supported by the BIG-IP system.

Impact:
Client connections to the BIG-IP system fail.

Workaround:
There is no workaround other than not configuring (ec)dhe ciphers.

---

746152-4 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column

Component: TMOS

Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in tmm/hsbe2_internal_pde_ring
table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows very small number:

from tmm/hsbe2_internal_pde_ring

name active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------

lbb0_pde1_ring2 1 2 17179869185 4398046511186
lbb0_pde1_ring3 1 2 8589934597 2199023256108
lbb0_pde2_ring0 1 2 0 0
lbb0_pde2_ring1 1 2 0 0
lbb0_pde2_ring2 1 2 8589934592 2199023255552
lbb0_pde2_ring3 1 2 0 0
lbb0_pde3_ring0 1 2 0 0
lbb0_pde3_ring1 1 2 0 0
lbb0_pde3_ring2 1 2 8589934592 2199023255552
lbb0_pde3_ring3 1 2 0 0
lbb0_pde4_ring0 1 2 0 0
lbb0_pde4_ring1 1 2 0 0
lbb0_pde4_ring2 1 2 8589934592 2199023255552
lbb0_pde4_ring3 1 2 0 0

lbb1_pde1_ring1 1 3 0 0
lbb1_pde1_ring2 1 3 4294967298 1099511627952



From hsb_snapshot for pde1's ring 0 to ring 3:

50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7

Conditions:
The register reads sometimes return a 0 value.

Impact:
The DMA drop stats are not accurate

Workaround:
Restart tmm can reset the stats, but it will disrupt traffic.

---

746122-5 : 'load sys config verify' resets the active master key to the on-disk master key value

Component: TMOS

Symptoms:
Master key is reset to an older value which may differ from the 'active' value.

Conditions:
Configuration is validated via 'tmsh load sys config verify'.

Impact:
Configuration elements may be encrypted with a different key leading to a corrupt configuration state. If the configuration is saved, future loads will fail.

Workaround:
None.

---

745733-4 : TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup

Component: Traffic Classification Engine

Symptoms:
TMSH command "tmsh show ltm urcat-query" does not perform cloud lookup when there is no entry in the local database.

Conditions:
- TMSH command "show ltm urlcat-query abc.com" is executed.
- abc.com doesn't have an entry in the local webroot database.

Impact:
- Cloud lookup is not executed for unknown URL entries.

---

745663-1 : During traffic forwarding, nexthop data may be missed at large packet split

Component: Local Traffic Manager

Symptoms:
When splitting large packages, nexthop data is used for the first small packet, but missed in subsequent packets.

Conditions:
Forward of host LRO packet (e.g., FTP data-channel).

Impact:
Heavy packet loss, re-transmissions, and delays.

Workaround:
None.

---

745589-3 : In very rare situations, some filters may cause data-corruption.

Component: Local Traffic Manager

Symptoms:
In very rare situations, an internal data-moving function may cause corruption.

Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.

tmm crash

Conditions:
The affected filters are used, and some very rare situation occurs.

Impact:
This may cause silent data corruption, or a TMM crash. If there is a TMM crash, traffic disrupted while tmm restarts.

Workaround:
None.

---

745397-4 : Virtual server configured with FIX profile can leak memory.

Component: Service Provider

Symptoms:
System memory increases with each transmitted FIX message. tmm crash.

Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.

Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.

Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.

---

745309 : Self IP route is not updated in a routing table if there is more than one route with the same destination signature

Component: TMOS

Symptoms:
When Self IP address is added/updated via tmsh, Configuration utility, or "tmsh load sys config merge" command, BIG-IP routing daemon updates routing information in the routing table. If Dynamic Routing is configured on BIG-IP and affected Self IP route has the same destination as routes, gathered from routing protocols, then on adding or changing this Self IP address, the corresponding route from routing table has to be updated, usually it means that a new route is added to the routing table and the old one is removed, but a new route is added and then gets deleted from the routing table instead of old one.

Conditions:
1) There is a route in the routing table with the same destination signature as a Self IP address' route we are planning to add or update. Usually this situation occurs when Dynamic Routing is configured on BIG-IP and a dynamic route is added to the routing table.
2) The Self IP is added or updated.

Impact:
The routing information isn't updated. The Self IP route isn't involved in routing decisions and therefore traffic, which has to use Self IP route for routing, uses out of date, incorrect routing information and is sent to a wrong destination.

Workaround:
There is no workaround at this time.

---

744913 : Tmm may be killed during snapshot creation on VMware ESXi

Component: TMOS

Symptoms:
tmm is sometimes killed by sod during snapshot creation when running on VMware ESXi.

Conditions:
An attempt to snapshot a running BIG-IP guest is made. This can cause the instance to be descheduled by the host upon which it is running which prevents tmm from touching its watchdog. Upon being scheduled to run, if sod runs before tmm can update the watchdog, it will kill tmm. A message indicating that tmm did not run for an extended period of time may be logged such as:

01010029:5: Clock advanced by 40124 ticks

This message indicates generally that tmm did not run and can indicate other types of issues as well.

Impact:
Traffic processing can be severely impacted while the snapshot operation is proceeding regardless of whether tmm restarts or not. If tmm is restarted, production traffic will not be processed until it is finished restarting.

Workaround:
There is no workaround at this time.

---

744787-1 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias

Solution Article: K04201069

Component: Global Traffic Manager (DNS)

Symptoms:
WideIP alias will be replaced.

Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.

Impact:
The previous WideIP will be replaced.

Workaround:
Avoid adding existing WideIP for other WideIP.

---

744520-4 : virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface

Component: TMOS

Symptoms:
virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface.

Conditions:
Virtual server with pem profile and Vxlan-GRE tunnel interface.

Impact:
Traffic drop.

Workaround:
There is no workaround.

---

744316-3 : Config sync of APM policy fails with Cannot update_indexes validation error.

Component: Access Policy Manager

Symptoms:
Config sync operation fails for APM policy when policy item of same name points to different agent on source and target

The system posts errors similar to the following:

Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"

Conditions:
This occurs in the following scenario:

1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
  + Launch VPE for the policy.
  + Add a macro.
  + In macro add an agent, e.g., Message box.
  + Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.

Impact:
Unable to sync configuration in a failover device group.

Workaround:
You can work around this using the following procedure:

1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.

---

744275-4 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}

---

744252-4 : BGP route map community value: either component cannot be set to 65535

Component: TMOS

Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.

Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.

Impact:
Unable to use the full range of BGP route map community values

Workaround:
There is no workaround at this time.

---

743900-4 : Custom DIAMETER monitor requests do not have their 'request' flag set

Component: Local Traffic Manager

Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.

Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.

Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response

Workaround:
None.

---

743896 : Gratuitous ARP not sent on interface up

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP not seen when an interface comes up: different behavior depending on software version.

On BIG-IP software version 11.6.x and on BIG-IP Virtual Edition (VE), version 13.1.x, when interface is UP, after 3 seconds, the BIG-IP system sends GARP out.

On version 12.1.2，the BIG-IP system does not send GARP upon interface UP.

Conditions:
The interface transition from DOWN to UP state.

Impact:
No GARP for self-ip addresses on interfaces.

Workaround:
None.

---

743895 : Upgrades from 10.2.x fail due to empty virtual address lines in the configuration★

Component: TMOS

Symptoms:
In 10.2.x it is possible to have 'empty' virtual address lines in the configuration like this:

virtual address 10.10.10.10 {}

Lines such as these cause failures when upgrading to any version of BIG-IP software that includes the functionality to to add 'arp disable' to virtual addresses that do not have an explicit configuration for their ARP setting. This functionality is present beginning with software version 11.5.0.

Conditions:
-- 'Empty' virtual address lines in the configuration.
-- Upgrading to a version of BIG-IP software that includes the functionality to to add 'arp disable' to virtual addresses that do not have an explicit configuration for their ARP setting.

Impact:
The upgrade fails without a clear error message.

Workaround:
Upgrade to 11.5.0 first, and then upgrade to the desired version.

---

743464 : DoSL7 attack is not detected when using multiple profiles with Behavioral Detection

Component: Anomaly Detection Services

Symptoms:
Setting up multiple DoS Application Profiles on the same Virtual Server via either iRules or LTM Policies causes DoSL7 attacks to not be detected or mitigated, if one of the profiles has Behavioral Detection enabled.

Conditions:
-- Multiple DoS profiles are configured on a single Virtual Server, either using the iRule DOSL7::enable command, or LTM Policies controlling the DoS profile.
-- One of the DoS profiles on the Virtual Server has Behavioral Detection enabled, even if the Stress-Based Operation Mode is set to Off.

Impact:
DoSL7 attacks are not detected and not mitigated, with no indication that they are not.

Workaround:
Disable Behavioral Detection on all of the DoS profiles that are directly or indirectly associated with the Virtual Server. If Stress-Based Operation Mode is set to Off, then you might need to temporarily set Stress-Based to Transparent, disable the Behavioral checkboxes, and then set Stress-Based Operation mode back to Off.

---

743271-2 : Querying vCMP Health Status May Show Stale Statistics

Component: TMOS

Symptoms:
Stale statistics collected while the guest was running a pre-13.1.0 version may periodically be seen when querying vCMP health status in the Configuration Utility or via tmsh show vcmp health commands.

Conditions:
This issue may be seen when all of the following conditions are met:

- the vCMP guest is deployed on more than one blade
- the vCMP guest is upgraded from a pre-13.1.0 release to 13.1.0 or above

Impact:
Health status is not always accurately reported

Workaround:
The issue may be resolved by setting the guest status temporarily to configured and then back to deployed.

---

743253-5 : TSO in software re-segments L3 fragments.

Component: Local Traffic Manager

Symptoms:
FastL4 does not re-assemble fragments by default, but on a system with software-enabled TSO (sys db tm.tcpsegmentationoffload value disable), those fragments are erroneously re-segmented.

Conditions:
The behavior is encountered on BIG-IP Virtual Edition when setting sys db tm.tcpsegmentationoffload value disable, but does not cause a tmm core on Virtual Edition.

Impact:
Already-fragmented traffic is fragmented again.

Workaround:
None

---

743234-1 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons

Component: TMOS

Symptoms:
Configuring EngineID for SNMPv3 does not take effect until
the SNMP and Alert daemons are restarted.

Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'

Impact:
The SNMPv3 value does not take effect.

Workaround:
Restart the daemons after changing the EngineID:

restart /sys service snmpd
restart /sys service alertd

Note: The SNMP daemon should be restarted before the Alert daemon.

---

743132-3 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile

Component: TMOS

Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.

Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.

Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.

Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.

---

743116-1 : Chunked responses may be incorrectly handled by HTTP/2

Component: Local Traffic Manager

Symptoms:
When a chunked HTTP response is serialized by HTTP/2, the chunking headers should be removed. This does not occur in some cases.

Conditions:
The HTTP/2 filter is used. Some other profiles are used on the same virtual. (In particular, the request logging profile triggers this issue.)

Impact:
The HTTP/2 payload will include chunking headers, corrupting it.

Workaround:
An iRule may be used to detect a HTTP/2 client, and forcibly turn on unchunking in the HTTP_RESPONSE event.

Example:

ltm rule unchunk_http2 {
when HTTP_REQUEST {
        set is_http2 [HTTP2::active]
    }
when HTTP_RESPONSE {
        if { $is_http2 } {
            HTTP::payload unchunk
        }
    }
}

---

742877 : Tmm may fail a heartbeat on VE if unscheduled by busy hypervisor

Component: TMOS

Symptoms:
Tmm is killed by sod and restarts after failing to send a heartbeat message.

Conditions:
BIG-IP Virtual Edition (VE) running on a busy host system.

Impact:
Tmm restarts and recovers. Traffic disrupted while tmm restarts.

Workaround:
None.

---

742838-4 : A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition

Component: Local Traffic Manager

Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:

"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"

This happens in both the GUI and TMSH.

Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.

Impact:
Inability to edit the published policy.

Workaround:
None.

---

742829-4 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.

---

742753-1 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.

---

741345 : Adaptive monitor gateway_icmp does not function correctly with two nodes

Component: Local Traffic Manager

Symptoms:
An adaptive gateway-icmp monitor attached to two nodes, and configured with an even interval value (such as '2' or '4' seconds) may cause the node to be marked 'down' even when that node is available.

Conditions:
-- An adaptive gateway-icmp monitor is applied to two nodes.
-- The value configured is an even interval number (such as '2' or '4' seconds).
-- The associated node is available.

Impact:
A node associated with the gateway-icmp monitor might be marked 'down', when it should be marked 'up'.

Workaround:
You can use either of the following workarounds:

-- Configure an interval with an odd number of seconds (such as '3' or '5' seconds).

-- Create a separate adaptive gateway-icmp monitor for each node.

---

740957 : 'fips_get_key_attr(): mod_err = 0xa9' message seen in /var/log/ltm

Component: TMOS

Symptoms:
When a newly created FIPS key with long name (greater than 32 characters) gets synced over an FIPS high availability (HA) setup, the daemon.log shows that the name gets truncated:
key_label '/Common/testtmsh.with.long.name.and.config.sync.ran.with.TMSH.version1' exceed max len of 32, truncating to 'nfig.sync.ran.with.TMSH.version1).

And the ltm log shows the following message:
fips_get_key_attr(): mod_err = 0xa9.

Conditions:
The issue is intermittent.
-- HA setup with FIPS.
-- Perform a config sync operation after creating FIPS keys with names longer than 32 characters.

Impact:
The newly created FIPS key's name gets truncated to 32 characters. The truncated FIPS key is config-sync'd to the peer system, however, so there is no other impact.

Workaround:
There is no workaround, limit FIPS key names to 32 characters or fewer to prevent truncating.

---

740517-4 : Application Editor users are unable to edit HTTPS Monitors via the Web UI

Component: TMOS

Symptoms:
A user with Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the the following, misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)

Conditions:
The logged in GUI user must be an Application Editor role for the partition containing the HTTPS Monitor

Impact:
The user must use TMSH to modify an HTTPS Monitor.

Workaround:
Run the following tmsh command: modify ltm monitor https"\

---

740461 : Certificate or key upload in the GUI may occasionally fail with 'General database error"

Component: TMOS

Symptoms:
When uploading an SSL certificate or key via the TMUI, the upload might occasionally fail with a 'General database error.'

The /var/log/webui.log shows an error similar to the following:
-- ERROR [TP-Processor2] ssl_certificate.SSLCertificateImportHandler:importCertificateToMcpd - /shared/tmp/upload__36aadee9_16539dee776__8000_00001003.tmp (No such file or directory).

This issue occurs rarely and is intermittent.

Conditions:
Uploading an SSL certificate or key via the GUI.

Impact:
Upload via the GUI fails.

Workaround:
Retry the upload.

---

740284-3 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'

Component: Global Traffic Manager (DNS)

Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.

Conditions:
The conditions under which this occurs are not known.

Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.

Workaround:
Use any of the following to reset the condition:

-- Restart gtmd by issuing the following command:
bigstart restart gtmd

-- Restart the system.

-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.

-- Delete the affected server from the configuration and recreate it.

---

740203 : Installing a certificate or key may fail for a remote user

Component: TMOS

Symptoms:
iControl REST may return an error to a remote user attempting to install an SSL key or certificate. The same install process runs successfully for a local user.

Conditions:
-- Use a remotely authenticated user, such as via Active Directory (AD), with the admin role assigned to the user.
-- Using iControl REST, upload an SSL certificate (and/or key) to the BIG-IP system and attempt to install the certificate (and/or key).

Impact:
Inability to install a certificate.

Workaround:
If the request to install the certificate fails, change the permissions (chmod 640) on the .key and .crt files to 640.

---

740135-4 : Traffic Group ha-order list does not load correctly after reset to default configuration

Component: TMOS

Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group high availability (HA) Order lists.

Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.

Impact:
Incorrect high availability (HA) configuration.

Workaround:
Reload the configuration a second time.

---

740086-2 : AVR report ignore partitions for Admin users

Component: Application Visibility and Reporting

Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.

Reports generated for specific partition include data from all partitions.

Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.

Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.

Workaround:
One workaround is to have non-Admin users generate reports.

For non-Admin users, the partition is honored.

---

739820-4 : Validation does not reject IPv6 address for TACACS auth configuration

Component: TMOS

Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server

Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.

Workaround:
Do not configure IPv6 address for TACACS server

---

739618-4 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy

Component: Application Security Manager

Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.

Conditions:
- AWAF or MSP license

Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.

Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}

---

739553-4 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.

---

739533-3 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config

Component: TMOS

Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.

Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.

Impact:
When that happens, the temporary files that should be deleted, might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space. /config may get to 100% full. Having /config at 100% full might cause config sync to fail, prevent configuration changes, and other issues.

Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.

---

739118-4 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Component: TMOS

Symptoms:
Changing existing self IP addresses in bigip_base.conf file directly. After uploading the changed configuration file, BIG-IP routing service provides out of date Self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - hHas the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in bigip_base.conf file. It is not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.

Corrective:
If changed configuration is uploaded. In GUI or tmsh, delete changed self IP address, and then create a self IP address with old IP address and delete it as well. Now, all affected routes are removed.

---

738865-5 : MCPD might enter into loop during APM config validation

Component: Access Policy Manager

Symptoms:
Mcpd crashes after a config sync.

Conditions:
This can occur during configuration validation when APM is configured.

Impact:
Mcpd may take too long to validate the APM configuration and is killed by watchdog, causing a core

Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.

The Visual Policy Editor does not allow policies to be created if they contain loops.

---

738543-1 : Dynamic route with recursive nexthop might cause tmrouted restart

Component: TMOS

Symptoms:
Tmrouted restart.

Conditions:
- Dynamic routing enabled.
- Routing update with recursive nexthop.

Impact:
Stability of the dynamic routing daemons. TMM cannot learn or advertise routes while the daemon restarts.

Workaround:
There is no workaround other than not exporting routes with recursive nexthop.

---

738450-4 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.

---

738359 : Log output does not reflect BIG-IP system timezone setting

Component: TMOS

Symptoms:
Running the command 'tmsh show sys log' for any module in a specified range displays results according to the UTC timezone, despite the setting on the BIG-IP system.

Conditions:
-- Run the following command:
tmsh show sys log <any_module> range <range options>
-- View the output.

Impact:
Log filtering may not return results because of the difference between timezone settings.

Workaround:
Set timezone to UTC setting.

---

738070-3 : Persist value for the RADIUS Framed-IP-Address attribute is not correct

Component: Service Provider

Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.

Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).

Impact:
RADIUS requests may not get persisted to the servers they should be.

Workaround:
Use an iRule to persist instead, e.g.:

ltm rule radius-persistence {
    when CLIENT_DATA {
    persist uie [RADIUS::avp 8]
}
}

---

738045-2 : HTTP filter complains about invalid action in the LTM log file.

Component: Local Traffic Manager

Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
 
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)

Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.

Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):

when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
        log local0. "Entering HTTP_REQUEST_SEND"
}

-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.

Impact:
The second request gets reset, and the system logs errors in the LTM log file.

Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.

---

737901-1 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode

Component: TMOS

Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.

Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.

Impact:
The management MAC address is the same as the Host VLAN MAC address, resulting in the same MAC being used for the VLAN traffic originating from the vCMP Host along with the Host's mgmt Interface traffic, potentially resulting in issues relating to the inability to differentiate traffic to mgmt port or traffic ports.

Workaround:
There is no workaround at this time.

---

737536-5 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.

Component: TMOS

Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|

Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.

Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:

OSPF router config examples:
***
OSPF 1:
!router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate

OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1

BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***

-- Enable 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive advertised default route from BIG-IP OSPF process 1 if such exists.

# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
 default-information originate

Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.

Workaround:
None.

---

737529-1 : [GTM] load or save configs removes backslash \ from GTM pool member name

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load, and posts an error similar to the following:

Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers

Conditions:
GTM server virtual server name contains a backslash (\) character.

Impact:
GTM config fails to load.

Workaround:
Edit bigip_gtm.conf manually and add the \ character.

Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.

---

737346-4 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.

Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.

---

734692-1 : Incorrect prefix of ICMP error messages in NAT64

Component: Local Traffic Manager

Symptoms:
When ICMPv4 error messages are returned for NAT64 connections, the source address of the ICMPv6-translated error message uses ::ffff as the IPv6 prefix, creating an IPv4-mapped IPv6 address.

Conditions:
-- NAT64 enabled.
-- ICMPv4 error messages are returned from IPv4 hosts and routers.

Impact:
The ICMP error messages cannot be routed to the client and are dropped by intermediate routers. This can prevent clients from properly detecting errors such as unreachable hosts and networks. This causes failures in utilities such as ping and traceroute.

Workaround:
There is no workaround at this time.

---

734595-1 : sp-connector is not being deleted together with profile

Component: Access Policy Manager

Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the sp-connector is not available for delete when the profile is deleted.

Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.

Impact:
The SP connector is not listed for delete when the profile is deleted.

Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME

---

734241 : 'Detection Evasion' violations might not report violation details in their reports or in the GUI

Component: Application Security Manager

Symptoms:
Evasion technique details are not presented in the request log.

Conditions:
This occurs in either of the following scenarios:

-- Many evasion techniques occur in a single request.

-- The evasion techniques that occur are not set as enabled in the policy configuration.

Impact:
'Detection Evasion' attacks are reported the logs, but there are no violation details to help clarify what actually triggered.

Workaround:
None.

---

733585-2 : Merged can use %100 of CPU if all stats snapshot files are in the future

Component: TMOS

Symptoms:
Merged uses %100 of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.

Conditions:
All stats snapshot file having timestamps in the future, release has the fix for issue 721740, but not this issue.

Impact:
Merged using %100 of the CPU.

Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.

---

727469-1 : ProxySSL leaks profile reference

Component: Local Traffic Manager

Symptoms:
Proxy SSL leaks server SSL profile references whenever a virtual server is uninitialized or reinitialized.

Conditions:
-- One or more Client SSL profiles are in use
-- SSL profile has the 'Proxy SSL' (proxy-ssl) setting enabled.
-- The profile is re-initialized; this can occur when a profile is modified.

Impact:
Memory leaks. Tmm can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

---

727467-3 : Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.

Component: TMOS

Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
   + In /var/log/ltm:
     - err tmm4[21025]: 01340004:3: high availability (HA) Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
    + In /var/log/tmm:
      - notice DAGLIB: Invalid table size 12
      - notice DAG: Failed to consume DAG data

Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).

Important: This issue may also affect iSeries high availability (HA) peers on the same software version if the devices do not share the same model number.

Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.

Impact:
- High CPU usage.
- Traffic disruption.

Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.

For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up high availability (HA) group and make sure the 12.1.3 Active unit's high availability (HA) score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online

At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.

---

727297-4 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.

---

727288-4 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC

Component: Service Provider

Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.

Conditions:
Diameter Message Routing Framework (MRF) in use

Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).

Workaround:
Use an DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end server ID.

---

727191-4 : Invalid arguments to run sys failover do not return an error

Component: TMOS

Symptoms:
If an invalid device name is used in the sys failover command, the device name reject is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.

Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.

Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name

Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.

Workaround:
There is no workaround.

---

726734-2 : DAGv2 port lookup stringent may fail

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.

Conditions:
Active FTP with mirroring enabled.

Impact:
Connection cannot get established.

Workaround:
There is no workaround other than to disable mirroring.

---

726665-1 : tmm core dump due to SEGFAULT

Component: Policy Enforcement Manager

Symptoms:
tmm core dump due to SEGFAULT.

Conditions:
System under load in network. Other conditions required to recreate this are unknown, but indicated a potential memory-handling issue.

Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
None.

---

726518-5 : Tmsh show command terminated with CTRL-C can cause TMM to crash.

Component: Local Traffic Manager

Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]

Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not terminate tmsh show commands with CTRL-C.

---

726416-1 : Physical disk HD1 not found for logical disk create

Component: TMOS

Symptoms:
The blade error 'Physical disk HD1 not found for logical disk create' is observed when bigstart restart happens on primary blade of chassis-based systems using solid state drives (SSD).

/var/log/ltm shows messages similar to the following:

-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_logical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: logical_disk create received: name[HD1] media[general_use_ssd]
-- localhost.localdomain err chmand[25459]: 012a0003:3: Physical disk HD1 not found for logical disk create
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_physical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: physical_disk create received: serial number[S3F3NX0K810723] name[HD1]

and/or

err chmand[4712]: 012a0003:3: Physical disk HD1 not found for logical disk create

ltm log implies that logical disk create is requested before physical disk creation.

Conditions:
This occurs on chassis-based systems (more than one blade) using SSD, when bigstart restart happens on primary blade.

Impact:
The system posts the following error under ltm log:
err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create.

When system posts the error, it just skips executing couple of lines of code, to be precise two API calls.
These API calls are related to updating DiskInfo and disk wearout information.

This message is benign and can be safely ignored

Workaround:
There is no workaround.

---

726319-3 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses

Component: Local Traffic Manager

Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:

err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.

This may occur intermittently depending on timing conditions.

Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.

Workaround:
None.

---

726011-1 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.

---

725950-1 : Regcomp() leaks memory if passed an invalid regex.

Component: TMOS

Symptoms:
Because of memory leak, big3d's memory usage increased over time

Conditions:
Pass invalid expression to regcomp.

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}

---

725887-2 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- Specific traffic conditions.
-- A loaded system.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

---

725792-2 : BWC: Measure log-publisher if used might result in memory leak

Component: TMOS

Symptoms:
When Measure is used in BWC with log publisher defined, it might result in a memory leak in tmm.

Conditions:
-- BWC dynamic policy is configured.
-- Measure is enabled.
-- Log-publisher is defined.

Impact:
Memory leak in errdef.

Workaround:
There is no workaround other than not to enable Measure in the BWC dynamic policy.

---

725646-6 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly

Component: TMOS

Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly

/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...

system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...

/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...

Conditions:
This issue occurs intermittently in the following scenario:

1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.

Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.

Workaround:
Restart tmsh if the problem occurs.

To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.

---

725620 : Corrupted HSB RQM configuration causes HSB receive failures on 5000s/5200v, 5050s/5250v/5250v-F platforms

Component: TMOS

Symptoms:
In rarely occurring cases, HSB RQM queues configuration becomes corrupted, which leads to HSB receive failures. In some cases, all queues above 64 are all disabled, although the lower queues are configured and enabled with no packet drop. In some other cases, all queues are disabled.

Conditions:
-- Using 5000s/5200v, 5050s/5250v/5250v-F platforms.
-- Specific conditions under which this occurs have not been reproduced.

Impact:
The receive failure leads to HSB lockup, and will impact traffic.

Workaround:
Reboot to recover, or disable ePVA to avoid lockup at the cost of some performance degradation.

---

725592 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of Routing Information Protocol (RIP) packets sent by ripd to something other than port 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
-- Multiple TMM instances.
-- RIP routing configured.
-- After reboot.

Impact:
Dynamic routing using RIP does not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Workaround:
Delete the sys connection for RIP; the new connection is expected to use the correct port.

---

725427 : OPT-0036-01 does not report DDM tx power alarms or tx power warnings

Component: TMOS

Symptoms:
The OPT-0036 optic does not report Tx alarms or warnings. The optic does report transmit power readings, but does not generate warnings or alarms if the transmit readings are outside the threshold ranges. OPT-0036-01 does not support SFF-8636.

Conditions:
-- Hardware using this optic:
    - vendor-oui 00176a
    - vendor-partnum OPT-0036
    - vendor-revision 01
-- DDM is enabled.

Impact:
OPT-0036-01 does not report DDM transmit alarms or warnings.

Workaround:
DDM Receive power alarms and warnings are correctly reported. You can view the transmit power readings and thresholds to manually determine if the power is outside the DDM transmit threshold values.

Note: When the OPT-0036 is disabled, the transmit laser is disabled and the transmit power is 0mW.

---

724994-1 : API requests with 'expandSubcollections=true' are very slow

Component: TMOS

Symptoms:
Submitting an iControl REST query using the option 'expandedSubcollections=true' takes significantly longer to return than one without that option. For example, the command 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the command 'https://localhost/mgmt/tm/ltm/virtual'.

Conditions:
Submitting a query using expandedSubcollections=true.

Impact:
The response takes significantly longer to return

Workaround:
The additional processing time occurs because the 'expandedSubCollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual configuration:

1. Run the following query:
GET mgmt/tm/ltm/virtual

2. Obtain the list of virtual servers by:
   2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
   2b. writing an iControlLX worker that does this.

Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.

3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.

---

724906-2 : sasp_gwm monitor leaks memory over time

Component: Local Traffic Manager

Symptoms:
The Server/Application State Protocol (SASP) monitor, sasp_gwm memory usage slowly increases over time.

Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.

Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of sasp_gwm processes avoids the growth affecting the system.

---

724746-2 : Incorrect RST message after 'reject' command

Component: Local Traffic Manager

Symptoms:
BIG-IP sends RST containing "Internal error in tcpproxy invalid state for repick" instead of correct "iRule execution (reject command)".

Conditions:
Virtual Server with a HTTP profile, and an iRule using 'reject' command.

Impact:
Investigating RST causes may be confusing.

Workaround:
There is no workaround at this time.

---

724706 : iControl REST statistics request causes CPU spike

Component: TMOS

Symptoms:
BIG-IQ makes iControl REST requests to BIG-IP systems to get statistics. Regardless of the page size setting, the request causes the CPU to spike to 100% utilization.

Conditions:
An iControl REST API request from a BIG-IQ device for a few stats for an object on a BIG-IP system.

Note: A request for a single statistic usually does not cause a spike.

Impact:
Frequent requests by BIG-IQ for stats causes repeated spikes.

Workaround:
None.

---

724571-3 : Importing access profile takes a long time

Component: Access Policy Manager

Symptoms:
It takes a long time for the 'Apply Access Policy' link to show up on the admin UI after importing an access profile.

Conditions:
-- Access policy with many macros.
-- Import exported profile multiple times with Reuse Existing Objects checked
-- As the number of imports increases, so does the latency.

Impact:
The imported access policy takes a long time to be imported and ready to use.

Workaround:
None.

---

723658 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

---

723579-3 : OSPF routes missing

Component: TMOS

Symptoms:
When newer link-state advertisement (LSA) (with greater seq) comes in, the Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored,n which can cause route unreachable, and eventually route withdraws.

Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.

Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.

Workaround:
There is no workaround.

---

723306-5 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on a different partition.

---

723112 : LTM policies does not work if a condition has more than 127 matches

Component: Local Traffic Manager

Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.

Conditions:
LTM policy that has a condition with more than 127 matches.

Impact:
LTM policy does not match the expected condition.

Workaround:
There is no workaround at this time.

---

723111 : mailx is blocked by SELinux Policy

Component: TMOS

Symptoms:
The mail command is not functional with the SELinux Policy.

Conditions:
Using mailx to send mail.

Impact:
Cannot use mailx to send mail. This is a function of the SELinux Policy, which does not allow execution of the mailx commands.

Workaround:
To work around this issue, you can configure the BIG-IP system to communicate with an SMTP mail server using the method appropriate for your BIG-IP version. For specific procedures, see K3667: Configuring alerts to send email notifications :: https://support.f5.com/csp/article/K3667.

---

723095-1 : tmsh "modify gtm pool <type> all ... " commands fail

Component: Global Traffic Manager (DNS)

Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)

or

01020036:3: The requested Pool (<type> /Common/poolname) was not found.

Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.

or

Attempting to use the command "tmsh modify gtm pool <type> all <attribute>", for example "tmsh modify gtm pool a all enabled"

Impact:
Unable to apply a single tmsh command to all pools of a given type

Workaround:
There is no workaround at this time, other than that to apply the command individually to each pool.

---

722919 : Memory leak when using SP-DAG and a small LSN pool.

Component: Carrier-Grade NAT

Symptoms:
High memory usage by objects of type cmp. Using SP-DAG and a small Large Scale NAT (LSN) pool, some TMMs may not have any local translation addresses. If connections are routed out a VLAN that has cmp-hash src-ip, a small amount of memory may be leaked.

Conditions:
-- Using SP-DAG.
-- Using small LSN pools.
-- Having TMMs that do not not have any local translation addresses.
-- Connections are routed out a VLAN that has cmp-hash src-ip.

Impact:
A small amount of memory may be leaked. The aggressive sweeper might kill connections. TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
Using the default DAG with small LSN Pools gives all TMMs local translation endpoints.

To prevent the leak, allow only VLANs with cmp-hash dst-ip in the LSN pool egress interface list.

---

722741-4 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.

---

722647-1 : The configuration of some of the Nokia alerts is incorrect

Component: TMOS

Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.

Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.

Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.

Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.

---

722534-4 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.

---

721740-3 : CPU stats are not correctly recorded when snapshot files have timestamps in the future

Component: TMOS

Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.

May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available.

Merged CPU stats will be 0.

Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.

Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.

Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.

---

721579-1 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing

Component: Carrier-Grade NAT

Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.

Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.

Impact:
lsndb shows misleading stats.

Workaround:
There is no workaround at this time.

---

721571-3 : State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★

Component: Local Traffic Manager

Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x or 14.x software versions in a high-availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.

Conditions:
-- The HA configuration is one of the following:
   + The active system is running v12.1.3.x, and the standby system is running v13.x or v14.x, as a result of an in-progress upgrade.
   + The active system is running v13.x or v14.x and the standby system is running v12.1.3.x.
-- State mirroring configured on two or more BIG-IP systems.
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.

Impact:
TMM may crash on a standby system during upgrade.

This issue should not disrupt traffic, because the TMM is coring only on the standby unit.

Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x or v14.x, or complete the upgrade of both devices to v13.x or v14.x.

1. You can disable mirroring using either the GUI or the command line.

1a. In the GUI: -- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.

1b. From the command-line: -- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config

Important: This action results in connection state loss on failover.

2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IP addresses removed previously.

Note: F5 recommends that BIG-IP systems in HA configurations run with the same software version on all devices.

---

721020-4 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.

---

720588 : Pages not loading correctly when AJAX response page is enabled

Component: Application Security Manager

Symptoms:
Enabling AJAX response page may prevent assets from loading properly due to a conflict with back-end JavaScript.

Browser console shows errors such as:
Uncaught TypeError: Cannot read property 'readyState' of undefined.

Conditions:
-- AJAX response page is enabled.
-- Back-end JavaScript conflicts with ASM JavaScript.

Impact:
Content within pages may fail to load.

Workaround:
None.

---

720581-3 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files

Component: Application Security Manager

Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.

Conditions:
Policy Merge is used to add an XML Policy that contains a schema file from one policy to another.

Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.

Workaround:
None.

---

719770-4 : tmctl -H -V and -l options without values crashed

Component: TMOS

Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.

Conditions:
Use one of these options without the required value.

Impact:
Core file. No other impact.

Workaround:
Be sure to pass the required value with these options.

---

719555-1 : Interface listed as 'disable' after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface

---

719241 : Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure.

Component: TMOS

Symptoms:
During the BIG-IP or BIG-IQ system boot-up, waagent is unable to get a response from the intended wire server endpoint, which stops it from running custom script extensions. This happens because of the missing route to the Azure virtual public IP address of 168.63.129.16.

The var/log/waagent.log contains error messages similar to the following:
-- INFO Protocol endpoint not found: WireProtocol, [ProtocolError] [Wireserver Exception] [HttpError] [HTTP Failed] GET http://n.n.n.n,n.n.n.n/?comp=versions -- IOError [Errno -3] Temporary failure in name resolution -- 6 attempts made

Conditions:
-- BIG-IP or BIG-IQ system is deployed in Azure VNet with a custom DNS server.
-- The DHCP server has assigned a classless-static-route in its dhclient lease (/var/lib/dhclient/dhclient.leases) which contains a custom route to 168.63.129.16.

Impact:
Waagent custom script extensions do not complete, failing the BIG-IP or BIG-IQ provisioning that waagent intends to perform during startup.

Workaround:
Add 168.63.129.16 route on mgmt interface during BIG-IP or BIG-IQ system initialization to facilitate correct waagent custom script extension execution.

---

718867-3 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★

Component: Local Traffic Manager

Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.

Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround:
Reset the variable's custom value after upgrade.

---

718800-3 : Cannot set a password to the current value of its encrypted password

Component: TMOS

Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':

modify auth user <username> encrypted-password password

Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):

modify auth user <username> password password

Conditions:
Changing a password to the value of encrypted-password.

Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value doesnot work.

(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)

Workaround:
First, change the password to something else. Then, change it back to the correct value.

---

718790-5 : Virtual Server reports unavailable and resets connection erroneously

Component: Local Traffic Manager

Symptoms:
A Virtual Server will respond to client SYN packets with RST and note an internal F5 reset cause of "VIP disabled (administrative)" despite having resources available or fallback functionality configured.

Conditions:
There are a number of different scenarios where this can occur:

1. All pool members marked administratively down, HTTP profile and Fallback Host configured

2. All pool members marked administratively down, iRule configured to select a different, available pool.

3. Pool members available, pool member status modified by ConfigSync operation.

Impact:
Client traffic is rejected by Virtual Server despite it's ability to successfully handle the traffic.

Workaround:
There are different workarounds based on the scenario:

1. If all pool members are marked administratively down, ensure at least one pool member is in a different state (Available, Offline etc).

2. If one or more pool members are available and a ConfigSync operation caused the behavior, fail over to the Standby BIG-IP and reboot the affected BIG-IP.

---

718232-1 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.

---

718230-5 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented

Component: TMOS

Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.

Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.

Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:

-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.

Workaround:
None.

---

717909-2 : tmm can abort on sPVA flush if the HSB flush does not succeed

Component: Advanced Firewall Manager

Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm does a flush of sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause an abort due to heartbeat failure. tmm crash

Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).

Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

---

717806-5 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured

Component: Local Traffic Manager

Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.

Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.

Impact:
No performance impact

Workaround:
None

---

717346-4 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket

---

717113-1 : It is possible to add the same GSLB Pool monitor multiple times

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.

Conditions:
This issue affects the GSLB Pool create and properties pages.

Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.

Workaround:
None.

---

716952-3 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.

Component: Local Traffic Manager

Symptoms:
When TCP Nagle enabled, the data sent from server is handled by the SSL filter to offload data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to TCP4 filter. Because Nagle is enabled, this leaves the last offloaded packet 'stuck' in the TCP4 filter.

Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.

Impact:
The last data packet waits until all other packets have been ACKd.

Workaround:
None.

---

716701-2 : In iControl REST: Unable to create Topology when STATE name contains space

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use iControl REST to create topology records when whitespace exist in a STATE name.

Conditions:
STATE name contains a space (e.g., New Mexico).

Impact:
Unable to create a topology record using iControl REST.

Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.

---

716492-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Solution Article: K59332523

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
TSO packet length exceeds the rateshaper's configured max ceiling.

Impact:
The flow stalls. Subsequent flows cannot go to the rateshaper from that particular tmm.

Workaround:
If you are running BIG-IP software v12.1.3.2 (or later) or v13.1.0(.x), you can use the following workaround:

There is a sys db variable called 'rateshaper.cmpdivide', which is enabled by default. When enabled, the system internally divides the bandwidth (rate/ceiling/burst) between the available tmm cores. If this issue occurs, set 'rateshaper.cmpdivide' to enabled.

There is no workaround for other versions.

---

715756-3 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only

Component: Local Traffic Manager

Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.

Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.

Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.

Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.

---

715061-1 : TMM may crash and produce a core file on a vCMP guest when the guest is being shut down from the host.

Component: TMOS

Symptoms:
TMM on a vCMP guest may crash and produce a core file when the guest is being shut down from the host system.

Conditions:
The vCMP guest is being shut down by an Administrator from the host system.

Impact:
Because the vCMP guest is in the process of being shut down, there is no impact to application traffic. However, the core file may take up disk space on the vCMP guest.

Workaround:
To mitigate the disk space problem, manually delete the core file from the /var/core directory once the vCMP guest is brought back on-line.

---

714704 : ICMP unreachable messages sent only from active to standby

Component: Advanced Firewall Manager

Symptoms:
When the self IP has a firewall rule to reject ICMP unreachable, the system will be sent from active to standby and not from standby to active.

This is correct behavior, but v13.x might show ICMP unreachable messages sent from standby to active along with those from active to standby.

Conditions:
-- AFM firewall rule is applied to the self IP as reject ICMP unreachable messages.
-- Active/standby high availability (HA) cluster.

Impact:
No functional impact. ICMP unreachable messages not showing has no effect on BIG-IP system functionality.

Note: If there is a firewall to block traffic on self IPs, but still want ICMP unreachable messages, that configuration is not valid, and HA will not work.

Workaround:
There is no workaround.

---

714642-5 : Ephemeral pool-member state on the standby is down

Component: Local Traffic Manager

Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.

Conditions:
Re-enabling a forced-down FQDN node on the primary system.

Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).

Workaround:
None.

---

714626-1 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.

Component: TMOS

Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.

Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Attempting to license (or revoke the license of) the BIG-IP system is not possible using GUI or tmsh since communications with the license server will fail.

Impact:
The --proxy option is required in order to use the SOAPLicenseClient to license, reactivate the license, or revoke the license of the BIG-IP system.

Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:

/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck

---

714507-4 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
    # tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1

---

714503-3 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl

Component: Local Traffic Manager

Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the .tcl extension. The system will do that for you.

---

714495-3 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"

Component: Local Traffic Manager

Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
Creating a new iRulesLX iRule in TMSH.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the '.tcl' extension.

---

714384-5 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.

---

714198 : Mcpd is blocked when executing the tmsh command 'tmsh -a show net arp all'

Component: TMOS

Symptoms:
Mcpd/tmm stops responding to the query sent from tmsh for
'tmsh -a show net arp all'.

Conditions:
This can occur when executing the command 'tmsh -a show net arp all'.

Impact:
Mcpd becomes blocked and you are unable to run other commands, such as qkview.

Workaround:
None.

---

713947-3 : stpd repeatedly logs "hal sendMessage failed"

Component: TMOS

Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed"

Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.

Impact:
All BIG-IP blades

Workaround:
No workaround except to ignore log messages - they are spurious and have no ill effect on the system besides log spam.

---

713708-3 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.

---

713629-1 : Applying firewall policy to self-ip can cause tmm crash

Component: Advanced Firewall Manager

Symptoms:
Applying a firewall policy to a self-ip can cause a tmm crash. This is due to an uninitialized local variable that cause memory corruption on a stat memory location.

Conditions:
No specific condition for this to happen. This can happen in any config. However, it should be a vary rare occurrence.

Impact:
Temporary traffic disruption while tmm restarts.

Workaround:
There is no workaround. Tmm should recover automatically and function normally.

---

713585-1 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load could be very long and CPU usage very high.

Conditions:
There are many iRule and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax", this causes iRule validation to check iRule syntax only; the semantic checks will not be performed.

---

713519-3 : Enabling MCP Audit logging does not produce log entry for audit logging change

Component: TMOS

Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.

Conditions:
This occurs when enabling MCP audit logging.

Impact:
The audit logging change itself is not logged in the audit logs.

Workaround:
None.

---

713283-2 : Missing transaction count in = application security report under view by IP Intelligence

Component: Application Visibility and Reporting

Symptoms:
Transactions without an IP reputation threat are not listed on application security reports under viewed by IP Intelligence.

Conditions:
-- All transactions without an IP reputation threat.
-- Application security reports.

Impact:
Transaction count statistics are missing.

Workaround:
None.

---

713138 : TMUI ILX Editor inserts an unnecessary linefeed

Component: TMOS

Symptoms:
If you use the TMUI edit for ILX, the system will append a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.

A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.

Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).

Impact:
File contents can change unexpectedly and have needless characters at the end.

Workaround:
Use TMSH or a different editor, that is not TMUI, to change those files.

---

713134-3 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.

---

712542-1 : Network Access client caches the response for /pre/config.php

Component: Access Policy Manager

Symptoms:
The Network Access client caches the response for /pre/config.php.

Conditions:
-- APM is provisioned.
-- Network Access is configured.

Impact:
Caching the response for /pre/config.php might reveal configuration information. However, a URL is public information by definition. The only sensitive information revealed are server names, which have to be revealed in order for the client to know where to connect.

Workaround:
None.

---

712500-2 : Unhandled Query Action Drops Stat does not increment after transparent cache miss

Component: Global Traffic Manager (DNS)

Symptoms:
After a transparent cache miss, if the LTM DNS profile has Unhandled Query Action set to Drop, the request is dropped without incrementing the Unhandled Query Action Drops stat.

Conditions:
LTM DNS profile with a Transparent Cache and Unhandled Query Action set to Drop.

Impact:
Inaccurate statistics for the Unhandled Query Action Drops

Workaround:
None.

---

712489-3 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

---

712321 : Missing reference to customization-group from connectivity profile if created via network access wizard

Component: Access Policy Manager

Symptoms:
Connectivity profile generated from the use of network access wizard will not contain a reference to a customization-group.

Conditions:
Use network access wizard to create configure objects.

Impact:
There is no functional impact since customization is not actually used for connectivity group.

Workaround:
Configure the connectivity profile object manually from tmui (GUI) or tmsh (command line) rather than via wizard. Replace the connectivity profile created from the virtual server within the virtual server with the manually created connectivity profile.

---

712266-2 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware

Component: TMOS

Symptoms:
Messages like the following may show up in /var/log/ltm:

-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.

This occurs because the decompression of large compressed data failed.

Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.

Impact:
Requests fail with a connection reset.

Workaround:
Use zlib software decompression.

---

712241-1 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.

---

712033-1 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name

Component: TMOS

Symptoms:
When you make a REST request to association list in /stats you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
  "kind": "tm:ltm:pool:members:membersstats",
  "generation": 3,
  "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
  "entries": {
    "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {

Conditions:
When making a REST request to an object in /stats that is an association list.

Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.

Workaround:
None.

---

711879 : Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.

Component: TMOS

Symptoms:
The web GUI displays an incorrect value for cert and key for a GTM monitor.

Conditions:
The GTM monitor has the same name as an LTM monitor.

Impact:
Incorrect data can be presented regarding the GTM monitor's cert and key.

Workaround:
Use TMSH to display the correct cert and key.

---

711818-1 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.

---

711683-4 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.

---

711158-1 : Admin user roles automatically demoted to guest

Component: TMOS

Symptoms:
Newly created admin users are immediately demoted to guest.

Conditions:
-- A sync-failover device group exists.

-- The REST framework's 'gossip' mechanism is configured.

-- Create a new admin user using a command similar to the following examples:

tmsh
-----
tmsh create auth user test123 password **** partition-access add { all-partitions { role admin } }

GUI
-----
via WebUI System menu :: Users
User Name: test123
Password: **** Confirm: ****
Role: Administrator Partition: All
Click Finish button

Note: Correct REST framework 'gossip' mechanism configuration should occur automatically, but might not be ready. You can confirm whether this is the case by running the following command: restcurl shared/resolver/device-groups/tm-shared-all-big-ips/devices. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.

Impact:
In a few seconds, the newly created admin user account reverts to a guest role. User does not have the expected admin access.

Workaround:
On the primary BIG-IP system, do the following:

1. Disable failover by running the following command:
restcurl -X PATCH tm/shared/bigip-failover-state -d '{"isEnabled": false}'

2. Clear REST devices from the device group by running the following command:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices

---

711056-3 : License check VPE expression fails when access profile name contains dots

Component: Access Policy Manager

Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:

-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.

-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"

Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.

Impact:
License check always fails, resulting in denied logon.

Workaround:
Use a different policy name without '.' characters.

---

710996-1 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP

Component: Local Traffic Manager

Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
IPv4 traffic is sourced from the cluster IP
IPv6 traffic is sourced from the cluster member IP

Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.

Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.

Workaround:
There is no workaround at this time.

---

710841 : 12.1.3.3 feature refinement might be lost after upgrade★

Component: TMOS

Symptoms:
If you upgrade from 12.1.3.3 (or later) to 13.1.0 or 13.1.0.1, you will lose the VE-specific 12.1.3.3 feature refinements you gained.

Conditions:
Upgrade from 12.1.3.3 (or later) to 13.0.x, 13.1.0, or 13.1.0.1.

Impact:
Feature refinement provided in 12.1.3.3 will be lost after upgrade. Other functionality is unaffected.

Workaround:
Only upgrade from 12.1.3.3 or later to 13.1.0.2 or later.

---

710809-6 : Restjavad hangs and causes GUI page timeouts

Component: Device Management

Symptoms:
Restjavad stops responding, causing GUI page timeouts.

Conditions:
The conditions behind this issue are not known.

Impact:
restjavad is active, but all endpoints are nonresponsive.

Workaround:
Restart restjavad.

---

710410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
-- Compression requests for DEFLATE/gzip levels other than level 1.
-- BIG-IP devices using Cave Creek SSL hardware acceleration.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Workaround:
None.

---

710044-1 : Portal Access: same-origin AJAX request may fail in some case.

Component: Access Policy Manager

Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
It is possible to use iRule to remove default port number from encoded back-end host definition in Portal Access requests, for example:

when RULE_INIT {
  # hex-encoded string for 'https://some.com'
  set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is hex-encoded form for ':443'
  set ::pattern "/f5-w-${encoded_backend}3a343433\$"
  set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
  set ::remove_start [ expr {$::remove_end - 7} ]
}

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "$::pattern" } {
    set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
    HTTP::path "$path"
  }
}

---

710039 : Merging config may not report syslog configuration errors

Component: TMOS

Symptoms:
A 'load sys config verify merge' may return successfully, but 'load sys config merge' without the 'verify' argument might fail.

Conditions:
Running the 'load sys config merge' without the 'verify' argument.

Impact:
False positive might be received in response to a successful config verify. However, the syslog system is not actually configured during a 'verify', so it does not report errors.

Workaround:
None.

---

709963-4 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.

---

709837-3 : Cookie persistence profile may be configured with invalid parameter combination.

Component: Local Traffic Manager

Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.

Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.

Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.

Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.

---

709559-3 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading configuration fails on upgrade

Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2

Impact:
The system won't be functional

Workaround:
Delete or rename "/Common/ssh"

---

708968-4 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.

Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.

---

708576-1 : Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour

Component: Application Security Manager

Symptoms:
Errors may be sent in system emails once an hour due to a runtime error in the dosl7d_tcpdumps_cleaner which is run in an hourly cron job.

Here is an example of such an email:

From: root (Cron Daemon)
To: root
Subject: Cron <root@servername> run-parts /etc/cron.hourly
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

/etc/cron.hourly/dosl7d_tcpdumps_cleaner:

Use of uninitialized value $s in division (/) at /etc/cron.hourly/dosl7d_tcpdumps_cleaner line 111.

Conditions:
- The administrator configures the BIG-IP system to deliver locally generated email messages, or the administrator checks local emails to root, on the BIG-IP.
- The hardware supports RAID, even if RAID is not configured.

Impact:
- Email messages with errors being sent once an hour.
- DoSL7 tcpdump files may not be automatically cleaned if used in the DoS profile.

Workaround:
None

---

708415 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.

---

708176 : SNMP OIDs (NA throughput) incorrect when compression is disable

Component: Access Policy Manager

Symptoms:
SNMP OIDs related to Network Access VPN tunnel or connectivity traffic are not updated if compression is not enabled. However, the definitions for connectivity traffic make it seem like they should be updated.

Conditions:
1. Create an access policy with Network Access resource (no compression enabled). Also, connectivity profile with no compression.
2. Assign this to a virtual server.
3. Establish a VPN tunnel, and download a large file.
4. Compare the SNMP OID values before and after this large file download via VPN tunnel.

Impact:
Confusion and graphs that don't seem to show the expected traffic.

Workaround:
Turn on compression to see the stats updated.

---

708005-3 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources

Solution Article: K12423316

Component: Access Policy Manager

Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.

Impact:
End user cannot launch VMware View resources with View HTML5 client.

Workaround:
You can use the following workarounds:

-- If you are already running Horizon 7.4, use native View clients instead.

-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.

-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:

when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata")} {
        HTTP::cookie remove "sessionDataServiceId"
    }
}

when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if {[string length $path] > 0} {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}

Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed before exhibiting successful behavior.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.

---

707953-1 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish the difference in types of licenses.

Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).

---

707691-2 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
pmtu message is erroneously ignored.

Workaround:
There is no workaround at this time.

---

707320-1 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs

Component: TMOS

Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and a IPv4 last-resort-pool will only spawn an A-type WideIP after the upgrade

Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.

Impact:
Loss of the AAAA-type WideIP configuration item

Workaround:
There is no workaround at this time.

---

707204 : If the system has more than 264 analytics profiles, the upgrade fails.

Component: Application Visibility and Reporting

Symptoms:
If the system is upgraded from version 11.5.4-hf2, 11.6.0-hf4 and has more then 264 analytics profiles, the upgrade will fail.

Conditions:
1. The system has more than 264 different analytics profiles.
2. Upgrade from version 11.5.4-hf2,hhf3... or from version 11.6.0-hf4,hf5...

Impact:
The upgrade will fail.

Workaround:
Delete/reduce the number of analytics profiles before the upgrade.

---

706930 : "Enforce Ready" button has no effect for Signatures for Inactive Policy

Component: Application Security Manager

Symptoms:
The "Enforce Ready" button has no effect for Signatures on Inactive Policies.

Conditions:
The user accesses "Enforcement Readiness" page for an Inactive Policy.

Impact:
Pressing "Enforce Ready" button has no effect.

Workaround:
Signature Staging can be disabled from "Application Security > Attack Signatures" page, or via REST.

---

706505-1 : iRule table lookup command may crash tmm when used in FLOW_INIT

Component: Local Traffic Manager

Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.

Conditions:
iRule table lookup command is used in FLOW_INIT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use table lookup in the events after the flow is constructed.

---

706106-1 : PUT request sent to ltm/virtual failed because of ip-protocol property value any

Component: TMOS

Symptoms:
PUT request to ltm/virtual fails unexpectedly because ip-protocol property value any

Conditions:
When sending PUT request to ltm/virtual

Impact:
PUT request modifies properties that user includes in the request and resets the rest of property value to default.

Workaround:
Using PATCH request

---

704764-2 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks pool members down, whose address include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. If case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.

---

704176-1 : Monitor instances may not get deleted during configuration merge load

Solution Article: K22540391

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.

-- err mcpd[8982]: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.
-- err mcpd[8982]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.... failed validation with error 16908342.

Conditions:
Merge a GTM config file to update a virtual server's monitor.

Impact:
There is a leaked/extra monitor instance. Restarting secondary slot will result in a restart loop.

Workaround:
Remove the MCPD binary database on the Primary blade and restart services:
# touch /service/mcpd/forceload
# bigstart restart

Note: This might change the primary slot.

---

703669-3 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.

---

703509-1 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.

---

703196-3 : Reports for AVR are missing data

Component: Application Visibility and Reporting

Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.

Conditions:
Using AVR statistics.

Impact:
Expected AVR statistics may be missing.

Workaround:
Run the following shell command on BIG-IP:

sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql

---

703165 : shared memory leakage

Component: Advanced Firewall Manager

Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).

Conditions:
Many shmem segments allocated and used by tmm.

Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.

Workaround:
There is no workaround at this time.

---

702933 : Loading UCS with different provisioning can cause a single TMM crash

Component: Application Visibility and Reporting

Symptoms:
Saving a UCS file on one system and loading it on another that has different provisioning, can lead to TMM crash.

Note: The crash will take place only once and the next process of TMM that will be automatically restarted will work without problems.

Conditions:
-- Save a UCS on a system that has AVR or ASM with DoS configured.
-- Load the UCS on a system that does not have AVR nor ASM provisioned.

Impact:
When the system restarts after loading the UCS, TMM can crash but second process of TMM will work fine.

There is no actual impact, since the system is not operational anyway during UCS load, it only takes more time to bring the system to active state after loading the UCS.

Workaround:
When loading a UCS that was saved on a system that had AVR or ASM, make sure the same modules are provisioned first, and then load the UCS.

---

702615-1 : During reboot to another volume, the GUI login page becomes prematurely available★

Component: TMOS

Symptoms:
Less than a minute after a reboot to another volume is initiated from the GUI, the GUI reports that the reboot is complete and displays the login page. Normally, a reboot takes about 5 minutes.

Conditions:
User initiates a reboot to another volume from the GUI.

Impact:
Misleading information is shown in the GUI. The GUI reports that the reboot is completed and displays the login prompts. However this is not correct because the reboot is still in progress.

Workaround:
Check the reboot status from the console or simply wait about 5 minutes before attempting to login to the system again.

---

702439-3 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size argument back to its default.

---

702350 : FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS

Component: Application Security Manager

Symptoms:
Fingerprinting is injected while no ASM feature using it is asking for it.

Conditions:
-- Web-scraping is configured in the policy history.
-- Policy iss configured using REST.

Impact:
FingerPrint JS is injected for each request.

Workaround:
1. Turn on Bot detection and click Save.
2. Turn off Bot detection, FP flag, and suspicious clients detection, and click Save.
3. Apply Policy.

---

702310-2 : The ':l' and ':h' options are not available on the tmm interface in tcpdump

Component: TMOS

Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.

Conditions:
Running tcpdump.

Impact:
Packet capture on the tmm interface from the Linux side or the host side of tmm interface is not possible.

Workaround:
There is no workaround at this time.

---

702281-2 : OneConnect header transformations may cause some Websocket connections to reset.

Component: Local Traffic Manager

Symptoms:
During the Websocket handshake, if OneConnect is on, the Websocket header is set as "connection: close", then OneConnect will transform the header to be "X-Cnection: close". If the header is set as "connection: upgrade" as well as "connection: close", then OneConnect will transform both to be "X-Cnection: close" and "X-Cnection: upgrade", respectively. This causes some Websocket handshakes to fail.

Conditions:
Virtual server has HTTP and OneConnect profiles. The request has "Connection: close" and "Connection: upgrade" headers during the Websocket handshake.

Impact:
Websocket handshakes fail resulting in connection reset.

Workaround:
Remove OneConnect or use iRule to re-add "Connection: upgrade"

---

701977-3 : Non-URL encoded links to CSS files are not stripped from the response during concatenation

Component: WebAccelerator

Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.

Conditions:
White space in the URLs.

Impact:
As above.

Workaround:
No workaround at this time.

---

701944-2 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6

Solution Article: K42284762

Component: Access Policy Manager

Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.

Conditions:
- Machine certificate check configured for with 'match issuer' configuration.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.

Impact:
Machine certificate check does not pass because Edge client crashes.

Workaround:
None.

---

701722-2 : Potential mcpd memory leak for signed iRules

Component: TMOS

Symptoms:
There is an MCP memory leak that occurs when th message "Signature encryption failed" is seen in /var/log/ltm.

Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.

Impact:
MCP leak memory.

Workaround:
Resolve the signature encryption issue.

---

701690-3 : Fragmented ICMP forwarded with incorrect icmp checksum

Solution Article: K53819652

Component: Local Traffic Manager

Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.

Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or SNAT/NAT only when a fragmented ICMP packet is received and is expected to be passed through the virtual server (or SNAT or NAT).

Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.

Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.

---

701555-3 : DNS Security Logs report Drop action for unhandled rejected DNS queries

Component: Advanced Firewall Manager

Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.

Conditions:
DNS profile set unhandled-query-action reject.

Impact:
Incorrect event log. This is an incorrectly logged event and doe not indicate an issue with the system

Workaround:
None.

---

701341-2 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.

System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:

--dbval: Unable to find variable: [security.commoncriteria]

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.

Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat

---

701289-2 : Static BFD with BIG-IP floating IP address

Component: TMOS

Symptoms:
In a HA configuration BFD session on both Active and Standby nodes can be configured with the same floating Self IP as a source IP address. This ends up with both Active and Standby nodes to actively send BFD Control packets to BFD neighbor. Responses from BFD neighbor are delivered to the Active node only. In effect not only the state of the session mismatches on Active and Standby node, also BFD Control packets send different information that disturbs the session.

Conditions:
- BFD sessions on HA Active and Standby have the same floating Self IP as a source IP address.

Impact:
BFD session gets disturbed both on HA Active node and BFD neighbor that might end up with invalidation of the route to the BIG-IP.

Workaround:
Workaround can be to manually disable BFD session on Standby node, however on failover the session would need to be manually restored.

Other workaround can be to use non-floating Self IP as a source IP address of BFD Control packets, this however might require some additional logic on the BFD neighbor side.

---

701232-1 : Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation

Component: Global Traffic Manager (DNS)

Symptoms:
Two GTM devices that have the same local IP address are not able to establish an iQuery connection, even when a translated address is configured.

Conditions:
This condition may occur if two GTM servers have the same self IP address on separate networks that are attempting to use address translation to establish a connection.

Impact:
When one or more GTM devices attempt to establish an iQuery connection to another device, it actually establishes a connection with itself instead of the other device.

Workaround:
To resolve the issue,
1. Configure the devices to have different self IP addresses.
2. Change the addresses and translated addresses of the corresponding GTM servers to match the new configuration using the following example command:
tmsh modify gtm server <server_name> addresses ...

---

701033-1 : Tcl actions not run if conditions have overlapping IP ranges

Component: Local Traffic Manager

Symptoms:
Overlapping CIDR subnets in rule's condition cause unexpected result.

Conditions:
-- LTM policy with more than one IP-address-based condition.
-- The IP address ranges overlap.
-- An associated action that invokes a Tcl command.

Impact:
Tcl action is not run.

Workaround:
None.

---

701025-1 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value

Component: Application Security Manager

Symptoms:
BD restarts with this error:
    Plugin configuration load timeout. Exiting.

Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.

Impact:
BD restarts continuously.

Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.

-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------

-- Set the bd internal parameter num_rw_threads to the amount of plugin channels that TMM expects.

-- Revert 'provision.tmmcountactual' sys db to the default value.

---

700989-2 : Better detecting browser extentsions

Component: Application Security Manager

Symptoms:
Browser extensions are not always detected

Conditions:
enabling "Web Scraping -> Suspicious Clients -> Detect browsers with Scraping Extensions", and choosing disallowed extensions.

Impact:
Browsers with disallowed extensions are not blocked.

Workaround:
None.

---

700897-3 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG

Component: TMOS

Symptoms:
sod consumes excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.

Conditions:
When the number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.

Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.

Workaround:
There is no workaround at this time.

---

700794-2 : Cannot replace a FIPS key with another FIPS key via tmsh

Component: TMOS

Symptoms:
If you try to replace an existing FIPS key using "tmsh install sys crypto key" the command fails with "is already FIPS". This can also occur when issuing the commands via the REST API.

Conditions:
If a FIPS key already created/installed via tmsh, it can not be replaced or overwritten via "tmsh install sys crypto" command.

Impact:
Fail to overwrite a FIPS key with another FIPS key via tmsh

---

700639 : The default value for the syncookie threshold is not set to the correct value

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000

---

700426-2 : Switching partitions while viewing objects in GUI can result in empty list

Solution Article: K58033284

Component: TMOS

Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.

Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.

For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.

Impact:
The list of pools is empty despite the fact that there are pools available.

Workaround:
Return to the first page of objects before switching to any other partition.

---

700250-1 : qkviews for secondary blade appear to be corrupt

Solution Article: K59327012

Component: TMOS

Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.

Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.

Impact:
The system posts the following messages:
    gzip: stdin: unexpected end of file
    tar: Child returned status 1
    tar: Error is not recoverable: exiting now


Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.

Workaround:
None.

---

700118-2 : rrset statistics unavailable

Component: Global Traffic Manager (DNS)

Symptoms:
When cache entries of any kind are deleted, the rrset statistics for the cache may not be available

Conditions:
This occurs when dns cache entries are deleted

Impact:
Rrset statistics may not be available

---

700080-1 : A db var compression.zlibinflateratio.threshold is added to force stopping inflating

Component: Local Traffic Manager

Symptoms:
A zip bomb can be sent to a BIG-IP system. When it is unzipped, its content can consume too much space.

Conditions:
This happens when the inflation ratio is very high.

Impact:
It can cause buffer overflow, or out of memory.

Workaround:
None.

---

700035-3 : /var/log/avr/monpd.disk.provision not rotate

Component: Application Visibility and Reporting

Symptoms:
the log file may fill-up /var partition

Conditions:
there is no special condition for this issue - if the log is big it won't rotate

Impact:
the log file may fill-up /var partition

Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision

---

699898-3 : Wrong policy version time in policy created after synchronization between active and stand by machines.

Component: Application Security Manager

Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.

Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.

Impact:
Policy version timestamp on standby system is not synchronized properly.

Workaround:
Run full synchronization again from active system to the group.

---

699512-3 : UDP packet may be dropped when queued in parallel with another packet

Component: Global Traffic Manager (DNS)

Symptoms:
UDP packets may be dropped.

Conditions:
-- UDP packets are received in quick succession with matching IP/Port pairs.
-- The UDP virtual server does not use datagram LB mode.
-- One of the following:
   + A DNS profile is attached to a virtual server.
   + Rate limit is applied.

Impact:
UDP packets may be dropped.

Workaround:
Configure the virtual server with a UDP profile with datagram LB mode enabled.

---

699076-3 : URI::path iRules command warns end and start values equal

Component: Local Traffic Manager

Symptoms:
URI::path iRules command warns end and start values equal

Conditions:
The end and start values equal

Impact:
Warning message shows in console.

Workaround:
Ignore the warning.

---

698991 : CPU utilization on i850 is not a reliable indicator of system capacity

Solution Article: K64258832

Component: TMOS

Symptoms:
Unlike previous platforms, the i850 may report between 50-70% CPU utilization when at full capacity. The specific number is workload dependent, and therefore should not be used as an indicator of system headroom for sizing purposes.

Conditions:
Running BIG-IP software on an i850.

Impact:
Confusion of actual capacity usage.

Workaround:
Refer to the BIG-IP stats and published capabilities to determine utilized capacity under a specific workload.

---

698933-3 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.

Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.

---

698931-3 : Corrupted SessionDB messages causes TMM to crash

Component: TMOS

Symptoms:
TMM SegFaults and restarts

Conditions:
This was reported once during normal tmm operation.

Impact:
Traffic disrupted while tmm restarts.

---

698917 : Unexpected additional policy is created while creating a policy from a template via REST

Component: Application Security Manager

Symptoms:
An unexpected additional policy is created while creating a policy from a template via REST while modifying other attributes.

Conditions:
The user creates a policy from a template via REST while modifying other attributes.

Impact:
An unexpected additional policy is created.

Workaround:
Use the import-policy task to create a new policy from a template in REST. Alternatively, if using the /policies endpoint, create the policy with just the name and template, and make any other changes as a separate update afterwards.

---

698911 : Periodically SIP requests are not sent to the server

Component: Service Provider

Symptoms:
When rate-limiting is configured on the virtual server and/or pool using a SIP profile, periodically SIP requests may not be forwarded to the server despite rate being under limit.

Conditions:
SIP profile associated with virtual server and rate-limit configured.

Impact:
SIP requests may not be forwarded to the server.

Workaround:
There is no workaround other than disabling rate-limiting.

---

698844 : LCD splash screen may display incorrect platform name on iSeries appliance

Component: TMOS

Symptoms:
The LCD on an iSeries appliance may show the incorrect platform name after a license is applied.

Conditions:
The platform name may be incorrect on the LCD until the first reboot.

Impact:
Display only, no functional impact

Workaround:
Use "tmsh show sys hardware" to see the correct platform name.

---

698599 : Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.

Solution Article: K24479486

Component: TMOS

Symptoms:
Cave Creek Hardware-accelerated Secure Sockets Layer (SSL) traffic may encounter errors and performance problems.

The BIG-IP system may experience SSL connection failures or reduced performance.

Following logs show an example of errors seen:
/var/log/ltm
-- crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
-- warning tmm3[11707]: 01260009:4: Connection error: ssl_basic_rx:1015: decrypt request error (20)

Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system uses Cave Creek SSL hardware acceleration.
-- You are experiencing a high SSL traffic load.

Impact:
The BIG-IP system may experience SSL connection failures or reduced performance.

Workaround:
To work around this issue, you can increase the crypto.queue.timeout database key. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system. This procedure will mitigate future occurrences. A reboot of the BIG-IP system is required to clear a currently occurring condition.

1. Log in to the Traffic Management Shell (tmsh) as an administrative user.
2. Run the following command: modify /sys db crypto.queue.timeout value 300
3. Reboot the BIG-IP system.

---

698597 : BIG-IP fails to go active after cryptographic hardware has recovered from a failure

Solution Article: K10300436

Component: TMOS

Symptoms:
A BIG-IP system might not become active after a crypto-failsafe condition even after it has recovered from a cryptographic hardware failure.

As a result of this issue, you might see output of the tmsh show sys ha-status command similar to the following example:

Feature Key Action Fail Feature Take Client Proc Timeout
crypto-failsafe qa-crypto3-3 failover yes yes yes 0 tmm3 0

The /var/log/ltm file contains messages similar to the following examples:
-- crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
-- notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.

Conditions:
This issue occurs when all of the following conditions are met:

-- Using BIG-IP 2000/2200, 4000/4200, or i2600/i2800 platforms.
-- The crypto-failsafe action is set to failover.
-- The failsafe condition is triggered.
-- The cryptographic hardware has recovered from its failure.

Impact:
The BIG-IP system stays down, even after the cryptographic hardware has recovered. When the system is in this condition, traffic is not being processed.

Workaround:
When your BIG-IP system is in this state, you can recover by restarting the Traffic Management Microkernel (TMM) process. To do so, perform the following procedure:

Impact of workaround: Because so there is no traffic being passed, there is no traffic impact to performing this procedure.

1. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
2. Restart TMM by running the following command:
restart /sys service tmm

Note: There is no way to easily determine whether the cryptographic hardware has recovered from the failure. Unfortunately, therefore, performing this mitigation step might not return the BIG-IP system to an active state. There are other issues with similar symptoms. If your system is experiencing one of those issues instead, this mitigation step will not produce successful results.

Here are three other Known Issues that produce almost exactly the same error messages, but involve different configurations. You might find additional assistance here::
  + K53752362: The BIG-IP system may erroneously detect a stuck crypto queue in Cave Creek devices :: https://support.f5.com/csp/article/K53752362
  + K53220379: The BIG-IP system may erroneously detect a stuck crypto queue :: https://support.f5.com/csp/article/K53220379
  + K16632: A vCMP host may stop processing SSL and HTTP compressed traffic for a vCMP guest due to a worker-lite system timeout :: https://support.f5.com/csp/article/K16632

---

698594 : Cave Creek Crypto hardware reports a false positive of a stuck queue state

Solution Article: K53752362

Component: TMOS

Symptoms:
In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800.

The system writes messages similar to the following example to the /var/log/ltm file:

crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
warning sod[4949]: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.

Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses the Cave Creek encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP system as an administrative user.

2. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh

3. To change the crypto queue timeout value, run the following command:
modify /sys db crypto.queue.timeout value 300

4. Save the change by running the following command:
save sys config

Increasing the crypto queue timeout gives the hardware enough time to process all queued request.

---

698462 : TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections

Component: TMOS

Symptoms:
When the tcp-timestamp-mode is set to 'rewrite', not the default 'preserve', the client side TSecr is not set correctly for the FIN packets. When the flow is evicted due to FIN processing in ePVA, the process copies the timestamp from the server sending the FIN/ACK. This unexpected behavior causes the TCP client to halt at the FIN-WAIT-2 because the client thinks the FIN/ACK from the BIG-IP system includes illegitimate timestamp options, and drops it.

Conditions:
-- tcp-timestamp-mode is set to 'rewrite'.
-- FastL4 profile.
-- Systems with ePVA feature support.

Impact:
TCP client cannot handle the FIN packets properly, causing connection issues.

Workaround:
Use the default 'preserve' mode for FastL4 profiles.

---

698211-3 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Solution Article: K35504512

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
Delete a wildcard resource record to the related DNS express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.

---

698171-1 : STP interfaces remain in block state on 40G bundled interfaces after enabling STP

Component: TMOS

Symptoms:
STP interfaces are in a blocked state.

Conditions:
40G bundled interface is enabled with STP.

Impact:
No STP BPDU gets send out and the STP state is blocked.

---

698034-2 : PKCS12 file imported via Configuration utility into folder is placed at partition root

Component: TMOS

Symptoms:
When importing a certificate (cert) using the GUI Configuration utility, you can specify a partition folder, and the system imports the cert into that partition folder. However, specifying a partition folder when importing a PKCS12 cert imports it to the root partition folder, Common.

Conditions:
Login to GUI:
 - Navigate to:
System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.

 - Click Import:
Select 'PKCS'.

 - Give the cert a name:
sync_group/pk12gui

Impact:
PKCS12 files imported using the GUI Configuration utility are placed at root partition folder, Common, rather than the partition folder.

Workaround:
You can use either workaround:
-- Once the PKCS12 file has been imported, export the cert and key, and then re-import into the partition folder.

-- Import PKCS12 file using TMSH.

---

698013-4 : TACACS+ system auth and file descriptors leak

Solution Article: K27216452

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.

Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.

---

697988-2 : During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%

Solution Article: K34554754

Component: Local Traffic Manager

Symptoms:
During config sync, if many (hundreds) of client-ssl profiles are attached to a virtual server, the CPU may spike to 100%.

Conditions:
-- Many (hundreds) of client-ssl profiles are attached to a virtual server.
-- Config sync is executed.

Impact:
If enough client-ssl profiles are attached, the watchdog could fire, crashing tmm and causing service disruption. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not attaching hundreds of client-ssl profiles to a virtual server, or disabling config sync.

---

697766-3 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'

Component: TMOS

Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen

isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.

Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than than version 11.6.1.

In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:


   router isis isisrouter
   is-type level-2-only
   authentication mode md5
   authentication key-chain keychain-isis
   lsp-refresh-interval 5
   max-lsp-lifetime 65535
   net 49.8002.00c1.0000.0000.f523.00

Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.

Workaround:
None.

---

697626 : iRules LX: Cannot modify workspace imported by "Import From Workspace"

Component: Local Traffic Manager

Symptoms:
The permissions of an iRules LX workspace copy created from the "Import..." "From Workspace" are set to 775 (drwxr-xr-x) for directories and 444 (-r--r--r--) for files including the node and tcl code files. This causes the "Could not save file: <file>" error upon modification of the code.

Conditions:
Attempting to modify imported workspace.

Impact:
Cannot save changes.

Workaround:
A. Create an "archive file" first and use it for importing.
B. After creating a copy using "From Workspace", run chmod command to add +w to the group and others: e.g., chmod -R g+w,o+w <Workspacename>.

---

697590-5 : APM iRule ACCESS::session remove fails outside of Access events

Component: Access Policy Manager

Symptoms:
ACCESS::session remove fails

Conditions:
iRule calling ACCESS::session remove outside of Access events.

Impact:
APM iRule ACCESS::session remove fails to remove session

Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.

---

697265 : MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.

Component: Advanced Firewall Manager

Symptoms:
MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.

/var/log/ltm contains messages similar to the following:
-- err clusterd[7274]: 013a0004:3: IO error on recv from mcpd - connection lost
-- info sod[7953]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- notice chmand[7594]: 012a0005:5: resetting chmand services
-- err snmpd[7952]: 010e0001:3: Cannot communicate with MCPD server.
-- err mysqlhad[7596]: 014e0006:3: MCP Failure: 1.
-- err zxfrd[7962]: 0153e0f7:3: Lost connection to mcpd.
-- err tmrouted[6299]: 01910013:3: FATAL error: 6 irrecoverable MCP I/O error (Unknown error 16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: MCP msg receive (16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: Socket read (16908291).

Conditions:
-- AFM configuration.
-- Devices in a device group trust configuration.
-- Device group configured with Autosync enabled.
-- Importing a configuration with a very large number of nested address lists (for example, 12000 nested address lists).

Impact:
mcpd cores.

Workaround:
Split the configuration into smaller chunks (e.g., 1000 address lists each) and load them one at a time.

---

696908-2 : Updating iRule causes TMM to crash

Component: Local Traffic Manager

Symptoms:
A tmm core occurs when reloading an iRulesLX (iLX) Plugin. You might see error messages:

notice ** SIGFPE **
        pgo_use x86_64 vadc TMM Version 13.1.3.2.0.0.4
        panic: Tcl Object 5600092578f8 is currently on free list

Conditions:
iRulesLXPlugin was reloaded into Workspace.

Impact:
Crash in TMM caused by updating an iLX instance. Traffic disrupted while tmm restarts.

Workaround:
None.

---

696755-2 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}

---

696731-1 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administrative disabling an interface on BIG-IP

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.

---

696363 : Unable to create SNMP trap in the GUI

Component: TMOS

Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.

Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.

Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.

Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.

Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.

---

696348-1 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option

Component: Service Provider

Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:

[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]

Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option

Impact:
The commands still be executed during runtime but the warning message may confuse user.

---

695985-1 : Access HUD filter has URL length limit (4096 bytes)

Component: Access Policy Manager

Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.

Conditions:
Any URL with a request consisting of more than 4096 bytes.

Impact:
The URL cannot be processed, and client gets a RST.

Workaround:
None.

---

695707-3 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection

Component: Local Traffic Manager

Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.

Conditions:
Close an MPTCP connection.

Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.

Workaround:
There is no workaround at this time.

---

695401 : QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile

Component: Fraud Protection Services

Symptoms:
when FPS signature update defines a URL with a query string, and defines a custom alert for that URL, the alert will not be sent if there is no URL with a query string configured on the FPS profile.

Conditions:
1. Custom alert for a URL with query string.
2. There are. no URLs with query string configured on FPS profile

Impact:
System does not send alert.

Workaround:
Define a URL (potentially a placeholder URL) with query string on FPS profile.

---

695109-3 : Changes to fallback persistence profiles attached to a Virtual server are not effective

Solution Article: K15047377

Component: Local Traffic Manager

Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.

Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.

Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.

Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.

---

695090 : In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled

Component: TMOS

Symptoms:
In rare situations, hardware syncookies may be sent for the traffic received on a L7 virtual server even though hardware syncookie protection is disabled on the virtual server.

Conditions:
It is unknown what triggers this error condition at this point.

Impact:
Some of the TCP options are not supported under hardware syncookie protection mode.

Workaround:
There is no workaround at this time.

---

694934-3 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.

---

694897-4 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.

Component: TMOS

Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.

Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1 GB interfaces.
-- On i4x00 platforms.

Impact:
PFMAND cores.

Workaround:
Use only F5 branded Copper SFPs

---

694657-2 : ASM GUI displaying inconsistent policy sync version information

Component: Application Security Manager

Symptoms:
There is an inconsistency in how ASM-config derives the current policy revision, and in how it determines what is the 'latest' revision number for a policy.

When upgrading machine the system attempts to restore the 'last active version' of each policy. The system determines the latest version by the highest revision number, which is now wrong. So an older version of the policy is restored.

Conditions:
Inactivate policy and activate again.

Impact:
The policy revision numbers start again, so the GUI appears to be displaying incorrect information, which can cause confusion.

Workaround:
None.

---

693966-2 : TCP sndpack not reset along with other tcp profile stats

Component: Local Traffic Manager

Symptoms:
TCP sndpack stat added is not being properly reset when a tmsh reset-stats command is issued.

Conditions:
When tmsh reset-stats command is issued.
-- tmsh reset-stats /ltm profile tcp <profile-name>

Impact:
TCP sndpack stat doesn't reset when tmsh reset-stats command is issued.

Workaround:
There is no workaround.

---

693901-3 : Active FTP data connection may change source port on client-side

Component: Local Traffic Manager

Symptoms:
The active FTP data connection on the client-side may use source port other than what was configured in the 'Data Port' parameter of the FTP profile.

Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.

Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.

Workaround:
None.

---

693578-1 : switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Component: TMOS

Symptoms:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Conditions:
None

Impact:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Workaround:
None

---

693563-3 : No warning when LDAP is configured with SSL but with a client certificate with no matching key★

Solution Article: K22942093

Component: TMOS

Symptoms:
When LDAP auth is configured with SSL:

- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.

Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.

Impact:
LDAP auth fails. There is no warning that the auth failed.

Workaround:
Configure a key that matches the specified client certificate.

---

693515 : A '+' character in a log profile name causes import to fail

Component: Advanced Firewall Manager

Symptoms:
When there is a '+' character in log profile name, importing the module on BIG-IQ fails as '+' is treated as a reserved character.

Conditions:
Configuration of '+' character in log profile name

Impact:
Import fails due to reserved character

Workaround:
Do not use '+' in the name.

---

693246-1 : SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.

Component: TMOS

Symptoms:
This seems to happen very infrequently. Symptoms vary from a simple TMM restart up to a blade reset. LTM log will show a sod message complaining about TMM heartbeats, followed later by SIGABRT messages from TMM.

Conditions:
TMM has not reported its heartbeat for a long enough period of time. The specific circumstances are unknown, but the issue has been seen with moderate-to-heavy system loads.

Impact:
Interruptions in data path processing. The interruption can be short for a simple TMM restart, longer for a full blade restart. Though these events altogether are rare, when they happen, it appears the simple TMM restart is more common than the blade restart.

Workaround:
None.

---

692753-3 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell

Component: TMOS

Symptoms:
Shutting down trap not sent when shutdown -r or shutdown -h issued from shell.

Conditions:
When user access the linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP does not send shutting down trap.

Impact:
None.
Since this is user triggered command, the user is aware of the shutdown event, so the lack of trap is not critical.

Workaround:
None

---

692218-5 : Audit log messages sent from the primary blade to the secondaries should not be logged.

Component: TMOS

Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.

Conditions:
Multi-blade platform.

Impact:
Unnecessary messages in the log file.

Workaround:
None.

---

692172-2 : rewrite profile causes "No available pool member" failures when connection limit reached

Component: TMOS

Symptoms:
ltm rewrite profile (with mode uri-translation) can cause connections on ltm forwarding virtual server to be terminated with reason "No available pool member".

Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.

Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.

Workaround:
An iRule which selects default pool on HTTP_REQUEST:

when HTTP_REQUEST priority 1000 {
    pool [LB::server pool]
}

---

691992 : MSTP: CIST bridge priority changes after adjusting the MSTI priority.

Component: Local Traffic Manager

Symptoms:
Changing the priority of a non-zero region MSTP instance results in BPDUs advertising a change to the CIST Bridge Priority, but not for the expected MSTID instance.

Conditions:
Issue a STP MSTID priority modify request.

Impact:
Changing the MSTID priority for forcing the BIG-IP system to become the root bridge, does not work as expected.

Note: F5 Networks recommends against having the BIG-IP system become the root bridge.

Workaround:
After modifying the MSTID priority, also restart the STP daemon (stpd) to have the BPDUs advertising the expected CIST/MSTID priorities.

---

691785-3 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

---

691749-3 : Delete sys connection operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.

Conditions:
Include delete sys connection operations in TMSH transactions.

Impact:
TMSH freezes up and transactions do not complete.

Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.

---

691491-3 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Solution Article: K13841403

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.

---

691048-3 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.

Conditions:
Diameter answer message doesn't have Result-Code AVP available, but with Experimental-Result AVP.

Impact:
The server side flow is aborted.

Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.

---

690890-3 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.

---

690781 : VIPRION systems with B2100 or B2150 blades cannot run certain combinations of vCMP guest sizes

Component: TMOS

Symptoms:
VIPRION systems equipped with B2100 or B2150 blades cannot run any more vCMP guests in addition to three 1-slot 8-core guests.

So if a system has four blades, any additional guests created on the remaining blade will not be operational.

Although the system allows all guests to be created and started, the ones deployed last will not work correctly.

Specifically, the guests deployed last will fail to access TMM networks.

Additionally, the vCMP host logs messages similar to the following example to the /var/log/ltm file:

-- info bcm56xxd[13741]: 012c0016:6: FP(unit 0) Error: Group (6) no room.
-- err bcm56xxd[13741]: 012c0011:3: entry create failed: SDK error No resources for operation bs_field.cpp(447)
-- err bcm56xxd[13741]: 012c0011:3: geteid_qualify_egress failed: SDK error No resources for operation bs_field.cpp(2009)
-- err bcm56xxd[13741]: 012c0011:3: program dest mod/port rule failed: SDK error No resources for operation bs_vtrunk.cpp(5353)
-- err bcm56xxd[13741]: 012c0011:3: vdag class L4 redirect failed: SDK error No resources for operation bs_vtrunk.cpp(3261)

Conditions:
This issue occurs when the following conditions are met:

-- A C2400 VIPRION chassis is equipped with four B2100 or B2150 blades.

-- A vCMP configuration consisting of at least three 1-slot 8-core guests was put in place (in other words, three full-blade guests).

-- One or more vCMP guests are created on the remaining VIPRION blade in the chassis.

Impact:
One or more guests do not function properly as they cannot access TMM networks. All traffic fails to pass.

Workaround:
This issue is caused by a hardware limitation on B2100 and B2150 blades preventing this specific vCMP configuration from instantiating correctly.

As a workaround, you must specify different vCMP guest sizes.

For instance, you could use the following configuration:

-- Four 2-slot 4-core vCMP guests instead of four 1-slot 8-core vCMP guests

Although not the same, both configurations yield the same total number of TMM instances per guest.

---

690778-3 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Solution Article: K53531153

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.

---

690316 : Software syncookies are sent for FastL4 virtual server with software syncookies disabled

Component: Local Traffic Manager

Symptoms:
If a virtual server using FastL4 is configured with software SYN cookies disabled and global hardware SYN cookies disabled using the pvasyncookies.enabled DB setting, then software SYN cookies may still be sent if a SYN flood occurs on the VIP.

This can be observed by seeing that the virtual server went into syncookie mode in the LTM logfile.

Conditions:
If the FastL4 profile has software-syn-cookie disabled, hardware-syn-cookie enabled, and the pvasyncookies.enabled db setting is set to false.

Impact:
The VIP enters SYN cookie mode.

Workaround:
Both hardware-syn-cookie and software-syn-cookie should be disabled in the FastL4 profile.

---

689987-2 : Requests are not logged on new virtual servers after UCS load while ASM is running

Component: Application Security Manager

Symptoms:
Requests are not logged on new virtual servers after UCS load while ASM is running.

Conditions:
UCS file is loaded with different virtual servers while ASM is running.

Impact:
Requests are not logged on newly added Virtual Servers.

Workaround:
You can use either of the following workarounds:
-- Restart ASM.

-- Disassociate the logging profile and re-associated it with all affected virtual servers.

Note: As a best practice, it is recommended that you always perform a full restart after UCS load. To do so, run the following command: bigstart restart.

---

689982-1 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.

---

689779 : VE HyperV packet drops under load due to interrupt distribution

Component: TMOS

Symptoms:
A small number of dropped inbound packets to the BIG-IP system while under load.
 
Network captures on a virtual port mirror show that the packets are making it to the BIG-IP VE, but the packets are not seen by tmm or Linux by tcpdumping on 0.0, 1.1, or eth1.

Conditions:
HyperV Virtual Edition (VE) v12.1.x or earlier.

Impact:
Performance and network degradation due to packet loss.

Workaround:
None.

---

689583-3 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.

Component: Global Traffic Manager (DNS)

Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
 notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
 notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
 err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.

Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
 big3d --version
 big3d
 big3d -xyz
 big3d -d

Impact:
GTM server goes red momentarily.

Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.

---

689567-3 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.

---

689343-3 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have timeout value less than 10 seconds, although the configured persistence timeout is 120 seconds

Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, thus subsequent requests will be dispatched to other pool member.

Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.

---

689231 : MSSQL filter assumes 64-bit token done row count field

Component: Local Traffic Manager

Symptoms:
Virtual server with MSSQL profile gets tds internal error (Out of bounds) error message. This occurs when the row count of token done is not 64-bit, in which case the connection will be closed with a reset.

Conditions:
-- This occurs using the MSSQL profile for the virtual server.
-- Pool member is running Microsoft SQL Server 2016 with TDS version is 7.1 or earlier.

Impact:
Get reset cause: Packet capture RST cause: [23db241:1807] tds internal error (Out of bounds).

Unable to use TDS 7.1 or earlier with MSSQL filter.

Workaround:
Use TDS 7.2 or later. TDS 7.2 and later use 64-bit row count field for token done.

---

689147-1 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.

---

689117-1 : Transfer Complete log message now includes the SOA Serial number

Component: Global Traffic Manager (DNS)

Symptoms:
It was hard to track the serial numbers of completed xfers.

Conditions:
When an AXFR or IXFR completes, the log message does not indicate what serial number was transferred.

Impact:
If there are many, frequent updates to the master zone, it can be difficult to track what serial number(s) have already been transferred from the master server to the DNS Express server.

Workaround:
None.

---

688833-2 : Inconsistent XFF field in ASM log depending violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.

Conditions:
Viewing the XFF results in ASM log.

Impact:
This might cause problems with the syslog filters configured on the remote loggers.

Workaround:
Put in the rules that the client is using both 'xff ip' and 'xff_ip'.

---

688826-1 : Charts discrepancy in AVR reports

Component: Application Visibility and Reporting

Symptoms:
When filtering on a specific virtual server on the 'last week' interval, the total requests are shown. Then, when you drill down by client IP address, a lower number is reported.

Conditions:
-- Number of records in the database exceeds the maximum amount of data that AVR can aggregate between different table-resolutions.
-- Filter AVR report by client IP address.

Impact:
Stats are incorrect.

Workaround:
None.

---

688813-1 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
While other dimensions are being collapsed correctly, the Device ID field is not being collapsed causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.

---

688570-3 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes

Component: Local Traffic Manager

Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.

Conditions:
An MPTCP connection is closed.

Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.

Workaround:
There is no workaround at this time.

---

688557-3 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Solution Article: K50462482

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).

---

688542-1 : SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request

Component: Local Traffic Manager

Symptoms:
The version of the SASP monitor requests updates only from the SASP GWM (Global Workload Manager) for members whose state has changed from what the GWM last reported. The previous version of the SASP monitor requested periodic updates for all members monitored by the GWM.

Conditions:
Running the version of the SASP (Server/Application State Protocol) monitor included in post-12.1.2 BIG-IP software.

Note: This behavior does not occur with previous versions of the SASP monitor, included in pre-12.1.2 versions of BIG-IP software.

Impact:
This change in behavior from the previous SASP monitor implementation has not been confirmed to cause any observable symptoms. If any symptoms are observed which are suspected to be the result of this change, a support request should be opened with F5 support for further investigation.

Workaround:
None.

---

688406-3 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.

---

688335-3 : Big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system. (in other words, can incorrectly overwrite big3d on the remote system with an older version of big3d)

Impact:
Big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>

---

688266-3 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager (DNS)

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.

---

688177-2 : Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade

Component: Device Management

Symptoms:
Following a BIG-IP software upgrade (for example, from version 11.5.4 to version 11.6.1), local users with Administrator role may be changed to Guest role.

Conditions:
The BIG-IP configuration includes one or more local accounts with Administrator role (other than the 'admin' user).

Please note that this issue does not occur on every upgrade, but has roughly a 10% probability of occurring.

Impact:
Administrator users other than 'admin' have no access after the upgrade.

The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.

Workaround:
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.

---

687807-3 : The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception

Component: Local Traffic Manager

Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the GUI posts an error on page: System :: Device Certificates : Device Certificate :: Device Certificate: An error has occurred while trying to process your request.

Conditions:
The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/.

Impact:
-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Inconsistently manages those files improperly.
   + May return errors on System :: Device Certificates : Device Certificate :: Device Certificate (e.g., 'An error has occurred while trying to process your request.').
   + May confuse objects (e.g., 'web-server.crt' and 'web-server.crt.csr').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing these files, and reports an error.

Workaround:
Rename the csr file suffix from '.crt.csr' to '.csr'.

---

687797-1 : iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.

Component: TMOS

Symptoms:
iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot return the details of all SSL certificates present in the configuration at once.

Requests to said endpoint may return a 400 HTTP status code and a stack trace indicating a timeout exception.

Conditions:
This issue is more likely to occur with configurations that include a large number of SSL certificates.

Impact:
The iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.

Workaround:
You can request the details of one SSL certificate at a time from that particular endpoint (for instance, /mgmt/tm/sys/crypto/cert/~Common~my1.crt).

Or you can request the details of all SSL certificates present in the configuration at once by using the /mgmt/tm/sys/file/ssl-cert endpoint (which is not affected by this issue).

---

687617-3 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when they are set to "none" in configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
request-option specify the minimal set of configuration that DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It's better to set it to a minimal value like "routers, subnet-mask" in order to have management connectivity.

---

687579 : TMSH incorrectly allows settings snat-translation ip-idle-timeout to zero.

Component: Local Traffic Manager

Symptoms:
The configuration setting ' ip-idle-timeout' on the snat-translation object allows zero as a possible value.

Conditions:
Entering the following tmsh command:
tmsh create ltm snat-translation <snat-address> ip-idle-timeout 0

Impact:
The configuration will be invalid. This may cause issues with upgrades and the BIG-IP may not pass traffic correctly or as expected.

Workaround:
Do not set the snat-translation ip-idle-timeout to 0 using tmsh.

---

687343-3 : Running 'load sys config merge verify' will add new users to the PostGres database

Component: TMOS

Symptoms:
Running 'load sys config merge verify' will add new users to the PostGres database. The system posts an error similar to the following:

010719a2:3: PostgreSQL database error: ERROR: duplicate key value violates unique constraint "auth_user_pkey"
DETAIL: Key (name)=(admin1) already exists.

Conditions:
Issue occurs only under the following conditions:
-- 'load config merge verify' of configurations including user definition.
-- Attempt to create user with same name using 'load config merge', 'create user', or GUI options.

Impact:
It is not possible to use the verify argument when using 'load sys config merge' with configurations containing user definitions.

'verify' argument to 'load sys config' does not prevent or rollback side effects

Workaround:
Manually remove the user data from the PSQL database; from a bash prompt:

psql -U postgres

\c tmdb
DELETE FROM auth_user WHERE name='admin1';
DROP OWNED BY admin1;
DROP ROLE admin1;
DROP SCHEMA admin1 CASCADE;
\q

---

687213-1 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED

Component: Access Policy Manager

Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish VPN tunnel.

Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.

Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.

Workaround:
None.

---

687172 : Pools do not appear as expected after deploying iApp via iWorkflow

Component: TMOS

Symptoms:
Only two of three pools are visible in the iApp view on the BIG-IP system after deploying via iWorflow 2.2, though the pool can be found as expected in the Pools view.

Conditions:
-- After deploying via iWorflow 2.2.
-- Using iApp to view configured pools.

Impact:
Unreliable query response can result in unexpected behavior.

Workaround:
Do not rely on the iApps Component View, but inspect
BIG-IP (management GUI) Local Traffic pages such as
Local Traffic :: Pools : Pool List or examine the
/config/bigip.conf file to ascertain whether a desired
BIG-IP configuration has been created.

---

687044-2 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.

---

686816-3 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.

---

686722-2 : When BIG-IP systems are deployed as SAML IdP, the Single Logout Request processing fails the optional field 'Name ID' is missing in the request.

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is deployed as SAML Identity Provider (IdP), during the processing of the Single Logout Request, if NameID is empty in the request, the Single Logout Request fails.

Conditions:
This occurs when the SAML Single Logout Request has empty NameID field in the request.

Impact:
The processing of the SAML Single Logout request fails.

Workaround:
None.

---

686718 : VPN tunnel adapter stays up in some cases

Component: Access Policy Manager

Symptoms:
In some cases, the VPN tunnel adapter created by the VPN client stays up even when the tunnel is disconnected.

Conditions:
-- Application launch on VPN establishment is configured on APM.
-- Launched application is not closed.

Impact:
This is a cosmetic issue with no functionality impact. Subsequent launch of VPN creates a new tunnel adapter.

Workaround:
Close the launched application.

---

686626-2 : The BIG-IP system may connect to an OCSP server using an unexpected source IP address

Component: TMOS

Symptoms:
BIG-IP systems configured to perform OCSP Stapling may connect to an OCSP server using an unexpected source IP address.

The source IP address picked by the BIG-IP system may be something that doesn't exist at all in its configuration.

Additionally, the source IP address picked by the BIG-IP system may appear corrupted or invalid to an Administrator (for example: 0.0.0.112).

Conditions:
Required configuration:

1) The BIG-IP system is running a version prior to 13.0.0.

2) The BIG-IP system is deployed as an IPv4/IPv6 multihoming device.

3) The DNS Resolver used by the OCSP Stapling configuration belongs to a non-0 route domain.

4) The virtual servers performing OCSP Stapling belong to a non-0 route domain different than the one used by the DNS Resolver.

5) Virtual servers using OCSP Stapling include both IPv4 and IPv6 destinations.

6) The OCSP server FQDN resolves to an A record.

With these conditions in place, the issue occurs when a client attempts a connection to one of the OCSP Stapling-enabled IPv6 virtual servers, and this needs to connect to an IPv4 OCSP server.

The source IP address used by the BIG-IP system will be an IPv4 address containing the last 4 bytes of an IPv6 Self-IP address configured on the BIG-IP system.

Impact:
The BIG-IP system fails to perform OCSP Stapling, and the unusual traffic may trigger alarms on your network.

The actual impact is limited, as clients who request validation of the certificate status and do not get it should be able to perform it on their own.

Workaround:
Where possible, you can work around this issue by re-configuring the BIG-IP system so that some of the conditions required for this issue to occur no longer apply.

---

686563-3 : WMI monitor on invalid node never transitions to DOWN

Component: Local Traffic Manager

Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes timeout or monitor responses indicate an error. However, an WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).

Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.

Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.

Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.

---

686547-3 : WMI monitor sends logging data for credentials when no credentials specified

Component: Local Traffic Manager

Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.

Conditions:
A WMI monitor is configured without including the required username/password credentials.

Impact:
The monitored object will be marked 'down'.

Workaround:
Configure the WMI monitor to include the username/password credentials.

---

686318 : Inter TMM Caching Delay

Component: WebAccelerator

Symptoms:
In some rare circumstances on VE instances, the transmission of updated cache information from TMM to TMM can be delayed.

Conditions:
VE instances.

Impact:
Different TMM hot content caches may serve different versions of the same document from cache.

Workaround:
None

---

686206-1 : Machine Info agent does not collect complete information on disconnected network adapters

Component: Access Policy Manager

Symptoms:
On Mac OS X, the BIG-IP APM Machine Info agent does not collect information for disconnected network adapters.

On Microsoft Windows, the BIG-IP APM Machine Info agent does not collect the MAC address of disconnected network adapters.

Conditions:
Machine info agent is configured in the access policy.

Impact:
Access policy evaluation may yield incorrect results if a access policy node depends on this information.

Workaround:
There is no workaround at this time.

---

686101-3 : Creating a pool with a new node always assigns the partition of the pool to that node.

Solution Article: K73346501

Component: Local Traffic Manager

Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }

Conditions:
Creating a node while creating a pool in a partition different from the node.

Impact:
The node is displayed in the wrong partition.

Workaround:
Create a node separately and then add it to the pool.

---

686043-3 : dos.maxicmpframesize and dos.maxicmp6framesize sys db variables does not work for fragmented ICMP packets

Component: Advanced Firewall Manager

Symptoms:
ICMP/ICMPv6 fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for
'ICMP frame too large' DoS vector.

Conditions:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is received.
-- ICMPv6 fragmented packet with size larger than dos.maxicmpframesize is received.

Impact:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not dropped.
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for 'ICMP frame too large' DoS vector.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not dropped.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not counted in stats for 'ICMP frame too large' DoS vector.

Workaround:
None.

---

685915-1 : Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured

Component: Global Traffic Manager (DNS)

Symptoms:
If a DNS Express zone that has Verify Notify TSIG checked gets a notify with no TSIG at all, unsigned notifies are not processed.

Conditions:
Unigned notify is received when Verify Notify TSIG is checked.

Impact:
Unsigned notifies are not processed

Workaround:
There is no workaround at this time.

---

685820-1 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not

Component: Advanced Firewall Manager

Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.

In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections were always silently dropped after HA-failover.

Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.

Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.

Workaround:
None.

---

685233-2 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
 tmctl -d /var/tmstat/blade.

---

684096-1 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats

Impact:
incorrect self-link returned

Workaround:
be mindful when parsing the self-link

---

683706-1 : Pool member status remains 'checking' when manually forced down at creation

Component: Local Traffic Manager

Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.

Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.

Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.

---

683454 : HTTP::header command may crash TMM on an erroneous argument

Solution Article: K99294671

Component: Local Traffic Manager

Symptoms:
An iRule command 'HTTP::header insert' or 'HTTP::header remove' allows manipulation of HTTP headers. The iRule accepts arguments that might result in an error if they have an invalid format. TMM generates an internal Tcl error for the argument but continues to process the command. This might cause TMM to crash.

Conditions:
-- iRule is associated with a virtual server.
-- The iRule contains either or both of the 'HTTP::header insert' and 'HTTP::header remove' commands.
-- An argument in the command generates a Tcl error.

Impact:
TMM crashes causing failover and possible disruption in processing traffic.

Workaround:
Sanitize arguments for the command to prevent TCL error.

---

683177-2 : Can't drilldown or filter by 'Client Countries'

Component: Application Visibility and Reporting

Symptoms:
When drilling down or filtering by 'Client Countries' (Security :: Reporting : Application : Charts) there is an error in the GUI.

Conditions:
-- ASM is provisioned.
-- Attempt to drill down or filter by 'Client Countries'.

Impact:
Internal Error is displayed in the GUI.

Workaround:
1. Edit file: /etc/avr/monpd/monp_asm_entities.cfg.
2. Delete line 171: (dim_authz_filter=vip_crc).
3. Issue the command: bigstart restart monpd.

---

683135-4 : Hardware syncookies number for virtual server stats is unrealistically high

Component: TMOS

Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.

These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.

Conditions:
Virtual server with hardware syncookie protection enabled.

Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.

Workaround:
Disable the TCP Synflood vector in mitigate mode.

Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.

---

683061-2 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
Notice and error messages and core when during rapid creation/update/deletion of the same external datagroup.

-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using an external datagroup, rapidly creating and updating, and then deleting it.

Impact:
TMM crashes and generates a core. Traffic disrupted while tmm restarts.

Note: This is a timing-related crash that might not occur every time.

Workaround:
Allow the tmm process enough time to finish processing external datagroup changes before starting another operation.

Depending on the size of the datagroup, this might require from 1 second to 10 seconds or more. You can examine the LTM log for the create=finished message to help determine how much wait time is required.

---

683029-2 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.

---

682751-5 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
keytab is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.

---

681782-4 : Unicast IP address can be configured in a failover multicast configuration

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.

---

681673-2 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC addresses.

Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
 fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.

Impact:
There is not enough information to map the outgoing MAC address to a multi-cast group, and therefore it gets a default entry added that has no ports mapped. The result is that the frame will not go out the interface indicated in the tmsh command yet no warning is provided.

Workaround:
None.

---

681009-2 : Large configurations can cause memory exhaustion during live-install★

Component: TMOS

Symptoms:
system memory can be exhausted and the kernel will kill processes as a result.

Conditions:
During live-install, if configuration roll-forward is enabled, and the compressed configuration size is of a similar order of magnitude as total system memory.

Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.

Workaround:
Make sure there are no un-intended large files included in the configuration. Any file stored under /config is considered part of the configuration.

If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.

to turn off config roll forward; setdb liveinstall.saveconfig disable

to save/restore configuration manually; see
https://support.f5.com/csp/article/K13132

---

680680-2 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
in BIG-IP version 10.x, the POP3 monitor sent STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a huge amount of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).

---

680556-2 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
The specific conditions under which this occurs are not known.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

680298 : FPS may introduce latency even for unprotected pages

Component: Fraud Protection Services

Symptoms:
Depending on TCP profile parameters, FPS may introduce latency even for unprotected pages due to re-chunking of response.

The latency introduction may arise when re-chunking causes a small TCP segment that the BIG-IP system's TCP stack or upstream device chooses to buffer (for example, due to Nagle's algorithm)

Conditions:
1. FPS attached to virtual server.
2. TCP profile parameters (Nagle's Algorithm, MSS, etc.).
3. Chunked response from server.

Impact:
FPS unprotected pages may suffer 10's to 100's ms latency

Workaround:
Experience shows that disabling Nagle's Algorithm (for example) might overcome FPS latency, but it should be noted that this sort of mitigation should be carefully examined as it is influenced by many parameters (traffic patterns, other TCP profile parameters, SSL profile, etc.).

---

679751-4 : Authorization header can cause a connection reset

Component: Access Policy Manager

Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.

Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.

Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.

Workaround:
iRule workaround:

when HTTP_REQUEST {
    if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
        HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
    }
  }

---

679735-1 : Multidomain SSO infinite redirects from session ID parameters

Component: Access Policy Manager

Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.

In a packet capture, the policy completes on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server cannot find the session, and redirects back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.

Conditions:
Application with URL paramater containing 'sid', 'sess', or 'S' while using multidomain SSO.

Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.

Workaround:
None.

---

679722-2 : Configuration sync failure involving self IP references

Component: Advanced Firewall Manager

Symptoms:
Configuration sync fails, generating an error similar to the following:

Caught configuration exception (0), Values (self-IP) specified for self IP (<name>): foreign key index (fw_enforced_policy_FK) do not point at an item that exists in the database..

Conditions:
-- There is another object, such as a firewall policy, that references a self IP address.
-- The self IP address is non-syncable; that is, its traffic group is set to 'traffic-group-local-only'.

Impact:
Sync operation fails.

Workaround:
Set the self IP address' traffic group to a value other than 'traffic-group-local-only', and then force a full load push from the first device.

---

679613-2 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.

---

679605-1 : Device groups with no members will cause upgrade to fail

Component: TMOS

Symptoms:
An empty device group will fail upgrade with this error message:

Syntax Error:(/config/bigip_base.conf at line: 37) "save-on-auto-sync" unexpected argument

Conditions:
This only affects systems with empty device groups.

Impact:
Configuration will fail to load after the upgrade.

Workaround:
Remove the empty device group before upgrading. An empty device group has no effect on the system, so this is a safe action to take.

---

679431-3 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module the 'sh ipv6 interface <interface> brief' command does not show header

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief

---

679316-1 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Note: This is a subtly different issue from the one (with a very similar error, 140940F5 virtual server 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).

This issue occurs even in versions where ID 477240 is fixed. There is no fix for this specific trigger of the same message.

Note: The iQuery communication issue is fixed through Bug ID 760471: GTM iQuery connections may be reset during SSL key renegotiation :: https://cdn.f5.com/product/bugtracker/ID760471.html.

Workaround:
There is no workaround at this time, but the problem is fixed via changes made in ID760471

---

679027 : Rare memory corruption in tmrouted while license is being reset

Component: TMOS

Symptoms:
tmrouted core due to memory corruption while license is being reset.

Conditions:
Rarely, when license file is being reset, tmrouted could core.

Impact:
restart of tmrouted daemon

---

678450-3 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.

Component: Local Traffic Manager

Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.

Conditions:
-- Connect to client and launch:
 # nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
 # nc -p 8080 -v 10.10.10.40 80
-- Modify virtual server vs_web type on LTM and repeat.

When the virtual server is standard "F5RST port in use" is sent. When the virtual server is performance L4 is not.

Impact:
Connection hangs. No increase for port-in-use stats when using the following commands:
 tmsh show /net rst-cause.

Workaround:
None.

---

678322 : Missing Response Page for 'Login' is not populated upon upgrade

Component: Application Security Manager

Symptoms:
In a rare case, an error appears due to missing 'Login' Response Page when viewing Response Pages in ASM policy.

Conditions:
An ASM policy is missing a record for 'Login' Response Page. It's not clear how this condition was caused.

Impact:
An error appears:

Could not retrieve Login Page Response; Error: Could not get the ResponsePage 'Persistent Flow Response Page Properties', No matching record was found.

Workaround:
Missing Response Page can be added using this query:

mysql> INSERT IGNORE INTO PL_ALTERNATE_RESPONSES (policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rest_uuid) SELECT p.id as policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rp.rest_uuid
FROM PL_POLICIES p JOIN PL_ALTERNATE_RESPONSE_DEFAULTS rp where rp.flg_load_defaults = 1;

---

678117-1 : 'Can't create a home directory' logged for remote users on secondary blades after configsync

Component: TMOS

Symptoms:
When a remotely authenticated user logs in, a new entry is created in /config/bigip/auth/userrolepartitions. During config sync operations, the secondary blade of the device receiving the config, logs the following errors:

-- err mcpd[7575]: 01070261:3: Can't create a home directory for username /home/<username> (Failed opening home directory: /home/<username> - No such file or directory)

There is no /home/<username> on the device used as the source of the config sync.

The error message is logged on the secondary blade (of the target system) but not the primary one.

Conditions:
1. Remote user username in /config/bigip/auth/userrolepartitions.
2. No home directory for the remote user in /home/.

Impact:
There is no apparent impact beyond the error message, which sounds quite serious, but has no functional impact.

Workaround:
Create local user account for remote authenticated users.

To do so using the GUI, navigate to System :: Users : User List, and click Create.

---

678066 : LTM Policy Tcl-enabled values require 'tcl:' prefix★

Component: Local Traffic Manager

Symptoms:
Prior to BIG-IP v12.1.0, LTM Policy implicitly allowed certain fields to contain Tcl expressions, which would be evaluated and used at runtime. Version 12.1.0 expanded the number of LTM Policy action fields that allow Tcl expressions, and also added the restriction that these fields must begin with the 4-character prefix tcl: to differentiate between a Tcl runtime expansion and a simple text string.

Conditions:
Pre-v12.1.0 LTM Policy containing an action that has a Tcl expression in one of the following actions, and does not begin with 'tcl:' prefix
   http-uri - value
            - path
            - query string
or
   http-reply - location

Impact:
The migration process, which should find this situation and automatically correct it, can miss in certain cases, leaving a configuration that may fail validation and not load.

Workaround:
Edit configuration file, manually add the 'tcl:' (without the quotes) prefix for the following actions:
 http-uri plus value/path/query
 http-reply plus location

---

677975-2 : SSL may cause the TMM to core when forging a certificate due to race condition

Solution Article: K59237122

Component: Local Traffic Manager

Symptoms:
In SSL-O environment, due to race condition, SSL may cause the TMM to core.

Conditions:
-- After server side completes the SSL handshake.
-- Client side SSL starts to forge a server certificate.

Impact:
Some contexts may be changed due to race condition. TMM might crash. Traffic disrupted while tmm restarts.

Workaround:
None.

---

677841-1 : Server SSL TLS session reuse with changed SNI uses incorrect session ID

Component: Local Traffic Manager

Symptoms:
If an iRule changes the SNI then the wrong session ID will be retrieved (using the original SNI).

Conditions:
Occurs when SNI is being modified by an iRule to an SNI that is different from the one specified in the server SSL profile.

Impact:
Connection may be rejected by the client if checking at the client occurs (Apache commonly does this). If the client finds that the SNI does not match the SNI in the session information, the connection may be rejected.

Workaround:
Disable SSL session cache. This has the side effect of reducing performance.

---

677666-3 : /var/tmstat/blades/scripts segment grows in size.

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows. This can eventually lead to the system no longer providing up-to-date statistics.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out-of-memory condition as well as out-of-date statistics.

Workaround:
No known workarounds.

---

677646-1 : System cannot boot up due to prior aborted installation★

Solution Article: K62171231

Component: Access Policy Manager

Symptoms:
System stuck at boot up and never comes up.

Conditions:
Running the rpm command was aborted.

Impact:
BIG-IP system not operational.

Workaround:
Run the following command to remove the extraneous files:

rm -f /shared/lib/rpm/__db.??? && shutdown -r now

---

677526-2 : Memory leak may occur during connflow failures.

Component: Global Traffic Manager (DNS)

Symptoms:
Memory leak may occur during connflow failures.

Conditions:
Connflow failures occur.

Impact:
TMM memory usage grows.

Workaround:
None.

---

677485-2 : Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error

Component: TMOS

Symptoms:
After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.

Conditions:
-- DSC cluster.
-- iControl REST.
-- BIG-IP system with stale BIG-IP master key in its cache.
-- BIG-IQ attempts to decrypt the secure values.

Impact:
Discovery fails due to secure value decryption error.

Workaround:
Restart iControl-REST server on the BIG-IP system.

On BIG-IP v12.0.0 and later:
-- In TMSH, run the following command:
restart sys service restjavad
-- On the console, run the following command:
bigstart restart restjavad

On BIG-IP v11.x.x:
-- In TMSH, run the following command:
restart sys service icrd
-- On the console, run the following command:
bigstart restart icrd

---

677442 : During bulk crypto processing for SSL traffic, tmm might restart in rare cases.

Component: Local Traffic Manager

Symptoms:
Processing bulk crypto traffic may cause tmm to crash and restart.

Conditions:
When processing bulk crypto requests handled by the Nitrox-based accelerators, a rare memory-corruption condition might occur. Specific circumstances that trigger the corruption are not known.

Impact:
Segmentation fault and core dump. Traffic disrupted while tmm restarts.

Workaround:
None.

---

677302 : Unable to save descriptions for firewall objects

Component: Advanced Firewall Manager

Symptoms:
System erases Description field of Address list/Port list objects when the object is modified.

Conditions:
-- Modifying an address/port definition for Address Lists or Port Lists/
-- Object contains a defined Description.

Impact:
Save operation erases Description.

Workaround:
Use tmsh to modify objects.

---

677270-2 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH or Configuration Utility

Solution Article: K76116244

Component: Local Traffic Manager

Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.

Conditions:
-- Merging an iRule in a config file in TMSH or entering the iRule manually in TMSH or entering the iRule in the iRules Editor of the BIG-IP Configuration Utility.
-- iRule comments are outside of any event stanza.

Impact:
Trailing comments in iRules are lost.

Workaround:
Use one or both of the following workarounds:

-- Make sure comments are inside of an event stanza.

---

676854-1 : CRL Authentication agent will hang waiting on unresponsive authentication server.

Component: Access Policy Manager

Symptoms:
Some authentication requests never complete. APMD responsiveness degrades over time and eventually restarts.

Conditions:
The CRL Authentication server must be alive enough to accept connections but busy enough to drop requests without closing connections.

Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.

Workaround:
Restarting the CRL Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the CRL backend can detect the issue and allow recovery before the need for APMD to restart.

---

676709-2 : Diameter virtual server has different behavior of connection-prime when persistence is on/off

Solution Article: K37604585

Component: Service Provider

Symptoms:
When using an Diameter MBLB profile with per-AVP persistence enabled and connection priming enabled, not all pool members may have a connection established as part of priming.

Conditions:
-- Diameter MBLB profile.
-- Per-AVP persistence enabled.
-- Connection priming enabled.

Impact:
It is possible that not all pool members will have a connection established as part of priming.

Workaround:
None.

---

676643 : FTP passive monitor uses IP address from PASV (not monitor destination)

Component: Local Traffic Manager

Symptoms:
A curl-based Tcl monitor for an FTP passive monitor uses the IP address from the FTP PASV command, rather then the IP address from the monitor destination. This is different from legacy behavior, which ignored the IP address obtained in the PASV command (to always establish a data connection to the IP address defined in the monitor destination). FTP passive monitors reliant upon the legacy behavior may stop working (with the pool member always being marked 'down').

Conditions:
FTP monitor is configured for passive, where the FTP PASV command provides an IP address.

Impact:
This new behavior is correct (the FTP passive monitor should use the IP address from the PASV command). However, configurations assuming legacy behavior to ignore the IP address in the PASV command and instead rely upon the IP address in the monitor destination may stop working (with the pool member always being marked 'down').

Workaround:
This behavior is correct, but to avoid using the IP address in the PASV command, configure the FTP monitor for active mode.

---

676491-2 : BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent.

Component: Local Traffic Manager

Symptoms:
DHCP request is relayed to backend DHCP servers with Self-IP as relay agent instead of DHCP Virtual IP in case of Relay Chaining.

DHCP server will not be able to use the giaddr field to make a subnet determination while providing an IP address to a client.

Conditions:
DHCP relay chain, BIG-IP should be the relay agent right before the pool of DHCP servers.

Impact:
In a DHCP relay chain, BIG-IP does not relay agent right before the pool of DHCP servers.

Workaround:
1. The relay chain should be used across a single subnet if the DHCP server uses the giaddr to determine subnets for the clients.

2. If the use case is to load balance across multiple DHCP servers and the 3rd part DHCP relay cannot do so, LTM load balancing can be used.

---

676442-2 : Changes to RADIUS remote authentication may not fully sync

Solution Article: K37113440

Component: TMOS

Symptoms:
With multiple devices in a sync group, changes to remote authentication (for example, changes made using commands such as: tmsh modify auth radius system-auth servers replace-all-with { AAA_a AAA_b } ) will be effective on the device where the change was made.

And although the changes are synced to tmsh config on the other devices in the group, the changes are not effective on those devices, as may be observed by checking that the changes do not appear in /config/bigip/auth/pam.d/system-auth and /config/bigip/auth/pam.d/radius/system-auth.conf.

Conditions:
Devices in a sync group that will sync system-auth config.

Impact:
Changes to RADIUS authentication will not be effective throughout the device group.

Workaround:
After syncing RADIUS changes, run the following command on all devices:
 tmsh save sys config && tmsh load sys config.

---

676395-1 : Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.

Component: TMOS

Symptoms:
Log message starting with 'Filemap returns Error 1 for file' gets logged into syslog while viewing certificate details.

Conditions:
1. Turn on debug using the following command:
 tmsh modify sys syslog daemon-from debug
2. Go to Certificate Management and navigate to view certificate details.

Impact:
No known impact other than the logged message.

Workaround:
Turn off debug using the following command:
 tmsh modify sys syslog daemon-from notice

---

676300-5 : EPSEC binaries may fail to upgrade in some cases★

Solution Article: K04551025

Component: Access Policy Manager

Symptoms:
Windows client may fail to upgrade endpoint security package in some cases. This happens due to a corrupted registration of old endpoint security components.

Conditions:
Corrupted registry entry related to endpoint security components.

Impact:
Client may not be able to upgrade to latest endpoint package hosted on APM.

Workaround:
Remove the following registry keys from the registry:

Note: Use extra care editing the registry. Only remove the following keys, and no others.


"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"


"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"


"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

---

675742 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores

Component: TMOS

Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:

01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.

Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.

-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.

Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.

Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.

---

675731-2 : Certain types of GTM Pools not displaying while listing WideIPs

Component: Global Traffic Manager (DNS)

Symptoms:
If you have a CNAME Pool and an AAAA, MX, NAPTR, or SRV pool in the same WideIP, running a 'list' command in TMSH shows only the CNAME pool.

Conditions:
-- A WideIP with a CNAME-type pool and an AAAA-, MX-, NAPTR-, or SRV-type pool.
-- Running a 'list' command in TMSH.

Impact:
-- Unable to properly view full configuration through TMSH.
-- Unable to save the configuration that is not displayed by the 'list' command.

Workaround:
None.

---

675431-1 : Non-default value in db variable pvaSynCookies.enabled reverts to default value after reboot or mcpd restart

Component: TMOS

Symptoms:
The db variable pvaSynCookies.enabled value changes to true on reboot or mcpd restart

Conditions:
Db variable pvaSynCookies.enabled value false

Impact:
Hardware syn-cookies enabled after reboot or mcpd restart

---

675368-2 : Unable to reorder rules when one of the rule names contain % or /

Component: TMOS

Symptoms:
Unable to reorder rules when one of the rule names contain % or /

Conditions:
One of the rule names contain % or /

Impact:
The rules cannot be reordered

Workaround:
Rename rules to make sure they don't contain % or /

---

675298-1 : F5 MIB value types changed to become RFC compliant

Component: TMOS

Symptoms:
In BIG-IP Version 12.1.2 several F5 MIB variables changed from 64-bit counter types to 32-bit gauge types. This change was made to make the MIBs RFC compliant. In a mixed environment, where some BIG-IPs are running 11.x and some running 12.x this can cause problems with the management station. If the management station cannot load MIBs dependent upon BIG-IP version then those variables can cause errors to be reported on the management station due to type mismatch.

Conditions:
An environment where a management station is managing BIG-IP systems with a mix of version 11.x and 12.x. The station may import a MIB version whose types do not match the MIBs on the BIG-IP system with regards to the type changes made in version 12.x.

Impact:
The management station reports errors due to type mismatch for some variables.

Workaround:
None.

---

674997 : It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.

Component: TMOS

Symptoms:
With APM-based system authentication, using tmsh to make changes to the password for user 'admin' will apparently succeed, but the password will be unchanged.

Conditions:
-- APM-based system authentication configured.
-- Using tmsh to make changes to the password for user 'admin'.

Impact:
Unable to change password for default system account.

Workaround:
Switch to local system authentication, change the password for 'admin', then switch back to remote authentication.

---

674992-3 : AAM traffic report's time period doesn't always apply

Component: WebAccelerator

Symptoms:
AAM traffic report's time period doesn't always apply.

Conditions:
Select a time period on the AAM traffic report page other than last hour.

Impact:
The table and graph still display last hour data.

---

674957-1 : If a certificate is stored in DER format, exporting it using the GUI corrupts the output.

Component: TMOS

Symptoms:
When a certificate stored in DER format is exported, all bytes with values larger than 0x7E are replaced with 0x3F, and there is one more byte added (0x0a) at the end of the binary file.

Conditions:
Using the GUI to export a certificate stored in DER format.

Impact:
Corrupted certificate.

Workaround:
You will need to use openssl to create a copy of the certificate in .pem or .der format. For example, to export the der certificate myder.crt to a mycert.pem certificate in .pem format, run the following command:

openssl x509 -out mycert.pem -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:myder.crt_75978_1 -inform der

Note: This works for system users who can access the bash command, specifically, those with the administrator role.

---

674754-2 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact

Component: Global Traffic Manager (DNS)

Symptoms:
Changing the email address in ZoneRunner and using a '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently, and the new email address is not stored.

Note. The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.

Conditions:
Zone already exists in ZoneRunner.
Trying to update it with a new email address.

Impact:
Confusion as to why the GUI is ignoring the new email address they entered.

Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.

---

674459 : Users are not expected to change security.commoncriteria DB variable through TMSH

Component: Local Traffic Manager

Symptoms:
Changing the security.commoncriteria db variable to true, and then attempting to change it back to false through TMSH causes validation errors related to SSHD configuration. Users are not expected to change this value without using the ccmode script.

Conditions:
Changing the security.commoncriteria db variable to true, and then back to false.

Impact:
Validation errors. The BIG-IP system remains stuck in Common Criteria mode when it is not desired.

Workaround:
None.

---

674328-3 : Multicast UDP from BIG-IP may have incorrect checksums

Component: TMOS

Symptoms:
BIG-IP may transmit UDP datagrams with a bad checksum.

Conditions:
Outgoing link-local multicast UDP traffic from the Linux host, such as RIP.

Impact:
Packets may be dropped by adjacent devices.

Workaround:
Disable checksum offloading on the virtual NIC for affected VLANS, e.g. "ethtool --offload vlan1274 rx on tx off"

---

674297-1 : Custom headers are removed on cross-origin requests

Component: Fraud Protection Services

Symptoms:
Custom headers are removed on cross-origin requests.

Conditions:
A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.

Impact:
The request will be blocked, FPS functionality breaks.

Workaround:
For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used:


when HTTP_REQUEST {
    if {[HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>"} {
       set modify_allowed_headers 1
    }
}

when HTTP_RESPONSE {
    if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1"} {
        if { [HTTP::header exists "Access-Control-Allow-Headers"] } {
            set hdr [HTTP::header value "Access-Control-Allow-Headers"]
            append hdr ", <HEADER NAME>"
            HTTP::header replace Access-Control-Allow-Headers $hdr
        }
    }
}

---

674256-3 : False positive cookie hijacking violation

Solution Article: K60745057

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.

---

673952 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.

---

673640 : Log messages for virtual server status changes are not immediately logged.

Component: TMOS

Symptoms:
Log messages for virtual server status changes are not immediately logged.

Conditions:
-- Virtual server status due to lasthop-pool going down or coming back up.
-- Viewing associated logs.

Impact:
No status-change messages are present.

Workaround:
None.

---

673573-6 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
    'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.

---

673241 : Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage.

Component: TMOS

Symptoms:
BIG-IP i15600, i15800 appliances utilizing a single 1500W AC power supply (PWR-0341-XX) shut down and trigger a fault.

Conditions:
This occurs when all of the following conditions are met:
-- PWR-0341-XX Single Supply.
-- input voltage is less than or equal to 100VAC.
-- System is is drawing maximum power (greater than 1000W).
-- Inlet temperature of the power supply is greater than 50C (122F).

Impact:
The power supply shuts down to protect itself. This results in appliance shutdown.

Workaround:
You can avoid this issue by doing any of the following:
-- Installing two PSUs in the unit.
-- Ensuring that input voltage is above 100VAC.
-- Operating the system at a temperature lower than 50C (122F).

---

673147-1 : Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.

Solution Article: K01350083

Component: TMOS

Symptoms:
The system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both. Although the virtual server configuration completes, three errors are logged to /var/log/tmm:

1) notice ISESSION: 172.27.114.10.443 ! 172.27.14.10.43321: connection error: isession_setup_ssl:1645: server-side SSL hudfilter replacement failed: ERR_NOT_FOUND

2) notice hudchain contains precluded serverside filter: CONNPOOL

3) notice MCP message handling failed in 0x898c80 (16977920): Jul 7 12:34:19 - MCP Message:
notice create {
notice virtual_server_profile {
notice virtual_server_profile_vs_name "/Common/http_optimize_client"
notice virtual_server_profile_profile_name "/Common/oneconnect"
notice virtual_server_profile_object_id 159423
notice virtual_server_profile_profile_class_id profile_connpool
notice virtual_server_profile_profile_type 13
notice virtual_server_profile_profile_context 0
notice virtual_server_profile_partition_id "Common"
notice virtual_server_profile_leaf_name "http_optimize_client"
notice virtual_server_profile_folder_name "/Common"
notice virtual_server_profile_transaction_id 62
notice }
notice }

Loading a configuration containing a virtual server with both a server-side iSession profile and a OneConnect profile succeeds, but logs a mutually exclusive profile error:
    notice hudchain contains precluded serverside filter: CONNPOOL

Conditions:
Three conditions must be satisfied.
1) The BIG-IP has AAM licensed.
2) A server-side iSession profile is added to a virtual server.
3) A OneConnect profile is added to the same virtual server.
Conditions 2 and 3 can be done in either order.

Impact:
OneConnect and iSession are mutually exclusive features, because both implement connection pooling. Configuring
a virtual server with both server-side iSession and
OneConnect profiles will break connection pooling, causing
connections associated the virtual server to hang.

Workaround:
Avoid configuring both server-side iSession and a OneConnect profiles on the same virtual server, as this is never a valid configuration.

---

673095 : Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'

Component: Local Traffic Manager

Symptoms:
Unable to load a UCS due to a VLAN validation error.

Conditions:
QinQ VLANs saved in a UCS file.

Impact:
Unable to reload the saved config.

Workaround:
Before loading the config, use tmsh to delete all VLANs. Then config will load successfully.

---

671553-2 : iCall scripts may make statistics request before the system is ready

Component: TMOS

Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.

Conditions:
Early during startup.

Impact:
The Tcl script may generate an error and stop working.

Workaround:
Use Tcl's 'catch' command to detect and handle the error.

---

671372-2 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Solution Article: K01930721

Component: TMOS

Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.

Impact:
The pool will be created but the members will not be modified.

Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.

---

671261-2 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo

Solution Article: K32306231

Component: TMOS

Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.

Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.

Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.

Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.

---

671236-2 : BGP local-as command may not work when applied to peer-group

Solution Article: K27343382

Component: TMOS

Symptoms:
Using the BGP level command neighbor <peer-group> local-as <AS> might fail to apply on peers in the peer group.

Conditions:
Applying the BGP local-as command to a peer group.
For instance:
  neighbor <peer-group> local-as <AS>.

Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.

Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.

---

671178 : Date/time change after configuring HA may impair configuration sync

Solution Article: K20274760

Component: TMOS

Symptoms:
Configuration not syncing among units in high availability (HA) group.

Conditions:
Date/time is set to an earlier date/time after HA is already configured.

Note: Changes are synced as expected when changing date/time to a later value; only setting to a earlier one results in this issue.

Impact:
-- Configuration changes are not recognized, and changes are not synced, however, system sync status incorrectly reports as 'in-sync'.

-- The 'Time Since Last Sync' displayed when running 'tmsh show /cm device-group' is negative. Note: This is only a cosmetic issue and has no effect on the system.

Workaround:
Note: Devices should be configured with NTP.

To restore consistency to the group, you can do one of the following:
-- Reset the time to be consistent with peers and make another config change.
-- Make a change on the peer device with the farthest future system time.
-- Force a sync to another device with the farthest future system time using a command similar to the following:
 tmsh modify cm device-group <device group name> devices modify { <sync-to-device-name> { set-sync-leader } }.

---

670994-2 : There is no validation for IP address on the ip-address-list for static subscriber

Component: Policy Enforcement Manager

Symptoms:
You can add IP address for a static subscriber with a subnet mask, and the system creates a subscriber by discarding the subnet mask without any error message.

Conditions:
This occurs when you add a ip address with a subnet mask to the ip address list for a static subscriber.

Impact:
An invalid ip address is added without warning or error.

---

670893-1 : Sensitive monitor parameters recorded in monitor logs

Component: Local Traffic Manager

Symptoms:
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including:
- user-account password
- radius/diameter secret
- snmp community string

Conditions:
This may occur under the following conditions:

1. LTM monitor type is one of the following:
ldap
mssql
mysql
nntp
oracle
postgresql
radius
radius-accounting
smb
snmp-dca
snmp-dca-base
wap

On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following:
ftp
imap
pop3
smtp


2. Monitor instance logging or monitor debug logging is enabled by one of the following methods:

a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor.

b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.

Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.

2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.

---

670691 : Unable to list ntlm profile in different root folder or partition

Solution Article: K02331705

Component: TMOS

Symptoms:
Unable to list NTLM profiles when they are in a different root folder or partition than the currently active folder or partition.

Conditions:
This occurs when attempting to list a partition that exists in another folder or partition.

For example:
-- The active folder or partition is /Common.
-- The NTLM profile 'my_ntlm' exists in the '/NTLM_Profile' folder or partition.
-- You run a command similar to the following to show details of an NTLM profile: list ltm profile ntlm /NTLM_Profile/my_ntlm.

Impact:
Unable to display NTLM profiles that reside outside of the active folder or partition. The system posts error messages similar to the following:

Error in ntlm: "/NTLM_Profile/my_ntlm" not found.
01020036:3: The requested Config Instance ( /NTLM_Profile/my_ntlm) was not found.

Workaround:
Change folders or partition before listing NTLM profiles.

---

670520-3 : FastL4 not sending keepalive at proper interval when other side gets response

Component: Local Traffic Manager

Symptoms:
FastL4 not sending keepalive at proper interval when other side gets response. With FastL4, when a response to an LTM-initiated keepalive is received from a device on one side is received, it is forwarded to the other.

It appears that causes a keepalive to not be sent on that other side. The keepalive interval is 20 seconds. If the LTM is scheduled to send a keepalive to the server, but receives a keepalive response on the client side, before it sends the serverside keepalive, the client side keepalive response is forwarded, but the actual keepalive is not sent to the server.

Conditions:
FastL4 and keepalive.

Impact:
Potential for failure as in FastL4: the timeout timer is not updated unless a response is returned. Since the LTM does not send the keepalive, there is not going to be a response for that interval.

Workaround:
None.

---

670501-5 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device

Solution Article: K85074430

Component: Application Security Manager

Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device

Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.

Impact:
Policies are either not created/deleted, or not fully created/deleted.

Note: Fully created and fully deleted meaning that the following commands agree with each other:
   # tmsh list asm policy one-line all-properties
   # tmsh list asm policy one-line

Workaround:
Issue a forced full sync from the originating device to the device group.

---

670456-3 : Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number

Component: Access Policy Manager

Symptoms:
Flash AS3 mx.core::CrossDomainRSLItem() wrapper fails when being called with a number of arguments different than 7.

Conditions:
Any flash that have a call of mx.core::CrossDomainRSLItem() with a number of arguments different than 7.

Impact:
Flash application malfunction.

---

670367-2 : On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

Solution Article: K39391280

Component: Access Policy Manager

Symptoms:
On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

The limit of customization group object that the BIG-IP Virtual Edition (VE) can load is approximately 13 KB.

Conditions:
Large number of policies (thousands) and customization objects (tens of thousands).

Impact:
Unable to load configuration.

Workaround:
Turn off watchdog for mcpd via tmsh using the following command:
tmsh modify sys daemon-ha mcpd heartbeat disabled

Important! Remember to re-enable tmsh watchdog after the config loads successfully. To do so, run the following command:
tmsh modify sys daemon-ha mcpd heartbeat enabled

---

670258-2 : Multicast pings not forwarded by TMM

Component: Local Traffic Manager

Symptoms:
When multicast routing is configured, ICMP or ICMP6 pings are not forwarded by TMM even though UDP and other protocol traffic to the same group addresses works.

Conditions:
Multicast routing configured, VIP configured to forward ICMP traffic.

Impact:
Multicast group addresses cannot be reached with ICMP or ICMP6 echo requests.

Workaround:
n/a

---

669978-4 : SIP monitor - Via header's branch parameter collision.

Solution Article: K15204204

Component: Service Provider

Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server internal logic gets confused by the request coming from LB2 because it uses the same branch parameters of the request coming from LB1.

Conditions:
SIP branch hash string length is small enough that when sufficient SIP monitor messages were inundated, possible branch collision.

Impact:
This causes the backend server erroneously to send a response message to LB1 instead of LB2.

Workaround:
None.

---

669585-3 : The tmsh sys log filter is unable to display information in uncompressed log files.

Component: TMOS

Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.

Conditions:
One or more of the BIG-IP sytem backup log files, designated with .1, .2, etc are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.

Impact:
Unable to view the full range of backup log information.

Workaround:
To log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:

gzip /var/log/<log>.*

For example, to compress the full set of backup logs for the ltm log type, type the following command:

Note: The following message is expected if the log file is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged'

gzip /var/log/ltm.*

---

669241-1 : Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Component: TMOS

Symptoms:
Stateless virtual servers can be used only for UDP traffic.

Conditions:
Attempt to create a stateless virtual server with ip-protocol set to 'gre'.

Impact:
Operation does not succeed. Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Workaround:
None.

---

668849-1 : Upgrade failure for apm-log-setting objects★

Component: Access Policy Manager

Symptoms:
After upgrade to 13.1.0, the configuration will fail to load with error: 01070734:3: Configuration error: In apm log-config (/p1/f1/sso-log-setting-Critical) there can only be one instance of access log configuration
Unexpected Error: Loading configuration process failed.

Conditions:
If before upgrade, you have sso form-basedv2 object or saml sso config objects in your configuration

Impact:
mcpd will fail to start

Workaround:
manually edit the bigip.conf and remove all the sso form-basedv2 objects and saml sso config objects and then do tmsh load sys config

---

667661-2 : Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'

Solution Article: K69015104

Component: Device Management

Symptoms:
Adding a secondary HA device to Access Group fails with error 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'.

Conditions:
Fails when adding a HA device to Access Group.

Impact:
Device cannot be added to Access Group.

Workaround:
None.

---

667618-2 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: TMOS

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection will continue to be unsupported until the machine exit hardware SYN cookies.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Note that if no good traffic hits the virtual server, syncookies will also fail to deactivate, but will do so once both good traffic has been seen, and the attack has ended.

Workaround:
Restarting TMM or rebooting the device will clear the HSB issue

---

667518 : SSO Configurations update is failing from UI

Component: Access Policy Manager

Symptoms:
SSO Configurations update is failing from the GUI.

Conditions:
While creating SSO form with SSO configuration, Update is failing with UI Javascript error.

Impact:
From UI user not able to update the SSO Configurations, with SSO Form creation.

Workaround:
Create separate SSO form and assign to SSO configuration. Or use TMSH to create both.

---

667476 : Upgrade and config load can fail if a data group record of type string contains a tab character

Component: TMOS

Symptoms:
When a datagroup record is of type 'string' and contains a tab (\t) the record loads but when the configuration is saved the record is not save with enclosing quotes.

Conditions:
-- Data group whose type is string.
-- Record entry that contains a tab character along with other non-whitespace characters.

Note: If other whitespace characters are present the string will have enclosing quotes and this issue will occur.

Impact:
Saved config does not load when running the command: tmsh load /sys config.

Upgrade fails to load the configuration.

Workaround:
In order to either load the configuration or upgrade, you must manually edit the bigip.conf file and enclose the string in quotation marks, as shown in the following example:

Existing config
==================
ltm data-group internal /Common/sample_dg {
  records {
    entry1 {
      data /BIG-IP BAD
    ...

Modified config:
ltm data-group internal /Common/sample_dg {
  records {
    entry1 {
      data "/BIG-IP BAD"
   ...

---

667295-1 : 'RTSP::header exists' iRule command always returns True

Solution Article: K51601122

Component: Carrier-Grade NAT

Symptoms:
Using the 'RTSP::header exists' command in an iRule returns true even if the header is not present.

Conditions:
Using the 'RTSP::header exists' command in an iRule, e.g., [RTSP::header exists "Transmitting"].

Impact:
Returns 1 (TRUE) even if the header is not present. Should return 2 (ERR_NOT_FOUND) on failure.

Workaround:
None.

---

667114-1 : TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Solution Article: K32622880

Component: TMOS

Symptoms:
TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Conditions:
-- BWC policy applied.
-- TCP traffic passes through the IP forwarding or L2 forwarding virtual server.

Impact:
Lower throughput than expected.

Workaround:
When using BWC, use a proxy virtual server instead of IP forwarding or L2 forwarding virtual servers.

---

667082-2 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.

Component: TMOS

Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.

Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.

Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.

Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.

---

666889-1 : Deleting virtual server may cause tmm to segfault

Solution Article: K25769531

Component: Local Traffic Manager

Symptoms:
Deleting virtual server may cause tmm to segfault.

Conditions:
-- Virtual server is rate-limited.
-- In-progress connections exist.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

666497-3 : Some of the Korean translations in Windows Edge Client were incorrect

Component: Access Policy Manager

Symptoms:
Some of the Korean translations in Microsoft Windows Edge Client's main windows are incorrect.

Conditions:
User uses Edge Client application on Windows.

Impact:
Confusion due to inaccurate translation.

Workaround:
None.

---

666258-2 : GTM/DNS manual resume pool member not saved to config when disabled

Component: Global Traffic Manager (DNS)

Symptoms:
manual-resume disabled pool member becomes available after reboot.

Conditions:
GTM pool is configured with manual-resume enabled and its pool member was once unavailable.

Impact:
Unexpected available pool member which should be disabled.

Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only

---

666233-1 : Localdbmgr process cores

Component: Access Policy Manager

Symptoms:
You see continuous "emerg logger: Re-starting localdbmgr" messages and localdbmgr continually cores.

Conditions:
When localdbmgr process tries to persist local user information to the MySQL Database.

Impact:
localdbmgr cores, APM local user database does not initialize.

Workaround:
None.

---

666127-1 : Flows are incorrectly processed on a standby system.

Component: Local Traffic Manager

Symptoms:
Standby system incorrectly processes flows, even if there is no other traffic group active on that system.

Conditions:
-- Spanning is enabled for a virtual address.
-- No other traffic group active on a standby system.

Impact:
Flows are incorrectly processed.

Workaround:
None.

---

666117-4 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
Device Service Cluster with only self-ips configured for the failover network.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network will reduce the possibility of this problem.

---

665777 : TMM0 on the secondary blade sends out extra ARP replies

Component: Local Traffic Manager

Symptoms:
TMM0 on the secondary blade can send out more than one ARP reply when it receives an ARP request.

Conditions:
ARP request is received by TMM0 on the secondary blade.

Impact:
The BIG-IP system sends out extra ARP replies.

Workaround:
None.

---

665425-4 : AVR Max metrics shows wrong values

Solution Article: K24182390

Component: Application Visibility and Reporting

Symptoms:
In the AVR HTTP Page, metrics Max TPS and Max Throughput display incorrect values.

Conditions:
The root-cause is 32bit overflow, so the incorrect values are displayed when there are high volumes of traffic.

Impact:
Displayed metrics do not correctly show activity.

Workaround:
There is no workaround at this time.

---

665117-2 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping

Solution Article: K33318158

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Server status flapping from red-green-red.

Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.

Impact:
Server status flaps from red to green and back.

Workaround:
Check Transparent for these monitors.

---

664596-1 : One LTM policy causes a different policy to not execute

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, the presence of one LTM policy will preclude another LTM policy from running.

Conditions:
Two policies present on a virtual server, one policy with a condition at HTTP_RESPONSE time will prevent a policy that unconditionally acts at HTTP_REQUEST time.

Impact:
Expected LTM policy does not run.

Workaround:
None.

---

664000 : TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing

Component: Local Traffic Manager

Symptoms:
Dynamic configuration changes with live traffic may have or cause complicated issue or unpredictable behaviors. TMM might restart and generate a core file when modifying key/cert on a profile while ongoing SSL handshakes are using it. System posts messages similar to the following:

-- crit tmm3[13499]: 01010260:2: Hardware Error(Co-Processor): cn3 request queue stuck
-- warning sod[6005]: 01140029:4: HA crypto_failsafe_t cn-crypto-3 fails action is failover.

Conditions:
The key/cert on a profile is modified while ongoing SSL handshakes are holding it.

In one case, OCSP was removed from all the SSL profiles at some point after the handshake started, so the handshake picked up the new profile without refreshing or invalidating the handshake's copy of the key_cert.

Impact:
Normal functionality might be disrupted. Traffic disrupted while tmm restarts.

Note: There is no support currently for dynamic profile configuration changes while there are ongoing connections using the profile.

Workaround:
Do not try to modify key/certs on a profile while there are a lot of ongoing connections using it.

---

663946-2 : The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Component: Advanced Firewall Manager

Symptoms:
On a vCMP platform with host and guest using different BIG-IP versions, when DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- vCMP platform with host and guest using different BIG-IP versions.
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
You can use any of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
-- Disable hardware offload with sys db Dos.VcmpHWdos.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.

---

663925-5 : Virtual server state not updated with pool- or node-based connection limiting

Component: Local Traffic Manager

Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.

Conditions:
The connection count reaches the configured connection limit.

Impact:
Virtual server is automatically disabled when connection limit is reached and returns from the unavailable state after connections decrease.

The actual functionality of connection-limiting is occurring at the tmm level (you can see connections rejection after reaching the max limit in logs). The system is just not logging status in mcp as update_status is not being called automatically.

Workaround:
None.

---

663911-2 : When running out of memory, MCP can report an incorrect allocation size

Component: TMOS

Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:

Failed to allocate memory for size 260 at clone_message:952.

The memory size indicated in the message may be incorrect.

Conditions:
MCP runs out of memory while attempting an allocation.

Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.

Workaround:
None.

---

662301-6 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Component: TMOS

Symptoms:
An error message appears in the GUI reading 'This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.' Examination of the configuration and license shows that there are no configuration error or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
Restart mcpd by running the following command:
bigstart restart mcpd

---

662296-1 : Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address

Component: Local Traffic Manager

Symptoms:
Management connectivity loss over the management cluster IP address. This is caused by a secondary blade temporarily taking over the cluster primary due to starvation of clusterd on the blade running tcpdump.

Conditions:
-- A multi-bladed configuration with full traffic load.
-- Run tcpdump -i 0.0.

Impact:
Loss of connectivity to the cluster floating IP address. The /var/log/ltm clusterd shows timeouts and temporary change of primaryship.

Workaround:
Mitigation:
-- Judicious use of tcpdump -i 0.0.

Workaround:
-- Kill tcpdump from the SSH session to the slot IP address directly or using the console.
-- Restart tmm to fix the issue with MPI stream connection loss.

---

660895-2 : TMM can crash if TMM count is greater than licensed throughput

Component: TMOS

Symptoms:
The rate shaper used for BIG-IP virtual Edition (VE) divides the total licensed throughput amongst the running TMMs to determine a per-TMM throughput. If the TMM count is greater than the licensed throughput, then this causes a 0-per-tmm throughput limit, which is unfortunately used as a divisor later in rate shaper operations, and which might result in an eventual divide-by-zero error and a crash. This might repeat indefinitely.

Conditions:
Install a license on a VE with a bandwidth limit where the number of megabits per second (Mbps) is less than the number of TMM instances (typically, the number of CPU cores), for example, Use a 2 Mbps license and configure 4 CPUs on a VE system.

Note: This has been observed on evaluation licenses, but might be possible in other circumstances.

Impact:
Traffic is disrupted while TMM restarts, potentially repeatedly.

Workaround:
Change the number of vCPUs available to the BIG-IP guest to be less than the licensed throughput.

---

660826-1 : BIG-IQ Deployment fails with customization-templates

Component: Access Policy Manager

Symptoms:
BIG-IQ involving multiple commands in a transaction to modify customization group fails.

Conditions:
Simulation by tmsh for what's done in BIG-IQ:

1) Add a log-on agent in your policy.

2) Edit the log-on agent customization (Advanced Customication: logon.inc and view.inc both)
This should create two customization templates.

3) Make a backup of the customization template files in some folder (/tmp). For example: To copy logon.inc and view.inc for logon agent in sjc-access policy?(sjc-access_act_logon_page_ag) below cp statements worked.

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
:Common:sjc-access_act_logon_page_ag::logon.inc_74991_2

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc

4) tmsh

5) create /cli transaction

6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }

7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }

8) submit /cli transaction

Impact:
BIG IQ operation failed with scenario involving change to customization group.

Workaround:
There is no workaround.

---

660807 : Clientside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
iRule parking command 'table lookup' inside clientside crashes TMM.

Conditions:
iRule parking command 'table lookup' inside clientside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, move the parking command outside clientside/serverside.

---

660759-4 : Cookie hash persistence sends alerts to application server.

Component: Fraud Protection Services

Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.

Conditions:
-- Persistence profile in their virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.

(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)

Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.

Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:

ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
    
    #enable the usual persistence cookie profile.

    if { [HTTP::path] eq "/<alert-path>/" } {
        persist none
    }
}
}

---

660326-2 : Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.★

Component: Application Security Manager

Symptoms:
Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.

Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.

Impact:
Upgrade fails.

Note: Although this is an invalid configuration, upgrade should not fail.

Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers

Note: The first workaround must be done before the update. The second can be done before the upgrade, or by editing the config files and re-loading config (first base, then all) using the following command:

tmsh -c 'load sys config partitions all base; load sys config partitions all'

---

660119-1 : Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Solution Article: K36005385

Component: Local Traffic Manager

Symptoms:
When the monitor is configured with a timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Conditions:
Monitor configured with timeout plus interval larger than 86400.

Impact:
Periodically service taken offline which may result in persistence issues or impact service availability.

Workaround:
Reduce the monitor's timeout to less than (86400 - interval).

---

659930-1 : Enterprise Manager may receive malformed data if there are multiple monitors on a pool

Component: Global Traffic Manager (DNS)

Symptoms:
Enterprise Manager (EM) may receive malformed data if there are multiple monitors on a pool. big3d returns malformed xml. Messages similar to the following appear in /var/log/em:
 Could not parse xml for device.

Conditions:
-- Flapping pool monitor has more than two HTTP-type monitors.
-- iControl data returned from big3d LTM is malformed xml.

Impact:
Malformed data causes EM to not be able to gather stats from big3d.

Workaround:
None.

---

659888-1 : Profiles with names that contain percentage signs cannot be accessed in TMUI

Component: TMOS

Symptoms:
Clicking profiles on the list page in the Configuration Utility (GUI) with names that contain a percentage sign does not take you to the profile page.

Conditions:
-- Clicking profile names with percentage signs.
-- The profiles list page in the GUI.

Impact:
The profile pages cannot be accessed from the profiles list page in the GUI.

Workaround:
Use tmsh or rename your profiles so their name does not include a percentage sign.

---

658278-3 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows :
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.

---

658103 : TMM core while adding logging action to APM SWG

Solution Article: K00652162

Component: Access Policy Manager

Symptoms:
TMM core while adding logging action to APM SWG.

Conditions:
-- Use of an application lookup perflow variable (perflow.application_lookup.result.*) in an SWG per-request Logging Agent.
-- No Application Lookup Agent found prior in the chain.

For example
- The following example will crash:
    start : logging : allow

- The following will succeed:
    start : application lookup : logging : allow

Impact:
TMM core. Traffic disrupted while tmm restarts.

Workaround:
There are two possible workarounds:

-- Remove the applicable perflow variables from the logging agent.
-- Add an application lookup before trying to log application lookup perflow variables.

---

658036-2 : Honoring negotiated MSS for TCP segmentation

Solution Article: K04651090

Component: TMOS

Symptoms:
Following are the symptoms:

1. When the BIG-IP system's MTUs are larger than the smallest MTU in the end-to-end path:
-- The BIG-IP system does not mark coalesced packets larger than egress MSS but smaller than egress MTU in the BIG-IP system for segmentation. Therefore, the BIG-IP system receives 'ICMP fragmentation needed' messages from an intermediate router which drops the packets when the Don't Fragment (DF) bit is set in IP header.

2. When the BIG-IP system's MTUs are less than 1500:
-- On ingress, the BIG-IP system rejects coalesced packets larger than ingress MTU and less than 1500 and having DF bit set in IP header. the BIG-IP system sends 'ICMP fragmentation needed' message to sender.

Conditions:
* Generic Receive Offload (GRO) and Large Receive Offload (LRO) for data plane interfaces are supported and enabled (both in host and guest).

* Packets are sent with DF bit set.

* For #1:
-- FastL4 profile in use.
-- The BIG-IP system's VLAN MTUs are larger than the smallest MTU in the end-to-end path.

* For #2:
-- The BIG-IP system's MTUs are set to a value that is less than 1500.
-- The packets' DF bits are set.

Impact:
No traffic or very low throughput.

Workaround:
Disable LRO and GRO for data plane interfaces using the following command:

tmsh modify sys db tm.tcplargereceiveoffload value disable.

Note: For KVM virtio devices, LRO/GRO need to be turned off in host NIC.

---

657834-2 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Solution Article: K45005512

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.

Note: The greater the number of routes flapping, the more likely to see the condition.

Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.

However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.

---

657727-2 : Running tcpdump from TMSH cannot capture the local "tmm" interface

Solution Article: K39694060

Component: TMOS

Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device

This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.

Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.

Impact:
Cannot run tcpdump on the 'tmm' internal interface.

Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.

---

657531-2 : High memory usage when using the ICAP server

Solution Article: K02310615

Component: Application Security Manager

Symptoms:
High UMU memory when using the ICAP server.

Conditions:
-- ICAP is in use.
-- There are long requests (requests longer than 128 KB) that should get to the ICAP server.

Impact:
UMU memory goes up.

Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the size for the long requests buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).

---

657118-1 : Tmm crash

Component: Local Traffic Manager

Symptoms:
TMM crashes while passing traffic and generates core file.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.

---

655767-5 : MCPD does not prevent deleting an iRule that contains in-use procedures

Component: Local Traffic Manager

Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.

MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:

    01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).

However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.

Conditions:
Must be using iRules that call into other iRules.

Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.

Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.

---

655484-1 : GUI LTM Pool Statistics Page running out of memory with large number of Pools

Solution Article: K69912019

Component: TMOS

Symptoms:
When there is a large number of configured Pools, it can adversely affect Pool Statistics Page display, causing an Out of Memory error.

Conditions:
Configure 2200 or more pools, and go to the Pool Statistics page.

Impact:
The page does not display because it causes Tomcat to run out of memory and restart automatically.

Workaround:
You can increase the memory allocated to Tomcat. For more information, see K9719: Error Message: java.lang.OutOfMemoryError, available at https://support.f5.com/csp/article/K9719

---

655464 : Incorrect information about number of cores/guests on i11000 platforms

Component: TMOS

Symptoms:
-- Commands 'getconf _NPROCESSORS_CONF' and 'guishell -c 'select max_vcmp_guests from blade_info'' show different information.

-- Command 'tmsh create vcmp guest <guest_name>' fails and reports an error:

Could not allocate vCMP guest (<guest_name>) because fragmented resources.

Conditions:
-- i11000 hardware with 36 cores.
-- vCMP guests are utilizing 32 cores of the system (4, 8-core guests are installed).
-- Try to install a new guest.

Impact:
-- vCMP guest GUI page shows 36 cores are available, but only 32 cores are actually available for vCMP guests.

-- After installation of 4, 8-core guests, the BIG-IP system should not allow new guest installations. If you try to install a new guest, the system reports an error that does not describe the real issue:

Could not allocate vCMP guest (<guest_name>) because fragmented resources.

Workaround:
Limit the number of vCMP guests to the number reported by the command:
guishell -c 'select max_vcmp_guests from blade_info'

---

654981-3 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.

Conditions:
This happens when the first matched rule has no action (i.e. is set to ignore).

Impact:
This may cause Local Traffic Policies to execute an unintended action.

Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.

---

654915-3 : Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address

Component: Application Visibility and Reporting

Symptoms:
For traffic capturing, if a pool member is assigned a special name (e.g., 'for internal activity'), the external AVR log will report the internal IP address instead of the pool member name.

Conditions:
1. Assign name to internal pool member.
2. Enable HTTP traffic capturing.
3. Allow AVR to collect HTTP statistics.
4. View pool member name in external AVR log.

Impact:
External log reports internal IP address instead of pool member name.

Workaround:
There is no workaround at this time.

---

653928 : On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.★

Component: TMOS

Symptoms:
On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed due to an incorrect configuration. The system posts a Conflicting configuration message in response to the error.

Conditions:
There are multiple ways to encounter this:

-- The BIG-IP system has a working configuration and is running normally. If the configuration becomes invalid, due to hardware configuration changes, a configuration mistake, or a typo in one of the configuration files, the MCPD never reaches the running state due to the configuration load error.

-- If the BIG-IP system is managed by a BIG-IQ device, and the BIG-IQ device revokes the BIG-IP system's license, the configuration load might start failing if the BIG-IP system's configuration contains advanced features that require an active license.

Impact:
If the misconfiguration occurs during a upgrade from 10.2.4 to 12.1.x, the operation fails with the DHCP error.

In these cases, when you try to load the default configuration through 'tmsh load sys config default', the configuration load fails with this error:

/Common/management-ip: Conflicting configuration. Management-ip can't be created manually while DHCP is enabled. Within tmsh run 'modify sys global-settings mgmt-dhcp disabled' before manually changing the management-ip.

MCPD never reaches the running state and the BIG-IP system does not function as expected.

Workaround:
Once this problem occurs, there is no way to force 'load sys config default' without first resolving the 'base config load failure' mcpd status, which requires repairing the configuration errors that caused the initial base configuration load failure.

To do so, review the log files to determine the specific misconfiguration and remove it from the corresponding configuration file. Then try the configuration load operation again.

---

653573 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.

Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).

Impact:
Although there is no technical impact, there are many zombie processes left behind.

Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd

---

653228-2 : SNAT does not work properly on FTP VIP2VIP

Solution Article: K34312110

Component: Local Traffic Manager

Symptoms:
SNAT does not work properly on FTP VIP2VIP.

Conditions:
-- FTP communicates VIP2VIP to second virtual server.
-- SNAT is configured on second virtual server.

Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.

Workaround:
Do not configure SNAT on second virtual server.

---

653137-1 : Virtual flaps when FQDN node and pool configured with autopopulate

Solution Article: K24159492

Component: Local Traffic Manager

Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.

Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.

Impact:
The virtual server becomes unavailable, and later switches to unchecked.

Workaround:
None.

---

652577-2 : Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.

Conditions:
- HA pair
 - Traffic-group with a MAC set in the MAC Masquerading setting.
 - Floating Self-IP using the above traffic-group
 - Make a change to the MAC Masquerading MAC address on the Active unit.
 - Run a config-sync from Active to Standby

Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.

Workaround:
Reboot or restart TMM.

---

652530 : Parameter names are case sensitive in Internet Explorer 9 only

Component: Fraud Protection Services

Symptoms:
Mis-configured parameter names with incorrect case will work as if they were configured correctly in all browsers except for Internet Explorer 9

Conditions:
Parameter names configured in the wrong case

Impact:
Encryption and data integrity features will appear to work as expected in all browsers except Internet Explorer 9.

In Internet Explorer 9, encryption and data integrity will not be activated on the misconfigured parameter.

Workaround:
Reconfigure the parameter name to use the correct case.

---

652370-1 : The persist cookie insert iRule command may leak memory

Component: Local Traffic Manager

Symptoms:
In some situations, the persist cookie insert iRule command may leak memory for the cookie name.

Conditions:
The persist cookie insert iRule command is used.

Impact:
Eventually, the TMM will run out of memory due to the leak.

---

652223-1 : BWC: Non-TCP data going through Category can make policy active

Solution Article: K50325308

Component: TMOS

Symptoms:
When category is set at lower rate than 100% of the user rate, and traffic going through the category is non-TCP, and the amount of data is 150% of the instance rate, then that can create policy to be active, lowering the overall bandwidth.

Conditions:
This occurs when all of the following conditions are met:
-- Category rate is less than max-user-rate
-- Traffic is non-TCP data.
-- Amount of data passing is 150% of max-user-rate.

Impact:
BWC dynamic policy cannot achieve 100% of max-rate.

Workaround:
Increase the max-rate of any dynamic policy, and add an additional static policy set to the max-rate expected from the dynamic policy.

Note: There is no actual fix for this issue except for not using UDP traffic in categories, if the amount of traffic on that UDP category is expected to exceed 150%, or over to the maximum fair rate provided by the BWC instance. Note that the PEM subscriber and BWC instance have 1-1 relationship.

---

652222-1 : Sending scheduled-reports will fail due to lack of backend support

Component: Application Visibility and Reporting

Symptoms:
Using the scheduled report from GUI fails and causes some orphan file descriptors every time scheduled report runs.

Conditions:
Using the scheduled report from GUI.

Impact:
Scheduled-reports won't work and cause the system to have more orphan opened file-descriptors every time it tries to send the report.

Workaround:
None.

---

651169-3 : The Dashboard does not show an alert when a power supply is unplugged

Component: Advanced Firewall Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.

---

651136-2 : ReqLog profile on FTP virtual server with default profile can result in service disruption.

Solution Article: K36893451

Component: TMOS

Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.

Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.

Impact:
Service disruption, fail-over event.

Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.

---

651005-3 : FTP data connection may use incorrect auto-lasthop settings.

Component: Local Traffic Manager

Symptoms:
Due to known issue FTP data connection may fail to use auto-lasthop settings configured on the virtual server and use a value configured on VLAN level instead.

Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'

(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'

With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'

(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'

Impact:
FTP data connection may fail to be established.

Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.

---

650019-2 : The commented-out sample functions in audit_forwarder.tcl are incorrect

Component: TMOS

Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.

Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.

Impact:
The Transform function may not work if the examples are followed.

Workaround:
Use the default Transform function as a starting point instead of one of the examples.

---

649897 : Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.

Component: Local Traffic Manager

Symptoms:
Using iControl REST, making a change to an FQDN pool member causes the pool member availability to become 'unknown'.

Conditions:
Using iControl REST, modify an existing pool member configured with an FQDN name.

Note: This issue does not affect pool members configured to point directly at an IP address.

Impact:
The pool member status will show 'unknown'.

Workaround:
None.

---

649441-2 : Classification memory allocation

Component: Traffic Classification Engine

Symptoms:
Classification library ('CE') allocates an extra 2 KB of memory per flow and never used it.

Conditions:
Classification and HTTP profile attached to Virtual Server.

Impact:
High memory footprint for heavily loaded systems.

Workaround:
Install latest Classification Update Package ('IM Package').

---

649275-2 : RSASSA-PSS client certificates support in Client SSL

Component: Local Traffic Manager

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through 13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version from BIG-IP v11.6.0 through 13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
None.

---

648873-3 : Traffic-group failover-objects cannot be retrieved via iControl REST

Solution Article: K93513131

Component: TMOS

Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].

(The ... represents the data that was presented as a list property.)

Conditions:
Trying to use iControl REST for getting failover-objects associated to floating traffic-groups

Impact:
No access to list of failover-objects associated to an specific floating traffic-group via the iControl REST interface

Workaround:
Use a different user interface (tmsh or GUI).

---

648806-1 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance

Component: Global Traffic Manager (DNS)

Symptoms:
Invalid value for "with the first highest ratio counter" for wideip load balancing decision is logged.

Conditions:
Enabled logging for wideip load balancing decision.

Impact:
Invalid value is logged for "with the first highest ratio counter".

---

648316-3 : Flows using DEFLATE decompresion can generate error message during flow tear-down.

Solution Article: K10776106

Component: TMOS

Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:

  Zip engine ctx eviction (comp_code=4): ctx dropped.

Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.

Impact:
False errors can appear:
  o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
  o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.

Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.

Workaround:
Disable hardware acceleration.

---

647834-4 : Failover DB variables do not correctly implement 'reset-to-default'

Component: TMOS

Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.

Conditions:
This is known to affect at least the following failover-related DB variables:

log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary

Impact:
The configuration change does not take effect.

Workaround:
Explicitly set the DB variable to the desired value.

---

647812-3 : /tmp/wccp.log file grows unbounded

Component: TMOS

Symptoms:
WCCP uses /tmp/wccp.log as output for Diagnostic information,
independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent the file is cleaned up automatically.

Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.

Impact:
/tmp/wccp.log grows unbounded, filling up the disk.

---

647590-2 : Apmd crashes with segmentation fault when trying to load access policy

Component: Access Policy Manager

Symptoms:
Rarely, apmd restarts when trying to re-load an access policy.

Conditions:
This occurs when some of the policy items are modified while apmd is trying to re-load the access policy.

Impact:
The apmd process restarts.

Workaround:
None.

---

647158-3 : Internal virtual server inherits CMP hash mode from parent virtual server

Solution Article: K76581555

Component: Service Provider

Symptoms:
An internal virtual server might behave in unexpected ways, such as abort a client connection before connecting to the server.

Conditions:
Virtual server with request-adapt or response-adapt profile and a vlan with 'cmp-hash' mode 'src-ip'.
Internal virtual server without a VLAN or 'cmp-hash' setting.

Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.

Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.

---

647151-1 : CPU overtemp condition threshold is 75C

Component: TMOS

Symptoms:
A CPU overtemp condition is logged when a B4450 CPU reaches 75C.

Conditions:
CPU temperature is only 75C and ambient temperature in the blade is in the normal range.

Impact:
Since the temperature threshold is set too low, the warning does not indicate an actual problem.

Workaround:
None.

---

646768-4 : VCMP Guest CM device name not set to hostname when deployed

Solution Article: K71255118

Component: TMOS

Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.

Impact:
The vCMP guest does not use the configured hostname.

Workaround:
-- In tmsh, run the following commands, in sequence:

 mv cm device bigip1 HOSTNAME
 save sys config

-- Rename the device name in the GUI.

---

646495-2 : BIG-IP may send oversized TCP segments on traffic it originates

Component: Local Traffic Manager

Symptoms:
Traffic from the Linux host on BIG-IP may send TCP segments larger than the advertised TCP MSS of a remote host.

Conditions:
Received TCP MSS (plus protocol overhead) smaller than configured MTU of interface.
Linux host sending large TCP segments, such as SNMP getbulk replies.

Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.

Workaround:
disable segmentation offload for the vnic

---

646440-7 : TMSH allows mirror for persistence even when no mirroring configuration exists

Component: Local Traffic Manager

Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.

Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.

Impact:
A memory leak and degraded performance can occur when:

-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.

Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.

If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:

1. Access the BIG-IP Bash prompt.

2. List the Persistence profiles with the following command:
      tmsh list ltm persistence

3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.

4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled

5. Save the changes to the Persistence profiles:
tmsh save sys config

---

645674-2 : 'bigd' message send to 'mcpd' failure is not logged

Component: Local Traffic Manager

Symptoms:
A bigd message to mcpd notifying of monitor status change may fail to be sent, without log notification, when the message is too large.

Conditions:
A message sent from bigd to mcpd that is too large (e.g., because of the unbounded accumulation of HTTP/1.1 200 codes with unique values).

Impact:
Mcpd is not notified of the monitor status change, and the missing message is not logged. The monitor reflects an incorrect status until a future status change triggers a successful notification-message to be sent from bigd to mcpd.

Workaround:
Diagnosis of an incorrect monitor status may identify this issue, but no direct workaround is available.

The issue of the too-large bigd message is described in ID 645197, and involves the accumulation of unique HTTP/1.1 200 codes (indicating monitor success) without a monitor status-change for extended time (days or weeks). When a monitor status change finally occurs, bigd cannot notify mcpd because the message is too big. Thus, there is no indication of the monitor-status change. The secondary issue, here, is that there is no log message indicating the status-change-message-send failure.

---

645635-2 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests

Component: Local Traffic Manager

Symptoms:
VCMP clusters without configured slot-specific management-ip addresses will report 0.0.0.0 for: sFlow (Agent Address), High Speed Logging (in certain log messages), and IPFIX (domain ID).

When creating VCMP guests, the cluster's floating IP address is configured on the host using a command of the form: 'tmsh modify vcmp guest guest0 management-ip 10.1.2.3/24'; however, this will leave the slot-specific management IP address unconfigured. In this case, the affected services (sFlow, HSL, and IPFIX) will report 0.0.0.0 as their management IP address.

Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow and/or HSL and/or IPFIX configured.

Impact:
sflow, HSL, and IPFIX may incorrectly use 0.0.0.0 when identifying the BIG-IP system by management IP address. For sFlow, this is the default Agent Address. For HSL, certain log messages which identify the origin BIG-IP system by its management IP address will use this default value. For IPFIX, the domain ID will use this default value.

Workaround:
Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a VCMP guest which runs on a single slot, use a command similar to the following:

tmsh modify sys cluster default members { 1 { address 10.1.2.3 } }

---

645206-4 : Missing cipher suites in outgoing LDAP TLS ClientHello★

Solution Article: K23105004

Component: TMOS

Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.

Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.

Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.

Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.

---

644979-2 : Errors not logged from hourly 1k key generation cron job

Component: TMOS

Symptoms:
Errors from the 1k key generation hourly cron job do not get logged as intended from the hourly 1024-bit key generation task.

Conditions:
This occurs during hourly generation of ephemeral keys.

Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.

Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.

---

644135 : 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics

Solution Article: K53342451

Component: TMOS

Symptoms:
12.1.1-hf1 only supports module tuning for Source Photonics 100G LR4 optics. It does not support Finisar 100G LR4 optics via f5optics.

Conditions:
This is relevant only if you are running 12.1.1-hf1, and are using Finisar 100G optics.

Impact:
FCS errors may be observed on interfaces using Finisar 100G LR4 optics.

Workaround:
The only workaround is to update the software you are running with an engineering hotfix or software version that supports module tuning for Finisar 100G LR4 optics.

Note: This issue applies only to 12.1.1-hf1. This issue is addressed in other versions using a mechanism different from 12.1.1-hf1. For version 12.1.1-hf1, there is an engineering hotfix available to support Finisar 100G LR4 optics.

---

625156 : Bigd memory leak

Solution Article: K50524736

Component: LTM

Symptoms:
The bigd process grows in size until one of two things happens:

-- The Linux kernel runs out of memory and OOM kills the bigd process (or potentially some other large process) a few hours after the system starts up.
-- On high-end platforms, the bigd process grows to just under 4GB in virtual size (vsize) and starts failing in unexpected ways, for example marking targets down that are not actually down, or failing to detect targets that are down.

Conditions:
-- You are running BIG-IP 12.1.5.3.
-- You have HTTPS monitors configured.

Impact:
A memory leak occurs. Depending on the platform, process daemons might restart or fail. Monitored targets may be incorrectly marked down.

Although restarting bigd is not traffic-impacting, it is possible that other daemon processes restart due to low memory conditions, and could disrupt traffic while they restart.

Workaround:
None

---

643860-4 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly

Solution Article: K41573401

Component: Local Traffic Manager

Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:

-- In /var/log/tmm:
  notice MCP connection expired early in startup; retrying.

In/var/log/ltm:
  mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.

Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.

Impact:
The TMM processes will restart and fail to come up properly.

Workaround:
To recover, reboot the system.

Note: Do not perform file open operations on /dev/vnic. There is no need to.

---

643799-1 : Deleting a partition may cause a sync validation error

Component: TMOS

Symptoms:
Deleting a partition may cause the sync to peers to fail.

For example, on BIG-IP1:

tmsh delete auth partition P1
tmsh show cm sync-status
     Sync Summary
     Status Sync Failed
     Summary A validation error occurred while syncing to a remote device
     Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)

Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.

Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.

Impact:
The sync of this change may fail on peers.

Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.

---

643455-2 : Update TTL for equally trusted records only

Component: Global Traffic Manager (DNS)

Symptoms:
A child server's domain name may continue to be resolved by the child server even after the parent server revokes the NS record for the child server.

Conditions:
* Steady series of DNS queries for a domain name in the child server.
* The TTL for the domain name. A record is shorter than the TTL for the NS record for the child name server.
* The NS record is removed from the parent server.

Impact:
A client will still use the revoked child server after it is revoked.

Workaround:
Restart the TMM to clear out the cache.

---

642786-3 : TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.

Solution Article: K01833444

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may drop tunneled traffic destined for it, even though the corresponding tunnel is created correctly.

Conditions:
The local-address of a tunnel is resided in a non-default route-domain and the sys db variable 'connection.vlankeyed' is set to 'disable'. Note that the default setting of that sys db variable is 'enable'.

Impact:
The BIG-IP system may drop tunneled traffic.

Workaround:
None.

---

642422-2 : BFD may not remove dependant static routes when peer sends BFD Admin-Down

Component: TMOS

Symptoms:
As a result of a known issue, the BFD feature used in an Dynamic routing configuration, may not remove static routes when configured to be dependant on the liveliness of the BFD peer.

Conditions:
- BFD configured and up.
- Static route configured and dependant on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.

Impact:
Static route may not be removed on BFD session configured by peer to be and traffic may still be routed.

---

641582-1 : Rarely, an HSB transmitter failure occurs

Component: TMOS

Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.

Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.

Impact:
Reboot of the unit.

Workaround:
None.

Note: Although there is no workaround, beginning in v13.0.0, there is an internal counter that tracks occurrences of these types of HSB transmitter failures, which enables better understanding of the issue and a more thorough investigation into its cause.

---

641543-1 : bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.

Component: TMOS

Symptoms:
If you have a custom bind-timeout value set for ldap system-auth, the custom value is honored for anonymous users but is ignored for explicit users.

Conditions:
ldap auth configured for remote authentication, and a custom bind timeout value is specified.

Impact:
The default timeout value of 10 seconds will be enforced for ldap auth.

Workaround:
None.

---

641001 : BWC: dynamic policy category sees lower bandwidth than expected in Congested policies

Component: TMOS

Symptoms:
When BWC policy is configured with category that is configured at lower rate than max-user-rate, when the system is congested, the system might experience lower bandwidth and is not able to fill the pipe.

Conditions:
BWC dynamic policy configured with category.
The number of sessions created is greater than max-rate/max-user-rate, utilizing all the policies.


For example: max-rate=10mbps, max user rate=5mbps, cat rate=3mbps.

Impact:
Lower bandwidth is seen.

Workaround:
Configure categories at the same rate as that of max-user-rate.

---

640924-1 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12) LED icons on Edge client's main UI, the buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.

Conditions:
macOS Sierra (10.12.x) and Edge client application.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
None.

---

640863-2 : Disabling partition selector in DNS Resolver's Forward Zones

Solution Article: K29231946

Component: TMOS

Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.

Conditions:
Having Forward Zones in DNS Resolvers inside different partitions.

Impact:
Changing the partition in the Forward Zones page may error out.

Workaround:
Change the partition in the DNS Resolver List or use tmsh.

---

640751-2 : No PCRE Validation Performed For Regular Expression Parameters

Component: Application Security Manager

Symptoms:
If a Parameter is configured to match a specified regular expression, but the regular expression is misconfigured, there is no error presented to the user, and there is no regexp enforcement for the parameter.

The following log can be observed in bd.log
"PCRE compilation failed at offset 12: PCRE does not support \L, \l, \N, \U, or \u"

Conditions:
A non-PCRE regular expression is configured for a Parameter.

Impact:
No Regular Expression enforcement is performed.

---

640704 : A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★

Solution Article: K20418658

Component: Local Traffic Manager

Symptoms:
When upgrading a BIG-IP HA pair directly from version 10.2.x to version 12.1.x, the devices may fail to retain their primary and secondary mirror IP addresses after the upgrade.

Conditions:
This will only occur during a direct upgrade from 10.2.x to 12.1.x. This will not occur, for instance, when upgrading to 12.0.x.

Impact:
The devices will not be performing any mirroring after the upgrade to version 12.1.x as a result of this issue.

Workaround:
You can work around this issue by either:

A) Performing an intermediate upgrade to BIG-IP version 12.0.x first.

or

B) Manually reconfiguring the mirror IP addresses after the devices have been upgraded to 12.1.x (for more information on how to do so, refer to K13478: Overview of connection and persistence mirroring (11.x - 12.x) https://support.f5.com/csp/article/K13478).

---

640548-1 : In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.

Component: Policy Enforcement Manager

Symptoms:
In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked and PEM doesn't do re-try.

Conditions:
In Gy delayed binding mode, concurrent flows hits another rating group before the CCA-I for the first rating groups comes back.

Impact:
Quota management service will not be active for those concurrent flows.

---

640489 : iSeries LCD alerts screen returns to splash screen intermittently

Solution Article: K53571714

Component: TMOS

Symptoms:
If there is a pending alert and the LCD remains on the alerts screen for an extended period of time, when you attempt to view the alerts for a particular severity (critical, error, warning, etc), the system re-directs to the splash screen instead of to the screen with a list of alerts.

Conditions:
-- An alert is pending.
-- The LCD remains on the alerts screen for a long time (e.g., 1-2 minutes).
-- Navigate to one of the alert levels to view the pending alerts.
-- The LCD displays the splash screen instead of a list of alerts.

Impact:
The system returns to the splash screen instead of a list of alerts.

Workaround:
Navigate back to the alerts screen and select an alert severity to get a list of alerts.

---

640395-1 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly

Solution Article: K26144701

Component: Local Traffic Manager

Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.

Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.

Impact:
If you are not actually using the spanning feature, there is no impact.

If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.

Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.

Alternatively, you can manually set the spanning property on their virtual addresses as desired (after the upgrade).

---

640054-1 : Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled

Component: TMOS

Symptoms:
When a virtual address is using selective ICMP-echo and the virtual address is disabled, it will sometimes respond to ICMP echo requests, and sometimes not.

Conditions:
The difference appears to depend on where the virtual address is disabled.

1) If the virtual address is disabled in the virtual address settings page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List :: <address>] it stops responding to pings.

2) If the virtual address is disabled on the virtual address list page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List] it responds to pings.

3) If the virtual address is disabled with TMSH: 'modify ltm virtual-address <address> enabled no' it responds to pings.

In addition, on a BIG-IP Virtual Edition (VE), case #1 also responds to pings.

Impact:
The ICMP echo behavior is different depending on where the virtual address is disabled.

Workaround:
None.

---

639774-5 : mysqld.err rollover log files are not collected by qkview

Solution Article: K30598276

Component: TMOS

Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview without truncation rules normally used for log files. Also, the mysqld.err.1 and mysqld.err.2.gz, etc are not collected at all.

Conditions:
This occurs when generating a qkview.

Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.

Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.

---

638089-1 : LACP and CMP state simultaneously fail on 2150 or 2250 blades

Component: TMOS

Symptoms:
An internal traffic stoppage occurs and causes LACP ACTIVE trunk members to go down, and CMP state changes for the HOST and vCMP guests (if configured) on the impacted blade. The tmctl detailed statistics show sustained TX pause generated by HSB on one or more links and matching RX Pause received in interface_stat (on 4.1, 4.2, 4.3).

Conditions:
-- This happens when using 2150 or 2250 blades and an internal FPGA device gets into a bad state under heavy traffic load.

-- The root cause of that is still under investigation.

-- It happens extremely rarely.

Impact:
Traffic no longer functions on the blade where stoppage occurs.

Workaround:
Reboot blade.

---

637979-1 : IPsec over isession not working

Component: TMOS

Symptoms:
User cannot send IPsec encrypted application data traffic through a secured iSession connection, just by configuring symmetric optimization to use IPsec for IP encapsulation.

Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.

Impact:
User is unable to send encrypted traffic using IPsec over the tunnel without additional configuration required for a typical IPSec setup.

Workaround:
Configuration needed for a typical IPsec setup should be made explicitly.
isession encapsulation should be set to "none", and proper IKE-peer, IPsec policy, and traffic selectors should be configured to capture isession traffic between the isession endpoints.

BIG-IP1 GUI:
[Local Endpoint]
Acceleration->Symmetric Optimization : Local Endpoint->Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None

[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints >New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>

[IKE peer]
Network->IPsec : IKE Peers->New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>

[IPsec policy]
Network->IPsec : IPsec Policies->New IPsec Policy…
Name:<isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>

[Traffic selector]
Network ->IPsec : Traffic Selectors ->New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>

BIG-IP2 GUI: Analogous--just swap the local and remote endpoint addresses where they appear above

---

637686-2 : relax_unicode_in_xml should become the default behavior

Component: Application Security Manager

Symptoms:
You see "Malformed XML data - Malformed document, Input stream corrupt" violations on valid XML.

Conditions:
A character appears in the payload that is considered by the XML parser as illegal.

Impact:
A violation happens.

Workaround:
Use internal parameter relax_unicode_in_xml.

---

637613-3 : Cluster blade being disabled immediately returns to enabled/green

Solution Article: K24133500

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.

---

637279 : Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.

Component: TMOS

Symptoms:
Pool member discovery does not work and produces the following error: as-describe-auto-scaling-groups: Refused: The security token included in the request is invalid.

Conditions:
This occurs in the eu-central-1 region only. Does not apply for failover. Note: This error might happen even when correct IAM credentials are specified.

Impact:
Pool member discovery cannot be run in eu-central-1 region.

Workaround:
Create autoscale configuration in regions other than eu-central-1.

---

636866-3 : Access Policy with a secure attribute object can fail at runtime for users, if admins perform AP export/import at the same time

Component: Access Policy Manager

Symptoms:
When an access profile with a secure attribute (for example: AAA AD Auth agent, LDAP Auth agent, RADIUS Auth agent, etc.) is exported and then imported, secret attribute may not be imported properly.

During run-time authentication error logs like below may be observed:

Nov 30 12:12:12 hostname err apmd[8478]: 01490236:3: /Common/access-policy-name:Common:xxxxxxxx: LDAP Module: Failed to bind with 'cn=yyyy,dc=zzz,dc=xxx'. Invalid credentials.

Conditions:
APM access policy agent with a secure attribute (for example: AAA AD Auth agent, LDAP Auth agent, RADIUS Auth agent, etc.) exported and then imported.

Impact:
The APM agent imported in the access profile may not run properly and may end up in wrong branch.

Workaround:
After importing the access profile, manually re-configure agents with secure attributes.

---

636823-3 : Node name and node address

Component: TMOS

Symptoms:
If you create a node with a name that is an IP address but the IP address is different than the name, it can produce an error when adding the node to a pool.

Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1

Impact:
When you attempt to add the node to a pool, an error will occur:

Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1

Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.

---

636412-1 : ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities

Component: Application Security Manager

Symptoms:
ASM start process fails on machines with thousands of ASM configuration entities.

The log file contains error messages similar to the following:
Protobuf message exceeds max defined size. Table: CONFIG_TYPE_DYNAMIC_TABLES.

Conditions:
Issue is very rarely reproducible and requires thousands of ASM policy entities on the machine.

Impact:
ASM may report legitimate request traffic as a violation.

Workaround:
There is no workaround at this time.

---

636348-3 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.

Component: Local Traffic Manager

Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example

01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.

Conditions:
This issue occurs when all the following conditions are met:

-You have multiple BIG-IP systems in a High Availability (HA) configuration.
-You have configured System Gateway Failsafe
-You reset device trust
-You attempt to reload the configuration or reboot the device before recreating the device trust

Impact:
Configuration may fail to load

Workaround:
Remove Gateway Failsafe before resetting device trust

---

636164 : Remote IP not working in IE 8

Component: TMOS

Symptoms:
Adding a Remote IP in System :: Logs : Configuration : Remote Logging has no effect in Microsoft Internet Explorer (IE) version 8.

Conditions:
Using IE 8.

Impact:
Remote IP does not work.

Workaround:
BIG-IP version 12.x and later do not support IE 8. Use a later version of IE, or use another browser.

---

636163 : Certificate Key Chain not working in IE 8

Component: TMOS

Symptoms:
Certificate Key Chain not working in Microsoft Internet Explorer (IE) version 8.

Conditions:
Using IE 8.

Impact:
Certificate Key Chain does not work.

Workaround:
BIG-IP version 12.1.0 and later do not support IE 8. Use a later version of IE, or use another browser.

---

636104-2 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.

Component: Application Visibility and Reporting

Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.

Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.

Impact:
Not seeing the pool member under the HTTP "pool" dimension.

Workaround:
You can define a temporary pool member with the port that is being used (e.g. 80) and delete it after that.
But once defined once, it will go to the DB and will be shown from that point.
This is a partial workaround since it needs to be done for every port that is being used in traffic.

---

636031-4 : GUI LTM Monitor Configuration String adding CR for type Oracle

Solution Article: K23313837

Component: TMOS

Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.

Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.

Impact:
The /config/bigip.conf file contains CR characters in the file.

Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.

---

635871-1 : tmsh validation of hash persistence timeout setting is incorrect

Component: Local Traffic Manager

Symptoms:
The permitted hash persistence timeout value is a range from 1 - 4294967295. But in tmsh you can set the value to 0 without error

Conditions:
This occurs when running the following tmsh command:
tmsh modify ltm persistence hash <profile_name> timeout <number>
where <number> = 0

The GUI will report a validation error if you try to set it to 0 in the GUI.

Impact:
The value of 0 will be saved but the minimum value should be 1.

Workaround:
If you accidentally set a timeout to 0 you can set it back to the correct range using the following tmsh command:
tmsh modify ltm persistence hash <profile>name> timeout <1-4294967295>

---

634369-2 : Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes

Component: Local Traffic Manager

Symptoms:
Bigd crash (SIGABRT) while running iControl REST scripts against monitor configurations with FQDN nodes.

Conditions:
-- Bigd configured with FQDN nodes.
-- iControl REST calls are used to interact with system.

Impact:
Bigd crashes and restarts. Monitoring correctly resumes after the restart period.

Workaround:
None.

---

634014 : Absolute timers may fire one second early during the leap second event

Component: TMOS

Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.

Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.

Impact:
Impact to applications unknown. The system stays stable, and a timer may be fired off earlier than expected

Workaround:
None.

---

633824-2 : Cannot add pool members containing a colon in the node name

Solution Article: K39319200

Component: TMOS

Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g. 10.1.20.10:80), adding the node will fail and you will get an error similar to the following:

0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).

Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon in it

Impact:
You are unable to add the node to the pool and will get a validation error.

Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.

---

633568 : Pool statistics page doesn't show all pool members in IE8 with compatibility view

Component: TMOS

Symptoms:
While accessing the pool statistics page with IE8 with compatibility view mode, pool member expand/collapse icons do not work properly. Specifically, one of the pool members is displayed as blank.

Conditions:
This occurs when accessing the BIG-IP GUI using IE8; navigate to Statistics :: Module Statistics : Local Traffic. Select "Pool" and press "collapse (plus)" icon to expand pool members.

Impact:
You will see that one pool member will displayed as blank row.

---

633495 : Cannot switch between partitions in Local Traffic :: Policies

Component: TMOS

Symptoms:
When you are in the Local Traffic :: Policies page, you are unable to change partitions.

Conditions:
This occurs when multiple admin partitions exist and there are policies in each partition, and you wish to change partitions.

Impact:
You are unable to change partitions from the Local Traffic :: Policies page.

Workaround:
Change to another page in the GUI and change the partition, then visit the Policies page again.

---

633464-2 : Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Component: Local Traffic Manager

Symptoms:
Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Conditions:
HTTP/2 profile is attached to the virtual. Content-length header is sent by the server.

Impact:
If a client application requires the content length for HTTP/2, the application does not function as expected.

Workaround:
None.

---

633454-1 : Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Component: Application Security Manager

Symptoms:
Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Conditions:
-- Versions of Chrome older than version 53.
-- Proactive Bot Defense is enabled.

Impact:
Browser gets blocked.

Workaround:
Use one of the following workarounds:

-- Use a version of Chrome that is version 53 or later.
-- Use a different browser.

---

633349-3 : localdbmgr hangs and eventually crashes

Solution Article: K86613330

Component: Access Policy Manager

Symptoms:
localdbmgr hangs, consumes a lot of CPU and eventually crashes due to a rare condition where the program's execution halts, upon logging configuration changes.

Conditions:
Rare condition upon changing log settings configuration, or when localdbmgr process loads existing log config settings upon start / restart.

Impact:
localdbmgr hangs, consume a lot of CPU and will eventually crash.

Workaround:
localdbmgr should restart and recover from this crash. If it doesn't, perform a "bigstart restart localdbmgr"

---

633172 : External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command

Solution Article: K12473201

Component: TMOS

Symptoms:
The REST call to install a key from a local file fails when the user is external (e.g., LDAP), even when its role is Administrator.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is configured to allow access to external LDAP users.
-- The external LDAP user is assigned an Administrator role.
-- The external LDAP user uses the tm/sys/crypto/key iControl REST command to import a key from a local file.

For example, you use the tm/sys/crypto/key iControl REST command with external LDAP user f5user that is assigned with the Administrator role, as follows:

restcurl -u f5user:f5user -X POST https://localhost/tm/sys/crypto/key -d '{"command":"install","name":"/Common/my-key.key","from-local-file":"/var/config/rest/downloads/my_key.key"}'

Impact:
Key install operation fails.

Workaround:
To work around this issue, you can use the sys/file/ssl-key iControl REST command to import a key file instead. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

Log in to the command line on the system from which you want to import the key file.
Note: The system must be able to support the command line version of the curl command.

Import the key file using the following command syntax:
curl -k -u <username:password> -H "Content-Type: application/json" -X POST https://<BIG-IP device>/tm/sys/file/ssl-key/ -d '{"name":"<key file name>","source-path":"<full path to key file>"}'

For example:

curl -k -u f5user:f5user -H "Content-Type: application/json" -X POST https://localhost/tm/sys/file/ssl-key/ -d '{"name":"f5user1.key","source-path":"file:///shared/my_key.key"}'

Note: Ensure that the key file name includes the file suffix, as the tm/sys/file/ssl-key iControl REST command does not automatically append .key in the key name.

---

633110-2 : Literal tab character in monitor send/receive string causes config load failure, unknown property

Solution Article: K09293022

Component: Local Traffic Manager

Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contains tabs, but the tabs do not get quoted when it gets saved to the configuration. This will cause the configuration load to fail, with this error signature:

Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property

Conditions:
This can occur if you copy/paste a monitor send or receive string and paste it into the send/recv string field in tmsh or the GUI.

Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.

Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.

---

632958-2 : APM MIB gauges not reset on standby device

Component: Access Policy Manager

Symptoms:
The following MIB gauges are not reset after the device transitions from active to standby:

F5-BIG-IP-APM-MIB::apmAccessStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmAccessStatCurrentEndedSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentPendingSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentCompletedSessions

Conditions:
After failover happens

Impact:
Since these gauges represent current session counts, administrator may not be able to identify the active device by looking at these gauges.

---

632901-1 : JET documentation incorrect for RESOLV::lookup

Solution Article: K03112333

Component: Local Traffic Manager

Symptoms:
JET documentation for the iRule command RESOLV::lookup contains a description of a bug where PTR records are not being cached. The documentation includes a workaround for this bug. However, the bug no longer exists.

Conditions:
tmsh help ltm rule command RESOLV::lookup | grep "Note: The results" -A6

Impact:
Jet documentation mentions a resolution to a bug that no longer exists.

Workaround:
None. This is a cosmetic issue that you can safely ignore.

---

632839 : UDP Flood does not get detected if the vector limits are infinite

Component: Advanced Firewall Manager

Symptoms:
If the UDP_flood AFM DoS vector is configured as 'infinite' for both detection-threshold-pps and default-internal-rate-limit then it will not get detected. Even per-virtual server and Sweep/Flood will not detect UDP_Flood. If they are not infinite, they should work as expected, and the default value for detection-threshold-pps is 400000.

Conditions:
-- Settings of 'infinite' for UDP_flood device-dos vector.
-- Running v12.1.1, 12.1.2, or 12.1.3.

Impact:
You might expect UDP_flood vector to be detected at the per-virtual server and Sweep/Flood level, but if it is configured at infinite at the global device level, then it will not be detected at any level at all.

Workaround:
To enable the system to detect UDP_Flood at the various levels, set the global device-dos level for UDP_flood to be 4294967294 (1 less than MAX_UINT32).

Note: With this workaround, the system still cannot detect UDP_flood vector still at the global device-level because the number is too high.

---

632838-1 : Deterministic NAT performance may be degraded

Component: Performance

Symptoms:
Deterministic NAT performance may be degraded compared to performance in 12.1.x.

Conditions:
Deterministic NAT configuration in use in version 13.0.

Impact:
CPU utilization will be higher, and the system may pass traffic with less speed.

Workaround:
Enable the db variable pva.fwdaccel to see DNAT performance improve with a fastL4 profile.

---

632825-5 : bcm56xxd crash following 'silent' port-mirror configuration failure

Component: TMOS

Symptoms:
A port-mirror configuration can fail 'silently', that is, no error from MCPD yet the following is logged in /var/log/ltm:

err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).

Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.

If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.

Conditions:
Prior 'silent' port-mirror configuration error followed by a subsequent port-mirror configuration command.

Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.

Workaround:
None.

---

632723-1 : tmm core with remote logging pool in non-zero route domain

Solution Article: K05079458

Component: Advanced Firewall Manager

Symptoms:
tmm cores every minute with a security log profile set to send log messages to pool members in a different route domain.

Conditions:
Remote logging pool configured, and the pool members are in a non-zero route domain that is different than that of the forwarding virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the logging pool members are in the zero route domain.

---

632604-1 : SSL::sessionid iRule command returns incorrect result

Component: Local Traffic Manager

Symptoms:
SSL::sessionid iRule command returns incorrect result

Conditions:
An iRule is used to retrieve the session ID.

Impact:
The session ID might not be reliable.

Workaround:
None.

---

632553-2 : DHCP: OFFER packets from server are intermittently dropped

Solution Article: K14947100

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Enforce that the serverside flow is getting deleted, e.g. if dhcp server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67

---

632246-1 : Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.

Component: Advanced Firewall Manager

Symptoms:
pvasyncookies db variable does not disable/enable HW syn-cookies on secondary blades, and does not persist across MCPD restart/reboot.

Conditions:
Non-default setting for the pvasyncookies db variable.

Impact:
Setting does not persist across MCPD restart/reboot.

Workaround:
None.

---

632204-1 : Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions

Solution Article: K22568472

Component: TMOS

Symptoms:
When creating an LTM policy rule action 'Forward Traffic' and selecting from a list of pools or virtual servers, objects from partitions other than the current partition and the Common partition show up.

Conditions:
This occurs on the LTM policy rule creation page within a specific partition, and there are objects of the same type in other partitions.

Impact:
Users without access to the associated partition receive an error when selecting an object from that partition and clicking submit.

Workaround:
Do not select objects other than the ones in the current or Common partition from a dropdown.

---

631715-1 : ASM::disable does not disable client side challenges

Component: Application Security Manager

Symptoms:
ASM::disable command was run but a challenge was still sent.

Conditions:
irule with ASM::disable. CS or DID challenge is configured.

Impact:
An unexpected JS challenge arrives

Workaround:
N/A

---

631083-2 : Some files in home directory are overwritten on password change

Component: TMOS

Symptoms:
The files

  .bash_logout
  .bash_profile
  .bashrc

in a user's home directory are overwritten when that user's password is changed.

Conditions:
Change a user's password.

Impact:
Customizations to these files would be lost on password change. This only applies to users with advanced shell access.

Workaround:
Back up the files to a different location before making a password change.

---

631046 : Unable to generate a FIPS key using the GUI

Component: TMOS

Symptoms:
While generating a FIPS key from the BIG-IP GUI, you get the following error:
Key management library returned bad status: -4, FIPS security is not licensed, FIPS key security type is not allowed.

Generating a FIPS key from tmsh works properly.

Conditions:
This occurs on FIPS-licensed 12.1.1 HF1 and HF2, when using the GUI to generate the FIPS key.

Impact:
Unable to generate a FIPS key using the GUI.

Workaround:
Use the following tmsh command to generate a FIPS key:
tmsh create sys crypto key <key_object_name> security-type fips.

---

630795-1 : No guestagentd entry in merged.conf

Component: TMOS

Symptoms:
There is no entry in guestagentd in merged.conf. This results in this error in the ltm log whenever merged starts up:

"Process managed by runsv is not in /config/merged.conf: guestagentd"

Conditions:
This is encountered whenever merged starts.

Impact:
In addition, for stats purposes, the proc_stat and plane_proc_stat tables are affected. If the pid changes (for whatever reason) BIG-IP will not have the assignments to the right process information.

Workaround:
Add guestagentd entry to merged.conf

---

630257-1 : Monitor send/receive strings cannot end with trailing single-backslash★

Component: Local Traffic Manager

Symptoms:
A monitor with a 'send' or 'receive' string is not supported with a single trailing backslash, such as "GET /\r\n\" (note the single-trailing backslash that "escapes" the trailing double-quotes).

Conditions:
A monitor 'send' or 'receive' string ends with a single trailing backslash; and the configuration is saved, and then a load is attempted.

Impact:
When configuration is saved and then loaded, the single-trailing backslash will escape the trailing double-quotes and the configuration will fail to load.

Workaround:
A double-trailing backslash is supported, where the trailing double-quotes will not be escaped, for example:
 "GET /\\r\\n"

---

629834-4 : istatsd high CPU utilization with large number of entries

Component: TMOS

Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.

Conditions:
This occurs when there is a large number of istats entries in iRules.

Impact:
istats processing is slow. CPU utilization by istatsd is high.

Workaround:
Reduce the number of istats entries. Periodically purge the the istats entries if possible.

---

628696-1 : Under rare circumstances, all blades in cluster claim not primary during start up

Component: Local Traffic Manager

Symptoms:
All blades in cluster claim not primary during startup

Conditions:
during TMM startup

Impact:
The cluster (even if standalone) appears Standby, and ready-for-world is never reached.

Workaround:
Restart tmm on primary blade

---

627760-3 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.

---

627447 : Sync fails after firewall policy deletion

Component: Advanced Firewall Manager

Symptoms:
When deleting a firewall policy and then creating a new one, sync to standby fails.

Conditions:
Delete firewall policy then create a new one. Sync to Standby.

Impact:
Sync fails.

Workaround:
None.

---

627384-1 : eamtest tool fails with Segmentation fault after initialization.

Component: Access Policy Manager

Symptoms:
Tests done with eamtest tool fail with Segmentation fault after initialization.

Conditions:
Run eamtest tool.

Impact:
eamtest tool fails, which affects troubleshooting using the tool.

Workaround:
Run eamtest with LD_PRELOAD=libeam_asdk_preload.so prefix.

---

627221-1 : iControl SOAP doesn't support displaying all possible media options for interfaces

Component: TMOS

Symptoms:
Newer media options would erroneously be displayed as MT_AUTO from iControl SOAP.

If the media option is considered internal; iControl SOAP will still display the specific type if available in its list. This has been changed to display MT_NONE for those options.

Conditions:
Platforms that support the missing interfaces in the iControl SOAP will not get the right info vi iControl SOAP.
Specifically those that support MEDIA_40000_FDX and MEDIA_40000_LR4_FDX.

Affected Platforms:
A108
A112
D112
D113

Impact:
Information Mismatch

---

627144 : Two users cannot create policies at the same time.

Component: Application Security Manager

Symptoms:
Two users cannot create policies at the same time.

Conditions:
-- Two users with admin authority are logged onto the GUI.
-- Both begin creating separate ASM policies with distinct options.
For instance:
- User 'wafadmin1' logs in first.
- User 'wafadmin2' logs in second.
- Both are creating policies.
- When wafadmin2 submits the policy, it's being overwritten by policy details given by wafadmin1.
- Only user wafadmin1 can de-activate a policy; for other users the option itself is grayed out.

Impact:
Policy from one user can overwrite another's. Can also affect who can de-activate a policy.

Workaround:
Have only one user at a time create/modify/delete policies.

---

626480-1 : Restjavad log messages: [ProcessManager] Maximum child processes of 3 has been reached

Component: TMOS

Symptoms:
Restjavad log file contains multiple messages similar to the following:
-- [I][479][02 Nov 2016 00:38:51 UTC][ProcessManager] Maximum child processes of 3 has been reached.
-- [I][480][02 Nov 2016 00:38:51 UTC][ProcessManager] Maximum child processes of 3 has been reached.

Conditions:
-- Restjavad startup.
-- 100 or more devices discovered/managed.

Impact:
Potentially alarming/unnecessary error log messages.

Workaround:
None. Although the messages might be problematic, they do not indicate a serious condition.

---

626279-1 : After reboot LCD reports "unit going standby" even if it has gone active.

Component: TMOS

Symptoms:
After a reboot, the LCD and the tmsh show sys alert command reports "unit going standby" even though the device has become active.

Conditions:
This can occur intermittently on system startup.

Impact:
LCD and tmsh show sys alert erroneously report "unit going standby". The /var/log/ltm log will have messages from sod indicating that it has become active.

---

626226-1 : Large SSL certificate bundle export by GUI silently fails

Component: TMOS

Symptoms:
GUI SSL certificate bundle export silently fails if the size of the certificate bundle is greater than approximately 1824 KB.

Conditions:
1. Import a certificate whose size is greater than 1823 KB.
2. Try to Export that certificate using the GUI.

Impact:
Unable to download large SSL certificate.

Workaround:
You can export the large SSL Certificate bundle as 'Archive' using the following procedure:

1. Navigate to System :: File Management : SSL Certificate List.
2. Click 'Archive.
3. Download the large SSL Certificate bundle.

---

625807-6 : Tmm cores in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Although the exact triggering conditions are unknown, it might that when a connection is aborted in a client-side iRule, the reported log signature may indicate its occurrence:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>.

Conditions:
Specific conditions that trigger this issue are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

625215-1 : unic: flow redirects for non-default cmp-hash on untagged VLANs

Component: TMOS

Symptoms:
-- Low throughput.
-- Flow re-directs in tmstat.

Conditions:
-- Untagged VLAN is in use
-- A non-default cmp hash, such as src-ip or dst-ip, is in use.

Impact:
Performance degradation.

Workaround:
None.

---

625165-3 : Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.

Component: Access Policy Manager

Symptoms:
-Routes to local DNS that get added due to 'allow local DNS' option in Network Access config do not get removed once network changes after VPN is established.

Conditions:
- 'Allow local DNS' option is selected in Network Access config.
- BIG-IP administrator changes the network configuration after VPN is connected.

Impact:
If the BIG-IP administrator changes the network after a VPN is connected, and if DNS servers have changed, then routes to old DNS servers (which may or may not be reachable) will be left in the routing table.

Workaround:
None.

---

625156-2 : Bigd memory leak

Solution Article: K50524736

Component: Local Traffic Manager

Symptoms:
The bigd process grows in size until one of two things happens:

-- The Linux kernel runs out of memory and OOM kills the bigd process (or potentially some other large process) a few hours after the system starts up.

-- On high-end platforms, the bigd process grows to just under 4GB in virtual size (vsize) and starts failing in unexpected ways, for example marking targets down that are not actually down, or failing to detect targets that are down.

Conditions:
-- You are running BIG-IP 12.1.5.3.
-- You have HTTPS monitors configured.

Impact:
A memory leak occurs. Depending on the platform, process daemons might restart or fail. Monitored targets may be incorrectly marked down.

Although restarting bigd is not traffic-impacting, it is possible that other daemon processes restart due to low memory conditions, and could disrupt traffic while they restart.

Workaround:
There is an engineering hotfix available HotFix-BIGIP-12.1.5.3.0.16.5-EHF16 :: https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=big-ip_v12.x&ver=12.1.5

To work around this, you can switch to non-HTTPS monitors until the engineering hotfix can be applied. Once you switch to non-HTTPS, restart bigd to release the leaked memory (restarting bigd should not be service impacting).

---

625108-1 : Learn flags of subviolations are incorrectly updated when all violations are updated by REST

Component: Application Security Manager

Symptoms:
When the learn flags of all violations are updated by REST PATCH, the learn flags of all subviolations are incorrectly updated as well.

Conditions:
The learn flags of all violations are updated in a single REST PATCH operation.

Impact:
The learn flags of all subviolations are incorrectly updated as well.

Workaround:
You can use either of the following workarounds:

-- Update violations in individual REST operations.
-- Update the subviolations after the violation update.

---

624917 : First few handshakes fail after chassis/appliance reboot when using HSM

Component: Local Traffic Manager

Symptoms:
After rebooting with an HSM configured, you notice the first few handshakes fail, with the following error signature in /var/log/ltm:

warning tmm3[13085]: 01260009:4: Connection error: info tmm3[13085]: 01260013:6: ssl_hs_vfy_sign_srvkeyxchg:9921: sign_srvkeyxchg (80)
1260013:6: SSL Handshake failed for TCP <src> -> <dest>

Conditions:
This occurs on the first few connections after reboot when an HSM is configured, and seems to occur if the device does not immediately pass traffic after reboot.

Impact:
The initial SSL connections will fail, then normal operation will resume.

Workaround:
None.

---

624626-3 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example

---

624580-1 : BigDB.dat may become truncated

Solution Article: K37147352

Component: TMOS

Symptoms:
BigDB.dat may become truncated.

Conditions:
The conditions under which this occurs are not well understood.

Impact:
Tomcat and possibly mcpd may restart due to having incorrectly generated configuration.

Workaround:
None.

---

624187-1 : Relocate TUC AVP to group AVP USU

Component: Policy Enforcement Manager

Symptoms:
Current implementation sends Traffic Change Usage (TCU) in MSCC at the same level as USU.

Conditions:
Anytime there is a TCU.

Impact:
Interoperability with ZTE OCS, which requires it as a child USU (Used-Service-Unit)

---

624044-1 : LTM Monitor custom recv/send/recv-disable parameters have backslash at the end may fail to load★

Solution Article: K42806722

Component: Local Traffic Manager

Symptoms:
If LTM monitor configuration parameters have custom strings that end with backslash, the saved configuration will fail to load.

Conditions:
Any of the "recv", "send", or "recv-disable" parameters having a backslash at the end, and the configuration is saved.

Impact:
The new configuration fails upon reload.

Workaround:
Do not end custom strings with backslashes. If config contains monitor configuration with custom strings that end with backslash. config can be cleaned with following process:
  tmsh save sys ucs K42806722_before
 find /config/ -type f -name "bigip.conf" -exec sed -i 's/\(\(send\|recv\).*\)\\"$/\1"/g' {} +
  tmsh load /sys config

---

623779-2 : Adding a client side challenge whitelist URL wildcard list

Component: Application Security Manager

Symptoms:
There is no way to tell that a URL wildcard is always qualified for client side challenges. Thus dynamic URLs system can't use the CS defense to dos attack or the proactive bot defense.

Conditions:
dynamic URLs are running in a dos attack and the system has cs mitigation enabled.

Impact:
the cs mitigation is not effective and the dos mitigation moves to the rate limit.

Workaround:
N/A

---

623488-3 : Custom adaptive reaper settings may be lost at upgrade time★

Component: TMOS

Symptoms:
Beginning in 11.6.0, the adaptive-reaper was changed to use the default-eviction policy. The configuration migration script does not migrate the adaptive-reaper settings, so after upgrade the reaper settings are reset to their default.

Conditions:
Upgrade from 10.x to 11.6.0 or later.

Impact:
Settings may be unexpectedly changed as part of upgrade.

Workaround:
Inspect the values after upgrade and reconfigure them.

---

623371-1 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed

Component: TMOS

Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.

Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.

Impact:
User does not see expected password prompt.

This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.

Workaround:
None known.

---

623367-1 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.

Solution Article: K57879554

Component: TMOS

Symptoms:
Able to login to BIG-IP using root's keypair as a user which does not exist on either the BIG-IP or the RADIUS server.

Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.

Impact:
With root SSH keys, can login as nonexistent user.

Workaround:
Set the default remote role to something other than admin.

---

623313 : After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★

Component: TMOS

Symptoms:
After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default. For example, in response to the 'tmsh list sys snmp' command, output in 10.2.x contains the following strings:
community-name public
source default

in 12.1.x, the output does not contain the string 'source default', only the string 'community-name public'.

Conditions:
Upgrade from 10.2.x.

Impact:
Cannot determine the SNMP community name if it is the default.

Workaround:
None.

---

623265-4 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★

Solution Article: K15645547

Component: TMOS

Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.

Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.

Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd / non-deterministic behavior between devices, even an HA pair / cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).

For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

---

623084-2 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★

Component: Local Traffic Manager

Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration has a DHCP virtual server configured using any profile that is not /Common/udp.

The following messages appears in /var/log/ltm:

01070095:3: Virtual server /Common/dhcp_relay-p-rd101 lists incompatible profiles.

This is because the profile in this case is /Common/fastL4 and is not 'converted' to a DHCP profile.

Conditions:
-- A pre 11.6.0.
-- DHCP-type virtual server configured with a profile other than /Common/udp.
-- Upgrade to 11.6.0 or later.

Impact:
mcpd fails to load the configuration. The BIG-IP system will not be operational until the configuration is changed and loaded.

Workaround:
Before the upgrade, change the profile to /Common/udp.

If you have already upgraded, manually change the bigip.conf file and load the config using the following command: tmsh load /sys config

---

622876-1 : Certificate serial number is not displayed properly in OCSP Stapling logs.

Component: Local Traffic Manager

Symptoms:
The certificate serial number is not displayed properly in OCSP Stapling logs.

Conditions:
These logs are seen when there are any errors when fetching and validating an OCSP response, and/or when SSL debug logs are enabled.

Impact:
Certificate serial number is not displayed properly.

Workaround:
None.

---

622870 : When using a Thales key, SSL handshake failed after restarting pkcs11d

Component: Local Traffic Manager

Symptoms:
With a Thales key, SSL handshake failed after restarting pkcs11d daemon.

Conditions:
Thales netHSM is used and pkcs11d daemon is restarted.

Impact:
SSL traffic is failed.

Workaround:
bigstart restart tmm

after

bigstart restart pkcs11d

---

622378-1 : Inconsistent hardware syncookie protection mode on B2100/B4300 blades and 5000/7000/10000 appliances

Component: TMOS

Symptoms:
BIG-IP may enter a state where the software indicates it is not in syncookie protection mode for a virtual IP, but the FPGA is still in that mode.

Conditions:
This only occurs on the following platforms (B2100/B4300 blades, 5000/7000/10000 appliances) with Xilinx FPGA. It can be triggered if BIG-IP enters and exits syncookie protection frequently in a short interval as SYN traffic varies.

Impact:
This may lead to undesired behavior in processing traffic. For example it would cause the VIP to remain in hardware syncookie protection mode while SYN traffic is nominal.

Workaround:
Usually "bigstart restart tmm" would clear this error condition.

---

622204-1 : If a virtual server's name has a "." in it then a DoS profile cannot be attached to it

Solution Article: K14141640

Component: Advanced Firewall Manager

Symptoms:
For virtual servers with a . (dot, or period) in the name and a DoS profile attached, a crash might occur when attacks are detected/stopped.

Conditions:
Virtual server with a name that includes a . and an attached DoS profile, and then a DoS attack is detected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the . in the virtual server name.

---

621843-1 : the ipother proxy is sending icmp error messages to the wrong side

Component: Local Traffic Manager

Symptoms:
the ipother proxy error handling sends ICMP error messages down the wrong side of the proxy. when a client-side error occurs, the error message is being sent to the server side

Conditions:
error handling of the ipother proxy

Impact:
ICMP error messages show up on the wrong side

Workaround:
no workaround

---

621158-1 : F5vpn does not close upon closing session

Component: Access Policy Manager

Symptoms:
F5vpn does not close upon closing session.

Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.

Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.

Workaround:
None.

---

620969-3 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.

Component: TMOS

Symptoms:
Using the get_valid_key_sizes() for querying the valid key sizes, 1024 is returned, which is not valid when the FIPS firmware is version 2.2 or above.

Conditions:
FIPS firmware is version 2.2 or above.

Impact:
Unsupported key-size is returned.

---

620844-1 : DoS: tmm core after delete packet type from Device Sweep vector

Component: Advanced Firewall Manager

Symptoms:
During the config change of Sweep vector, when all tmm threads delete the rate tracker, a race condition might occur that could prevent the tracker from being deleted. As a result, some tmm threads might see the new instance, which causes the tmm thread to abort.

Conditions:
This potential race condition occurs after delete packet type from Device Sweep vector.

Impact:
tmm thread might abort if a race condition occurs. Traffic disrupted while tmm restarts.

Workaround:
None.

---

620556-1 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule

Component: Local Traffic Manager

Symptoms:
Fragmented packets may be transmited to clone pool members of virtual server, which is also forwarding its traffic to another virtual server.

Conditions:
One virtual server should be configured to forward traffic to another one using iRule, i. e.

when CLIENT_ACCEPTED {
  virtual another_virtual
}

This forwarding virtual should also have clone pool configured.

Impact:
Fragmented packet are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.

---

620053-1 : Gratuitous ARPs may be transmitted by active unit being forced offline

Component: Local Traffic Manager

Symptoms:
When cluster's active is forced offline, the non-primary blades may send gratuitous ARPs.

Conditions:
Cluster's active blade is forced offline.

Impact:
Potential impact to traffic if the gratuitous ARPs of the blade which goes offline is received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Failover the cluster before forcing offline or configuring MAC masquerading.

---

619667-1 : Allow Local DNS Servers is not honored on Mac OS X

Solution Article: K34751151

Component: Access Policy Manager

Symptoms:
In some cases of split tunnel local DNS resolution on client does not work.
Its "emulated" full tunnel mode i.e. split tunnel and IPv4 LAN address space of 0.0.0.0/0.0.0.0 and don't allow local subnet access.

Conditions:
Configure Allow Local DNS Servers is not honored on Mac OS X.
Configure split tunnel and IPv4 LAN address space of 0.0.0.0/0.0.0.0.
Disable local subnet access.
System has only one physical adapter (ethernet or wifi) available for networking.

Impact:
DNS resolution fails for some split tunnel deployment cases.

Workaround:
Specify "*" in DNS included address space to forward all DNS traffic over the tunnel.

---

619419 : Workaround for Software Installation Failures in TMUI★

Component: TMOS

Symptoms:
A software installation fails for one of several reasons (unsupported software versions, lack of disk space, etc). This failure leaves the software volume in a state where future installations cannot be completed.

Conditions:
Software installation fails.

Impact:
You cannot install software on the failed volume. You will see "Previous installation not complete" message if you attempt to install software on this failed volume.

Workaround:
1. Installation fails.
2. Navigate to System >> Disk Management. Click on HD1 (for example)
3. Under Contained Software Volumes, you can see the reason for failure on the failed volume.
4. Select the failed volume and click Delete. Confirm you want to delete the failed volume.
5. Once the volume is deleted successfully, return to System >> Software Management : Image List
6. Select a valid image and click the Install button.
7. Under Volume Set Name enter a valid name and click the Install button.

---

619397-5 : LCD shows error screen on boot or after license expires

Solution Article: K04055706

Component: Device Management

Symptoms:
The LCD on BIG-IP iSeries appliances may display an error screen.

Conditions:
This occurs if the appliance has just finished booting, or if the license has just expired.

Impact:
This may cause an unexpected error and subsequent navigation back to the LCD splash page.

Workaround:
Wait one minute and try to navigate the LCD screens again. If the system has already been licensed and is in the 'Active' state, subsequent attempts should work.

---

619099 : 'General Database Error' while changing the Admin UI authentication type

Component: Access Policy Manager

Symptoms:
Failed to choose Authentication type from Local to other BIG-IP-supported authentication type.

Conditions:
-- User Directory is Remote - APM Based.
-- Authentication Type is RADIUS, AD, LDAP or TACACS+.
-- All needed information about the AAA Server is specified.

Impact:
GUI error: 'General Database Error'.

Workaround:
None.

---

618982-1 : IPSEC + chassis behavior for case secondary blades on-off switch.

Component: TMOS

Symptoms:
After cmp_state change (secondary blade restart), some flows will fail

Conditions:
Adding-removing blades causes DAG flow redistribution and redistribution IKE/IPSEC SA's and IPSEC data flows between existing blades. It makes some flows interrupted and IPSEC peer disconnect.

Impact:
Some users may lose their connections and have difficulty restoring them.

Workaround:
None

---

618889-1 : Clicking the policies list tab does not refresh the policies list on click.

Component: TMOS

Symptoms:
Clicking the policies list tab does not refresh the policies list on click.

Conditions:
This occurs on the policy list page

Impact:
If the policy list changed, the updates will not be displayed.

Workaround:
Refresh the browser or click the menu Local Traffic > Policy List in order to refresh the page

---

618693-3 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP

Component: Application Security Manager

Symptoms:
When generating a web scraping attack of session opening anomaly type, there is an attack start/end event shown in the /var/log/asm and GUI: Security :: Event Logs : Application : Web Scraping Statistics. The event has a "source ip" field which should come along with the route domain. In the case of "session opening anomaly" the route domain is always zero. (For example: 127.0.0.1%0). Even there is a non-zero route domain configured.

Conditions:
Route domain is configured and a web scraping attack event triggers.

Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.

Workaround:
None. This is a cosmetic error. The system uses the correct route domain

---

618637-1 : Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error

Component: Access Policy Manager

Symptoms:
Sometimes f5fpc cannot establish Network Access connection. Successfully established Network Access connection and subsequent login retries will fail with 'Session timed out' error.

Conditions:
This intermittent issue might occur after there has been a successfully established Network Access connection, and a user retries to login once or multiple times.

Impact:
Network Access cannot be established and 'Session timed out' error is presented to the user.

Workaround:
1) Find all processes with regex f5std, svpn and manually kill them.
2) Restart host OS.

---

618503-1 : Irrelevant fields visible in Logging profile

Component: Application Security Manager

Symptoms:
When switching from logging format 'BIGIQ' to logging format 'Key-Value Pairs' in Application Security logging profiles, 'Maximum Request Size' and 'Maximum Query String Size' properties are not removed.

Conditions:
Switch from logging format 'BIGIQ' to logging format 'Key-Value Pairs' in Application Security logging profiles.

Impact:
Irrelevant fields visible.

Workaround:
None.

---

618463-2 : artificial low route mtu can cause SIGSEV core from monitor traffic

Component: Local Traffic Manager

Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route mtu, tmm can crash repeatedly.

Conditions:
see above

Impact:
Traffic disrupted while tmm restarts.

Workaround:
configure correct MTU

---

618319-5 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked

Solution Article: K58255321

Component: TMOS

Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.

Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).

If this port is blocked, the devices cannot exchange failover status information.

Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and the device become active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.

Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.

Normally this is done with 'allow-service { default }' if using the default default-list, or an explicit entry can be used with 'allow-service { udp:1026 }'.

---

618131-1 : Latency for Thales key population to the secondary slot after reboot

Component: Local Traffic Manager

Symptoms:
It may take a significant amount of time for the Thales key to populate from the primary slot to the secondary slot after a reboot. The latency can be a few minutes.

Conditions:
This occurs for Thales netHSM installed on Chassis.

Impact:
The key can't be found at secondary slot and the ssl traffic may fail.

Workaround:
If SSL handshakes fail on secondary blades for newly created Thales keys, you may check secondary blades with
 
    nfkminfo -l
 
to see if the file is there. If not the file can be synchronized with rfs-sync --U.

---

618104-1 : Connection Using TCP::collect iRule May Not Close

Component: Local Traffic Manager

Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.

Conditions:
A finite TCP::collect iRule is in progress.

This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.

Impact:
The connection does not close until the sweeper causes a RST.

Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.

---

617875-1 : vCMP guest may fail to start due to not enough hugepages

Component: TMOS

Symptoms:
In rare cases, when there are many vCMP guests, the last one may fail to start because there are not enough hugepages. The shortfall is between 5 and 20 hugepages. Occasionally, that lack is sufficient to prevent the last guest from starting.

Conditions:
The circumstances under which this occurs are not known, but appears related to a race condition related to memory handling.

Impact:
vCMP guest fails to start.

Workaround:
Once in this state, restarting the host system clears the condition.

Note: Restarting the vCMP guests does not clear the condition.

---

617643-1 : iControl.ForceSessions enabled results in GUI error on certain pages

Component: TMOS

Symptoms:
GUI pages display 'An error has occurred while trying to process your request.'

Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.

Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.

Workaround:
Use shell for related administrative tasks or if feature is not used, disable with the following command:

tmsh# modify sys db icontrol.forcesessions value disable

---

617629-1 : Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab

Component: Access Policy Manager

Symptoms:
If you click on the "export csv" button and then switch to another report, the same csv file will be download again when you click on the tab of another report.

Conditions:
Creating multiple reports in Access Report page and clicking on the "export csv" button in one report.

Impact:
Same file will be downloaded repeatedly.

Workaround:
Refresh the page before switching to another report.

---

617578-2 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware

Component: TMOS

Symptoms:
On a BIG-IP provisioned with LTM only, the radius profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and configuration utility

Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.

Impact:
On a device that does not have PEM licensed:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
    app-service none
    defaults-from radiusLB
}

However, viewing the profile in the configuration utility Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware
Settings field Custom checkbox
Persist Attribute disabled
Subscriber Discovery enabled
Client Spec disabled
Protocol Profile(_sys_radius_proto_imsi) enabled

On a device which does not PEM licensed, the Protocol profile should be set to None but shows as enabled.

---

617324-2 : Service health calculation creates unjustified CPU utilization

Component: Anomaly Detection Services

Symptoms:
When ASM provisioned service health is calculated and published to all VSs with security profile, even if stress-based detection is not configured

Conditions:
AFM provisioned and configured hundreds of VSs with security profile

Impact:
High CPU utilization

Workaround:
No

---

617161-1 : Cosmetic: duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers.

Component: TMOS

Symptoms:
There is a cosmetic issue that results in duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers (in Local Traffic :: Virtual Servers : Virtual Server List :: Virtual_Server_name).

Conditions:
1) Go to Local Traffic :: Virtual Servers : Virtual Server List : Virtual_Server_name : Resources : Manage iRules.
2) Move any two available iRules (created in Common partition) left to the 'Enabled' column.
3) Select the bottom iRule from the 'Enabled' column and click the 'Up' button.
4) Add an additional iRule (created in Common partition) to the 'Enabled' column.

Impact:
Instead of showing all iRules under one partition name (Common), the system is duplicating the partition name.

Workaround:
None. This is cosmetic.

---

616021-1 : Name Validation missing for some GTM objects

Solution Article: K93089152

Component: Performance

Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.

The following GTM objects are susceptible to this control character issue:

gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool

Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.

Reproduction example:

create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only

Impact:
Causes the config to fail to load.

Workaround:
Remove control characters prior to creating GTM objects.

---

614648-1 : Unable to upload software image larger than 2GB using the GUI

Component: TMOS

Symptoms:
If you attempt to upload a software image at the System :: Software Management : Image List :: New Image screen, the following results may be observed:
-- The Progress bar in the GUI never moves from 0%.
-- A temporary file is created under /shared/images with a name in the form of: upload_###################.dat.
-- The temporary file is never renamed to the correct image file name (as uploaded).

Conditions:
This may occur when the size of the software image to be uploaded is larger than 2 GB in size.

Note: The BIG-IP v14.1.0 Upgrade ISO is 2.1 GB in size. Other BIG-IP v13.x and v14.x Recovery ISOs may also be larger than 2 GB in size.

Impact:
Unable to upload software image via the GUI.

Workaround:
1. Use another method, such as SCP, to copy the BIG-IP software image to the target BIG-IP system.
2. After sufficient time has elapsed to allow the software image upload to complete, manually rename the temporary file under /shared/images to the final file name.

Note: It is highly recommended to verify the md5sum of the temporary file to confirm that upload is complete, and that the temporary file is an accurate copy of the original software image uploaded.

---

614493-1 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.

Component: TMOS

Symptoms:
Reset sent by BIG-IP system on ePVA accelerated active flows might contain stale sequence number and ACK number, which might be out of the receiver's valid RST window.

Conditions:
For example, server side pool member down events lead to BIG-IP reset of all client flows on the pool member. If these flows are actively offloaded in ePVA with heavy traffic at the time of pool member down and reset sending out time, the SEQ/ACK number for the sending RST by BIG-IP SW might not be recent, and therefore a RST with most SW aware SEQ/ACK will be encoded.

Impact:
These RST might be ignored by the receiver if it is out of the valid window. The receiver must rely on the idle or alive timeout to clean this up. Although the receiver must rely on its TCP alive or idle timeout to activate in order to clean up these connections, this is the standard TCP stack behavior.

Workaround:
None.

---

614410-3 : Unexpected handling of TCP timestamps in HA configuration

Component: Local Traffic Manager

Symptoms:
Despite TCP timestamps being configured, the BIG-IP system fails to present timestamp option during TCP negotiation.

The BIG-IP system calculates invalid round trip time, which might result in delayed retransmission.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- Virtual server configured with connection mirroring.

Impact:
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
None.

---

614364-1 : Linux client NA components cannot be installed neither using sudo password nor root password

Component: Access Policy Manager

Symptoms:
Linux client Network Access components cannot be installed neither using sudo password nor root password on firefox browser. Issue occurs because version reported is incorrect and post installation version on the machine still doesn't match with version reported by the server.

Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions

Impact:
Installation and update of web browser plugin for network access fails

---

614072-1 : Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.

Component: Access Policy Manager

Symptoms:
All SWG session maps to SNAT pool IP and many requests will get stuck.

Conditions:
SWG virtual with Source Address Translation to SNAT pool, create session and send traffic for expired session

Impact:
Request will get stuck in ACCESS filter and browser will keep looping..

Workaround:
Change source address translation to AUTOMAP instead of SNAT Pool.

---

613844 : iApp may fail to install if AFM is provisioned

Component: Advanced Firewall Manager

Symptoms:
When you try to deploy the f5.microsoft_sharepoint_2016.v1.0.0rc1 iApp from the GUI, the install may fail when AFM is provisioned. A similar error occurs when deploying f5.http iApp. The failure to deploy might not be related to a specific iApp.

Conditions:
-- AFM provisioned.
-- Using the GUI to deploy the iApp, f5.microsoft_sharepoint_2016.v1.0.0rc1, f5.http, and others.

Impact:
Deployment fails.

Workaround:
None.

---

613542-2 : tmm core while running the iRule STATS:: command

Solution Article: K81463390

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED

---

613483-2 : Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.

Solution Article: K18133264

Component: Local Traffic Manager

Symptoms:
For PKCS#1, the SHA256 header should be:
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20.

However, there might also be this alternate header:
30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20,

Some implementation use the alternate. According to PKCS#1, the first one is used when producing signature, but both should be accepted when verifying signatures.

In BIG-IP, SSL uses the 1st header: 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20, whereas crypto uses the 2nd header format for some cert verification: 30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20, which causes the inconsistent and signature verification fail.

Conditions:
For some particular certificates, crypto uses alternative SHA prefix for verification.

Impact:
SSL handshake fails because of certificate verification failure.

Workaround:
None.

---

612758-1 : Exception within function F5_Inflate_innerHTML.

Solution Article: K46453748

Component: Access Policy Manager

Symptoms:
Using the Mozilla FireFox browser might cause portal access to keep reloading.

Conditions:
Web-application contains object created by application code with following properties:
o = {tagName: true, setAttribute: true}

o.innerHTML = "any_value";

Impact:
Web-application does not work as expected.

Workaround:
Use the following iRule (customization required for /PATTERN_PATH):

# Updated workaround for SR 1-2326181581

when REWRITE_REQUEST_DONE {
  if { [HTTP::path] contains "/PATTERN_PATH" } {

    # log "URI=([HTTP::path])"
    # Found the file we wanted to modify

    REWRITE::post_process 1
  }
}

when REWRITE_RESPONSE_DONE {
  set strt [string first {<script>} [REWRITE::payload]]

  if {$strt > 0} {
    REWRITE::payload replace $strt 0 {
      <script>
        if (typeof F5_Inflate_index !== 'undefined' && typeof F5_old_Inflate_index === 'undefined') {
          var F5_old_Inflate_index = F5_Inflate_index;
          F5_Inflate_index = function(o, s, incr, v) {
            if (typeof v !== 'boolean') return F5_old_Inflate_index (o,s,incr,v);
            return (o[s] = incr ? o[s] + v : v)
          }
        }
      </script>
    }
  }
}

---

612584-1 : Server side blocking/asm cookie setting may not work under some circumstances

Solution Article: K34500121

Component: Application Security Manager

Symptoms:
ASM Cookies are not set, blocking doesn't happen due to server side violation (such as HTTP status or attack signature in response), or data guard masking/blocking doesn't happen.

Conditions:
CSRF or web scraping is configured.

Impact:
False negative - missing blocking.
False positives due to possible missing cookies.

Workaround:
Add the following iRule to the web server:

when HTTP_REQUEST {
  if { [HTTP::uri] contains "TSbd"} {
    HTTP::header remove "Connection"
    HTTP::header insert "connection" "close"
  }
}

---

612143-2 : Potential tmm core when two connections add the same persistence record simultaneously.

Component: Service Provider

Symptoms:
If two messages processed on different connections with the same persistence key add a persistence record at the same time, one add operation is returned a non-fatal error, stating the 'a' record exists. The error might cause the message to be sent to both the destination and the originator, which fails.

Conditions:
Two messages processed on different connections with the same persistence key add a persistence record at the same time.

Impact:
A potential core occurs. The error might cause the message to be sent to both the destination and the originator, which fails. Traffic disrupted while tmm restarts.

Workaround:
None.

---

612086-3 : Virtual server CPU stats can be above 100%

Solution Article: K32857340

Component: TMOS

Symptoms:
The CPU usage is reported as above 100%.

Conditions:
It is not known exactly what triggers this.

Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.

Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.

---

612083 : Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.

Component: TMOS

Symptoms:
One or more of the following messages appear in the system event log:

CPU0 HW Correctable Error
CPU 0 Corrected Error: Port 1a PCIe* logical port has detected an error.
CPU 0 PCI/DMI Error B:D:F 0x8: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x8: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: multiple_correctable_error_received
CPU 0 Corrected Error: DMI Error Status
CPU 0 PCI/DMI Error B:D:F 0x0: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x0: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: multiple_correctable_error_received

Conditions:
The error messages may appear following an AC power cycle of the BIG-IP i-Series platforms: i2000, i2800 and i4000.

Impact:
The system detected an error on an internal bus and was able to correct it. There is no data loss or functional impact.

Workaround:
There is no mitigation or workaround for this.

---

611652-3 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.

Component: Local Traffic Manager

Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.

The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]

Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].

Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.

Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].

---

611485-1 : APM AAA RADIUS server address cannot be a multicast IPv6 address.★

Component: Access Policy Manager

Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation will prevent using a multicast address for AAA radius IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.

Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.

Impact:
Support for AAA RADIUS direct IPV6 is added in BIG-IP version 13.0.0. And the new validation affects only IPv6 multicast address. So any working IPv4 configuration will not be affected by this validation.

Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS, ensure you are using unicast addresses.

---

611327-1 : Using an established app tunnel may display a Java exception error message.

Solution Article: K35559723

Component: Access Policy Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

When users attempt to use the established access session app tunnel, their Mac OS X device displays a Java exception error message similar to the following example:

An uncaught exception was raised. Choose "Continue" to continue running in an inconsistent state. Choose "Crash" to halt the application and file a bug with Crash Reporter. Choosing "Crash" will result in the loss of all unsaved data.

When the user selects Continue, the exception error message is immediately displayed again (loop).

When the user selects Crash, the established app tunnel is terminated.

Though the Java exception error message is displayed, the app tunnel functions as expected.

Conditions:
This issue occurs when all of the following conditions are met:

-- The local user device is running Mac OS X 10.12 (Sierra).
-- The BIG-IP APM system is configured with an app tunnel that is Java Tunnel-enabled.
-- The user established an access session using the Safari 10 web browser.
-- The user launches an app tunnel session.
-- The user attempts to use the established app tunnel.

Impact:
Cannot use Safari 10 web browser for an app tunnel that is Java Tunnel-enabled.

Workaround:
To work around this issue, you can use an alternate browser, or Apple Safari browser, or ignore the system generated error message while using the app tunnel.

---

611054-1 : Network failover "enable" setting is sometimes ignored on chassis systems

Component: TMOS

Symptoms:
The failover device group network-failover attribute has no effect on chassis systems. The high availability subsystem will continue to send network failover packets, and continue to operate normally, even if this is set to "disable".

Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.

Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.

Workaround:
Enable network-failover in the sync-failover device-group.

---

610682-2 : LTM Policy action to reset connection only works for requests

Component: Local Traffic Manager

Symptoms:
The LTM Policy forwarding action 'reset', which forcibly terminates the client connection, works for requests, but gives an error when used with a response event.

Conditions:
Issue occurs in an LTM Policy rule where one or more of the conditions is associated with HTTP response, for example, checking the HTTP status code in the response from a backend server.

Impact:
LTM Policy action does not work. System posts error message similar to the following: transaction failed:010716e2:3: Policy '/Common/Drafts/mypolicy', rule 'rule-1'; an action precedes its conditions.

Workaround:
None.

---

610436-3 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.

Solution Article: K13222132

Component: Access Policy Manager

Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM configuration uses a network access profile.
-- The user device is running Windows 10 and is connected to two networks through two network interfaces.
-- The Windows user has installed the BIG-IP Edge Client that includes the DNS Relay Proxy Service.
-- Prior to establishing an access session, the lower index network interface of the Windows device is disconnected.
-- The Windows user establishes an access session using BIG-IP Edge Client.
-- The Windows device's lower index network interface is reconnected.
-- The Windows user attempts a DNS resolution.

Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.

Workaround:
To work around this issue, add the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient with DWORD EnableMultiHomedRouteConflicts set to 0.

This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.

Important: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.

For step-by-step instructions for adding this registry key, see K13222132: The DNS Relay Proxy Service may fail to resolve DNS requests :: https://support.f5.com/csp/article/K13222132.

---

610077-2 : Access Policy Manager CRL cache is locked out for CRLDP authentication

Component: Access Policy Manager

Symptoms:
A page protected by an Access Policy cannot be displayed after submitting credentials.

Internally, on the BIG-IP device, apmd CPU utilization becomes very high.

Conditions:
1. Access policy uses CRLDP authentication.
2. Cached CRL file(s) are expired.

Impact:
Unable to log on due to CRL cache lockout.

Workaround:
None.

---

609609-1 : TMM crash, Invalid action

Component: Local Traffic Manager

Symptoms:
TMM crashes and restarts. Before the crash, you may see this signature in /var/log/ltm: tmm1[21502]: 011f0007:3: http_process_state_prepend - Invalid action:0x109040.

Conditions:
This intermittent issue may be seen if you have an iRule that performs HTTP::disable, and there are network issues between the BIG-IP system and the pool members.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

609200-2 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★

Component: TMOS

Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.

Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt install a hotfix to the installation target.

Impact:
Cannot install hotfix.

Workaround:
Delete the target location, and perform the hotfix installation again.

Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.

---

609186-5 : TMM or MCP might core while getting connections via iControl.

Component: TMOS

Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.

Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.

Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.

Workaround:
None.

---

609043-1 : When BIG-IP processes SAML Single logout request/response, tmm cores intermittently.

Component: Access Policy Manager

Symptoms:
The tmm process crashes.

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- BIG-IP processes SAML Single Logout Request/Response

Impact:
Traffic disrupted while tmm restarts. All APM end users must log back in.

Workaround:
None.

---

608511-2 : Message router profile is not inheriting the traffic-group from the parent folder

Solution Article: K22141268

Component: TMOS

Symptoms:
The standby system sends gratuitous ARPs on the standby system for virtual servers configured with message router.

Conditions:
This symptom may occur if:
-- The message router profile traffic-group is set to default (inherit from folder).
-- The message router profile folder is also set to inherit from parent folder.
-- A configuration change is made to the virtual server on the non-active unit.

Impact:
Traffic is routed to the standby system instead of the active one, causing connections to stall/fail until the neighbor table is updated.

Workaround:
Set traffic-group on the message router profile.

---

608453-1 : Shrink/Expand imgs of Webtop Section is customizable

Component: Access Policy Manager

Symptoms:
Changing images for Shrink/Expand of Webtop Section in Webtop Customization does not actually change images on client; users see default images instead

Conditions:
This is encountered when using Webtop Customization.

Impact:
The default image is displayed instead of the customized image.

Workaround:
None.

---

607684 : tmsh provides option to delete all URLs from a custom category, which is not possible

Component: Access Policy Manager

Symptoms:
tmsh provides a command option for admin to delete all URLs from a custom category. However, this is not a valid option, and an error will be displayed. The system presents the following error:
Configuration error: Cannot delete url (http://www.example.com*). This occurs because because url-category (/Common/ex) is a custom category. A custom category must have at least one URL.

Conditions:
Running the following command:
tmsh modify sys url-db url-category pattern urls delete { all }

Impact:
No URLs are deleted. Each URL must be deleted individually.

Workaround:
Delete URLs individually.

---

607166-1 : Hidden directories and files are not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.

Existing hidden files that are edited on the primary blade are not synced to secondaries.

Conditions:
Multi-bladed system.

Impact:
The most common uses of hidden files are per-user shell configuration and history.

Workaround:
Manually copy configuration files onto other blades.

---

606799-1 : GUI total number of records not correctly initialized with search string on several pages.

Solution Article: K16703796

Component: TMOS

Symptoms:
GUI total number of records not correctly initialized with search string on several pages.

Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.

Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.

Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.

---

606330-5 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.

Component: TMOS

Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.

Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.

Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.

Workaround:
Clear the BGP neighbor after changing the configuration.

---

606032 : Network Failover-based high availability (HA) in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.

Impact:
Configuration of high availability (HA) in AWS cannot be completed.

Workaround:
The current workaround is to configure high availability (HA) in AWS with at least 2 network interfaces.

---

605891-1 : Enable ASM option disappears from L7 policy actions

Component: TMOS

Symptoms:
ASM cannot be enabled if 'Application Security Manager' is used in the license string instead of 'ASM'.

Conditions:
'Application Security Manager' is used in the license string instead of 'ASM'.

Impact:
The ASM module cannot be enabled using the GUI under certain licenses where ASM is licensed.

Workaround:
Enable ASM using tmsh instead of the GUI.

---

605840-5 : HSB receive failure lockup due to unreceived loopback packets

Component: TMOS

Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***

Conditions:
Unknown.

Impact:
The unit is rebooted.

Workaround:
None.

---

605800-3 : Web GUI submits changes to multiple pool members as separate transactions

Component: TMOS

Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.

Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.

Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.

Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.

---

605414-1 : Mysqld and bcm56xxd seem to run at 100% on vCMP host.

Solution Article: K23230852

Component: Application Visibility and Reporting

Symptoms:
Mysqld and bcm56xxd seem to run at 100% on vCMP host.

Conditions:
When the hypervisor collects statistical data from itself and all hosted guests, too many system resources are used, leading to constant updates of data to mysql.

Impact:
This results in the hypervisor not functioning properly.

Workaround:
Execute the following command:
bigstart stop monpd.

Impact of this workaround: Although no statistical data will be collected, the hypervisor will perform all other functions.

---

605175 : Backslashes in monitor send and receive strings

Component: Local Traffic Manager

Symptoms:
After creating a monitor using the GUI containing a recv parameter with a backslash such as '\* OK', loading the configuration generates a validation error:

01070753:3: Monitor /Common/test recv parameter contains an invalid regular expression (Invalid preceding regular expression).
Unexpected Error: Loading configuration process failed.

Attempting to configure the same monitor via tmsh throws the validation error before creating the monitor, but the GUI allows the single backslash. Two backslashes are required in this case.

Conditions:
Using the GUI to configure a monitor, whose receive string needs to look for a backslash, and only a single backslash is entered in the GUI.

Impact:
Configuration fails to load after it is successfully created via the GUI. The GUI accepts this when it should throw a validation error: two backslashes are required.

Workaround:
When configuring the monitor via the GUI, use two backslashes instead of one.

---

605018-2 : Citrix StoreFront integration mode with pass through authentication fails for browser access

Solution Article: K47516511

Component: Access Policy Manager

Symptoms:
Citrix StoreFront integration mode with pass through authentication fails for browser access. After providing the credentials, browser access continuously asks for 'Can not complete the request', press 'OK'.

Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- External access virtual server IP is used in Citrix gateway configuration 'Subnet IP address' column.
- (Request Header Insert) :: [X-Citrix-Via-Vip:10.10.10.10], 10.10.10.10 is the virtual server IP address. Request Header Insert is configured on the HTTP profile of the same virtual server.

Impact:
No browser access to StoreFront.

Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can workaround this issue by stripping multiple headers of type x-citrix-via-vip.
Make 10.10.10.10 the corresponding External access virtual IP address.

when HTTP_REQUEST {
   if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}

---

604050 : Failed to get master key (ERR_NOT_FOUND) in apm log on first boot

Component: Access Policy Manager

Symptoms:
After booting a new platform for the first time, you may see the following log entry in /var/log/apm:
err tmm1[17340]: 01490563:3: (null):Common:00000000: Access stats encountered error: Failed to get master key (ERR_NOT_FOUND)

Conditions:
Viewing /var/log/ltm after first boot

Impact:
This is a residual log entry and is benign and can be safely ignored

---

603772-1 : Floating tunnels with names more than 15 characters may cause issues during config-sync.

Component: TMOS

Symptoms:
Floating tunnels with names more than 15 characters may cause issues in config-sync, because such a long name is truncated when creating a corresponding Linux tunnel interface.

Conditions:
The BIG-IP system consists of both floating and non-floating tunnels and their names are longer than 15 characters.

Impact:
When the config-sync happens, the following error may occur:

Caught configuration exception (0), Cannot create tunnel 'g123456789abc~1' in rd0 - ioctl failed: File exists.

Workaround:
Some workarounds are available:

- Make sure that tunnel names are less than 16 characters; or

- Make sure that the names of floating and non-floating tunnels do not share a common prefix in the first 15 characters; or

- Make sure that the BIG-IP system does not have a mixture of floating and non-floating tunnels.

---

603693-5 : Brace matching in switch statement of iRules can fail if literal strings use braces

Solution Article: K52239932

Component: TMOS

Symptoms:
In the TMUI on any iRule editing page, brace matching within a switch statement can fail if a literal string is surrounded with braces.

Conditions:
Use a literal string surrounded with curly braces for a case/pattern within a switch statement.

Impact:
Incorrect brace matching.

Workaround:
Instead of surrounding the literal string with braces, use double quotes.

---

603690-2 : CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.

Solution Article: K82210057

Component: Local Traffic Manager

Symptoms:
CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.

Conditions:
APM Edge Client over VPN tunnel. The issue tends to occur when CPR Saver is configured on the Edge Client on devices where hardware compression cannot perform the specific type of compression/decompression being requested.

Impact:
Edge Client shows the VPN tunnel as 'Connected' but no traffic flow. This is an intermittent issue.

Workaround:
You can use either of the following workarounds:

-- Enable CPU Saver in the secure connectivity profile.
  + To do so in the GUI:
    1. Navigate to GUI: Access Policy :: Secure Connectivity :: profile_name :: Compression Settings :: Network Access.
    2. Check the CPU Saver checkbox.

  + To do so in tmsh, run the following command:
tmsh modify apm profile connectivity dummy compress-cpu-saver true

-- Configure compression strategy to 'speed' (from 'latency'). To do so, run the following command:
tmsh modify sys db compression.strategy value "speed".

---

603380-6 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.

Impact:
You will see messages similar to the following in /var/log/ltm.

   err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort

Workaround:
None.

---

603093 : AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system

Component: TMOS

Symptoms:
The BIG-IP i-Series platform (i2600, i2800, i4600, i4800) 250W AC power supply PWR-0334-01 and PWR-0334-02 will show differences in their LED behavior when hot swap or hot plug or whenever power is removed from the supply. This includes redundant systems and systems with a single supply.

Conditions:
PWR-0334-01
When the input ramps below 80Vac, the input LED Green Blinking, output LED Amber Blinking.
When the input ramps below 72VAC, the input LED OFF, output LED Amber Blinking.
If the AC cord is removed with 1 or 2 supplies in the system the input LED OFF, output OFF.

PWR-0334-02
When the input ramps below 75VAC + 1VAC, the input LED Green Blinking, output LED Amber Blinking
When the input ramps below 70VAC + 1VAC, the input LED OFF, output LED OFF immediately

Impact:
LED behavior may be inconsistent between revisions of power supply on early platform shipments with PWR-0334-02

Workaround:
N/A

---

603092-5 : "displayservicenames" does not apply to show ltm pool members

Component: TMOS

Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.

Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.

Impact:
The the IP address but not the service name is displayed.

---

602390-2 : Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Solution Article: K87506901

Component: TMOS

Symptoms:
Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Conditions:
Customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Impact:
Can use only English language characters to customize these fields.

Workaround:
None.

---

602193-4 : iControl REST calls fail when payload contains non-UTF8 data

Component: TMOS

Symptoms:
While using the iControl REST API, calls to the BIG-IP, which result in non-UTF8 data being returned by the BIG-IP, will fail. This data can be intentional (for example, in a TLS certificate) or accidental (like an EEPROM-sourced component name experiencing bit corruption).

Conditions:
BIG-IP attempts to respond to iControl REST API query with data containing non-UTF8 characters.

Impact:
iControl REST API call will fail.

Workaround:
If the data intentionally has non-UTF8 characters, remove or change them to UTF8-compliant characters only. If the data unintentionally contains non-UTF8 characters, determine if a component should be replaced due to name bit corruption.

In some cases, a workaround script can be constructed using the "iconv" utility.

---

601414-1 : Combined use of session and table irule commands can result in intermittent session lookup failures

Component: TMOS

Symptoms:
[session lookup] commands do not return the expected result.

Conditions:
An iRule which combines use of [table] and [session lookup] commands.

Impact:
Intermittent session functionality.

Workaround:
If possible, use table commands in lieu of session commands.

---

600985-4 : Network access tunnel data stalls

Component: Access Policy Manager

Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.

Conditions:
The cause of this issue is not yet known.

Impact:
Data stalls on the tunnel and hence wont be able to access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.

Workaround:
Manually re-establish the tunnel.

---

600872-1 : Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.

Component: Access Policy Manager

Symptoms:
APM end user sessions start successfully, but end within a few minutes and they are forced to logon again.

The default timeout is 900 seconds.

Conditions:
- An HTTP/2-capable browser is in use on a Microsoft Windows platform.
- APM and HTTP/2 are enabled on the same virtual server.

Impact:
APM sessions time out at the configured inactivity timeout (default is 900 seconds) regardless of activity, and APM end users must restart their sessions.

Workaround:
Remove HTTP/2 profile from the affected virtual server.

---

600634-2 : Schedule-reports can break the upgrade process★

Component: Application Visibility and Reporting

Symptoms:
A scheduled report (of predefined type) that is created using the GUI might result in a validation error on upgrade, which might cause the upgrade process to fail. You may see this error in /var/log/ltm:

Syntax Error:(/config/bigip.conf at line: 86) "predefined-report-name" may not be specified with "multi-leveled-report.time-diff".

Conditions:
Creating predefined-scheduled-report from the GUI.

Impact:
Upgrade process can fail.

Workaround:
If the config load fails, you can get the configuration to load by manually removing the scheduled reports.

Impact of mitigation: This removes scheduled reports from the configuration.

1. Edit bigip.conf.
2. Look for analytics objects that have the scheduled-report in the declaration:
analytics application-security scheduled-report /Common/... {

3. Remove the object and the configuration will load.

---

600431-6 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP

Component: Service Provider

Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'

Conditions:
iRule that extracts ip address from a diameter avp.

Impact:
The iRule ends with an error.

Workaround:
Instead of
set data [DIAMETER::avp data get 257 ip4]

use an iRule such as

if { [DIAMETER::avp count 257] > 0 } {
        set data [DIAMETER::avp data get 257]
       binary scan $data S family
        switch $family {
            1 {
                # ipv4 should contains 4 bytes
                set ip [IP::addr parse -ipv4 $data 2]
                log local0. "ip = $ip"
            }
            2 {
                # ipv6 should contains 16 bytes
                set ip [IP::addr parse -ipv6 $data 2]
                log local0. "ip = $ip"
            }
            default {
                log local0.alert "address family $family is not supported"
            }
        }
    }

---

599048-1 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option

Component: Local Traffic Manager

Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.

Conditions:
Use of the OCSP Stapling feature.

Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.

Workaround:
None

---

598908-2 : Passing an empty URI to AAM might cause tmm to core.

Solution Article: K07353428

Component: WebAccelerator

Symptoms:
Passing an empty URI to AAM might cause tmm to core.

Conditions:
This occurs when the following conditions are met:

-- AAM/WAM is provisioned and a virtual server with web acceleration policy is configured.
-- The virtual server has an iRule that strips the URI in the request.
-- IBR is configured in the acceleration policy.

Impact:
When AAM/WAM processes the request, it does not check whether the string is empty, which results in tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Apply an iRule that inspects the URI in the request and inserts forward slash ( / ) when the URI is missing.

---

598650-1 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.

---

598204-3 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Solution Article: K54284420

Component: Local Traffic Manager

Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.

Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.

Workaround:
None.

---

598031-1 : Slow memory growth leading to TMM core

Component: Local Traffic Manager

Symptoms:
Tmm cores when using SSL (client and server) with AVR, DoS, APM, ASM on a virtual server.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Slow memory growth leading to TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.

---

597818-2 : Unable to configure IPsec NAT-T to "force"

Component: TMOS

Symptoms:
When configuring IPsec NAT traversal to "Force", the behavior is as if the setting is "Off".

Conditions:
Configuring IPsec NAT Traversal to Force

Impact:
NAT-T does not work

Workaround:
Configure NAT-T to On instead.

---

597564-3 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items

Component: TMOS

Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user is manually editing the bigip.conf file, and they remove the 'app-service' statement from a virtual server, 'tmsh load sys config' will not fail to load the config, which is incorrect.

Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.

Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:

May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.

Workaround:
Exercise caution when manually editing BIG-IP configuration files.

---

597369-1 : Reopen TCP's receive window based on initial receive window size after a zero window

Component: Local Traffic Manager

Symptoms:
TCP reopens its receive window with 3*MSS bytes after a zero window, which is inefficient when round-trip time (RTT) is high.

Conditions:
- TCP zero window is sent by BIG-IP.
- TCP reopens receive window after enough data is drained from proxy.

Impact:
Reopening receive window slowly on the receive side may impact the throughput performance of the sender on the other side.

Workaround:
None.

---

597253-1 : HTTP::respond Tcl command may incorrectly identify parameters as iFiles

Component: Local Traffic Manager

Symptoms:
The HTTP::respond iRule command may incorrectly identify parameters as an iFile parameter when attaching the iRule to a virtual server.

Conditions:
HTTP::respond command making use of a variable as a header name. For instance:

HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"

Configure a HTTP/TCP virtual server and attach the iRule.

Impact:
1070151:3: Rule [/Common/example_rule] error: Unable to find ifile (header_value_text) referenced at line 3: [HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"]

Workaround:
Ensure the offending header name and value are either both literal strings or variables.

---

596826-5 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".

Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.

For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478

---

596569-3 : Memory leak on Central device in Symmetric deployment

Component: WebAccelerator

Symptoms:
When AAM is provisioned and symmetric configuration is deployed, a central unit will suffer a memory leak.

Conditions:
AAM is provisioned and a symmetric deployment is used.

Impact:
Due to memory leak BIG-IP will run out of memory and won't be able to properly serve new requests.

---

596278 : ILX workspace created by iApp made from template not deleted when iApp deleted

Component: Local Traffic Manager

Symptoms:
Any ILX workspace created by an iApp from a template (and possibly otherwise) remains even after the iApp is deleted.

You can check for them under tmsh's ltm/ilx/workspace, on the file system in /var/ilx/workspaces, or in the GUI at Local Traffic :: iRules : LX Workspace.

Conditions:
This occurs when using iApps which create ILX workspaces.

Impact:
Configuration which was supposed to be deleted stays on the box.

Workaround:
Delete the left over workspace manually.

---

596020-3 : Devices in a device-group may report out-of-sync after one of the devices is rebooted

Component: TMOS

Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.

As a result of this issue, you may encounter the following symptoms:

- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.

Conditions:
This issue occurs when all of the following conditions are met:

- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator, you modify the configuration, triggering the devices to become out of synchronization.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.

Impact:
After the reboot, the devices report out-of-sync.

Note: This issue is purely cosmetic; no configuration is lost as result of this issue.

Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.

Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.

---

595921-1 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Component: Local Traffic Manager

Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.

Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.

Workaround:
Use a Self IP address on the VLAN group.

---

595868-1 : HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.

Component: TMOS

Symptoms:
HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. Tmm cores with the following error message in /var/log/ltm: notice panic: hsb interface 2 DMA lockup on transmitter failure.

Conditions:
It is not known what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

595617-1 : Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.

Solution Article: K40420553

Component: TMOS

Symptoms:
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.

Conditions:
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies ipsec-tunnel-profile. Namely found here:
  -- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
  -- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.

Impact:
A traffic outage on one tunnel when the remote IPsec peer is generally plays the role of Initiator. The remote system, will not attempt to establish a new tunnel because it believes that a valid SA exists.

Workaround:
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, then restarting tmipsecd can be employed, however this will cause all IPsec tunnels to restart.

---

594547 : LTM policy TCP address selector offers only the condition 'match any of'

Component: Local Traffic Manager

Symptoms:
In the GUI, you can create a condition on a TCP address where a list of specified addresses are considered for a match. But the negated condition (i.e., 'do not match any of') is not available.

Conditions:
Using the GUI, attempt to create an LTM policy condition that checks for addresses that do not match the specified list.

Impact:
Cannot use the GUI to specify conditions in a policy where the TCP address does-not-match a list of specified addresses.

Workaround:
Use tmsh to create or modify a policy to negate a condition on TCP addresses, for example, in tmsh construct a command similar to the following:

modify ltm policy my_policy rules modify { my_rule { conditions replace-all-with { 0 { tcp address not matches values { 10.10.4.0/0 } } } } }

---

594228-2 : Resetting mgmt interface statistics doesn't work on VE or VCMP

Component: TMOS

Symptoms:
$ tmsh reset-stats net interface mgmt
Doesn't reset mgmt interface statistics.

Conditions:
Only on VE or VCMP

Impact:
You cannot reset the management interface statistics, but this has no impact elsewhere in the system.

---

593845-3 : VE interface limit

Solution Article: K24093205

Component: TMOS

Symptoms:
TMM fails to bootup successfully.

Conditions:
More than 10 interfaces assigned to Virtual Edition (VE).

Impact:
BIG-IP fails to pass traffic as TMM fails to load successfully.

Workaround:
Make sure VE is assigned 10 or fewer interfaces.

---

593536-10 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Solution Article: K64445052

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.

---

593396-1 : Stateless virtual servers may not work correctly with route pools or ECMP routes

Component: Local Traffic Manager

Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.

Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.

Impact:
Traffic might be dropped.

Workaround:
Use other virtual server types to process this traffic.

---

593361-1 : The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.

Component: TMOS

Symptoms:
The target platform implementation need to be ensure that it is update to date with draft and additionally tested with other open sources and commercial implementations to deem stable. If not a stable and production version as in case below, sender packets can be with a dummy MAC which is not recognized by BIG-IP.

Conditions:
Target platforms which may be unstable and untested in VXLAN-GPE.

Impact:
BIG-IP drop packets since it does not recognize inner pkt MAC.

Workaround:
Ensure target platform is stable, tested and production version wrt VXLAN-GPE and NSH.

---

592819-2 : Enabling of whitelists on a protected object requires disabling DoS protection support in hardware

Component: Advanced Firewall Manager

Symptoms:
On certain platforms, DDoS protection support in hardware prevents configuration of a whitelist for a protected object.

Conditions:
-- Configuration of a whitelist on a protected object.
-- Hardware acceleration is configured on 5xxx/7xxx/10xxx/12xxx appliances, and all blades other than B2250/B4450.

Impact:
Cannot configure whitelist on a protected object.

Workaround:
Disable hardware support for DDoS protection from the command line using the following command:

modify sys db dos.forceswdos value true.

Note: Disabling DDoS hardware support might impact the performance of the device because then, all DDoS protection mechanisms are managed in software.

---

592620-1 : iRule validation does not catch incorrect 'after' syntax

Component: Local Traffic Manager

Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.

Conditions:
iRule with incorrect 'after' syntax. For example "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen)

Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.

Workaround:
Correct the syntax error.

---

592591-2 : Deleting/Modifying access profile prompts for apply access policy for other untouched access profiles

Component: Access Policy Manager

Symptoms:
After deleting/modifying an access profile, the 'Apply Access Policy' link appears, and the status flags for other, untouched access profiles turn yellow. Also, there are APM log messages indicating that the configurations for those untouched access profile have been changed.

Conditions:
1. On Admin UI, make a copy of an access policy that contains macros.
3. Delete or modify the copied version of the access policy.

Impact:
The system posts the 'Apply Access Policy' link, and the status flag for the copy becomes yellow.

Note: There is no change to the access profiles that are affected by the deletion or modification. You can click 'Apply Access Policy' to make the link disappear.

Workaround:
None.

---

592211-1 : Stress CPU on BIG-IP will also take into the packets dropped by hardware.

Component: Advanced Firewall Manager

Symptoms:
Rate limit is directly proportional to CPU stress seen by the BIG-IP system. DoS will rate-limit traffic in hardware (HW) when the BIG-IP system is under stress (CPU is high), then if packets are dropped by HW and CPU of the system will come down and hence DOS will stop rate-limiting. SO this kind of behavior could result in toggling of DOS rate-limit state.

Conditions:
-- DoS in HW starts rate-limit in HW.
-- DoS has autodos enabled.

Impact:
The BIG-IP system may see that one second, DoS is rate-limiting packets and next second, it is allowing packets, and then next second it starts rate-limiting again, and so on. So there will be toggling of DoS vector mitigation state.

Workaround:
The workaround is to disable autodosd for that vector.

---

591505-1 : Policy may become unsyncable after changing contexts

Component: Advanced Firewall Manager

Symptoms:
This is a known issue due to internal framework in MCPD which marks configurable objects as either synced and non-synced. If the user applies the policy to a non-syncing context (non-floating self-IP), then that policy won't be synced across HA devices anymore.

Conditions:
A config with standalone firewall policy applied to synced and non synced context.

Impact:
A policy that is assigned to otherwise non-syncing context, e.g. non-floating self-IP, the attached policy will no longer be synced even if attached to a syncing object later.

Workaround:
Create a "local" policy for non-floating self-IP only.

---

591305-4 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install, it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.

---

591113-2 : CSRF injection leading to blank page

Solution Article: K45901635

Component: Application Security Manager

Symptoms:
When CSRF JS is injected, a blank page is seen.

Conditions:
-- When CSRF JS is injected.
-- This page has has lots of IFrames with the query parameters.

Impact:
Viewing the site causes some pages to show up blank.

Workaround:
Bypass or disable ASM for the following URL: /apps/consumer/ITS/its_Lite/UpperFrame_Lite.jsp.

Can be done using l7policy rules or an irule:

when HTTP_REQUEST {
    ASM::enable
    if { $uri contains "<affected url>" } {
ASM::disable
     }
}

---

591060-1 : APMD high CPU utilization

Component: Access Policy Manager

Symptoms:
APMD is running at unexpectedly high CPU.

Conditions:
This occurs when both of the following conditions are met:
-- The connection between APMD and MCPD is lost due to MCPD restart.
-- APMD keeps reading from the stale socket.

Impact:
-- High CPU utilization.
-- Configuration cannot be pushed to APMD after MCPD restarts.

Workaround:
None.

---

590851-4 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag

Conditions:
Always

Impact:
Extra, unwanted logging for IP addresses flagged as "never log"

Workaround:
N/A

---

590156-3 : Connections to an APM virtual server may be reset and fail on appliance and VE platforms.

Component: Local Traffic Manager

Symptoms:
APM connections failing when mac masquerade is in use and source-port preserve-strict is enabled on the APM virtual server.

Conditions:
The traffic-group has mac-masquerade configured and source-port preserve-strict is in use on the APM virtual server

Impact:
Connections to an APM virtual server may be reset and fail on appliance and VE platforms.

Workaround:
Disable either mac-masquerade or source-port preserve-strict (or both)

---

589856-2 : IControl REST : possible to get duplicate transaction IDs when transactions are created by multiple clients

Component: TMOS

Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction ID, which results in unexpected errors and transaction issues.

Conditions:
-- Two iControl REST clients using the same username.
-- Requests to create transactions, either simultaneously or in quick sequence.

Impact:
Transaction semantics are not followed, and unintended errors may occur.

Workaround:
None.

---

589606-2 : CSRF enabled within iframe request causes to unpredictable behavior on a website.

Component: Application Security Manager

Symptoms:
The csrf script changes the frame/iframe source attribute. When it happens the browser issue a request, as a result for each frame on a page 2 requests are being sent, the first is the original request when the frame is loaded and the second is when the csrf script changes the frame source attribute.

Conditions:
Enable ASM CSRF
Request a page with an iframe or frameset

Impact:
Viewing the site causes some pages to show up blank.

Workaround:
Bypassing or disabling ASM for URL appears to fix the issue.

---

589367-2 : Some Edge Client's German translations are incorrect

Component: Access Policy Manager

Symptoms:
Some Edge Client's German translations are incorrect.

Conditions:
APM end-user's system using German locale.

Impact:
Conversion results in confusing text.

Workaround:
None.

---

588646-1 : Use of Standard access list remarks in imish may causes later entries to fail on add

Component: TMOS

Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.

Conditions:
Create a standard access list with a remark.
Add to the same list another entry to permit or deny a IP/range.

Impact:
The ACL does not load and error is returned.

Workaround:
No not use remarks in standard access lists or use an access list in the extended or named ranges.

---

588626 : Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).

Component: Application Visibility and Reporting

Symptoms:
While configuring an alert for Maximum TPS on an Analytics profile, you get an error: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member)

Conditions:
This occurs when attempting to add an Analytics alert that triggers on Max TPS, and the alert is configured to run against a pool member or an application (the default is Virtual Server, not pool member or application).

Impact:
You cannot configure Max TPS alerts at the pool member level. The GUI appears to allow you to do this, but validation rules will prevent you from adding the alert.

The full list of alerts that cannot be configured at the pool or application level include all rules with the word Maximum in them:

- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput

---

588229-1 : DNS protocol default profiles can be deleted after being modified.

Component: Global Traffic Manager (DNS)

Symptoms:
A protocol default profile can be deleted in some cases.

Conditions:
The protocol default profile is not a parent to any other profile and has been modified.

Impact:
Default protocol profile can be deleted. If a default profile has been deleted, the config might get into an invalid state, and a config reload might be necessary.

Workaround:
Do not attempt to delete a protocol default profile.

---

588028-1 : Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up

Component: TMOS

Symptoms:
If the LCD visible alerts are cleared using the LCD menu while the Host is down, then when the host is brought back up the LCD will re-display any alerts that were generated after the host went down.

Alerts generated after a the Host is down are persistent and when the host comes up it will harvest those alerts and re-display them on the LCD. Alarm LED may be re-initialized to an unexpected state.

Conditions:
Alerts generated while the host is down and alerts are cleared using the LCD menu interface.

Impact:
Alerts are re-displayed on the LCD when the host comes back up. And the alarm LED may indicate an alarm that was thought previously cleared.

Workaround:
Do not clear the alerts from the LCD interface while the host is down.

---

587821-5 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

---

587804-1 : Symmetric Unit Key decrypt failure on base load

Component: TMOS

Symptoms:
On initial boot of VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm:

err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

Conditions:
It is not yet known what the conditions are that trigger this error.

Impact:
This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur.

Workaround:
None. If this error is reported on first boot, but can otherwise be licensed, it can be safely ignored. If this occurred after loading a ucs file, see SOL13132: Backing up and restoring BIG-IP configuration files at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html for more information on this error.

---

586862-1 : Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.

Solution Article: K30859144

Component: Local Traffic Manager

Symptoms:
Tcl expression evaluations (outside of an iRule) can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. A couple of examples where Tcl expressions are evaluated outside the context of an iRule include the tcl-setvar action of LTM Policy and the Request Header Insert feature of the HTTP profile.

Conditions:
Issue has been found on a virtual server with both an attached iRule and LTM Policy. The iRule calls TCP::collect when connection is accepted, and calls TCP::release at the CLIENT_DATA event. The LTM Policy has a single action to set a tcl set-variable expression.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

586660-1 : HTTP/2 and RAM Cache are not compatible.

Component: Local Traffic Manager

Symptoms:
A virtual server fails some requests where the response is served from cache.

Conditions:
This might occur in any of the following circumstances:

1.
-- Virtual server has either SPDY or HTTP/2 enabled
-- Requests that would normally served from RAM cache.

2.
-- HTTP virtual server has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event.
-- Tcl commands attempt to access the response headers.

3.
Certain filters and plugins that require access to the response headers.

Impact:
Errors in certain Tcl commands or failed requests. These correlate to Conditions as follows:

1. If a virtual server has either SPDY or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache.

2. An HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers.

3. Certain filters and plugins that require access to the response headers might also fail in unexpected ways.

Workaround:
Disable CACHE via an iRule:

when HTTP_REQUEST {
if {[HTTP2::active]} {
CACHE::disable
}
}

---

586348-1 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink

Component: TMOS

Symptoms:
The Network Map was not displaying the correct node name and the link was taking you to an incorrect pool member.

Conditions:
Create a pool and pool member from a FQDN node. Add that pool to a virtual server. From the Network Map page the pool member link does not show the FQDN making it hard to tell what pool member it is. When you click on the pool member hyperlink it takes you to the incorrect pool member.

Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.

---

586138-1 : Inconsistent display of route-domain information in administrative partitions.

Solution Article: K84112154

Component: Local Traffic Manager

Symptoms:
When IpAddress is displayed in GUI and TMSH, there exists some inconsistencies on how the route-domain of the address is displayed. This occurs for virtual servers and pool members.

Conditions:
IpAddresses configured for virtual servers and pool members outside the default-route-domain of the administrative partition.

Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.

Workaround:
None.

---

585248-1 : Resetting crypto client statistics can crash TMM and disrupt traffic handling.

Component: Local Traffic Manager

Symptoms:
TMM crashes when the statistics of the crypto client is reset when the External Crypto Offload feature is not licensed and the client configured with an unreachable crypto server. The command to reset the statistics of a crypto client is below:

  tmsh reset-stats sys crypto client [<client name>]

Conditions:
With a crypto client configured to target an invalid or unreachable crypto server and the External Crypto Offload (ECO) feature is not licensed, reset the statics of the crypto client.

Impact:
Traffic is temporarily disrupted while TMM restarts.

Workaround:
Ensure the External Crypto Offload feature is licensed and/or target a valid crypto server when creating the crypto client.

---

584948-5 : Safenet HSM integration failing after it completes.

Component: Local Traffic Manager

Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:

denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.

Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.

The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.

Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.

Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.

For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.

---

584788-1 : Directed failover of HA pair using only hardwire failover will fail

Component: TMOS

Symptoms:
Units configured in a HA pair using only hardwire failover will not be able to use a targeted failover.

Conditions:
HA pair configured without network failover but with a hardwire failover.
Failover is attempted using one of the 2 following methods:

Via GUI
Device Management -> Traffic Groups
  check <traffic group>
    click "force to standby"
      again click "force to standby"


via tmsh
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>

Impact:
Failover may fail with the following logs in /var/log/ltm
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.

Workaround:
Use an alternative failover method:
  - Device Management > Devices > Force to Standby
  - Device Management > Traffic Groups > [traffic Group name] > Force to Standby
  - tmsh run sys failover standby # without device

---

584772 : ssldump may crash when decrypting bad records

Component: Local Traffic Manager

Symptoms:
ssldump crashes while decrypting.

Conditions:
Using ssldump to decrypt SSL which contains bad records.

Impact:
ssldump crashes making it difficult to decrypt SSL data.

---

584716-1 : SAML XML Canonicalization on BIG-IP as IdP may return invalid value if AuthnRequest is formed in a special way

Component: Access Policy Manager

Symptoms:
Signature validation fails on BIG-IP as IDP when AuthnRequest from external SP is signed, and contains a newline/linefeed character after '</Signature>' element

Conditions:
- BIG-IP is used as IdP
- External SP signs AuthnRequests
- Signed AuthnRequest contains newline/linefeed character after '</Signature>' element

Impact:
WebSSO will fail

Workaround:
n/a

---

584504-2 : Allowing non-English characters on login screen

Solution Article: K36912228

Component: TMOS

Symptoms:
Passwords can contain non-English characters but it fails when logging in.

Conditions:
Passwords contain non-English characters.

Impact:
Users entering these characters on the login screen are unable to log in.

Workaround:
Make sure passwords contain only English characters.

---

584414 : Deleting persistence-records via tmsh may result in persistence being created to different nodes

Component: Local Traffic Manager

Symptoms:
After deleting the persistence records, a connection may use persistent records to two different nodes breaking persistence.

Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).

Impact:
Client fails to persist to a particular node.

Workaround:
Avoid removing persistence records from tmsh or use iRules to remove persistence records.

---

583777-5 : [TMSH] sys crypto cert missing tab completion function

Solution Article: K33230520

Component: TMOS

Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the certificate name that you want to operate.

Conditions:
This occurs in tmsh:

root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.

Impact:
Not possible to select a certificate using tab complete.

Workaround:
Manually type the certificate name.

---

583101-2 : ADAPT::result bypass after continue causes bad state transition

Component: Service Provider

Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.

Conditions:
iRules exist on a VS with an adapt profile, containing:

when ADAPT_REQUEST_RESULT {
    ADAPT::result bypass
}

or

when ADAPT_RESPONSE_RESULT {
    ADAPT::result bypass
}

Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.

Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).

---

583084-5 : iControl produces 404 error while creating records successfully

Solution Article: K15101680

Component: TMOS

Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.

Conditions:
Creating GTM topology record without using full path via iControl.

Impact:
Resulting code/information is not compatible with actual result.

For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.

Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.

---

582606-1 : IPv6 downloads stall when NA IPv4&IPv6 is used.

Component: Access Policy Manager

Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.

Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource

Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.

Workaround:
It is possible that disabling large receive offload will work as a mitigation. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable.

---

582595-2 : default-node-monitor is reset to none for HA configuration.

Solution Article: K52029952

Component: TMOS

Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.

Conditions:
Scenario #1
Upgrading HA active/standby configuration, and reboot standby.
Where configuration consists of the following:
  * ltm node with a monitor.
  * ltm default-node-monitor with a different monitor.

Scenario #2
Given a HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.

Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.

Workaround:
Reconfigure a default-node-monitor.

---

582440-4 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.

Conditions:
Ubuntu 15.10, network access tunnel connect and then disconnect

Impact:
User will not be able to reach internet after disconnecting from network access.

Workaround:
If Wifi is in use then turn off and on again.
If Ethernet is used then unplugging and plugging cable again should solve the problem.

---

582331-1 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.

---

582234-6 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config

---

582127-1 : VE OVA logrotate max-file-size too big for /var/log partition size

Solution Article: K55138704

Component: TMOS

Symptoms:
Virtual Edition (VE) OVA logrotate max-file-size is too big for the /var/log partition size.

Conditions:
This occurs on 11.5.0 and later, where the partition size was reduced from 6 GB to 500 MB, to better manage disk space.

This can also happen on Micro instance on a fixed version

Impact:
The BIG-IP VE system runs out of disk space due to increased logging. In this instance, logrotate should run and potentially free up space by rotating and compressing the actively written logs. With the current setting for max-file-size, however, that cannot happen, thus leading to increased likelihood of running out of space in /var/log.

Workaround:
You can extend the disk space for logs by performing the following procedure. (From K14952: Extending disk space on BIG-IP Virtual Edition, available here: https://support.f5.com/csp/article/K14952#proc3.)

Impact of procedure: You need to shut down the BIG-IP VE system during the disk provisioning steps, and the system will not be available for traffic processing. You should perform this procedure during a suitable maintenance window. Increasing the disk size on the VE system is irreversible, since F5 does not support disk shrinking.

1. Log in to the command line on the BIG-IP VE system.

2. Shut down the system by typing the following command:
shutdown -h now

3. Provision the desired disk space for the VE system on the hypervisor. For information about disk provisioning on the hypervisor, refer to the documentation from your hypervisor vendor.

4. Start up the BIG-IP VE guest instance on your hypervisor. For information about starting a guest instance on the hypervisor, refer to the documentation from your hypervisor vendor.

5. When the BIG-IP VE system is up, log in to the command line on the VE system.

6. Extend the /var/log directory by using the following command syntax:
tmsh modify /sys disk directory /var/log new-size <desired value in KB>.

--For example you would type the following command to extend the /var/log directory to 10 GB:
tmsh modify /sys disk directory /var/log new-size 10485760.

7. Save the configuration by typing the following command:
tmsh save /sys config.

8. Reboot the VE system by typing the following command:
reboot.

9. When the BIG-IP VE system is up, log in to the command line on the VE system.

10. Verify that the /var/log directory is successfully extended to the size you have specified in step 6 by typing the following command:
tmsh show /sys disk directory.

---

581865-2 : 6900, 8900, 8950, or 11050 platforms missing swap storage★

Solution Article: K11053914

Component: TMOS

Symptoms:
No swap is available; observable via 'cat /proc/swaps'.

Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.

Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.

Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.

---

581668 : DNS/SIP whitelisted packets not reported

Component: Advanced Firewall Manager

Symptoms:
If a DNS/SIP packet hits DOS whitelist then this packet is not being reported to AVR.

Conditions:
The packet has to be DNS or SIP packet and has to hit the whitelist.

Impact:
There is no functional impact but AVR tables will not have the whitelisted packets in their count.

---

580499-2 : Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.

Solution Article: K34082034

Component: TMOS

Symptoms:
Configuring alternate admin user fails on multi-blade VIPRION chassis and will prevent newly added blades from being available to process traffic. If default admin on primary is disabled and you are on a chassis with at least two blades. After disabling the default admin on the primary and configuring an alternate, mcpd on secondary blades goes into a restart loop, and posts error messages similar to the following in /var/log/ltm:

warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-primary2.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary1.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary2.
err mcpd[26012]: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.
err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.... failed validation with error 17242343.

In this example, admin-primary1 is the default admin user set in the GUI under System :: Platform :: Admin Account, admin-primary2, admin-secondary1 and admin-secondary2 are other admin users on the device, but they are not configured as the default admin user.

Conditions:
Chassis with multiple blades; alternate primary admin is set on the primary blade.

Impact:
mcpd in a restart loop on secondaries.

Workaround:
There is no workaround that will allow you to use a different primary admin user on BIG-IP software versions affected by this issue. To stop secondary blades from restarting in a loop, issue the following commands on your primary blade, which should be stable at this time:

# tmsh modify sys db systemauth.primaryadminuser value admin
# tmsh save sys config

---

579652-1 : Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.

Component: Access Policy Manager

Symptoms:
When URLs from multiple browser tabs start an access policy, the session is created with the landing URL from the first tab that started the session, not with URL the second tab that continued and finished establishing the access session.

For example, an end user opens browser and sends GET to /first_url resource. Access initiates session, and renders logon page. Then end user opens another tab, and sends GET to /second_url resource. Access returns an error message "Access policy evaluation is already in progress for your current session." with a link to start new session. If the end user selects the "click here", the new session will start with /first_url, and not with /second_url as would be expected.

Conditions:
Using Multidomain SSO, and accessing two different resources before the access policy has been created. This causes the access policy to run from two different landing URLs

Impact:
This may cause BIG-IP as SAML SP unable to establish a session with IdP. In the case of LTM and APM, the user is always redirected to the URL from first tab after policy execution finishes.

Workaround:
None.

---

579252-3 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to an less specific virtual during virtual modification. It could also be dropped if there is no less specific virtual server.

Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
  }
  net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
  }

  ltm pool redirect-echo {
    members { 10.125.0.17:7 }
  }
  ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
  }
  ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
  }

Impact:
Traffic can be directed to less specific virtual server

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.

---

579035-5 : Config sync error when a key with passphrase is converted into FIPS.

Solution Article: K46145454

Component: TMOS

Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.

Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.

Impact:
Config sync will fail.

Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720

---

578989-5 : Maximum request body size is limited to 25 MB

Component: Access Policy Manager

Symptoms:
When a POST request with body size exceeds 25 MB is sent to APM virtual server, the request fails.

Conditions:
POST request body size exceeded 25 MB.

Impact:
The POST request fails. The maximum request body size is limited to 25 MB

Workaround:
There is no workaround at this time.

---

577904-1 : When a fips key is deleted, its corresponding public key is not deleted from fips card

Component: Local Traffic Manager

Symptoms:
BIG-IP does not delete the automatically-created public keys in FIPS cards when a FIPS keys is deleted

Conditions:
When the FIPS key is deleted, the corresponding public key is not deleted from the FIPS card.

Impact:
No functional impact.

Workaround:
None.

---

575368-5 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted that the FIPS keys in the configuration that are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.

---

574318-3 : Unable to resume session when switching to Protected Workspace

Component: Access Policy Manager

Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error

Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace

Impact:
Client browser cannot render the protected workspace

---

574113-2 : Block All - Session Tracking Status is not persisted across an auto-sync device group

Component: Application Security Manager

Symptoms:
Users, IP addresses, and Sessions that are meant to be blocked due to their traffic patterns, are not being synchronized to the peer device in an auto-sync device group with ASM sync enabled.

This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Conditions:
1) Devices are in an auto-sync device group with ASM sync enabled.
2) Session Tracking is enabled.

Impact:
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Workaround:
Force a full sync to propagate the session tracking information.

---

572519-1 : More than one header name/value pair not accepted by ACCESS::respond

Component: Access Policy Manager

Symptoms:
An error is seen when ACCESS::respond command is used, for example, in an iRule with multiple header name/value pairs. The error appears similar to the following:

warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected token(s):....

Conditions:
When ACCESS::respond command is used with multiple header name/value pairs.

Impact:
An error is generated when the command is used.

Workaround:
Let the command take only one name/value pair.

---

572142-2 : Config sync peer may fail to monitor newly added pool member after it is added via sync

Component: Local Traffic Manager

Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.

Conditions:
2 or more devices in a device group
A pool member is deleted, and another is added, then a full config sync is performed

Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.

Workaround:
Suggested workaround:

Here’s a way that should avoid any possible downtime:
 
1. Do the node replacement on box A. Do not sync.
2. Do the node replacement on box B. Do not sync.
3. This will cause a sync conflict, and its resolution will require a full load. This is intentional. Force a sync.
 
The result of that final sync will be that mcpd sends no changes to the relevant nodes on the receiving device.

---

571727-1 : 'force-full-load-push' is not tab expandable

Solution Article: K52707821

Component: TMOS

Symptoms:
The 'force-full-load-push' option for 'run cm config-sync' is not tab expandable unless it's the first option given.

Conditions:
This is encountered when trying to use tab complete in tmsh for the 'run cm config-sync' command.

Impact:
The keyword 'force-full-load-push' has to be typed out in full or used as the first option.

Workaround:
Use 'force-full-load-push' as the first option, or type it out in full.

---

571622-1 : 'Exceeding pool member limit' error with FQDN pool members and non-LTM license

Component: Local Traffic Manager

Symptoms:
When configuring FQDN pool members on a BIG-IP system with a license that does not include the LTM module, an error similar to the following may be logged by mcpd:

01071732:3: Exceeding pool member limit (3). Cannot add pool member to pool:(/Common/pool_name).

Conditions:
This may occur if:
1. The active BIG-IP license does not include the LTM module. Specifically, the active license defines a pool member limit (ltm_lb_pool_member_limit) other than 'unlimited'. This applies to AFM, APM, and ASM licenses.
2. FQDN pool members are configured with 'autopopulate' set to 'enabled'.

Impact:
Under these conditions, the ephemeral FQDN pool members are counted against the pool member limit (ltm_lb_pool_member_limit) defined in the LTM license. Cannot configure FQDN pool members with autopopulate enabled on BIG-IP systems without an LTM license.

Workaround:
There are two workarounds for this issue:
Workaround 1
-----------
1. Configure FQDN pool members with autopopulate disabled.
2. Do not attempt to configure more pool members than are permitted by the active license.

Workaround 2
-----------
Add the LTM module to the license configuration.

---

571503-1 : Windows Edge client cannot detect local LAN in some cases

Component: Access Policy Manager

Symptoms:
If Edge client is configured in Always Connected mode with option to "Allow Traffic" without VPN, it will continue to establish VPN even when location awareness is configured.

Conditions:
1) Edge client was installed using a package that was created without setting DNS suffix list in connectivity profile
2) DNS suffix list to identify enterprise LAN was set in the connectivity profile after client package was created.

Impact:
Edge client will fail to detect Enterprise LAN and continue to establish VPN even when machine is connected to enterprise LAN.

---

571333-8 : FastL4 TCP handshake timeout not honored for offloaded flows

Solution Article: K36155089

Component: TMOS

Symptoms:
When a virtual server is configured with a FastL4 profile that enables full acceleration and offload state set to 'embryonic', and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the FastL4 profile, but it should be set to the 'tcp handshake timeout' instead.

Conditions:
-- Virtual server is configured with a FastL4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the acceleration-offload state to establish. For example:

tmsh modify ltm profile fastl4 fastl4_xyzzy pva-offload-state establish

---

571017-1 : Extra log messages seen on optics removal.

Component: TMOS

Symptoms:
Following message may appear in /var/log/ltm when optics are removed:
soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28)

Conditions:
Optics removal.

Impact:
This is a cosmetic message and does not indicate a problem with the system.

Workaround:
None needed.

---

570845-3 : Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy

Solution Article: K00334323

Component: TMOS

Symptoms:
The configuration infrastructure currently allows the invalid 'None' option to be configured on an IPsec IKE peer for phase 1 Perfect Forward Secrecy. Although the ability to configure the 'None' option is incorrect functionality which happens on specific browsers, the configuration infrastructure should have stronger checking and prevent the acceptance of an invalid 'None' option for configured IKE peers.

Conditions:
The ability to configure an IKE peer with an invalid 'None' option for Perfect Forward Secrecy occurs on Internet Explorer and Safari browsers, and the configuration infrastructure does not reject this invalid configuration for these cases.

Impact:
The racoon daemon will fail to start and all IPsec tunnels may fail to work. The racoon.log file may contain messages like:

INFO: Reading configuration from "/etc/racoon/racoon.conf"
ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
ERROR: fatal parse failure (1 errors)
ERROR: failed to parse configuration file.

Workaround:
Don't configure the 'None' option for Perfect Forward Secrecy in the IKE peer configuration section.

---

570013 : TCP Analytics Profile section in virtual server UI has erroneous caption

Component: TMOS

Symptoms:
In TMUI: Local Traffic: Virtual Server:: Create: advanced, TCP Analytics profile section has a erroneous caption for HTTP Analytics profile.

Conditions:
This occurs when creating a TCP Analytics profile in the GUI when AVR is not provisioned.

Impact:
The screen posts a warning similar to the following: Warning: The Application Visibility and Reporting (AVR) module is not provisioned. Assigning an HTTP Analytics profile is not recommended.

However, it should be TCP Analytics profile.

Workaround:
None. The message is correct the AVR is not provisioned. However, the warning should reference the TCP Analytics profile instead of the HTTP Analytics profile.

---

569968 : snmpd core during startup

Component: TMOS

Symptoms:
sod reanimates (with core dump) snmpd due to heartbeat timeout during BIG-IP system startup and configuration load.

Conditions:
During startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump).

Impact:
Only impact is the generation of a core file.

Workaround:
Increase the snmpd heartbeat timeout to 300 seconds or more.

The 11.5.1 default timeout of 60 seconds might be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds.

---

569859-2 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.

Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.

---

569331-1 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP

Component: TMOS

Symptoms:
Traffic will not pass to virtual servers of a traffic group

Conditions:
BIG-IP AWS
High Availability
AWS network outage

Impact:
Some of virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.

Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.

---

569281-6 : L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot

Solution Article: K33242855

Component: TMOS

Symptoms:
Several 'kernel: BUG: soft lockup' messages from kernel leading to TMM. Eventual blade reboot

Conditions:
-- Using vCMP.
-- Network to which the BIG-IP management port is connected has a Layer 2 loop.

Impact:
The BIG-IP system is unusable and eventually reboots.

Workaround:
Avoid L2 loops in the network to which the BIG-IP management port is connected.

---

568458 : DoS vectors must be enabled in both DoS Profile and Device Configuration

Component: Advanced Firewall Manager

Symptoms:
In order for a DoS vector in a DoS Profile to detect a you must enable that same vector in the DoS Device Configuration.

Conditions:
DoS vector configured at the per-virtual server level, but not at the device level.

Impact:
Might result in false negatives.

Workaround:
You can use the following workaround:
1. Enable the vector in Security : DoS Protection : DoS Profiles.
 To do so, click Network Protection, click Enabled, and enable the DoS Vector for the DoS Profile.
2. Enable the vector in the Device Configuration.
 To do so, go to Security : Dos Protection : Device Configuration, select the vector, and then configure the vector either manually, or with the auto-configuration option.

---

567513-4 : Erroneous syncookie flag in HSB return descriptor causes the BIG-IP system to pass through the ACK packets after the session is closed.

Component: Performance

Symptoms:
In rare situations, a packet with ACK flag arriving shortly after the FIN packet is received on a flow might be marked by FPGA to be a valid syncookie response. The BIG-IP system creates a new connection for the ACK packet and passes the packet to the server side, causing a double transaction on the server.

Conditions:
This occurs in the unlikely event of an ACK packet accidentally matching the match hardware syncookie.

Impact:
Confusion on the client/server and double transaction on the server side.

Workaround:
None.

---

567503-1 : ACCESS:session remove can result in confusing ERR_NOT_FOUND logs

Solution Article: K03293396

Component: Access Policy Manager

Symptoms:
When using the iRule command ACCESS:session remove, ERR_NOT_FOUND messages may appear in /var/log/apm. Theses are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.

The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.

Conditions:
An iRule using the command ACCESS:session remove, and the end-user does a POST.

Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.

Workaround:
None.

---

567490-2 : db.proxy.__iter__ value is overwritten if it's manually set

Component: TMOS

Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When changing the value using tmsh or iControl, the db.proxy.__iter__ value is overwritten when subsequently viewing the value in the GUI.

Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.

Impact:
BIND Forwarder Server List values do not persist.

Workaround:
Use the GUI to change the BIND Forwarder Server List values.

---

565755 : Dashboard does not work when custom port is used for management port.

Component: TMOS

Symptoms:
BIG-IP v12.0.0 introduced the ability to change the management port, but the dashboard was not changed to support that. Dashboard does not work when a port is used for management port other than the default port 443.

Conditions:
Using the dashboard when the management address is configured to use a port other than port 443.

Impact:
The dashboard reports a connection error and asks you to log back in.

Workaround:
None.

---

564634-5 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool

Component: Local Traffic Manager

Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.

Conditions:
Remove a monitor from a pool using tmsh edit commands.

Impact:
bigd still monitors the pool.

Workaround:
None.

---

564431-3 : Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail

Component: Policy Enforcement Manager

Symptoms:
Subscriber lines terminated with an EOL that occur before the line without an EOL are loaded.

Conditions:
At least one line in the static subscriber file is not terminated with an EOL character.

Impact:
Impact to support staff in diagnosing the root cause for failure while importing a subscriber file.

Workaround:
Save the file in unix format that appends EOL characters to the each line.
While editing the file make sure lines are terminated with an EOL character.

---

563651-2 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★

Component: Access Policy Manager

Symptoms:
Web application does not work/works intermittently via Portal Access after upgrading the BIG-IP system to any new software version.

Conditions:
-- Web application via Portal Access.
-- Using any modern browser, for example Google Chrome, Mozilla Firefox, Safari, Microsoft Internet Explorer 11 (IE11), or Microsoft Edge.
-- Upgrading BIG-IP software.
-- Web Application uses HTML5 features Local Storage or Session Storage.

Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage). This might impact web-applications with content previously populated in Storage areas.

Workaround:
Possible workaround:
-- Clear browser 'cookies and website data' or 'offline data' manually after upgrading (options to use depend on which browser you are using).

---

560601-1 : HTML5 File API and MediaSource URLs are blocked in Portal Access

Component: Access Policy Manager

Symptoms:
Web Application is not working and a message similar to following is logged to the developer tools console in the browser:
"Refused to load media from 'blob:https://...' because it violates the following Content Security Policy directive: ..."

Conditions:
This occurs on web applications that are using the HTML5 file API

Impact:
Applications with usage of HTML5 File API could stop working when accessed via APM Portal Access.

Workaround:
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header exists Content-Security-Policy] } {
        HTTP::header replace Content-Security-Policy \
            [string map {"data:" "data: blob: mediasource: mediastream:"} [HTTP::header Content-Security-Policy]]
    }
}

---

559402-4 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form

Component: Access Policy Manager

Symptoms:
Client initiated form based SSO fails when the username and password are not replaced correctly in post request. The reason for this is that client initiated form based SSO and browser urlencode special character in username/password differently. and the case sensitive comparison fails to find match between both these urlencoded values. So sso module adds the username password to the token again. This results in password attribute/value pair appears twice with both the f5-sso-token and the real password and so it fails

Conditions:
When the password contains special charaters like [ or ]

Impact:
SSO fails with password attribute/value pair appears twice with both the f5-sso-token and the real password in the token and so it fails

Workaround:
No workaround

---

559082-2 : Tunnel details are not shown for MAC Edge client

Component: Access Policy Manager

Symptoms:
Tunnel details are not shown for MAC Edge client.
Tunnel details are located in Edge client :: View details :: Connection :: Tunnel details

Conditions:
MAC Edge client and established network access connection.

Impact:
Minor. Only diagnostic information is missing, otherwise tunnel works fine.

Workaround:
None.

---

554504 : Client OS version not logged in Browser/OS Reports for iOS client devices

Component: Access Policy Manager

Symptoms:
When an iOS device is used to login with APM, the client OS version is not logged and is not correctly reported in the Browser/OS Report.

Conditions:
Client device must run iOS.

Impact:
Devices running different versions of iOS are not differentiated in the Browser/OS Report.

Workaround:
None.

---

552988-2 : Cannot enable MPTCP on some profiles in GUI.

Component: Local Traffic Manager

Symptoms:
Version 12.1 Cannot enable MPTCP on some profiles in GUI. Get error message: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.

Conditions:
Version 12.1 Enabling MPTCP on some profiles in GUI.

Impact:
Version 12.1 Cannot enable MPTCP.

Workaround:
Use tmsh to enable MPTCP on some profiles.

---

552444-1 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD

Component: Access Policy Manager

Symptoms:
Dynamic drive mapping in network access may not work if
mapping is configured to use session variable, and session variable is received from LDAP/AD.

Conditions:
Drive mapping is received from LDAP/AD and contains double slash in the path, e.g. "\\server\path"

Impact:
Dynamic drive mapping may not function.

Workaround:
For example using session.ad.last.attr.homeDirectory attribute value to drive map. Assign variable and escape the textra backslashes added by APM.

homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]

---

547692-3 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
KPASSWD service runs on tcp/464 and udp/464. If both of these ports were blocked, BIG-IP would not be able to properly set the machine account password for the created machine account. However, there is a bug on BIG-IP as well, which fails to report this failure back to the administrator.

As the machine account itself was successfully created on ActiveDirectory side without the correct password, and BIG-IP's failure to report the KPASSWD failure problem, the domain join operation seems had worked perfectly.

However, since the password information is never set on ActiveDirectory side, this causes this machine account effectively unusable because BIG-IP would never be able to establish a working SCHANNEL with ActiveDirectory server because of this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, as password setting for machine account is not allowed to be performed by administrator, this situation obfuscate the fact the KPASSWD was failing as AD server never receives thus AD never logged any failure on this matter, while BIG-IP fails to detect the KPASSWD failure, and so as administrator's user experience goes, everything seems perfectly worked for domain join.

Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.

Impact:
Created machine account is effectively unusable due to password mismatch, and BIG-IP would never be able to establish a working SCHANNEL, this renders NTLM authentication feature to be not working.

Workaround:
Allow KPASSWD to reach ActiveDirectory server

---

547428-3 : Unexpected storage-format string causes asm restart

Component: Application Security Manager

Symptoms:
ASM restarts and bd generates a core.

Conditions:
Logging Format : Comma-Separated Values
Storage Format : User-Defined

And give format string like what is mentioned in Splunk document - https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup

"f5_asm=Splunk-F5-ASM,attack_type=%attack_type%,blocking_exception_reason=%blocking_exception_reason%,client_type=%client_type%,credential_stuffing_lookup_result=%credential_stuffing_lookup_result%,date_time=%date_time%,dest_ip=%dest_ip%,dest_port=%dest_port%,device_id=%device_id%,enforced_by=%enforced_by%,enforcement_action=%enforcement_action%,epoch_time=%epoch_time%,geo_info=%geo_location%,headers=%headers%,http_class=%http_class_name%,ip_addr_intelli=%ip_address_intelligence%,ip_client=%ip_client%,ip_route_domain=%ip_with_route_domain%,is_trunct=%is_truncated%,login_result=%login_result%,manage_ip_addr=%management_ip_address%,method=%method%,mobile_application_name=%mobile_application_name%,mobile_application_version=%mobile_application_version%,policy_apply_date=%policy_apply_date%,policy_name=%policy_name%,protocol=%protocol%,protocol_info=%protocol_info%,query_str=%query_string%,req=%request%,req_status=%request_status% ...snip..."

Once the virtual server receives a request and bd tries to generate remote log message, bd crashes.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
Use items available in "Available Items" only.

---

544980-5 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.

Component: TMOS

Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.

Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.

Impact:
Not enough space in /var.

Workaround:
In the current volume:

1. Modify global_attributes file.
* The global_attributes file is located at /shared/.tmi_config, so modify global_attributes file by using vi command.

From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

2. Install version.

3. Modify global_attributes file to back original value.

4. Switchboot to newly installed volume.

5. To change /var to 3 GB and from tmsh, run the following command:
modify /sys disk directory /var new-size 3145728

6. Reboot.

---

544958-4 : Monitors packets are sent even when pool member is 'Forced Offline'.

Component: Local Traffic Manager

Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.

Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.

Impact:
Monitors packets are sent even when pool member is 'Forced Offline'.

Workaround:
None.

---

544568-5 : Flows for a FastL4 profile that are forwarded may now be accelerated.

Component: TMOS

Symptoms:
Forwarded FastL4 profiles are not accelerated.

Conditions:
This occurs when any of the following conditions is met:
-- Using a preserve-strict setting on a virtual server.
-- Using the "snat" command in an iRule.
-- Using CGNAT with few available endpoints.

Impact:
Forwarded FastL4 flows are not accelerated.

Workaround:
None.

---

542347-2 : Denied message in audit log on first time boot

Component: TMOS

Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:

type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.

Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.

Impact:
This error message is benign and can be ignored.

Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.

---

542137 : TMM continually restarts due to HSB failure

Component: TMOS

Symptoms:
The HSB device returns invalid data to TMM, resulting in a TMM core. This condition persists for each TMM start and can be observed in the TMM logs as a series of SIGSEGV or SIGFPE signals every time TMM attempts to start.

Conditions:
-- It is unknown under what conditions this error occurs.
-- This occurs only on BIG-IP 6900 (D104), 3900 (C106), and 8900 (D106) platforms.

Impact:
TMM continually restarts, requiring manual intervention to reboot the unit. Traffic disrupted.

Workaround:
None.

---

542104-2 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

Solution Article: K33458192

Component: Local Traffic Manager

Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

TCP monitors may fail because the server fails to respond to the initial TCP SYN.

TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.

Conditions:
A server with tcp_tw_recycle enabled.

A multi-blade BIG-IP chassis.

Impact:
Monitor failures or traffic disruption.

Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.

Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.

---

541622-2 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in libcurl function when verifying CAPTCHA

Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.

Impact:
Authentication service will be disrupted until APD/APMD is up again.

---

539026-5 : Stats refinements for reporting Unhandled Query Actions :: Drops

Component: Local Traffic Manager

Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error

but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors

Drops refers to the dropped packets for the system, not specifically for Unhandled Query Actions. It would be more clear if there were one dropped packets stats for the system, and another specifically for Unhandled. And also add stats for Allow packets under Unhandled.

Conditions:
Statistics pages for Unhandled Query Actions :: Drops.

Impact:
May be confusing to determine what the statistics mean.

Workaround:
None.

---

538283-5 : iControl REST asynchronous tasks may block other tasks from running

Component: TMOS

Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.

Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.

Impact:
Potential (and unexpected) long wait times while running a task asynchronously.

Workaround:
None.

---

537209-5 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.

Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.

Impact:
Traffic is Reset on a virtual where it should properly handle the traffic.

Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.

---

535122-8 : [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects

Component: TMOS

Symptoms:
Using iControl REST's process (iCRD) with 'sys crypto' always fails, and the GUI does not work with SSL file objects created without extensions using tmsh (with 'sys file') during the create process.

Conditions:
-- Creating SSL certificates/keys/CRL/CSR objects using iControl (with 'sys crypto') or tmsh (with 'sys file').
-- Specifying the file extension associated with the object: .crt/.key/.crl/.csr.

Impact:
The system creates a file with two extensions, for example, specifying the filename csrname.crt creates a file named csrname.crt.csr in folder /config/ssl/ssl.csr/.

-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Inconsistently manages those files improperly.
   + May return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.').
   + May confuse two objects (e.g., 'web-server' and 'web-server.crt').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and reports an error similar to the following: Key management library returned bad status: -2, Not Found.

Workaround:
When creating SSL-related file objects via tmsh 'sys file' or iCRD with 'sys crypto', do include a file extension (.crt/.key/.crl/.csr) in the object name, even if it is the extension associated with the type of object. This is because the system explicitly adds the appropriate file extension during the create operation for ('sys crypto') but does not add extensions for ('sys file').

---

535119-1 : APM log tables initial rotation in MySQL may be wrong

Component: Access Policy Manager

Symptoms:
APM uses local MySQL to store logs and automatically rotate the log tables when the log table size exceeds a limit, which removes the oldest log table and make room for a new current log table.

However, the initial timestamps of those log tables may be very close--or the same in 1-second granularity of MySQL timestamps--right after the installation that initially creates those log tables. Due to the timestamp granularity, it may be wrong for APM to choose the oldest log table to remove in the first round of rotation, resulting in removal of log data that are not the oldest.

After the first rotation, the log table rotation should work as normal.

Conditions:
The first round of log table rotation after installation

Impact:
Log data that are not the oldest may be removed at the first round of log table rotation.

---

534187-2 : Passphrase protected signing keys are not supported by SAML IDP/SP

Component: Access Policy Manager

Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.

Conditions:
Private key used to perform digital signing operations is passphrase protected.

Impact:
SAML protocol will not function properly due to inability to sign messages.

Workaround:
To work around the problem, remove the passphrase from the signing key.

---

530092-2 : AD/LDAP groupmapping is overencoding group names with backslashes

Component: Access Policy Manager

Symptoms:
Adding a group value that contains space(s) manually in AD/LDAP Group Resource Assign actions will result in the space(s) being escaped and thus invalidating match attempts. For example, adding group 'Foo Bar' (without the quotes) will result in an expression found in bigip.conf as follows:

expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"

The value '\"CN=Foo\\\\ Bar\"' will not match a memberOf group returned that contains 'CN=Foo Bar,...'.

Conditions:
Spaces are encoded with backslashes.

Impact:
Matching for memberOf group will not working.

Workaround:
N/A

---

529896-2 : DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared

Component: Global Traffic Manager (DNS)

Symptoms:
On deleting the RRset cache, an incorrect answer could be served out of the message cache.

Conditions:
The RRset cache is cleared but the message cache is not.

Impact:
A deleted or cleared answer may be served

---

528894-9 : Config sync after sub-partition config changes results extra lines in the partition's conf file

Component: TMOS

Symptoms:
Config sync after sub-partition config changes results extra lines in the partition's conf file.

Conditions:
Make changes under any partition except /Common and then config sync without overwrite.

Impact:
/config/partitions/partition_name/bigip_base.conf in the partitions folder has trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration.

Workaround:
'Sync Device to Group' with 'Overwrite Configuration' enabled.

---

528295-6 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Solution Article: K40735404

Component: TMOS

Symptoms:
A 10.x UCS containing LTM virtual servers with ARP set to disable. Loading the 10.x UCS on 11.4.x or later system leads to the ARP and ICMP echo setting value being flipped each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.

Impact:
ARP and ICMP echo setting value being flipped each time the load occurs. Note that the ICMP echo virtual field will be flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.

---

527119-4 : An iframe document body might be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
Cannot use certain page elements (such as the Portal Access menu) in Google Chrome, and it appears that JavaScript has not properly initialized, and results in JavaScript errors on the following kinds of code:
    iframe.contentDocument.write(html)
    iframe.contentDocument.close()
    <any operation with iframe.contentDocument.body>

Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.

-- Using the Chrome browser.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of applications known to contain such code and fail after APM rewriting is TinyMCE editor.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.

The workaround iRule will be unique for each affected application.

---

527004-4 : Monitor delete-and-create within a transaction fails

Component: Local Traffic Manager

Symptoms:
A transaction fails when it attempts to delete a pool and associated monitor, and within that same transaction then attempts to create that same pool with a different monitor. The transaction fail message is:
'Monitor -old_monitor_name- is in use'

This behavior is due to transaction validation, where a delete-and-create of the pool within that same transaction causes validation to fail (and the transaction to be aborted). The monitor cannot be deleted as long as the pool uses that monitor, and the pool will not be deleted at the conclusion of the transaction because later in the same transaction that same pool will be (re-)created.

Conditions:
-- A pool exists with an associated monitor.
-- A transaction is attempted to delete that pool and monitor, and then recreate that pool with a different monitor.

Impact:
The transaction fails. The configuration is not changed, and the BIG-IP system continues to function as if the transaction had not been attempted.

Workaround:
Perform the desired steps outside a transaction to replace the monitor, and/or delete and recreate the pool.

---

526519-1 : APM sessiondump command can produce binary data

Component: Access Policy Manager

Symptoms:
New session variable "session.access.scope" includes a null character after the value. This will result in piped grep commands from sessiondump such as:
sessiondump <args> | grep <search value>

returning the text:
Binary file (standard input) matches

instead of the expected output.

Note that this problem exists in APM version 12.

Conditions:
Using sessiondump command with pipe to grep.

Impact:
Administrator cannot use "grep" command with sessiondump.

Workaround:
Use "-a" option with grep. For example:
sessiondump <args> | grep -a <search value>

---

525378 : iRule commands do not validate session scope

Component: Access Policy Manager

Symptoms:
Assume that a user establishes a session on one virtual server. If the user learns his session ID, he may attempt to reuse that session ID to gain access to resources guarded by a different virtual server. When this happens, the iRule access session commands like [ACCESS::session sid] and [ACCESS::session exists] do not validate the scope of the session. The iRules consider sessions from other virtual servers to be valid, which can cause unintended results and potentially lead to end-users gaining higher privileges than administrators intended.

Conditions:
There may be multiple access profiles assigned to multiple virtual servers, but the iRule session commands will treat all sessions the same.

Impact:
If the administrator is not careful with how the iRule session commands are used, it can result in a user bypassing the access policy and receiving higher privileges than the administrator intended.

Workaround:
Care must be used to ensure that iRules using the session commands do not result in unintended behavior. An iRule similar to one below can be used to restrict a session to the virtual server on which it was created:

when ACCESS_ACL_ALLOWED {
  set sessionlistener [ACCESS::session data get "session.server.listener.name"]
  set virtualname [virtual name]
  
  if { [HTTP::cookie MRHSession] != "" } {
    if { not ($sessionlistener equals $virtualname) } {
      # enter whatever command you wish to use to prevent the connection
      reject
    }
  }
}

---

524193-5 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify,delete, replace-all). Only the first address will be saved.

Conditions:
Specifying multiple source addresses are specified on a TMSH snmp community command.

Impact:
The command is accepted, but only the first address will be allowed snmp access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.

---

524123-1 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.

---

523198-1 : DNS resolver multiplexing might cause unexpected behaviors

Component: Global Traffic Manager (DNS)

Symptoms:
DNS resolver multiplexing might cause unexpected behaviors, resulting in multiple error message: notice hud_msg_queue is full.

Conditions:
This occurs with a DNS resolver configured.

Impact:
TMM cores or connflows not expiring. System posts messages similar to the following: notice hud_msg_queue is full.

Workaround:
None.

---

523158-1 : In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails

Component: Access Policy Manager

Symptoms:
In rare case when dn is returned with cn= in lower case VPE is failing to match groupnames

Conditions:
Server that returns cn in low case

Impact:
Group mapping doesn't work

Workaround:
No workaround.

---

522241-3 : Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete

Component: Local Traffic Manager

Symptoms:
After running the tmsh command "show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only" you may experience the following symptoms:

- One of the TMM instances on the system climbs to 100% CPU utilization for a prolonged amount of time.

- The odd-numbered hyperthread (i.e. 1) corresponding to the even-numbered hyperthread (i.e. 0) where the busy TMM instance is running is partially halted by the HT-Split feature (this will be observable in utilities such as "top" and by the presence of "Idle enforce starting" log messages in the /var/log/kern.log file).

- After waiting for a very long time, the tmsh command may not actually return and display a record count.

- The tmsh command does not respond to CTRL+C and continues running.

Conditions:
A DNS cache contains a large number of records and the BIG-IP Administrator runs the following tmsh command to determine the exact record count:

"show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only"

Impact:
Due to the high CPU utilization, traffic handling is impaired. Control-plane processes can also become affected, leading to different issues (this depends on the size and load of the BIG-IP system). For example, the lacpd process can become descheduled causing trunks to flap.

Workaround:
Do not run the specified tmsh command.

If you have run the specified tmsh command and this has not returned after a very long time and you want restore normal system operation, perform the following steps:

1) Press CTRL+Z to background execution of the command.

2) Enter the "killall -9 tmsh" command (if you have multiple tmsh commands running and only want to kill the affected one, you will have to identify the correct tmsh process using utilities such as ps and top).

If your login shell is tmsh and not bash, simply close your SSH session to the BIG-IP system (as you won't be able to perform the aforementioned steps).

---

520500-4 : Connection inside Windows VPN tunnel may break if renegotiation is enabled in SSL profile

Component: Access Policy Manager

Symptoms:
VPN connection on Microsoft Windows may temporary stop passing traffic while performing secure TLS renegotiation. Although this lasts only for a few seconds, for some applications, it may result in connection stall or loss.

Conditions:
- APM clients for Windows.
- Secure renegotiation (by time or a size) configured on TLS profile on BIG-IP APM.

Impact:
VPN connection on Windows momentarily stops passing traffic.

Workaround:
None.

---

517609-3 : GTM Monitor Needs Special Escape Character Treatment

Solution Article: K77005041

Component: Global Traffic Manager (DNS)

Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.

Conditions:
Any running GTM monitor.

Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.

Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
 
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.

---

516280-4 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.

---

514703-1 : gtm listener cannot be listed across partitions

Component: TMOS

Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.

Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.

For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.

Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.

Workaround:
Change to the partition where the listener exists before performing any operations on it.

---

513887-8 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Component: Application Security Manager

Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.

Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

no other impact

Workaround:
none

---

512490-14 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.

---

510395-5 : Disabling some events while in the event, then running some commands can cause tmm to core.

Solution Article: K17485

Component: Local Traffic Manager

Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.

Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
   }
   after 100
   log local0. "foo"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable events as the last command before exiting the event. For example:

when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
       return
    }

}

---

510034-2 : Access Policy memory is not cleared between access policy executions

Component: Access Policy Manager

Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.

The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.

Conditions:
User uses some Tcl variables that can potentially be not initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured

Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.

Impact:
Unexpected results from Access Policy execution.

Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:

if { [regexp {(.+)example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }

This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.

---

509596-1 : iFrames with 'javascript:' scheme in SRC may not work

Solution Article: K44043455

Component: Access Policy Manager

Symptoms:
Some applications do not work with Portal Access, resulting in an error 'F5_Invoke_write is not defined' on JavaScript Console.

Conditions:
Web application that uses IFrames with 'javascript:' scheme in SRC attribute runs through Portal Access.

Impact:
Web application does not work through Portal Access.

Workaround:
There is no workaround at this time.

---

509497-1 : VCMP guests on a specific host may be restarted when that host system experiences large date/time changes

Component: TMOS

Symptoms:
After a large (longer than 7 months) change in system date/time, either manually or via NTPD, vCMP guests may be terminated and restarted.

Conditions:
-- vCMP is provisioned.
-- There is a large change (longer than 7 months, for example), to the system date/time.

Impact:
Temporary loss of service of data path elements, until terminated guests are restarted.

Workaround:
Avoid large changes in system time during critical hours of operation.

It may be better to bring down guests administratively, make the date/time change, and then bring the guests back up rather than allowing them to be terminated/restarted automatically due to heartbeat timer expiration.

---

505037-2 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop

Solution Article: K01993279

Component: Local Traffic Manager

Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.

Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.

Impact:
Secondary in a restart loop.

Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.

---

501258-2 : Unable to modify 'gtm region region-members' via iControl REST

Component: TMOS

Symptoms:
Unable to modify 'gtm region region-members' via iControl REST. The system posts error 400 Invalid region type messages.

Conditions:
Attempt to modify gtm region region-members via iControl REST.

Impact:
Unable to use iControl REST to configure this portion of the GTM/DNS configuration.

Workaround:
Use tmsh to modify GTM Regions.

---

499404-1 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies

Solution Article: K15457342

Component: Local Traffic Manager

Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.

Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.

Impact:
The wrong MSS value is advertised during 3WHS.

Workaround:
None.

---

499348-5 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge.

---

496621-1 : Portal Access incorectly rewrites expressions with JavaScript typeof operator

Component: Access Policy Manager

Symptoms:
The Portal Access module transforms intranet web application code to make it accessible via an APM virtual server. One of these transformations might incorrectly rewrite expressions with 'typeof' operator, though you might not see any immediate visible effect.

Conditions:
The issue affects expressions like 'typeof something' where 'something' is expected to be transformed by Portal Access.
For example, with the original code similar to 'var l = window.location; if (typeof l.href) {...}' unrewritten typeof argument causes condition to fail.

Impact:
When Portal Access accesses the intranet application containing such code, expressions with typeof operator may have wrong value, leading application to incorrect code paths. As a result, the application might fail with a very obscure and difficult to diagnose errors.

Workaround:
Use an iRule for each specific case. There is no global workaround.

---

494135-1 : HTML Event handlers may not work if 'eval' is redefined

Solution Article: K43101043

Component: Access Policy Manager

Symptoms:
If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly.

Conditions:
There may be many ways to re-define 'eval'. For example:

<form>
<button name=eval onclick="someFunction();">Button</button>
</form>

In this case 'onclick' event handler will not work through Portal Access.

Impact:
Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash.

Workaround:
There is no workaround at this time.

---

493524 : ASM attack appear ongoing forever if restarting dosl7d during an attack

Component: Application Visibility and Reporting

Symptoms:
If dosl7d is restarted during an attack it doesn't write the "end attack" event to logdb.

Conditions:
Restarting dosl7d in the middle of an ASM attack (including actions that implicitly cause dosl7d restart like tmm restart or reboot).

Impact:
Attack appears ongoing in Dos Overview page (even though it should be marked "ended").

Workaround:
No workaround.

---

489960-2 : Memory type stats is incorrect

Component: WebAccelerator

Symptoms:
When tmm allocates memory, it adds up stats per memory type allocated. AAM is not properly marking memory type for strings objects, affecting other types of memory stats depending on configuration and release.

Conditions:
AAM is provisioned and there are virtuals in BIG-IP configuration which have web acceleration profiles associated with one or more AAM policies.

Impact:
Stats for some types of memory can be skewed causing troubleshooting issues.

Workaround:
None.

---

489499-3 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd

Component: TMOS

Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase, "failed to register for LOP at <address>"

Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.

Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.

Workaround:
Re-start lopd:
# bigstart restart lopd

---

486997-1 : The vCMP guest lost watchdog heartbeat, and the host restarted it.

Component: TMOS

Symptoms:
The guest on one slot stops activating its watchdog for 30 seconds, and the host vcmpd restarts the guest. The host logs messages:

-- 01510014:1: vCMP guest <guestname> heartbeat timeout at the halfway mark.
-- 01510013:1: vCMP guest <guestname> lost heartbeat.

In a multi-slot guest, the other, unaffected guest slots /var/log/ltm can report 'clusterd FAILED' and show evidence of the faulty slot going down.

Conditions:
The conditions under which this occurs are unknown. This is a rarely encountered issue.

Impact:
Guest restart on one slot.

Workaround:
This issue has no workaround at this time.

To assist in capturing potential missed messages from the guest serial console, beginning in version 12.0.0, you can enable the db variables vcmp.guest.console and vcmp.guest.console.logging to log the output to a host-side file. To activate the logging, the guest must be re-deployed.

---

486735-5 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.

---

486712-7 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.

---

484683-4 : Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.

Component: TMOS

Symptoms:
-- After a configuration synchronization (ConfigSync) operation, the peer of a high-availability (HA) pair cannot show the summary of cert-chain using the command:
tmsh run sys crypto check-cert verbose enabled

-- After a ConfigSync operation, Certificate Subjects may be missing or empty when viewed in the Configuration Utility/GUI under System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: <certificate>.

Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up an high availability (HA) configuration.
2. Import Certificate chain to one BIG-IP system.
3. Perform a ConfigSync operation to sync the certificate chain to the high availability (HA) peer.

Impact:
After a ConfigSync operation, the certificate chain summary is not created on other high availability (HA) peers.

Workaround:
1. Copy the cert-chain file to a location on the system (e.g., /shared/tmp/).

2. Update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_5361_1.

Note: The step above causes the units to be out of sync, so an additional config-sync operation is required to bring the units 'In Sync' again.

---

482625-1 : Pages with utf-8 Content-Type and utf-16 META tag do not render

Component: Access Policy Manager

Symptoms:
Some pages cannot be displayed. A page has a Content-type header with charset utf-8. The payload has a META tag with charset utf-16. Actual data appears to be utf-8. Rewriting the page inserts a utf-16 BOM in the response, causing the page to not load.

Conditions:
Pages that contain utf-8 Content-Type headers but utf-16 META tags

Impact:
Web-application cannot display some pages.

Workaround:
An iRule can be used to fix the META charset and allow the page to load.

---

481235-2 : Rare Watchdog Restart of TMM and Datastor

Component: TMOS

Symptoms:
The TMM and Datastor get killed and restarted by the watchdog process.

Conditions:
If the server pool is inadequate, or responses are too slow, datastor can experience a resource starvation problem.

Impact:
TMM and Datastor will be killed by the watchdog process.

Workaround:
None. This usually occurs when your server pool is experiencing problems, delays, or simply has too few servers to handle the load.

---

480795 : GTM: Move address from one high availability (HA) redundant LTM to another might cause BIG-IP monitor failure

Component: Global Traffic Manager (DNS)

Symptoms:
Move address from one high availability (HA) redundant LTM to another might cause BIG-IP monitor failure.

Conditions:
-- LTM server high availability (HA) configuration with one address at 'Address List' and another at 'Peer Address List'.
-- One of the addresses is moved from another.

Impact:
Only one of the redundant LTM systems get probed. If the probed LTM is standby, it ignores the probe request. The available BIG-IP redundant LTM server is marked down, the monitor does not work, and all hosted virtual servers are marked down.

Workaround:
To work around this:

1. In the GUI, delete the address from either the 'Address List' or 'Peer Address List' and click 'Update'. .
2. Add the address to the other field and click 'Update'.

Note: Make sure to click 'Update' after step 1 before proceeding to step 2.

---

479262-4 : 'readPowerSupplyRegister error' in LTM log

Component: TMOS

Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.

Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.

Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.

Workaround:
None. You can safely ignore this error message in this case.

---

478450-5 : Improve log details when "Detection invalid host header ()" is logged

Component: Access Policy Manager

Symptoms:
There is no way for the APM admin to determine the source of the sessions for the log message "Detected invalid host header ()", even at debug level logging.

Conditions:
1- Create APM virtual with any access policy
2- On another BIG-IP, create a pool with an HTTPS monitor to that APM virtual server.
3- Notice the logging in APM.

Impact:
It is difficult for admin to determine the source of the error.

---

477992-3 : Instance-specific monitor logging fails for pool members created in iApps

Solution Article: K07450534

Component: Local Traffic Manager

Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.

Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.

Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.

Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.

---

477611-5 : ICMP monitor does not work on DAG Round Robin enabled VLANs

Component: TMOS

Symptoms:
ICMP monitor does not work on the VLANs with DAG Round Robin set to enabled.

Conditions:
For a VLAN, the DAG Round Robin option is enabled.

Impact:
ICMP monitor will be down.

Workaround:
Utilize another monitor or disable the DAG Round Robin option.

---

476544-2 : mcpd core during sync

Component: TMOS

Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.

Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.

Impact:
mcpd cores and restarts if it runs out or memory. Only through inspection of the core file can this condition be detected.

Workaround:
None.

---

474901-1 : Profiles with a large number of regexps can cause excessive memory usage.

Component: Local Traffic Manager

Symptoms:
tmm crashes on out of memory.

Conditions:
This can occur if you are using a lot of profiles that rely on regular expressions, such as compression or deflate.

Impact:
Traffic disrupted while tmm restarts.

---

473755-1 : It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side

Component: Application Visibility and Reporting

Symptoms:
It's possible to open a connection to monpd's Thrift server and if the client does not actively close it, the connection will persist indefinitely (even if it's idle). As a result of this issue, you might experience the following symptoms: -- Cannot access event logs or reports.
-- Cannot run tmsh analytics commands.

Conditions:
Client system opens a connection to monpd's Thrift server (port 9090 or 9091), and does not close it.

Impact:
If the number of allowed connections to monpd's Thrift server is reached, monpd will not receive new connections. Since the idle connections can persist indefinitely this will deny service from monpd.

Workaround:
No workaround (except for manually killing open idle connections).

---

470807-3 : iRule data-groups are not checked for existence

Component: Local Traffic Manager

Symptoms:
When an iRule specifies a data-group that is not in Common, or that does not have an explicit path to it, it does not result in an error when the iRule is saved, or during runtime.

Conditions:
User saves an iRule with a data-group not in Common or with an explicit path to it.

Impact:
When such an iRule is saved, it can cause all traffic to fail.

Workaround:
None.

---

470346-5 : Some IPv6 client connections get RST when connecting to APM virtual

Component: Access Policy Manager

Symptoms:
IPv6 clients connecting to APM virtual server that renders some page, e.g., logon page, webtop, or message box, might get connection resets.

Conditions:
IPv6 client has the last 4 bytes of the IP address set to some special-purpose address, e.g., multicast address.

Impact:
Client connection is reset.

Workaround:
Change the last 4 bytes of the client IPv6 address to avoid the IPv4 special-address range.

---

469366-3 : ConfigSync might fail with modified system-supplied profiles

Solution Article: K16237

Component: TMOS

Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.

Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.

Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'

Workaround:
One of the following: 1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation. 3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.

---

467589-4 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.

Component: WebAccelerator

Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with the new install (and is run hourly via cron) throws an error. The script is meant to be exited if AAM, ASM and PSM are not provisioned, but the check is not done appropriately and it continues execution, failing later.

Conditions:
BIG-IP system with no AAM, ASM, and PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl)

Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.

Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:

Remount /usr partition as RW:
# mount -o remount -rw /usr

Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:

unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
    exit 0;
}

to:

unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
    exit 0;
}

---

463903-5 : Behavior Change: HA Score calculation when minimum-threshold attribute is in use

Solution Article: K68062382

Component: TMOS

Symptoms:
HA Groups periodically compute an HA health score to determine which BIG-IP device is the 'best' device to host a Traffic Group. If another device has a better score than the current device then the Traffic Group fails over to the other device. The HA Group provides a set of thresholds that, if not met, will evoke failover regardless of HA scores.

Some problems with this are the following:
The HA score measured by two devices may vary slightly over time. The device with the 'best' score may vary thus triggering unnecessary failovers even though the difference in the scores is negligible.

The current method is not flexible. HA groups cannot be easily incorporate other 'boolean' values (i.e VLAN failsafe) or other methods that pick the next active device, (i.e load-aware algorithm).

For these reasons, the HA Group has been refactored into two separate objects, HA Monitor and HA Score, to decouple failure detection from failure remediation. An HA Monitor determines when a traffic group can no longer run on the current device. The HA Score failover method picks the highest scoring device as the next device to host the traffic group. An HA monitor may be combined with other Failover Methods to, for example, failover to the next device in round robin order.

If any component (trunk, pool, cluster member) of a high availability (HA) group violates its 'minimum' requirement (defined by the 'minimum-threshold'), the total HA group score is not forced to 0 (zero) if there is an active bonus set.

Conditions:
-- Configuration contains an HA group with associated components (trunks, pools, cluster members).
-- 'Minimum-threshold' setting of any of those members is non-zero.
-- Non-zero number of members.

Impact:
Because of how HA group score is calculated, the system might incorrectly report a viable traffic group or may fail over unnecessarily.

Workaround:
Use tmsh to configure the 'minimum-threshold' parameter for each of the HA group components (trunks, pools, and cluster members) to a value that specifies the minimum number of monitored objects required to consider this contributor valid.

---

455066-2 : Read-only account can save system config

Component: TMOS

Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.

Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.

Impact:
Read-only users are able to run save sys config in tmsh.

Workaround:
None.

---

451627-2 : If key associated with monitor is stored in external hsm, monitor fails.

Component: Local Traffic Manager

Symptoms:
Monitor does not work with netHSM keys.

Conditions:
Configure netHSM keys and monitor.

Impact:
Monitor does not work.

---

450136-3 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.

Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.

Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.

Workaround:
To workaround this problem, use an iRule to rechunk the HTTP response always.

---

438574-1 : Web UI: iSession Profile properties page displays incorrect parent profile name.

Component: TMOS

Symptoms:
Local Traffic :: Profiles :: iSession Profile properties page displays incorrect parent profile name.

Conditions:
-- Viewing parent profile for an iSession profile.
-- 'iSession' is set as parent profile .
-- Another profile exists with name beginning from 'a' to 'h'.

Impact:
Incorrect information is displayed on the GUI even though the database has the correct information.

Workaround:
View the properties of iSession profile from tmsh.

---

435419-4 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Solution Article: K10402225

Component: Access Policy Manager

Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.

Impact:
mcpd crashes, followed by multiple cores.

Workaround:
Upload the EPSEC file completely, and try the installation again.

---

433572-4 : DTLS does not work with rfcdtls cipher on the B2250 blade

Component: Local Traffic Manager

Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using dtls on vCMP.

Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade

Workaround:
None.

---

431503-5 : TMSH crashes in rare initial tunnel configurations

Solution Article: K14838

Component: TMOS

Symptoms:
In rare BigIP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.

Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.

Impact:
TMM crash in rare race conditions.

Workaround:
None.

---

431480-1 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Solution Article: K17297

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.

---

417819-2 : APM - when Edge Clients, some JS contents are different causing warning

Solution Article: K69046914

Component: Access Policy Manager

Symptoms:
Intermittent JS Error in sesstimeout.js during access to full webtop by Edge Clients.

Conditions:
-- At least two different Edge Clients with User Agent strings based on Internet Explorer version 11 (IE11).
-- A version of IE earlier that IE11 is used to access full webtop resource.

Impact:
If 'Display notification about all script errors' is enabled in IE (Internet Options :: Advanced tab) IE displays JS error messages. One client might encounter a JS Syntax error, depending on TMM count and APM RAMCACHE content.

Note: There is no impact on product functionality, because Edge Clients do not call JS code from sesstimeout.js. The error is cosmetic only and can be ignored.

Workaround:
Special APM resource assignment branch for standalone Edge Clients can be configured in VPE to access 'webtop-type network', (NA_only_webtop resource does not include /vdesk/sesstimeout.js and /vdesk/hometab.js).

---

414713-1 : Hosted Content connected object import issues

Solution Article: K51880413

Component: Access Policy Manager

Symptoms:
If object of policy is linked with hosted content, import will fail unless similarly named object is not created on target box.

The import error looks similar to the following:
"Configuration error: Cannot find sandbox file (Common/hosted-content:loginNew.html_1361913754973) referred in resource webtop (/Common/Import-ChangeProperty) Unexpected Error: Validating configuration process failed."

Conditions:
This can occur if you are using Hosted Content and you are using Export/Import to copy an access policy from one APM to a new APM that does not have the Hosted Content files already on it.

Impact:
The import will fail on the new device.

Workaround:
Unlink objects from hosted content or replicate similar objects under similar names in hosted content first

---

410549-1 : Changing the provision.tmmcount db variable value results in continuous tmm restarts

Component: TMOS

Symptoms:
Changing the 'provision.tmmcount' db variable value results in continuous tmm restarts.

Conditions:
Changing 'provision.tmmcount' db variable value.

Impact:
Continuous tmm restarts.

Workaround:
After making a change to the number of TMMs (provision.tmmcount), save the configuration and reboot the system.

---

405898-2 : If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected

Component: Local Traffic Manager

Symptoms:
If the maximum transmission unit (MTU) for a network running OSPF is different from ZebOS, or if its neighbor router has configured for its interface MTU, OSPF adjacencies may not form, or some datagrams may be rejected.

Conditions:
TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface. OSPF running on that interface.

Impact:
OSPF adjacencies never fully form and routes are not exchanged.

Workaround:
Restarting TMM clears the cached maximum transmission unit (MTU), and allowing all interface MTUs to function with default values should prevent a mismatch.

---

396273-2 : Error message in dmesg and kern.log: vpd r/w failed

Component: TMOS

Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.

Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.

Impact:
This is a benign firmware message, and you can safely ignore it.

Workaround:
There is no workaround, but this is not a functional issue.

---

385013-6 : Certain user roles do not trigger a sync for a 'modify auth password' command

Component: TMOS

Symptoms:
If users with the certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync:

Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
  + guest
  + operator
  + application-editor
  + manager
  + certificate-manager
  + irule-manager
  + resource-admin
  + auditor

Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.

Workaround:
Force a full sync to the peer systems.

---

382363-7 : min-up-members and using gateway-failsafe-device on the same pool.

Solution Article: K30588577

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.

---

375434-6 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 89x0, and 110x0 platforms, and the VIPRION B4100, B4200, and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.

Workaround:
None.

---

374067-7 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Solution Article: K14098

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.

---

370573-2 : iRule STREAM command internal error causes connection drop

Component: Local Traffic Manager

Symptoms:
The connection might drop when STREAM::expression command is used.

Conditions:
The regular expression in STREAM::expression command has look-ahead pattern.

Impact:
The connection gets dropped.

Workaround:
There is no workaround other than not using the look-ahead pattern.

---

369640-1 : Folder path objects in iRules can have only a single context per script

Solution Article: K17195

Component: Local Traffic Manager

Symptoms:
If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs any internal object conversions/lookups will be performed in the first context. When the second virtual runs the same rule, it will assume that the objects that have been looked up are correct, and point to the wrong members.

Conditions:
Two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers.

Impact:
iRule can point to objects outside the current folder path.

Workaround:
Give each virtual servers its own copy of the iRule (it is not necessary to provide complete folder paths).

---

369407-3 : Access policy objects are created inconsistently depending on whether created using wizard or manually.

Component: Access Policy Manager

Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.

Conditions:
This is evident when viewing the label following completion of the NA wizard.

Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.

Workaround:
None.

---

362511 : HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs

Solution Article: K52162658

Component: Access Policy Manager

Symptoms:
Portal Access can incorrectly rewrite CSS in HTML style attributes if it contains HTML entities.

Conditions:
Inline CSS style attributes contains HTML entities.

For example,
  <div style="background:url(&#39;image.jpg&#39;)">
becomes
  <div style="background:url(&#39?F5CH=I;image.jpg&#39;)">
which cannot be interpreted correctly by a browser. As a result, the image won't be displayed.

Impact:
Some images on the page accessed through Portal Access may fail to load.

Workaround:
Before rewriting, use an iRule to substitute HTML entities in positions significant for parser (i.e., keywords, attribute names, quotes, brackets, colons, etc.) with the corresponding characters.

---

315765-5 : The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled. As a result of this issue, you may encounter the following symptom:

A network trace capturing the affected traffic on a BIG-IP system shows traffic continues to egress the BIG-IP system using the disabled SNAT translation address.

Conditions:
This issue occurs when the following condition is met: A SNAT translation address is configured, but disabled.

Impact:
Traffic egresses the BIG-IP system with the disabled SNAT translation address.

Workaround:
To work around this issue, you must delete the affected SNAT configuration instead of disabling it. To do so, perform the following procedure:

Impact of workaround: Deleting the affected SNAT configuration removes it entirely from the BIG-IP configuration. If you require the SNAT configuration later, you must recreate it manually.

BIG-IP 11.x/12.x

1. Log in to the tmsh utility.
2. Delete the affected SNAT configuration by entering the following command: delete /ltm snat <affected SNAT name>.

For example, to delete the test-315765 SNAT configuration, you would enter the following command: delete /ltm snat test-315765.

3. Save the modified configuration by entering the following command:
save /sys config

BIG-IP 9.x through 10.x

1. Log in to the command line.
2. Delete the affected SNAT configuration by entering the following command: bigpipe snat <affected SNAT name> delete.

For example, to delete the test-315765 SNAT configuration, you would enter the following command: bigpipe snat test-315765 delete.

3. Save the modified configuration by entering the following command: bigpipe save all.

---

291256-5 : Changing 'Minimum Length' and 'Required Characters' might result in an error

Component: TMOS

Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length' the system does not save changes, and instead reports an error:

err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'

Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is a greater than 'Minimum Length' value before you changed it.

Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.

(These values should be work because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)

Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.

Workaround:
You can use either of the following workarounds:

-- To workaround this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).

-- Use tmsh instead of the GUI.

---

264701-1 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)

Solution Article: K10066

Component: Global Traffic Manager (DNS)

Symptoms:
The zrd process exits and cannot be restarted.

Conditions:
This occurs when the journal is out-of-sync with the zone.

Impact:
The zrd process cannot be restarted.

Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).

I) On a working system, perform the following:
1. # rndc freeze $z

(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)

2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones].
3. # rndc thaw $z

II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the nonworking /tmp/named.zone.files from a working GTM system.
3. # bigstart start named; bigstart start zrd.

(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors0.)

Repeat part II until all previously nonworking systems are working.

III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf.

---

247527-2 : Mgmt interface cannot be disabled via tmsh

Solution Article: K14890

Component: TMOS

Symptoms:
Issuing a tmsh command to disable the management interface of a blade or appliance appears to succeed, but the management interface is not actually disabled.

Conditions:
This problem occurs on the following hardware platforms:
BIG-IP 1500, 3400, 3410, 6400, 6800, 8400, and 8800 appliances.

This problem does not occur on the following hardware platforms:
BIG-IP 1600, 3600, 3900, 6900, 8900-series and 11000-series appliances.

Impact:
After using the tmsh utility to set the mgmt interface to a disabled state, the tmsh utility will show the mgmt interface as disabled. However, the mgmt interface still responds to network traffic, including ping and ssh.

Workaround:
There are three possible ways to work around this issue:

1) Unplug the management interface if it is not intended to be used.

2) Bring down the switch interface to which the management port connects.

3) Disable the management interface using the following information below.

Important: This workaround might cause unintended consequences. Only use this option as a last resort, as disabling the management interface may remove the ability for the Linux host to communicate with several of the BIG-IP subsystems. As a result of this loss of communication, certain BIG-IP features may not function as expected or at all.

For platforms that expose a 'mgmt' interface via ifconfig, run the command: ifconfig mgmt down. To bring the 'mgmt' interface back up, run the command ifconfig mgmt up.

For platforms that do not expose a 'mgmt' interface via ifconfig, run the command: ifconfig eth0 down. To bring 'eth0' interface back up, run the command ifconfig eth0 up.

---

224665-2 : Proxy Exclusion List setting is not aware of administrative partitions

Solution Article: K12711

Component: TMOS

Symptoms:
The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group.

Conditions:
Using VLAN groups and proxy exclusion.

Impact:
Results in issues for the VLAN group.

Workaround:
None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions , available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.

---

222409-6 : The HTTP::path iRule command may return more information than expected

Solution Article: K9952

Component: Local Traffic Manager

Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.

The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:

GET /dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is /dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:

GET http://www.example.org:80/dir1/dir2/file.ext

In this example, the method token is GET, the resource URI is http://www.example.org/dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Impact:
The HTTP::path iRule command should return the following path value for both requests:

/dir1/dir2/file.ext

However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:

www.example.org:80/dir1/duir2/file.ext

Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.

Note: For more information about the HTTP::path iRule command, refer to HTTP:path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.

Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:

when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}

---

222220-1 : Distributed application statistics

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.

Conditions:
Using Distributed application statistics and multiple wide-IP-members.

Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.

Workaround:
None.

---

★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade