BIG-IP 12.1.5 Fixes and Known Issues

Supplemental Document : BIG-IP 12.1.5 Fixes and Known Issues

Applies To:

Show Versions

BIG-IP AAM

12.1.5

BIG-IP APM

12.1.5

BIG-IP Analytics

12.1.5

BIG-IP Link Controller

12.1.5

BIG-IP LTM

12.1.5

BIG-IP AFM

12.1.5

BIG-IP PEM

12.1.5

BIG-IP DNS

12.1.5

BIG-IP ASM

12.1.5

Updated Date: 06/22/2020

ID Number	CVE	Solution Article(s)	Description
771873-2	CVE-2019-6642	K40378764	TMSH Hardening
757023-5	CVE-2018-5743	K74009656	BIND vulnerability CVE-2018-5743
737574-3	CVE-2019-6621	K20541896	iControl REST input sanitization★
737565-3	CVE-2019-6620	K20445457	iControl REST input sanitization
715923-3	CVE-2018-15317	K43625118	When processing TLS traffic TMM may terminate connections unexpectedly
794413-5	CVE-2019-6471	K10092301	BIND vulnerability CVE-2019-6471
745257-4	CVE-2018-14634	K20934447	Linux kernel vulnerability: CVE-2018-14634
702469-4	CVE-2019-6633	K73522927	Appliance mode hardening in scp
796469-1	CVE-2019-6649	K05123525	ConfigSync Hardening
797885-5	CVE-2019-6649	K05123525	ConfigSync Hardening
799589-5	CVE-2019-6649	K05123525	ConfigSync Hardening
799617-5	CVE-2019-6649	K05123525	ConfigSync Hardening
807477-4	CVE-2019-6650	K04280042	ConfigSync Hardening
810557-5	CVE-2019-6649	K05123525	ASM ConfigSync Hardening

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
707509-3	1-Blocking		Initial vCMP guest creations can fail if certain hotfixes are used
769809-1	2-Critical		vCMP guests 'INOPERATIVE' after upgrade
762453-4	2-Critical		Hardware cryptography acceleration may fail
757455-4	2-Critical		Excessive resource consumption when processing REST requests
750586-3	2-Critical		HSL may incorrectly handle pending TCP connections with elongated handshake time.
748205-2	2-Critical		SSD bay identification incorrect for RAID drive replacement★
744331-1	2-Critical		OpenSSH hardening
743790-4	2-Critical		BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus
734539-2	2-Critical		The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
726487-1	2-Critical		MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
710277-2	2-Critical		IKEv2 further child_sa validity checks
693996-3	2-Critical	K42285625	MCPD sync errors and restart after multiple modifications to file object in chassis
685458-5	2-Critical	K44738140	merged fails merging a table when a table row has incomplete keys defined.
671741-4	2-Critical		LCD on iSeries devices can lock at red 'loading' screen.
653152-1	2-Critical		Support RSASSA-PSS-SIGN in F5 crypto APIs.
788301-2	3-Major	K58243048	SNMPv3 Hardening
777261-1	3-Major		When SNMP cannot locate a file it logs messages repeatedly
758527-5	3-Major		BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
758119-3	3-Major	K58243048	qkview may contain sensitive information
747592-4	3-Major		PHP vulnerability CVE-2018-17082
746266-4	3-Major		Vcmp guest vlan mac mismatch across blades.
745405	3-Major		Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover
743803-5	3-Major		IKEv2 potential double free of object when async request queueing fails
739971-3	3-Major		Linux kernel vulnerability: CVE-2018-5391
738445-1	3-Major		IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
737437-1	3-Major		IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
663924-2	3-Major		Qkview archives includes Kerberos keytab files
641753-2	3-Major		Syncookies activated on a genuine connection gets reset almost 30-50% of the time
599543-3	3-Major		Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
575919-3	3-Major		Running concurrent TMSH instances can result in error in access to history file
523797-2	3-Major		Upgrade: file path failure for process name attribute in snmp.★
726317-3	4-Minor		Improved debugging output for mcpd
692165-2	4-Minor		A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
662372-1	4-Minor	K41250179	Uploading a new device certificate file via the GUI might not update the device certificate
631334-4	4-Minor		TMSH does not preserve \? for config save/load operations
520877-1	4-Minor		Alerts sent by the lcdwarn utility are not shown in tmsh
479471-1	4-Minor	K00342205	CPU statistics reported by the tmstat command may spike or go negative

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
759968-1	1-Blocking		Distinct vCMP guests are able to cluster with each other.
757391-1	2-Critical		Datagroup iRule command class can lead to memory corruption
756450-3	2-Critical		Traffic using route entry that's more specific than existing blackhole route can cause core
752930	2-Critical		Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
740963-3	2-Critical		VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
738046-3	2-Critical		SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
726393-5	2-Critical		DHCPRELAY6 can lead to a tmm crash
724214-2	2-Critical		TMM core when using Multipath TCP
671714-2	2-Critical		Empty persistence cookie name inserted from policy can cause TMM to crash
667779-2	2-Critical		iRule commands may cause the TMM to crash in very rare situations.
474797-7	2-Critical		Nitrox crypto hardware may attempt soft reset while currently resetting
760550-2	3-Major		Retransmitted TCP packet has FIN bit set
759480-1	3-Major		HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
758872-1	3-Major		TMM memory leak
758631-1	3-Major		ec_point_formats extension might be included in the server hello even if not specified in the client hello
756538-2	3-Major		Failure to open data channel for active FTP connections mirrored across an HA pair.
756270-1	3-Major		SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
749414-1	3-Major		Invalid monitor rule instance identifier error
749294-1	3-Major		TMM cores when query session index is out of boundary
742237-1	3-Major		CPU spikes appear wider than actual in graphs
740959-1	3-Major		User with manager rights cannot delete FQDN node on non-Common partition
739963-1	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
727292-2	3-Major		SSL in proxy shutdown case does not deliver server TCP FIN
726232-1	3-Major		iRule drop/discard may crash tmm
720219-1	3-Major	K13109068	HSL::log command can fail to pick new pool member if last picked member is 'checking'
715467-3	3-Major		Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
702450-4	3-Major		The validation error message generated by deleting certain object types referenced by a policy action is incorrect
699598-4	3-Major		HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
688629-3	3-Major	K52334096	Deleting data-group in use by iRule does not trigger validation error
617382-1	3-Major		Csyncd memory leak on multi-bladed systems
599567	3-Major		APM assumes SNAT automap, does not use SNAT pool
576311-1	3-Major	K41335027	HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present
511324-12	3-Major	K23159242	HTTP::disable does not work after the first request/response.
504522-2	3-Major		Trailing space present after 'tmsh ltm pool members monitor' attribute value
747585-1	4-Minor		TCP Analytics supports ANY protocol number
624168-2	4-Minor		DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
735832-2	2-Critical		RAM Cache traffic fails on B2150

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
750213-1	3-Major	K25351434	DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
744937-4	3-Major	K00724442	Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
723790-4	2-Critical		Idle asm_config_server handlers consumes a lot of memory
773553-5	3-Major		ASM JSON parser false positive.
761231-5	3-Major		Bot Defense Search Engines getting blocked after configuring DNS correctly
760878-1	3-Major		Incorrect enforcement of explicit global parameters
727107-1	3-Major		Request Logs are not stored locally due to shmem pipe blockage
721399-3	3-Major		Signature Set cannot be modified to Accuracy = 'All' after another value
695878-5	3-Major		Signature enforcement issue on specific requests
685164-3	3-Major		In partitions with default route domain != 0 request log is not showing requests
660327-2	3-Major		Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
653017-2	3-Major		Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
605649-3	3-Major	K28782793	The cbrd daemon runs at 100% CPU utilization
758336-2	4-Minor		Incorrect recommendation in Online Help of Proactive Bot Defense

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
774301-1	3-Major		Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
766577-5	3-Major		APMD fails to send response to client and it already closed connection.
758018-2	3-Major		APD/APMD may consume excessive resources
755507-1	3-Major		[App Tunnel] 'URI sanitization' error

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
758065-3	3-Major		TMM may consume excessive resources while processing FIX traffic

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
709670-5	3-Major		iRule triggered from RADIUS occasionally fails to create subscribers.

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
757088	2-Critical		TMM clock advances and cluster failover happens during webroot db nightly updates
754257	3-Major		URL lookup queries not working

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
658417-1	2-Critical		REST: Failure to authenticate/renew user who is using expired password

Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
757025-4	CVE-2018-5744	K00040234	BIND Update
754944-4	CVE-2019-6626	K00432398	AVR reporting UI does not follow best practices
754345-4	CVE-2019-6625	K79902360	WebUI does not follow best security practices
753776-3	CVE-2019-6624	K07127032	TMM may consume excessive resources when processing UDP traffic
749879	CVE-2019-6611	K47527163	Possible interruption while processing VPN traffic
748502-4	CVE-2019-6623	K72335002	TMM may crash when processing iSession traffic
744035-3	CVE-2018-15332	K12130880	APM Client Vulnerability: CVE-2018-15332
739970-3	CVE-2018-5390	K95343321	Linux kernel vulnerability: CVE-2018-5390
739947-3	CVE-2019-6610	K42465020	TMM may crash while processing APM traffic
757027-4	CVE-2019-6465	K01713115	BIND Update
753796-3	CVE-2019-6640	K40443301	SNMP does not follow best security practices
750460-4	CVE-2019-6639	K61002104	Subscriber management configuration GUI
750187-4	CVE-2019-6637	K29149494	ASM REST may consume excessive resources
745713-2	CVE-2019-6619	K94563344	TMM may crash when processing HTTP/2 traffic
745371-3	CVE-2019-6636	K68151373	AFM GUI does not follow best security practices
745165-4	CVE-2019-6617	K38941195	Users without Advanced Shell Access are not allowed SFTP access
742226-3	CVE-2019-6635	K11330536	TMSH platform_check utility does not follow best security practices
737910-1	CVE-2019-6609	K18535734	Security hardening on the following platforms
710857-4	CVE-2019-6634	K64855220	iControl requests may cause excessive resource usage
703835-4	CVE-2019-6616	K82814400	When using SCP into BIG-IP systems, you must specify the target filename
702472-4	CVE-2019-6615	K87659521	Appliance Mode Security Hardening
673842-3	CVE-2019-6632	K01413496	vCMP does not follow best security practices

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
666505-2	2-Critical		Gossip between VIPRION blades
745387-4	3-Major		Resource-admin user roles can no longer get bash access
698376-4	3-Major		Non-admin users have limited bash commands and can only write to certain directories
667257-2	3-Major		CPU Usage Reaches 100% With High FastL4 Traffic
607410-1	3-Major	K81239824	In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible
600811-2	3-Major		CATEGORY::lookup command change in behavior★

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
752835-1	2-Critical		Mitigate mcpd out of memory error with auto-sync enabled.
757026-4	3-Major		BIND Update
756153-1	3-Major		Add diskmonitor support for MySQL /var/lib/mysql
749153	3-Major		Cannot create LTM policy from GUI using iControl
735565-3	3-Major		BGP neighbor peer-group config element not persisting
726409-3	3-Major		Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
723794-4	3-Major		PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722682-1	3-Major		Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
720819-1	3-Major		Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-3	3-Major		TACACS audit logging may append garbage characters to the end of log strings
720110-4	3-Major		0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
716166-3	3-Major		Dynamic routing not added when conflicting self IPs exist
714986-1	3-Major		Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714903-1	3-Major		Errors in chmand
714654-3	3-Major		Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
709544-4	3-Major		VCMP guests in HA configuration become Active/Active during upgrade★
707740-3	3-Major		Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
693388-1	3-Major		Log additional HSB registers when device becomes unresponsive
678488-3	3-Major	K59332320	BGP default-originate not announced to peers if several are peering over different VLANs
639619-3	3-Major		UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
582792-7	3-Major		iRules are not updated in transactions through TMSH or iControl
581921-2	3-Major	K22327083	Required files under /etc/ssh are not moved during a UCS restore
671044-3	4-Minor	K78612407	FIPS certificate creation can cause failover to standby system
668964-2	4-Minor	K81873940	'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group
619706-1	4-Minor		tmsh appears to allow password change for internal lcd admin user
436116-1	4-Minor		The tcpdump utility may fail to capture packets

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
754103-3	2-Critical		iRulesLX NodeJS daemon does not follow best security practices
753912-1	2-Critical	K44385170	UDP flows may not be swept
747968-4	2-Critical		DNS64 stats not increasing when requests go through DNS cache resolver
744269-3	2-Critical		dynconfd restarts if FQDN template node deleted while IP address change in progress
741919-1	2-Critical		HTTP response may be dropped following a 100 continue message.
738945-1	2-Critical		SSL persistence does not work when there are multiple handshakes present in a single record
727206-4	2-Critical		Memory corruption when using SSL Forward Proxy on certain platforms
718210-3	2-Critical		Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
747131-1	3-Major		ARP table may not be updated properly by some TMMs
746922-3	3-Major		When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
744536	3-Major		HTTP/2 may garble large headers
742078-1	3-Major		Incoming SYNs are dropped and the connection does not time out.
739638-1	3-Major		BGP failed to connect with neighbor when pool route is used
738523-3	3-Major		SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
721621-2	3-Major		Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
720799-3	3-Major		Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
717896-1	3-Major		Monitor instances deleted in peer unit after sync
717100-4	3-Major		FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716716-3	3-Major		Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
710564-3	3-Major		DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
710355-1	3-Major		High CPU when using HTTP::collect for large chunked payloads
705112-1	3-Major		DHCP server flows are not re-established after expiration
685519-3	3-Major		Mirrored connections ignore the handshake timeout
651889-2	3-Major		persist record may be inconsistent after a virtual hit rate limit
625166-1	3-Major		Suspended iRules cannot complete on aborted flows
588720-1	3-Major	K44907534	Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
273104-2	3-Major		Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
751586-1	4-Minor		http2 virtual does not honour translate-address disabled
684319-2	4-Minor		iRule execution logging
664618-3	4-Minor		Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
658382-1	5-Cosmetic		Large numbers of ERR_UNKNOWN appearing in the logs

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
756774-3	2-Critical		Aborted DNS queries to a cache may cause a TMM crash
756094-1	2-Critical		DNS express in restart loop, 'Error writing scratch database' in ltm log
739846-4	2-Critical		Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
749508-4	3-Major		LDNS and DNSSEC: Various OOM conditions need to be handled properly
748902-8	3-Major		Incorrect handling of memory allocations while processing DNSSEC queries
746877-4	3-Major		Omitted check for success of memory allocation for DNSSEC resource record
744707-1	3-Major		Crash related to DNSSEC key rollover
723288-3	3-Major		DNS cache replication between TMMs does not always work for net dns-resolver
721895-1	3-Major		Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
748177-4	4-Minor		Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
726412-1	4-Minor		Virtual server drop down missing objects on pool creation

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
691945-2	3-Major		Security Policy Configuration Changes When Disabling Learning
690215-1	3-Major		Missing requests in request log
641307-2	3-Major		Response Page contents are corrupted by XML policy import for non-UTF-8 policies
641083-2	3-Major		Policy Builder Persistence is not saved while config events are received
754365-2	4-Minor		Updated flags for countries that changed their flags since 2010
583402-1	4-Minor		ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
747192-3	2-Critical		Small memory leak while creating Access Policy items
714716-3	2-Critical	K10248311	Apmd logs password for acp messages when in debug mode
660913-1	2-Critical		For ActiveSync client type, browscap info provided is incorrect.★
597674-1	2-Critical		TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels.
758764-5	3-Major		APMD Core when CRLDP Auth fails to download revoked certificate
747725-1	3-Major		Kerberos Auth agent may override settings that manually made to krb5.conf
746768-2	3-Major		APMD leaks memory if access policy policy contains variable/resource assign policy items
745654-1	3-Major		Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
722969-1	3-Major		Access Policy import with 'reuse' enabled instead rewrites shared objects
672818-2	3-Major		When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
656784-2	3-Major	K98510679	Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
674367-1	3-Major	K20983428	SDD v3 symmetric deduplication may stop working indefinitely

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
701680-1	3-Major		MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
747104-4	1-Blocking	K52868493	LibSSH Vulnerability: CVE-2018-10933
686376-1	3-Major		Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
624314-1	3-Major		AVR reports incorrect 'actions' in ACL reports

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
726647-1	3-Major		PEM content insertion in a compressed response may truncate some data

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
744959-2	3-Major		SNMP OID for sysLsnPoolStatTotal not incremented in stats
708830-1	3-Major		Inbound or hairpin connections may get stuck consuming memory.

Cumulative fixes from BIG-IP v12.1.4 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
738119-3	CVE-2019-6589	K23566124	SIP routing UI does not follow best practices
714181-3	CVE-2019-6603	K14632915	TMM may crash while processing TCP traffic
671498-3	CVE-2017-3143	K02230327	BIND zone contents may be manipulated
745358-4	CVE-2019-6607	K14812883	ASM GUI does not follow best practices
737442-1	CVE-2019-6591	K32840424	Error in APM Hosted Content when set to public access
716900-1	CVE-2019-6594	K91026261	TMM core when using MPTCP
699452-3	CVE-2019-6597	K29280193	Web UI does not follow current best coding practices
658557-2	CVE-2019-6606	K35209601	The snmpd daemon may leak memory when processing requests.
643554-12	CVE-2017-3731 CVE-2017-3732 CVE-2016-7055	K37526132 K44512851 K43570545	OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
603658-1	CVE-2019-6601	K25359902	AAM security hardening
530775-4	CVE-2019-6600	K23734425	Login page may generate unexpected HTML output
701785-3	CVE-2017-18017	K18352029	Linux kernel vulnerability: CVE-2017-18017

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
734527-4	3-Major		BGP 'capability graceful-restart' for peer-group not properly advertised when configured
600385-1	3-Major	K43295141	BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
597899-1	3-Major		Disabling all pool members may not be reflected in Virtual Server status

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
741423-1	2-Critical		Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-2	2-Critical		The snmpd daemon may leak memory when processing requests.
724680-3	2-Critical		OpenSSL Vulnerability: CVE-2018-0732
723722-3	2-Critical		MCPD crashes if several thousand files are created between config syncs.
723298-3	2-Critical		BIND upgrade to version 9.11.4
700386-1	2-Critical		mcpd may dump core on startup
697424	2-Critical		iControl-REST crashes on /example for firewall address-lists
691589	2-Critical		When using LDAP client auth, tamd may become stuck
689437-2	2-Critical	K49554067	icrd_child cores due to infinite recursion caused by incorrect group name handling
638091-4	2-Critical		Config sync after changing named pool members can cause mcpd on secondary blades to restart
594366-1	2-Critical	K21271097	Occasional crash of icrd_child when BIG-IP restarts
748187-1	3-Major		'Transaction Not Found' Error on PATCH after Transaction has been Created
720713-3	3-Major		TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
720651-3	3-Major		Running Guest Changed to Provisioned Never Stops
720461-3	3-Major		qkview prompts for password on chassis
711249-2	3-Major		NAS-IP-Address added to RADIUS packet unexpectedly
707391-4	3-Major		BGP may keep announcing routes after disabling route health injection
706354-1	3-Major		OPT-0045 optic unable to link
706104-2	3-Major		Dynamically advertised route may flap
705037-3	3-Major		System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704449-4	3-Major		Orphaned tmsh processes might eventually lead to an out-of-memory condition
700827-2	3-Major		B2250 blades may lose efficiency when source ports form an arithmetic sequence.
700757-2	3-Major		vcmpd may crash when it is exiting
693884-3	3-Major		ospfd core on secondary blade during network unstability
692189-3	3-Major		errdefsd fails to generate a core file on request.
689002-1	3-Major		Stackoverflow when JSON is deeply nested
676705-2	3-Major		do not run agetty on VE without serial port
673974-1	3-Major	K63225596	agetty auto detects parity on console port incorrectly
671447-2	3-Major		ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
666884-2	3-Major	K27056204	Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform★
653888-2	3-Major		BGP advertisement-interval attribute ignored in peer group configuration
652877-3	3-Major		Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
642923-2	3-Major		MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
639575-5	3-Major		Using libtar with files larger than 2 GB will create an unusable tarball
628402-4	3-Major		Operator users receive 'can't get object count from mcpd' error in response to certain commands
613509-1	3-Major	K49101035	platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
610449-2	3-Major		restarting mcpd on guest makes block-device-images disappear
602566-5	3-Major		sod daemon may crash during start-up
598289-4	3-Major		TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
598085-2	3-Major		Expected telemetry is not transmitted by sFlow on the standby-mode unit.
563905-2	3-Major		Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
491560-1	3-Major		Using proxy for IP intelligence updates
737389	4-Minor		kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
674145-3	4-Minor		chmand error log message missing data
608348-4	4-Minor		Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
744117-6	2-Critical	K18263026	The HTTP URI is not always parsed correctly
740490-2	2-Critical		Configuration changes involving HTTP2 or SPDY may leak memory
739927-1	2-Critical		Bigd crashes after a specific combination of logging operations
737758-1	2-Critical		MPTCP Passthrough and VIP-on-VIP can lead to TMM core
727044-1	2-Critical		TMM may crash while processing compressed data
726239-3	2-Critical		interruption of traffic handling as sod daemon restarts TMM
724868-2	2-Critical		dynconfd memory usage increases over time
663178-1	2-Critical		tmm may crash sometimes usng VPN
606035-1	2-Critical		csyncd crash
738521-2	3-Major		i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
714559-1	3-Major		Removal of HTTP hash persistence cookie when a pool member goes down.
710028-4	3-Major		LTM SQL monitors may stop monitoring if multiple monitors querying same database
708068-3	3-Major		Tcl commands like "HTTP::path -normalize" do not return normalized path.
706102-3	3-Major		SMTP monitor does not handle all multi-line banner use cases
701678-1	3-Major		Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
695925-3	3-Major		tmm crash when showing connections for a CMP disabled virtual server
693910-2	3-Major		Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693582-3	3-Major		Monitor node log not rotated for certain monitor types
680264	3-Major		HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
674591-2	3-Major	K37975308	Packets with payload smaller than MSS are being marked to be TSOed
672312-2	3-Major		IP ToS may not be forwarded to serverside with syncookie activated
666595-2	3-Major		Monitor node log fd leak by bigd instances not actively monitoring node
662816-2	3-Major	K61902543	Monitor node log fd leak for certain monitor types
653930-2	3-Major	K69713140	Monitor with description containing backslash may fail to load.
613618-1	3-Major		The TMM crashes in the websso plugin.
611482-4	3-Major	K71450348	Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .
610138-2	3-Major	K23284054	STARTTLS in SMTPS filter does not properly restrict I/O buffering
605147-1	3-Major		No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
598707-4	3-Major		Path MTU does not work in self-IP flows
586621-7	3-Major	K36008344	SQL monitors 'count' config value does not work as expected.
628016-2	4-Minor		MP_JOIN always fails if MPTCP never receives payload data
618884-1	4-Minor		Behavior when using VLAN-Group and STP

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
750488	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750484	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750472	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750457	3-Major		Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
749774-2	3-Major		EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-2	3-Major		DNS cache resolver may return a malformed truncated response with multiple OPT records
737332-2	3-Major		It is possible for DNSX to serve partial zone information for a short period of time
723792-3	3-Major		GTM regex handling of some escape characters renders it invalid

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
741108	2-Critical		tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses
744347-1	3-Major		Protocol Security logging profiles cause slow ASM upgrade and apply policy
739945-1	3-Major		JavaScript challenge on POST with 307 breaks application
738789-3	3-Major		ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
738647-1	3-Major		Add the login detection criteria of 'status code is not X'
737998	3-Major		Brute Force end attack condition isn't satisfied for successful logins only
698757-1	3-Major	K58143082	Standby system saves config and changes status after sync from peer
664714-1	3-Major		Client-side challenge is changing POST parameter value under some circumstances
642185-1	3-Major		Add support for IBM AppScan scanner schema changes
613728-1	3-Major		Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
569195-1	3-Major	K41874435	A Set-Cookie for an existing ASM cookie without value change
542817-1	3-Major	K11619228	Specific numbers that are not credit card numbers are being masked as such
653895	4-Minor		Admin user cannot edit policy

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
616161-1	2-Critical		BD process crash and restarts
737597	3-Major		AVR DoS Attack report misses virtual server name in a specific config

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
740777-2	2-Critical		Secondary blades mcp daemon restart when subroutine properties are configured
672221	2-Critical		TMM cores if the certificate configured to validate message signature does not exist.
631060-1	2-Critical		BIG-IP may incorrectly reject serverside connection when REQLOG is configured.
745574-4	3-Major		URL is not removed from custom category when deleted
739744-2	3-Major		Import of Policy using Pool with members is failing
726592-2	3-Major		Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
628712-1	3-Major	K53129098	Advanced customization doesn't work for Profiles in non-common partition with . (period) with name

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
706642-3	2-Critical		wamd may leak memory during configuration changes and cluster events
603746-1	4-Minor		DCDB security hardening

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
724532-1	2-Critical		SIG SEGV during IP intelligence category match in TMM
710755-2	2-Critical		Crash when cached route information becomes stale and the system accesses the information from it.
699454-3	4-Minor		Web UI does not follow current best coding practices
627454	4-Minor		Trimming leading whitespaces at logging profile creation

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
744516-2	2-Critical		TMM panics after a large number of LSN remote picks
734446-3	2-Critical		TMM crash after changing LSN pool mode from PBA to NAPT
669645-1	2-Critical		tmm crashes after LSN pool member change
663531-1	2-Critical		TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
746868	2-Critical		memory leakage when "apply to base domain" is enabled

Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
739094-4	CVE-2018-5546	K54431371	APM Client Vulnerability: CVE-2018-5546
737441-1	CVE-2018-5546	K54431371	Disallow hard links to svpn log files
726089-3	CVE-2018-15312	K44462254	Modifications to AVR metrics page
724339-2	CVE-2018-15314	K04524282	Unexpected TMUI output in AFM
724335-2	CVE-2018-15313	K21042153	Unexpected TMUI output in AFM
722677-3	CVE-2019-6604	K26455071	High-Speed Bridge may lock up
722387-2	CVE-2019-6596	K97241515	TMM may crash when processing APM DTLS traffic
722091-2	CVE-2018-15319	K64208870	TMM may crash while processing HTTP traffic
717742-3	CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794	K44923228	Oracle Java SE vulnerability CVE-2018-2783
707990-3	CVE-2018-15315	K41704442	Unexpected TMUI output in SSL Certificate Instance page
704184-3	CVE-2018-5529	K52171282	APM MAC Client create files with owner only read write permissions
701253-3	CVE-2018-15318	K16248201	TMM core when using MPTCP
721924-3	2018-17539	K17264695	bgpd may crash processing extended ASNs
719554-3	CVE-2018-8897	K17403481	Linux Kernel Vulnerability: CVE-2018-8897
674486-5	CVE-2017-9233	K03244804	Expat Vulnerability: CVE-2017-9233
661828-1	CVE-2019-6590	K55101404	TMM may consume excessive resources when processing SSL traffic

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
715750-3	3-Major		The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
652671-4	3-Major	K31326690	Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
716391-3	2-Critical	K76031538	High priority for MySQL on 2 core vCMP may lead to control plane process starvation
690793-2	2-Critical	K25263287	TMM may crash and dump core due to improper connflow tracking
688148-1	2-Critical		IKEv1 racoon daemon SEGV during phase-two SA list iteration
613476-2	2-Critical		IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion
704247-3	3-Major		BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
686124-3	3-Major	K83576240	IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
678380-3	3-Major	K26023811	Deleting an IKEv1 peer in current use could SEGV on race conditions.
671712	3-Major		The values returned for the ltmUserStatProfileStat table are incorrect.
670528-1	3-Major	K20251354	Warnings during vCMP host upgrade.
620746-1	3-Major		MCPD crash
580602-1	3-Major		Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
551925-3	3-Major		Misdirected UDP traffic with hardware acceleration
464650-4	3-Major		Failure of mcpd with invalid authentication context.
689211-2	4-Minor		IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
678254-2	4-Minor		Error logged when restarting Tomcat

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
716213-3	2-Critical		BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
697259-1	2-Critical	K14023450	Different versioned vCMP guests on the same chassis may crash.
694656-3	2-Critical	K05186205	Routing changes may cause TMM to restart
666401-2	2-Critical	K03294104	Memory might become corrupted when a Standby device transitions to Active during failover
659709-1	2-Critical		Mirroring persistence records may cause a TMM memory leak
641869-1	2-Critical	K62744980	Assertion "vmem_hashlist_remove not found" failed.
635191-1	2-Critical		Under rare circumstances TMM may crash
618106-1	2-Critical	K74714343	bigd core due to memory leak, especially with FQDN nodes
615097-1	2-Critical		Incorrect use of HTTP::collect leads to TMM core.
513310-1	2-Critical		TMM might core when a profile is changed.
722363-1	3-Major		Client fails to connect to server when using PVA offload at Established
720293-1	3-Major		HTTP2 IPv4 to IPv6 fails
713690-1	3-Major		IPv6 cache route metrics are locked
712664-4	3-Major		IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
711981-3	3-Major		BIG-IP system accepts larger-than-egress MTU, PMTU update
700696-2	3-Major		SSID does not cache fragmented Client Certificates correctly via iRule
694697-3	3-Major	K62065305	clusterd logs heartbeat check messages at log level info
693308-3	3-Major		SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691224-1	3-Major	K59327001	Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
671725-1	3-Major	K19920320	Connection leak on standby unit
632968-2	3-Major		supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
600812-1	3-Major		IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet.
578971-3	3-Major		When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
572234-2	3-Major		When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
716922-4	4-Minor		Reduction in PUSH flags when Nagle Enabled
622148-5	4-Minor		flow generated icmp error message need to consider which side of the proxy they are
602708-2	4-Minor	K84837413	Traffic may not passthrough CoS by default

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
718885-1	2-Critical	K25348242	Under certain conditions, monitor probes may not be sent at the configured interval
726255-3	3-Major		dns_path lingering in memory with last_access 0 causing high memory usage
719644-1	3-Major		If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
715448-1	3-Major		Providing LB::status with a GTM Pool name in a variable caused validation issues
710246-3	3-Major		DNS-Express was not sending out NOTIFY messages on VE
636790-3	3-Major		Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
739798	2-Critical		Massive number of log messages being generated and written to the bd.log.
734622	2-Critical	K83093212	Policy change with newly enforced signatures causes sig collection failure in other policies
721741-2	2-Critical		BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
716788-3	2-Critical		TMM may crash while response modifications are being performed within DoSL7 filter
685230-1	2-Critical		memory leak on a specific server scenario
666221-2	2-Critical	K47152503	tmm may crash from DoSL7
617391-1	2-Critical	K53345828	Custom ASM Search Engines causing sync, offline, and upgrade issues★
721752-1	3-Major		Null char returned in REST for Suggestion with more than MAX_INT occurrences
713282-3	3-Major		Remote logger violation_details field does not appear when virtual server has more than one remote logger
701856-2	3-Major		Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
701039	3-Major		Requests do not appear in local logging due to rare file descriptor exhaustion
676223-2	3-Major		Internal parameter in order not to sign allowed cookies
650070-2	3-Major	K23041827	iRule that uses ASM violation details may cause the system to reset the request
648639-3	3-Major	K92201230	TS cookie name contains NULL or other raw byte
646800-2	3-Major		A part of the request is not sent to ICAP server in a specific case
644725-4	3-Major	K01914292	Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
614730-1	3-Major		Session opening log shows incorrect number of challenged responses.
564324-2	3-Major		ASM scripts can break applications
463314-2	4-Minor		Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
685741	3-Major		DoS Overview is very slow to load data, to the point of timeout
649177-2	3-Major	K54018808	Testing for connection to SMTP Server always returns "OK"

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
722013-3	2-Critical		MCPD restarts on all secondary blades post config-sync involving APM customization group
631286-1	2-Critical		TMM Memory leak caused by APM URI cache entries
546489-1	2-Critical		VMware View USB redirection stops working after client reconnect
739144-1	3-Major		Domain logoff scripts runs after VPN connection is closed
738397-2	3-Major		SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
726895-1	3-Major	K02205915	VPE cannot modify subroutine settings
713655-3	3-Major		RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
703793-1	3-Major		tmm restarts when using ACCESS::perflow get' in certain events
702873-3	3-Major		Windows Logon Integration feature may cause Windows logon screen freeze
631626	3-Major		Unable to delete an access profile which contains a route domain agent
631048-1	3-Major		Portal Access [PeopleSoft] 'My Preferences' page does not have content
596166-1	3-Major		Cannot create email using Address Book
565347-2	3-Major		Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
721375	4-Minor		Export then import of config with RSA server in it might fail

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603755-1	2-Critical		dwbld core dump when Auto Blacklisting is configured, in a rare scenario
698806-2	3-Major		Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
738669-3	3-Major		Login validation may fail for a large request with early server response
716318-4	3-Major		Engine/Signatures automatic update check may fail to find/download the latest update

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
726303	3-Major		Unlock 10 million custom db entry limit

Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
716992-3	CVE-2018-5539	K75432956	The ASM bd process may crash
710244-1	CVE-2018-5536	K27391542	Memory Leak of access policy execution objects
709972-4	CVE-2017-12613	K52319810	CVE-2017-12613: APR Vulnerability
709688-5	CVE-2017-3144 CVE-2018-5732 CVE-2018-5733	K08306700	dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
693744-3	CVE-2018-5531	K64721111	CVE-2018-5531: vCMP vulnerability
710827-4	CVE-2019-6598	K44603900	TMUI dashboard daemon stability issue
710705-3	CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421	K34035645	Multiple Wireshark vulnerabilities
710314-2	CVE-2018-5537	K94105051	TMM may crash while processing HTML traffic
710148-4	CVE-2017-1000111 CVE-2017-1000112	K60250153	CVE-2017-1000111 & CVE-2017-1000112
705476-4	CVE-2018-15322	K28003839	Appliance Mode does not follow design best practices
703940-3	CVE-2018-5530	K45611803	Malformed HTTP/2 frame consumes excessive system resources
698813-3	CVE-2018-5538	K45435121	When processing DNSX transfers ZoneRunner does not enforce best practices
677088-4	CVE-2018-15321	K01067037	BIG-IP tmsh vulnerability CVE-2018-15321
672124-3	CVE-2018-5541	K12403422	Excessive resource usage when BD is processing requests
714879-1	CVE-2018-15326	K34652116	APM CRLDP Auth passes all certs
708653-3	CVE-2018-15311	K07550539	TMM may crash while processing TCP traffic
673165	CVE-2017-7895	K15004519	CVE-2017-7895: Linux Kernel Vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
671999-2	3-Major		Re-extract the the thales software everytime the installation script is run
643034-1	3-Major	K52510343	Turn off TCP Proxy ICMP forwarding by default
620445-4	3-Major		New SIP::persist keyword to set the timeout without changing key
613023-4	3-Major		Update SIP::Persist to support resetting timeout value.
441079-2	3-Major	K55242686	BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
693007-3	4-Minor		Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
700315-3	1-Blocking	K26130444	Ctrl+C does not terminate TShark
636774-1	1-Blocking		Potential TMM crash credits to BWC token distribution logic
723130-3	2-Critical	K13996	Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
707003-2	2-Critical		Unexpected syntax error in TMSH AVR
706423-2	2-Critical		tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
696113-1	2-Critical		Extra IPsec reference added per crypto operation overflows connflow refcount
692158-2	2-Critical		iCall and CLI script memory leak when saving configuration
690819-3	2-Critical		Using an iRule module after a 'session lookup' may result in crash
671314-4	2-Critical	K37093335	BIG-IP system cores when sending SIP SCTP traffic
665362-4	2-Critical		MCPD might crash if the AOM restarts
663197-3	2-Critical		Security hardening of files to prevent sensitive configuration from being stored in qkview.
626861-2	2-Critical	K31220138	Ensure unique IKEv2 sequence numbers
599223-1	2-Critical		Prevent static destructors in tmipsecd daemon
581851-2	2-Critical	K16234725	mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
559980-1	2-Critical		Change console baud rate requires reboot to take effect
508113-3	2-Critical		tmsh load sys config base merge file <filename> fails
720880	3-Major		Attempts to license/re-license the BIG-IP system fail.
720756	3-Major		SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720104	3-Major		BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
714848	3-Major		OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
710602	3-Major		iCRD commands requiring 'root' user access fixed
707445	3-Major	K47025244	Nitrox 3 compression hangs/unable to recover
704336-3	3-Major		Updating 3rd party device cert not copied correctly to trusted certificate store
704282-3	3-Major		TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
701900	3-Major	K55938217	DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
698947-1	3-Major		BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
694740-1	3-Major		BIG-IP reboot during a TMM core results in an incomplete core dump
693106-2	3-Major		IKEv1 newest established phase-one SAs should be found first in a search
692179-3	3-Major		Potential high memory usage from errdefsd.
687905	3-Major	K72040312	OneConnect profile causes CMP redirected connections on the HA standby
687534-3	3-Major		If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
686926-3	3-Major		IPsec: responder N(cookie) in SA_INIT response handled incorrectly
684391-1	3-Major		Existing IPsec tunnels reload. tmipsecd creates a core file.
680838-3	3-Major		IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-3	3-Major	K44117473	ECP does not work for PFS in IKEv2 child SAs
678925-4	3-Major		Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
677928-2	3-Major		A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
676897-1	3-Major	K25082113	IPsec keeps failing to reconnect
676092-1	3-Major		IPsec keeps failing to reconnect
675718-1	3-Major		IPsec keeps failing to reconnect
669268	3-Major		Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
667223	3-Major		The merge option for the tmsh load sys config command removes existing nested objects
666035-1	3-Major		Obscuring secrets in files collected by qkview
621314-6	3-Major	K55358710	SCTP virtual server with mirroring may cause excessive memory use on standby device
617865-1	3-Major		Missing health monitor information for FQDN members
605270-5	3-Major		On some platforms the SYN-Cookie status report is not accurate
588929-2	3-Major		SCTP emits 'address conflict detected' log messages during failover
588794-2	3-Major		Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
588771-2	3-Major		SCTP needs traffic-group validation for server-side client alternate addresses
586938-1	3-Major	K57360106	Standby device will respond to the ARP of the SCTP multihoming alternate address
586031-1	3-Major	K40453207	Configuration with LTM policy may fail to load
525580-1	3-Major	K51013874	tmsh load sys config merge file filename.scf base command does not work as expected
685475-3	4-Minor	K93145012	Unexpected error when applying hotfix
680856-3	4-Minor		IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
679135-3	4-Minor		IKEv1 and IKEv2 cannot share common local address in tunnels
678388-3	4-Minor	K00050055	IKEv1 racoon daemon is not restarted when killed multiple times
658298-3	4-Minor		SMB monitor marks node down when file not specified
624484-2	4-Minor	K09023677	Timestamps not available in bash history on non-login interactive shells
573031-1	4-Minor		qkview may not collect certain configuration files in their entirety
720391-1	5-Cosmetic		BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
713491-1	5-Cosmetic		IKEv1 logging shows spi of deleted SA with opposite endianess
651826-2	5-Cosmetic		SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
718071-3	2-Critical		HTTP2 with ASM policy not passing traffic
709334-2	2-Critical		Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-3	2-Critical	K33319853	TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-2	2-Critical		Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707207-2	2-Critical		iRuleLx returning undefined value may cause TMM restart
703914-1	2-Critical		TMM SIGSEGV crash in poolmbr_conn_dec.
686685-1	2-Critical		LTM Policy internal compilation error
683631-1	2-Critical		TMM crashes during stress test
678722-2	2-Critical		In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources
676721-2	2-Critical	K33325265	Missing check for NULL condition causes tmm crash.
674004-1	2-Critical	K34448924	tmm may crash when after deleting pool member in traffic
670804-2	2-Critical	K03163260	Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
656898-2	2-Critical		'oops' 'bad transition' messages occur
613524-3	2-Critical		TMM crash when call HTTP::respond twice in LB_FAILED
598110-1	2-Critical		pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.
586587-1	2-Critical		RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
571651-3	2-Critical		Reset Nitrox3 crypto accelerator queue if it becomes stuck.
440620-2	2-Critical		New connections may be reset when a client reuses the same port as it used for a recently closed connection
713951-3	3-Major		tmm core files produced by nitrox_diag may be missing data
713934-4	3-Major		Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
712475-1	3-Major	K56479945	DNS zones without servers will prevent DNS Express reading zone data
712464-1	3-Major		Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
712437-1	3-Major	K20355559	Records containing hyphens (-) will prevent child zone from loading correctly
711281-3	3-Major		nitrox_diag may run out of space on /shared
707951	3-Major		Stalled mirrored flows on HA next-active when OneConnect is used.
704381-3	3-Major		SSL/TLS handshake failures and terminations are logged at too low a level
703580	3-Major		TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
702151-2	3-Major		HTTP/2 can garble large headers
700889-2	3-Major	K07330445	Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-3	3-Major		Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
700057-3	3-Major		LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
698916-3	3-Major		TMM crash with HTTP/2 under specific condition
698379-3	3-Major	K61238215	HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
693838	3-Major		Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
691806-3	3-Major	K61815412	RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
688553-1	3-Major		SASP GWM monitor may not mark member UP as expected
685615-5	3-Major	K24447043	Incorrect source mac for TCP Reset with vlangroup for host traffic
681757-1	3-Major	K32521651	Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
678872-2	3-Major		Inconsistent behavior for virtual-address and selfip on the same ip-address
677525-3	3-Major		Translucent VLAN group may use unexpected source MAC address
676914-1	3-Major		The SSL Session Cache can grow indefinitely if the traffic group is changed.
676828-2	3-Major	K09012436	Host IPv6 traffic is generated even when ipv6.enabled is false
676355-2	3-Major		DTLS retransmission does not comply with RFC in certain resumed SSL session
675212-3	3-Major		The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication
673052-2	3-Major		On i-Series platforms, HTTP/2 is limited to 10 streams
671337-1	3-Major		NetHSM DNSSEC key creation can attempt to change the SELinux label on a file
668196-2	3-Major		Connection limit continues to be enforced with least-connections and pool member flap, member remains down
668006-1	3-Major	K12015701	Suspended 'after' command leads to assertion if there are multiple pending events
667707-2	3-Major		LTM policy associations with virtual servers are not ConfigSynced correctly
659519-1	3-Major	K42400554	Non-default header-table-size setting on HTTP2 profiles may cause issues
657883-2	3-Major	K34442339	tmm cache resolver should not cache response with TTL=0
657626-2	3-Major		User with role 'Manager' cannot delete/publish LTM policy.
651541-2	3-Major	K83955631	Changes to the HTTP profile do not trigger validation for virtual servers using that profile
636289-2	3-Major		Fixed a memory issue while handling TCP::congestion iRule
633691-4	3-Major		HTTP transaction may not finish gracefully due to TCP connection is closed by RST
624846-1	3-Major		TCP Fast Open does not work for Responses < 1 MSS
604838-1	3-Major		TCP Analytics reports incorrectly reports entities as "Aggregated"
595281-1	3-Major		TCP Analytics reports huge goodput numbers
570277-1	3-Major	K16044231	SafeNet client not able to establish session to all HSMs on all blades.
367226-4	3-Major		Outgoing RIP advertisements may have incorrect source port
251162-3	3-Major	K11564	The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
248914-4	3-Major	K00612197	ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
713533-3	4-Minor		list self-ip with queries does not work
708249-4	4-Minor		nitrox_diag utility generates QKView files with 5 MB maximum file size limit
700433-2	4-Minor	K10870739	Memory leak when attaching an LTM policy to a virtual server
685467-2	4-Minor	K12933087	Certain header manipulations in HTTP profile may result in losing connection.
678801-2	4-Minor		WS::enabled returned empty string
677958-2	4-Minor		WS::frame prepend and WS::frame append do not insert string in the right place.
645729-1	4-Minor		SSL connection is not mirrored if ssl session cache is cleared and resume attempted
639970-3	4-Minor		GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error
627764-2	4-Minor		Prevent sending a 2nd RST for a TCP connection
627695-2	4-Minor		[netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational
621379-2	4-Minor		TCP Lossfilter not enforced after iRule changes TCP settings
618024-2	4-Minor		software switched platforms accept traffic on lacp trunks even when the trunk is down
604272-1	4-Minor		SMTPS profile connections_current stat does not reflect actual connection count.
523814-3	4-Minor		When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
522302-2	4-Minor		TCP Receive Window error messages are inconsistent on UI
495242-3	4-Minor		mcpd log messages: Failed to unpublish LOIPC object

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
713066-3	2-Critical	K10620131	Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-1	2-Critical		DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
706128-1	3-Major		DNSSEC Signed Zone Transfers Can Leak Memory
705503-1	3-Major		Context leaked from iRule DNS lookup
680069-3	3-Major	K81834254	zxfrd core during transfer while network failure and DNS server removed from DNS zone config★
675539-1	3-Major		Inter-system communications targeted at a Management IP address might not work in some cases.
672491-2	3-Major	K10990182	net resolver uses internal IP as source if matching wildcard forwarding virtual server
660263-4	3-Major		DNS transparent cache message and RR set activity counters not incrementing
653775-3	3-Major	K05397641	Ampersand (&) in GTM synchronization group name causes synchronization failure.
643813-2	3-Major		ZoneRunner does not properly process $ORIGIN directives
637227-4	3-Major	K60414305	DNS Validating Resolver produces inconsistent results with DNS64 configurations.
629421-1	3-Major		Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
609527-2	3-Major		DNS cache local zone not properly copying recursion desired (RD) flag in response
602300-1	3-Major		Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
669262-2	4-Minor		[GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
638170-1	4-Minor	K36455356	Pagination broken or missing while viewing pool statistics for GTM wideip
605537-5	4-Minor	K03997964	Error when resetting statistics on GSLB Pool Members

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
639767-2	2-Critical		Policy with Session Awareness Statuses may fail to export
606983-3	2-Critical		ASM errors during policy import
580862-1	2-Critical		Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes
712362-1	3-Major		ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
710327-3	3-Major		Remote logger message is truncated at NULL character.
707888	3-Major		Some ASM operations delayed due to scheduled ASU update
707147-2	3-Major		High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-1	3-Major		False positive illegal multipart violation
704143-2	3-Major		BD memory leak
700726-1	3-Major		Search engine list was updated, and fixing case of multiple entries
691897-1	3-Major		Names of the modified cookies do not appear in the event log
687759-2	3-Major		bd crash
686765-1	3-Major		Database cleaning failure may allow MySQL space to fill the disk entirely
683241-3	3-Major	K70517410	Improve CSRF token handling
674527-1	3-Major		TCL error in ltm log when server closes connection while ASM irules are running
666112-1	3-Major	K53708490	TMM 'DoS Layer 7' memory leak during config load
663396-1	3-Major		URL Method override is enforced incorrectly after upgrade
654996-1	3-Major	K50345236	Closed connections remains in memory
665470-1	4-Minor		Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised
700812-2	5-Cosmetic		asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
716747-4	2-Critical		TMM my crash while processing APM or SWG traffic
715250-2	2-Critical		TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
681850-1	2-Critical		APMD process may fail to initialize on start either after upgrade or after adding certain configurations
671373-2	2-Critical		urldb core seen
632798-2	2-Critical	K30710317	Double-free may occur if Access initialization fails
720695-2	3-Major		Export then import of APM access Profile/Policy with advanced customization is failing
720030-3	3-Major		Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
718208-1	3-Major		Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO
715207-2	3-Major		coapi errors while modifying per-request policy in VPE
714542-1	3-Major		'Always Connected Mode' text is missing in EdgeClient tray
712924	3-Major		In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
712857-1	3-Major		SWG-Explicit rejects large POST bodies during policy evaluation
706374-2	3-Major		Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704524-2	3-Major		[Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
684937-6	3-Major	K26451305	[KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-6	3-Major	K22904904	[KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
658664-3	3-Major	K21390304	VPN connection drops when 'prohibit routing table change' is enabled
609793-1	3-Major		HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.
602429-1	3-Major		DNS suffix is not restored after disconnecting Network Access
543344-3	3-Major		ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
516736-1	3-Major		URLs with backslashes in the path may not be handled correctly in Portal Access

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
703515-5	2-Critical	K44933323	MRF SIP LB - Message corruption when using custom persistence key
698338-2	2-Critical		Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
685708-3	2-Critical		Routing via iRule to a host without providing a transport from a transport-config created connection cores
669739-1	2-Critical	K71963740	Potential core when using MRF SIP with SCTP
659173-1	2-Critical	K76352741	Diameter Message Length Limit Changed from 1024 to 4096 Bytes
700571-2	3-Major		SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-3	3-Major		High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
688942-3	3-Major		ICAP: Chunk parser performs poorly with very large chunk
679114-2	3-Major		Persistence record expires early if an error is returned for a BYE command
674747-2	3-Major	K30837366	sipdb cannot delete custom bidirectional persistence entries.
673814-4	3-Major	K37822302	Custom bidirectional persistence entries are not updated to the session timeout
642298-3	3-Major		Unable to create a bidirectional custom persistence record in MRF SIP
640384-3	3-Major		New iRule options for MR::message route command
620759-4	3-Major		Persist timeout value gets truncated when added to the branch parameter.
632658-4	4-Minor		Enable SIP::persist command to operate during SIP_RESPONSE event
617690-4	4-Minor		enable SIP::respond iRule command to operate during MR_FAILED event

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
677473-1	2-Critical		MCPD core is generated on multiple add/remove of Mgmt-Rules
663770-2	3-Major	K04025134	AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
699531-3	2-Critical		Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-3	2-Critical		TMM core may be seen when using Application reporting with flow filter in PEM
715090	3-Major		PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers
711570-1	3-Major		PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
711093-2	3-Major		PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-1	3-Major		Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-3	3-Major		Increase PEM HSL reporting buffer size to 4K.
648802-3	3-Major		Required custom AVPs are not included in an RAA when reporting an error.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
667662-1	3-Major	K06579313	Autolasthop does not work for PPTP-GRE traffic.

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
625114-2	2-Critical	K08062851	Internal sync-change conflict after update to local users table

Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
708956	1-Blocking	K51206433	During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
696732	2-Critical	K54431534	tmm may crash in a compression provider
697616	3-Major		Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
692239-1	3-Major	K31554905	AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
689730-2	3-Major		Software installations from v13.1.0 might fail★
674455-7	3-Major		Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
680388-2	4-Minor		f5optics should not show function name in non-debug log messages
653759-2	4-Minor		Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
701538-1	2-Critical		SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
662078-1	2-Critical		Occasionally connections are dropped in response to timing errors
694778-2	3-Major		Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-1	3-Major		Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-2	3-Major		Change the default compression strategy to speed
632824-1	3-Major	K00722715	SSL TPS limit can be reached if the system clock is adjusted
495443-10	3-Major	K16621	ECDH negotiation failures logged as critical errors.
679496-1	4-Minor		Add 'comp_req' to the output of 'tmctl compress'

Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
695901-2	CVE-2018-5513	K46940010	TMM may crash when processing ProxySSL data
693312-2	CVE-2018-5518	K03165684	vCMPd may crash when processing bridged network traffic
688516-2	CVE-2018-5518	K03165684	vCMPd may crash when processing bridged network traffic
704580-3	CVE-2018-5549	K05018525	apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
701359-2	CVE-2017-3145	K08613310	BIND vulnerability CVE-2017-3145
688009-5	CVE-2018-5519	K46121888	Appliance Mode TMSH hardening
671497-4	CVE-2017-3142	K59448931	TSIG authentication bypass in AXFR requests
615269-1	CVE-2016-2183	K13167034	CVE-2016-2183: AFM SSH Proxy Vulnerability
603758-1	CVE-2018-5540	K82038789	Big3D security hardening

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
680850-1	3-Major	K48342409	Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
570570-5	3-Major		Default crypto failure action is now 'go-offline-downlinks'.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
711547	1-Blocking		Update cipher support for Common Criteria compliance
708054-3	2-Critical		Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-2	2-Critical		bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
703761-1	2-Critical		Disable DSA keys for public-key and host-based authentication in Common Criteria mode
677937-1	2-Critical	K41517253	APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
673484-1	2-Critical	K85405312	IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
664549-2	2-Critical	K55105132	TMM restart while processing rewrite filter
599423-1	2-Critical	K24584925	merged cores and restarts
583111-1	2-Critical		BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
701626-1	3-Major	K16465222	GUI resets custom Certificate Key Chain in child client SSL profile
686029-1	3-Major		A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
664737-2	3-Major		Do not reboot on ctrl-alt-del
655005-1	3-Major	K23355841	"Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
646890-1	3-Major	K12068427	IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
635703-1	3-Major	K14508857	Interface description may cause some interface level commands to be removed
614486-1	3-Major		BGP community lower bytes of zero is not allowed to be set in route-map
612721-4	3-Major		FIPS: .exp keys cannot be imported when the local source directory contains .key file
609967-2	3-Major	K55424912	qkview missing some HugePage memory data
586412-2	3-Major		BGP peer-group members address-family configuration not saved to configuration
583108-1	3-Major		Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
581101-1	3-Major		non-admin user running list cmd: can't get object count
557155-8	3-Major	K33044393	BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
421797-3	3-Major		ePVA continues to accelerate IP Forwarding VS traffic even in Standby
651413-2	4-Minor	K34042229	tmsh list ltm node does not return an error when node does not exist
598437-1	4-Minor		SNMP process monitoring is incorrect for tmm and bigd

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
706631	2-Critical		A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-1	2-Critical		The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-2	2-Critical		memory corruption can occur when using certain certificates
701202-1	2-Critical	K35023432	SSL memory corruption
700862-2	2-Critical	K15130240	tmm SIGFPE 'valid node'
700393-2	2-Critical	K53464344	Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
685254-1	2-Critical	K14013100	RAM Cache Exceeding Watchdog Timeout in Header Field Search
678416-2	2-Critical		Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
676028-2	2-Critical	K09689143	SSL forward proxy bypass may fail to release memory used for ssl_hs instances
673951-4	2-Critical	K56466330	Memory leak when using HTTP2 profile
670814-2	2-Critical		Wrong SE Linux label breaks nethsm DNSSEC keys
665185-1	2-Critical	K20994524	SSL handshake reference is not dropped if forward proxy certificate lookup failed
657463-2	2-Critical		SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.
648320-3	2-Critical	K38159538	Downloading via APM tunnels could experience performance downgrade.
647757-2	2-Critical	K96395052	RATE-SHAPER:Fred not properly initialized may halt traffic
613088-3	2-Critical		pkcs11d thread has session initialization problem.
452283-2	2-Critical		An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
705794-1	3-Major		Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
690042-3	3-Major	K43412307	Potential Tcl leak during iRule suspend operation
689449-3	3-Major		Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
687205-3	3-Major		Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686972-1	3-Major		The change of APM log settings will reset the SSL session cache.
686395	3-Major		With DTLS version1, when client hello uses version1.2, handshake shall proceed
683697-3	3-Major	K00647240	SASP monitor may use the same UID for multiple HA device group members
677962-3	3-Major		Invalid use of SETTINGS_MAX_FRAME_SIZE
677457	3-Major	K13036194	HTTP/2 Gateway appends semicolon when a request has one or more cookies
677400-3	3-Major	K82502883	pimd daemon may exit on failover
673399-1	3-Major		HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
665652-2	3-Major	K41193475	Multicast traffic not forwarded to members of VLAN group
664528-1	3-Major	K53282793	SSL record can be larger than maximum fragment size (16384 bytes)
663551-1	3-Major	K14942957	SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
662911-2	3-Major	K93119070	SASP monitor uses same UID for all vCMP guests in a chassis or appliance
654368-7	3-Major	K15732489	ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
654086-3	3-Major		Incorrect handling of HTTP2 data frames larger than minimal frame size
653976-2	3-Major	K00610259	SSL handshake fails if server certificate contains multiple CommonNames
651901-2	3-Major		Removed unnecessary ASSERTs in MPTCP code
640369-2	3-Major		TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
633333-3	3-Major		During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
619844-2	3-Major		Packet leak if reject command is used in FLOW_INIT rule
611691-5	3-Major		Packet payload ignored when DSS option contains DATA_FIN
608991-7	3-Major		BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
605480-4	3-Major		BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
604880-4	3-Major		tmm assert "valid pcb" in tcp.c
604549-7	3-Major		MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
592731-1	3-Major	K34220124	Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
653746-2	4-Minor	K83324551	Unable to display detailed CPU graphs if the number of CPU is too large
569814-2	4-Minor	K30240351	iRule "nexthop IP_ADDR" rejected by validator

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
710424-3	2-Critical	K00874337	Possible SIGSEGV in GTMD when GTM persistence is enabled.
699135-2	2-Critical		tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
691287-3	2-Critical		tmm crashes on iRule with GTM pool command
682335-3	2-Critical		TMM can establish multiple connections to the same gtmd
699339-1	3-Major	K24634702	Geolocation upgrade files fail to replicate to secondary blades
696808-3	3-Major		Disabling a single pool member removes all GTM persistence records
687128-3	3-Major		gtm::host iRule validation for ipv4 and ipv6 addresses
679149-2	3-Major		TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
663310-3	3-Major		named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
619158-1	3-Major		iRule DNS request with trailing dot times out with empty response
595293-4	3-Major		Deleting GTM links could cause gtm_add to fail on new devices.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679221-1	1-Blocking		APMD may generate core file or appears locked up after APM configuration changed
702278-3	2-Critical		Potential XSS security exposure on APM logon page.
678715-1	2-Critical		Large volume of query result update to SessionDB fails and locks down ApmD
712315-1	3-Major		LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
710211	3-Major		Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
702490-4	3-Major		Windows Credential Reuse feature may not work
702487-1	3-Major		AD/LDAP admins with spaces in names are not supported
700780-4	3-Major		F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
699267-1	3-Major		LDAP Query may fail to resolve nested groups
681415-1	3-Major		Copying of profile with advanced customization or images might fail
675775-2	3-Major		TMM crashes inside dynamic ACL building session db callback
672250-1	3-Major		SessionDB update from ApmD with large volume fails
671149-3	3-Major		Captive portal login page is not rendered until it is refreshed
669459-2	3-Major		Efect of bad connection handle between APMD and memcachd
639283-4	3-Major		Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
569542-1	3-Major		After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
667237-3	4-Minor		Edge Client logs the routing and IP tables repeatedly

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
673463-2	2-Critical	K68275280	SDD v3 symmetric deduplication may start performing poorly after a failover event
685693	3-Major		APM AppTunnels memory leak

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
702738	3-Major	K32181540	Tmm might crash activating new blob when changing firewall rules
528499-3	4-Minor		AFM address lists are not sorted while trying to create a new rule.

Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
706086-1	CVE-2018-5515	K62750376	PAM RADIUS authentication subsystem hardening
704490	CVE-2017-5754	K91229003	CVE-2017-5754 (Meltdown)
704483	CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176	K91229003	CVE-2017-5753 (Spectre Variant 1)

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
467709-1	4-Minor		FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
707226-2	1-Blocking		DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
704804-2	3-Major		The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2	3-Major		NAS-IP-Address is sent with the bytes in reverse order
703869-1	3-Major		Waagent updated to 2.2.21
701249-2	3-Major		RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147	3-Major		Hourly billed cloud images are now pre-licensed
687098	3-Major		IPv6 RADIUS servers not supported for remote authentication
674288-2	3-Major	K62223225	FQDN nodes - monitor attribute doesn't reliably show in GUI
649465-1	3-Major		SELinux warning messages regarding nsm daemon

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
695117	2-Critical	K30081842	bigd cores and sends corrupted MCP messages with many FQDN nodes
668883	2-Critical		FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675	3-Major		FQDN nodes or pool members flap when DNS response received
701609	3-Major		Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2	3-Major		Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1	3-Major		Reduced Issues for Monitors configured with FQDN
671228-1	3-Major		Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3	3-Major	K69205908	FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1	3-Major		FQDN pool members not shown by tmsh show ltm monitor
573302-1	3-Major		FQDN pool member remains in disabled state after removing monitor
571095-1	3-Major		Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
699262-2	5-Cosmetic		FQDN pool member status remains in 'checking' state after full config sync

Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
700556-2	CVE-2018-5504	K11718033	TMM may crash when processing WebSockets data
698080-1	CVE-2018-5503	K54562183	TMM may consume excessive resources when processing with PEM
691504-3	CVE-2018-5503	K54562183	PEM content insertion in a compressed response may cause a crash.
686305-2	CVE-2018-5534	K64552448	TMM may crash while processing SSL forward proxy traffic
677193-2	CVE-2017-6154	K38243073	ASM BD Daemon Crash.
674189	CVE-2016-0718	K52320548	iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
673078-1	CVE-2017-6150	K62712037	TMM may crash when processing FastL4 traffic
670822-3	CVE-2017-6148	K55225440	TMM may crash when processing SOCKS data
668501-2	CVE-2017-6151	K07369970	HTTP2 does not handle some URIs correctly
630446-1	CVE-2016-0718	K52320548	Expat vulnerability CVE-2016-0718
621233-1	CVE-2018-5509	K49440608	FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
699455-3	CVE-2018-5523	K50254952	SAML export does not follow best practices
699346-2	CVE-2018-5524	K53931245	NetHSM capacity reduces when handling errors
694274-2	CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798	K23565223	[RHSA-2017:3195-01] Important: httpd security update - EL6.7
688625-2	CVE-2017-11628	K75543432	PHP Vulnerability CVE-2017-11628
688011-5	CVE-2018-5520	K02043709	Dig utility does not apply best practices
676457-3	CVE-2017-6153	K52167636	TMM may consume excessive resource when processing compressed data
671638-4	CVE-2018-5500	K33211839	TMM crash when load-balancing mptcp traffic
670405-4	CVE-2017-1000366	K20486351	K20486351: glibc vulnerability CVE-2017-1000366:
662850-2	CVE-2015-2716	K50459349	Expat XML library vulnerability CVE-2015-2716
662663-6	CVE-2018-5507	K52521791	Decryption failure Nitrox platforms in vCMP mode
652848-2	CVE-2018-5501	K44200194	TCP DNS profile may impact performance
643375-1	CVE-2018-5508	K10329515	TMM may crash when processing compressed data
631204-1	CVE-2018-5521	K23124150	GeoIP lookups incorrectly parse IP addresses
617273-7	CVE-2016-5300	K70938105	Expat XML library vulnerability CVE-2016-5300
593139-9	CVE-2014-9761	K31211252	glibc vulnerability CVE-2014-9761
572272-5	CVE-2018-5506	K65355492	BIG-IP - Anonymous Certificate ID Enumeration
673607-2	CVE-2017-3169	K83043359	Apache CVE-2017-3169
672667-4	CVE-2017-7679	K75429050	CVE-2017-7679: Apache vulnerability
605579-8	CVE-2012-6702	K65460334	iControl-SOAP expat client library is subjected to entropy attack
578983-4	CVE-2015-8778	K51079478	glibc: Integer overflow in hcreate and hcreate_r
684033-1	CVE-2017-9798	K70084351	CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
686389-3	3-Major		APM does not honor per-farm HTML5 client disabling at the View Connection Server
685020-1	3-Major		Enhancement to SessionDB provides timeout
653772-2	3-Major		fastL4 fails to evict flows from the ePVA
639505-3	3-Major		BGP may not send all configured aggregate routes
587107-3	3-Major		Allow iQuery to negotiate up to version TLS1.2

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
667148-1	1-Blocking	K02500042	Config load or upgrade can fail when loading GTM objects from a non-/Common partition
689577-1	2-Critical	K45800333	ospf6d may crash when processing specific LSAs
678833	2-Critical		IPv6 prefix SPDAG causes packet drop
676203-1	2-Critical		Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
667405-2	2-Critical	K61251939	Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404-2	2-Critical	K77576404	Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
651362	2-Critical		eventd crashes during boot
631700-1	2-Critical	K72453283	sod may kill bcm56xxd under heavy load
617733-1	2-Critical		Error message: subscriber id response; Subscription not found
580753-1	2-Critical	K82583534	eventd might core on transition to secondary.
563661-2	2-Critical		Datastor may crash
694696-3	3-Major		On multiblade Viprion, creating a new traffic-group causes the device to go Offline
687658-2	3-Major		Monitor operations in transaction will cause it to stay unchecked
687353-3	3-Major	K35595105	Qkview truncates tmstat snapshot files
682213-3	3-Major	K31623549	TLS v1.2 support in IP reputation daemon
679480-1	3-Major		User able to create node when an ephemeral with the same IP already exists
674320-2	3-Major	K11357182	Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672815-2	3-Major		Incorrect disaggregation on VIPRION B4200 blades
671082-1	3-Major	K85168072	snmpd constantly restarting
669888-2	3-Major		No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669462-1	3-Major		Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
669415-1	3-Major		Flow eviction for hardware-accelerated flow might fail
664894-1	3-Major	K11070206	PEM sessions lost when new blade is inserted in chassis
664057-2	3-Major		Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017-3	3-Major		OCSP may reject valid responses
652968-2	3-Major	K88825548	IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
645723-2	3-Major	K74371937	Dynamic routing update can delete admin ip route from the kernel
632366-1	3-Major		Prevent a spurious Broadcom switch driver failure.
631316	3-Major	K62532020	Unable to load config with client-SSL profile error★
626990-1	3-Major	K64915164	restjavad logs flooded with messages from ChildWrapper
624362-1	3-Major		VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
623803-2	3-Major	K12921801	General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
610122-1	3-Major		Hotfix installation fails: can't create /service/snmpd/run★
598724-1	3-Major		Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
586887-2	3-Major	K25883308	SCTP tmm crash with virtual server destination.
579760-3	3-Major	K55703840	HSL::send may fail to resume after log server pool member goes down/up
471237-2	3-Major	K12155235	BIG-IP VE instances do not work with an encrypted disk in AWS.
699281	4-Minor		Version format of hypervisor bundle matches Version format of ISO
669255-2	4-Minor	K20100613	An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
660239-3	4-Minor		When accessing the dashboard, invalid HTTP headers may be present
655085-2	4-Minor		While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
613275-2	4-Minor	K62581339	SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
601168-1	4-Minor		Incorrect virtual server CPU utilization may be observed.
509980-1	4-Minor		Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
692970-3	2-Critical		Using UDP port 67 for purposes other than DHCP might cause TMM to crash
687603-1	2-Critical	K36243347	tmsh query for dns records may cause tmm to crash
686228-3	2-Critical	K23243525	TMM may crash in some circumstances with VLAN failsafe
682682-3	2-Critical		tmm asserts on a virtual server-to-virtual server connection
681175-1	2-Critical	K32153360	TMM may crash during routing updates
676982-2	2-Critical	K21958352	Active connection count increases over time, long after connections expire
674576-4	2-Critical		Outage may occur with VIP-VIP configurations
665924-1	2-Critical	K24847056	The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665732-2	2-Critical	K45001711	FastHTTP may crash when receiving a fragmented IP packet
664461-3	2-Critical	K16804728	Replacing HTTP payload can cause tmm restart
658989-2	2-Critical		Memory leak when connection terminates in iRule process
639039-4	2-Critical	K33754014	Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
614702-1	2-Critical	K24172560	Race condition when using SSL Orchestrator can cause TMM to core
704073-3	3-Major	K24233427	Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
698000-1	3-Major	K04473510	Connections may stop passing traffic after a route update
689089-3	3-Major		VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
686307-1	3-Major	K10665315	Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-1	3-Major		RESOLV::lookup iRule command can trigger crash with slow resolver
685955	3-Major		TMM hud_message_ctx leak
685110-3	3-Major	K05430133	With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683683-1	3-Major		ASN1::encode returns wrong binary data
682104-1	3-Major		HTTP PSM leaks memory when looking up evasion descriptions
680755-1	3-Major	K27015502	max-request enforcement no longer works outside of OneConnect
673621-2	3-Major		Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
670816-2	3-Major	K44519487	HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
669974-1	3-Major	K90395411	Encoding binary data using ASN1::encode may truncate result
668522-1	3-Major		bigd might try to read from a file descriptor that is not ready for read
668419-1	3-Major	K53322151	ClientHello sent in multiple packets results in TCP connection close
666315	3-Major		Global SNAT sets TTL to 255 instead of decrementing
666160-1	3-Major	K63132146	L7 Policy reconfiguration causes a slow memory leak
665022-1	3-Major		Rateshaper stalls when TSO packet length exceeds max ceiling.
664769-1	3-Major		TMM may restart when using SOCKS profile and an iRule
663821-3	3-Major	K41344010	SNAT Stats may not include port FTP traffic
661881-2	3-Major	K00030614	Memory and performance issues when using certain ASN.1 decoding formats in iRules
659648-2	3-Major		LTM Policy rule name migration doesn't properly handle whitespace
657795-1	3-Major	K51498984	Possible performance impact on some SSL connections
655432-7	3-Major	K85522235	SSL renegotiation failed intermittently with AES-GCM cipher
651681-4	3-Major		Orphaned bigd instances may exist (within multi-process bigd)
651135-4	3-Major	K41685444	LTM Policy error when rule names contain slash (/) character★
645220-2	3-Major		bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
645197-3	3-Major		Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change
640565-1	3-Major	K11564859	Incorrect packet size sent to clone pool member
636149-3	3-Major		Multiple monitor response codes to single monitor probe failure
628721-1	3-Major		In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
627926-1	3-Major	K21211001	Retrieving a server-side SSL session ID in iRules does not work
584865-1	3-Major		Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
582487-2	3-Major	K22210514	'merged.method' set to 'slow_merge,' does not update system stats
574526-1	3-Major	K55542554	HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
573366-4	3-Major		parking command used in the nesting script of clientside and serverside command can cause tmm core
692095-3	4-Minor	K65311501	bigd logs monitor status unknown for FQDN Node/Pool Member
625892-2	4-Minor		Nagle Algorithm Not Fully Enforced with TSO
530877-7	4-Minor	K13887095	TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
692941-3	2-Critical		GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
678861-3	2-Critical		DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
580537-1	2-Critical		The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-4	2-Critical		Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
700527-1	3-Major		cmp-hash change can cause repeated iRule DNS-lookup hang
691498-1	3-Major		Connection failure during iRule DNS lookup can crash TMM
690166-3	3-Major		ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
671326-2	3-Major	K81052338	DNS Cache debug logging might cause tmm to crash.
667469-1	3-Major	K35324588	Higher than expected CPU usage when using DNS Cache
665347-2	3-Major	K17060443	GTM listener object cannot be created via tmsh while in non-Common partition
636853-2	3-Major	K19401488	Under some conditions, a change in the order of GTM topology records does not take effect.
621374-1	3-Major		"abbrev" argument in "whereis" iRule returns nothing
487144-2	3-Major		tmm intermittently reports that it cannot find FIPS key

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
701327-1	2-Critical		failed configuration deletion may cause unwanted bd exit
699720-3	2-Critical		ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-3	2-Critical		Rare BD crash in a specific scenario
684312-2	2-Critical	K54140729	During Apply Policy action, bd agent crashes, causing the machine to go Offline
681109-2	2-Critical	K46212485	BD crash in a specific scenario
679603-2	2-Critical	K15460886	bd core upon request, when profile has sensitive element configured.
678462-2	2-Critical		after chassis failover: asmlogd CPU 100% on secondary
678228-1	2-Critical	K27568142	Repeated Errors in ASM Sync
672301-2	2-Critical		ASM crashes when using a logout object configuration in ASM policy
664708-2	2-Critical		TMM memory leak when DoS profile is attached to VS
662281-2	2-Critical		Inconsistencies in Automatic sync ASM Device Group
637252-1	2-Critical	K73107660	Rest worker becomes unreliable after processing a call that generated an error
633070-1	2-Critical		Sync Inconsistencies when using Autosync ASM Group between Chassis devices
631609-1	2-Critical		ASM Centralized Management Infrastructure Sync issues
614441-4	2-Critical	K04950182	False Positive for illegal method (GET)
611154-1	2-Critical		BD crash
599221-1	2-Critical		ASM Policy cannot be created in non-default partition via the Import Policy Task
576123-3	2-Critical	K23221623	ASM policies are created as inactive policies on the peer device
702946-2	3-Major		Added option to reset staging period for signatures
701841-1	3-Major		Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
700564-2	3-Major		JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700330	3-Major		AJAX blocking page isn't shown when a webpage uses jQuery framework.
700143-1	3-Major		ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
698919-1	3-Major		Anti virus false positive detection on long XML uploads
697303-3	3-Major		BD crash
696265-3	3-Major	K60985582	BD crash
694922-4	3-Major		ASM Auto-Sync Device Group Does Not Sync
691477-1	3-Major		ASM standby unit showing future date and high version count for ASM Device Group
685743-3	3-Major		When changing internal parameter 'request_buffer_size' in large request violations might not be reported
685207-2	3-Major		DoS client side challenge does not encode the Referer header.
683508-3	3-Major	K00152663	WebSockets: umu memory leak of binary frames when remote logger is configured
682612	3-Major		Event Correlation is disabled on vCMP even though all the prerequisites are met.
679384-1	3-Major	K85153939	The policy builder is not getting updates about the newly added signatures.
678293-1	3-Major	K25066531	Uncleaned policy history files cause /var disk exhaustion
676416-2	3-Major		BD restart when switching FTP profiles
675232-3	3-Major		Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674494-1	3-Major	K77993010	BD memory leak on specific configuration and specific traffic
671675-1	3-Major		Centralized Management Infrastructure: asm_config_server restart on device group change
668184-1	3-Major		Huge values are shown in the AVR statistics for ASM violations
668181-2	3-Major		Policy automatic learning mode changes to manual after failover
667922	3-Major	K44692860	Alternative unicode encoding in JSON objects not being parsed correctly
666986-2	3-Major	K50320144	Filter by Support ID is not working in Request Log
663535-1	3-Major		Sending ASM cookies with "secure" attribute even without client-ssl profile
654925-1	3-Major	K25952033	Memory Leak in ASM Sync Listener Process
654873-2	3-Major		ASM Auto-Sync Device Group
619516-1	3-Major		Inconsistencies in Automatic sync ASM Device Group
605982-1	3-Major		Policy settings change during export/import
434821-1	3-Major		Remote logging of staged signatures and staged sets
694073-1	4-Minor		All signature update details are shown in 'View update history from previous BIG-IP versions' popup
655159-1	4-Minor	K84550544	Wrong XML profile name Request Log details for XML violation
625602-3	4-Minor		ASM Auto-Sync Device Group Does Not Sync

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
658343-2	3-Major	K33043439	AVR tcp-analytics: per-host RTT average may show incorrect values
648242	3-Major	K73521040	Administrator users unable to access all partition via TMSH for AVR reports
582029-4	3-Major		AVR might report incorrect statistics when used together with other modules.
682105	4-Minor		Adding widget in Analytics Overview can cause measures list to empty out on Page change
649161-1	4-Minor	K42340304	AVR caching mechanism not working properly

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
693739-3	2-Critical		VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
660711-1	2-Critical	K05265457	MCPd might crash when user trying to import a access policy
649234-3	2-Critical	K64131101	TMM crash from a possible memory corruption.
639929-2	2-Critical		Session variable replace with value containing these characters ' " & < > = may case tmm crash
632178-1	2-Critical		LDAP Query agent creates only two session variables when required attributes list is empty
703984-2	3-Major		Machine Cert agent improperly matches hostname with CN and SAN
703429-1	3-Major		Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
700783-3	3-Major		Machine certificate check does not check against all FQDN hostnames
692307-1	3-Major		User with 'operator' role may not be able to view some session variables
689826-2	3-Major	K95422068	Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
686282-1	3-Major		APMD intermittently crash when processing access policies
684325-3	3-Major		APMD Memory leak when applying a specific access profile
683389-1	3-Major		Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
682500-1	3-Major		VDI Profile and Storefront Portal Access resource do not work together
680112-1	3-Major	K18131781	SWG-Explicit rejects large POST bodies during policy evaluation
678851-1	3-Major		Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
676690-3	3-Major		Windows Edge Client sometimes crashes when user signs out from Windows
675866-1	3-Major		WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
675399-3	3-Major	K14304639	Network Access does not work when empty variables are assigned for WINS and DNS
674593-1	3-Major		APM configuration snapshot takes a long time to create
674410-3	3-Major	K59281892	AD auth failures due to invalid Kerberos tickets
673748-1	3-Major	K19534801	ng_export, ng_import might leave security.configpassword in invalid state
672868-1	3-Major		Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
672040-3	3-Major		Access Policy Causing Duplicate iRule Event Execution
671597-1	3-Major		Import, export, copy and delete is taking too long on 1000 entries policy
670910-2	3-Major		Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
669510-2	3-Major		When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
669154-1	3-Major	K25342114	Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
668623-5	3-Major	K85991425	macOS Edge client fails to detect correct system language for regions other than USA
668503-3	3-Major		Edge Client fails to reconnect to virtual server after disabling Network Adapter
668129-1	3-Major		BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
666689-1	3-Major		Occasional "profile not found" errors following activate access policy
666058-2	3-Major	K86091857	XenApp 6.5 published icons are not displayed on APM Webtop
665416-3	3-Major	K02016491	Old versions of APM configuration snapshots need to be reaped more aggressively if not used
665330-1	3-Major		MSIE 11 should avoid compatibility mode
664507-3	3-Major		When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
663127-1	3-Major		Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
655364-1	3-Major		Portal access rewriting window.opener causes JS exception
655146-2	3-Major		APM Profile access stats are not updated correctly
654508-2	3-Major		SharePoint MS-OFBA browser window displays Javascript errors
654046-1	3-Major	K22121533	BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
653771-2	3-Major		tmm crash after per-request policy error
653324-3	3-Major	K87979026	On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
651910-2	3-Major		Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
649613-3	3-Major		Multiple UDP/TCP packets packed into one DTLS Record
632646-4	3-Major		APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629921-4	3-Major		[[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.
621682-1	3-Major		Portal Access: problem with specific JavaScript code
616104-2	3-Major		VMware View connections to pool hit matching BIG-IP virtuals
613373-2	3-Major		Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
610582-2	3-Major		Device Guard prevents Edge Client connections
601420-3	3-Major		Possible SAML authentication loop with IE and multi-domain SSO.
596083-1	3-Major		Error running custom APM Reports with "session creation time" on Viprion Platform
590992-3	3-Major		If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
578413-1	3-Major		Missing reference to customization-group from connectivity profile if created via portal access wizard
575444-1	3-Major		Wininfo agent incorrectly reports OS version on Windows 10 in some cases
563135-3	3-Major		SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
466068-1	3-Major		Allow setting of the AAA Radius server timeout value larger than 60 seconds
447565-5	3-Major	K33692321	Renewing machine-account password does not update the serviceId for associated ntlm-auth.
691017-1	4-Minor		Preventing ng_export hangs
684414-1	4-Minor		Retrieving too many groups is causing out of memory errors in TMUI and VPE
673717-1	4-Minor		VPE loading times can be very long
671627-1	4-Minor	K06424790	HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
667304-1	4-Minor	K68108551	Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
561892-2	4-Minor	K08121752	Kerberos cache is not cleared when Administrator password is changed in AAA AD Server

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
662844	2-Critical	K87735013	TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
643785-3	2-Critical		diadb crashes if it cannot find pool name
699431	3-Major		Possible memory leak in MRF under low memory

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
456376-4	1-Blocking	K53153545	BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
671052-3	2-Critical	K50324413	AFM NAT security RST the traffic with (FW NAT) dst_trans failed
644822-2	2-Critical	K19245372	FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
564058-1	2-Critical	K91467162	AutoDoS daemon aborts intermittently after it's being up for several days
620543-1	3-Major		Security Address Lists and Port Lists can't change Description field

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
696383-2	2-Critical		PEM Diameter incomplete flow crashes when sweeped
694717-3	2-Critical		Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-3	2-Critical	K23164003	TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-2	3-Major		PEM Diameter incomplete flow crashes when TCL resumed
695968-3	3-Major		Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-3	3-Major		CCA without a request type AVP cannot be tracked in PEM.
694318-3	3-Major		PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-3	3-Major		PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-2	3-Major		Potential memory leak if PEM Diameter sessions are not created successfully.
678714-3	3-Major		After HA failover, subscriber data has stale session ID information
660187-3	3-Major		TMM core after intra-chassis failover for some instances of subscriber creation
642068-1	3-Major		PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
638594-3	3-Major		TMM crash when handling unknown Gx messages.
627616-3	3-Major		CCR-U missing upon VALIDITY TIMER expiry when quota is zero
624231-5	3-Major		No flow control when using content-insertion with compression
680729-3	4-Minor	K64307999	DHCP Trace log incorrectly marked as an Error log.
678822-3	4-Minor		Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
663333-1	2-Critical		TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high
615432-1	2-Critical		Multiple TFTP data transfers cannot be initiated in a single session
663974-2	3-Major		TMM crash when using LSN inbound connections

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
692123-2	3-Major		GET parameter is grayed out if MobileSafe is not licensed
667892-2	3-Major		FPS: BLFN inheritance won't take effect until GUI refresh

Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
681710-4	CVE-2017-6155	K10930474	Malformed HTTP/2 requests may cause TMM to crash
673595-2	CVE-2017-3167 CVE-2017-3169	K34125394	Apache CVE-2017-3167
648786-5	CVE-2017-6169	K31404801	TMM crashes when categorizing long URLs

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
673129	3-Major	K41458656	New feature: revoke license

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
682837	1-Blocking		Compression watchdog period too brief.
675921	1-Blocking		Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
696468	2-Critical		Active compression requests can become starved from too many queued requests.
667173	2-Critical		13.1.0 cannot join a device group with 13.1.0.1
665656-1	2-Critical		BWC with iSession may memory leak
663366-3	2-Critical		SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1	2-Critical	K91988084	restjavad spawns too many icrd_child instances
683114-1	3-Major		Need support for 4th element version in Update Check
679959-1	3-Major		Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2	3-Major	K03433341	MCP memory leak when performing incremental ConfigSync
669288-3	3-Major	K76152943	Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2	3-Major		High Speed Logging unbalance in log distribution for multiple pool destination.
668048-1	3-Major	K02551403	TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2	3-Major		Disabling pool member used in busy HSL TCP destination can result service disruption.
659057-1	3-Major		BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2	3-Major	K51355172	When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
652691-1	3-Major		Installation fails if only .iso.384.sig (new format signature file) is present★
652689-2	3-Major	K14243280	Displaying 100G interfaces
642952	3-Major		platform_check doesn't run PCI check on i11800
640636-3	3-Major		F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1	3-Major		Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1	3-Major		BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1	3-Major		Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1	3-Major	K21551422	Unix daemon configuration may lost or not be updated upon reboot
674515	4-Minor		New revoke license feature for VE only implemented
663580-1	4-Minor	K31981624	logrotate does not automatically run when /var/log reaches 90% usage
644723-1	4-Minor		cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1	4-Minor		Multicast Out stats always zero for management interface.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
689080	2-Critical		Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value
463097-3	3-Major		Clock advanced messages with large amount of data maintained in DNS Express zones

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
672504-1	2-Critical	K52325625	Deleting zones from large databases can take excessive amounts of time.
614788-1	2-Critical		zxfrd crash due to lack of disk space
655233-1	3-Major	K93338593	DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1	3-Major	K57853542	DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2	3-Major	K70543226	zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2	3-Major	K32401561	A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1	4-Minor		Improved default storage size for DNS Express database

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
652796-1	1-Blocking		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1	2-Critical		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2	3-Major	K24756214	Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3	3-Major	K31757417	Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679440-2	2-Critical	K14120433	MCPD Cores with SIGABRT
591828-4	3-Major	K52750813	For unmatched connection, TCP RST may not be sent for data packet

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
668252-2	2-Critical	K22784428	TMM crash in PEM_DIAMETER component
628311-3	2-Critical	K87863112	Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2	3-Major		Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686-2	3-Major		Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673683-2	3-Major		Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678-2	3-Major		Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472-2	3-Major		After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4	3-Major		TMM crash due to PEM usage reporting after a CMP state change.
634015-3	3-Major	K49315364	Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2	3-Major		Gy CCR-i requests are not being re-sent after initial configured re-transmits

Cumulative fixes from BIG-IP v12.1.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
687193-1	CVE-2018-5533	K45325728	TMM may leak memory when processing SSL Forward Proxy traffic
684879-2	CVE-2017-6164	K02714910	TMM may crash while processing TLS traffic
662022-5	CVE-2017-6138	K34514540	The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3	CVE-2017-6132	K12044607	A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880	CVE-2017-6214	K81211720	Kernel Vulnerability: CVE-2017-6214
652539	CVE-2016-0634 CVE-2016-7543 CVE-2016-9401	K73705133	Multiple Bash Vulnerabilities
652516	CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576	K31603170	Multiple Linux Kernel Vulnerabilities
651221-2	CVE-2017-6133	K25033460	Parsing certain URIs may cause the TMM to produce a core file.
650286-2	CVE-2017-6167	K24465120	REST asynchronous tasks permissions issues
650059-1	CVE-2017-6129	K20087443	TMM may crash when processing VPN traffic
649907-2	CVE-2017-3137	K30164784	BIND vulnerability CVE-2017-3137
649904-2	CVE-2017-3136	K23598445	BIND vulnerability CVE-2017-3136
644904-5	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486	K55129614	tcpdump 4.9
644693-3	CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241	K15518610	Fix for multiple CVE for openjdk-1.7.0
638556-2	CVE-2016-10045	K73926196	PHP Vulnerability: CVE-2016-10045
634779-1	CVE-2017-6147	K43945001	TMM may crash will processing SSL Forward Proxy traffic
625860-2	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6	CVE-2017-0301	K54358225	Portal Access: Requests handled incorrectly
659791-2	CVE-2017-6136	K81137982	TFO and TLP could produce a core file under specific circumstances
655059-3	CVE-2017-6134	K37404773	TMM Crash
653224-1	CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337	K59836191	Multiple GnuTLS Vulnerabilities
653217-2	CVE-2016-2125 CVE-2016-2126	K03644631	Multiple Samba Vulnerabilities
645480-3	CVE-2017-6139	K45432295	Unexpected APM response
645101-2	CVE-2017-3731, CVE-2017-3732	K44512851	OpenSSL vulnerability CVE-2017-3732
642659-2	CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540	K34527393	Multiple LibTIFF Vulnerabilities
640768	CVE-2016-10088 CVE-2016-9576	K05513373	Kernel vulnerability: CVE-2016-10088
639729-2	CVE-2017-0304	K39428424	Request validation failure in AFM UI Policy Editor
637666-2	CVE-2016-10033	K74977440	PHP Vulnerability: CVE-2016-10033
635314-5	CVE-2016-1248	K22183127	vim Vulnerability: CVE-2016-1248
622178-1	CVE-2017-6158	K19361245	Improve flow handling when Autolasthop is disabled
597176-1	CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE	K01837042	Multiple Wireshark (tshark) vulnerabilities
583678-1	CVE-2016-3115	K93532943	SSHD session.c vulnerability CVE-2016-3115
582773-5	CVE-2018-5532	K48224824	DNS server for child zone can continue to resolve domain names after revoked from parent
567233-1	CVE-2015-5252, CVE-2015-5296, CVE-2015-5299	K92616530	Multiple samba vulnerabilities
353229-2	CVE-2018-5522	K54130510	Buffer overflows in DIAMETER
656912-4	CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458	K32262483	Various NTP vulnerabilities
632875-3	CVE-2018-5516	K37442533	Non-Administrator TMSH users no longer allowed to run dig
615226-5	CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300	K13074505	Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2	CVE-2015-8325	K20911042	OpenSSH vulnerability CVE-2015-8325
655021-2	CVE-2017-3138	K23598445	BIND vulnerability CVE-2017-3138
652638-2	CVE-2016-10167	K23731034	php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
627203-1	CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597	K63427774	Multiple Oracle Java SE vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
654549-1	2-Critical		PVA support for uncommon protocols DoS vector
653729-2	2-Critical		Support IP Uncommon Protocol
653234	2-Critical		Many objects must be reconfigured before use when loading a UCS from another device.★
652094-2	2-Critical	K49190243	Improve traffic disaggregation for uncommon IP protocols
643210-2	2-Critical	K45444280	Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2	2-Critical		ARP and NDP packets should be CoS marked by the swtich on ingress
663521-2	3-Major		Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3	3-Major		IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2	3-Major		ARP and NDP packets should be QoS/DSCP marked on egress
610710-2	3-Major		Pass IP TOS bits from incoming connection to outgoing connection
584545-2	3-Major		Failure to stabilize internal HiGig link will not trigger failover event
567177-1	4-Minor		Log all attempts of key export in ltm log
650074-1	5-Cosmetic		Changed Format of RAM Cache REST Status output.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
642703-2	1-Blocking		Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
619097	1-Blocking		iControl REST slow performace on GET request for virtual servers
539093-1	1-Blocking	K26104530	VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878	2-Critical		High crypto request completion time under some workload patterns
666790-2	2-Critical	K06619044	Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2	2-Critical	K31190471	Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2	2-Critical	K61847644	An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2	2-Critical	K06245820	Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5	2-Critical		bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1	2-Critical		fsck should not run during first boot on public clouds
638997-2	2-Critical		Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5	2-Critical		Pending sector utility may write repaired sector incorrectly
624826-2	2-Critical	K36404710	mgmt bridge takes HWADDR of guest vm's tap interface
613415-2	2-Critical	K22750357	Memory leak in ospfd when distribute-list is used
609335-1	2-Critical		IPsec tmm devbuf memory leak.
604011-1	2-Critical		Sync fails when iRule or policy is in use★
595783	2-Critical		Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1	2-Critical		userDefined property for bot signatures is not shown in REST
579210-3	2-Critical	K11418051	VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10	2-Critical	K16209	Disabling interface keeps DISABLED state even after enabling
412817-3	2-Critical		BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1	3-Major		Accessing SNMP over IPv6 on non-default route domains
669818-2	3-Major	K64537114	Higher CPU usage for syslog-ng when a syslog server is down
667278-3	3-Major		DSC connections between BIG-IP units may fail to establish
667138-1	3-Major		LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
664829-1	3-Major		BIG-IP sometimes performs unnecessary reboot on first boot
662331-1	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2	3-Major	K53762147	It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2	3-Major	K21050223	Cannot specify the event parameter for redirects on the policy rule screen.
655671-1	3-Major		Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2	3-Major	K88627152	BGP last update timer incorrectly resets to 0
654011-2	3-Major	K33210520	Pool member's health monitors set to Member Specific does not display the active monitors
651155-1	3-Major		HSB continually logs 'loopback ring 0 tx not active'
650349	3-Major	K50168519	Creation or reconfiguration of iApps fails if high speed logging is configured
650002-1	3-Major		tzdata bug fix and enhancement update
649949-1	3-Major		Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
647988-3	3-Major	K15331432	HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2	3-Major		MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6	3-Major		Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1	3-Major		Extracting SSD from system leads to Emergency LCD alert★
644184-4	3-Major	K36427438	ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294	3-Major		IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
643121-1	3-Major		Failed installation volumes cannot be deleted in the GUI.
643013	3-Major		DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3	3-Major	K23241518	tmrouted may continually restart after upgrade, adding or renaming an interface★
642314-2	3-Major	K24276198	CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
638825-2	3-Major		SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1	3-Major		Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1	3-Major	K16918340	IKEv1 phase 2 SAs not deleted
631866-2	3-Major		Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4	3-Major	K54071336	GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3	3-Major		Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5	3-Major		cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
622619-5	3-Major		BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1	3-Major		VCMP guests may incorrectly obtain incorrect MAC addresses
621259-3	3-Major		Config save takes long time if there is a large number of data groups
619060	3-Major		Reduction in boot time in BIG-IP Virtual Edition platforms
612752-1	3-Major		UCS load or upgrade may fail under certain conditions.★
610442-2	3-Major	K75051412	vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
607961-1	3-Major		Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1	3-Major		Installing a new version changes the ownership of administrative users' files★
601709-2	3-Major	K02314881	I2C error recovery for BIG-IP 4340N/4300 blades
590938-3	3-Major		The CMI rsync daemon may fail to start
583475-1	3-Major		The BIG-IP may core while recompiling LTM policies
577474-3	3-Major	K35208043	Users with auditor role are unable to use tmsh list sys crypto cert
569100-1	3-Major		Virtual server using NTLM profile results in benign Tcl error
544906-2	3-Major	K07388310	Issues when using remote authentication when users have different partition access on different devices
507240-4	3-Major	K13811263	ICMP traffic cannot be disaggregated based on IP addresses
480983-4	3-Major		tmrouted daemon may core due to daemon_heartbeat
471029-2	3-Major		If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1	4-Minor		Blade family migration may fail
655314	4-Minor		When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
653225-1	4-Minor		coreutils security and bug fix update
645717	4-Minor		UCS load does not set directory owner
644975-4	4-Minor	K09554025	/var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1	4-Minor	K42882011	TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3	4-Minor		Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2	4-Minor		Cisco ethernet NIC driver
530927-8	4-Minor		Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6	4-Minor	K07298903	tmsh sys log filter is displayed in UTC time
527720-1	4-Minor		Rare 'No LopCmd reply match found' error in getLopReg
448409-1	4-Minor	K15491	'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596	5-Cosmetic		Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670011-2	1-Blocking		SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1	1-Blocking	K58146172	Connections can stall with TCP::collect iRule
659899-1	2-Critical	K10589537	Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5	2-Critical	K05052273	Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1	2-Critical		TCP analytics does not release resources under specific sequence of packets
655211-1	2-Critical		bigd crash (SIGSEGV) when running FQDN node monitors
650317-3	2-Critical		The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4	2-Critical		tmm core in iRule with unreachable remote address
648037-2	2-Critical		LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2	2-Critical	K43005132	HA standby virtual server with non-default lasthop settings may crash.
646604-5	2-Critical	K21005334	Client connection may hang when NTLM and OneConnect profiles used together
645663	2-Critical		Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2	2-Critical	K56150996	Permanent connections may be expired when endpoint becomes unreachable
643631	2-Critical	K70938130	Serverside connections on virtual servers using VDI may become zombies.
635274-1	2-Critical	K21514205	SSL::sessionid command may return invalid values
634265-2	2-Critical	K34688632	Using route pools whose members aren't directly connected may crash the TMM.
632552-2	2-Critical	K08634156	tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1	2-Critical	K42206046	Incorrect initial size of connection flow-control window
611704-5	2-Critical		tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1	2-Critical		tmrouted may crash when being restarted in debug mode
604926-3	2-Critical	K50041125	The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2	2-Critical		pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3	2-Critical	K32784801	tmm core on out of memory
583355-1	2-Critical		The TMM may crash when changing profiles associated with plugins
566071-5	2-Critical		network-HSM may not be operational on secondary slots of a standby chassis.
559030-1	2-Critical	K65244513	TMM may core during ILX RPC activity if a connflow closes before the RPC returns
677119	3-Major		HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
676471-1	3-Major		Insufficient space for core files on i11x00-series platforms
672008-1	3-Major	K22122208	NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2	3-Major		Possible uneven ephemeral port reuse.
669025-1	3-Major	K11425420	Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2	3-Major		Bigd might stall while waiting for an external monitor process to exit
666032-3	3-Major	K05145506	Secure renegotiation is set while data is not available.
663326-2	3-Major		Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2	3-Major	K10443875	L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1	3-Major		iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2	3-Major	K20228504	TCP connection fail intermittently for mirrored fastl4 virtual server
655793-1	3-Major	K04178391	SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2	3-Major	K01102467	Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2	3-Major		Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1	3-Major	K54443700	HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2	3-Major	K87541959	SAN with uppercase names result in case-sensitive match or will not match
651651-3	3-Major	K54604320	bigd can crash when a DNS response does not match the expected value
650292-2	3-Major		DNS transparent cache can return non-recursive results for recursive queries
650152-1	3-Major		Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5	3-Major	K01102467	Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137	3-Major		bigd/tmm con vCMP guests
646443-1	3-Major	K54432535	Ephemeral Node may be errantly created in bigd, causing crash
645058-3	3-Major		Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3	3-Major	K85772089	Removing pool from virtual server does not update its status
644873-2	3-Major	K97237310	ssldump can fail to decrypt captures with certain TCP segmenting
644851-2	3-Major		Websockets closes connection on receiving a close frame from one of the peers
644418-2	3-Major		Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2	3-Major	K27629542	LTM policies with more than one IP address in TCP address match may fail
643582-2	3-Major		Config load with large ssl profile configuration may cause tmm restart
641491-2	3-Major	K37551222	TMM core while running iRule LB::status pool poolname member ip port
640376-3	3-Major		STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3	3-Major	K77010072	Multiple Diameter monitors to same server ip/port may race on PID file
632001-1	3-Major		For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1	3-Major		After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6	3-Major	K65283203	tmm may be killed by sod when a hardware accelerator does not work
624805-1	3-Major		ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3	3-Major		SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622017-8	3-Major	K54106058	Performance graph data may become permanently lost after corruption.
621736-6	3-Major	K00323105	statsd does not handle SIGCHLD properly in all cases
620788-1	3-Major	K05232247	FQDN pool created with existing FQDN node has RED status
618161-1	3-Major		SSL handshake fails when clientssl uses softcard-protected key-certs.
618121	3-Major		"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
607246-10	3-Major		Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2	3-Major		Policy unable to match initial path segment when request-URI starts with "//"
602040-3	3-Major		Truncated support ID for HTTP protocol security logging profile
600614-5	3-Major		External crypto offload fails when SSL connection is renegotiated
596433-3	3-Major		Virtual with lasthop configured rejects request with no route to client.
596242-1	3-Major	K17065223	[zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595275-5	3-Major		Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4	3-Major		Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5	3-Major		SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5	3-Major	K98547701	Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1	3-Major		SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4	3-Major		[DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7	3-Major		Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1	3-Major		QinQ tag-mode can be set on unsupported platforms
668802-3	4-Minor	K83392557	GTM link graphs fail to display in the GUI
667318-3	4-Minor		BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1	4-Minor		TMM may core when running two simultaneous WebSocket collect commands
578415-2	4-Minor		Support for hardware accelerated bulk crypto SHA256 missing
513288-7	4-Minor		Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2	4-Minor		DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
620903-1	2-Critical		Decreased performance of ICMP attack mitigation.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
636541-3	1-Blocking		DNS Rapid Response filters large datagrams
667028-1	2-Critical		DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2	2-Critical		Crash related to GTM monitors with long RECV strings
663073-1	3-Major		GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1	3-Major	K81210772	GSLB Pool Member Manage page display issues and error message
655807-5	3-Major	K40341291	With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2	3-Major		Provide the ability to globally specifiy a DSCP value.
654599-1	3-Major	K74132601	The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2	3-Major		GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2	3-Major		sync_zones script increasingly consumes memory when there is network connectivity failure
626141-3	3-Major		DNSX Performance Graphs are not displaying Requests/sec"
615222-1	3-Major	K79580892	GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★
605260-1	3-Major		[GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
659969-1	4-Minor		tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3	4-Minor		Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1	4-Minor		Pagination controls missing for GSLB pool members

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
653014-1	2-Critical		Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name
652200-1	2-Critical	K81349220	Failure to update ASM enforcer about account change.
651001-1	2-Critical		massive prints in tmm log: "could not find conf for profile crc"
638629-2	2-Critical		Bot can be classified as human
619110-1	2-Critical		Slow to delete URLs, CPU spikes with Automatic Policy Builder
672695-1	3-Major		Internal perl process listening on all interfaces when ASM enabled
665905	3-Major	K83305000	Signature System corruption from specific ASU prevents ASU load after upgrade
664930-2	3-Major		Policy automatic learning mode changes to manual after failover
655617-1	3-Major	K36442669	Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
650081-1	3-Major	K53010710	FP feature causes the blank page/delay on IE11
648617	3-Major	K23432927	JavaScript challenge repeating in loop when URL has path parameters
644855-2	3-Major		irules with commands which may suspend processing cannot be used with proactive bot defense
631444-2	3-Major		Bot Name for ASM Search Engines is case sensitive
630356-1	3-Major		JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
628351-1	3-Major		Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
618656-2	3-Major		JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
606521-1	3-Major		Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
605616-1	3-Major		Creating 256 Fundamental Security policies will result in an out of memory error
602975-1	3-Major		Unable to update the HTTP URL's "Header-Based Content Profiles" values
596685-1	3-Major	K76841626	Request Log failure on request with XML format violation
595900-4	3-Major	K11833633	Cookie Signature overrides may be ignored after Signature Update
563727-1	3-Major		Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
534247-1	3-Major		Issue a Body in Get sub violation for GET request with content type header
519612-1	3-Major		JavaScript challenge fails when coming within iframe with different domain than main page

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
604191-1	2-Critical		AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★
629573-1	3-Major	K66001885	No drill-down filter for virtual-servers is mentioned on exported reports when using partition
603875-2	3-Major		The statistic ASM memory Utilization - bd swap size: stats are wrong
601536-1	3-Major		Analytics load error stops load of configuration★
639395-2	4-Minor	K91614278	AVR does not display 'Max read latency' units.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
647108-1	1-Blocking		Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
679235-5	2-Critical		Inspection Host NPAPI Plugin for Safari can not be installed
669341	2-Critical		Category Lookup by Subject.CN will result in a reset
666454-2	2-Critical	K05520115	Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
663506-7	2-Critical	K30533350	apmd crash during ldap cache initialization
652004-2	2-Critical	K45320415	Show /apm access-info all-properties causes memory leaks in tmm
662639-2	3-Major		Policy Sync fails when policy object include FIPS key
659371-2	3-Major	K54310201	apmd crashes executing iRule policy evaluate
658852-5	3-Major		Empty User-Agent in iSessions requests from APM client on Windows
654513-6	3-Major	K11003951	APM daemon crashes when the LDAP query agent returns empty in its search results.
649929-1	3-Major		saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
648053-1	3-Major	K94477320	Rewrite plugin may crash on some JavaScript files
646928-1	3-Major		Landing URI incorrect when changing URI
645684-2	3-Major		Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
618957-1	3-Major		Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
601919-2	3-Major		Custom categories and custom url filter assignment must be specific to partition instead of global lookup
583272-2	3-Major		"Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
580567-1	3-Major		LDAP Query agent failed to resolve nested group membership
551795-1	3-Major		Portal Access: corrections to CORS support for XMLHttpRequest
550547-2	3-Major		URL including a "token" query fails results in a connection reset

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
664535-1	2-Critical		Diameter failure: load balancing fails when all pool members use same IP Address
640407-1	2-Critical		Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
568545-2	2-Critical	K17124802	iRules commands that refer to a transport-config will fail validation
559953-1	2-Critical		tmm core on long DIAMETER::host value
662364-2	3-Major		MRF DIAMETER: IP ToS not passing through with DIAMETER
644946-2	3-Major	K05053251	Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation
644565-1	3-Major		MRF Message metadata lost when routing message to a connection on a different TMM
634078-2	3-Major		MRF: Routing using a virtual with SNAT set to none may select a source port of zero
624155-2	3-Major		MRF Per-Client mode connections unable to return responses if used by another client connection
620929-4	3-Major		New iRule command, MR::ignore_peer_port
651640-3	4-Minor		queue full dropped messages incorrectly counted as responses

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670400-3	2-Critical		SSH Proxy public key authentication can be circumvented in some cases
655470	2-Critical	K79924625	IP Intelligence logging publisher removal can cause tmm crash
618902-4	3-Major		PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
658261-2	2-Critical	K12253471	TMM core after HA during GY reporting
658148-2	2-Critical	K23150504	TMM core after intra-chassis failover for some instances of subscriber creation
657632-4	2-Critical		Rarely if a subscriber delete is performed following HA switchover, tmm may crash
653285-1	2-Critical		PEM rule deletion with HSL reporting may cause tmm coredump
652973-2	2-Critical		Coredump observed at system bootup time when many DHCP packets arrive
650422-2	2-Critical		TMM core after a switchover involving GY quota reporting
659567-1	3-Major	K94685557	iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-3	3-Major		PEM:sessions iRule made the order of parameters strict
635257-2	3-Major	K41151808	Inconsistencies in Gx usage record creation.
623037-2	3-Major		delete of pem session attribute does not work after a update

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
676808-2	2-Critical		FPS: tmm may crash on response with large payload from server
669364-1	2-Critical		TMM core when server responds fast with server responses such as 404.
669359	2-Critical		WebSafe might cause connections to hang
674931	3-Major		FPS modified responses/injections might result in a corrupted response
674909-3	3-Major		Application CSS injection might not work as expected when connection is congested
667872-1	3-Major		Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
658321-2	3-Major		Websafe features might break in IE8
657502-2	3-Major		JS error when leaving page opened for several minutes
644694	3-Major		FPS security update check ends up with an empty page when error occurs.
618185-1	3-Major		Mismatch in URL CRC32 calculation
643602-2	4-Minor		'Select All' checkbox selects items on hidden pages

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
605123-1	2-Critical		IAppLX objects fail to sync after establishing HA in auto-sync mode★

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
606316-4	1-Blocking		HTTPS request to F5 licensing server fails
665778-1	2-Critical	K34503519	Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
599424-2	2-Critical		iApps LX fails to sync★
632060-1	4-Minor		restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
693211-3	CVE-2017-6168	K21905460	CVE-2017-6168

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
664063-1	2-Critical	K03203976	Azure displays failure for deployment of BIG-IP from a Resource Manager template

Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
652151-1	CVE-2017-6131	K61757346	Azure VE: Initialization improvement
623885-4	CVE-2016-9251	K41107914	Internal authentication improvements
621371-2	CVE-2016-9257	K43523962	Output Errors in APM Event Log
648865-2	CVE-2017-6074	K82508682	Linux kernel vulnerability: CVE-2017-6074
643187-2	CVE-2017-3135	K80533167	BIND vulnerability CVE-2017-3135
641445-1	CVE-2017-6145	K22317030	iControl improvements
641360-2	CVE-2017-0303	K30201296	SOCKS proxy protocol error
641256-1	CVE-2016-9257	K43523962	APM access reports display error
636702-3	CVE-2016-9444	K40181790	BIND vulnerability CVE-2016-9444
636699-5	CVE-2016-9131	K86272821	BIND vulnerability CVE-2016-9131
631582	CVE-2016-9250	K55792317	Administrative interface enhancement
630475-5	CVE-2017-6162	K13421245	TMM Crash
628836-4	CVE-2016-9245	K22216037	TMM crash during request normalization
626360	CVE-2017-6163	K22541983	TMM may crash when processing HTTP2 traffic
624570-1	CVE-2016-8864	K35322517	BIND vulnerability CVE-2016-8864
624526-3	CVE-2017-6159	K10002335	TMM core in mptcp
624457-5	CVE-2016-5195	K10558632	Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
623093-1	CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320	K38871451	TIFF vulnerability CVE-2015-7554
620400-1	CVE-2017-6141	K21154730	TMM crash during TLS processing
610255-1	CVE-2017-6161	K62279530	CMI improvement
596340-8	CVE-2016-9244	K05121675	F5 TLS vulnerability CVE-2016-9244
580026-5	CVE-2017-6165	K74759095	HSM logging error
648879-2	CVE-2016-6136 CVE-2016-9555	K90803619	Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2	CVE-2017-0302	K87141725	APM crash
638137	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828	K51201255	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
635412	CVE-2017-6137	K82851041	Invalid mss with fast flow forwarding and software syn cookies
635252-1	CVE-2016-9256	K47284724	CVE-2016-9256
631688-7	CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433	K55405388 K87922456 K63326092 K51444934 K80996302	Multiple NTP vulnerabilities
630150-1	CVE-2016-9253	K51351360	Websockets processing error
627916-1	CVE-2017-6144	K81601350	Improve cURL Usage
627907-1	CVE-2017-6143	K11464209	Improve cURL usage
627747-1	CVE-2017-6142	K20682450	Improve cURL Usage
625372-5	CVE-2016-2179	K23512141	OpenSSL vulnerability CVE-2016-2179
623119	CVE-2016-4470	K55672042	Linux kernel vulnerability CVE-2016-4470
622496	CVE-2016-5829	K28056114	Linux kernel vulnerability CVE-2016-5829
622126-1	CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127	K54308010	PHP vulnerability CVE-2016-7124
621337-6	CVE-2016-7469	K97285349	XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
615267-2	CVE-2016-2183	K13167034	OpenSSL vulnerability CVE-2016-2183
613225-7	CVE-2016-2180, CVE-2016-6306, CVE-2016-6302	K90492697	OpenSSL vulnerability CVE-2016-6306
606710-10	CVE-2016-2834 CVE-2016-5285 CVE-2016-8635	K15479471	Mozilla NSS vulnerability CVE-2016-2834
605420-5	CVE-2016-5387, CVE-2007-6750	K80513384	httpd security update - CVE-2016-5387
600232-9	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
600223-2	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
599858-7	CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240	K68785753	ImageMagick vulnerability CVE-2015-8898
635933-3	CVE-2004-0790	K23440942	The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4	CVE-2016-6161	K71581599	libgd vulnerability CVE-2016-6161
622662-7	CVE-2016-6306	K90492697	OpenSSL vulnerability CVE-2016-6306
617901-1	CVE-2018-5525	K00363258	GUI to handle file path manipulation to prevent GUI instability.
609691-1	CVE-2014-4617	K21284031	GnuPG vulnerability CVE-2014-4617
600205-9	CVE-2016-2178	K53084033	OpenSSL Vulnerability: CVE-2016-2178
600198-2	CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216	K53084033	OpenSSL vulnerability CVE-2016-2178
599285-2	CVE-2016-5094 CVE-2016-5095 CVE-2016-5096	K51390683	PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10	CVE-2016-2178	K53084033	OpenSSL vulnerability CVE-2016-2178
621937-1	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
621935-6	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
606771-2	CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297	K35799130	Multiple PHP vulnerabilities
601268-5	CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094	K43267483	PHP vulnerability CVE-2016-5766

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
653453	2-Critical		ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
628972-2	2-Critical		BMC version 2.51.7 for iSeries appliances
624831-2	2-Critical		BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1	2-Critical		BMC version 2.50.3 for iSeries appliances
633723-3	3-Major		New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1	3-Major		GUI Error trying to modify IP Data-Group
609614-3	3-Major		Yafuflash 4.25 for iSeries appliances
597797-4	3-Major	K78449695	Allow users to disable enforcement of RFC 7057
584471-1	3-Major	K34343741	Priority order of clientssl profile selection of virtual server.
581840-5	3-Major	K46576869	Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
564876-2	3-Major		New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2	4-Minor	K03808942	Max number of chunks not configurable above 1000 chunks
597270-2	4-Minor		tcpdump support missing for VXLAN-GPE NSH

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
655500	1-Blocking		Rekey SSH sessions after one hour
642058-1	1-Blocking		CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5	1-Blocking	K00216423	Backslash removal in LTM monitors after upgrade
627433-1	1-Blocking		HSB transmitter failure on i2x00 and i4x00 platforms
602830-1	1-Blocking		BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
648056-2	2-Critical	K16503454	bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805	2-Critical	K92637255	LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses
641248	2-Critical		IPsec-related tmm segfault
641013-5	2-Critical		GRE tunnel traffic pinned to one TMM
638935-3	2-Critical		Monitor with send/receive string containing double-quote may cause upgrade to fail.★
636918-2	2-Critical		Fix for crash when multiple tunnels use the same traffic selector
636290	2-Critical		vCMP support for B4450 blade
627898-2	2-Critical	K53050234	tmm leaks memory in the ECM subsystem
625824-1	2-Critical		iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4	2-Critical		iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response
618779-1	2-Critical		Route updates during IPsec tunnel setup can cause tmm to restart
616059-1	2-Critical	K19545861	Modifying license.maxcores Not Allowed Error
614296-1	2-Critical		Dynamic routing process ripd may core
613536-5	2-Critical		tmm core while running the iRule STATS:: command
610295-1	2-Critical	K32305923	TMM may crash due to internal backplane inconsistency after reprovisioning
583516-2	2-Critical		tmm ASSERT's "valid node" on Active, after timer fire..
567457-2	2-Critical		TMM may crash when changing the IKE peer config.
652484-2	3-Major		tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2	3-Major		qkview improvement for OVSDB management
648544-5	3-Major	K75510491	HSB transmitter failure may occur when global COS queues enabled
646760	3-Major		Common Criteria Mode Disrupts Administrative SSH Access
644892-1	3-Major		Files captured multiple times in qkview
644490-1	3-Major		Finisar 100G LR4 values need to be revised in f5optics
637559-1	3-Major		Modifying iRule online could cause TMM to be killed by SIGABRT
636535	3-Major	K24844444	HSB lockup in vCMP guest doesn't generate core file
635961-1	3-Major		gzipped and truncated files may be saved in qkview
635129	3-Major		Chassis systems in HA configuration become Active/Active during upgrade★
635116-1	3-Major	K34100550	Memory leak when using replicated remote high-speed logging.
634115-1	3-Major		Not all topology records may sync.
633879-1	3-Major	K52833014	Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1	3-Major	K20160253	HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1	3-Major		IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4	3-Major		Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1	3-Major		tmm crash possible if high-speed logging pool member is deleted and reused
630610-5	3-Major	K43762031	BFD session interface configuration may not be stored on unit state transition
630546-1	3-Major		Very large core files may cause corrupted qkviews
629499-9	3-Major		tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1	3-Major	K55278069	Any CSS content truncated at a quoted value leads to a segfault
628202-4	3-Major		Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3	3-Major	K20766432	OSPF with multiple processes may incorrectly redistribute routes
628009-1	3-Major		f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3	3-Major	K15130343	nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1	3-Major		Unbundled 40GbE optics reporting as Unsupported Optic
627214-3	3-Major		BGP ECMP recursive default route not redistributed to TMM
626839	3-Major		sys-icheck error for /var/lib/waagent in Azure.
626721-5	3-Major		"reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2	3-Major		SELinux: snmpd is denied access to tmstat files
625085	3-Major		lasthop rmmod causes kernel panic
624361-1	3-Major		Responses to some of the challenge JS are not zipped.
623930-3	3-Major		vCMP guests with vlangroups may loop packets internally
623401-1	3-Major		Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4	3-Major		After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
623055-1	3-Major		Kernel panic during unic initialization
622183-5	3-Major		The alert daemon should remove old log files but it does not.
621909-4	3-Major	K23562314	Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1	3-Major		DSR tunnels with transparent monitors may cause TMM crash.
620659-3	3-Major		The BIG-IP system may unecessarily run provisioning on successive reboots
620366-4	3-Major		Alertd can not open UDP socket upon restart
617628-1	3-Major		SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1	3-Major		Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1	3-Major		Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3	3-Major		Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1	3-Major		Bootup script fails to run on on a vCMP guest due to a missing reference file.
611658-3	3-Major		"less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1	3-Major		AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3	3-Major		vCMP: VLAN failsafe does not trigger on guest
610417-1	3-Major	K54511423	Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7	3-Major		Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3	3-Major		iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response
604727-1	3-Major		Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★
604237-3	3-Major		Vlan allowed mismatch found error in VCMP guest
604061-2	3-Major		Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1	3-Major		qkview excludes files
598498-7	3-Major		Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1	3-Major		Stats query may generate an error when tmm on secondary is down
596067-2	3-Major		GUI on VIPRION hangs on secondary blade reboot
590211-2	3-Major		jitterentropy-rngd quietly fails to start
583754-7	3-Major		When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1	3-Major		Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
562928-2	3-Major		Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5	3-Major		High Speed Logging to specific destinations stops from individual TMMs
557471-3	3-Major		LTM Policy statistics showing zeros in GUI
543208-1	3-Major		Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
534520-1	3-Major		qkview may exclude certain log files from /var/log
424542-5	3-Major		tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2	3-Major		Update/overwrite of FIPS keys error
643404-2	4-Minor	K30014507	'tmsh system software status' does not display properly in a specific cc-mode situation★
636520-3	4-Minor	K88813435	Detail missing from power supply 'Bad' status log messages
633181-1	4-Minor		A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5	4-Minor		When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3	4-Minor		Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2	4-Minor		Timezone data on AOM not syncing with host
609107-1	4-Minor		mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
599191-2	4-Minor		One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2	4-Minor	K20937139	ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1	4-Minor		Traffic Group score formula does not result in unique values.
541550-3	4-Minor		Defining more than 10 remote-role groups can result in authentication failure
541320-10	4-Minor	K50973424	Sync of tunnels might cause restore of deleted tunnels.
500452-8	4-Minor	K28520025	PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2	5-Cosmetic		SSD Manufacturer "unavailable"
524277-2	5-Cosmetic		Missing power supplies issue warning message that should be just a notice message.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
651476	2-Critical		bigd may core on non-primary bigd when FQDN in use
648715-2	2-Critical		BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2	2-Critical	K34553627	Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2	2-Critical		Path MTU discovery occasionally fails
640352-2	2-Critical	K01000259	Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1	2-Critical	K84228882	Memory leak in STREAM::expression iRule
637181-4	2-Critical		VIP-on-VIP traffic may stall after routing updates
632685	2-Critical		bigd memory leak for FQDN nodes on non-primary bigd instance
630306-1	2-Critical		TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1	2-Critical		External datagroups with no metadata can crash tmm
628890-1	2-Critical		Memory leak when modifying large datagroups
627403-2	2-Critical		HTTP2 can can crash tmm when stats is updated on aborting of a new connection
626311-2	2-Critical	K75419237	Potential failure of DHCP relay functionality credits to incorrect route lookup.
625198-1	2-Critical		TMM might crash when TCP DSACK is enabled
622856-1	2-Critical		BIG-IP may enter SYN cookie mode later than expected
621870-2	2-Critical		Outage may occur with VIP-VIP configurations
619663-3	2-Critical	K49220140	Terminating of HTTP2 connection may cause a TMM crash
619528-4	2-Critical		TMM may accumulate internal events resulting in TMM restart
619071-3	2-Critical		OneConnect with verified accept issues
614509-1	2-Critical		iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1	2-Critical		TMM crashes when SSL forward proxy is enabled.
608304-1	2-Critical	K55292305	TMM crash on memory corruption
603667-2	2-Critical		TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3	2-Critical		Ephemeral pool members are getting deleted/created over and over again.
602136-5	2-Critical		iRule drop/discard/reject commands causes tmm segfault or still sends 3-way handshake to the server.
601828-1	2-Critical	K13338433	An untrusted certificate can cause tmm to crash.
600982-5	2-Critical		TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2	2-Critical		TMM may crash in bigtcp due to null pointer dereference
597828-1	2-Critical		SSL forward proxy crashes in some cases
596450-1	2-Critical		TMM may produce a core file after updating SSL session ticket key
594642-3	2-Critical		Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1	2-Critical	K42175594	MPTCP or SSL traffic handling may cause a BIG-IP outage
557358-5	2-Critical		TMM SIGSEGV and crash when memory allocation fails.
423629-3	2-Critical	K08454006	bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
653201	3-Major		Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
651106	3-Major		memory leak on non-primary bigd with changing node IPs
649571-1	3-Major		Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990	3-Major		Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4	3-Major	K51064420	DNSSEC key generations fail with lots of invalid SSL traffic
632324-2	3-Major		PVA stats does not show correct connection number
629412-3	3-Major		BIG-IP closes a connection when a maximum size window is attempted
627246-1	3-Major	K09336400	TMM memory leak when ASM policy configured on virtual server
626386-1	3-Major	K28505256	SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3	3-Major		LTM Policy with illegal rule name loses its conditions and actions during upgrade★
625106-2	3-Major		Policy Sync can fail over a lossy network
624616-1	3-Major		Safenet uninstall is unable to remove libgem.so
620625-2	3-Major	K38094257	Changes to the Connection.VlanKeyed DB key may not immediately apply
620079-3	3-Major		Removing route-domain may cause monitors to fail
619849-4	3-Major		In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2	3-Major		iRules LX data not included in qkview
618428	3-Major		iRules LX - Debug mode does not function in dedicated mode
618254-4	3-Major		Non-zero Route domain is not always used in HTTP explicit proxy
617858-2	3-Major		bigd core when using Tcl monitors
616022-2	3-Major	K46530223	The BIG-IP monitor process fails to process timeout conditions
613326-1	3-Major		SASP monitor improvements
612694-5	3-Major		TCP::close with no pool member results in zombie flows
610429-5	3-Major		X509::cert_fields iRule command may memory with subpubkey argument
610302-1	3-Major		Link throughput graphs might be incorrect.
609244-4	3-Major		tmsh show ltm persistence persist-records leaks memory
608551-3	3-Major		Half-closed congested SSL connections with unclean shutdown might stall.
607152-1	3-Major		Large Websocket frames corrupted
604496-4	3-Major		SQL (Oracle) monitor daemon might hang.
603979-4	3-Major		Data transfer from the BIG-IP system self IP might be slow
603723-2	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1	3-Major	K63164073	Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8	3-Major	K21220807	Stuck Nitrox crypto queue can erroneously be reported
600593-1	3-Major		Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1	3-Major		GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
599121-2	3-Major	K24036315	Under heavy load, hardware crypto queues may become unavailable.
592871-3	3-Major		Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3	3-Major		TMM crash in DNS processing on TCP virtual with no available pool members
589400-1	3-Major	K33191529	With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
586738-4	3-Major		The tmm might crash with a segfault.
584310-1	3-Major	K83393638	TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-6	3-Major		Fragmented packets may cause tmm to core under heavy load
582769-1	3-Major	K99405272	WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1	3-Major		HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4	3-Major		Syncookie mode is activated on wildcard virtuals
562267-3	3-Major		FQDN nodes do not support monitor alias destinations.
517756-6	3-Major		Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5	3-Major		BIG-IP FastL4 profile vulnerability
419741-3	3-Major		Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4	3-Major	K03005026	Route lookup after change in route table on established flow ignores pool members
660170-1	4-Minor	K28505910	tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1	4-Minor	K32107573	Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1	4-Minor	K61255401	bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
611161-3	4-Minor	K28540353	VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1	4-Minor	K77283304	LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1	4-Minor	K27491104	Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5	4-Minor		Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
621115-1	2-Critical		IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
642039-2	2-Critical	K20140595	TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2	2-Critical	K67622400	iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
642330-2	3-Major		GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
640903-1	3-Major		Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4	3-Major	K40256229	DNS::query can cause tmm crash if AXFR/IXFR types specified.
629530-2	3-Major	K53675033	Under certain conditions, monitors do not time out.
628897-1	3-Major		Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4	3-Major		The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1	3-Major		Response Policy Zones can trigger even after entry removed from zone
624193-2	3-Major		Topology load balancing not working as expected
623023-1	3-Major		Unable to set DNS Topology Continent to Unknown via GUI
621239-2	3-Major		Certain DNS queries bypass DNS Cache RPZ filter.
620215-5	3-Major		TMM out of memory causes core in DNS cache
619398-7	3-Major		TMM out of memory causes core in DNS cache
612769-1	3-Major	K33842313	Hard to use search capabilities on the Pool Members Manage page.
601180-2	3-Major	K73505027	Link Controller base license does not allow DNS namespace iRule commands.★
567743-2	3-Major	K70663134	Possible gtmd crash under certain conditions.
557434-4	3-Major		After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1	5-Cosmetic		Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
646511-1	2-Critical		BD crashes repeatedly after interrupted roll-forward upgrade★
636397-1	2-Critical		bd cores when persistent storage configuration and under some memory conditions.
634001-2	2-Critical		ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1	2-Critical		crash with wrong ceritifcate in WSS
625783-1	2-Critical		Chassis sync fails intermittently due to sync file backlog
618771-1	2-Critical		Some Social Security Numbers are not being masked
601378-2	2-Critical		Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3	2-Critical		BD daemon crashes unexpectedly
540928-1	2-Critical		Memory leak due to unnecessary logging profile configuration updates.
640824-1	3-Major	K20770267	Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
635754-1	3-Major	K65531575	Wildcard URL pattern match works inncorectly in Traffic Learning
632344-2	3-Major		POP DIRECTIONAL FORMATTING causes false positive
632326-2	3-Major	K52814351	relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1	3-Major	K61367823	ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1	3-Major	K69767100	Attack signature exception list upload times-out and fails
627360-1	3-Major		Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
626438-1	3-Major		Frame is not showing in the browser and/ or an error appears
625832-4	3-Major		A false positive modified domain cookie violation
622913-2	3-Major		Audit Log filled with constant change messages
621524-2	3-Major		Processing Timeout When Viewing a Request with 300+ Violations
620635-2	3-Major		Request having upper case JSON login parameter is not detected as a failed login attempt
614563-3	3-Major		AVR TPS calculation is inaccurate
611151-2	3-Major		An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245	3-Major		Reporting missing parameter details when attack signature is matched against parameter value
583024-1	3-Major		TMM restart rarely during startup
581406-1	3-Major		SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4	3-Major		Information missing from ASM event logs after a switchboot and switchboot back
576591-6	3-Major		Support for some future credit card number ranges
572885-1	3-Major		Policy automatic learning mode changes to manual after failover
392121-3	3-Major		TMSH Command to retrieve the memory consumption of the bd process
642874-1	4-Minor	K15329152	Ready to be Enforced filter for Policy Signatures returns too many signatures

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
634215-1	2-Critical		False detection of attack after restarting dosl7d
573764-1	2-Critical		In some cases, only primary blade retains it's statistics after upgrade on multi bladed system
642221-2	3-Major		Incorrect entity is used when exporting TCP analytics from GUI
641574	3-Major	K06503033	AVR doesn't report on virtual and client IP in DNS statistics
635561-1	3-Major		Heavy URLs statistics are not shown after upgrade.
631722	3-Major		Some HTTP statistics not displayed after upgrade
631131-3	3-Major		Some tmstat-adapters based reports stats are incorrect
605010-1	3-Major		Thrift::TException error
560114-6	3-Major		Monpd is being affected by an I/O issue which makes some of its threads freeze

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
645339-2	1-Blocking		TMM may crash when processing APM data
637308-8	2-Critical	K41542530	apmd may crash when HTTP Auth agent is used in an Access Policy
632005-1	2-Critical		BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2	2-Critical		Edge client can fail to upgrade when always connected is selected
617310-2	2-Critical		Edge client can fail to upgrade when Always Connected is selected★
614322-1	2-Critical	K31063537	TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608424-2	2-Critical		Dynamic ACL agent error log message contains garbage data
608408-2	2-Critical		TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1	2-Critical		CATEGORY::filetype command may cause tmm to crash and restart
643547-1	3-Major	K43036745	APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
638799-1	3-Major		Per-request policy branch expression evaluation fails
638780-3	3-Major		Handle 302 redirects for VMware Horizon View HTML5 client
636044-1	3-Major	K68018520	Large number of glob patterns affects custom category lookup performance
634576	3-Major	K48181045	TMM core in per-request policy
634252	3-Major	K99114539	TMM crash with per-request policy in SWG explicit
632504-1	3-Major	K31277424	APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1	3-Major	K70551821	APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1	3-Major		Frequently logged "Silent flag set - fail" messages
632386-1	3-Major		EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1	3-Major	K35254214	Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2	3-Major		Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.
629698-1	3-Major		Edge client stuck on "Initializing" state
629069-2	3-Major		Portal Access may delete scripts from HTML page in some cases
628687-2	3-Major		Edge Client reconnection issues with captive portal
628685-2	3-Major	K79361498	Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2	3-Major	K11327511	Unable to save advanced customization when using Exchange iApp
627059-1	3-Major		In some rare cases TMM may crash while handling VMware View client connection
626910-1	3-Major		Policy with assigned SAML Resource is exported with error
625474-1	3-Major		POST request body is not saved in session variable by access when request is sent using edge client
625159-1	3-Major		Policy sync status not shown on standby device in HA case
624966-2	3-Major		Edge client starts new APM session when Captive portal session expire
623562-3	3-Major		Large POSTs rejected after policy already completed
622790-1	3-Major		EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4	3-Major		OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-4	3-Major		Skype For Business thick client shows javascript errors when rendering APM logon page
621447-1	3-Major		In some rare cases, VDI may crash
621210-2	3-Major		Policy sync shows as aborted even if it is completed
621126-2	3-Major		Import of config with saml idp connector with reuse causes certificate not found error
620829-2	3-Major	K34213161	Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3	3-Major		Access Policy is not able to check device posture for Android 7 devices
620614-4	3-Major		Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1	3-Major		HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2	3-Major		Machine Cert OCSP check fails with multiple Issuer CA
619486-3	3-Major		Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2	3-Major		Browser may hang at APM session logout
618170-3	3-Major		Some URL unwrapping functions can behave bad
617063-1	3-Major		After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1	3-Major		SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3	3-Major		Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1	3-Major		SSO logging level may cause failover
615254-2	3-Major		Network Access Launch Application item fails to launch in some cases
612419-1	3-Major		APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611968-3	3-Major		JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4	3-Major		Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2	3-Major		SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
597214-5	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1	3-Major		Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,
595272-1	3-Major		Edge client may show a windows displaying plain text in some cases
591246-1	3-Major		Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1	3-Major		JavaScript: 'baseURI' property may be handled incorrectly
570217-2	3-Major		BIG-IP APM now uses Airwatch v2 API to retreive device posture information
533956-3	3-Major	K30515450	Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4	3-Major		Microsoft WebService HTML component does not work after rewriting
640521-1	4-Minor		EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2	4-Minor		Cannot reinitiate a sync on a target device when sync is completed
618404-1	4-Minor		Access Profile copying might be invalid if policies are named series of names.
606257-3	4-Minor	K56716107	TCP FIN sent with Connection: Keep-Alive header for webtop page resources

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
630661-2	3-Major	K30241432	WAM may leak memory when a WAM policy node has multiple variation header rules

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
644970-1	2-Critical		Editing a virtual server config loses SSL encryption on iSession connections
644489-1	3-Major	K14899014	Unencrypted iSession connection established even though data-encrypt configured in profile

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
639236-1	2-Critical	K66947004	Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3	2-Critical		TMM cores in iRule when accessing a SIP header that has no value
569316-1	2-Critical		Core occurs on standby in MRF when routing to a route using a transport config
649933-1	3-Major		Fragmented RADIUS messages may be dropped
629663-1	3-Major	K23210890	CGNAT SIP ALG will drop SIP INVITE
625542-1	3-Major		SIP ALG with Translation fails for REGISTER refresh.
625098-3	3-Major		SCTP::local_port iRule not supported in MRF events
601255-4	3-Major		RTSP response to SETUP request has incorrect client_port attribute

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
632731-2	2-Critical	K21964367	specific external logging configuration can cause TMM service restart
628623-1	2-Critical		tmm core with AFM provisioned
639193-1	3-Major	K03453591	BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.
631025-1	3-Major		500 internal error on inline rule editor for certain firewall policies
610129-3	3-Major	K43320840	Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5	3-Major		tmm core on the standby unit with dos vectors configured
590805-4	3-Major		Active Rules page displays a different time zone.
431840-3	3-Major		Cannot add vlans to whitelist if they contain a hyphen

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
627257-2	2-Critical		Potential PEM crash during a Gx operation
626851-2	2-Critical	K37665112	Potential crash in a multi-blade chassis during CMP state changes.
624744-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624733-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624228-1	2-Critical		Memory leak when using insert action in pem rule and flow gets aborted
623922-5	2-Critical	K64388805	TMM failure in PEM while processing Service-Provider Disaggregation
641482-2	3-Major		Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-3	3-Major		BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2	3-Major		Session Creation failure after HA
635233-3	3-Major	K80902149	Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1	3-Major	K84324392	PEM module crash when subscriber not fund
627798-3	3-Major		Buffer length check for quota bucket objects
627279-2	3-Major		Potential crash in a multi-blade chassis during CMP state changes.
623927-2	3-Major	K41337253	Flow entry memory leaked after DHCP DORA process
564281-3	3-Major		TMM (debug) assert seen during Failover with Gy
628869-4	4-Minor		Unconditional logs seen due to the presence of a PEM iRule.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
609788	2-Critical		PCP may pick an endpoint outside the deterministic mapping
642284	3-Major		Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2	3-Major		FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
639750-1	2-Critical		username aliases are not supported
636370	3-Major		Application Layer Encryption AJAX support
629627-1	3-Major		FPS Log Publisher is not grouped nor filtered by partition
629127-1	3-Major		Parent profiles cannot be saved using FPS GUI
628348-1	3-Major		Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1	3-Major		Forcing a single injected tag configuration is restrictive
625275-1	3-Major		Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1	3-Major		Unable to add multiple User-Defined alerts with the same search category
623518-1	3-Major		Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2	3-Major		Pages using Angular may hang when Websafe is enabled
635541	4-Minor		"Application CSS Locations" is not inherited if changing parent profile

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
625172-1	2-Critical		tmm crashes when classification is enabled and ftp traffic is flowing trough the box
631472-1	3-Major		Reseting classification signatures to default may result in non-working configuration

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
606518-3	2-Critical	K00762373	iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username.
642983-1	3-Major	K94534313	Update to max message size limit doesn't work sometimes
629845-2	3-Major		Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2	3-Major		Unable to set maxMessageBodySize in iControl REST after upgrade★

Cumulative fixes from BIG-IP v12.1.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
618306-2	CVE-2016-9247	K33500120	TMM vulnerability CVE-2016-9247
616864-1	CVE-2016-2776	K18829561	BIND vulnerability CVE-2016-2776
613282-2	CVE-2016-2086, CVE-2016-2216, CVE-2016-1669	K15311661	NodeJS vulnerability CVE-2016-2086
611469-3	CVE-2016-7467	K95444512	Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2	CVE-2016-9252	K46535047	Improper handling of IP options
591328-7	CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109	K36488941	OpenSSL vulnerability CVE-2016-2106
591325-8	CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109	K75152412	OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-17	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K23230229	OpenSSL vulnerabilities
560109-7	CVE-2017-6160	K19430431	Client capabilities failure
618549-1	CVE-2016-9249	K71282001	Fast Open can cause TMM crash CVE-2016-9249
618263-1	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
614147-1	CVE-2017-6157	K02692210	SOCKS proxy defect resolution
614097-1	CVE-2017-6157	K02692210	HTTP Explicit proxy defect resolution
607314-1	CVE-2016-3500 CVE-2016-3508	K25075696	Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3	CVE-2016-2775	K92991044	lwresd and bind vulnerability CVE-2016-2775
601059-6	CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449	K14614344	libxml2 vulnerability CVE-2016-1840
599536-1	CVE-2017-6156	K05263202	IPsec peer with wildcard selector brings up wrong phase2 SAs
597023-1	CVE-2016-4954	K82644737	NTP vulnerability CVE-2016-4954
595242-1	CVE-2016-3705	K54225343	libxml2 vulnerabilities CVE-2016-3705
595231-1	CVE-2016-3627	K54225343	libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1	CVE-2016-4539	K35240323	PHP Vulnerability CVE-2016-4539
593447-1	CVE-2016-5024	K92859602	BIG-IP TMM iRules vulnerability CVE-2016-5024
592485	CVE-2015-5157 CVE-2015-8767	K17326	Linux kernel vulnerability CVE-2015-5157
592001-1	CVE-2016-4071 CVE-2016-4073	K64412100	CVE-2016-4073 PHP vulnerabilities
591455-7	CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518	K24613253	NTP vulnerability CVE-2016-2516
591447-1	CVE-2016-4070	K42065024	PHP vulnerability CVE-2016-4070
591358-1	CVE-2016-3425 CVE-2016-0695 CVE-2016-3427	K81223200	Oracle Java SE vulnerability CVE-2016-3425
585424-1	CVE-2016-1979	K20145801	Mozilla NSS vulnerability CVE-2016-1979
580747-1	CVE-2016-0739	K57255643	libssh vulnerability CVE-2016-0739
557190-3	CVE-2017-6166	K65615624	'packet_free: double free!' tmm core
597010-1	CVE-2016-4955	K03331206	NTP vulnerability CVE-2016-4955
596997-1	CVE-2016-4956	K64505405	NTP vulnerability CVE-2016-4956
591767-8	CVE-2016-1547	K11251130	NTP vulnerability CVE-2016-1547
591438-7	CVE-2015-8865	K54924436	PHP vulnerability CVE-2015-8865
575629-3	CVE-2015-8139	K00329831	NTP vulnerability: CVE-2015-8139
573343-1	CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158	K01324833	NTP vulnerability CVE-2015-8158

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
615377-3	3-Major		Unexpected rate limiting of unreachable and ICMP messages for some addresses.
590122-2	3-Major		Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2	3-Major		Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7	3-Major		krb5.conf file is not synchronized between blades and not backed up
541549-2	3-Major		AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3	3-Major		OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1	3-Major	K8940	System continues to process virtual server traffic after disabling virtual address
225634-1	3-Major		The rate class feature does not honor the Burst Size setting.
599839-3	4-Minor		Add new keyords to SIP::persist command to specify how Persistence table is updated
591733-4	4-Minor	K83175883	Save on Auto-Sync is missing from the configuration utility.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
625784	1-Blocking		TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
617622	1-Blocking		In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422	2-Critical		i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1	2-Critical		Assert on deletion of paired in-and-out IPsec traffic selectors
617935	2-Critical		IKEv2 VPN tunnels fail to establish
617481-1	2-Critical		TMM can crash when HTML minification is configured
614865-5	2-Critical		Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1	2-Critical		TMM crash on invalid memory access to loopback interface stats object
605476-3	2-Critical		statsd can core when reading corrupt stats files.
601527-4	2-Critical		mcpd memory leak and core
600894-1	2-Critical		In certain situations, the MCPD process can leak memory
598748	2-Critical		IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1	2-Critical		vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
595712-1	2-Critical		Not able to add remote user locally
591495-2	2-Critical		VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1	2-Critical		ospfd cores due to an incorrect debug statement.
588686	2-Critical		High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3	2-Critical		bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2	2-Critical		sod core during upgrade from 10.x to 12.x.
583936-5	2-Critical		Removing ECMP route from BGP does not clear route from NSM
557680-4	2-Critical		Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7	2-Critical		Starting mcpd manually at the command line interferes with running mcpd
622877-1	3-Major		i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199	3-Major		sys-icheck reports error with /var/lib/waagent
622194	3-Major		sys-icheck reports error with ssh_host_rsa_key
621423	3-Major		sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1	3-Major		Reserve enough space in the image for future upgrades.
621225	3-Major		LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782	3-Major		Azure cloud now supports hourly billing
619410-1	3-Major		TMM hardware accelerated compression not registering for all compression levels.
617986-2	3-Major		Memory leak in snmpd
617229-1	3-Major	K54245014	Local policy rule descriptions disappear when policy is re-saved
616242-3	3-Major	K39944245	basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
614530-2	3-Major		Dynamic ECMP routes missing from Linux host
614180-1	3-Major		ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3	3-Major		When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1	3-Major		sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1	3-Major		sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3	3-Major		Not possible to do targeted failover with HA Group configured
605894-3	3-Major		Remote authentication for BIG-IP users can fail
603149-2	3-Major		Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8	3-Major		Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2	3-Major		Unable to view the SSL Cert list from the GUI
601989-3	3-Major	K88516119	Remote LDAP system authenticated username is case sensitive★
601893-2	3-Major	K89212666	TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
601502-4	3-Major		Excessive OCSP traffic
600558-5	3-Major		Errors logged after deleting user in GUI
599816-2	3-Major		Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1	3-Major		Temporary files from TMSH not being cleaned up intermittently.
598039-6	3-Major		MCP memory may leak when performing a wildcard query
597729-5	3-Major		Errors logged after deleting user in GUI
596104-1	3-Major	K84539934	HA trunk unavailable for vCMP guest★
595773-4	3-Major		Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2	3-Major		Audit forwarding Radius packets may be rejected by Radius server
592870-2	3-Major		Fast successive MTU changes to IPsec tunnel interface crashes TMM
592320-5	3-Major		ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
589083-2	3-Major		TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4	3-Major		During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
585833-3	3-Major		Qkview will abort if /shared partition has less than 2GB free space
585547-1	3-Major		NTP configuration items are no longer collected by qkview★
585485-3	3-Major		inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system
584583-3	3-Major	K18410170	Timeout error when using the REST API to retrieve large amount of data
583285-5	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1	3-Major		BWC policy in device sync groups.
580500-1	3-Major		/etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5	3-Major		bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot
576305-7	3-Major		Potential MCPd leak in IPSEC SPD stats query code
575649-5	3-Major		MCPd might leak memory in IPFIX destination stats query
575591-6	3-Major		Potential MCPd leak in IKE message stats query code
575589-5	3-Major		Potential MCPd leak in IKE event stats query code
575587-7	3-Major		Potential MCPd leak in BWC policy class stats query code
575176-1	3-Major	K58275035	Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1	3-Major		Management DHCP settings do not take effect
570818-4	3-Major		Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1	3-Major		Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4	3-Major		Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7	3-Major		Differing cert/key after successful config-sync
547479-5	3-Major		Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1	3-Major		Creating local user for previously remote user results in incomplete user definition.
540872-1	3-Major		Config sync fails after creating a partition.
527206-5	3-Major		Management interface may flap due to LOP sync error
393270-1	3-Major		Configuration utility may become non-responsive or fail to load.
618421	4-Minor		Some mass storage is left un-used
617124	4-Minor		Cannot map hardware type (12) to HardwareType enumeration
581835-1	4-Minor		Command failing: tmsh show ltm virtual vs_name detail.
567546-1	4-Minor		Files with file names larger than 100 characters are omitted from qkview
564771-1	4-Minor		cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2	4-Minor	K40547220	cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4	4-Minor		Misleading error message in catalina.out when listing certificates.
551349-5	4-Minor	K80203854	Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
460833-5	4-Minor		MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5	5-Cosmetic		tmsh save /sys ucs command sends status messages to stderr
442231-4	5-Cosmetic		Pendsect log entries have an unexpected severity

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618905-1	1-Blocking		tmm core while installing Safenet 6.2 client
616215-4	2-Critical		TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1	2-Critical		L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1	2-Critical		TMM may crash if LTM a disable policy action for 'LTM Policy' is not last
609628-2	2-Critical		CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6	2-Critical		Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1	2-Critical		Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2	2-Critical	K25713491	TMM may crash when in Fallback state.
607524-2	2-Critical		Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5	2-Critical		Safenet 6.2 library missing after upgrade★
606573-3	2-Critical		FTP traffic does not work through SNAT when configured without Virtual Server★
605865-4	2-Critical		Debug TMM produces core on certain ICMP PMTUD packets
604133-2	2-Critical		Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1	2-Critical		clientssl profiles with sni-default enabled may leak X509 objects
602326-1	2-Critical		Intermittent pkcs11d core when stopping or restarting pkcs11d service
599135-2	2-Critical		B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2	2-Critical	K34453301	TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5	2-Critical		IPv6 fragments are dropped when packet filtering is enabled.
586449-1	2-Critical		Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1	2-Critical		Transparent HTTP profiles cannot have iRules configured
575011-1	2-Critical	K21137299	Memory leak. Nitrox3 Hang Detected.
574880-3	2-Critical		Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3	2-Critical	K02020031	L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3	2-Critical	K14304373	TMM halts and restarts
459671-4	2-Critical		iRules source different procs from different partitions and executes the incorrect proc.
617862-2	3-Major		Fastl4 handshake timeout is absolute instead of relative
617824-3	3-Major		"SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1	3-Major		VDI plugin-initiated connections may select inappropriate SNAT address
613429-2	3-Major		Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4	3-Major		Half-Open TCP Connections Not Discoverable
613079-4	3-Major		Diameter monitor watchdog timeout fires after only 3 seconds
613065-1	3-Major		User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4	3-Major		Statistics added for all crypto queues
611320-3	3-Major		Mirrored connection on Active unit of HA pair may be unexpectedly torndown
610609-3	3-Major		Total connections in bigtop, SNMP are incorrect
608024-3	3-Major		Unnecessary DTLS retransmissions occur during handshake.
607803-3	3-Major	K33954223	DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5	3-Major		TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3	3-Major		Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6	3-Major		Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2	3-Major	K52231531	TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2	3-Major	K08905542	Wrong alert when DTLS cookie size is 32
603236-1	3-Major		1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1	3-Major		Add zLib compression
602366-1	3-Major		Safenet 6.2 HA performance
602358-5	3-Major		BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version
601496-4	3-Major		iRules and OCSP Stapling
601178-6	3-Major		HTTP cookie persistence 'preferred' encryption
598874-2	3-Major		GTM Resolver sends FIN after SYN retransmission timeout
597978-2	3-Major		GARPs may be transmitted by active going offline
597879-1	3-Major		CDG Congestion Control can lead to instability
597532-1	3-Major		iRule: RADIUS avp command returns a signed integer
597089-8	3-Major		Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6	3-Major	K26430211	In rare cases, connections may fail to expire
592784-2	3-Major		Compression stalls, does not recover, and compression facilities cease.
592497-1	3-Major		Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5	3-Major	K47203554	Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7	3-Major	K53220379	Stuck crypto queue can erroneously be reported
591343-5	3-Major	K03842525	SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1	3-Major		TMM crash and core dump when processing SSL protocol alert.
588115-1	3-Major		TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3	3-Major		SSL resumed connections may fail during mirroring
587016-3	3-Major		SIP monitor in TLS mode marks pool member down after positive response.
585813-3	3-Major		SIP monitor with TLS mode fails to find cert and key files.
585412-4	3-Major		SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6	3-Major		The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1	3-Major		Cannot generate key after SafeNet HSM is rebooted
580303-5	3-Major		When going from active to offline, tmm might send a GARP for a floating address.
579843-1	3-Major		tmrouted may not re-announce routes after a specific succession of failover states
579371-4	3-Major	K70126130	BIG-IP may generate ARPs after transition to standby
578951-2	3-Major		TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5	3-Major		Variable value in the nesting script of foreach command get reset when there is parking command in the script
570057-2	3-Major		Can't install more than 16 SafeNet HSMs in its HA group
569288-6	3-Major		Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4	3-Major		CPU Usage increases when using masquerade addresses
551208-6	3-Major		Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4	3-Major		Networking devices might block a packet that has a TTL value higher than 230.
545796-5	3-Major		[iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5	3-Major		Log activation/deactivation of TM.TCPMemoryPressure
537553-8	3-Major		tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4	3-Major		Dynamically discovered routes might fail to remirror connections.
530266-7	3-Major		Rate limit configured on a node can be exceeded
506543-5	3-Major		Disabled ephemeral pool members continue to receive new connections
483953-1	3-Major		Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7	3-Major		Memory leak with multiple client SSL profiles.
464801-3	3-Major		Intermittent tmm core
423392-6	3-Major		tcl_platform is no longer in the static:: namespace
371164-1	3-Major		BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.
598860-4	4-Minor		IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2	4-Minor		SMB monitor fails due to internal configuration issue
560471-1	4-Minor		Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
544033-5	4-Minor	K30404012	ICMP fragmentation request is ignored by BIG-IP
222034-4	4-Minor		HTTP::respond in LB_FAILED with large header/body might result in truncated response

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
510631-1	3-Major		B4450 L4 No ePVA or L7 throughput lower than expected

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
603598-3	2-Critical		big3d memory under extreme load conditions
587656-2	2-Critical		GTM auto discovery problem with EHF for ID574052
587617-1	2-Critical		While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2	3-Major		The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1	3-Major		QOS load balancing links display as gray
613045-7	3-Major		Interaction between GTM and 10.x LTM results in some virtual servers marked down
607658-1	3-Major		GUI becomes unresponsive when managing GSLB Pool
589256-1	3-Major	K71283501	DNSSEC NSEC3 records with different type bitmap for same name.
588289-1	3-Major		GTM is Re-ordering pools when adding pool including order designation
584623-2	3-Major		Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4	3-Major		GTM autoconf can cause high CPU usage for gtmd
370131-4	3-Major		Loading UCS with low GTM Autoconf Delay drops pool Members from config

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609499-1	2-Critical		Compiled signature collections use more memory than prior versions
603945-2	2-Critical		BD config update should be considered as config addition in case of update failure
588087-1	2-Critical		Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2	2-Critical		IP exceptions may have issues with route domain
575133-1	2-Critical		asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1	3-Major		Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
621808-1	3-Major		Proactive Bot Defense failing in IE11 with Compatibility View enabled
616169	3-Major		ASM Policy Export returns HTML error file
613459-1	3-Major		Non-common browsers blocked by Proactive Bot Defense
613396-1	3-Major		Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1	3-Major		"Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
610857-1	3-Major		DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1	3-Major		FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
609496-2	3-Major		Improved diagnostics in BD config update (bd_agent) added
608509-1	3-Major		Policy learning is slow under high load
606875-1	3-Major		DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
604923-5	3-Major		REST id for Signatures change after update
604612-1	3-Major	K20323120	Modified ASM cookie violation happens after upgrade to 12.1.x★
602221-2	3-Major		Wrong parsing of redirect Domain
601924-1	3-Major		Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1	3-Major		Unable to force Bot Defense action to Allow in iRule
584642-1	3-Major		Apply Policy Failure
584103-2	3-Major		FPS periodic updates (cron) write errors to log
582683-2	3-Major		xpath parser doesn't reset a namespace hash value between each and every scan
582133-1	3-Major		Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1	3-Major		Selenium detection not blocked
579917-1	3-Major		User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1	3-Major		Error when loading Upgrade UCS★
521204-2	3-Major		Include default values in XML Policy Export
501892-1	3-Major		Selenium is not detected by headless mechanism when using client version without server

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
602654-2	2-Critical		TMM crash when using AVR lookups
602434-1	2-Critical		Tmm crash with compressed response
601056	2-Critical		TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735	3-Major		TCP Analytics statistics does not list all virtual servers
618944-1	3-Major		AVR statistic is not save during the upgrade process
601035	3-Major		TCP-Analytics can fail to collect all the activity

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618506	2-Critical		TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1	2-Critical		Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-3	2-Critical		Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3	2-Critical		APM ACL construction may cause TMM to core if TMM is out of memory
569563-3	2-Critical		Sockets resource leak after loading complex policy
619250-1	3-Major		Returning to main menu from "RSS Feed" breaks ribbon
617187-1	3-Major		APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2	3-Major		Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2	3-Major		Incorrect handling of form that contains a tag with id=action
611922-1	3-Major		Policy sync fails with policy that includes custom CA Bundle.
611240-3	3-Major		Import of config with securid might fail
610224-3	3-Major		APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1	3-Major		AAA RADIUS system authentication fails on IPv6 network
604767-1	3-Major		Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
601905-1	3-Major		POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3	3-Major		DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3	3-Major	K06913155	APM ACL does not get enforced all the time under certain conditions
598211-1	3-Major		Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2	3-Major		VPN establishment may fail when computer wakes up from sleep
596116-3	3-Major		LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1	3-Major		SWG Custom Category: unable to have a URL in multiple custom categories
594288-1	3-Major		Access profile configured with SWG Transparent results in memory leak.
592414-4	3-Major		IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1	3-Major		encryption_key in access config is NULL in whitelist
591590-1	3-Major		APM policy sync results are not persisted on target devices
591268-1	3-Major		VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3	3-Major		Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3	3-Major	K80124134	Empty URI rewriting is not done as required by browser.
586718-1	3-Major		Session variable substitutions are logged
586006-1	3-Major		Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3	3-Major		VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1	3-Major		NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3	3-Major		Macrocall could be topologically not connected with the rest of policy.★
582526-3	3-Major		Unable to display and edit huge policies (more than 4000 elements)
580893-2	3-Major	K08731969	Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3	3-Major		flash.utils.Proxy functionality is not negotiated
572558-1	3-Major		Internet Explorer: incorrect handling of document.write() to closed document
569309-3	3-Major		Clientside HTML parser does not recognize HTML event attributes without value
562636-2	3-Major	K05489319	Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11	3-Major		DTLS renegotiation sequence number compatibility
455975-1	3-Major		Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6	3-Major		OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1	3-Major		Multidomain SSO requires a default pool be configured
238444-3	3-Major	K14219	An L4 ACL has no effect when a layered virtual server is used.
605627	4-Minor		Selinux denial seen for apmd when it is being shutdown.
584373-2	4-Minor		AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1	4-Minor		Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1	4-Minor		Full Webtop resources appear overlapping in IE11 compatibility mode

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
619757-1	2-Critical		iSession causes routing entry to be prematurely freed

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
613297-3	2-Critical		Default generic message routing profile settings may core
612135-3	2-Critical		Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2	2-Critical		tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config
596631-2	2-Critical		SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5	3-Major		BIG-IP drops ACKs containing no max-forwards header
609328-3	3-Major	K53447441	SIP Parser incorrectly parsers empty header
607713-3	3-Major		SIP Parser fails header with multiple sequential separators inside quoted string.
603019-3	3-Major		Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5	3-Major		Persistence entries not added if message is routed via an iRule
598854-3	3-Major		sipdb tool incorrectly displays persistence records without a pool name
598700-6	3-Major		MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3	3-Major	K12228503	Branch parameter in inserted VIA header not consistent as per spec
583010-4	3-Major		Sending a SIP invite with 'tel' URI fails with a reset
578564-4	3-Major		ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4	3-Major		ADAPT recursive loop when handling successive iRule events
566576-6	3-Major		ICAP/OneConnect reuses connection while previous response is in progress
401815-1	3-Major		BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
585807-2	4-Minor		'ICAP::method <method>' iRule is documented but is read-only
561500-4	4-Minor		ICAP Parsing improvement

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
612874-1	2-Critical		iRule with FLOW_INIT stage execution can cause TMM restart
609095-1	2-Critical		mcpd memory grows when updating firewall rules
622281-1	3-Major		Network DoS logging configuration change can cause TMM crash
614284-2	3-Major		Performance fix to not reset a data structure in the packet receive hotpath.
608566-1	3-Major		The reference count of NW dos log profile in tmm log is incorrect
605427-1	3-Major		TMM may crash when adding and removing virtual servers with security log profiles
594869-4	3-Major		AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2	3-Major		Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070	3-Major		'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1	3-Major		FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609005-2	1-Blocking		Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3	2-Critical		TMM coredump at dhcpv4_server_set_flow_key().
608009-1	2-Critical		Crash: Tmm crashing when active system connections are deleted from cli
603825-2	2-Critical		Crash when a Gy update message is received by a debug TMM
593070-2	2-Critical		TMM may crash with multiple IP addresses per session
472860-5	2-Critical		RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2	3-Major		After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2	3-Major		Disruption during manipulation of PEM data with suspected flow irregularity
618657-4	3-Major		Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3	3-Major		tmm core using PEM
608742-2	3-Major	K48561135	DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
608591-1	3-Major		Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5	3-Major		DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3	3-Major	K60250444	PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5	3-Major	K56504204	DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
606066-2	2-Critical		LSN_DELETE messages may be lost after HA failover
605525-1	2-Critical		Deterministic NAT combined with NAT64 may cause a TMM core
587106-1	2-Critical		Inbound connections are reset prematurely when zombie timeout is configured.
602171-1	3-Major		TMM may core when remote LSN operations time out

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
617648	2-Critical		Surfing with IE8 sometimes results with script error
603234-3	2-Critical		Performance Improvements
597471	2-Critical		Some Alerts are sent with outdated username value
617688	3-Major		Encryption is not activated unless "real-time encryption" is selected
613671-2	3-Major		Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
610897-2	3-Major		FPS generated request failure throw "unspecified error" error in old IE.
609098-1	3-Major		Improve details of ajax failure
604885-1	3-Major		Redirect/Route action doesn't work if there is an alert logging iRule
601083-1	3-Major		FPS Globally Forbidden Words lists freeze in IE 11
588058-3	3-Major		False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1	4-Minor		Add the ability to control dropping of alerts by before-load-function
605125-2	4-Minor		Sometimes, passwords fields are readonly
592274-3	4-Minor		RAT-Detection alerts sent with incorrect duration details

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588405-1	3-Major		BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1	4-Minor		Greylist (bad actors list) is not cleaned when attack ends

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
624370-1	2-Critical		tmm crash during classification hitless upgrade if virtual server configuration is modified

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
621401	3-Major		When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
615824-1	3-Major		REST API calls to invalid REST endpoint log level change

Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
613127-3	CVE-2016-5696	K46514822	Linux TCP Stack vulnerability CVE-2016-5696

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
612564	1-Blocking		mysql does not start
618382-4	2-Critical		qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1	3-Major		lsusb uses unknown ioctl and spams kernel logs
612952-1	3-Major		PSU FW revision not displayed correctly
611352	3-Major	K68092141	Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307	3-Major		Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325	3-Major		Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1	3-Major		i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1	3-Major		On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2	3-Major		Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1	3-Major		LCD might display incorrect output.
521270-1	3-Major		Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6	3-Major	K25051022	Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1	4-Minor		Dossier warning 14
607857-1	4-Minor		Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1	4-Minor		Switch interfaces may seem up after bcm56xxd goes down
602061	4-Minor		i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309	4-Minor		Locator LED no longer persists across reboots
592716-1	4-Minor		BMC timezone value was not being synchronized by BIG-IP

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
597708-4	3-Major		Stats are unavailable and vCMP state and status are incorrect

Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
598294-1	CVE-2016-7472	K17119920	BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2	CVE-2016-7474	K52180214	MCPD stores certain data incorrectly

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
542097-4	2-Critical		Update to RHEL6 kernel
601927-1	4-Minor	K52180214	Security hardening of control plane

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
602653-1	2-Critical		TMM may crash after updating bot-signatures
599769	2-Critical		TMM may crash when managing APM clients.
605682-2	3-Major		With forward proxy enabled, sometimes the client connection will not complete.
599054-2	3-Major		LTM policies may incorrectly use those of another virtual server

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
585120-1	2-Critical		Memory leak in bd under rare scenario

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
596674-2	2-Critical		High memory usage when using CS features with gzip HTML responses.
575170-2	2-Critical		Analytics reports may not identify virtual servers correctly
590074-1	3-Major		Wrong value for TCP connections closed measure

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
603997	2-Critical		Plugin should not inject nonce to CSP header with unsafe-inline
594910-1	3-Major		FPS flags no cookie when length check fails
590608-1	3-Major		Alert is not redirected to alert server when unseal fails
590578-4	3-Major		False positive "URL error" alerts on URLs with GET parameters
593355	4-Minor		FPS may erroneously flag missing cookie
589318-1	4-Minor		Clicking 'Customize All' checkbox does not work.

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
603605-1	2-Critical		Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2	3-Major		Some iApp LX packages will not be saved during upgrade or UCS save/restore

Cumulative fixes from BIG-IP v12.1.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
596488-1	CVE-2016-5118	K82747025	GraphicsMagick vulnerability CVE-2016-5118.
579955-6	CVE-2016-7475	K01587042	BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1	CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118	K37603172	Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1	CVE-2016-1950	K91100352	Mozilla NSS vulnerability CVE-2016-1950
570697-1	CVE-2015-8138	K71245322	NTP vulnerability CVE-2015-8138
580340-1	CVE-2016-2842	K52349521	OpenSSL vulnerability CVE-2016-2842
580313-1	CVE-2016-0799	K22334603	OpenSSL vulnerability CVE-2016-0799
579829-7	CVE-2016-0702	K79215841	OpenSSL vulnerability CVE-2016-0702
579085-6	CVE-2016-0797	K40524634	OpenSSL vulnerability CVE-2016-0797
578570-1	CVE-2016-0705	K93122894	OpenSSL Vulnerability CVE-2016-0705
569355-1	CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494	K50118123	Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1	CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210	K17235	Multiple PCRE Vulnerabilities
570667-2	CVE-2016-0701 CVE-2015-3197	K64009378	OpenSSL vulnerabilities

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
606509-4	2-Critical		Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
595605	2-Critical		Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★
591119	2-Critical		OOM with session messaging may result in TMM crash
601076	3-Major		Fix watchdog event for accelerated compression request overflow
597303	3-Major		"tmsh create net trunk" may fail
595693	3-Major		Incorrect PVA indication on B4450 blade
591261	3-Major		BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1	3-Major		New HA Pair created using serial cable failover only will remain Active/Active
589661	3-Major		PS2 power supply status incorrect after removal
588327	3-Major		Observe "err bcm56xxd' liked log from /var/log/ltm
587735	3-Major		False alarm on LCD indicating bad fan
587668	3-Major		LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332	3-Major		Virtual Edition network settings aren't pinned correctly on startup★
584670	3-Major		Output of tmsh show sys crypto master-key
584661	3-Major		Last good master key
584655	3-Major		platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177	3-Major		LCD text truncated by heartbeat icon on VIPRION
581945-2	3-Major		Device-group 'datasync-global-dg' becomes out-of-sync every hour
581811	3-Major		The blade alarm LED may not reflect the warning that non F5 optics is used.
579529	3-Major		Stats file descriptors kept open in spawned child processes
578064	3-Major		tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1	3-Major		incorrect crontab can cause large number of email alerts
573584	3-Major		CPLD update success logs at the same error level as an update failure
563592	3-Major		Content diagnostics and LCD
559655	3-Major		Post RMA, system does not display correct platform name regardless of license
555039-4	3-Major	K24458124	VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360	3-Major		Firmware update that includes might take over 15 minutes. Do not turn off device.
526708	3-Major		system_check shows fan=good on removed PSU of 4000 platform
433357	3-Major		Management NIC speed reported as 'none'
400778	3-Major		Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550	3-Major		LCD listener error during shutdown
587780	4-Minor		warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986	4-Minor		Powered down DC PSU is treated as not-present
418009	5-Cosmetic		Hardware data display inaccuracies

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603700	2-Critical		tmm core on multiple SSL::disable calls
598052-1	2-Critical		SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139	2-Critical		TMM QAT segfault after zlib/QAT compression conflation.
585654	2-Critical		Enhanced implementation of AES in Common Criteria mode
579953	2-Critical		Updated the list of Common Criteria ciphersuites
584926-1	3-Major		Accelerated compression segfault when devices are all in error state.
566342	3-Major		Cannot set 10T-FD or 10T-HD on management port

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
599803	1-Blocking		TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2	2-Critical		apmd crash under rare conditions with LDAP

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
581824-2	3-Major		"Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
588049-1	2-Critical		Improve detection of browser capabilities
585352-2	2-Critical		bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1	2-Critical		BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2	3-Major		High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1	3-Major		Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1	3-Major		Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4	3-Major		ASM policy creation fails with after upgrading

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
587419-1	3-Major		TMM may restart when SAML SLO is performed after APM session is closed
585442-2	3-Major		Provisioning APM to 'none' creates a core file

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
596809-1	3-Major		It is possible to create ssh rules with blank space for auth-info
593925-1	3-Major		ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1	3-Major		Sync fails when deleting an ssh profile

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
584921-1	2-Critical		Inbound connections fail to keep port block alive

Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
600662-9	CVE-2016-5745	K64743453	NAT64 vulnerability CVE-2016-5745
599168-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1	CVE-2013-0169 CVE-2016-6907 CVE-2019-6593	K14190 K39508724 K10065173	TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
604211-1	2-Critical	K72931250	License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★
600859-2	2-Critical		Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
599033-5	2-Critical		Traffic directed to incorrect instance after network partition is resolved
595394-3	2-Critical		Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
606110-2	3-Major		BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4	3-Major		HA Failover fails in certain valid AWS configurations
596603-2	3-Major		AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
600357-2	3-Major		bd crash when asm policy is removed from virtual during specific configuration change

Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
569467-5	CVE-2016-2084	K11772107	BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591806-8	CVE-2016-3714	K03151140	ImageMagick vulnerability CVE-2016-3714
591918-2	CVE-2016-3718	K61974123	ImageMagick vulnerability CVE-2016-3718
591908-2	CVE-2016-3717	K29154575	ImageMagick vulnerability CVE-2016-3717
591894-2	CVE-2016-3715	K10550253	ImageMagick vulnerability CVE-2016-3715
591881-1	CVE-2016-3716	K25102203	ImageMagick vulnerability CVE-2016-3716

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
583631-2	1-Blocking		ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993	3-Major		Unable to load configs from /usr/libexec/aws/.
576478	3-Major		Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477	3-Major		New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
591039	2-Critical		DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779	2-Critical		Rest API - log profile in json return does not include the partition but needs to
588140	2-Critical		Pool licensing fails in some KVM/OpenStack environments
587791-1	2-Critical		Set execute permission on /var/lib/waagent
565137	2-Critical	K12372003	Pool licensing fails in some KVM/OpenStack environments.
554713-2	2-Critical		Deployment failed: Failed submitting iControl REST transaction
592363	3-Major		Remove debug output during first boot of VE
592354	3-Major		Raw sockets are not enabled on Cloud platforms

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
592699-3	2-Critical		IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1	3-Major		Connection hangs when processing large compressed responses from server
592854-1	3-Major		Protocol version set incorrectly on serverssl renegotiation
592682-1	3-Major		TCP: connections may stall or be dropped
531979-6	3-Major		SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
582629-1	2-Critical		User Sessions lookups are not cleared, session stats show marked as invalid

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
590601-2	3-Major		BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1	3-Major		The "ACCESS::session create" iRule command does not work
590345-1	3-Major		ACCESS policy running iRule event agent intermittently hangs
585905-1	3-Major		Citrix Storefront integration mode with pass-through authentication fails
581834-5	3-Major		Firefox signed plugin for VPN, Endpoint Check, etc

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588399-1	3-Major		BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1	3-Major		Multiple 'Loading state for virtual server' messages in admd.log
569121-1	3-Major		Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1	4-Minor		Bad actor quarantining

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
590795-1	2-Critical		tmm crash when loading default signatures or updating classification signature★

Cumulative fix details for BIG-IP v12.1.5 that are included in this release

810557-5 : ASM ConfigSync Hardening

Solution Article: K05123525

807477-4 : ConfigSync Hardening

Solution Article: K04280042

799617-5 : ConfigSync Hardening

Solution Article: K05123525

799589-5 : ConfigSync Hardening

Solution Article: K05123525

797885-5 : ConfigSync Hardening

Solution Article: K05123525

796469-1 : ConfigSync Hardening

Solution Article: K05123525

794413-5 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301

788301-2 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.

777261-1 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.

774301-1 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of digital signature fails in certain cases:

err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.

-- This is also applicable to any SAML requests/responses that are signed:
   a) SAML Authentication Request
   b) SAML Assertion
   c) SAML Artifact Response
   e) SAML SLO Request/Response

Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAM SP fails to process SAML Requests/Responses resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.

Workaround:
None.

Fix:
Output now matches the Canonicalized element without Signature' calculated by APM, so deployment occurs without error.

773553-5 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.

771873-2 : TMSH Hardening

Solution Article: K40378764

769809-1 : vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
None.

Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade

766577-5 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.

762453-4 : Hardware cryptography acceleration may fail

Component: TMOS

Symptoms:
Host reports the following error message:
Device error: crypto codec qat-cryptoXX-Y queue is stuck.

Conditions:
Platform with access to Intel QAT cryptography hardware
Hardware cryptography acceleration enabled

Impact:
Hardware cryptography acceleration failure, leading to a failover event.

Workaround:
Disable hardware crypto acceleration for impacted device.

Fix:
Platforms with QAT accelerators now function as expected.

761231-5 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.

760878-1 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.

760550-2 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.

759968-1 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
--Distinct vCMP guests are able to cluster with each other.

--Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200

Look at the "rebroad_mac" field.

Conditions:
--It is not yet clear under what circumstances the issue occurs.

--One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate "rebroad_mac" on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
--Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

Note: This command should be issued on the guest acting as primary since config changes are only allowed on cluster primary.

759480-1 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

Component: Local Traffic Manager

Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.

Conditions:
When all of the following conditions are met:

-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.

-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).

-- A CLIENT_CLOSED event is present.

-- The pool member fails in some manner, triggering LB_FAILED

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add reject command to LB_FAILED event to force the serverside of the connection closed before response is sent to the client.

758872-1 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.

758764-5 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).

758631-1 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.

Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.

758527-5 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.

758336-2 : Incorrect recommendation in Online Help of Proactive Bot Defense

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.

758119-3 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048

758065-3 : TMM may consume excessive resources while processing FIX traffic

Component: Service Provider

Symptoms:
Under certain conditions, the TMM may consume excessive resources when processing traffic for a Virtual Server with FIX profile applied.

Conditions:
Virtual Server with FIX profile.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
TMM now processes FIX traffic as expected.

758018-2 : APD/APMD may consume excessive resources

Component: Access Policy Manager

Symptoms:
APD/APMD may consume excessive resources when processing certain requests

Conditions:
-- APM provisioned and enabled.
-- The service type is either SWG Explicit or Clientless Mode 3.

Impact:
Excessive resource consumption, potentially degrading overall throughput or leading to a failover event.

Workaround:
For Clientless Mode 3, replace with Clientless Mode 1 to work around the issue.

Fix:
APD/APMD now consumes the expected resources when processing requests

757455-4 : Excessive resource consumption when processing REST requests

Component: TMOS

Symptoms:
Under certain conditions, REST requests may consume excessive system resources

Conditions:
-- Advanced Shell on the BIG-IP system.
-- REST usage.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
BIG-IP now handles REST requests as expected.

757391-1 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.

Fix:
tmm no longer crashes under these conditions.

757088 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover doesn't happen.

757027-4 : BIND Update

Solution Article: K01713115

757026-4 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4

757025-4 : BIND Update

Solution Article: K00040234

757023-5 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656

756774-3 : Aborted DNS queries to a cache may cause a TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.

Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.

Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.

756538-2 : Failure to open data channel for active FTP connections mirrored across an HA pair.

Component: Local Traffic Manager

Symptoms:
Occasionally, attempting to actively open a data channel from an FTP session that is mirrored across a BIG-IP high availability pair will fail. This is due to aggressive port reuse on the active BIG-IP system, causing ports that are still in a TIME_WAIT state to be used for the data connection.

Conditions:
-- Have a BIG-IP HA pair configured.
-- Create an FTP virtual server with mirroring enabled.
-- Have the pool member(s) of the virtual server be either 3CDaemon or IIS servers (this issue has been confirmed only for 3CDaemon and IIS, but it could affect other servers as well).
-- Client attempts to download data through the virtual server via active FTP.

Impact:
Data connections fail to open; data transfer is unsuccessful.

Workaround:
Use passive FTP, or do not use mirroring for FTP virtual servers.

Fix:
Mirrored, active FTP connections no longer fail to open data channels, and now successfully transmit data.

756450-3 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: Local Traffic Manager

Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.

Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.

756270-1 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.

756153-1 : Add diskmonitor support for MySQL /var/lib/mysql

Component: TMOS

Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.

Conditions:
The disk partition /var/lib/mysql is filled to 100%.

Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.

Workaround:
None.

756094-1 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.

755507-1 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.

754944-4 : AVR reporting UI does not follow best practices

Solution Article: K00432398

754365-2 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.

754345-4 : WebUI does not follow best security practices

Solution Article: K79902360

754257 : URL lookup queries not working

Component: Traffic Classification Engine

Symptoms:
Occasionally, there is no response to a url-categorization query.

Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.

Impact:
URL does not get classified. Cannot take any actions against those URLs.

Workaround:
None.

Fix:
URL lookup queries now work as expected.

754103-3 : iRulesLX NodeJS daemon does not follow best security practices

Component: Local Traffic Manager

Symptoms:
The iRulesLX NodeJS daemon, if explicitly launched with the --debug command-line option, does not follow best security practices.

Conditions:
Launch an iRulesLX plugin:extension with debug command line option (--debug).

Impact:
NodeJS daemon does not follow best security practices.

Workaround:
None.

Fix:
NodeJS daemon now follows best security practices.

753912-1 : UDP flows may not be swept

Solution Article: K44385170

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.

Fix:
The system now correctly manages all expired flows.

753796-3 : SNMP does not follow best security practices

Solution Article: K40443301

753776-3 : TMM may consume excessive resources when processing UDP traffic

Solution Article: K07127032

752930 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.

752835-1 : Mitigate mcpd out of memory error with auto-sync enabled.

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an HA pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.

751586-1 : http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
translate-address disabled on a http2 virtual is getting ignored

Conditions:
http2 virtual and translate-address disabled configured

Impact:
The traffic is translated to the destination address to the pool member

Workaround:
none

Fix:
translate-address disabled is working correctly now.

750586-3 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.

Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.

750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Responses to queries with EDNS0 record to DNS Cache do not contain the RFC-required EDNS0 record.

Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Cache.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.

750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.

Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.

750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.

Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, send a response with the BADVERS error code as stipulated by the RFC.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok

750460-4 : Subscriber management configuration GUI

Solution Article: K61002104

750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Queries to DNS Express containing an ENDS0 record it does not understand.

Impact:
DNS Express responses might not contain the RFC-required ENDS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Express.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok

750213-1 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.

750187-4 : ASM REST may consume excessive resources

Solution Article: K29149494

749879 : Possible interruption while processing VPN traffic

Solution Article: K47527163

749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.

749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.

749508-4 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.

Fix:
The system contains improvements for handling OOM conditions properly.

749414-1 : Invalid monitor rule instance identifier error

Component: Local Traffic Manager

Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.

Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.

-- Pool members are incorrectly marked down.

Workaround:
You can use either of the following:

-- Failover or failback traffic to the affected device.

-- Run the following command: tmsh load sys config.

749294-1 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.

749153 : Cannot create LTM policy from GUI using iControl

Component: TMOS

Symptoms:
LTM policy cannot be created from GUI using iControl REST.

Conditions:
Using iControl to create an LTM policy.

Impact:
LTM policy cannot be created from the GUI

Workaround:
Create LTM policy using TMSH.

Fix:
Can now create LTM policy from GUI using iControl.

748902-8 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.

748502-4 : TMM may crash when processing iSession traffic

Solution Article: K72335002

748205-2 : SSD bay identification incorrect for RAID drive replacement★

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.

1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.

748187-1 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.

Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.

748177-4 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request gets wrong answer.

Workaround:
There is no workaround at this time.

Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.

747968-4 : DNS64 stats not increasing when requests go through DNS cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.

Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.

Impact:
DNS64 stats are not correct.

Workaround:
There is no workaround at this time.

747725-1 : Kerberos Auth agent may override settings that manually made to krb5.conf

Component: Access Policy Manager

Symptoms:
when apmd starts up, it can override settings in krb5.conf file with those required for Kerberos Auth agent

Conditions:
- Kerberos Auth is configured in an Access Policy,
- administrator made changes to krb5.conf manually
to the section [realms] of the configured realm

Impact:
Kerberos Auth agent behavior is not what administrator expects with the changes.
it may also affect websso(kerberos) to behave properly

Workaround:
None

Fix:
after fix, the configuration file changes are merged.
Kerberos Auth agent adds the lines it requires and does not override existing settings

747592-4 : PHP vulnerability CVE-2018-17082

Component: TMOS

Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Conditions:
This exploit doesn't need any authentication and can be exploited via POST request. Because of 'Transfer-Encoding: Chunked' header php is echoing the body as response.

Impact:
F5 products not affected by this vulnerability. Actual impact of this vulnerability is possible XSS attack.

Workaround:
No known workaround.

Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.

747585-1 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround this time.

Fix:
TCP analytics now supports both ANY and TCP protocol numbers and would collect analytics for TCP flows if protocol number is ANY or TCP.

747192-3 : Small memory leak while creating Access Policy items

Component: Access Policy Manager

Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.

Conditions:
The leak occurs while creating new policy items in Access.

Impact:
After a long uptime interval, mcpd may crash due to lack of memory.

Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.

Fix:
Leak was fixed by clearing the leaked objects.

747131-1 : ARP table may not be updated properly by some TMMs

Component: Local Traffic Manager

Symptoms:
When receiving ARP request coming from the client, some TMMs may not update the ARP table properly, leading to connectivity failures.

Conditions:
- BIG-IP with autolasthop disabled.
- Client blocking ARP responses.
- BIG-IP relies only on ARP requests coming from the client for sending the traffic back.

Impact:
This will have no impact in most of configurations, since BIG-IP will perform it's own resolution for client's MAC addresses.

In a case where client is not responding to ARP probes sent by Big-IP, the problem may lead to connectivity failures for particular clients.

Workaround:
Configure static ARP entries OR enable autolasthop.

747104-4 : LibSSH Vulnerability: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493

746922-3 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.

If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.

#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.

Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.

Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.

Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.

Workaround:
Use either of these workaround after a new route in child domain is added.

-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.

-- Recreate a routing object.
  - If a pool member is affected, recreate the pool member.
  - If a SNAT pool list is affected, recreate it.
  - And so on.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.

746877-4 : Omitted check for success of memory allocation for DNSSEC resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSSEC traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.

Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.

746868 : memory leakage when "apply to base domain" is enabled

Component: Fraud Protection Services

Symptoms:
Memory leakage when "apply to base domain" is enabled. this can result in a crash or aggressive sweeper mode.

Conditions:
"apply to base domain" is enabled in the anti-fraud profile

Impact:
Aggressive connections sweeper mode, and traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

746768-2 : APMD leaks memory if access policy policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.

Fix:
Memory growth has been addressed.

746266-4 : Vcmp guest vlan mac mismatch across blades.

Component: TMOS

Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.

Conditions:
This issue may be seen when all of the following conditions are met:

- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
There is no workaround at this time.

745713-2 : TMM may crash when processing HTTP/2 traffic

Solution Article: K94563344

745654-1 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.

745574-4 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.

Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.

745405 : Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover

Component: TMOS

Symptoms:
Under heavy SSL traffic, it is observed that sw crypto codec queue is stuck and taken out of service, but no failover happened

Conditions:
Heavy SSL traffic

Impact:
Traffic is impacted and a large number of SSL handshakes to the BIG-IP are failing.

Workaround:
Increase crypto.queue.timeout to a much larger number(from 100 to 500 for example). Restart tmms for the change to take effect.

745387-4 : Resource-admin user roles can no longer get bash access

Component: TMOS

Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.

Conditions:
Resource-admin users configured with bash shell access.

Impact:
Resource-admin users with bash access may write to system files causing security risks.

Workaround:
Do not assign bash access for resource-admin users.

Fix:
Resource-admin users restricted to tmsh access now. If a resource-admin user had bash access in a prior version and upgrades to this version, that user will get converted to tmsh access automatically after the upgrade process.

Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.

745371-3 : AFM GUI does not follow best security practices

Solution Article: K68151373

745358-4 : ASM GUI does not follow best practices

Solution Article: K14812883

745257-4 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447

745165-4 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195

744959-2 : SNMP OID for sysLsnPoolStatTotal not incremented in stats

Component: Carrier-Grade NAT

Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.

Conditions:
This affects all of the global port block allocation (PBA) counters.

Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.

Workaround:
None.

Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.

744937-4 : Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP does not know what resource records some external zone holds at the time the BIG-IP is responding to some dnssec query that asked for some record type at some owner name.
If the resource record type does not exist, then as part of the response, the BIG-IP generates an NSEC3 record (to authenticate denial of existence along with RRSIG) containing a types bitmap that is supposed to have the available RRs at the owner name.
With some new feature supported in BIND 9.12 (RFC 8198) called Aggressive use of Negative Cache, that negative response with the inaccurate types bitmap is cached which can then be re-used to show that some resource records do not exist but are in fact available at the owner name.

Conditions:
A query comes in for a zone that is not hosted on the BIG-IP where the BIG-IP is only responsible for DNSSEC signing.

Impact:
Validating resolvers implementing Aggressive Use of DNSSEC-Validated Cache may respond with NODATA for an existing resource record.

Workaround:
N/A

744707-1 : Crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.

Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.

744536 : HTTP/2 may garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes.

Impact:
Application functionality may be disrupted because large header values, such as for cookies, may be truncated when passed to the endpoint.

Workaround:
None.

Fix:
The HTTP/2 filter now correctly encodes large HTTP headers.

744516-2 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.

Fix:
TMM no longer panics regardless of the number of remote picks.

744347-1 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.

744331-1 : OpenSSH hardening

Component: TMOS

Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.

Conditions:
Administrative SSH access enabled.

Impact:
OpenSSH does not follow best practices.

Fix:
The default OpenSSH configuration includes best practices for security hardening.

744269-3 : dynconfd restarts if FQDN template node deleted while IP address change in progress

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.

Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).

Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.

Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.

744117-6 : The HTTP URI is not always parsed correctly

Solution Article: K18263026

Component: Local Traffic Manager

Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.

Conditions:
-- HTTP profile is configured.
-- The URI is inspected.

Impact:
If the URI is used for security checks, then those checks might be bypassed.

Workaround:
None.

Fix:
The HTTP URI is parsed in a more robust manner.

744035-3 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880

743803-5 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.

743790-4 : BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus

Component: TMOS

Symptoms:
In some rare circumstances, the HSB device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.

Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.

Impact:
No failover to standby unit after this error condition, causing site outage.

Workaround:
None.

Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.

742237-1 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd

Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.

742226-3 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536

742078-1 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.

Fix:
The following command enables the forwarding of an an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable

741919-1 : HTTP response may be dropped following a 100 continue message.

Component: Local Traffic Manager

Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.

Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).

Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.

Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.

Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.

-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable

741423-1 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync

Component: TMOS

Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.

The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.

Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.

Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.

Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):

1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.

For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:

tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }

2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.

Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established HA or config-sync configurations.

741108 : tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses

Component: Application Security Manager

Symptoms:
tmm memory leak can lead to tmm out-of-memory state.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has device ID enabled.
-- HTTP profile accept_xff enabled.

Impact:
Unexpected tmm out-of-memory state can be reached, causing sweeper activity and disrupting traffic.

Workaround:
Disable accept_xff in HTTP profile that is assigned to a virtual server along with ASM policy.

Fix:
The leak is now fixed.

740963-3 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart

Component: Local Traffic Manager

Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.

Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.

Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP retransmit bursts are now handled gracefully.

740959-1 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition;

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.

Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.

740777-2 : Secondary blades mcp daemon restart when subroutine properties are configured

Component: Access Policy Manager

Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.

Conditions:
When a subroutine is configured in the access policy.

Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.

Workaround:
There is no workaround other than to not use subroutine in the access policy.

Fix:
You can now use subroutines in the access policy.

740490-2 : Configuration changes involving HTTP2 or SPDY may leak memory

Component: Local Traffic Manager

Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.

Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.

Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.

Workaround:
None.

Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.

739971-3 : Linux kernel vulnerability: CVE-2018-5391

Component: TMOS

Symptoms:
IP fragments with random offsets allow a remote denial of service (FragmentSmack)

Conditions:
A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.

Impact:
remote denial of service (FragmentSmack)

739970-3 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321

739963-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.

739947-3 : TMM may crash while processing APM traffic

Solution Article: K42465020

739945-1 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.

739927-1 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.

739846-4 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.

739798 : Massive number of log messages being generated and written to the bd.log.

Component: Application Security Manager

Symptoms:
Log messages regarding parameters might fill the bd.log file. The system logs messages appear similar to the following:

deleting job-> converterd key
deleting p_node

Conditions:
No special conditions are required to cause this to occur.

Impact:
Lots of I/O processing. Potentially large bd.log file.

Workaround:
None.

Fix:
Fixed a scenario that resulted in a massive number of log messages being generated and written to the bd.log.

739744-2 : Import of Policy using Pool with members is failing

Component: Access Policy Manager

Symptoms:
Import of Policy using Pool with members is failing with an error Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)

Conditions:
Policy has pool attached to it with resource assign or chained objects

Impact:
Policy is not being imported on the same box

Workaround:
There is no workaround at this time.

Fix:
ng-import is now importing policy correctly.

739638-1 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.

Fix:
BGP peering can be properly established through a pool route.

739144-1 : Domain logoff scripts runs after VPN connection is closed

Component: Access Policy Manager

Symptoms:
APM Network Access option: 'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.

Conditions:
Following options configured for Microsoft Windows clients:
* Synchronize with Active Directory policies on connection establishment.
and
* Execute logoff scripts on connection termination.

-- Windows client is part of a domain.
-- Domain logoff script is not available without VPN connection.

Impact:
'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.

Workaround:
None.

Fix:
Changes in APM client allow it to wait until domain logoff script execution completes before closing VPN connection, so this issue no longer occurs.

739094-4 : APM Client Vulnerability: CVE-2018-5546

Solution Article: K54431371

738945-1 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.

738887-2 : The snmpd daemon may leak memory when processing requests.

Component: TMOS

Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.

Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.

Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.

Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:

bigstart restart snmpd

Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.

738789-3 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog

Component: Application Security Manager

Symptoms:
ASM blocks requests when a request payload is an xml document with a prolog line at the begging with encoding="us-ascii".

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon, the typical value is encoding="utf-8").

Impact:
Blocked XML requests.

Workaround:
You can use either of the following workarounds:

-- Remove XML profile from a URL in the ASM policy.

-- Disable XML malformed document detection via ASM policy blocking settings.

Fix:
XML parser now supports encoding="us-ascii".

738669-3 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.

738647-1 : Add the login detection criteria of 'status code is not X'

Component: Application Security Manager

Symptoms:
There is a criterion needed to detect successful login.

Conditions:
Attempting to detect successful login when the response code is not X (where 'x' = some code).

Impact:
Cannot configure login criteria.

Workaround:
None.

Fix:
This release adds a new criterion to the login criteria.

738523-3 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.

Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.

738521-2 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There are two workarounds:

-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.

Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.

738445-1 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup

Component: TMOS

Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:

-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.

-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.

Either alone prevents finding the SA to delete.

Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.

Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.

Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>

Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.

738397-2 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.

Component: Access Policy Manager

Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.

The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.

Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.

Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.

Workaround:
None.

Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.

738119-3 : SIP routing UI does not follow best practices

Solution Article: K23566124

738046-3 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.

Fix:
SERVER_CONNECTED now fires when expected on the standby device.

737998 : Brute Force end attack condition isn't satisfied for successful logins only

Component: Application Security Manager

Symptoms:
When brute force attack is detected and prevented by asm, asm continue to prevent login attempts even the attacking traffic has stopped 5 minutes ago.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM Brute Force protection enabled in the asm policy
- There is an ongoing brute force attack on the backend server.

Impact:
ASM doesn't report that brute force attack is finished and logins mitigation continues to occur.

Workaround:
While ongoing endless brute force attack, change an arbitrary field in brute force configuration and apply policy. Brute force attack end event will be triggered and the system will stop brute force prevention, if the attacking traffic still being sent, new brute force attack event will be raised and the mitigation will reoccur.

Fix:
Fix brute force end condition check for a case when only successful logins are sent.

737910-1 : Security hardening on the following platforms

Solution Article: K18535734

737758-1 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.

Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.

737597 : AVR DoS Attack report misses virtual server name in a specific config

Component: Application Visibility and Reporting

Symptoms:
DoS AVR Report GUI page is under:
Navigate to Security :: Reporting : DoS : Network

The report shows the attack, but categorizes the attack under 'Aggregated' in the Virtual Server name value, rather than the actual name of the Virtual Server on which the attack is happening.

Conditions:
-- A Virtual Server is configured with a IP/Subnet range.

For example,
-- Virtual Server with Destination Address: 10.10.10.0/27 (meaning the destination range is 10.10.10.32 - 10.10.10.63).
-- Destination Address of the Client Traffic and Attack: 10.10.10.63

View AVR Reporting, which does not resolve the to any specific Virtual Server, but instead categorizes the attack as 'Aggregate'.

Impact:
AVR report missing the Virtual Server information.

Workaround:
None.

737574-3 : iControl REST input sanitization★

Solution Article: K20541896

737565-3 : iControl REST input sanitization

Solution Article: K20445457

737442-1 : Error in APM Hosted Content when set to public access

Solution Article: K32840424

737441-1 : Disallow hard links to svpn log files

Solution Article: K54431371

737437-1 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages

Component: TMOS

Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformatted ISAKMP.

Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.

Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.

Workaround:
To help workaround this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.

Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.

737389 : kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed

Component: TMOS

Symptoms:
There may be a large number of messages in /var/log/kern.log similar to the following:

Tracklist initialized
Tracklist destroyed

Conditions:
This can happen when vCMP is provisioned, which enables SR-IOV mode.

Impact:
It causes messages to show up in /var/log/kern.log, but does not affect traffic. This is a cosmetic issue and does not indicate a functionality issue.

Workaround:
None.

Fix:
Tracklist is now disabled, so this issue no longer occurs.

737332-2 : It is possible for DNSX to serve partial zone information for a short period of time

Component: Global Traffic Manager (DNS)

Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.

Conditions:
-- Two zones being transferred during the same time period
+ zone1.example.net
+ zone2.example.net

-- Transfer of zone1 has started, but not finished.

-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.

Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.

Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.

Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.

735832-2 : RAM Cache traffic fails on B2150

Component: Performance

Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.

Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.

Impact:
B2150 does not pass any RAM Cache traffic.

Workaround:
None.

Fix:
RAM Cache traffic now succeeds on B2150.

735565-3 : BGP neighbor peer-group config element not persisting

Component: TMOS

Symptoms:
neighbor peer-group configuration element not persisting after restart

Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart

Impact:
BGP peer-group configuration elements don't persist

Workaround:
Reconfigure BGP neighbor peer-group after restart

Fix:
BGP neighbor peer-group configuration is properly save to configuration, and persists after restart

734622 : Policy change with newly enforced signatures causes sig collection failure in other policies

Solution Article: K83093212

Component: Application Security Manager

Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.

Conditions:
An ASM policy is changed by adding newly enforced signatures.

Impact:
Signature collection failures are logged for all other policies.

Workaround:
For each other policy on the device, make a spurious change (such as modifying policy description and saving) and apply the policy. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.

734539-2 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads

Component: TMOS

Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.

Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.

Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.

Workaround:
There is no workaround at this time.

Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.

734527-4 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.

Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.

Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.

Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.

734446-3 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.

Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.

727292-2 : SSL in proxy shutdown case does not deliver server TCP FIN

Component: Local Traffic Manager

Symptoms:
Connection is not torn down.

Conditions:
HTTPS server disconnects connection when in handshake.

Impact:
Potential resource exhaustion.

Workaround:
You can mitigate this condition in either of the following ways:

-- Wait for system to clean up lingering connections.

-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)

-- If this happens on the config-sync channel, use a different self-ip for config-sync on the affected device.

Fix:
SSL server side handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.

727206-4 : Memory corruption when using SSL Forward Proxy on certain platforms

Component: Local Traffic Manager

Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.

Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.

-- Using the following platforms:
   - vCMP host
   - 2000s / 2200s
   - 5000s / 5200v
   - 5050s / 5250v / 5250v-F
   - 10350V-F

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.

727107-1 : Request Logs are not stored locally due to shmem pipe blockage

Component: Application Security Manager

Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:

----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.

Messages similar to the following appear in pabnagd.log:

Conditions:
Request Logs are not stored locally due to shmem pipe blockage.

Impact:
Event logs stop logging locally.

Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd

Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.

727044-1 : TMM may crash while processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing compressed data.

Conditions:
Compression enabled
Hardware compression disabled

Impact:
TMM crash leading to a failover event.

Workaround:
No workaround.

Fix:
TMM now correctly processes compressed traffic

726895-1 : VPE cannot modify subroutine settings

Solution Article: K02205915

Component: Access Policy Manager

Symptoms:
Open per-request policy in Visual Policy Editor (VPE) that has a subroutine. Click 'Subroutine Settings / Rename.

Numeric values like the inactivity timeout are displayed as 'NaN. Attempts to modify the values results in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.

Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.

Impact:
All fields say 'NaN', and error when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE

Workaround:
Use tmsh to modify these values, for example:

tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }

Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.

726647-1 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

Fix:
HTTP compressed response with content insert action no longer truncates data.

726592-2 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop

Component: Access Policy Manager

Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.

Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.

Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.

Workaround:
There is no workaround at this time, you can recover by restarting the daemons that hang.

Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.

726487-1 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.

Component: TMOS

Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Or:

--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).

--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.

Conditions:
This issue occurs when all of the following conditions are met:

-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).

Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).

Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.

Fix:
MCPD on secondary blades no longer restarts if a pool member is created in a partition that uses a non-default route domain at the same as the configuration is being saved.

726412-1 : Virtual server drop down missing objects on pool creation

Component: Global Traffic Manager (DNS)

Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.

Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.

Impact:
Unable to add available virtual servers to pools.

Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.

Fix:
Fixed the drop down for virtual servers. Now virtual servers get loaded in the drop-down list during pool creation.

726409-3 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Component: TMOS

Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or
possibly have unspecified other impact by leveraging use of the accept system call.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

Impact:
denial of service

Workaround:
don't allow login

Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

726393-5 : DHCPRELAY6 can lead to a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm can crash when handling a DHCPv6 request via the DHCPv6 relay.

Conditions:
tmm handling a DHCPv6 request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to DHCPv6 request via the DHCPv6 relay.

726317-3 : Improved debugging output for mcpd

Component: TMOS

Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.

Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.

Impact:
None. Has no effect without log.mcpd.level set to debug.

Workaround:
None.

Fix:
New output helps F5 engineers diagnose mcpd problems more easily.

726303 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.

Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.

726255-3 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.

Fix:
dns_path memory will be released after ttl.

726239-3 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when TCP persist timer is active.

726232-1 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.

726089-3 : Modifications to AVR metrics page

Solution Article: K44462254

724868-2 : dynconfd memory usage increases over time

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.

Fix:
dynconfd no longer leaks memory when processing messages.

724680-3 : OpenSSL Vulnerability: CVE-2018-0732

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601

Conditions:
For more information see: https://support.f5.com/csp/article/K21665601

Impact:
For more information see: https://support.f5.com/csp/article/K21665601

Workaround:
None.

Fix:
For more information see: https://support.f5.com/csp/article/K21665601

724532-1 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.

724339-2 : Unexpected TMUI output in AFM

Solution Article: K04524282

724335-2 : Unexpected TMUI output in AFM

Solution Article: K21042153

724214-2 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.

723794-4 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms

Component: TMOS

Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.

You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.

Conditions:
-- AMD-based platforms:
   + BIG-IP B4100 blades
   + BIG-IP B4200 blades
   + BIG-IP 6900 and NEBS appliances
   + BIG-IP 89x0 appliances
   + BIG-IP 6400 FIPS and NEBS platforms
   + BIG-IP 110x0 appliances

-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).

Impact:
System locks up and is rebooted by the watchdog timer.

Workaround:
Set the database variable kernel.pti to disable by running the following command:

tmsh modify sys db kernel.pti value disable

According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.

Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.

723792-3 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}

Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.

723790-4 : Idle asm_config_server handlers consumes a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.

723722-3 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.

Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.

723298-3 : BIND upgrade to version 9.11.4

Component: TMOS

Symptoms:
The BIG-IP system is running BIND version 9.9.9.

Conditions:
BIND on BIG-IP system.

Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.

Workaround:
None.

Fix:
BIND version has been upgraded to 9.11.4.

723288-3 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)

723130-3 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Solution Article: K13996

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
There might be questions about the integrity of the OVA file, and in some cases, might not be able to deploy a new instance from an OVA file.

Workaround:
None.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.

722969-1 : Access Policy import with 'reuse' enabled instead rewrites shared objects

Component: Access Policy Manager

Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.

Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.

Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.

Workaround:
None.

Fix:
Access policy import with 'reuse' option enabled no longer rewrites shared objects

722682-1 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.

Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
  + 12.1.3.x
  + Any 13.0.x
  + All 13.1.x earlier than 13.1.1.2
  + 14.0.x earlier than 14.0.0.3

Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.

Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.

1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:

for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done

4. Run the following command: load sys config gtm-only

Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.

722677-3 : High-Speed Bridge may lock up

Solution Article: K26455071

722387-2 : TMM may crash when processing APM DTLS traffic

Solution Article: K97241515

722363-1 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.

722091-2 : TMM may crash while processing HTTP traffic

Solution Article: K64208870

722013-3 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

- Systems are provisioned for APM.

- The device-group is configured for incremental manual synchronizations.

- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

- You synchronize the configuration from the source_system to the device-group.

- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

- The MCPD daemon restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.

-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.

Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.

721924-3 : bgpd may crash processing extended ASNs

Solution Article: K17264695

Component: TMOS

Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.

Conditions:
Dynamic routing enabled.
Extended ASP capabilities enabled: bgp extended-asn-cap enabled

Impact:
Dynamic routing disrupted while bgpd restarts.

Fix:
bgpd now processes extended ASNs as expected.

721895-1 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)

Component: Global Traffic Manager (DNS)

Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.

Conditions:
Running a vulnerability scanner or other SSL test tool.

Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.

Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.

In addition, you can deploy firewall rules to accept connections only on port 4353 from know BIG-IP systems.

Fix:
This version adds a db variable for the big3d
big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).

After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.

721752-1 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Use the following sql command:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;

Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.

721741-2 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.

721621-2 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Component: Local Traffic Manager

Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.

When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.

Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).

If no other members are defined in the pool, traffic will be interrupted.

Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.

Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.

721399-3 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').

Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.

721375 : Export then import of config with RSA server in it might fail

Component: Access Policy Manager

Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.

Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.

Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.

Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.

Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.

720880 : Attempts to license/re-license the BIG-IP system fail.

Component: TMOS

Symptoms:
Attempts to activate or reactivate the license on the BIG-IP system results in failure messages.

Conditions:
No specific configurations are associated with this issue, but license activation/reactivation requests that include add-ons are more likely to fail.

This occurs under random conditions.

Impact:
The system is either unusable or very difficult to activate.

Workaround:
Because the conditions under which this issue occurs are random, additional licensing attempts might succeed.

Fix:
The source of the underlying problem has been corrected. No additional logs, error message, or user-interaction is involved.

720819-1 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks-up due to a different issue.

Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.

Workaround:
None.

Fix:
The HSB lock-up is now promptly detected and remedied.

720799-3 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.

Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most DNS query results are not immediately deleted from the pool.

To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old new ephemeral nodes and pool members occurs after a delay.

The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.

720756 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS

Component: TMOS

Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.

Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.

Impact:
Cannot tell the actual platform name in the SNMP query.

Workaround:
There is no workaround at this time.

Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.

720713-3 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Fix:
The vCMP host continues to handle traffic correctly once a guest is started.

720695-2 : Export then import of APM access Profile/Policy with advanced customization is failing

Component: Access Policy Manager

Symptoms:
An exported policy containing advanced customization fails to import.

Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.

Impact:
Import fails.

Workaround:
None.

Fix:
Access policy import containing advanced customization now succeeds.

720651-3 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted.

Workaround:
There is no workaround.

Fix:
The guest now stops when the state is changed from deployed to provisioned.

720461-3 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:

$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;

Fix:
The qkview is no longer blocked with a password prompt.

720391-1 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.

Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.

Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.

Workaround:
None.

Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.

720293-1 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.

Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.

720269-3 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.

Fix:
Prevented extra characters from being appended to TACACS audit logs.

720219-1 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.

Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.

720110-4 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.

Component: TMOS

Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without BGP notify message.

Conditions:
1. BGP session is terminated without BGP notify (just TCP FIN).
2. Either learned (not originated in DUT) and default-originate (originated in DUT) routes are not sent.

Impact:
Default routes are not propagated in the network after the BGP peer restart.

Workaround:
There is no workaround at this time.

Fix:
Default routes are now always sent after the BGP session reset. Consistent behavior between BGP session reset with and without BGP notify message.

720104 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.

Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.

720030-3 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.

Conditions:
APM end users using Kerberos SSO to access backend resources.

Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.

Workaround:
For BIG-IP software v12.x and later,

Edit the /etc/resolv.conf file to add an EDNS0 option.

There is no workaround if you are running a version earlier than 12.x.

Fix:
Kerberos DNS SRV requests now support EDNS0, so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP while communicating to the internal DNS server (dnscached).

719644-1 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.

Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server name a period character (.).
-- The same virtual server name is used in multiple partitions.

719554-3 : Linux Kernel Vulnerability: CVE-2018-8897

Solution Article: K17403481

718885-1 : Under certain conditions, monitor probes may not be sent at the configured interval

Solution Article: K25348242

Component: Global Traffic Manager (DNS)

Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.

Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.

718210-3 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.

Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.

Note: This is the default value, so any virtual servers defined internally are using it.

Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.

Note: This is an extremely rare issue.

Workaround:
None.

Fix:
This issue has been fixed.

718208-1 : Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO

Component: Access Policy Manager

Symptoms:
When using Firefox v52 ESR to install SVPN client, the SVPN client keeps prompting to enter SUDO credentials.

Conditions:
Using Firefox v52 ESR to install SVPN client.

Impact:
Cannot install SVPN client using Firefox v52 ESR browser.

Workaround:
Follow this procedure to work around this problem:

1. Delete the NPAPI plugin from the browser. To do so, remove the browser plugin, which you can find in either or both of the following locations:

~/.mozilla/plugins/np_F5_SSL_VPN_x86_64.so

~/.mozilla/firefox/w8wdvzyy.default/extensions/{5984e8a4-b593-11e5-ad1f-ac88bb8e7f8b}/

2. Launch the browser; connect to APM and install the SVPN client manually.
3. Install the plugin through the browser, or copy the plugin to the browser plugin directory.
4. Restart Firefox v52 ESR to connect to APM.

Fix:
This issue has been fixed, and now you can install the Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR browser.

718071-3 : HTTP2 with ASM policy not passing traffic

Component: Local Traffic Manager

Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.

Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.

Impact:
Traffic does not pass.

Workaround:
No workaround.

Fix:
HTTP2 and ASM now work correctly together.

717896-1 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.

717742-3 : Oracle Java SE vulnerability CVE-2018-2783

Solution Article: K44923228

717100-4 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).

Fix:
Ephemeral pool members are now created for each pool under these conditions.

716992-3 : The ASM bd process may crash

Solution Article: K75432956

716922-4 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Mote: To take advantage of some of the Nagle benefits, use 'Auto'.

Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.

716900-1 : TMM core when using MPTCP

Solution Article: K91026261

716788-3 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.

Fix:
Response modification handler has been modified so that this issue no longer occurs.

716747-4 : TMM my crash while processing APM or SWG traffic

Component: Access Policy Manager

Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG.

There will be a log message in /var/log/apm near the time of crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
APM or SWG enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround at this time.

Fix:
TMM now processes APM and SWG traffic as expected.

716716-3 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.

Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.

716391-3 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, MySQL, for example BIG-IP ASM and BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.

IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.

716318-4 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.

Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.

716213-3 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.

Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.

716166-3 : Dynamic routing not added when conflicting self IPs exist

Component: TMOS

Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.

Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.

Impact:
Propagation of the dynamic route to the kernel, TMM.

Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.

715923-3 : When processing TLS traffic TMM may terminate connections unexpectedly

Solution Article: K43625118

715750-3 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.

Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

715467-3 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.

Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.

715448-1 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.

Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.

715250-2 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

Component: Access Policy Manager

Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.

Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.

Impact:
System instability, failover, traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

715207-2 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure: 1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.

Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.

715090 : PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers

Component: Policy Enforcement Manager

Symptoms:
Policy and Charging Rules Function (PCRF) policy actions will have no effect on the subscribers' traffic.

Conditions:
PEM creates a traffic generated subscriber that has PCRF-provided policies associated with it.

Impact:
Potential loss of service depending on the policy actions that do not take effect.

Workaround:
There is no workaround at this time.

Fix:
This issue has been fixed.

714986-1 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1

Fix:
In addition to reprogramming the UART with the new baud rate, the BIG-IP system now re-initializes the TTY device and agetty process with the correct speed so that new terminal sessions reflect the change.

714903-1 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.

Fix:
These errors in chmand are fixed.

714879-1 : APM CRLDP Auth passes all certs

Solution Article: K34652116

714848 : OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled

Component: TMOS

Symptoms:
DDM transmit power too low warning continually appear in /var/log/ltm, and in SNMP traps. Messages appear similar to the following:
DDM interface:3/1.0 transmit power too low warning. Transmit power(mWatts) 0.0001 0.0001 0.0001 0.0001

A single warning message is expected, not repeating messages.

Conditions:
This occurs when all of the following conditions are met:
-- The interface is disabled.
-- DDM is enabled.
-- OPT-0031 or OPT-0036.

Impact:
There are multiple messages in /var/log/ltm, and SNMP DDM traps. There is no impact on traffic.

Workaround:
There is no workaround other than to enable the interface or disable DDM.

Fix:
DDM errors no longer continually appear on disabled interfaces containing OPT-0031 or OPT-0036.

714716-3 : Apmd logs password for acp messages when in debug mode

Solution Article: K10248311

Component: Access Policy Manager

Symptoms:
Apmd logs password when executing policy via iRule.

Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active

Impact:
Apmd logs clear text password

Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.

714654-3 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.

Fix:
Creating static routes for advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.

714559-1 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
persist cookie hash JSESSIONID
}

Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.

If you need to remove the cookie, use an iRule similar to the following:

when PERSIST_DOWN {
HTTP::cookie remove JSESSIONID
}

714542-1 : 'Always Connected Mode' text is missing in EdgeClient tray

Component: Access Policy Manager

Symptoms:
When right-clicking the EdgeClient tray icon, the pop-up menu shows a grey box instead of the 'Always Connected Mode' text.

Conditions:
EdgeClient installed in 'Always Connected Mode' with 'Allow' traffic when VPN is disconnected.

Impact:
No functional impact. Previously, the message appeared only for blocked mode.

Workaround:
None.

Fix:
Now, when a user right-clicks the Edge Client tray icon in Always Connected mode, the <uicontrol>Always Connected Mode</uicontrol> text is displayed on the tray icon pop-up menu.

714181-3 : TMM may crash while processing TCP traffic

Solution Article: K14632915

713951-3 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.

713934-4 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
Received malformed Truncated DNS response.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.

Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.

713690-1 : IPv6 cache route metrics are locked

Component: Local Traffic Manager

Symptoms:
Under certain circumstances IPv6 route metrics are locked for the lifetime of a route metrics cache entry.

Conditions:
Under certain circumstances IPv6 route metrics cache entries are created locked.

Impact:
IPV6 route metrics are locked for the lifetime of a route metrics cache entry. When receiving subsequent icmpv6 packet to big messages with a larger MTU, the value does not get updated.

Workaround:
None.

Fix:
IPv6 route metrics are not locked anymore.

713655-3 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities

Component: Access Policy Manager

Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.

Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.

Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.

Workaround:
None.

Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.

713533-3 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.

Fix:
You can now use pattern matching to list Self IPs

713491-1 : IKEv1 logging shows spi of deleted SA with opposite endianess

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.

Fix:
The spi values are shown in the correct endianness now.

713282-3 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.

Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.

713066-3 : Connection failure during DNS lookup to disabled nameserver can crash TMM

Solution Article: K10620131

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restart as a result of a DNS lookup to disabled nameserver.

Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.

This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.

Fix:
This issue is now fixed.

712924 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue

Component: Access Policy Manager

Symptoms:
In VPE SecurID servers list are not being displayed in SecurID authentication dialogue. List is displaying only None.

Conditions:
Always when adding SecureID authentication action.

Impact:
Inability to (re)configure SecureId via VPE.

Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:

tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>

712857-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.

The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
This release introduces a db variable 'tmm.access.maxrequestbodysize'. You can now avoid this issue by setting a value larger than the 128 KB POST body size. The maximum supported value is 25000000 (25 MB).

712664-4 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting

Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.

Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.

712475-1 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not return dig requests.

Conditions:
DNS Express is configured a zone without a server.

Impact:
DNS Express does not return dig requests.

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.

Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.

712464-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs is usually in the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
myzone.com -- parent
foo.myzone.com -- child

-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS can not resolve records correctly.

Workaround:
None.

Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.

712362-1 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stalls.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols

#2 Use an irRule:
when SERVER_CONNECTED {
    TCP::collect 15
}
when SERVER_DATA {
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}

Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.

712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly

Component: Access Policy Manager

Symptoms:
In VPE LDAP and AD Group Resource Assign are not displaying static acls when they are configured.

Conditions:
While attempting to assign Static ACls via AD or LDAP Group Resource assign (aka Group Mapping) Static ACLs are not displayed.

Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.

Workaround:
Static ACLs are assignable with TMSH.

Fix:
Functionality is restored and Static ACLs are being displayed in AD and Ldap Group Resource Assign aka Group Mapping

use:
tmsh modify apm policy agent resource-assign

711981-3 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.

Workaround:
None.

Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.

711570-1 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies

Component: Policy Enforcement Manager

Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names

Conditions:
PEM iRule using subscriber ID to get policy name.

Impact:
Subscriber policy names are not returned.

Workaround:
Use PEM::subscriber config policy get <IP address> instead.

Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.

711547 : Update cipher support for Common Criteria compliance

Component: TMOS

Symptoms:
Default cipher selection may not be compliant with Common Criteria requirements. Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Conditions:
Common Criteria mode active

Impact:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Workaround:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Fix:
Improved Common Criteria compliance in default cipher strings.

711281-3 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.

711249-2 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.

711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.

Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete

710857-4 : iControl requests may cause excessive resource usage

Solution Article: K64855220

710827-4 : TMUI dashboard daemon stability issue

Solution Article: K44603900

710755-2 : Crash when cached route information becomes stale and the system accesses the information from it.

Component: Advanced Firewall Manager

Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.

Conditions:
Use stale cached route information.

Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.

Workaround:
None.

Fix:
The system now fetches the latest egress route/interface information before accessing it.

710705-3 : Multiple Wireshark vulnerabilities

Solution Article: K34035645

710602 : iCRD commands requiring 'root' user access fixed

Component: TMOS

Symptoms:
Some of the iCRD calls that run commands on the base operating system that require elevated permissions fail because iCRD was not correctly executing the commands in the right context.

Conditions:
Use an iCRD endpoint that requires elevated permissions to succeed.

Impact:
Only impacts iCRD endpoints which run commands that require root access.

Workaround:
There is no workaround at this time.

Fix:
This fix resolves this issue by running the commands with the correct user context.

710564-3 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0

Component: Local Traffic Manager

Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.

Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.

Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.

Workaround:
There is no workaround at this time.

710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Solution Article: K00874337

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.

Conditions:
GTM persistence is enabled.

Impact:
GTMD may occasionally restart.

Workaround:
Disable GTM persistence.

Fix:
GTMD will no longer crash and restart when persistence is enabled.

710355-1 : High CPU when using HTTP::collect for large chunked payloads

Component: Local Traffic Manager

Symptoms:
When collecting large amounts of chunked payload, approximately one million bytes, the processing to parse each chunk for the chunk headers and offsets results in large CPU utilization.

Conditions:
-- HTTP profile is attached to virtual server.
-- Server sends chunked response.
-- An iRule on the virtual server uses the HTTP::collect command to collect and parse large chunked payloads.

Impact:
High CPU utilization.

Workaround:
None.

710327-3 : Remote logger message is truncated at NULL character.

Component: Application Security Manager

Symptoms:
When a request including binary null character has been sent to an remote logger, configured for ASM, the request will arrive to the remote destination and will be truncated exactly at binary NULL character.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.

Impact:
Partial request is logged at the remote logger destination.

Workaround:
None.

Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.

710314-2 : TMM may crash while processing HTML traffic

Solution Article: K94105051

710277-2 : IKEv2 further child_sa validity checks

Component: TMOS

Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.

Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.

Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.

Workaround:
None.

Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.

710246-3 : DNS-Express was not sending out NOTIFY messages on VE

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).

Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.

Impact:
DNS secondary servers serving stale data.

Workaround:
There is no workaround at this time.

Fix:
DNS Express now sends out NOTIFY messages on VE.

710244-1 : Memory Leak of access policy execution objects

Solution Article: K27391542

710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.

Component: Access Policy Manager

Symptoms:
Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. The system posts a message similar to the following:

Unable to execute transaction because of: 01071203:3: Caption (XYZ1) of the rule in macrocall (/Common/abc_macro) must be identical to the caption (XYZ2) of terminalout.

Conditions:
-- Using Access Policy.
-- Policy includes one or more macros.
-- There is a macrocall on one of the macros.
-- You attempt to add a new terminal to that macro.

Impact:
Cannot edit macro terminals.

Workaround:
None.

Fix:
Can now edit Terminals of Macro if one or more Macrocalls point to a given Macro.

710148-4 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153

710028-4 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

Fix:
LTM SQL monitors continue monitoring when multiple monitors/ query the same server and database.

709972-4 : CVE-2017-12613: APR Vulnerability

Solution Article: K52319810

709688-5 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733

Solution Article: K08306700

709670-5 : iRule triggered from RADIUS occasionally fails to create subscribers.

Component: Policy Enforcement Manager

Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).

Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.

Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.

Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.

709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}

-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.

Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.

709544-4 : VCMP guests in HA configuration become Active/Active during upgrade★

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until upgrade is complete on all chassis in the DSC are finished. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.

709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

Component: Local Traffic Manager

Symptoms:
When looking at tmsh show sys memory you will see
ssl_compat continue to grow and fails to release memory.

Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening

Impact:
Eventually memory reaper will kick in.

Workaround:
There is no workaround at this time.

Fix:
ssl_compat now properly releases connections on re-negotiation.

708956 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Solution Article: K51206433

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.

Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.

708830-1 : Inbound or hairpin connections may get stuck consuming memory.

Component: Carrier-Grade NAT

Symptoms:
When inbound or hairpin connections require a remote Session DB lookup, and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They remain stuck in this state until they time out and expire. In this state, UDP connections queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets accumulate, consuming memory. If the memory consumption becomes excessive, connections may be killed and 'TCP: Memory pressure activated' and 'Aggressive mode activated' messages appear in the logs.

Conditions:
-- An LSN pool with inbound and/or hairpin connections enabled.
-- Lost Session DB messages due to heavy load or hardware failure.
-- Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.

Impact:
Excessive memory consumption that leads to dropped connections.

Workaround:
There is no workaround at this time.

Fix:
When Session DB messages are lost, the connection is killed and any queued packets are discarded. If the client application resends packets, they are treated as new connections.

708653-3 : TMM may crash while processing TCP traffic

Solution Article: K07550539

708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.

708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Solution Article: K33319853

Component: Local Traffic Manager

Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.

708068-3 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalized parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.

Fix:
The TCL command HTTP::path -normalize should return normalized path.

708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

Component: TMOS

Symptoms:
Web Acceleration feature may not handle big HTML file with improper conditional comments inside in some cases. TMM may crash processing such files if Web Acceleration profile is attached to VIP.

Conditions:
- HTML file with conditional comments inside:


- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.

Impact:
TMM crash interrupts all active sessions.

Workaround:
There is no workaround at this time.

Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.

707990-3 : Unexpected TMUI output in SSL Certificate Instance page

Solution Article: K41704442

707951 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.

Fix:
Stalled mirrored flows no longer appear when OneConnect is used.

707888 : Some ASM operations delayed due to scheduled ASU update

Component: Application Security Manager

Symptoms:
Some ASM operations (such as Apply Policy) are delayed while a scheduled ASU update is in progress. This issue affects only 12.1.3.x from 12.1.3.2 and later.

Conditions:
A scheduled ASM update is in progress on systems running v12.1.3.x.

Impact:
Some ASM operations, such as Apply Policy, are delayed.

Workaround:
There is no workaround at this time.

Fix:
Other ASM operations are no longer blocked by scheduled ASU update.

707740-3 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination

Component: TMOS

Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.

Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.

Impact:
Cannot delete the unused monitor.

Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only

You can now delete the monitor.

Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.

707675 : FQDN nodes or pool members flap when DNS response received

Component: Local Traffic Manager

Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.

Such an event is accompanied by log messages similar to the following:

-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.

This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.

This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.

Workaround:
Either of the following methods can be used to work around this issue:

-- Configure static IP addresses instead of FQDN nodes/pool-members.

-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).

Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

707509-3 : Initial vCMP guest creations can fail if certain hotfixes are used

Component: TMOS

Symptoms:
vCMP guest fails to enter the 'provisioned' or 'deployed' states and similar messages can be seen in /var/log/ltm:

-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255

Conditions:
Creating vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.

Impact:
vCMP guest cannot be created.

Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.

Fix:
Guest creation succeeds.

707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

Component: Local Traffic Manager

Symptoms:
SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default SNI profile, however is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If then the connection attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).

The fix: When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from
non-default SNI profile, stop the search and return NULL.

Conditions:
SNI configured with one default SNI profile, one or multiple SNI profiles. The default SNI profile is changed and renegotiation with SNI(with non-default SNI profile) is issued.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.

707445 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.

707391-4 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.

Workaround:
Workaround would be to restart the dynamic routing process.

Fix:
BGP may no longer keeps announcing routes after disabling route health injection

707310-1 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.

Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.

Workaround:
There is no workaround at this time.

Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.

707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

707207-2 : iRuleLx returning undefined value may cause TMM restart

Component: Local Traffic Manager

Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where
its jsonrpc v2.0 representation is missing required fields, such as "result".

Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.

Impact:
Traffic is interrupted.

Workaround:
There is no workaround at this time.

Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.

707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl

Component: Application Security Manager

Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.

Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is enountered

Impact:
A process may consume high CPU even after the high traffic period is finished.

Workaround:
Kill asm_config_server.pl (This will not affect traffic)

Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual

707003-2 : Unexpected syntax error in TMSH AVR

Component: TMOS

Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown

It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'

Conditions:
Whenever the affected tmsh command is run.

Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown

Workaround:
There is no workaround besides not running the affected command.

Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown

706845-1 : False positive illegal multipart violation

Component: Application Security Manager

Symptoms:
A false positive multipart violation.

Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.

Impact:
A false positive violation, request rejected.

Workaround:
Might be workaround using an irule

Fix:
Corrected ASM multipart parsing.

706642-3 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

Fix:
wamd n longer leaks memory during configuration changes and cluster events.

706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.

706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.

Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.

A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)

Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.

Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.

706374-2 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption

Component: Access Policy Manager

Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.

Workaround:
There is no workaround.

Fix:
Stability problems in DNS lookups in APM Kerberos SSO (S4U) have been corrected.

706354-1 : OPT-0045 optic unable to link

Component: TMOS

Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port does not function. The following error appears in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0.

Conditions:
OPT-0045 in a 40G port.

Impact:
Optic does not work; interface does not come up.

Workaround:
None.

Fix:
This release supports the OPT-0045 optical transceiver.

706305-2 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled

Component: TMOS

Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.

Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.

Impact:
Inability for the unit to use BGP

Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may allow to workaround this issue.

Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled

706128-1 : DNSSEC Signed Zone Transfers Can Leak Memory

Component: Global Traffic Manager (DNS)

Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.

For example:

tmsh show sys memory raw | grep dnssec

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.

Impact:
TMM leaks memory related to the signed zone transfer.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer leaks DNSSEC zone transfer related memory.

706104-2 : Dynamically advertised route may flap

Component: TMOS

Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.

Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configure in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route

Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.

Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.

The problem will also be resolved by moving the route from tmsh into ZebOS.
- In imish config mode, "ip route <route> <gateway>"
- In tmsh, "delete net route <route>"

Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.

706102-3 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.

Fix:
An SMTP monitor handles all use cases that include a multi-line banner.

706086-1 : PAM RADIUS authentication subsystem hardening

Solution Article: K62750376

705794-1 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash

Component: Local Traffic Manager

Symptoms:
A HTTP/2 stream is getting overlooked when cleaning up a HTTP/2 flow.

Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.

705611-1 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used

Component: Local Traffic Manager

Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.

Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.

Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.

705503-1 : Context leaked from iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
The memory usage increases, and stats are inaccurate.

Conditions:
Call RESOLV::lookup from an iRule.

Impact:
Memory leak that accumulates over time and inaccurate stats.

Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.

Fix:
Memory leak no longer occurs.

705476-4 : Appliance Mode does not follow design best practices

Solution Article: K28003839

705112-1 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent doesn't have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.

705037-3 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.

Fix:
System no longer exhibits duplicate if_index statistics.

704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.

Fix:
NAS-IP-Address Attribute is now set correctly when the the BIG-IP system is configured to use RADIUS authentication.

704733-2 : NAS-IP-Address is sent with the bytes in reverse order

Component: TMOS

Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).

Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.

Fix:
This has been corrected.

704666-2 : memory corruption can occur when using certain certificates

Component: Local Traffic Manager

Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.

Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.

Impact:
TMM could crash.

Workaround:
Do not use certificates with extremely long common names

Fix:
A length check has been added to avoid corruption when using extremely long common names.

704580-3 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Solution Article: K05018525

704524-2 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.

Fix:
Kerberos DNS SRV requests now support EDNS0 so that UDP responses greater than 512 bytes can be received correctly, eliminating delays caused by TCP retransmission.

704490 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003

704483 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003

704449-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.

Fix:
tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.

704381-3 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.

Fix:
SSL/TLS handhake failures and terminations are now logged at a higher level (WARNING).

704336-3 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix:
The fix will now add all the intermediate and root certificate including device certificate to Trusted Server and Trusted Device certificate bundle.

704282-3 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy

Component: TMOS

Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.

Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.

For this to happen, the fair share rate of the instance of dynamic policy has to be less than than 32 times the average packet size of the instance of policy.

For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
F5 does not recommend running the BWC under 64Kbps.

Either decrease the number of subscribers or increase the max-rate of dynamic policy.

Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.

704247-3 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.

Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted

704184-3 : APM MAC Client create files with owner only read write permissions

Solution Article: K52171282

704143-2 : BD memory leak

Component: Application Security Manager

Symptoms:
A BD memory leak.

Conditions:
websocket traffic with specific configuration

Impact:
Resident memory increases, swap getting used.

Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.

704073-3 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm

Solution Article: K24233427

Component: Local Traffic Manager

Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent

Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.

703984-2 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.

Conditions:
MacOS APM client using Machine Certificate Check agent.

Impact:
Hostname match may be incorrect in these cases.

Workaround:
There is no workaround at this time.

Fix:
The MacOS machine certificate check agent now matches on the whole host string rather than a sub string.

703940-3 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803

703914-1 : TMM SIGSEGV crash in poolmbr_conn_dec.

Component: Local Traffic Manager

Symptoms:
TMM cores in poolmbr_conn_dec function.

Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.

Impact:
TMM core, traffic interruption, possible failover.

Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.

Fix:
TMM correctly handles LB:reselect on virtual servers with pools using request queueing.

703869-1 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.

703835-4 : When using SCP into BIG-IP systems, you must specify the target filename

Solution Article: K82814400

703793-1 : tmm restarts when using ACCESS::perflow get' in certain events

Component: Access Policy Manager

Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.

Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).

Impact:
tmm cores and traffic flow will be interrupted while it restarts.

Workaround:
None.

Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.

703761-1 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode

Component: TMOS

Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.

Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.

Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.

Workaround:
There is no workaround at this time.

Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.

703580 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.

Component: Local Traffic Manager

Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)

Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.

Impact:
TLS1.1 handshake fails on the guest.

Workaround:
Use the same software version on the vCMP host and vCMP guests.

Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.

703515-5 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
Custom persistence key is not a multiple of 3 bytes

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.

703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
System now provides valid data to Citrix Receiver for Android client.

702946-2 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.

702873-3 : Windows Logon Integration feature may cause Windows logon screen freeze

Component: Access Policy Manager

Symptoms:
Windows Logon Integration feature might cause a Microsoft Windows logon screen freeze, making Windows OS unresponsive to any client end user actions.

Conditions:
-- Client user putting laptop into sleep mode and waking it up multiple times.
-- Possibly, only Windows 10 is affected.

Impact:
Logon screen may hang, not allowing client user to type in credentials.

Workaround:
Reinstall EdgeClient without the Windows Logon Integration Feature.

Fix:
Previously, the Windows Logon Integration feature sometimes caused the Windows Logon screen to freeze. Now, this issue has been fixed.

As a side effect of the fix, the Logon screen now shows duplicates of the pre-logon VPN Entries, which might be confusing for client users. One duplicate comes from the Microsoft Credentials Provider. For information on how to disable the default Microsoft Credentials Provider, see the Microsoft Windows article: How to disable additional credential providers :: https://social.technet.microsoft.com/Forums/windows/en-US/9c23976a-3e2b-4b71-9f19-83ee3df0848b/how-to-disable-additional-credential-providers.

702738 : Tmm might crash activating new blob when changing firewall rules

Solution Article: K32181540

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.

Conditions:
Updating, removing, or adding firewall rules.

Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.

Impact:
Data traffic processing stops.

Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).

Option B
Modify all the rules simultaneously.

For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }

4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.

Fix:
TMM no longer crashes when changing firewall rules.

702490-4 : Windows Credential Reuse feature may not work

Component: Access Policy Manager

Symptoms:
Windows Credential Reuse feature may not work requiring that the EdgeClient end user enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).

The logterminal.txt file contains messages similar to the following:

<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted

Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.

Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.

Workaround:
There is no workaround at this time.

Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.

702487-1 : AD/LDAP admins with spaces in names are not supported

Component: Access Policy Manager

Symptoms:
If admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail, and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.

Note: Names containing spaces are not supported on BIG-IP systems.

Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.

Impact:
VPE, import/export/copy/delete do not work.

Workaround:
There is no workaround other than to not use admin names containing spaces.

Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.

702472-4 : Appliance Mode Security Hardening

Solution Article: K87659521

702469-4 : Appliance mode hardening in scp

Solution Article: K73522927

702450-4 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.

Fix:
Made the error message accurately reflect what the user was attempting to delete.

702278-3 : Potential XSS security exposure on APM logon page.

Component: Access Policy Manager

Symptoms:
Potential XSS security exposure on APM logon page.

Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.

Impact:
Potential XSS security exposure.

Workaround:
1. Using APM Advance Customization UI, remove setOrigUriLink(); call in logon.inc from the next JS function:

369 function OnLoad()
370 {
371 var header = document.getElementById("credentials_table_header");
372 var softTokenHeaderStr = getSoftTokenPrompt();
373 if ( softTokenHeaderStr ) {
374 header.innerHTML = softTokenHeaderStr;
375 }
376 setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
377 setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
378 // ===> REMOVE THIS ONE setOrigUriLink();
----

Fix:
Potential security exposure has been removed from APM logon page.

702151-2 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.

701900 : DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.

Solution Article: K55938217

Component: TMOS

Symptoms:
DHCP-configured domain-name-servers (DNS) unavailable after reboot when there are more than two domain-name-servers in the lease.

Conditions:
- DHCP is enabled on the mgmt interface.
- DHCP server provides more than 2 domain-name-servers in its lease.

Impact:
Name resolution on mgmt interface fails due to misconfiguration in DNS information for mgmt interface.

Workaround:
No workaround at this time.

Fix:
This release corrects the handling of multiple DNS name-servers.

701856-2 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart

Component: Application Security Manager

Symptoms:
In rare circumstance, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.

Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).

Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.

Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl

Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.

701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz ,is saved unnecessarily during UCS file save, and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.

701785-3 : Linux kernel vulnerability: CVE-2017-18017

Solution Article: K18352029

701680-1 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Component: Service Provider

Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.

Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate-limited is applied.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
There is no workaround at this time.

Fix:
MBLB rate-limited virtual server now correctly sends packets to the server.

701678-1 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded

Component: Local Traffic Manager

Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.

Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
None.

Fix:
UDP rate-limited virtual server now correctly sends packets to the server.

701626-1 : GUI resets custom Certificate Key Chain in child client SSL profile

Solution Article: K16465222

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring.

You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.

701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled

Component: Local Traffic Manager

Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses; a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after making other changes affecting the state of other FQDN members of the pool.

Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.

Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.

Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.

Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.

Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

701538-1 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured

Component: Local Traffic Manager

Symptoms:
SSL handshake fails if the client initiates the handshake with TLS false start (specifically, client SSL sends the SSL record data to the server before the Server sends out the CSS is FINISHED notification).

Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is default for for non-virtual edition (VE) versions).

Impact:
The BIG-IP system sends the RST to tear down the connection in TLS false start.

Workaround:
There are no true workarounds. You must disable one of the conditions to workaround the issue:

-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not try to use TLS false start and still be able to use (EC)DHE.

Fix:
The system no longer processes application data before verifying that the finished message arrives and handshake is complete.

701359-2 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310

701327-1 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exists.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.

701253-3 : TMM core when using MPTCP

Solution Article: K16248201

701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.

701202-1 : SSL memory corruption

Solution Article: K35023432

Component: Local Traffic Manager

Symptoms:
In some instances random memory can be corrupted causing TMM core.

Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.

Impact:
TMM crash, disrupting traffic.

Workaround:
There is no workaround at this time.

Fix:
The memory corruption issue has been fixed.

701039 : Requests do not appear in local logging due to rare file descriptor exhaustion

Component: Application Security Manager

Symptoms:
In an extremely rare circumstance, requests do not appear in local logging due to file descriptor exhaustion in asmlogd.

Conditions:
-- ASM configured.
-- ASM policy with an associated 'Log all requests' logging profile.
-- Requests sent to virtual server.
-- View Request Log.

Impact:
Requests do not appear in local logging.

Workaround:
Restart ASM, or pkill -f asmlogd.

Fix:
Requests appear in local logging correctly.

700889-2 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Solution Article: K07330445

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7 which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not using WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.

Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.

700862-2 : tmm SIGFPE 'valid node'

Solution Article: K15130240

Component: Local Traffic Manager

Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.

Conditions:
The host is unreachable.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when the host is unreachable.

700827-2 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.

Fix:
This release introduces a new variable mhdag.pu.table.size.multiplier. Setting it to 2 or 3 mitigates the issue.

700812-2 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Component: Application Security Manager

Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.

Conditions:
Try to deploy a qkview on a BIG-IP using the asmrepro tool
while BIG-IP has a 4 element version like 13.1.0.1.

Impact:
Cannot deploy a 4 element version qkview on a BIG-IP using the asmrepro tool.

Workaround:
n/a

Fix:
asmrepro now handles the version number properly.

700783-3 : Machine certificate check does not check against all FQDN hostnames

Component: Access Policy Manager

Symptoms:
macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. Machine certificate check does not check against all FQDN hostnames. This causes failure in certain scenarios.

Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.

Impact:
Machine cert check might fail.

Workaround:
No workaround at this time.

Fix:
Previously, with a macOS system that had multiple hostnames, the machine certificate check could not check against all hostnames, causing failures in some scenarios. Now, the machine certificate check compares all hostnames on macOS devices.

700780-4 : F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses

Component: Access Policy Manager

Symptoms:
F5 DNS Relay Proxy service does not support DNS-over-TCP requests, so if, in some configuration, the client resolver decides to use TCP for DNS resolution, this packet is not re-routed/proxied by the DNS Relay Proxy service, and may be causing DNS to be resolved using an incorrect DNS server (where the system decides to send it).

Typically, if a client receives DNS response with the TC flag set, it retries using TCP. Clearing the TC flag makes client resolver not use TCP at all, preventing DNS packets leakage.

Conditions:
-- DNS server responds with TC flag set in DNS response packet.
-- Windows only is affected.

Impact:
DNS resolution may not work as designed, as the system might send a packet to an incorrect DNS server.

Workaround:
None.

Fix:
Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.

700757-2 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd

Fix:
Prevented vcmpd from crashing when exiting.

700726-1 : Search engine list was updated, and fixing case of multiple entries

Component: Application Security Manager

Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.

Conditions:
Site accessed by search engines.

Impact:
Traffic from search engines is blocked unnecessarily.

Workaround:
Manually add search engines.

Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.

700696-2 : SSID does not cache fragmented Client Certificates correctly via iRule

Component: Local Traffic Manager

Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.

Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.

Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.

Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.

Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).

700571-2 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL

Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.

700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled

Component: Application Security Manager

Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.

Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug',
enable 'device discovery' on Chrome on the desktop, and view the console from there.

Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.

Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.

The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.

Workaround:
Disable Device ID in ASM policy.

Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.

700556-2 : TMM may crash when processing WebSockets data

Solution Article: K11718033

700527-1 : cmp-hash change can cause repeated iRule DNS-lookup hang

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.

700433-2 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.

As a result of this issue, you may encounter one or more of the following symptoms:

-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.

-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.

Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.

Workaround:
None.

Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.

700393-2 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash

Solution Article: K53464344

Component: Local Traffic Manager

Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.

Conditions:
HTTP/2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.

700386-1 : mcpd may dump core on startup

Component: TMOS

Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.

Conditions:
This can happen only at startup.

Impact:
mcpd restarts, but resumes normal operation.

Workaround:
None.

Fix:
mcpd no longer generates a core on startup.

700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.

Component: Application Security Manager

Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.

Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.

Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.

Workaround:
None.

Fix:
The system now handles Ajax requests being sent via the JQuery framework.

700315-3 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process, by running a command similar to the following: kill -9 'pidof tshark'

Fix:
Ctrl+C now terminates TShark as expected.

700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No work around for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.

Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.

700061-3 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file

Component: Local Traffic Manager

Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key files Unix permission changes from '-rw-r-----' to
'-rw-r--r--'

Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.

Impact:
Key file Unix read permission changes from '-rw-r-----' to
'-rw-r--r--'

Workaround:
There is no workaround at this time.

Fix:
Fix made sure restart of service MCPD and reboot of device does not change key files Unix read permissions from '-rw-r-----' to
'-rw-r--r--'

700057-3 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.

699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.

699598-4 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR

Component: Local Traffic Manager

Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.

Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.

Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.

Workaround:
None.

Fix:
Large HTTP/2 requests are now processed as expected.

699531-3 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.

Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.

699455-3 : SAML export does not follow best practices

Solution Article: K50254952

699454-3 : Web UI does not follow current best coding practices

Component: Advanced Firewall Manager

Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.

Conditions:
Authenticated web UI user.

Impact:
UI does not respond as intended.

Workaround:
None.

Fix:
The web UI now follows current best coding practices while processing URL DB updates.

699452-3 : Web UI does not follow current best coding practices

Solution Article: K29280193

699431 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Impact:
The table entry will be remain until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.

699346-2 : NetHSM capacity reduces when handling errors

Solution Article: K53931245

699339-1 : Geolocation upgrade files fail to replicate to secondary blades

Solution Article: K24634702

Component: Global Traffic Manager (DNS)

Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.

Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.

Impact:
Geoip database is not updated to match primary blade.

Workaround:
Use either of the following workarounds:

-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.

-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.

To edit /etc/csyncd.conf:

Merge the following two terms:
monitor dir /shared/GeoIP {...)
monitor dir /shared/GeoIP/v2 {...}

into one term, as follows:
monitor dir /shared/GeoIP {
        queue geoip
        pull pri2sec
        recurse yes
        defer no
        lnksync yes
        md5 no
        post "/usr/local/bin/geoip_reload_data"
}

Fix:
Geolocation upgrade files now correctly replicate to secondary blades.

699281 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
Recently F5 incorporated 4th element into versioning scheme. 4th and 5th are separated by dash (instead of dot) in ISO name. This change/bug insures that names of hypervisor bundles also use dash between 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example ova files for vmware).

Impact:
Version format in names of hypervisor bundles matches version format of ISO file

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).

699267-1 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled

Impact:
LDAP Query agent fails.
unable to get user identity.
unable to finalize Access Policy.

Fix:
after fix, LDAP Query resolves all nested groups as expected and session.ldap.last.attr.memberOf attributes contains user's groups

699262-2 : FQDN pool member status remains in 'checking' state after full config sync

Component: Local Traffic Manager

Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.

Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:

tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }

Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.

Workaround:
Restart bigd on the affected peer after the config sync.

Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

699147 : Hourly billed cloud images are now pre-licensed

Component: TMOS

Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.

Conditions:
Using hourly billing.

Impact:
Hourly instances do not receive licenses and thus could not pass traffic without outbound internet access.

Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.

Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.

699135-2 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.

Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create a iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.

Impact:
tmm cores.

Workaround:
Don't use host command for non type A/AAAA wideips.

698947-1 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.

Component: TMOS

Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.

Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.

Impact:
The decapsulated packets may be dropped in the BIG-IP system.

Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.

698919-1 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.

698916-3 : TMM crash with HTTP/2 under specific condition

Component: Local Traffic Manager

Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connnection.

Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.

Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.

698813-3 : When processing DNSX transfers ZoneRunner does not enforce best practices

Solution Article: K45435121

698806-2 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces

Component: Advanced Firewall Manager

Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.

Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.

Impact:
Egress Interfaces will not be checked even if they are configured.

Workaround:
Use tmsh to check if the object is actually configured with Egress Interfaces

Fix:
Egress Interfaces will be selected whenever a user tries to create a source Translation object with Egress Interfaces.

698757-1 : Standby system saves config and changes status after sync from peer

Solution Article: K58143082

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.

Conditions:
-- Manual sync device-group configuration.
-- Modify existing policy encoding to uppercase (via tmsh).
-- ASM configuration.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
Use either of the following workarounds:
-- Push the sync back from the Standby device to the Active device, and then again from the Active to Standby.

-- Put the device group into auto-sync state and push the config from the Active to the Standby. After the Sync state resolves and the ASM configuration is finished loading, the device group can be put back to Manual sync.

Fix:
Change requested encoding to lowercase.

698379-3 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(

Solution Article: K61238215

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.

Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.

698376-4 : Non-admin users have limited bash commands and can only write to certain directories

Component: TMOS

Symptoms:
TMSH access to Linux utilities does not follow best security practices.

Conditions:
Users without Advanced Shell Access running Linux utilities from inside TMSH.

Impact:
TMSH does not follow best security practices

Workaround:
None.

Fix:
TMSH access to Linux utilities now follows best security practices.

Behavior Change:
Some tmsh util commands will be restricted to writing files to certain directories.

698338-2 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.

Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.

698080-1 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183

698000-1 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupts traffic to connections using a pool member to reach the nexthop.

697878 : High crypto request completion time under some workload patterns

Component: TMOS

Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into associated waiting queue. The crypto requests continue to complete, but are significantly delayed.

Conditions:
High crypto usage often in conjunction with high compression usage.

Impact:
Crypto requests can be delayed as long as 1.5 seconds.

Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
tmsh modify sys db crypto.hwacceleration value disable

Fix:
Improve accelerated crypto poll-timing calculation.

697718-3 : Increase PEM HSL reporting buffer size to 4K.

Component: Policy Enforcement Manager

Symptoms:
Before this fix, PEM HSL reporting buffer size is limited by 512 bytes.

Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.

Impact:
Part of PEM HSL flow reporting information will be lost.

Fix:
We increase PEM HSL reporting buffer size to 4K, which should be enough for uses cases we currently know.

697616 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests

Component: TMOS

Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: HA crypto_failsafe_t qat-crypto0-0 fails action is failover.

Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.

Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.

Workaround:
None.

Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.

697424 : iControl-REST crashes on /example for firewall address-lists

Component: TMOS

Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.

Conditions:
Making a call to /example on firewall address-list.

Impact:
The icrd_child process crashes.

Workaround:
There is no workaround other than not calling /example on firewall address-lists.

697303-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.

697259-1 : Different versioned vCMP guests on the same chassis may crash.

Solution Article: K14023450

Component: Local Traffic Manager

Symptoms:
The vCMP guest TMM crashes soon after startup.

Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.

Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Different versioned vCMP guests on the same chassis no longer crash.

696808-3 : Disabling a single pool member removes all GTM persistence records

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidently cleared.

Workaround:
Set drain-persistent-requests yes.

Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.

696789-2 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, and the irule is resumed because of timeout.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.

696732 : tmm may crash in a compression provider

Solution Article: K54431534

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes, Traffic disrupted while tmm restarts.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly

696468 : Active compression requests can become starved from too many queued requests.

Component: TMOS

Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.

CPU utilization per tmm in this condition may be quite high.

Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.

Impact:
Compression on a per-tmm basis can stop servicing new requests.

Workaround:
Switch to software compression.

Fix:
Soften the restriction so that accumulated contexts with no traffic cannot not prevent busy contexts from getting compression time.

696383-2 : PEM Diameter incomplete flow crashes when sweeped

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.

696294-3 : TMM core may be seen when using Application reporting with flow filter in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM core with flow filter when Application reporting action is enabled

Conditions:
If Application reporting is enabled along with flow filter

Impact:
TMM restart causing service interruption

Fix:
Initialize the application start buffer so as to prevent the TMM core

696265-3 : BD crash

Solution Article: K60985582

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.

696113-1 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.

Fix:
An object tracking crypto operations now adds a sole reference to the connflow as long as the count of crypto operation pending is nonzero.

696049-3 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.

695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.

695925-3 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using tmsh show sys connection

695901-2 : TMM may crash when processing ProxySSL data

Solution Article: K46940010

695878-5 : Signature enforcement issue on specific requests

Component: Application Security Manager

Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.

Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.

-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).

Impact:
Attack signatures are not enforced on the payload of this request at all.

Workaround:
Turn on the violation in blocking 'Request exceed max buffer size'.

Fix:
The operation now looks into part of the payload for the attack signatures enforcement.

695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes

Solution Article: K30081842

Component: Local Traffic Manager

Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.

Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.

FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.

Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:

... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...

Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.

Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.

Fix:
bigd no longer produces corrupted MCP messages, resulting in nodes and/or pool members remaining in a 'checking' state, with up to 2,000 nodes and/or pool members including FQDN nodes and/or pool members configured. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

694922-4 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state

694778-2 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Component: Local Traffic Manager

Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).

Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Workaround:
There is no workaround other than to disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources now can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.

694740-1 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

Fix:
Reboot is delayed until TMM core file is completed.

694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.

694697-3 : clusterd logs heartbeat check messages at log level info

Solution Article: K62065305

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice.

Fix:
The log level of clusterd logs heartbeat check messages has changed. For 'Skipping heartbeat check' messages, the log level is now debug, and 'Checking heartbeat of peer slot' messages log level is verbose and now reports on which bp the heartbeat was received.

694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.

Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.

694656-3 : Routing changes may cause TMM to restart

Solution Article: K05186205

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

Fix:
TMM now properly manages routing information for active connections.

694319-3 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues as not all CCA messages cannot be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
Add a statistics counter to track CCA's that do not request type AVPs.
Name of new counter:cca_unknown_type

694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending resulting in a potential increase in memry consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.

694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223

694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.

693996-3 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.

693910-2 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transition to a STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a block state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

Fix:
FDB entries are now flushed by interface whenever an interface transitions to a STP block state.

693884-3 : ospfd core on secondary blade during network unstability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
Dynamic routing process ospfd core on secondary blade.

Workaround:
None.

693838 : Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors

Component: Local Traffic Manager

Symptoms:
Member of pool is not marked down when response time exceeds hard limit.

Conditions:
Adaptive monitoring enabled for UDP monitor and server response time exceeds hard limit.

Impact:
Member remains in pool despite exceeding hard limit which may result in degraded services.

Workaround:
None.

693744-3 : CVE-2018-5531: vCMP vulnerability

Solution Article: K64721111

693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

Component: Access Policy Manager

Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.

Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.

Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.

Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.

Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.

693582-3 : Monitor node log not rotated for certain monitor types

Component: Local Traffic Manager

Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.

Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member, and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
- external

Impact:
Depending on the affected BIG-IP version in use, effects may include the following symptoms:

1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).

2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).

3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.

Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).

-- If symptom #1 occurs, Monitor Logging can be re-enabled after log rotation has occurred.

-- To address symptoms #2 or #3, Monitor Logging can be re-enabled immediately.

For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors :: https://support.f5.com/csp/article/K12531.

Fix:
Monitor node logs are now rotated/compressed as expected.

693388-1 : Log additional HSB registers when device becomes unresponsive

Component: TMOS

Symptoms:
HSB becomes unresponsive, and logs no registers to indicate the state of the device. There is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

Fix:
There is now logging of additional registers to assist in diagnosing the failure.

The registers can be seen in the TMM log files when there is either an HSB transmitter or receive failure.

693312-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684

693308-3 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Component: Local Traffic Manager

Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both, client and server side
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Impact:
The backend server will not be securely accessible via SSL because the connection hangs

Workaround:
Disable SSL Session Persistence.

Fix:
Whenever a fragmented message is received by a BIG-IP virtual service, subsequent messages contain a 5-byte header, each, which should be accounted for. Upon taking this into consideration, no more multiple-of-5 bytes are found missing while the message is being parsed by the Session Persistence parser, and the parser no longer hangs.

693211-3 : CVE-2017-6168

Solution Article: K21905460

693106-2 : IKEv1 newest established phase-one SAs should be found first in a search

Component: TMOS

Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.

If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BigIP, preferring a newest SA may mitigate the problem.

Conditions:
The situation seems mostly easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.

If the other end deletes a duplicate without sending a DELETE message to BigIP, we might accidently use the older SA of a pair.

Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.

Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.

Fix:
At the momenet a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of a remote peer, the next time we initiate another phase two negotiation ourselves.

693007-3 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager (DNS)

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.

Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.

692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.

692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.

692307-1 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables

692239-1 : AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds

Solution Article: K31554905

Component: TMOS

Symptoms:
When using the AOM menu, LCD touchscreen, or the operating system 'halt' command to power off then on the host CPU on i5600, i5800, i7600, i7800, i10600, i10800 platforms, the AOM creates a 'Host Power Cycle Event' SEL log entry every two seconds. The SEL log will continue to grow until external power to the appliance is fully power cycled.

Conditions:
-- Running on i5600, i5800, i7600, i7800, i10600, i10800 platforms.

-- With an older version of CPLD code installed (e.g., CPLD 0x45), power-off the host using the AOM menu, the LCD touchscreen, or the operating system's 'halt' command.

   + Bring up the AOM menu using ESC shift-9, then select 'p' and '0' from the menu to power off the host CPU complex.
   + On the LCD touchscreen, navigate to [System] menu and select [Power Off] to power off the host CPU complex.
   + Run the 'halt' command on the BIG-IP host subsystem.

-- Wait a few seconds, and power on the host.

   + On the AOM menu, select 'p' and '1' to power on the host CPU complex.
   + On the LCD touchscreen, navigate to [System] menu and select [Power On] to power on the host CPU complex.
   + There is no equivalent shell method to turn the power back on after running the 'halt' command.

Impact:
This results in ongoing 'Host Power Cycle Event' messages to post in the SEL log (tail /var/log/sel) every two seconds.

The SEL log will continue to grow and wrap as this message continues to post to the SEL log every two seconds.

This results in a very large number of SEL entry fetches by the host CPU to the AOM and can place a substantial load on the AOM interface.

Workaround:
The actual fix is to install a newer version of i5600, i5800, i7600, i7800, i10600, i10800 platform CPLD code (e.g., CPLD 0x54 or CPLD 0x55).

Another workaround is to fully power cycle the appliance.
However, every time the AOM menu is used to power off then on the host, the SEL log entries re-appear.

Fix:
This issue is fixed in newer versions of the i5600, i5800, i7600, i7800, i10600, i10800 platforms CPLD (e.g., CPLD 0x54 or CPLD 0x55).

692189-3 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd

Fix:
errdefsd now generates a core file when forced to core.

692179-3 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.

Fix:
The changes in this bug force errdefsd to check for config changes once every second in addition to checking whenever management-port destination logs come in.

692165-2 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.

692158-2 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.

Conditions:
Use of iCall or CLI scripts to save the configuration.

Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.

Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.

Fix:
scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.

692123-2 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

Fix:
The GET method is not grayed out if MobileSafe is not licensed.

692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.

691945-2 : Security Policy Configuration Changes When Disabling Learning

Component: Application Security Manager

Symptoms:
When Learning is enabled in either manual or automatic mode, and is then disabled. This was considered to be the end of the learning process, and so changes are automatically made to the default wildcard entities ("*" URL, Parameter, Filetype) such as removing the element from staging.

The user is not notified of these changes, and they may not be expected, leading to undesired security enforcement.

Conditions:
-- Learning is enabled in Manual or Automatic mode.
-- Learning is then disabled.

Impact:
Unexpected changes to the default wildcard elements in the policy can lead to undesired security enforcement.

Workaround:
The audit log shows all changes that were made to the policy, and undesired changes can be remedied before the policy changes are applied.

Fix:
No changes are made to the default wildcard entities upon disabling of learning.

691897-1 : Names of the modified cookies do not appear in the event log

Component: Application Security Manager

Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie is empty.

Conditions:
A modified domain cookies violation happens.

Note: This can happen o

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP AAM

BIG-IP APM

BIG-IP Analytics

BIG-IP Link Controller

BIG-IP LTM

BIG-IP AFM

BIG-IP PEM

BIG-IP DNS

BIG-IP ASM

Cumulative fix details for BIG-IP v12.1.5 that are included in this release

810557-5 : ASM ConfigSync Hardening

807477-4 : ConfigSync Hardening

799617-5 : ConfigSync Hardening

799589-5 : ConfigSync Hardening

797885-5 : ConfigSync Hardening

796469-1 : ConfigSync Hardening

794413-5 : BIND vulnerability CVE-2019-6471

788301-2 : SNMPv3 Hardening

777261-1 : When SNMP cannot locate a file it logs messages repeatedly

774301-1 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

773553-5 : ASM JSON parser false positive.

771873-2 : TMSH Hardening

769809-1 : vCMP guests 'INOPERATIVE' after upgrade

766577-5 : APMD fails to send response to client and it already closed connection.

762453-4 : Hardware cryptography acceleration may fail

761231-5 : Bot Defense Search Engines getting blocked after configuring DNS correctly

760878-1 : Incorrect enforcement of explicit global parameters

760550-2 : Retransmitted TCP packet has FIN bit set

759968-1 : Distinct vCMP guests are able to cluster with each other.

759480-1 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

758872-1 : TMM memory leak

758764-5 : APMD Core when CRLDP Auth fails to download revoked certificate

758631-1 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

758527-5 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

758336-2 : Incorrect recommendation in Online Help of Proactive Bot Defense

758119-3 : qkview may contain sensitive information

758065-3 : TMM may consume excessive resources while processing FIX traffic

758018-2 : APD/APMD may consume excessive resources

757455-4 : Excessive resource consumption when processing REST requests

757391-1 : Datagroup iRule command class can lead to memory corruption

757088 : TMM clock advances and cluster failover happens during webroot db nightly updates

757027-4 : BIND Update

757026-4 : BIND Update

757025-4 : BIND Update

757023-5 : BIND vulnerability CVE-2018-5743

756774-3 : Aborted DNS queries to a cache may cause a TMM crash

756538-2 : Failure to open data channel for active FTP connections mirrored across an HA pair.

756450-3 : Traffic using route entry that's more specific than existing blackhole route can cause core

756270-1 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

756153-1 : Add diskmonitor support for MySQL /var/lib/mysql

756094-1 : DNS express in restart loop, 'Error writing scratch database' in ltm log

755507-1 : [App Tunnel] 'URI sanitization' error

754944-4 : AVR reporting UI does not follow best practices

754365-2 : Updated flags for countries that changed their flags since 2010

754345-4 : WebUI does not follow best security practices

754257 : URL lookup queries not working

754103-3 : iRulesLX NodeJS daemon does not follow best security practices

753912-1 : UDP flows may not be swept

753796-3 : SNMP does not follow best security practices

753776-3 : TMM may consume excessive resources when processing UDP traffic

752930 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

752835-1 : Mitigate mcpd out of memory error with auto-sync enabled.

751586-1 : http2 virtual does not honour translate-address disabled

750586-3 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

750460-4 : Subscriber management configuration GUI

750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

750213-1 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

750187-4 : ASM REST may consume excessive resources

749879 : Possible interruption while processing VPN traffic

749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records