Applies To:
BIG-IP AAM
- 13.0.0
BIG-IP APM
- 13.0.0
BIG-IP Link Controller
- 13.0.0
BIG-IP Analytics
- 13.0.0
BIG-IP LTM
- 13.0.0
BIG-IP AFM
- 13.0.0
BIG-IP PEM
- 13.0.0
BIG-IP DNS
- 13.0.0
BIG-IP ASM
- 13.0.0
BIG-IP Release Information
Version: BIGIP-13.0.0
Build: 1645.0
Known Issues in BIG-IP v13.0.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
--- | --- | --- | --- |
600662 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
599168 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
598983 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
596488 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
591806 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
574060 | CVE-2015-7547 | K47098834 | glibc: getaddrinfo stack-based buffer overflow |
569467-8 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
624570 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
624459 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
618306 | CVE-2016-9247 | K33500120 | TMM vulnerability CVE-2016-9247 |
616864 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
613282 | CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 | K15311661 | NodeJS vulnerability CVE-2016-2086 |
612128-6 | CVE-2016-6515 | K31510510 | OpenSSH vulnerability CVE-2016-6515 |
608601 | CVE-2014-8127 CVE-2014-8129 CVE-2014-8130 CVE-2014-9330 CVE-2014-9655 CVE-2015-1547 CVE-2015-7554 CVE-2015-8665 CVE-2015-8668 CVE-2015-8683 CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 CVE-2015-8784 CVE-2016-3632 CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 | K35155453 | Multiple LibTIFF vulnerabilities |
598294 | CVE-2016-7472 | K17119920 | BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472 |
596340 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
591328 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591327 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591325 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
591042 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
580596-2 | CVE-2013-0169 CVE-2016-6907 | K14190 K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
579955 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
573778 | CVE-2016-1714 | K75248350 | QEMU vulnerability CVE-2016-1714 |
569455 | CVE-2016-0728 | K01948202 | Linux kernel vulnerability CVE-2016-0728 |
563670 | CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | K86772626 | OpenSSL vulnerabilities |
630856 | CVE-2016-6816 | K50116122 | Apache Tomcat vulnerability CVE-2016-6816 |
625372 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
622495 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
622126 | CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 | K54308010 | PHP vulnerability CVE-2016-7124 |
621337 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
618549 | CVE-2016-9249 | K71282001 | Fast Open can cause TMM crash CVE-2016-9249 |
618263 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
618261 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
613225 | CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
607314 | CVE-2016-3500, CVE-2016-3508 | K25075696 | Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508 |
605039 | CVE-2016-2775 | K92991044 | lwresd and bind vulnerability CVE-2016-2775 |
601059 | CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 | K14614344 | libxml2 vulnerability CVE-2016-1840 |
600232-1 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
599858 | CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 | K68785753 | ImageMagick vulnerability CVE-2015-8898 |
597023 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
595242 | CVE-2016-3705 | K54225343 | libxml2 vulnerabilities CVE-2016-3705 |
595231 | CVE-2016-3627 | K54225343 | libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705 |
594496 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
593447 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
592001 | CVE-2016-4071 CVE-2016-4073 | K64412100 | CVE-2016-4073 PHP vulnerabilities |
591918 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
591908 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
591894 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
591881 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
591455 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
591447 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
587077 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
585502 | CVE-2016-1978 CVE-2016-1979 | K37540306 | nss, nspr, and nss-util vulnerabilities: CVE-2016-1978 and CVE-2016-1979 |
580747 | CVE-2016-0739 | K57255643 | libssh vulnerability CVE-2016-0739 |
579220 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
572599 | CVE-2015-7504 CVE-2015-7512 | K63519101 | QEMU vulnerabilities CVE-2015-7504 CVE-2015-7512 |
572597 | CVE-2015-5279 | K63519101 | CVE-2015-5279: A heap buffer overflow in QEMU's NE2000 NIC |
572596 | CVE-2015-5165 | K63519101 | CVE-2015-5165: leak flaw in QEMU's RTL8139 emulation |
570697 | CVE-2015-8138 | K71245322 | NTP vulnerability CVE-2015-8138 |
564111 | CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 | K05428062 | Multiple PCRE vulnerabilities |
556740 | CVE-2015-7613 | K90230486 | Kernel vulnerability CVE-2015-7613 |
548295 | CVE-2015-5073 | K17331 | PCRE library vulnerability CVE-2015-5073 |
406550 | CVE-2012-5784 | K14371 | CVE-2012-5784: Apache Axis vulnerability |
622662 | CVE-2016-6306 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
600198-1 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
599285-1 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
597010 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
596997 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
591767-1 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
591438 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
580340 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
580313 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
579975 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability |
579829 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
579237 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
579098 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
579085 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
578570 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
576883 | CVE-2016-0706 | K30971148 | BIG-IP vulnerable to CVE-2016-0706 |
576881 | CVE-2015-5345 | K30971148 | BIG-IP vulnerable to CVE-2015-5345 |
576878 | CVE-2015-5174 | K30971148 | BIG-IP vulnerable to CVE-2015-5174 |
575629-1 | CVE-2015-8139 | K00329831 | NTP vulnerability: CVE-2015-8139 |
573451 | CVE-2015-7974 | K13304944 | NTP vulnerability CVE-2015-7974 |
573343 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
569355 | CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 | K50118123 | Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 |
568151 | CVE-2015-5219 | K60352002 | SNTP vulnerability CVE-2015-5219 |
568054 | CVE-2015-5195 | K02360853 | NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195 |
568052 | CVE-2015-5194 | K02360853 | NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195 |
567379 | CVE-2013-4397 | K16015326 | libtar vulnerability CVE-2013-4397 |
565895 | CVE-2015-3217 | K17235 | Multiple PCRE Vulnerabilities |
545718 | CVE-2015-5352 | K17461 | CVE-2015-5352: OpenSSH vulnerability |
531877 | CVE-2015-5146 | K17114 | NTP vulnerability CVE-2015-5146 |
505251 | CVE-2014-8116 CVE-2014-8117 | K16347 | Linux file utility vulnerabilities CVE-2014-8116 and CVE-2014-8117 |
630877 | CVE-2016-8735 | K49820145 | Apache Tomcat vulnerability CVE-2016-8735 |
630870 | CVE-2016-6817 | K49160100 | Apache Tomcat vulnerability CVE-2016-6817 |
625505 | CVE-2016-2181 | K59298921 | OpenSSL vulnerability CVE-2016-2181 |
625392 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
621937 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
621935 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
570667 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
538672 | CVE-2011-4969 | K16967 | BIG-IP utilizes version of jQuery vulnerable to CVE-2011-4969 |
Functional Change Fixes
ID Number | Severity | Description |
--- | --- | --- |
596128 | 1-Blocking | Allow configuration of secondary addresses for multipoint VXLAN tunnels |
624831 | 2-Critical | BWC: tmm crash can occur if a dynamic BWC policy is used at a max-user-rate over 2 Gbps |
563488 | 2-Critical | Support Extended Master Secret Extension (RFC7627) for ProxySSL |
631727 | 3-Major | Analytics data is displayed per collection interval instead of per second. |
619667 | 3-Major | Allow Local DNS Servers is not honored on Mac OS X |
616106 | 3-Major | Client-type in access policy does not detect Edge Client after failing authentication. |
615377 | 3-Major | Unexpected rate limiting of unreachable and ICMP messages for some addresses. |
609674 | 3-Major | Machine certificate check creates issuer string with DC components in reverse order |
606072 | 3-Major | User deletion doesn't delete tokens issued for that user at max 15 seconds |
602568 | 3-Major | Updated Default Ciphersuite Group |
600385 | 3-Major | BIG-IP LTM and BIG-IP DNS monitors can be configured with an interval value larger than the timeout |
599536 | 3-Major | IPsec peer with wildcard selector brings up wrong phase2 SAs |
598204 | 3-Major | In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK. |
593409 | 3-Major | [Portal Access] URL normalization is required for some Javascript interfaces |
591819 | 3-Major | Upgrade script for SSO log-level★ |
590122 | 3-Major | Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification. |
586657 | 3-Major | PPTP log entries now include route-domain information |
576521 | 3-Major | If you have MSSQL proxy feature configured, you will lose it upon upgrading to v12.1.0 or later.★ |
572309 | 3-Major | URL is not enforced correctly in some cases |
568768 | 3-Major | CSR attribute email and certificate Subject's DN email are not distinguished |
568229 | 3-Major | [LTM][DNS] save-on-auto-sync with partitions fails for LTM DNS partition objects |
561348 | 3-Major | krb5.conf file is not synchronized between blades and not backed up |
541549 | 3-Major | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
533755 | 3-Major | Required syntax for iRule command DIAMETER::avp create has changed |
532685 | 3-Major | PAC file download errors disconnect the tunnel |
530109 | 3-Major | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
515180 | 3-Major | Matched ASM signatures cannot be accessed easily from iRules. |
499404 | 3-Major | FastL4 does not honor the MSS override value in the FastL4 profile with syncookies |
497100 | 3-Major | APM Migrates to Google reCAPTCHA API Version 2.0 |
441079 | 3-Major | BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved |
407411 | 3-Major | New APIs for iControl SOAP Trust management |
390196 | 3-Major | Support Route Domains for VDI deployments (Citrix, VMware View, RDP) |
246726 | 3-Major | System continues to process virtual server traffic after disabling virtual address |
609084 | 4-Minor | Max number of chunks not configurable above 1000 chunks |
605690 | 4-Minor | tmsh "ip-whitelist" field of the DoS application is deprecated |
599839 | 4-Minor | Add new keywords to SIP::persist command to specify how the persistence table is updated |
598200 | 4-Minor | Migrating iControl SOAP interface and logic for OCSP related configuration |
598199 | 4-Minor | Migrating tmsh commands and logic for OCSP related configuration |
591733 | 4-Minor | Save on Auto-Sync is missing from the configuration utility. |
526642-3 | 4-Minor | iRule with HTML commands inside can be attached to Virtual server without HTML profile |
511049 | 4-Minor | tmsh run sys crypto check-cert to support arbitrary certificate file name. |
571527 | 5-Cosmetic | "list sys crypto csr" output is not consistent |
TMOS Fixes
ID Number | Severity | Description |
--- | --- | --- |
638935 | 1-Blocking | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
627433 | 1-Blocking | HSB transmitter failure on i2x00 and i4x00 platforms |
625784-1 | 1-Blocking | TMM crash on BIG-IP i4x00 and i2x00 with large ASM configuration. |
539093 | 1-Blocking | VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface. |
340702 | 1-Blocking | Controlplane Auth - Fallback to local accounts if remote auth fails |
636918 | 2-Critical | Fix for crash when multiple tunnels use the same traffic selector |
631582-6 | 2-Critical | Administrative interface enhancement |
627898 | 2-Critical | TMM leaks memory in the ECM subsystem |
625824 | 2-Critical | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory |
625456 | 2-Critical | Pending sector utility may write repaired sector incorrectly |
624826 | 2-Critical | Management bridge takes HWADDR of guest VM's tap interface |
624263 | 2-Critical | iControl REST API sets a profile's non-default property value as "none"; properties are missing in the iControl REST API response |
621422-1 | 2-Critical | i2000 and i4000 series appliances do not warn when an incorrect optic is in a port |
620056 | 2-Critical | Assert on deletion of paired in-and-out IPsec traffic selectors |
618779 | 2-Critical | Route updates during IPsec tunnel setup can cause tmm to restart |
618421-1 | 2-Critical | Some mass storage is left unused |
618382 | 2-Critical | qkview may cause tmm to restart or may take 30 or more minutes to run |
616059 | 2-Critical | Modifying license.maxcores Not Allowed Error |
614865-4 | 2-Critical | Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors. |
614586 | 2-Critical | tmm assert "invalid racoon2 block header prefix" |
614296 | 2-Critical | Dynamic routing process ripd may core |
613536-1 | 2-Critical | tmm core while running the iRule STATS:: command |
610354 | 2-Critical | TMM crash on invalid memory access to loopback interface stats object |
610295 | 2-Critical | TMM may crash due to internal backplane inconsistency after reprovisioning |
606509 | 2-Critical | Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★ |
605983 | 2-Critical | tmrouted may crash when being restarted in debug mode |
602642 | 2-Critical | tmm assert "cipher_init_dual failed" |
601527 | 2-Critical | mcpd memory leak and core |
600894 | 2-Critical | In certain situations, the MCPD process can leak memory |
600859-1 | 2-Critical | Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★ |
599033 | 2-Critical | Traffic directed to incorrect instance after network partition is resolved |
598697-2 | 2-Critical | vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★ |
597900 | 2-Critical | iControl REST may core when logging in immediately after a reboot |
595712 | 2-Critical | Not able to add remote user locally |
595394 | 2-Critical | Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★ |
591495 | 2-Critical | vCMP guest's sFlow agent can crash due to duplicate VLAN interface indices |
591104 | 2-Critical | ospfd cores due to an incorrect debug statement. |
587698 | 2-Critical | bgpd crashes when ip extcommunity-list standard with route target (rt) and site-of-origin (soo) parameters are configured |
585745 | 2-Critical | sod core during upgrade from 10.x to 12.x. |
584583 | 2-Critical | Timeout error when attempting to retrieve large dataset. |
584242 | 2-Critical | tmm assert "wrong selector tag" |
583936 | 2-Critical | Removing ECMP route from BGP does not clear route from NSM |
583516 | 2-Critical | tmm asserts "valid node" on Active after timer fires. |
580753 | 2-Critical | eventd might core on transition to secondary. |
574116 | 2-Critical | MCP may crash when syncing configuration between device groups |
574055-1 | 2-Critical | TMM crash after changing racoon log level |
567457-1 | 2-Critical | TMM may crash when changing the IKE peer config. |
562122-4 | 2-Critical | Adding a trunk might disable vCMP guest |
560109 | 2-Critical | Client capabilities failure |
557680 | 2-Critical | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
554713-1 | 2-Critical | Deployment failed: Failed submitting iControl REST transaction |
471860-8 | 2-Critical | Disabling interface keeps DISABLED state even after enabling |
470238 | 2-Critical | tmm restart issue when number of cores in license differs from number of system CPUs. |
460833 | 2-Critical | MCPD sync errors and restart after multiple modifications to file object in chassis |
448477 | 2-Critical | devmgmtd may crash during provisioning |
412817 | 2-Critical | BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive. |
355806 | 2-Critical | Starting mcpd manually at the command line interferes with running mcpd |
641582 | 3-Major | Rarely, an HSB transmitter failure occurs |
637559 | 3-Major | Modifying iRule online could cause TMM to be killed by SIGABRT |
637279-1 | 3-Major | Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS. |
635129-3 | 3-Major | Chassis systems in HA configuration become Active/Active during upgrade★ |
634115 | 3-Major | Not all topology records may sync. |
633512 | 3-Major | HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION. |
632204 | 3-Major | Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions |
631866 | 3-Major | Cannot access LTM policy rules in the web UI when the name contains certain characters |
631627 | 3-Major | Applying BWC over route domain sometimes results in tmm not becoming ready on system start |
631334-2 | 3-Major | TMSH does not preserve \? for config save/load operations |
630622 | 3-Major | tmm crash possible if high-speed logging pool member is deleted and reused |
630546-2 | 3-Major | Very large core files may cause corrupted qkviews |
628460 | 3-Major | Core occurs when attempting to delete a PH2 struct that does not have a proper PH1 reference. |
628202 | 3-Major | Audit-forwarder can take up an excessive amount of memory during a high volume of logging |
627914 | 3-Major | Unbundled 40GbE optics reporting as Unsupported Optic |
627214 | 3-Major | BGP ECMP recursive default route not redistributed to TMM |
626721 | 3-Major | "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart |
625703-3 | 3-Major | SELinux: snmpd is denied access to tmstat files |
624404 | 3-Major | Missing warning when typing current volume during a hotfix installation★ |
624361 | 3-Major | Responses to some of the challenge JS are not zipped. |
623930 | 3-Major | vCMP guests with vlangroups may loop packets internally |
623401 | 3-Major | Intermittent OCSP request failures due to non-optimal default TCP profile setting |
623391 | 3-Major | cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★ |
623336 | 3-Major | After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★ |
623019 | 3-Major | Disabling an interface when DDM is enabled may result in "transmit power too low" DDM messages |
622877 | 3-Major | i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away |
622378 | 3-Major | Inconsistent hardware syncookie protection mode on B2100/B4300 blades and 5000/7000/10000 appliances |
622199-4 | 3-Major | sys-icheck reports error with /var/lib/waagent |
622194-1 | 3-Major | sys-icheck reports error with ssh_host_rsa_key |
622183 | 3-Major | The alert daemon should remove old log files but it does not. |
622133 | 3-Major | vCMP guests may obtain incorrect MAC addresses |
621909 | 3-Major | Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members |
621423-1 | 3-Major | sys-icheck reports error with /config/ssh/ssh_host_dsa_key |
621273 | 3-Major | DSR tunnels with transparent monitors may cause TMM crash. |
621259-4 | 3-Major | Config save takes long time if there is a large number of data groups |
621225-1 | 3-Major | LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0" |
620969-1 | 3-Major | iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards. |
620366 | 3-Major | Alertd can not open UDP socket upon restart |
619410 | 3-Major | TMM hardware accelerated compression not registering for all compression levels. |
619097-1 | 3-Major | iControl REST slow performance on GET request for virtual servers |
618336 | 3-Major | mkdisk utility fails if the USB device has a GUID partition table |
618319 | 3-Major | HA pair will go Active/Active, and report peer as "offline", if the network-failover service is blocked |
617986-1 | 3-Major | Memory leak in snmpd |
617628 | 3-Major | SNMP reports incorrect value for sysBladeTempTemperature OID |
617335 | 3-Major | Deleting self IP prompting error with subnet network address |
617229 | 3-Major | Local policy rule descriptions disappear when policy is re-saved |
617124-1 | 3-Major | Cannot map hardware type (12) to HardwareType enumeration |
616242 | 3-Major | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
615107-2 | 3-Major | Cannot SSH from AOM/SCCP to host without password (host-based authentication). |
614530 | 3-Major | Dynamic ECMP routes missing from Linux host |
614486 | 3-Major | BGP community lower bytes of zero is not allowed to be set in route-map |
614180 | 3-Major | ASM is not available in LTM policy when ASM is licensed as the main active module |
613788 | 3-Major | List GTM pools and wideips in a partition may result in objects from all partitions |
613765 | 3-Major | Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors. |
613574 | 3-Major | Snapshots may be kept longer than expected in the file store |
613509 | 3-Major | 2000/4000 platform reuses source port too fast when fastL4 virtual sets source-port preserve |
613415 | 3-Major | Memory leak in ospfd when distribute-list is used |
612809 | 3-Major | Bootup script fails to run on a vCMP guest due to a missing reference file. |
612752-2 | 3-Major | UCS load or upgrade may fail under certain conditions.★ |
611658-4 | 3-Major | "less" utility logs an error for remotely authenticated users using the tmsh shell |
611513 | 3-Major | Non-zero route domain is not always used with OCSP, HTTP explicit proxy |
611512 | 3-Major | AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name. |
611487 | 3-Major | vCMP: VLAN failsafe does not trigger on guest |
611054 | 3-Major | Network failover "enable" setting is sometimes ignored on chassis systems |
610449 | 3-Major | restarting mcpd on guest makes block-device-images disappear |
610442 | 3-Major | lind on vcmp guest spins in restart loop if block-device-image with bad permissions is installed★ |
610441 | 3-Major | When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received. |
610417 | 3-Major | Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported. |
610352 | 3-Major | sys-icheck reports error with /etc/sysconfig/modules/unic.modules |
610350 | 3-Major | sys-icheck reports error with /config/bigpipe/defaults.scf |
610273 | 3-Major | Not possible to do targeted failover with HA Group configured |
609119 | 3-Major | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: |
609107 | 3-Major | mcpd does not properly validate missing 'sys folder' config in bigip_base.conf |
608320 | 3-Major | iControl REST API sets a persistence profile's non-default property value as "none"; properties are missing in the iControl REST API response |
607961 | 3-Major | Secondary blades restart when modifying a virtual server's route domain in a different partition. |
607716 | 3-Major | Licensing causes SELinux denied messages for mcpd★ |
606330 | 3-Major | The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family. |
606110 | 3-Major | BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets. |
605894 | 3-Major | Remote authentication for BIG-IP users can fail |
605270 | 3-Major | On some platforms the SYN-Cookie status report is not accurate |
604938 | 3-Major | Log IPsec tunnel up/down events |
604469 | 3-Major | Successive remote log operations trigger iRule Tcl error |
604237 | 3-Major | Vlan allowed mismatch found error in VCMP guest |
604061 | 3-Major | Link Aggregation Control Protocol May Lose Synchronization after TMM Crash |
603772 | 3-Major | Floating tunnels with names more than 15 characters may cause issues during config-sync. |
603149 | 3-Major | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy |
602854 | 3-Major | Missing ASM control option from LTM policy rule screen in the Configuration utility |
602566 | 3-Major | sod daemon may crash during start-up |
602502 | 3-Major | Unable to view the SSL Cert list from the GUI |
601989 | 3-Major | Remote LDAP system authenticated username is case sensitive★ |
601938 | 3-Major | MCPD stores certain data incorrectly |
601888 | 3-Major | IKE Peer name not validated against special characters |
601709-1 | 3-Major | I2C error recovery for BIG-IP 4340N/4300 blades |
601502 | 3-Major | Excessive OCSP traffic |
601414 | 3-Major | Combined use of session and table irule commands can result in intermittent session lookup failures |
600970 | 3-Major | IPsec racoon daemon 100% cpu busy |
600570 | 3-Major | VE License may enforce improper TMM count |
600558 | 3-Major | Errors logged after deleting user in GUI |
599816 | 3-Major | Packet redirections occur when using VLAN groups with members that have different cmp-hash settings. |
599543 | 3-Major | Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile |
598498 | 3-Major | Cannot remove Self IP when an unrelated static ARP entry exists. |
598443 | 3-Major | Temporary files from TMSH not being cleaned up intermittently. |
598039 | 3-Major | MCP memory may leak when performing a wildcard query |
597823 | 3-Major | Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value |
597818 | 3-Major | Unable to configure IPsec NAT-T to "force" |
597766 | 3-Major | FPS Live update after re-license |
597729 | 3-Major | Errors logged after deleting user in GUI |
597309 | 3-Major | Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms |
596826 | 3-Major | Don't set the mirroring address to a floating self IP address |
596815 | 3-Major | System DNS nameserver and search order configuration does not always sync to peers |
596814 | 3-Major | HA Failover fails in certain valid AWS configurations |
596556 | 3-Major | Deleting a self IP that could possibly strand a pool member now throws a warning instead |
596104 | 3-Major | HA trunk unavailable for VCMP guest★ |
596067-3 | 3-Major | GUI on VIPRION hangs on secondary blade reboot |
595773 | 3-Major | Cancellation requests for chunked stats queries do not propagate to secondary blades |
595317 | 3-Major | Forwarding address for Type 7 in ospfv3 is not updated in the database |
594426 | 3-Major | Audit forwarding Radius packets may be rejected by Radius server |
592870 | 3-Major | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
592700 | 3-Major | iControl SOAP method System.Failover.get_peer_address might return incorrect value. |
592320 | 3-Major | ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1 |
590938 | 3-Major | The CMI rsync daemon may fail to start |
590904 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active |
589083 | 3-Major | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. |
588606 | 3-Major | HTML_TAG_MATCHED fired for not matching tags. |
587668-1 | 3-Major | LCD Checkmark button does not always bring up clearing prompt on VIPRION blades. |
586887 | 3-Major | SCTP tmm crash with virtual server destination. |
586878 | 3-Major | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ |
585833-2 | 3-Major | Qkview will abort if /shared partition has less than 2GB free space |
585786 | 3-Major | BWC policy object retrieval through XConfig interface fails |
585547 | 3-Major | NTP configuration items are no longer collected by qkview★ |
585485 | 3-Major | Interoperability with "delete IPSEC-SA" between Azure, ASA and BIG-IP |
585332-4 | 3-Major | Virtual Edition network settings aren't pinned correctly on startup★ |
583502 | 3-Major | Considerations for transferring files from F5 devices |
583475 | 3-Major | The BIG-IP may core while recompiling LTM policies |
583285 | 3-Major | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
583108 | 3-Major | Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart. |
583043 | 3-Major | tmm segfault: ikev2_noncecmp (n1=0x0, n2=0x0) |
582127 | 3-Major | VE OVA logrotate max-file-size too big for /var/log partition size |
582084 | 3-Major | BWC policy in device sync groups. |
581945 | 3-Major | Device-group "datasync-global-dg" becomes out-of-sync every hour |
580602 | 3-Major | Configuration containing LTM nodes with IPv6 link-local addresses fail to load. |
580500 | 3-Major | /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed. |
579843 | 3-Major | tmrouted may not re-announce routes after a specific succession of failover states |
579565 | 3-Major | FIPS (ngfips) card-sync fails due to its lacking ability to properly handle "\" in the SO (security officer) password. |
579529-1 | 3-Major | Stats file descriptors kept open in spawned child processes |
579047-2 | 3-Major | Unable to update the default http-explicit profile using the GUI. |
578551 | 3-Major | bop "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot |
576305 | 3-Major | Potential MCPd leak in IPSEC SPD stats query code |
575919-1 | 3-Major | Running concurrent TMSH instances can result in error in access to history file |
575735-4 | 3-Major | Potential MCPd leak in global CPU info stats code |
575708-4 | 3-Major | MCPd might leak memory in CPU info stats. |
575671-4 | 3-Major | MCPd might leak memory in host info stats. |
575649-4 | 3-Major | MCPd might leak memory in IPFIX destination stats query |
575619-4 | 3-Major | Potential MCPd leak in pool member stats query code |
575608-4 | 3-Major | MCPd might leak memory in virtual server stats query. |
575591 | 3-Major | Potential MCPd leak in IKE message stats query code |
575589 | 3-Major | Potential MCPd leak in IKE event stats query code |
575587 | 3-Major | Potential MCPd leak in BWC policy class stats query code |
575176 | 3-Major | Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic |
575066 | 3-Major | Management DHCP settings do not take effect |
575027-4 | 3-Major | Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues. |
573355 | 3-Major | Object properties values containing spaces are prefixed by the partition name |
573249 | 3-Major | Setting Encryption Algorithm for AH IPsec Policy is now ignored. |
573247 | 3-Major | GRE PPTP tunnels created via the relate_client and relate_server iRules commands may fail. |
573245 | 3-Major | IPsec Phase 1 and Phase 2 authentication algorithms now defaults to SHA-256. |
573235 | 3-Major | IPsec Phase 1 and Phase 2 authentication algorithms default to SHA-1 in the GUI |
572871 | 3-Major | TMM logs an incorrect error message when invalid regex pattern is used for LTM profiles |
570845 | 3-Major | Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy |
570839 | 3-Major | IPsec IKE-v2 Peer UI does not prevent configuration of 'NONE' option using Microsoft Internet Explorer. |
570818 | 3-Major | Address lease-pool in IKEv2 might interfere with IKEv2 negotiations. |
569609 | 3-Major | Wireshark vulnerabilities |
569331 | 3-Major | Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP |
569025 | 3-Major | iControl query does not respect global cli settings when returning service values (number vs name). |
568765 | 3-Major | CSR administrative Email attribute and Certificate Subject’s DN Email address |
568672 | 3-Major | Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI |
566507 | 3-Major | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment |
566327 | 3-Major | 1 tmm allocated per 2GB of RAM |
562928-4 | 3-Major | Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled |
562676 | 3-Major | No virtual servers display on multi-page, multiple partition configurations. |
561444 | 3-Major | LCD might display incorrect output. |
559855 | 3-Major | Device rename on standalone device will cause it to momentarily go offline |
557471 | 3-Major | LTM Policy statistics showing zeros in GUI |
553795 | 3-Major | Differing certificate/key after successful config-sync |
551349-2 | 3-Major | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
549593 | 3-Major | postgres database configuration details are now captured by qkview |
547479 | 3-Major | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted |
546940 | 3-Major | Per VLAN/tmm based hardware SYN-cookie enhancement is a hardware-only feature |
546145 | 3-Major | Creating local user for previously remote user results in incomplete user definition. |
545946 | 3-Major | Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load★ |
540872 | 3-Major | Config sync fails after creating a partition. |
536475 | 3-Major | As more virtual addresses are added to the BIG-IP running in AWS, the network failover time increases. |
534520 | 3-Major | qkview may exclude certain log files from /var/log |
530010 | 3-Major | FIPS firmware v2.2 update on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards. |
528684 | 3-Major | Guest cannot ping any management IP on the local host system when guest-to-host communication is enabled |
527206 | 3-Major | Management interface may flap due to LOP sync error |
525580 | 3-Major | tmsh load sys config merge file filename.scf base command does not work as expected |
524193 | 3-Major | Multiple Source addresses are not allowed on a TMSH SNMP community |
524123 | 3-Major | iRule ISTATS::remove does not work |
521270 | 3-Major | Hypervisor might replace vCMP guest SYN-Cookie secrets |
512147 | 3-Major | No SNMP traps from APM |
509497 | 3-Major | VCMP guests on a specific host may be restarted when that host system experiences large date/time changes |
500452-5 | 3-Major | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
490643 | 3-Major | iControl REST API is unable to retrieve any sys service attributes via GET request |
488430 | 3-Major | Suspend/save/migrate LTM VE functionality is not supported for Community XEN. |
483141 | 3-Major | mcpd might restart when creating large numbers of traffic groups and devices |
481001 | 3-Major | Software auto update schedule settings are not synced |
472553 | 3-Major | eventd sweep timer scheduling on deleted consumer can cause CPU and memory consumption to grow |
471029-1 | 3-Major | If the configuration contains a filename with the $ character, then saving the UCS fails. |
466016 | 3-Major | Graceful Restart does not function when primary blade is rebooted |
464572 | 3-Major | Validation of IP/mask for SNMP allowed-addresses list. |
427223-1 | 3-Major | VIPRION C4800-series chassis Annunciator card numbering appears backwards |
424542 | 3-Major | tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments |
421851-2 | 3-Major | Config load does not skip leading whitespaces if iRule starts with # |
401569 | 3-Major | VADC: Virtual Servers are not accessible through VLAN without any interface. |
393270 | 3-Major | Configuration utility may become non-responsive or fail to load. |
392140 | 3-Major | GTM Device IP translation address not available from iControl |
625291 | 4-Minor | dhclient doesn't honor 'interface-mtu' request-options |
619706 | 4-Minor | tmsh appears to allow password change for internal lcd admin user |
603087 | 4-Minor | Cannot access Security tab (needed for assigning ASM/FPS profiles) when viewing the Resources tab. |
602508 | 4-Minor | Capture historical changes of config files |
601927 | 4-Minor | Security hardening of control plane |
601168 | 4-Minor | Incorrect virtual server CPU utilization may be observed. |
599515 | 4-Minor | TCP Keep Alive Interval Indefinite mapped to the 0 value instead of 4294967295. |
598917 | 4-Minor | TMSH and GUI might display a different common name from the one used by the system and displayed in the past. |
591437 | 4-Minor | Unexpected/incorrect max CPU utilization statistics/performance values. |
589862 | 4-Minor | HA Group percent-up display value is truncated, not rounded |
589379 | 4-Minor | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
586858 | 4-Minor | Modifications to custom provisioning ratios via GUI are not saved in System :: Resource Provisioning. |
586368 | 4-Minor | Permissions problem on /var/log/sa6 |
585097 | 4-Minor | Traffic Group score formula does not result in unique values. |
584788 | 4-Minor | Directed failover of HA pair using only hardwire failover will fail |
584504 | 4-Minor | Allowing non-English characters on login screen |
584113 | 4-Minor | "Util% (last 10 sec)" Field in "tmsh show sys cpu" when 5 second average is computed |
583777 | 4-Minor | [TMSH] sys crypto cert missing tab completion function |
581835 | 4-Minor | Command failing: tmsh show ltm virtual vs_name detail. |
578843 | 4-Minor | GUI strips out 0.0.0.0 masks from the SNMP Client Allow Lists. |
573031 | 4-Minor | qkview may not collect certain configuration files in their entirety |
571789 | 4-Minor | cert-key-chain drop-downs are not set to inherited values. |
567546 | 4-Minor | Files with file names larger than 100 characters are omitted from qkview |
564771 | 4-Minor | cron sends purge_mysql_logs.pl email error on LTM-only device |
564522-1 | 4-Minor | cron is configured with MAILTO=root but mailhost defaults to 'mail' |
562257 | 4-Minor | Route domain addresses can be selected when configuring device connectivity |
559837 | 4-Minor | Misleading error message in catalina.out when listing certificates. |
558237 | 4-Minor | No Audit logging on 'Clear Performance Data' from statistics page in GUI. |
515764-7 | 4-Minor | PVA stats only being reported on virtual-server and system-level basis. |
505947 | 4-Minor | SSL Client Certificate LDAP host IP address does not allow port entry in field. |
497725 | 4-Minor | Qkview does not include the incremental ConfigSync cache |
420558 | 4-Minor | External Datagroup records not listed |
617161 | 5-Cosmetic | Cosmetic: duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers. |
590399 | 5-Cosmetic | Unnecessary logging during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'. |
583754 | 5-Cosmetic | When TMM is down, executing 'show ltm persist persist-records' results in a blank error message. |
582844 | 5-Cosmetic | Start Screen Guest List is not available |
555380 | 5-Cosmetic | "Data publisher not found or not implemented" messages in ltm log when running qkview |
466285 | 5-Cosmetic | In Chrome browser, displayed user role switches to Unknown for few seconds after switching partitions. |
425339 | 5-Cosmetic | GUI shows incorrect number of members of pool in HA group after pool config is sync'ed from peer unit. |
Local Traffic Manager Fixes
ID Number | Severity | Description |
621452 | 1-Blocking | Connections can stall with TCP::collect iRule |
618905 | 1-Blocking | tmm core while installing Safenet 6.2 client |
589006 | 1-Blocking | SSL does not cancel pending sign request before the handshake times out or is canceled. |
634265 | 2-Critical | Using route pools whose members aren't directly connected may crash the TMM. |
632685-1 | 2-Critical | bigd memory leak for FQDN nodes on non-primary bigd instance |
632552 | 2-Critical | tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event |
630475 | 2-Critical | TMM Crash |
630306 | 2-Critical | TMM crash in DNS processing on UDP virtual server with no available pool members |
630150 | 2-Critical | Websockets processing error |
629145 | 2-Critical | External datagroups with no metadata can crash tmm |
628890 | 2-Critical | Memory leak when modifying large datagroups |
628836 | 2-Critical | TMM crash during request normalization |
627403 | 2-Critical | HTTP2 can crash tmm when stats is updated on aborting of a new connection |
626360-1 | 2-Critical | TMM may crash when processing HTTP2 traffic |
625198 | 2-Critical | TMM might crash when TCP DSACK is enabled |
624526 | 2-Critical | TMM core in mptcp |
619663 | 2-Critical | Terminating of HTTP2 connection may cause a TMM crash |
619528 | 2-Critical | TMM may accumulate internal events resulting in TMM restart |
619071 | 2-Critical | OneConnect with verified accept issues |
616215 | 2-Critical | TMM can core when using LB::detach and TCP::notify commands in an iRule |
615388 | 2-Critical | L7 policies using normalized HTTP URI or Referrer operands may corrupt memory |
614509 | 2-Critical | iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart |
613088 | 2-Critical | pkcs11d thread has session initialization problem. |
612229 | 2-Critical | TMM may crash if a disable action for 'LTM Policy' is not last |
611704 | 2-Critical | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event |
610862 | 2-Critical | TCP retransmits unnecessarily when IPv4 ICMP frag needed and tm.enforcepathmtu disabled. |
609628 | 2-Critical | CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session |
609199 | 2-Critical | Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join |
609027 | 2-Critical | TMM crashes when SSL forward proxy is enabled. |
608555 | 2-Critical | Configuring asymmetric routing with a VE rate limited license will result in tmm crash |
607724 | 2-Critical | TMM may crash when in Fallback state. |
607524 | 2-Critical | Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down. |
607360 | 2-Critical | Safenet 6.2 library missing after upgrade★ |
607304-6 | 2-Critical | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
606573 | 2-Critical | FTP traffic does not work through SNAT when configured without Virtual Server★ |
605865 | 2-Critical | Debug TMM produces core on certain ICMP PMTUD packets |
604926 | 2-Critical | The TMM may become unresponsive when using SessionDB data larger than ~400K |
603690 | 2-Critical | CPU Saver option not working while the "latency" compression provider selection algorithm is in use. |
603667 | 2-Critical | TMM may leak or corrupt memory when configuration changes occur with plugins in use |
603082 | 2-Critical | Ephemeral pool members are getting deleted/created over and over again. |
603032 | 2-Critical | clientssl profiles with sni-default enabled may leak X509 objects |
602326 | 2-Critical | Intermittent pkcs11d core when installing Safenet 6.2 software |
602136 | 2-Critical | iRule drop command causes tmm segfault or still sends 3-way handshake to the server. |
601828 | 2-Critical | An untrusted certificate can cause TMM to crash. |
600982 | 2-Critical | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" |
599769-2 | 2-Critical | TMM may crash when managing APM clients. |
599720 | 2-Critical | TMM may crash in bigtcp due to null pointer dereference |
599135 | 2-Critical | B2250 blades may suffer from high TMM CPU utilisation with tcpdump |
598052 | 2-Critical | SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails |
597978 | 2-Critical | GARPs may be transmitted by active going offline |
597828 | 2-Critical | SSL forward proxy crashes in some cases |
596450 | 2-Critical | TMM may produce a core file after updating SSL session ticket key |
594642 | 2-Critical | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. |
592699-2 | 2-Critical | IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance |
591139-1 | 2-Critical | TMM QAT segfault after zlib/QAT compression conflation. |
589223 | 2-Critical | TMM crash and core dump when processing SSL protocol alert. |
588959 | 2-Critical | Standby box may crash or behave abnormally |
588351 | 2-Critical | IPv6 fragments are dropped when packet filtering is enabled. |
588115 | 2-Critical | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
586862 | 2-Critical | Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. |
586587 | 2-Critical | RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. |
586449 | 2-Critical | Incorrect error handling in HTTP cookie results in core when TMM runs out of memory |
584926 | 2-Critical | Accelerated compression segfault when devices are all in error state. |
584213 | 2-Critical | Transparent HTTP profiles cannot have iRules configured |
583700 | 2-Critical | tmm core on out of memory |
583355 | 2-Critical | The TMM may crash when changing profiles associated with plugins |
580303 | 2-Critical | When going from active to offline, tmm might send a GARP for a floating address. |
580026 | 2-Critical | HSM logging error |
578045 | 2-Critical | The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks |
575011 | 2-Critical | Fix memory leak. |
574880 | 2-Critical | Excessive failures observed when connection rate limit is configured on a fastl4 virtual server. |
566071 | 2-Critical | network-HSM may not be operational on secondary slots of a standby chassis. |
565409-1 | 2-Critical | Invalid MSS with HW syncookies and flow forwarding |
559030 | 2-Critical | TMM may core during ILX RPC activity if a connflow closes before the RPC returns |
557358 | 2-Critical | TMM SIGSEGV and crash when memory allocation fails. |
545810-4 | 2-Critical | ASSERT in CSP in packet_reuse |
540568 | 2-Critical | TMM core due to SIGSEGV |
527976 | 2-Critical | pagemem tmctl table changed to page_stats |
459671 | 2-Critical | iRules source different procs from different partitions and executes the incorrect proc. |
423629 | 2-Critical | bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted |
632968 | 3-Major | supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails |
632324 | 3-Major | PVA stats does not show correct connection number |
632001 | 3-Major | For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys |
629412 | 3-Major | BIG-IP closes a connection when a maximum size window is attempted |
627926 | 3-Major | iRule decryption does not work |
626434 | 3-Major | tmm may be killed by sod when a hardware accelerator does not work |
626106 | 3-Major | LTM Policy with illegal rule name loses its conditions and actions during upgrade★ |
624903 | 3-Major | Zero length SSL records improperly processed with AES-GCM on 2000s/2200s, 4000s/4200v, B4450 platforms |
624846 | 3-Major | TCP Fast Open does not work for Responses < 1 MSS |
624616 | 3-Major | Safenet uninstall is unable to remove libgem.so |
623940 | 3-Major | SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello |
622148 | 3-Major | Flow-generated ICMP error messages need to consider which side of the proxy they are on |
622017 | 3-Major | RRD files are not backed up if the /shared/rrd.backup directory already exists |
621843 | 3-Major | The ipother proxy is sending ICMP error messages to the wrong side |
621736 | 3-Major | statsd does not handle SIGCHLD properly in all cases |
620079 | 3-Major | Removing route-domain may cause monitors to fail |
619872 | 3-Major | BIG-IP upgrade doesn't carry over Thales configuration on the secondary slot |
619849 | 3-Major | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled. |
619701 | 3-Major | rate_limit can affect iClient connectivity |
618517 | 3-Major | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file |
618428-1 | 3-Major | iRules LX - Debug mode does not function in dedicated mode |
618161 | 3-Major | SSL handshake fails when clientssl uses softcard-protected key-certs. |
618104 | 3-Major | Connection Using TCP::collect iRule May Not Close |
618024 | 3-Major | software switched platforms accept traffic on lacp trunks even when the trunk is down |
617862 | 3-Major | Fastl4 handshake timeout is absolute instead of relative |
617858 | 3-Major | bigd core when using Tcl monitors |
617824 | 3-Major | "SSL::disable/enable serverside" + oneconnect reuse is broken |
616022 | 3-Major | The BIG-IP monitor process fails to process timeout conditions |
615143 | 3-Major | VDI plugin-initiated connections may select inappropriate SNAT address |
614147 | 3-Major | SOCKS proxy defect resolution |
614097 | 3-Major | HTTP Explicit proxy defect resolution |
613618 | 3-Major | The TMM crashes in the websso plugin. |
613483 | 3-Major | Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec. |
613429 | 3-Major | Unable to assign wildcard wide IPs to various BIG-IP DNS objects. |
613369 | 3-Major | Half-Open TCP Connections Not Discoverable |
613079 | 3-Major | Diameter monitor watchdog timeout fires after only 3 seconds |
613065 | 3-Major | User can't generate netHSM key with Safenet 6.2 client using GUI |
612694 | 3-Major | TCP::close with no pool member results in zombie flows |
612554 | 3-Major | Some SSL certificate SHA verification fails for different SHA prefix used by Crypto |
612040-5 | 3-Major | Statistics added for all crypto queues |
611652 | 3-Major | iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command. |
611482 | 3-Major | Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) . |
611320 | 3-Major | Mirrored connection on Active unit of HA pair may be unexpectedly torn down |
610609 | 3-Major | Total connections in bigtop, SNMP are incorrect |
610429 | 3-Major | X509::cert_fields iRule command may memory with subpubkey argument |
610302 | 3-Major | Link throughput graphs might be incorrect. |
609244-5 | 3-Major | tmsh show ltm persistence persist-records leaks memory |
608551 | 3-Major | Half-closed congested SSL connections with unclean shutdown might stall. |
608024 | 3-Major | Unnecessary DTLS retransmissions occur during handshake. |
607803 | 3-Major | DTLS client (serverssl profile) fails to complete resumed handshake. |
607410 | 3-Major | In the iRule output of X509 Certificate's subject & issuer, the display is wrong. |
607152 | 3-Major | Large Websocket frames corrupted |
606940 | 3-Major | Clustered Multiprocessing (CMP) peer connection may not be removed |
606575 | 3-Major | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
606565 | 3-Major | TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection |
605682 | 3-Major | With forward proxy enabled, sometimes the client connection will not complete. |
604977 | 3-Major | Wrong alert when DTLS cookie size is 32 |
604880 | 3-Major | tmm assert "valid pcb" in tcp.c |
604838 | 3-Major | TCP Analytics incorrectly reports entities as "Aggregated" |
604496 | 3-Major | SQL (Oracle) monitor daemon might hang. |
604133 | 3-Major | Ramcache may leave the HTTP Cookie Cache in an inconsistent state |
603979 | 3-Major | Data transfer from the BIG-IP system self IP might be slow |
603723 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
603550 | 3-Major | Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats. |
603236 | 3-Major | 1k/4k creation issue at Safenet 6.2 + 6.10.9 fw |
602385 | 3-Major | Add zLib compression |
602366 | 3-Major | Safenet 6.2 HA performance |
602358 | 3-Major | BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version |
602040 | 3-Major | Truncated support ID for HTTP protocol security logging profile |
601496 | 3-Major | iRules and OCSP Stapling |
601178 | 3-Major | HTTP cookie persistence 'preferred' encryption |
600944 | 3-Major | tmsh does not reset route domain to 0 after cd /Common and loading bash |
600827 | 3-Major | Stuck nitrox crypto queue can erroneously be reported |
600614 | 3-Major | External crypto offload fails when SSL connection is renegotiated |
600593 | 3-Major | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests |
600052 | 3-Major | GUI displaying "Internal Server Error" page when there are many (~3k) certs/keys in the system |
599054 | 3-Major | LTM policies may incorrectly use those of another virtual server |
598874 | 3-Major | GTM Resolver sends FIN after SYN retransmission timeout |
597899 | 3-Major | Disabling all pool members may not be reflected in Virtual Server status |
597879 | 3-Major | CDG Congestion Control can lead to instability |
597708 | 3-Major | Stats are unavailable and VCMP state and status is incorrect |
597621 | 3-Major | Packet filter does not work. |
597532 | 3-Major | iRule: RADIUS avp command returns a signed integer |
597405 | 3-Major | Mitigate SSL handshake delay when TCP nagle is enabled. |
597253 | 3-Major | HTTP::respond tcl command may incorrectly identify parameters as ifiles |
597089 | 3-Major | Connections are terminated after 5 seconds when using ePVA full acceleration |
596433 | 3-Major | Virtual with lasthop configured rejects request with no route to client. |
595966 | 3-Major | SSL hardware acceleration statistics might be incorrect. |
595921 | 3-Major | VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses. |
595385 | 3-Major | HTTP::respond causes a keepalive connection to be RST after second request and "Invalid action" log. |
595281 | 3-Major | TCP Analytics reports huge goodput numbers |
595275-1 | 3-Major | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN |
594302 | 3-Major | Connection hangs when processing large compressed responses from server |
593530 | 3-Major | In rare cases, connections may fail to expire |
593390 | 3-Major | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues. |
592871 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. |
592854 | 3-Major | Protocol version set incorrectly on serverssl renegotiation |
592784-1 | 3-Major | Compression stalls, does not recover, and compression facilities cease. |
592682 | 3-Major | TCP: connections may stall or be dropped |
592620 | 3-Major | iRule validation does not catch incorrect 'after' syntax |
592497 | 3-Major | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. |
591666 | 3-Major | TMM crash in DNS processing on TCP virtual with no available pool members |
591659 | 3-Major | Server shutdown is propagated to client after X-Cnection: close transformation. |
591476 | 3-Major | Stuck nitrox crypto queue can erroneously be reported |
591343 | 3-Major | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
590244 | 3-Major | False alert cn decryption failure log when peer (client) drops the TCP session during decryption. |
590156 | 3-Major | Connections to an APM virtual server may be reset and fail on appliance and VE platforms. |
589400 | 3-Major | With Nagle disabled, TCP does not send all of xfrags with size greater than MSS. |
588720 | 3-Major | Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled. |
588089 | 3-Major | SSL resumed connections may fail during mirroring |
587966 | 3-Major | LTM fastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
587773 | 3-Major | Add support for Thales version 12.10.01 |
587705-2 | 3-Major | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools. |
587678 | 3-Major | LTM SSL should do a full handshake when peer attempts to resume a session with a different client TLS version. |
587096 | 3-Major | Incorrect result returned from IP::tos iRule in the FLOW_INIT event. |
587016 | 3-Major | SIP monitor in TLS mode marks pool member down after positive response. |
586738 | 3-Major | The tmm might crash with a segfault. |
586660 | 3-Major | HTTP/ramcache2 and RAM Cache are not compatible. |
585813-1 | 3-Major | SIP monitor with TLS mode fails to find cert and key files. |
585412 | 3-Major | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines |
584471 | 3-Major | Priority order of clientssl profile selection of virtual server. |
584310-5 | 3-Major | TCP::collect ignores the 'skip' parameter when used in serverside events |
584029-1 | 3-Major | Fragmented packets may cause tmm to core under heavy load |
583957 | 3-Major | The TMM may hang handling pipelined HTTP requests with certain iRule commands. |
582769 | 3-Major | WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual |
582487-1 | 3-Major | 'merged.method' set to 'slow_merge,' does not update system stats |
582465 | 3-Major | Cannot generate key after SafeNet HSM is rebooted |
582207 | 3-Major | MSS may exceed MTU when using HW syncookies |
581077 | 3-Major | Connection can’t be established when multiple clientssl profiles are attached if the default profile is disabled. |
580591 | 3-Major | HTTP monitor NTLM authentication requires domain to be uppercase |
580031 | 3-Major | Using OneConnect with forwarded flows might cause resets |
579926 | 3-Major | HTTP starts dropping traffic for a half-closed connection when in passthrough mode |
579371 | 3-Major | BigIP may generate ARPs after transition to standby |
578971 | 3-Major | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed |
578951 | 3-Major | TCP Fast Open connection timeout during handshake does not decrement pre_established_connections |
578573 | 3-Major | SSL Forward Proxy Forged Certificate Signature Algorithm |
576311 | 3-Major | HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present |
575347 | 3-Major | Unexpected backslashes remain in monitor 'username' attribute after upgrade |
573608 | 3-Major | BIG-IP's Proxy-SSL is unable to handle fragmented SSL handshakes |
573366 | 3-Major | A parking command used in the nested script of the clientside and serverside commands can cause a tmm core |
572895-1 | 3-Major | TCP forwarded flows are reset when time wait recycle of port happens |
572281 | 3-Major | Variable values in the nested script of a foreach command get reset when there is a parking command in the script |
570570 | 3-Major | Default crypto failure action is now "go-offline-downlinks". |
570277 | 3-Major | SafeNet client not able to establish session to all HSMs on all blades. |
570057 | 3-Major | Can't install more than 16 SafeNet HSMs in its HA group |
569288 | 3-Major | Different LACP key may be used in different blades in a chassis system causing trunking failures |
569206 | 3-Major | After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades. |
565799 | 3-Major | CPU Usage increases when using masquerade addresses |
565757 | 3-Major | kernel static route can become invalid in a SelfIp transaction |
563933 | 3-Major | [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs |
563491 | 3-Major | BIG-IP SSL does not support Extended Master Secret Extension (RFC7627) |
561841 | 3-Major | Floating IPv6 anycast address for HA results in intermittent communication loss |
560471 | 3-Major | Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down |
559819 | 3-Major | DNS queries with OPT have no OPT in response for RFC 6891 compliance. |
554761-8 | 3-Major | Unexpected handling of TCP timestamps under syncookie protection. |
551208 | 3-Major | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
550161 | 3-Major | Networking devices might block a packet that has a TTL value higher than 230. |
549329 | 3-Major | L7 mirrored ACK from standby to active box can cause tmm core on active |
545796 | 3-Major | [iRule] [Stats] iRule is not generating any stats for executed iRules. |
545450 | 3-Major | Log activation/deactivation of TM.TCPMemoryPressure |
543994 | 3-Major | Expose pre_established_connections in tmm.tcp and tmm.tcp4 |
537553 | 3-Major | tmm might crash after modifying virtual server SSL profiles in SNI configuration under load |
536563 | 3-Major | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets. |
535041 | 3-Major | BIG-IP system drops UDP packets while iRule is suspended |
534457-3 | 3-Major | Dynamically discovered routes might fail to remirror connections. |
531979 | 3-Major | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
530266-5 | 3-Major | Rate limit configured on a node can be exceeded |
528007-8 | 3-Major | Memory leak in ssl |
523318 | 3-Major | Creating too many iFiles causes tmm crash. |
522310 | 3-Major | ICMP errors cause the associated FastL4/TCP connection to be reset |
515635 | 3-Major | Tcl monitor not working with Courier IMAP server |
511324 | 3-Major | HTTP::disable does not work after the first request/response. |
509858-4 | 3-Major | BIG-IP FastL4 profile vulnerability |
506543-2 | 3-Major | Disabled ephemeral pool members continue to receive new connections |
490771 | 3-Major | There is no configurable TCP timewait timer for Fast L4 virtual servers. |
484542 | 3-Major | QinQ tag-mode can be set on unsupported platforms |
483953 | 3-Major | Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value. |
476524 | 3-Major | SSL handshake delay when SSL mirroring enabled or mirrored connection fails to recover after failover. |
472571-8 | 3-Major | Memory leak with multiple client SSL profiles. |
464923 | 3-Major | Insufficient error information when netHSM is used without proper licensing |
464801 | 3-Major | Intermittent tmm core |
462754 | 3-Major | SSL connection may not survive multiple failovers or delay response |
423392 | 3-Major | tcl_platform is no longer in the static:: namespace |
415608 | 3-Major | ICMP messages can be throttled without log message |
409340 | 3-Major | https/ssl monitor closes immediately (rather than awaiting remote close-notify) |
408599 | 3-Major | The iRule node command does not function as expected when invoked from the LB_SELECTED event. |
405898 | 3-Major | If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected |
371164 | 3-Major | BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs. |
364285 | 3-Major | Improve the documentation of the HTTP::respond command |
360047 | 3-Major | RAM Cache Ignores All but Last Cache-Control Header in OWS Response |
348000 | 3-Major | HTTP response status 408 request timeout results in error being logged. |
225634 | 3-Major | The rate class feature does not honor the Burst Size setting. |
627246 | 4-Minor | TMM memory leak when ASM policy configured on virtual |
602159 | 4-Minor | The field "Maximum" connections of websocket and http2 profile statistics show different values between tmsh and GUI |
598860 | 4-Minor | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address |
597385 | 4-Minor | Support for the Maximum Fragment Length TLS extension |
592707 | 4-Minor | Validation against routes where the network route-domain does not match VLAN route-domain |
589039 | 4-Minor | Clearing masquerade MAC results in unexpected link-local self IPs. |
587915 | 4-Minor | Improved SMTPS reset cause codes |
587676 | 4-Minor | SMB monitor fails due to internal configuration issue |
584772-3 | 4-Minor | ssldump may crash when decrypting bad records |
583943 | 4-Minor | Forward proxy does not work when netHSM is configured on TMM interfaces |
577846-1 | 4-Minor | NPN configuration options are obsolete |
574020 | 4-Minor | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
572015 | 4-Minor | HTTP Class profile is upgraded to a case-insensitive policy★ |
567665 | 4-Minor | SNMP TMM memory stats need to be presented per TMM process |
559110 | 4-Minor | Luna FIPS request errors are logged as the same generic error. |
544033 | 4-Minor | Fragmented ICMP Echo to Virtual Address may not receive response |
530877 | 4-Minor | TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances. |
488876 | 4-Minor | SSL persistence uses noticeably more memory |
455560 | 4-Minor | HTTP filter waits until part of the body is received before sending small headers |
433323 | 4-Minor | Ramcache handling of Cache-Control: no-cache directive in Response |
222034 | 4-Minor | HTTP::respond in LB_FAILED with large header/body might result in truncated response |
558053-1 | 5-Cosmetic | Pool's 'active_member_cnt' attribute may not be updated as expected. |
Performance Fixes
ID Number | Severity | Description |
621115 | 2-Critical | IP/IPv6 TTL/hoplimit may not be preserved for host traffic |
588879 | 2-Critical | apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond |
617307 | 3-Major | FastL4 with full PVA acceleration: Average connections per second decreased 5-7% since v12.1.1 on i5800 platforms |
510631 | 3-Major | B4450 L4 No ePVA or L7 throughput lower than expected |
Global Traffic Manager Fixes
ID Number | Severity | Description |
603598 | 2-Critical | big3d memory under extreme load conditions |
591124 | 2-Critical | gtmd core while adding a new GTM to an existing sync group. |
587656 | 2-Critical | GTM auto discovery problem with EHF for ID574052 |
587617 | 2-Critical | While adding GTM server, failure to configure new IP on existing server leads to gtmd core |
629530-1 | 3-Major | Under certain conditions, monitors do not time out. |
626141 | 3-Major | DNSX Performance Graphs are not displaying Requests/sec |
621374 | 3-Major | "abbrev" argument in "whereis" iRule returns nothing |
615338-1 | 3-Major | The value returned by "matchregion" in an iRule is inconsistent in some cases. |
613576 | 3-Major | QOS load balancing links display as gray |
613045-6 | 3-Major | Interaction between GTM and 10.x LTM results in some virtual servers marked down |
602300 | 3-Major | Zone Runner entries cannot be modified when sys DNS starts with IPv6 address |
601180 | 3-Major | Link Controller base license does not allow DNS namespace iRule commands.★ |
595293 | 3-Major | Deleting GTM links could cause gtm_add to fail on new devices. |
589256 | 3-Major | DNSSEC NSEC3 records with different type bitmap for same name. |
588289 | 3-Major | GTM is re-ordering pools when adding a pool that includes an order designation |
584623 | 3-Major | Response to -list iRules command gets truncated when dealing with MX type wide IP |
574052 | 3-Major | GTM autoconf can cause high CPU usage for gtmd |
487144 | 3-Major | tmm intermittently reports that it cannot find FIPS key |
442226 | 3-Major | Link Controller fails to auto-create a self-server |
370131-5 | 3-Major | Loading UCS with low GTM Autoconf Delay drops pool Members from config |
364774-1 | 3-Major | TMSH required for creating redundant-bigip server object for Link Controller |
425108 | 4-Minor | Tab completion in the tmsh might not list all transparent monitors |
Application Security Manager Fixes
ID Number | Severity | Description |
636397 | 2-Critical | bd cores with persistent storage configuration under some memory conditions. |
634001 | 2-Critical | ASM restarts after deleting a VS that has an ASM security policy assigned to it |
627117 | 2-Critical | Crash with wrong certificate in WSS |
608509 | 2-Critical | Policy learning is slow under high load |
601378 | 2-Critical | Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons |
600357 | 2-Critical | bd crash when asm policy is removed from virtual during specific configuration change |
599582 | 2-Critical | BD keep-alive self crashes due to lack of IO or CPU resources |
591113 | 2-Critical | CSRF injection leading to blank page |
587629 | 2-Critical | IP exceptions may have issues with route domain |
585352 | 2-Critical | bruteForce record selfLink gets corrupted by change to brute force settings in GUI |
585120 | 2-Critical | Memory leak in bd under rare scenario |
585054 | 2-Critical | BIG-IP imports delay violations incorrectly, causing wrong policy enforcement |
584840 | 2-Critical | The "Maximum Line Length" violation is not detected in the last line of a websocket frame. |
584082 | 2-Critical | BD daemon crashes unexpectedly |
581991 | 2-Critical | Logging filter for remote loggers doesn't work correctly with more than one logging profile |
575133 | 2-Critical | asm_config_server_rpc_handler_async.pl SIGSEGV and core |
631737 | 3-Major | ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations |
631444 | 3-Major | Bot Name for ASM Search Engines is case sensitive |
630929 | 3-Major | Attack signature exception list upload times-out and fails |
627360 | 3-Major | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
625832 | 3-Major | A false positive modified domain cookie violation |
623514 | 3-Major | Duplicate ASM Policies Appear in GUI |
622913 | 3-Major | Audit Log filled with constant change messages |
622386 | 3-Major | Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled |
621524 | 3-Major | Processing Timeout When Viewing a Request with 300+ Violations |
620635 | 3-Major | Request having upper case JSON login parameter is not detected as a failed login attempt |
618771 | 3-Major | Some Social Security Numbers are not being masked |
617391 | 3-Major | Device sync constantly showing Changes Pending when using custom ASM Search Engines |
614441 | 3-Major | False Positive for illegal method (GET) |
613396 | 3-Major | Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs |
611151 | 3-Major | An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive |
609499 | 3-Major | Compiled signature collections use more memory than prior versions |
609496 | 3-Major | Improved diagnostics in BD config update (bd_agent) added |
605616 | 3-Major | Creating 256 Fundamental Security policies will result in an out of memory error |
604923 | 3-Major | REST id for Signatures change after update |
604893 | 3-Major | ComplexType child elements in XML schema cannot have different values set in "fixed" attribute |
604612 | 3-Major | Modified ASM cookie violation happens after upgrade to 12.1.x★ |
603945 | 3-Major | BD config update should be considered as config addition in case of update failure |
603479 | 3-Major | "ASM starting" while it's already running, causing the restart of all ASM daemons |
602691 | 3-Major | Regular expression in XML schema pattern validation fails (libxml bug) |
602221 | 3-Major | Wrong parsing of redirect Domain |
600174 | 3-Major | Wildcard "*" redirection domain cannot be deleted if list is scrollable |
599655 | 3-Major | When ramcache is configured with CPM, the ASM blocking page will get cached |
595946 | 3-Major | Expired Timestamp violation is triggered too often |
593681 | 3-Major | CSRF doesn't look correctly into relative urls in the location header |
593360 | 3-Major | repeated failures on scheduled Signature Update (ASU) |
592504 | 3-Major | False positive illegal length violation can appear |
590851 | 3-Major | "never log" IPs are still reported to AVR |
589606 | 3-Major | CSRF enabled within an iframe request causes unpredictable behavior on a website. |
588087 | 3-Major | Attack prevention isn't escalating under some conditions in session opening mitigation |
588049 | 3-Major | Improve detection of browser capabilities |
585946 | 3-Major | ASM Disallowed Geolocations without a full country name known to BIG-IP are lost on update. |
584642 | 3-Major | Apply Policy Failure |
584103 | 3-Major | FPS periodic updates (cron) write errors to log |
583686 | 3-Major | High ASCII meta-characters can be disallowed on UTF-8 policy via XML import |
583629 | 3-Major | ASM subsystem error appears in asm log after changing XML/JSON profile for parameter |
582683 | 3-Major | xpath parser doesn't reset a namespace hash value between each and every scan |
582133 | 3-Major | Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.) |
581406 | 3-Major | SQL Error on Peer Device After Receiving ASM Sync in a Device Group |
581315 | 3-Major | Selenium detection not blocked |
580168 | 3-Major | Information missing from ASM event logs after a switchboot and switchboot back |
579917 | 3-Major | User-defined signature set cannot be created/updated with Signature Type = "All" |
579495 | 3-Major | Error when loading Upgrade UCS★ |
578399 | 3-Major | Adding an option for negative validation of the occurrence of a string in the header |
576619 | 3-Major | Online help in the GUI missing details in description of "Bad multipart parameters parsing" HTTP validation |
576591 | 3-Major | Support for some future credit card number ranges |
575298 | 3-Major | No violation details for illegal metachar violation when shift-jis is the web app language |
564324 | 3-Major | ASM scripts can break applications |
540928 | 3-Major | Memory leak due to unnecessary logging profile configuration updates. |
522040 | 3-Major | Individual attack signature can't be disabled on a specific header |
521370 | 3-Major | Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8 |
521204 | 3-Major | Include default values in XML Policy Export |
518201 | 3-Major | ASM policy creation fails after upgrading |
428928 | 3-Major | Policy with auto-detect encoding is not configured on target of device group sync |
392121 | 3-Major | TMSH Command to retrieve the memory consumption of the bd process |
618693 | 4-Minor | Web Scraping session_opening_anomaly reports the wrong route domain for the source IP |
607001 | 4-Minor | ASM policy diff issue for HTTP method HEAD |
603071 | 4-Minor | XHTML validation fails on obfuscated JavaScript |
574214 | 4-Minor | Content Based Routing daemon (cbrd) logging control |
572885 | 4-Minor | Policy automatic learning mode changes to manual after failover |
542817 | 4-Minor | Specific numbers that are not credit card numbers are being masked as such |
249484 | 4-Minor | Blocking icon does not appear on response violation |
Application Visibility and Reporting Fixes
ID Number | Severity | Description |
602654 | 2-Critical | TMM crash when using AVR lookups |
602434 | 2-Critical | Tmm crash with compressed response |
601536 | 2-Critical | Analytics load error stops load of configuration★ |
596674 | 2-Critical | High memory usage when using CS features with gzip HTML responses. |
582629 | 2-Critical | User Sessions lookups are not cleared, session stats show marked as invalid |
575170 | 2-Critical | Analytics reports may not identify virtual servers correctly |
630103 | 3-Major | AVR statistics are not saved during the upgrade process |
618944 | 3-Major | AVR statistics are not saved during the upgrade process |
605414 | 3-Major | Mysqld and bcm56xxd seem to run at 100% on vCMP host. |
605010 | 3-Major | Thrift::TException error |
601035-1 | 3-Major | TCP-Analytics can fail to collect all the activity |
600634 | 3-Major | Schedule-reports can break the upgrade process★ |
590074 | 3-Major | Wrong value for TCP connections closed measure |
582029-3 | 3-Major | AVR might report incorrect statistics when used together with other modules. |
560114 | 3-Major | Monpd is being affected by an I/O issue which makes some of its threads freeze |
Access Policy Manager Fixes
ID Number | Severity | Description |
633349-2 | 2-Critical | localdbmgr hangs and eventually crashes |
632798 | 2-Critical | Double-free may occur if Access initialization fails |
622244 | 2-Critical | Edge client can fail to upgrade when always connected is selected |
621371 | 2-Critical | Output Errors in APM Event Log |
618324 | 2-Critical | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor |
617310 | 2-Critical | Edge client can fail to upgrade when Always Connected is selected★ |
612129 | 2-Critical | tmm crash (SIGABRT) when creating url filter with large number of categories |
608408 | 2-Critical | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library |
593078 | 2-Critical | CATEGORY::filetype command may cause tmm to crash and restart |
592868 | 2-Critical | Rewrite may crash processing HTML tag with HTML entity in attribute value |
591117 | 2-Critical | APM ACL construction may cause TMM to core if TMM is out of memory |
588686-2 | 2-Critical | High-speed logging to remote logging node stops sending logs after all logging nodes go down |
585442 | 2-Critical | Provisioning APM to "none" creates a core file |
582440 | 2-Critical | Linux client does not restore route to the default GW on Ubuntu 15.10 |
581299-2 | 2-Critical | DNSRelay Proxy re-transmits DNS requests indefinitely every second if NA DNS servers do not respond |
580817 | 2-Critical | Edge Client may crash after upgrade★ |
580059-2 | 2-Critical | DNS Relay proxy component of edge client on windows consumes lot of CPU cycles |
579559 | 2-Critical | DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration |
572563-2 | 2-Critical | PWS session does not launch on Internet Explorer |
569563-1 | 2-Critical | Sockets resource leak after loading complex policy |
569306 | 2-Critical | Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected |
568576 | 2-Critical | Version Check fails when upgrading across a major version boundary★ |
565056 | 2-Critical | Fail to update VPN correctly for non-admin user. |
555272 | 2-Critical | Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★ |
450136 | 2-Critical | Occasionally customers see chunk boundaries as part of HTTP response |
433242 | 2-Critical | SAML SLO does not work if one of SLO Request URL, SLO Response URL not configured |
634125 | 3-Major | Access Profile with incorrect topology may be imported in some cases. |
632386 | 3-Major | EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists |
629803 | 3-Major | "HTTP 401 Response" agent reuses incorrect credentials |
629801 | 3-Major | Access policy is applied automatically on target device after policy sync when there is also a FODG in the trust domain. |
628790 | 3-Major | Adding new item in VPE might end up with error |
628712 | 3-Major | Advanced customization doesn't work for Profiles in a non-Common partition with a . (period) in the name |
628687 | 3-Major | Edge Client reconnection issues with captive portal |
628685 | 3-Major | Edge Client shows several security warnings after roaming to a network with Captive Portal |
627972 | 3-Major | Unable to save advanced customization when using Exchange iApp |
627384 | 3-Major | eamtest tool fails with Segmentation fault after initialization. |
625474 | 3-Major | POST request body is not saved in session variable by access when request is sent using edge client |
625376 | 3-Major | In some cases, download of PAC file by edge client may fail |
625159 | 3-Major | Policy sync status not shown on standby device in HA case |
623562 | 3-Major | Large POSTs rejected after policy already completed |
623173 | 3-Major | unused error messages for SecurID |
622790 | 3-Major | EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP |
621447 | 3-Major | In some rare cases, VDI may crash |
621210 | 3-Major | Policy sync shows as aborted even if it is completed |
621202 | 3-Major | Portal Access: document.write() with very long string as argument may be handled incorrectly. |
621126 | 3-Major | Import of config with saml idp connector with reuse causes certificate not found error |
620829 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
620801 | 3-Major | Access Policy is not able to check device posture for Android 7 devices |
620614-1 | 3-Major | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account |
619879 | 3-Major | HTTP iRule commands could lead to WEBSSO plugin being invoked |
619811 | 3-Major | Machine Cert OCSP check fails with multiple Issuer CA |
619486 | 3-Major | Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self |
619473 | 3-Major | Browser may hang at APM session logout |
619250 | 3-Major | Returning to main menu from "RSS Feed" breaks ribbon |
618957 | 3-Major | Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates |
618170 | 3-Major | Some URL unwrapping functions can behave badly |
617629 | 3-Major | Same report is downloaded repeatedly after user clicks on "export csv" and then clicks on another tab |
617187 | 3-Major | APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate |
617063 | 3-Major | After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel |
617002 | 3-Major | SWG with Response Analytics agent in a Per-Request policy fails with some URLs |
616838-2 | 3-Major | Citrix Remote desktop resource custom parameter name does not accept hyphen character |
615407 | 3-Major | EAM core during shutdown |
615254 | 3-Major | Network Access Launch Application item fails to launch in some cases |
614891 | 3-Major | Routing table doesn't get updated when EDGE client roams among wireless networks |
614072 | 3-Major | Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session. |
613613-3 | 3-Major | Incorrect handling of form that contains a tag with id=action |
612419 | 3-Major | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) |
611922 | 3-Major | Policy sync fails with policy that includes custom CA Bundle. |
611669 | 3-Major | Mac Edge Client customization is not applied on macOS 10.12 Sierra |
611485 | 3-Major | APM AAA RADIUS server address cannot be a multicast IPv6 address.★ |
611469 | 3-Major | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
611325 | 3-Major | VPE edit action issues with Firefox if policy is in read only mode. |
611240 | 3-Major | Import of config with securid might fail |
610961 | 3-Major | pre-define default list of required attributes for AD Query |
610224 | 3-Major | APM client may fetch expired certificate when a valid and an expired certificate co-exist |
610180 | 3-Major | Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin. |
609625 | 3-Major | Portal Access: RSS XML files may contain non-rewritten URLs |
608941 | 3-Major | AAA RADIUS system authentication fails on IPv6 network |
608427 | 3-Major | LocalDB auth agent is not available for APM based system auth |
607886 | 3-Major | Cannot delete partition when APM Sandbox configuration is present |
606831 | 3-Major | Multidomain SSO slave virtual cannot be reached |
606426 | 3-Major | coapi error on the shell, when user clicks on session in the manage sessions page |
606416 | 3-Major | apm client-packaging object missing in existing partitions after provisioning APM |
606101 | 3-Major | Support launching multiple Horizon View client instances from APM webtop |
605438 | 3-Major | Manager role should be allowed to create 'Custom Categories' |
604768 | 3-Major | ACCESS::session iRules did not work with IP-based sessions |
604767 | 3-Major | Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object. |
603679 | 3-Major | Edge client does not log configuration parameters received from server |
603293 | 3-Major | Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs |
603081 | 3-Major | EdgeClient now supports hosts whitelisting in locked mode |
602887 | 3-Major | User-friendly message regarding SSL connection errors via Portal Access. |
602154 | 3-Major | Multidomain SSO loses POST data because of HTTP 302 |
601919 | 3-Major | Custom categories and custom url filter assignment must be specific to partition instead of global lookup |
601905 | 3-Major | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server |
601420 | 3-Major | Possible SAML authentication loop with IE and multi-domain SSO. |
600811 | 3-Major | CATEGORY::lookup command change in behaviour★ |
600119 | 3-Major | DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions |
600069 | 3-Major | Portal Access: Requests handled incorrectly |
600024 | 3-Major | Managed Endpoint Notification and Managed Endpoint Status agents are only available for type "All" profiles |
599220 | 3-Major | AD/LDAP group mapping has no webtop-section assignment |
598981 | 3-Major | APM ACL does not get enforced all the time under certain conditions |
598211 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. |
597431 | 3-Major | VPN establishment may fail when computer wakes up from sleep |
597421 | 3-Major | DNS server setting configured on APM may not take effect on Linux |
597214 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
596336 | 3-Major | SSO object is not assigned to Access Profile on usage of Wizard |
596116 | 3-Major | LDAP Query does not resolve group membership, when required attribute(s) specified |
596083 | 3-Major | Error running custom APM Reports with "session creation time" on Viprion Platform |
595819 | 3-Major | Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and an HTTP/2 profile attached. |
595272 | 3-Major | Edge client may show a window displaying plain text in some cases |
595227 | 3-Major | SWG Custom Category: unable to have a URL in multiple custom categories |
594288 | 3-Major | Access profile configured with SWG Transparent results in memory leak. |
592591 | 3-Major | Deleting access profile prompts for apply access policy for other untouched access profiles |
592414 | 3-Major | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed |
591840 | 3-Major | encryption_key in access config is NULL in whitelist |
591590 | 3-Major | APM policy sync results are not persisted on target devices |
591268 | 3-Major | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions |
591246 | 3-Major | Unable to launch View HTML5 connections in non-zero route domain virtual servers |
590820 | 3-Major | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. |
590734 | 3-Major | Configuration of Timeout in AAA LDAP/AD Servers |
590601 | 3-Major | BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed |
590428 | 3-Major | The "ACCESS::session create" iRule command does not work |
590345 | 3-Major | ACCESS policy running iRule event agent intermittently hangs |
588888 | 3-Major | Empty URI rewriting is not done as required by browser. |
588854 | 3-Major | Windows integrated logon client takes a long time to log on in some cases |
587716 | 3-Major | Webtop doesn't notify user about ended session when F5 VPN application is used |
587493 | 3-Major | MAC Edge client selects wrong network access resource if webtop contains multiple resources |
587419 | 3-Major | TMM may restart when SAML SLO is performed after APM session is closed |
586758 | 3-Major | View HTML5 client doesn't work when APM is set to offload SSL from VCS |
586718 | 3-Major | Session variable substitutions are logged |
586170 | 3-Major | RADIUS Auth Challenge message with Non-ASCII characters in it is rendered to users in hex-encoded form |
586006 | 3-Major | Failed to retrieve CRLDP list from client certificate if DirName type is present |
585905 | 3-Major | Citrix Storefront integration mode with pass-through authentication fails |
585562 | 3-Major | VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari |
584914 | 3-Major | Unsupported customization fields are shown for VMware View Logon Page policy agent |
584716 | 3-Major | SAML XML Canonicalization on BIG-IP as IdP may return invalid value if AuthnRequest is formed in a special way |
584582 | 3-Major | JavaScript: 'baseURI' property may be handled incorrectly |
583627 | 3-Major | Portal Access code does not check if methods of XMLHttpRequest Javascript object are redefined by application |
583113 | 3-Major | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event |
582752 | 3-Major | Macrocall could be topologically not connected with the rest of policy.★ |
582526 | 3-Major | Unable to display and edit huge policies (more than 4000 elements) |
581983 | 3-Major | Incorrect PMTU discovery causes unstable VPN tunnel on Linux and Mac |
581834 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc |
580893 | 3-Major | Support for Single FQDN usage with Citrix Storefront Integration mode |
580567 | 3-Major | LDAP Query agent failed to resolve nested group membership |
580565 | 3-Major | Creating and immediately deleting an Access policy can cause APMD to crash |
580512 | 3-Major | Sometimes launching RemoteApps from APM webtop fails after logout/login |
580421 | 3-Major | Edge Client may not register DLLs correctly |
580403 | 3-Major | SNMP query shows stats for deleted access profiles |
579820 | 3-Major | Edge Client creates duplicate server list if cp has no alias |
579227 | 3-Major | GUI does not display the field for entering port number for pool members in 'use pool' mode for CRLDP AAA server configuration screen |
578455 | 3-Major | Priority group value of the AAA server pool members changed on change of monitor |
578413 | 3-Major | Missing reference to customization-group from connectivity profile if created via portal access wizard |
577939 | 3-Major | DNS suffixes on user's machine may not be restored correctly in some cases |
577906 | 3-Major | Safari 9 and Safari 10 don't use autoconfig script from NA on OSX 10.11 and 10.12 if pac file is downloaded via tunnel |
577495 | 3-Major | APM Sandbox configuration is missing if a partition was created before APM was provisioned |
576748 | 3-Major | Default Session Summary reports are not present for new users with report access. |
576069 | 3-Major | Rewrite can crash in some rare corner cases |
575444 | 3-Major | Wininfo agent incorrectly reports OS version on Windows 10 in some cases |
575292 | 3-Major | DNS Relay proxy service does not respond to SCM commands in timely manner |
574578 | 3-Major | Failed to load configuration when cache_cleanup property is defined for AAA AD/LDAP server |
574435 | 3-Major | BIG-IP as a SAML Service Provider may fail to resolve Artifact for Assertion when route domains are configured |
574264 | 3-Major | Hundreds of images are taking hours to import |
573643 | 3-Major | flash.utils.Proxy functionality is not negotiated |
573581 | 3-Major | DNS Search suffix are not restored properly in some cases after VPN establishment |
572900 | 3-Major | Two-factor auth not supported in step-up auth |
572893 | 3-Major | error "The modem (or other connecting device) is already in use or is not configured properly" |
572887 | 3-Major | DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client |
572825 | 3-Major | write to sessiondb fails for localdb password reset |
572558 | 3-Major | Internet Explorer: incorrect handling of document.write() to closed document |
572420 | 3-Major | Session ID is not shown for some messages in System-> Logs-> Access Policy |
571410 | 3-Major | LocalDB Auth in subroutines |
571408 | 3-Major | Step-Up Auth cannot validate SSL certificate revocations |
570217 | 3-Major | BIG-IP APM now uses Airwatch v2 API to retrieve device posture information |
570064 | 3-Major | IE gives a security warning asking: "Do you want to run ... InstallerControll.cab" |
569542 | 3-Major | After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★ |
569309 | 3-Major | Clientside HTML parser does not recognize HTML event attributes without value |
569278 | 3-Major | Request to /my.policy.php3 will return 302 redirect to /vdesk/webtop.eui?webtop=... with rotated MRHSession. |
569255 | 3-Major | Network Access incorrectly manipulates routing table when a second adapter is connected and "Allow Local Subnet Access" is set to ON |
568445 | 3-Major | User cannot perform endpoint check or launch VPN from Firefox on Windows 10 |
568418 | 3-Major | Linux CLI client does not follow redirect response coming from APM |
567707 | 3-Major | Edge client uninstaller on windows leaves some client components on user's machine |
567199 | 3-Major | NLA-awareness works incorrectly in "Always Connected Mode" |
566998 | 3-Major | Edge client upgrade fails if client was configured in locked mode★ |
566947 | 3-Major | Errors in IMsTscAxEvents::OnDisconnected do not have a text description |
566908-1 | 3-Major | Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file |
566600 | 3-Major | Export button in EDGE client now creates a CTU report |
565686 | 3-Major | Route domain behavior is inconsistent |
565519 | 3-Major | URL filter policy enforcement interprets "recommend to scan" as "uncategorized" all the time |
565347 | 3-Major | Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction |
564521 | 3-Major | JavaScript passed to ExternalInterface.call() may be erroneously unescaped |
564262 | 3-Major | Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code |
564253 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc |
563135 | 3-Major | SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt |
562636 | 3-Major | Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases. |
562509 | 3-Major | Incorrect form action path may be used if it is changed inside 'onsubmit' event handler |
560601 | 3-Major | HTML5 File API and MediaSource URLs are blocked in Portal Access |
559402 | 3-Major | Client initiated form based SSO fails when username and password not replaced correctly while posting the form |
559334-2 | 3-Major | Network Access fails on Windows platform |
558870 | 3-Major | Protected workspace does not work correctly with third party products |
558283 | 3-Major | Show template javascript on Client initiated SSO v2 |
556092 | 3-Major | Password copying in Variable Assign Agent may fail if user decides not to change password |
553063 | 3-Major | Epsec version rolls back to previous version on a reboot |
551803 | 3-Major | [Portal Access] Links targeting new window must not be rewritten as script |
551795 | 3-Major | Portal Access: corrections to CORS support for XMLHttpRequest |
551225 | 3-Major | SAML IdP requests may fail when Sharepoint is opened through Portal Access in the same browser |
549996 | 3-Major | VPN connection cannot be established from browser on MAC in some cases |
547332 | 3-Major | Portal access should send request url with "/" in path to backend |
546489 | 3-Major | VMware View USB redirection stops working after client reconnect |
543344 | 3-Major | ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event |
541363-1 | 3-Major | Component installation appears hung if wrong password is entered |
534187 | 3-Major | Passphrase protected signing keys are not supported by SAML IDP/SP |
534057 | 3-Major | [JavaPatcher] Java Applet class methods not properly implemented |
528598 | 3-Major | SharePoint ActiveX wrappers should check object type before rewriting URL |
525429-9 | 3-Major | DTLS renegotiation sequence number compatibility |
516736 | 3-Major | URLs with backslashes in the path may not be handled correctly in Portal Access |
516711 | 3-Major | Portal Access: JavaScript in Shift-JIS encoding may be handled incorrectly |
513480 | 3-Major | ldap query fails when user is assigned to newly created group and that group is set as primary group |
505925 | 3-Major | Show internal Citrix XML Broker error (MPSError/BrowserError) in the logs and to the user on APM Webtop |
503847 | 3-Major | Support Citrix HTML5 client bundle in non-default partition |
503842 | 3-Major | MS WebService html component doesn't work after rewriting |
501505 | 3-Major | [Portal Access] Rewrite helpers do not work with documents created with createHTMLDocument() call |
500901 | 3-Major | Manager Role inconsistency between GUI and TMSH |
488326 | 3-Major | SWG database download via proxy |
483957 | 3-Major | Configure the client of choice to be launched from APM webtop |
483570 | 3-Major | TMM/APMD fail to communicate when handling a large amount of data under high load conditions. |
482976 | 3-Major | AppTunnel fails with two resources one with protocol type and other with port range |
478657 | 3-Major | HTTP URLs with embedded credentials are not working in Portal Access |
476644 | 3-Major | User logged in as Auditor can't view SAML IdP configuration data; Edit button greyed out. |
475715 | 3-Major | Plugin based endpoint checking clients do not work with Chrome and Firefox |
475403-5 | 3-Major | Tunnel reconnect with v2.02 does not occur |
470231 | 3-Major | HTML5 WebSocket API is not supported in Portal Access |
468130 | 3-Major | When Kerberos authentication is used with RBA enabled, the first POST request sent to the BIG-IP system could be lost under certain conditions. |
455975 | 3-Major | Separate MIBS needed for tracking Access Sessions and Connectivity Sessions |
447689 | 3-Major | [Portal Access] Version disclosure |
447565 | 3-Major | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
441525 | 3-Major | Support RDP connections to arbitrary servers from APM Webtop |
438135 | 3-Major | APM does not support multimon and monitors custom properties for RDP resources |
434773 | 3-Major | Oracle Access Manager 'Clear local Config Cache' button deletes incorrect config.cache file |
431764 | 3-Major | Full webtop title is not localized |
402793-19 | 3-Major | APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients |
399857 | 3-Major | Access Policy Export / Import fails when folders are used★ |
389881 | 3-Major | Flash items on webpage do not load correctly through APM portal |
389484 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later |
386517 | 3-Major | Multidomain SSO requires a default pool be configured |
384405 | 3-Major | web-acceleration profile not working with access profile |
369407 | 3-Major | Access policy objects are created inconsistently depending on whether created using wizard or manually. |
367670 | 3-Major | APM allows only limited resources to be added to webtop |
366149 | 3-Major | ACL support for VPN tunnels |
238444 | 3-Major | An L4 ACL has no effect when a layered virtual server is used. |
620922 | 4-Minor | Online help for Network Access needs update |
618404 | 4-Minor | Copying an Access Profile can produce an invalid profile for certain series of names |
617544 | 4-Minor | References to DTLS may show up in client logs even when DTLS is disabled |
612758 | 4-Minor | Exception within function F5_Inflate_innerHTML. |
611968 | 4-Minor | JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow |
610594 | 4-Minor | Authorization grant using auth code fails with IE11 when OAuth AS clientssl profile is using untrusted certificate |
608453 | 4-Minor | Shrink/Expand images of the Webtop section are customizable |
606257 | 4-Minor | TCP FIN sent with Connection: Keep-Alive header for webtop page resources |
599526 | 4-Minor | SWG redirect omits the port |
598419 | 4-Minor | Edge client requests include ID |
597331 | 4-Minor | Portal Access: HTML 'PARAM' tag cannot be handled correctly by Internet Explorer in IE5.5, IE7, or IE8 emulation modes. |
596330 | 4-Minor | Portal Access does not preserve tag order in popup window's document |
594388 | 4-Minor | Separate signature validation and encryption certificates used by SAML IdP |
592352 | 4-Minor | Launching RDP resources of "Native" type requires downloading .rdp files which are not cleaned automatically |
584373 | 4-Minor | AD/LDAP resource group mapping table controls are not accessible sometimes |
583600 | 4-Minor | Portal Access could send to backend application wrong URL query separator |
581765 | 4-Minor | Tooltip displayed in tray icon of Edge Client does not show text correctly in some cases |
581459 | 4-Minor | F5_Invoke_replace() should accept more than 2 arguments |
580429 | 4-Minor | CTU does not show second Class ID for InstallerControll.dll |
578848 | 4-Minor | The "Applications and Links" count displayed on the APM webtop is off by 1 |
574664 | 4-Minor | 'ACCESS::session exists' returns TCL error if there is no APM session associated with connflow |
574079 | 4-Minor | Network access webtop does not prompt the user if user closes browser window |
573611 | 4-Minor | Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs |
572543 | 4-Minor | User is prompted to install components repeatedly after client components are updated. |
561892 | 4-Minor | kerberos cache is not cleared when Administrator password is changed in AAA AD Server |
557411 | 4-Minor | Full Webtop resources appear overlapping in IE11 compatibility mode |
555102 | 4-Minor | Disk Serial number reported with incorrect formatting |
544148 | 4-Minor | document.parentWindow value should be preserved |
541156 | 4-Minor | Network Access clients experience delays when resolving a host |
538770 | 4-Minor | Save Password checkbox setting is not remembered on Mac Edge Client. |
535780 | 4-Minor | Microsoft Edge browser is not supported |
533956 | 4-Minor | Portal Access: Space-like characters in EUC character sets may be handled incorrectly. |
514742 | 4-Minor | OCSP Responder URL is case sensitive, scheme part is required |
495830-1 | 4-Minor | UI Breadcrumb text does not always match the menu or tab selected |
470612 | 4-Minor | ACCESS logs non-fatal snapshot errors |
WebAccelerator Fixes
ID Number | Severity | Description |
630661 | 3-Major | WAM may leak memory when a WAM policy node has multiple variation header rules |
621284 | 3-Major | Incorrect TMSH help text for the 'max-response' RAMCACHE attribute |
596569 | 3-Major | Memory leak on Central device in Symmetric deployment |
Wan Optimization Manager Fixes
ID Number | Severity | Description |
619757 | 2-Critical | iSession causes routing entry to be prematurely freed |
593597 | 3-Major | iSession can't connect over default gateway pool |
505031 | 3-Major | wom_verify_config is slow when there are a large number of virtuals configured |
499124 | 4-Minor | wom_verify_config produces unnecessarily elevated messages in ltm log |
Service Provider Fixes
ID Number | Severity | Description |
629663-3 | 2-Critical | CGNAT SIP ALG will drop SIP INVITE |
625542-3 | 2-Critical | SIP ALG with Translation fails for REGISTER refresh. |
624023 | 2-Critical | TMM cores in iRule when accessing a SIP header that has no value |
613297 | 2-Critical | Default generic message routing profile settings may core |
612135 | 2-Critical | Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic |
603397 | 2-Critical | tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config |
596631 | 2-Critical | SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later |
570363 | 2-Critical | Potential segfault when MRF messages cross from one TMM to another. |
569316 | 2-Critical | Core occurs on standby in MRF when routing to a route using a transport config |
618121-2 | 3-Major | "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★ |
609575 | 3-Major | BIG-IP drops ACKs containing no max-forwards header |
609328 | 3-Major | SIP Parser incorrectly parses empty header |
608927 | 3-Major | SIP Parser logging improvements |
607713 | 3-Major | SIP Parser fails header with multiple sequential separators inside quoted string. |
603019 | 3-Major | Inserted SIP VIA branch parameter not unique between INVITE and ACK |
601255 | 3-Major | RTSP response to SETUP request has incorrect client_port attribute |
599521-1 | 3-Major | Persistence entries not added if message is routed via an iRule |
598854-4 | 3-Major | sipdb tool incorrectly displays persistence records without a pool name |
598700-1 | 3-Major | MRF SIP Bidirectional Persistence does not work with multiple virtual servers |
597835 | 3-Major | Branch parameter in inserted VIA header not consistent as per spec |
585639 | 3-Major | SIP rport value not set in the BIG-IP system response to client (RFC 3581) |
583101 | 3-Major | ADAPT::result bypass after continue causes bad state transition |
583010-1 | 3-Major | Sending a SIP invite with "tel" URI fails with a reset |
578564 | 3-Major | ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response |
573075 | 3-Major | ADAPT recursive loop when handling successive iRule events |
566576 | 3-Major | ICAP/OneConnect reuses connection while previous response is in progress |
401815-2 | 3-Major | IP ToS not passing through with SIP LB |
600431 | 4-Minor | DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP |
585807 | 4-Minor | 'ICAP::method <method>' iRule is documented but is read-only |
561500 | 4-Minor | ICAP Parsing improvement |
494019 | 4-Minor | System matches messages to previous Diameter Route Application ID after modifying ID value |
493206 | 4-Minor | Diameter traffic not restricted to virtual server assigned to static route |
493061 | 4-Minor | Priority order of Diameter Router Profile static routes determined by order in bigip.conf |
Advanced Firewall Manager Fixes
ID Number | Severity | Description |
641137 | 2-Critical | SSH Proxy does not correctly parse public keys containing comments |
612874 | 2-Critical | iRule with FLOW_INIT stage execution can cause TMM restart |
609095 | 2-Critical | mcpd memory grows when updating firewall rules |
605427 | 2-Critical | TMM may crash when adding and removing virtual servers with security log profiles |
605383 | 2-Critical | Requests are dropped when custom captcha response page is longer than 1024 bytes |
602653 | 2-Critical | TMM may crash after updating bot-signatures |
564058 | 2-Critical | AutoDoS daemon aborts intermittently after it has been up for several days |
560871 | 2-Critical | TMM crash when deleting several thousands of address-list objects with address-list references on VE using the command 'tmsh delete security firewall address-list all'. |
639193 | 3-Major | BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail. |
632731 | 3-Major | specific external logging configuration can cause TMM service restart |
631025 | 3-Major | 500 internal error on inline rule editor for certain firewall policies |
630356 | 3-Major | JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge |
626438 | 3-Major | Frame is not showing in the browser and/ or an error appears |
625523 | 3-Major | CAPTCHA Challenge on Edge 14 Browser when Proactive Bot Defense is enabled |
622281 | 3-Major | Network DoS logging configuration change can cause TMM crash |
621808 | 3-Major | Proactive Bot Defense failing in IE11 with Compatibility View enabled |
617620 | 3-Major | Firewall rule with Multicast/Link Local IPv6 addresses netmask bigger than 32 will not work |
614563 | 3-Major | AVR TPS calculation is inaccurate |
614284 | 3-Major | Performance fix to not reset a data structure in the packet receive hotpath. |
613459 | 3-Major | Non-common browsers blocked by Proactive Bot Defense |
610857 | 3-Major | DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver. |
610129 | 3-Major | Config load failure when cluster management IP is not defined, but instead uses address-list. |
608566 | 3-Major | The reference count of NW dos log profile in tmm log is incorrect |
606875 | 3-Major | DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page |
601924 | 3-Major | Selenium detection by ports scanning doesn't work even if the ports are opened |
596809 | 3-Major | It is possible to create ssh rules with blank space for auth-info |
596502 | 3-Major | Unable to force Bot Defense action to Allow in iRule |
595832 | 3-Major | SSH Proxy profile visible in GUI available without AFM provision |
594869-1 | 3-Major | AFM can log DoS attack against the internal mpi interface and not the actual interface |
594075 | 3-Major | Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically |
593925 | 3-Major | ssh profile should not contain rules that begin and end with spaces (cannot be deleted) |
593696 | 3-Major | Sync fails when deleting an ssh profile |
592113-4 | 3-Major | tmm core on the standby unit with dos vectors configured |
591828 | 3-Major | For unmatched connection TCP RST may not be sent for data packet |
590805 | 3-Major | Active Rules page displays a different time zone. |
585823 | 3-Major | FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode) |
583024 | 3-Major | TMM rarely restarts during startup |
578987 | 3-Major | Whitelisted IPs of non-default DoS profile are ignored |
572029 | 3-Major | Using ECDSA keys for user public key auth, or backend server configured to use ECDSA keys |
525158 | 3-Major | Rebooting active device before syncing a manual sync device group causes both devices to compile and deploy the blob |
523111 | 3-Major | Disabling on-demand-compile/on-demand-deploy on standby, sometimes the setting will revert back to enabled on the active or standby automatically |
522043 | 3-Major | ASM triggers geo-based dos mitigation against RFC1918 addresses. |
501892 | 3-Major | Selenium is not detected by headless mechanism when using client version without server |
431840-1 | 3-Major | Cannot add vlans to whitelist if they contain a hyphen |
623779 | 4-Minor | Adding a client side challenge whitelist URL wildcard list |
546823 | 4-Minor | PCCD Firewall compilation takes a long time |
495432 | 5-Cosmetic | Add new log messages for AFM rule blob load/activation in datapath. |
Policy Enforcement Manager Fixes
ID Number | Severity | Description |
609005-1 | 1-Blocking | Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67). |
627279 | 2-Critical | Potential crash in a multi-blade chassis during CMP state changes. |
627257 | 2-Critical | Potential PEM crash during a Gx operation |
624744 | 2-Critical | Potential crash in a multi-blade chassis during CMP state changes. |
624733 | 2-Critical | Potential crash in a multi-blade chassis during CMP state changes. |
624228 | 2-Critical | Memory leak when using insert action in pem rule and flow gets aborted |
623922 | 2-Critical | TMM failure in PEM while processing Service-Provider Disaggregation |
622220 | 2-Critical | Disruption during manipulation of PEM data with suspected flow irregularity |
611467 | 2-Critical | TMM coredump at dhcpv4_server_set_flow_key(). |
608009 | 2-Critical | TMM crashes when active system connections are deleted from the CLI |
603825 | 2-Critical | Crash when a Gy update message is received by a debug TMM |
593070 | 2-Critical | TMM may crash with multiple IP addresses per session |
628869-3 | 3-Major | Unconditional logs seen due to the presence of a PEM iRule. |
627798 | 3-Major | Buffer length check for quota bucket objects |
627616 | 3-Major | CCR-U missing upon VALIDITY TIMER expiry when quota is zero |
623927 | 3-Major | Flow entry memory leaked after DHCP DORA process |
623491 | 3-Major | After receiving the first Gx response from the PCRF, the BWC action against a rule is lost. |
623037 | 3-Major | Deleting a PEM session attribute does not work after an update |
618657 | 3-Major | Bogus ICMP unreachable messages in PEM with ipother profile in use |
617014 | 3-Major | tmm core using PEM |
608742 | 3-Major | DHCP: DHCP renew ack messages from server are getting dropped by BIGIP in Forward mode. |
608591 | 3-Major | Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers |
592070 | 3-Major | DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied |
588456 | 3-Major | PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed). |
577863 | 3-Major | DHCP relay not forwarding server DHCPOFFER and DHCPACK messages after some time |
572568 | 3-Major | Gy CCR-i requests are not being re-sent after initial configured re-transmits |
564281 | 3-Major | TMM (debug) assert seen during Failover with Gy |
472860-6 | 3-Major | RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented. |
Carrier-Grade NAT Fixes
ID Number | Severity | Description |
606066 | 2-Critical | LSN_DELETE messages may be lost after HA failover |
605525 | 2-Critical | Deterministic NAT combined with NAT64 may cause a TMM core |
584921 | 2-Critical | Inbound connections fail to keep port block alive |
629871-1 | 3-Major | FTP ALG deployment should not rewrite PASV response 464 XLAT cases |
602171 | 3-Major | TMM may core when remote LSN operations time out |
587106 | 3-Major | Inbound connections are reset prematurely when zombie timeout is configured. |
576752 | 3-Major | Licensing Warning displays when CGNAT is licensed and LTM is provisioned |
548105 | 3-Major | PCP and inbound-entry iRule commands do not work with under-provisioned PBA LSN pool |
Fraud Protection Services Fixes
ID Number | Severity | Description |
603234 | 2-Critical | Performance Improvements |
629627 | 3-Major | FPS Log Publisher is not grouped nor filtered by partition |
628337 | 3-Major | Forcing a single injected tag configuration is restrictive |
625275 | 3-Major | Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI |
623518 | 3-Major | Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition |
609098-2 | 3-Major | Improve details of ajax failure |
604885 | 3-Major | Redirect/Route action doesn't work if there is an alert logging iRule |
603997-1 | 3-Major | Plugin should not inject nonce to CSP header with unsafe-inline |
603029 | 3-Major | Secure alerts and phishing alerts are shown URL-encoded |
597528 | 3-Major | define default score for fps-generated alerts |
597471-1 | 3-Major | Some Alerts are sent with outdated username value |
594910-2 | 3-Major | FPS flags no cookie when length check fails |
590608 | 3-Major | Alert is not redirected to alert server when unseal fails |
590578 | 3-Major | False positive "URL error" alerts on URLs with GET parameters |
588058 | 3-Major | False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer |
583367-2 | 3-Major | AJAX encryption may send corrupted payload when configuration is incorrect |
577697-1 | 3-Major | WebSafe features do not support Non-UTF8 encodings. |
564779-1 | 3-Major | Compatibility issues with phishing detection and dosL7 |
621811 | 4-Minor | Alert Component and Malware values are reset when deleting unsaved user-defined alert |
605125 | 4-Minor | Sometimes, passwords fields are readonly |
601083 | 4-Minor | FPS Globally Forbidden Words lists freeze in IE 11 |
592274 | 4-Minor | RAT-Detection alerts sent with incorrect duration details |
591351 | 4-Minor | False positive browser automation alert |
589318 | 4-Minor | Clicking 'Customize All' checkbox does not work. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Description |
620215 | 2-Critical | TMM out of memory causes core in DNS cache |
584374 | 2-Critical | iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address. |
570575 | 2-Critical | RESOLV::lookup against a TCP virtual will cause tmm core |
637227-5 | 3-Major | DNS Validating Resolver produces inconsistent results with DNS64 configurations. |
632423 | 3-Major | DNS::query can cause tmm crash if AXFR/IXFR types specified. |
628180 | 3-Major | DNS Express may fail after upgrade★ |
625671 | 3-Major | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. |
624193-3 | 3-Major | Topology load balancing improvement |
623023 | 3-Major | Unable to set DNS Topology Continent to Unknown via GUI |
621239 | 3-Major | Certain DNS queries bypass DNS Cache RPZ filter. |
619398 | 3-Major | TMM out of memory causes core in DNS cache |
619158 | 3-Major | iRule DNS request with trailing dot times out with empty response |
612769 | 3-Major | Added better search capabilities on the Pool Members Manage page. |
609527 | 3-Major | DNS cache local zone not properly copying recursion desired (RD) flag in response |
607658 | 3-Major | GUI becomes unresponsive when managing GSLB Pool |
605260 | 3-Major | [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0 |
596242 | 3-Major | [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record |
581824 | 3-Major | "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link. |
557434 | 3-Major | After setting a Last Resort Pool on a Wide IP, cannot reset back to None |
523198 | 3-Major | DNS resolver multiplexing might cause unexpected behaviors |
433678 | 3-Major | A monitor removed from GTM link cannot be deleted: 'monitor is in use' |
604371 | 4-Minor | Pagination controls missing for GSLB pool members |
Anomaly Detection Services Fixes
ID Number | Severity | Description |
588405 | 3-Major | BADOS - BIG-IP Self-protection during (D)DOS attack |
588399 | 3-Major | BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated |
582374 | 3-Major | Multiple 'Loading state for virtual server' messages in admd.log |
569121 | 3-Major | Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low |
547053 | 3-Major | Bad actor quarantining |
608826 | 4-Minor | Greylist (bad actors list) is not cleaned when attack ends |
Traffic Classification Engine Fixes
ID Number | Severity | Description |
625172 | 2-Critical | tmm crashes when classification is enabled and FTP traffic is flowing through the box |
624370 | 2-Critical | tmm crash during classification hitless upgrade if virtual server configuration is modified |
592952 | 2-Critical | Configuring connection mirroring when using AFM send_to_virtual action |
590795 | 2-Critical | tmm crash when loading default signatures or updating classification signature★ |
631472 | 3-Major | Resetting classification signatures to default may result in non-working configuration |
511710 | 4-Minor | URL Categorization: URL lookup is performed on URL without query string starting v13.0 |
378094 | 4-Minor | Support for SPDY over TLS |
Device Management Fixes
ID Number | Severity | Description |
606518 | 2-Critical | iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username. |
627341 | 3-Major | TMUI loginProviderName is invalid when requesting a REST token |
626542 | 3-Major | Unable to set maxMessageBodySize in iControl REST after upgrade★ |
621401-4 | 3-Major | When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load |
608373 | 3-Major | Some iApp LX packages will not be saved during upgrade or UCS save/restore |
580726 | 3-Major | License state information from REST worker is out of sync with device |
iApp Technology Fixes
ID Number | Severity | Description |
603605 | 2-Critical | Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active |
599424 | 2-Critical | iApps LX fails to sync★ |
615824-2 | 3-Major | REST API calls to invalid REST endpoint log level change |
Cumulative fix details for BIG-IP v13.0.0 that are included in this release
641582 : Rarely, an HSB transmitter failure occurs
Component: TMOS
Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.
Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.
Impact:
Reboot of the unit.
Workaround:
None.
Fix:
The reboot of the unit occurs very rarely, and the conditions for this issue are not well understood. In this release, an internal counter has been added to track occurrences of HSB transmitter failures of this type, which will enable better understanding of the issue and a more thorough investigation into its cause.
641137 : SSH Proxy does not correctly parse public keys containing comments
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP will RST the server side and client side connections upon connection initialization. If you have logging set up, log messages will inform you that the keys were mismatched.
Conditions:
Configuring the SSH Proxy feature's Real Server Auth public key field, using a public key that contains a comment, such as a trailing "root@myserver.local".
Impact:
SSH proxy fails.
Workaround:
Strip any comments from the Real Server Auth public key, such as "root@host.example.com".
Fix:
SSH Proxy now correctly parses public keys containing comments.
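The workaround above amounts to keeping only the first two fields of the OpenSSH public key line. Added example (not F5 code): a Python helper that strips the trailing comment and, because a mispasted key surfaces at the proxy only as a "keys mismatched" RST, also checks that the base64 blob decodes and that its embedded key-type string matches the leading type. The sample key is constructed (a zero-filled ssh-ed25519 blob in valid wire format, not a real key), and the function names are mine.

```python
import base64
import binascii
import struct


def _constructed_ed25519_blob() -> bytes:
    """Build a wire-format ssh-ed25519 public key blob (length-prefixed
    strings as in RFC 4253) with zero-filled key material.
    Constructed test data only; it is not a real key."""
    key_type = b"ssh-ed25519"
    key_material = bytes(32)
    return (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key_material)) + key_material)


# Constructed sample line in the form the SSH Proxy field receives when the
# key is copied straight out of an authorized_keys or id_*.pub file.
SAMPLE_KEY_WITH_COMMENT = (
    "ssh-ed25519 "
    + base64.b64encode(_constructed_ed25519_blob()).decode("ascii")
    + " root@myserver.local"
)


def strip_pubkey_comment(line: str) -> str:
    """Return '<keytype> <base64>' with any trailing comment removed.

    Besides dropping the comment, this validates the key so that a truncated
    or corrupted paste is rejected here instead of surfacing later as a
    'keys mismatched' reset from the proxy:
      * the base64 must decode cleanly, and
      * the key-type string embedded in the blob must equal the leading
        key type (e.g. both 'ssh-rsa', both 'ecdsa-sha2-nistp256').
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key material is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short to contain a type string")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len]
    if len(embedded_type) != type_len or embedded_type != key_type.encode("ascii"):
        raise ValueError(
            f"embedded type {embedded_type!r} does not match leading type {key_type!r}"
        )
    return f"{key_type} {b64}"


if __name__ == "__main__":
    # Prints the two-field form that is safe to paste into Real Server Auth.
    print(strip_pubkey_comment(SAMPLE_KEY_WITH_COMMENT))
```

The type check is cheap and catches the common copy errors (a key pasted with its type prefix but a truncated body, or the wrong key file entirely) before the proxy resets the first connection.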
639193 : BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.
Component: Advanced Firewall Manager
Symptoms:
In high availability (HA) environment where BIG-IP devices are configured for Manual Sync, deleting parent policy causes sync to fail.
Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.
Impact:
Manual sync operation fails.
Workaround:
Use one of the following workarounds:
A. Enable automatic sync for HA configurations.
B. Run the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all
Sync
Fix:
In HA environments containing BIG-IP devices configured for Manual Sync, deleting parent policy no longer causes sync to fail.
638935 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: TMOS
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of list ltm monitor and the bigip.conf file match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.
637559 : Modifying iRule online could cause TMM to be killed by SIGABRT
Component: TMOS
Symptoms:
If an iRule is used by several virtual servers and you edit the iRule online, TMM may eventually be killed by SOD (the watchdog).
Conditions:
This can occur under the following conditions:
1. The iRule is used by a large number of virtual servers.
2. You edit the iRule and save changes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If an iRule is used by several virtual servers and you edit the iRule online, TMM is no longer killed by SOD (the watchdog).
637279-1 : Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.
Component: TMOS
Symptoms:
Pool member discovery does not work and produces the following error: as-describe-auto-scaling-groups: Refused: The security token included in the request is invalid.
Conditions:
This occurs in the eu-central-1 region only. Does not apply for failover. Note: This error might happen even when correct IAM credentials are specified.
Impact:
Pool member discovery cannot be run in eu-central-1 region.
Workaround:
Create autoscale configuration in regions other than eu-central-1.
Fix:
Pool member discovery/autoscale now works in eu-central-1 (Germany) region of AWS.
637227-5 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.
A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.
Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.
Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.
Workaround:
None.
Fix:
DNS validation now occurs as expected, resulting in valid answers to AAAA queries.
636918 : Fix for crash when multiple tunnels use the same traffic selector
Component: TMOS
Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.
Conditions:
Same traffic selector used with more than one tunnel.
Impact:
Possible tmm restart if problem happens. Traffic disrupted while tmm restarts.
Workaround:
Use different traffic selectors for different tunnels.
Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.
636397 : bd cores with a persistent storage configuration under some memory conditions.
Component: Application Security Manager
Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:
BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.
Conditions:
There is persistent storage configuration. There is high memory usage.
Impact:
bd crash. Traffic resets and/or failover.
Workaround:
None.
Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.
635129-3 : Chassis systems in HA configuration become Active/Active during upgrade★
Component: TMOS
Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.
The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.
Conditions:
This problem occurs on VIPRION chassis systems, either running natively, or as a VCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2), to any other version. The problem occurs on any upgrade, whether on the list of affected versions, or a later version.
Impact:
When multiple devices become Active simultaneously, traffic is disrupted.
Workaround:
There is no workaround other than to remain in Active/Active state until all Chassis are finished upgrade. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.
Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.
634265 : Using route pools whose members aren't directly connected may crash the TMM.
Component: Local Traffic Manager
Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.
Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources traffic. An example is an sFLOW configuration.
Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.
Workaround:
Create route pools with directly connected members.
Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.
634125 : Access Profile with incorrect topology may be imported in some cases.
Component: Access Policy Manager
Symptoms:
An Access Profile with several references to the same macrocall Access Policy Item may be imported without errors. Such a profile cannot be displayed by the VPE and may also cause APM to crash.
Conditions:
Importing an Access Profile with several references to the same macrocall Access Policy Item (API).
Impact:
Client may not be connected to Virtual Server.
Workaround:
Manually edit bigip.conf file to replace invalid reference with reference to Default Ending.
Fix:
Now, an Access Policy containing duplicated references to macrocall API cannot be imported. At upgrade time, such a policy is corrected by replacing invalid references with references to Default Ending.
634115 : Not all topology records may sync.
Component: TMOS
Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.
Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.
Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.
Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.
Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.
634001 : ASM restarts after deleting a VS that has an ASM security policy assigned to it
Component: Application Security Manager
Symptoms:
ASM restarts with the following errors:
'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.
Impact:
ASM restart
Workaround:
None.
Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.
633512 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
Component: TMOS
Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).
Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.
Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.
Workaround:
Do not configure Auto-Failback on VIPRION.
Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.
633349-2 : localdbmgr hangs and eventually crashes
Component: Access Policy Manager
Symptoms:
localdbmgr hangs and eventually crashes due to a rare condition where the program is trapped inside an internal infinite loop upon logging configuration changes.
Conditions:
Rare condition upon logging configuration changes.
Impact:
localdbmgr crashes.
Workaround:
localdbmgr restarts and recovers from this crash.
Fix:
Added safety check in logging configuration code to protect against unwanted config insertions.
632968 : supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
Component: Local Traffic Manager
Symptoms:
Clients are unable to establish an SSL session.
If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the serverssl profile responds with Certificate + Certificate Verify containing signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'.
Since the backend server does not expect SHA1 the handshake fails.
Conditions:
* BIG-IP is communicating with a TLS server (applies to serverssl profile).
* TLS server is requesting client authentication (this is less common).
* TLS client using the supported_signature_algorithms extension (this is very common)
* TLS 1.2 is likely needed. TLS 1.0 doesn't support extensions.
Impact:
BIG-IP will sign the TLS handshake with the SHA1 algorithm, which will fail on the server.
Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g. "SHA1 in X.509 certificates".
Workaround:
No mitigation is known.
Fix:
BIG-IP now properly parses the following extension in a CertificateRequest sent by a TLS server:
SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>.
This allows the existing logic to work, in particular, to learn that the server supports SHA2 family of hash algorithms and use them with the signature in the TLS handshake.
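The following is an added Python example, not BIG-IP code, showing what "parsing the extension" means in practice: it decodes a TLS 1.2 CertificateRequest handshake message as laid out in RFC 5246 section 7.4.4 (certificate_types, supported_signature_algorithms, certificate_authorities) and then picks the hash for CertificateVerify from the server's advertised list. The message is constructed inside the block; the `select_hash` policy is an assumed stand-in for how a serverssl profile with ssl-sign-hash set to 'ANY' ought to behave (honour the server's preference order, restricted to hashes the local side is willing to use), and the `build_certificate_request` encoder exists only to produce the sample.

```python
from typing import Dict, List, Optional, Set, Tuple

# RFC 5246 section 7.4.1.4.1 code points for SignatureAndHashAlgorithm.
HASH_ALG = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request


def _vector(buf: bytes, off: int, len_bytes: int) -> Tuple[bytes, int]:
    """Read a length-prefixed TLS vector; len_bytes is the prefix width (1 or 2)."""
    if off + len_bytes > len(buf):
        raise ValueError("truncated vector length")
    length = int.from_bytes(buf[off:off + len_bytes], "big")
    start = off + len_bytes
    if start + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[start:start + length], start + length


def parse_certificate_request(msg: bytes) -> Dict:
    """Decode a CertificateRequest handshake message (type byte + 3-byte length + body)."""
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length mismatch")
    cert_types, off = _vector(body, 0, 1)            # ClientCertificateType<1..2^8-1>
    raw_algs, off = _vector(body, off, 2)            # SignatureAndHashAlgorithm list
    if len(raw_algs) % 2:
        raise ValueError("supported_signature_algorithms length must be even")
    sig_algs: List[Tuple[str, str]] = []
    for i in range(0, len(raw_algs), 2):             # each entry is (hash, signature)
        sig_algs.append((HASH_ALG.get(raw_algs[i], f"unknown({raw_algs[i]})"),
                         SIG_ALG.get(raw_algs[i + 1], f"unknown({raw_algs[i + 1]})")))
    cas_raw, off = _vector(body, off, 2)             # DistinguishedName<0..2^16-1>
    cas: List[bytes] = []
    o = 0
    while o < len(cas_raw):
        dn, o = _vector(cas_raw, o, 2)
        cas.append(dn)
    if off != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    return {"certificate_types": list(cert_types),
            "supported_signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def select_hash(server_algs: List[Tuple[str, str]], key_sig_alg: str,
                local_hashes: Set[str]) -> Optional[str]:
    """Assumed 'ANY' policy: first pair in the server's preference order whose
    signature algorithm matches our key and whose hash we accept; None if no match."""
    for h, s in server_algs:
        if s == key_sig_alg and h in local_hashes:
            return h
    return None


def build_certificate_request(cert_types: List[int], sig_algs: List[Tuple[int, int]],
                              cas: List[bytes] = ()) -> bytes:
    """Encoder used only to construct the sample message (mirror of the parser)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sh = b"".join(bytes([h, s]) for h, s in sig_algs)
    body += len(sh).to_bytes(2, "big") + sh
    ca_blob = b"".join(len(dn).to_bytes(2, "big") + dn for dn in cas)
    body += len(ca_blob).to_bytes(2, "big") + ca_blob
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


# Constructed sample: server accepts rsa_sign(1) and ecdsa_sign(64) certificates and
# advertises sha256/rsa, sha384/rsa, sha256/ecdsa. SHA-1 is deliberately absent.
SAMPLE_REQUEST = build_certificate_request([1, 64], [(4, 1), (5, 1), (4, 3)])
LOCAL_HASHES = {"sha256", "sha384", "sha512"}

if __name__ == "__main__":
    parsed = parse_certificate_request(SAMPLE_REQUEST)
    print(parsed["supported_signature_algorithms"])
    # Honouring the list yields sha256 for an RSA key; a fixed SHA-1 choice would
    # produce a CertificateVerify the server never agreed to accept.
    print("rsa key ->", select_hash(parsed["supported_signature_algorithms"], "rsa", LOCAL_HASHES))
```

The failure mode in this entry maps directly onto `select_hash`: a client that ignores the parsed list and always signs with SHA-1 emits a (sha1, rsa) pair that the server's list does not contain, and the server rejects the handshake. Note that the hash negotiated here is for the handshake signature only and is independent of the hash used inside the X.509 certificates themselves.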
632798 : Double-free may occur if Access initialization fails
Component: Access Policy Manager
Symptoms:
Double-free may occur if Access initialization fails.
Conditions:
Access initialization failure occurs, possibly due to license issues.
Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.
632731 : specific external logging configuration can cause TMM service restart
Component: Advanced Firewall Manager
Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.
Conditions:
The problem is seen when all the following conditions match:
1. External Logging server configured for ACL rule match.
2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).
3. The forwarded logging destination connection causes a crash in TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use one of the following workarounds:
-- Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the forwarding Virtual.
Fix:
Connections originated from the BIG-IP to the remote logging server are no longer subjected to ACL checks, so no logs are generated for the log server connection itself and the error condition cannot arise.
632685-1 : bigd memory leak for FQDN nodes on non-primary bigd instance
Component: Local Traffic Manager
Symptoms:
On the non-primary blade with FQDN nodes configured, bigd.1 or bigd.2 (etc.) are consuming an unusually high amount of memory, and bigd cores may exist.
Conditions:
FQDN nodes configured on a VIPRION system. As configuration changes are made to FQDN nodes, bigd on the non-primary blades may consume an unusually high amount of memory.
Impact:
bigd memory leak; possible bigd crash.
Workaround:
None.
632552 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
Component: Local Traffic Manager
Symptoms:
tmm crashes.
Conditions:
CLIENT_CLOSED or SERVER_CLOSED is used together with a parking command in another event that fires before either of those events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the script from the _CLOSED events to other events.
Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.
632423 : DNS::query can cause tmm crash if AXFR/IXFR types specified.
Component: Global Traffic Manager (DNS)
Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.
Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.
Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.
Workaround:
Do not explicitly use AXFR or IXFR query types.
If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:
if { not [DNS::question type] ends_with "XFR" } {
set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}
Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.
632386 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
Component: Access Policy Manager
Symptoms:
When an iClient control connection between Edge Client and BIG-IP exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface goes down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.
Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection, without explicitly closing the current connection. This can happen when the client interface goes down or the client changes the network it is on.
Impact:
Edge Client cannot establish an iClient control connection, and hence cannot establish a tunnel to the BIG-IP.
Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the system attempts to accept the new connection request.
632324 : PVA stats does not show correct connection number
Component: Local Traffic Manager
Symptoms:
Running the command tmsh show sys pva-traffic global may display an incorrect current connection number.
Conditions:
This occurs when there is PVA traffic.
Impact:
Incorrect statistics for current PVA connections.
Fix:
Fixed incorrect statistics for PVA traffic.
632204 : Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions
Component: TMOS
Symptoms:
When creating an LTM policy rule action 'Forward Traffic' and selecting from a list of pools or virtual servers, objects from partitions other than the current partition and the Common partition show up.
Conditions:
This occurs on the LTM policy rule creation page within a specific partition, and there are objects of the same type in other partitions.
Impact:
Users without access to the associated partition receive an error when selecting an object from that partition and clicking submit.
Workaround:
Do not select objects other than the ones in the current or Common partition from a dropdown.
Fix:
Local Traffic Policies rule page now shows only objects within the current partition or Common partition. This is correct behavior.
632001 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
Component: Local Traffic Manager
Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.
This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.
Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/local folder.
Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.
Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.
Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.
Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.
631866 : Cannot access LTM policy rules in the web UI when the name contains certain characters
Component: TMOS
Symptoms:
Accessing LTM policy rules in the web UI when the name contains an ampersand (%) or slash (/) displays an empty page.
Conditions:
The LTM policy rule name being accessed contains the characters ampersand (%) or slash (/).
Impact:
The policy rule properties page displays an empty page.
Workaround:
Update the LTM policy rule using tmsh.
Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.
631737 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
Component: Application Security Manager
Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.
Conditions:
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.
Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)
Workaround:
None.
Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.
631727 : Analytics data is displayed per collection interval instead of per second.
Component: Application Visibility and Reporting
Symptoms:
Analytics data is displayed as total number of events per selected interval (5 minutes by default) instead of average number of events per second in the selected interval.
Conditions:
Analytics data on the following pages is affected:
Statistics :: Analytics :: IP (All).
Statistics :: Analytics :: Disk :: Disk Activity (All).
Statistics :: Analytics :: Disk :: Disk Sizes (All).
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Bits (All).
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Packets (All).
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Connections::Client Side Connections.
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Connections::Server Side Connections.
Statistics :: Analytics :: Virtual Servers :: TCP :: SynCookies (All).
Statistics :: Analytics :: Virtual Servers :: TCP :: Packets (All).
Statistics :: Analytics :: Virtual Servers :: TCP :: Connections (All *except* for 'Avg Active Connections').
Statistics :: Analytics :: Virtual Servers :: UDP :: Datagrams (All).
Statistics :: Analytics :: Virtual Servers :: UDP :: Connections (All *except* for 'Avg Active Connections').
Impact:
Analytics data is accurate, but not displayed as expected, potentially leading to inaccurate interpretations.
Workaround:
The user can divide the displayed results by the number of seconds in the selected interval to get the average per second values.
Fix:
All Analytics data is displayed as average per second, and is not affected by changes to the selected collection interval.
Behavior Change:
Analytics data is displayed per collection interval instead of per second.
Previously, the count of bytes/packets/new connections and so on was displayed as the total number of events that took place during a collection interval (5 minutes by default). Converting the 5-minute interval to "per second" required dividing every displayed value by 300. Beginning with this release, metrics are displayed as an average per second rather than as total activity. A "per second" value is much more intuitive than a "per 5 minutes" total.
Analytics data on the following pages is affected:
Statistics :: Analytics :: IP (All).
Statistics :: Analytics :: Disk :: Disk Activity (All).
Statistics :: Analytics :: Disk :: Disk Sizes (All).
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Bits (All).
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Packets (All).
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Connections::Client Side Connections.
Statistics :: Analytics :: Virtual Servers :: Traffic Details :: Connections::Server Side Connections.
Statistics :: Analytics :: Virtual Servers :: TCP :: SynCookies (All).
Statistics :: Analytics :: Virtual Servers :: TCP :: Packets (All).
Statistics :: Analytics :: Virtual Servers :: TCP :: Connections (All *except* for 'Avg Active Connections').
Statistics :: Analytics :: Virtual Servers :: UDP :: Datagrams (All).
Statistics :: Analytics :: Virtual Servers :: UDP :: Connections (All *except* for 'Avg Active Connections').
631627 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start
Component: TMOS
Symptoms:
Rebooting after applying BWC to route domain stops vlan traffic on VCMP guest. You will experience connection failures when bandwidth Controller (bwc) and Web Accelerator are enabled.
Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.
Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.
Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.
Workaround:
Remove BWC from the route domain and then reapply it.
Fix:
With BWC enabled and associated with a route domain and Web Accelerator enabled, the system and TMM now come up fully and pass traffic after a reboot.
631582-6 : Administrative interface enhancement
Component: TMOS
Symptoms:
In some cases the administrative interface does not respond as designed
Conditions:
In some cases the administrative interface does not respond as designed
Impact:
In some cases the administrative interface does not respond as designed
Fix:
Enhance administrative interface
631472 : Resetting classification signatures to default may result in non-working configuration
Component: Traffic Classification Engine
Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.
Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.
Impact:
Configuration will not load.
Workaround:
Remove application that came with the new IM from the configuration.
Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.
631444 : Bot Name for ASM Search Engines is case sensitive
Component: Application Security Manager
Symptoms:
A CS challenge is returned for a request from a known search engine when the request's bot name uses different letter case than the configured name.
Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.
Impact:
Known search engines will get CS challenge.
Workaround:
Have DoS profile on the VS, in which the only feature turned on is Bot Signature, in report only, where only search engine category is turned on.
Fix:
The ASM Search Engines bot name match is now case insensitive.
631334-2 : TMSH does not preserve \? for config save/load operations
Component: TMOS
Symptoms:
TMSH strips the escape characters for literal strings '\?' to be '?' in ltm monitor send/recv strings.
Conditions:
This condition manifests whenever the send/recv string in ltm monitor contains '\?'.
Impact:
This causes the BIG-IP to load incorrect monitor send/recv strings.
Workaround:
None.
631025 : 500 internal error on inline rule editor for certain firewall policies
Component: Advanced Firewall Manager
Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.
Conditions:
This occurs when editing certain firewall policies in the GUI.
Impact:
Unable to view or edit the policy; the page returns an error.
Workaround:
You can view these rules in the GUI by disabling the inline rule editor.
Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.
630929 : Attack signature exception list upload times-out and fails
Component: Application Security Manager
Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------
Conditions:
ASM provisioned.
Attack signature exception list uploaded.
Impact:
Attack signature exception list upload times-out and fails.
Workaround:
N/A
Fix:
Improved the Attack signature exception list upload process to take much less time.
630877 : Apache Tomcat vulnerability CVE-2016-8735
Vulnerability Solution Article: K49820145
630870 : Apache Tomcat vulnerability CVE-2016-6817
Vulnerability Solution Article: K49160100
630856 : Apache Tomcat vulnerability CVE-2016-6816
Vulnerability Solution Article: K50116122
630661 : WAM may leak memory when a WAM policy node has multiple variation header rules
Component: WebAccelerator
Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.
Conditions:
WAM policy with node utilizing multiple variation header rules.
Impact:
Potential per-request memory leakage driven by client traffic.
Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.
Fix:
WAM no longer leaks memory when evaluating policy nodes that utilize two or more header variation rules.
630622 : tmm crash possible if high-speed logging pool member is deleted and reused
Component: TMOS
Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.
Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.
630546-2 : Very large core files may cause corrupted qkviews
Component: TMOS
Symptoms:
If a large core file exists, the qkview command may generate a corrupted qkview.
Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.
Impact:
qkview is unusable.
Workaround:
None.
Fix:
qkview now completes as expected when core files greater than 2.4 GB exist in /var/core.
630475 : TMM Crash
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing TCP traffic.
Conditions:
In some cases TMM may crash when processing TCP traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable Verified Accept.
Fix:
TMM no longer produces a core.
630356 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
Component: Advanced Firewall Manager
Symptoms:
The JavaScript challenge that is sent to a POST request within an iframe will have a follow-up request of GET when coming from Microsoft Internet Explorer or Edge browser. The request reconstruction is incorrect, and the back-end server does not receive the request payload.
This is relevant to all types JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.
Conditions:
A JavaScript challenge is used in a POST request when one of the following features is enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.
Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.
Workaround:
None.
Fix:
JavaScript challenges to POST requests are now sent correctly to the back-end server when the request comes from an iframe in Microsoft Internet Explorer or Edge browsers.
630306 : TMM crash in DNS processing on UDP virtual server with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.
Ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.
630150 : Websockets processing error
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing Websockets traffic.
Conditions:
Websockets profile is attached to a virtual.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Improved Websockets processing.
630103 : AVR statistics are not saved during the upgrade process
Component: Application Visibility and Reporting
Symptoms:
All AVR statistics will be reset after upgrade from 12.1.0 or 12.1.1.
Conditions:
AVR statistics collected on 12.1.0 or 12.1.1.
The BIG-IP is upgraded.
Impact:
AVR statistics are reset.
Workaround:
1. Before upgrading, edit the following file:
./usr/libdata/configsync/avr_save_pre
2. Change the following line:
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "
to the following (note the added -o before the asm test):
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "
Fix:
AVR upgrade script is fixed, so AVR statistics are now saved during the upgrade process.
629871-1 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases
Component: Carrier-Grade NAT
Symptoms:
Deploying NAT64 as part of a 464 XLAT solution may overwrite PASV responses in 464 XLAT cases.
Conditions:
FTP ALG deployment.
Impact:
PASV responses in 464 XLAT cases are overwritten.
Workaround:
None.
Fix:
Deploying NAT64 as part of a 464 XLAT solution no longer overwrites PASV responses in 464 XLAT cases.
629803 : "HTTP 401 Response" agent reuses incorrect credentials
Component: Access Policy Manager
Symptoms:
With invalid credentials, the user is prompted fewer times than the 'Max Logon Attempts Allowed' count defined in the auth agent.
Conditions:
The issue occurs only when the "HTTP 401 Response" agent is used before the authentication agent in the access policy.
Impact:
The user does not get the same number of logon attempts as defined in the auth agent.
Workaround:
In the auth agent, set "Max Logon Attempts Allowed" to 5 in order to get 3 logon attempts.
Fix:
With invalid credentials, the user now gets the same number of logon attempts as defined in the auth agent.
629801 : Access policy is applied automatically on target device after policy sync, when there is also a FODG in the trust domain.
Component: Access Policy Manager
Symptoms:
After syncing an access policy, the access policy change on the other device should prompt you to apply the policy, but instead the policy is applied automatically.
Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.
The key trigger for this symptom is that the failover device group is listed first in the configuration. When this is the case, the policy is applied automatically, which should not occur.
Impact:
Policy changes are applied automatically, when they should only be synced, with a prompt to apply them after the sync.
Workaround:
None.
Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.
629663-3 : CGNAT SIP ALG will drop SIP INVITE
Component: Service Provider
Symptoms:
SIP INVITE message is dropped.
Conditions:
Subscriber registers and then attempts to call out.
Impact:
Subscriber not able to make calls.
Workaround:
None.
Fix:
The system now uses the expiration value from the SIP message (either the expires parameter or the Expires header) to update the timeout of the registration record.
629627 : FPS Log Publisher is not grouped nor filtered by partition
Component: Fraud Protection Services
Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.
All log publishers are displayed regardless of the partition selected.
Conditions:
FPS is provisioned.
Two or more partitions.
Two or more log publishers assigned to different partitions.
Impact:
All log publishers are displayed regardless of partition.
Workaround:
None.
Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.
629530-1 : Under certain conditions, monitors do not time out.
Component: Global Traffic Manager
Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".
Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.
Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.
Workaround:
Disable the affected resources, and then enable them again.
Fix:
The resource status is now correct under all monitor timeout conditions.
629412 : BIG-IP closes a connection when a maximum size window is attempted
Component: Local Traffic Manager
Symptoms:
HTTP2 provides flow control options that allow you to limit the amount of data in flight. A client can send an increment for the window size, whose initial value the standard sets to 65,535 bytes. BIG-IP used the 64K value inherited from SPDY, causing an overflow when the client tried to increment the window to its maximum.
Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.
Impact:
BIG-IP treats the window size overflow as a protocol violation and therefore shuts the connection down without serving any request.
Workaround:
None.
Fix:
With the correct value for the initial window size (for both a connection and a stream), BIG-IP correctly processes a request to increment the window size to its maximum.
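The window accounting behind this entry, as an added example that is not F5's code: a WINDOW_UPDATE encoder/decoder and the RFC 7540 section 6.9 ceiling check, run once against a peer that starts at the standard 65,535 and once against one that starts at 64K. Function names and the frame layout helpers are this example's own.

```python
"""Added example (not F5's code): HTTP/2 flow-control window accounting as
defined in RFC 7540 section 6.9, showing why a 64K initial window instead of
65,535 makes a client's maximal WINDOW_UPDATE look like an overflow."""
import struct
from typing import Tuple

MAX_WINDOW = 2**31 - 1            # largest window RFC 7540 permits
RFC_INITIAL_WINDOW = 65_535       # initial window for the connection and each stream
SPDY_INITIAL_WINDOW = 64 * 1024   # 65,536: the SPDY-derived value the bug used
WINDOW_UPDATE_TYPE = 0x8          # frame type code for WINDOW_UPDATE


class FlowControlError(Exception):
    """Raised where a peer would send RST_STREAM/GOAWAY with FLOW_CONTROL_ERROR."""


def build_window_update(stream_id: int, increment: int) -> bytes:
    """Encode a WINDOW_UPDATE frame: 9-byte frame header plus a 31-bit increment."""
    if not 1 <= increment <= MAX_WINDOW:
        raise ValueError("window increment must be in 1..2^31-1")
    length = (4).to_bytes(3, "big")                       # 24-bit payload length
    header = length + bytes([WINDOW_UPDATE_TYPE, 0])      # type, flags (none defined)
    header += struct.pack(">I", stream_id & 0x7FFFFFFF)   # R bit + 31-bit stream id
    return header + struct.pack(">I", increment & 0x7FFFFFFF)


def parse_window_update(frame: bytes) -> Tuple[int, int]:
    """Decode a WINDOW_UPDATE frame and return (stream_id, increment)."""
    if len(frame) != 13:
        raise ValueError("WINDOW_UPDATE frames are exactly 13 bytes")
    length = int.from_bytes(frame[0:3], "big")
    frame_type = frame[3]
    if frame_type != WINDOW_UPDATE_TYPE or length != 4:
        raise ValueError("not a well-formed WINDOW_UPDATE frame")
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    increment = struct.unpack(">I", frame[9:13])[0] & 0x7FFFFFFF
    if increment == 0:
        raise ValueError("zero increment is a PROTOCOL_ERROR")  # RFC 7540 6.9
    return stream_id, increment


def apply_window_update(window: int, increment: int) -> int:
    """Grow a flow-control window, enforcing the 2^31-1 ceiling."""
    new_window = window + increment
    if new_window > MAX_WINDOW:
        raise FlowControlError(f"window {new_window} exceeds {MAX_WINDOW}")
    return new_window


def peer_accepts_max_increment(peer_initial_window: int) -> bool:
    """Simulate a standards-conforming client raising the window to its maximum
    against a peer whose own accounting started at peer_initial_window."""
    # The client assumes the RFC initial value and sends exactly the increment
    # that lands on the maximum window.
    increment = MAX_WINDOW - RFC_INITIAL_WINDOW
    frame = build_window_update(0, increment)   # stream 0 = connection window
    _, parsed_increment = parse_window_update(frame)
    try:
        apply_window_update(peer_initial_window, parsed_increment)
        return True
    except FlowControlError:
        return False


if __name__ == "__main__":
    print("65,535 start accepts max increment:", peer_accepts_max_increment(RFC_INITIAL_WINDOW))
    print("64K start accepts max increment:   ", peer_accepts_max_increment(SPDY_INITIAL_WINDOW))
```

With the 64K start the same legal increment overshoots the ceiling by exactly one byte, which is the "protocol violation" that closed the connection.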
629145 : External datagroups with no metadata can crash tmm
Component: Local Traffic Manager
Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.
Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to large datagroups.
628890 : Memory leak when modifying large datagroups
Component: Local Traffic Manager
Symptoms:
When modifying large external datagroups, a significant memory leak may occur.
Conditions:
This can occur when a large datagroup is in use and is modified.
Impact:
Memory is leaked, and the amount of memory leaked can be significant.
Workaround:
None.
Fix:
Fixed a memory leak related to modifying large datagroups.
628869-3 : Unconditional logs seen due to the presence of a PEM iRule.
Component: Policy Enforcement Manager
Symptoms:
TMM log files will fill up.
Conditions:
Execution of an iRule with the following iRule command:
PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.
Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.
Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.
Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.
628836 : TMM crash during request normalization
Component: Local Traffic Manager
Symptoms:
TMM may crash during request normalization.
Conditions:
This could occur with APM virtual servers, or if an HTTP virtual server is configured with a local traffic policy or iRule that performs normalization.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Improved request normalization.
628790 : Adding new item in VPE might end up with error
Component: Access Policy Manager
Symptoms:
Certain policies or macros can't be edited properly, usually after import. Errors like "Agent (XYZ) is already referenced by another access policy item" or "Access policy item type Action (XYZ) is already referenced by more than one access policy item."
Conditions:
When adding a new item to certain (usually imported) policies, a situation where %PROFILE%_logon_page_1 uses %PROFILE%_logon_page_2_ag can mean that %PROFILE%_logon_page_2 is unable to create its agent.
Impact:
VPE is unable to add action / create agent of certain types.
Workaround:
Editing bigip.conf and restoring the enumeration for the offending item (better for the item rather than the agent) avoids this bug.
Fix:
VPE now properly checks for existing agent names, so policies or macros can be edited properly.
628712 : Advanced customization doesn't work for Profiles in a non-Common partition with a period (.) in the name
Component: Access Policy Manager
Symptoms:
Advanced customization doesn't work for Profiles in a non-Common partition with a period (.) in the name.
For example, when selecting logon.inc, it shows no source in the window.
Conditions:
Access Profile outside of Common partition.
Impact:
Unable to modify advanced customization. Other functionality is not affected.
Workaround:
Rename the profile and policy to a version without periods, or import the profile and then re-export it with no periods.
Fix:
Advanced customization now works for Profiles in a non-Common partition with a period (.) in the name.
628687 : Edge Client reconnection issues with captive portal
Component: Access Policy Manager
Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.
Conditions:
Connect to APM through a captive portal.
Impact:
EdgeClient stuck at "Reconnecting".
Workaround:
None.
Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.
628685 : Edge Client shows several security warnings after roaming to a network with Captive Portal
Component: Access Policy Manager
Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).
Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.
Impact:
Numerous security warnings.
Workaround:
None.
Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.
628460 : Core occurs when deleting a PH2 struct that does not have a proper PH1 reference.
Component: TMOS
Symptoms:
Racoon cored.
Conditions:
It is not known what triggered the core; it has been observed only once.
Impact:
Racoon crashes and recovers. Usually the end user cannot see it.
Fix:
Added protection from using an internal structure without proper tag.
628337 : Forcing a single injected tag configuration is restrictive
Component: Fraud Protection Services
Symptoms:
The injected tags configuration in a profile is globally controlled by the db variable antifraud.injecttags, and it forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, the application works improperly.
Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.
Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.
Workaround:
Configure injected tags in a way that can be applied to all URLs protected in a profile. If that is not possible because of the HTML structure of some URL, the HTML must be modified.
Fix:
Injected tags configuration has been moved to the URL level.
628202 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging
Component: TMOS
Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.
Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".
Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.
Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.
Fix:
Prevented audit_forwarder from using more memory than it needs.
628180 : DNS Express may fail after upgrade★
Component: Global Traffic Manager (DNS)
Symptoms:
After an upgrade, TMM may not answer DNSX zones until TMM is restarted or the DNSX zones are refreshed.
Conditions:
Upgrading from previous version.
Impact:
DNS Express may fail after upgrade.
Workaround:
Restart TMM, or force TMM to reload the DNS express database by running "tmsh load ltm dns dns-express-db".
Fix:
TMM now answers DNSX zones after an upgrade without requiring a TMM restart or DNSX zone refresh.
627972 : Unable to save advanced customization when using Exchange iApp
Component: Access Policy Manager
Symptoms:
When a policy is created using the Microsoft Exchange iApp script, Advanced Customization (usually of the logon page) might fail with an error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.
Conditions:
Usually an HA pair with an iApp Exchange-created profile; in general, any advanced customization where the name does not equal customization_group_name:filename is affected.
Impact:
Unable to edit advanced customization; functionality is unaffected.
Workaround:
Edit bigip.conf. In the following section:
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
templates {
logon.inc {
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
}
}
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customization_group_name:filename, i.e.
name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc
Fix:
Can now save advanced customization when using Microsoft Exchange iApp.
627926 : iRule decryption does not work
Component: Local Traffic Manager
Symptoms:
Retrieving the server-side SSL session ID using iRule does not work.
Conditions:
Retrieve server-side SSL Session ID using an iRule.
Impact:
Server-side traffic cannot be decrypted for non-RSA cipher suites.
Workaround:
None.
Fix:
The server-side SSL session ID can now be retrieved with an iRule.
627914 : Unbundled 40GbE optics reporting as Unsupported Optic
Component: TMOS
Symptoms:
When a 40G interface is configured with "bundle disabled", the optic module in use on the interface is declared an "Unsupported optic" module even though it is F5 branded.
Conditions:
Using unbundled 40GbE optics.
Impact:
This is a cosmetic problem. The interface is able to function as intended.
Workaround:
No workaround; the problem is cosmetic.
Fix:
An otherwise supported optic module is no longer declared unsupported when bundling is disabled on the interface.
627898 : TMM leaks memory in the ECM subsystem
Component: TMOS
Symptoms:
TMM leaks memory in the ECM subsystem.
Conditions:
This issue occurs when the user has imported one or more SSL certificates onto the system and named them in such a way that the "ca-bundle.crt" string appears in their names. For example, "my-ca-bundle.crt". With this configuration in place, TMM leaks memory each time the configuration is modified.
Impact:
TMM will run out of free memory. This will initially impact traffic and could eventually lead to TMM crashing. Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue by renaming your SSL certificates so that their names don't contain the "ca-bundle.crt" string.
Fix:
TMM no longer leaks memory in the ECM subsystem.
627798 : Buffer length check for quota bucket objects
Component: Policy Enforcement Manager
Symptoms:
For quota bucket (Rating Groups) objects, BIG-IP allocates a large buffer locally and does not expect it to be overrun, because the objects are expected to be smaller.
Conditions:
Any quota bucket objects that are being inserted into the PEM database.
Impact:
For quota bucket objects in the PEM database, the buffer is usually large enough, so there should be no impact. But if a quota bucket ever gets larger, the quota bucket information could be corrupted. This could trigger a tmm core. Traffic disrupted while tmm restarts.
Workaround:
Use quota buckets with fewer rules.
627616 : CCR-U missing upon VALIDITY TIMER expiry when quota is zero
Component: Policy Enforcement Manager
Symptoms:
CCR-U is not sent upon VALIDITY TIMER expiry.
Conditions:
If PCRF does not grant any GSU (no quota), but only specifies the VALIDITY timer.
Impact:
OCS does not get the CCR-U message and misses the information about quota.
Workaround:
Configure the quota deletion of depletion timeout to be non-zero.
Fix:
CCR-U is now sent upon VALIDITY TIMER expiry.
627433 : HSB transmitter failure on i2x00 and i4x00 platforms
Component: TMOS
Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.
Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.
Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.
Setting HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (the default is 50), may resolve the issue, depending on the conditions under which it occurred.
Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.
627403 : HTTP2 can crash tmm when stats is updated on aborting of a new connection
Component: Local Traffic Manager
Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update stats before the memory is allocated.
Conditions:
HTTP2 profile is configured and assigned to a virtual.
Impact:
Traffic disrupted while tmm restarts.
Fix:
A fix stops HTTP2 from accessing stats before the memory is allocated, preventing a TMM crash for this reason.
627384 : eamtest tool fails with Segmentation fault after initialization.
Component: Access Policy Manager
Symptoms:
Tests done with eamtest tool fail with Segmentation fault after initialization.
Conditions:
Run eamtest tool.
Impact:
eamtest tool fails, which affects troubleshooting using the tool.
Workaround:
Run eamtest with the LD_PRELOAD=libeam_asdk_preload.so prefix.
Fix:
The wrapper script for the eamtest tool now adds the LD_PRELOAD=libeam_asdk_preload.so prefix automatically, so the eamtest tool can be used to troubleshoot successfully.
627360 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
Component: Application Security Manager
Symptoms:
These errors appear in the ASM log upon the first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded
Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined
Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead
Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted
Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------
Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF
Impact:
Upgrade fails
Workaround:
Upgrade by saving a UCS, performing a clean install, and then loading the UCS.
In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error, and the UCS loads fine.
There are two options to disable the upgrade of the Request Log when upgrading by means of a UCS:
-------------------
1) Do not load a Request Log when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never
2) Do not save a Request Log when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------
627341 : TMUI loginProviderName is invalid when requesting a REST token
Component: Device Management
Symptoms:
Requests for an X-F5-Auth-Token fail when a TMUI view is loaded that requires an X-F5-Auth-Token for REST requests.
Conditions:
On startup, if the tmos login provider takes too long to become available, the login provider remains unavailable and requests for auth tokens fail. This is a race condition and happens intermittently, typically on lower-end devices.
Impact:
The GUI cannot retrieve an F5-Auth-Token for REST requests.
Workaround:
bigstart restart restjavad
Fix:
Added a retry to add the login provider if it is unavailable.
627279 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
tmm on a blade may crash during a CMP and PEM change.
Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow the new standby chassis to complete its CMP state change activity.
Fix:
Handle sessionDB failures gracefully.
627257 : Potential PEM crash during a Gx operation
Component: Policy Enforcement Manager
Symptoms:
Tmm may core during a Gx operation.
Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Perform proper validation checks as part of API processing.
627246 : TMM memory leak when ASM policy configured on virtual
Component: Local Traffic Manager
Symptoms:
TMM memory leak in hud_oob when an ASM policy is configured on a virtual server.
Conditions:
The memory leak can be observed in the output of this TMSH command:
tmctl -c memory_usage_stat | grep -P '^name|hud_oob'
when an ASM policy is configured on a virtual server. However, this condition is not unique.
Impact:
TMM might run out of memory and eventually crash.
Workaround:
Try disabling the ASM policy configuration on the virtual server.
Fix:
A memory leak in hud_oob when an ASM policy is configured on a virtual server has been fixed.
627214 : BGP ECMP recursive default route not redistributed to TMM
Component: TMOS
Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.
Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.
Impact:
Packets are not routed to all ECMP nexthops.
Workaround:
None.
Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.
627117 : Crash with wrong certificate in WSS
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
Web Services Security is turned on.
A bad, wrong, or missing certificate is attached.
Impact:
Traffic drop until the BD is back (or failover).
Workaround:
Fix the attached certificate.
Fix:
Fixed an issue with wrong certificates.
626721 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
Component: TMOS
Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain error messages similar to:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342
Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.
Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).
Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.
Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.
626542 : Unable to set maxMessageBodySize in iControl REST after upgrade★
Component: Device Management
Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:
{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}
Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1, or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.
Impact:
Command fails, unable to set maxMessageBodySize.
Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:
1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100.
2. bigstart restart restjavad.
Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.
626438 : Frame is not showing in the browser and/ or an error appears
Component: Advanced Firewall Manager
Symptoms:
The frame goes blank when an ASM policy is enabled. This triggers the following JS error in the client's console:
Uncaught TypeError: Cannot read property '3' of undefined
Conditions:
ASM policy enabled. Device ID is enabled through one of the supporting features.
Impact:
Site not operating correctly.
Workaround:
N/a
Fix:
Fixed a Device ID JavaScript issue that prevented a frame from being displayed.
626434 : tmm may be killed by sod when a hardware accelerator does not work
Component: Local Traffic Manager
Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod) when the Cavium hardware accelerator does not come back after a reset from the driver.
Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Power cycling the system might correct the error.
Fix:
The system now prints out an error message in the log file, improving the way tmm handles the failure.
626360-1 : TMM may crash when processing HTTP2 traffic
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing HTTP2 traffic.
Conditions:
A virtual configured with HTTP2 and ClientSSL profiles
Impact:
Traffic disrupted while tmm restarts.
Fix:
Improved HTTP2 processing.
626141 : DNSX Performance Graphs are not displaying Requests/sec
Component: Global Traffic Manager
Symptoms:
The DNSX Performance graphs have X and Y axes labeled Requests/second, but the data actually shows total requests.
Conditions:
Always.
Impact:
The data displayed in the graph is not correct.
626106 : LTM Policy with illegal rule name loses its conditions and actions during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP version 12.0.0 introduced stricter checking of the characters allowed in policy and rule names, and it also introduced an auto-migration feature that converts any disallowed character to an underscore (_). The allowed characters in policy and rule names are:
A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.
When a pre-v12.0 policy contains an illegal character, each illegal character in the rule name is converted to a legal one. But the conditions and actions, which are joined to the rule by name, were not adjusted in the same way. After migration, the LTM Policy rule has no conditions or actions referring to its new name.
Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later
Impact:
The policy rule name is changed, with illegal characters converted to a benign underscore (_). The upgraded configuration loads successfully, but the rule's associated conditions and actions are not changed and still point to the policy by its former name, effectively becoming orphaned. Inspecting the rule in the UI or tmsh shows its conditions and actions missing.
Workaround:
The bigip.conf file can be manually edited to fix the illegal characters, and the configuration then reloaded.
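The migration failure described in this entry, as an added example that is not F5's code: a model of the name rewrite using the allowed-character set above, once without and once with the reference update the defective migration skipped, plus an orphan check of the kind worth running over an upgraded configuration. The policy layout, sample names and function names are this example's own assumptions.

```python
"""Added example (not F5's code): model of the v12.0 policy/rule name
migration, with a reference-consistency check for orphaned conditions/actions."""
import re
from typing import Dict, List, Tuple

# Characters the entry lists as allowed in policy and rule names, plus space.
ILLEGAL_CHAR = re.compile(r"[^A-Za-z0-9./:%\- ]")


def migrate_name(name: str) -> str:
    """Replace each disallowed character with an underscore, as the migration does."""
    return ILLEGAL_CHAR.sub("_", name)


def migrate_policy(policy: Dict, fix_references: bool) -> Dict:
    """Rename the rules; with fix_references=True also rewrite the rule name that
    each condition and action carries (the step the defective migration skipped)."""
    renamed = {rule: migrate_name(rule) for rule in policy["rules"]}
    migrated = {"rules": list(renamed.values()), "conditions": [], "actions": []}
    for kind in ("conditions", "actions"):
        for item in policy[kind]:
            item = dict(item)  # copy so the input policy is left untouched
            if fix_references:
                item["rule"] = renamed.get(item["rule"], item["rule"])
            migrated[kind].append(item)
    return migrated


def orphaned_references(policy: Dict) -> List[Tuple[str, str]]:
    """Return (kind, rule name) for every condition or action whose rule name no
    longer exists in the policy; an empty list means nothing was orphaned."""
    rules = set(policy["rules"])
    return [(kind, item["rule"])
            for kind in ("conditions", "actions")
            for item in policy[kind]
            if item["rule"] not in rules]


# Constructed sample: one rule name with illegal characters, one already legal.
SAMPLE_POLICY = {
    "rules": ["block (admin) [v1]", "allow/static"],
    "conditions": [
        {"rule": "block (admin) [v1]", "match": "http-uri path starts-with /admin"},
    ],
    "actions": [
        {"rule": "block (admin) [v1]", "do": "reset"},
        {"rule": "allow/static", "do": "forward pool static"},
    ],
}


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Orphans after the defective migration versus after the corrected one."""
    buggy = migrate_policy(SAMPLE_POLICY, fix_references=False)
    fixed = migrate_policy(SAMPLE_POLICY, fix_references=True)
    return orphaned_references(buggy), orphaned_references(fixed)


if __name__ == "__main__":
    buggy_orphans, fixed_orphans = demo()
    print("orphaned after defective migration:", buggy_orphans)
    print("orphaned after corrected migration:", fixed_orphans)
```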
625832 : A false positive modified domain cookie violation
Component: Application Security Manager
Symptoms:
An unexpected modified domain cookie violation on a system that has more than 127 policies configured.
Conditions:
This occurs when more than 127 policies are configured, the modified domain cookie violation is turned on, and there are enforced cookies.
Impact:
A false positive violation.
Workaround:
Remove the modified domain cookie violation from blocking.
Fix:
Fixed a false positive modified domain cookie violation.
625824 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
Component: TMOS
Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap space usage to increase continuously and might lead to exhaustion of swap space.
Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem.
Impact:
iControlPortal.cgi memory usage increases.
Workaround:
Restart httpd to reload the iControl daemon.
Fix:
Fixed a memory leak associated with iControl.
625784-1 : TMM crash on BIG-IP i4x00 and i2x00 with large ASM configuration.
Component: TMOS
Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM will continuously crash on boot-up or restart.
Conditions:
Large ASM configurations (50 virtual servers, 50 ASM policies).
Impact:
TMM continuously crashes and restarts, system is unusable.
Workaround:
None
Fix:
None
625703-3 : SELinux: snmpd is denied access to tmstat files
Component: TMOS
Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, snmpwalk fails to access the created MIB data.
Conditions:
Custom created MIBs.
Impact:
Access to that MIB is denied.
Workaround:
None.
Fix:
When a custom SNMP MIB is created by using Tcl scripts or other methods, snmpwalk no longer fails to access the created MIB data.
625671 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
Component: Global Traffic Manager (DNS)
Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record of a non-standard type, the process may crash, providing incomplete diagnostic output.
Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.
Impact:
dnsxdump provides incomplete diagnostic output, stopping at the zone containing the resource record with the non-standard type.
Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver allows dnsxdump to work again after the next zone transfer.
Fix:
dnsxdump handles non-standard resource record types.
625542-3 : SIP ALG with Translation fails for REGISTER refresh.
Component: Service Provider
Symptoms:
SIP-MBLB-ALG-Translation mode does not translate a SIP REGISTER refresh message when it arrives on the original flow.
Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.
Impact:
The egressed SIP REGISTER message does not have translation applied, i.e., the CONTACT and VIA headers are not translated.
Workaround:
None
Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.
625523 : CAPTCHA Challenge on Edge 14 Browser when Proactive Bot Defense is enabled
Component: Advanced Firewall Manager
Symptoms:
The Edge 14 browser on Windows 10 will receive the CAPTCHA challenge when Proactive Bot Defense is enabled on the DoS profile and the "Block requests from suspicious browsers" checkbox is enabled.
Conditions:
Proactive Bot Defense is enabled on the DoS profile and the "Block requests from suspicious browsers" checkbox is enabled.
Impact:
Edge 14 browser gets CAPTCHA challenge instead of passing through to the server.
Workaround:
None
Fix:
The Edge 14 Browser no longer gets the CAPTCHA challenge when Proactive Bot Defense is enabled.
625505 : OpenSSL vulnerability CVE-2016-2181
Vulnerability Solution Article: K59298921
625474 : POST request body is not saved in session variable by access when request is sent using edge client
Component: Access Policy Manager
Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.
Conditions:
- Configure BIG-IP as a SAML Service Provider. To simplify reproduction, change the Access Policy execution timeout to a few seconds.
- Use Edge Client to connect to BIG-IP.
- The SAML Agent redirects the user to the IdP for authentication.
- Wait a few seconds for the access policy to time out on BIG-IP.
- Enter credentials and complete authentication on the IdP.
- The user is redirected back to BIG-IP as SP. At this moment APM creates a new session and evaluates the access policy again.
Impact:
The SAML Agent then fails with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request
Workaround:
Removing the 'Origin' header from the request with an iRule fixes the issue, and the POST body becomes available to the access hudfilter.
Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.
625456 : Pending sector utility may write repaired sector incorrectly
Component: TMOS
Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.
When a pending sector is repaired, a message similar to the following is logged to :
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)
For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements
Conditions:
This may occur on BIG-IP appliances or VIPRION blades that contain hard disks using 4096-byte physical sectors.
Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades
Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.
The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:
# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device
# smartctl -i /dev/sda | grep "Sector Size"
Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical
Not Affected:
Sector Size: 512 bytes logical/physical
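Because additional platforms may be affected through RMA replacements, it is worth checking every disk rather than relying on the model list. The script below is an added example, not part of the F5 release note: it classifies the "Sector Size" line that smartctl -i prints, exactly as the two quoted outputs distinguish affected from unaffected disks, and can iterate over everything smartctl --scan finds. The two sample lines are constructed to mirror the outputs quoted above; running it with --scan requires smartctl on the host.

```shell
# Added example (not from the F5 release note): classify a smartctl
# "Sector Size" line as affected / not-affected by the 4096-byte physical
# sector issue, and optionally run the check against every scanned disk.

# classify_sector_line LINE -> prints "affected", "not-affected" or "unknown"
classify_sector_line() {
    case "$1" in
        *"4096 bytes physical"*)        echo affected ;;
        *"512 bytes logical/physical"*) echo not-affected ;;
        *)                              echo unknown ;;
    esac
}

# check_device DEV -> classification for one device (needs smartctl installed)
check_device() {
    line=$(smartctl -i "$1" 2>/dev/null | grep "Sector Size")
    classify_sector_line "$line"
}

# scan_all_devices -> one "DEV classification" line per device from smartctl --scan
scan_all_devices() {
    smartctl --scan 2>/dev/null | while read -r dev _; do
        printf '%s %s\n' "$dev" "$(check_device "$dev")"
    done
}

# Constructed sample lines, mirroring the two outputs quoted in the note.
SAMPLE_AFFECTED='Sector Sizes:     512 bytes logical, 4096 bytes physical'
SAMPLE_OK='Sector Size:      512 bytes logical/physical'

if [ "${1:-}" = "--scan" ]; then
    scan_all_devices
else
    printf 'sample affected line -> %s\n' "$(classify_sector_line "$SAMPLE_AFFECTED")"
    printf 'sample ok line       -> %s\n' "$(classify_sector_line "$SAMPLE_OK")"
fi
```

A disk reported as "unknown" (no Sector Size line, for example on a device smartctl cannot query) should be treated as unverified rather than as unaffected.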
Impact:
Potential corruption of unknown files on BIG-IP volumes.
625392 : OpenSSL vulnerability CVE-2016-2179
Vulnerability Solution Article: K23512141
625376 : In some cases, download of PAC file by edge client may fail
Component: Access Policy Manager
Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.
Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.
Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.
Workaround:
Use only lowercase characters in PAC file URI.
Fix:
Now Edge client can download PAC files from URIs that have uppercase as well as lowercase characters.
625372 : OpenSSL vulnerability CVE-2016-2179
Vulnerability Solution Article: K23512141
625291 : dhclient doesn't honor 'interface-mtu' request-options
Component: TMOS
Symptoms:
Requesting the MTU value from the DHCP server is explicitly disabled using a configuration similar to the following:
tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { interface-mtu }
But if the DHCP server sends an MTU value in its reply anyway, that MTU is configured on the BIG-IP management interface.
Conditions:
The DHCP server ignores the option sent by the BIG-IP DHCP client.
Impact:
BIG-IP accepts the MTU value provided.
Workaround:
1. Add the line "supersede interface-mtu 1500;" to the interface "mgmt" section of the /etc/dhclient.conf file.
2. Restart dhclient.
Fix:
dhclient now honors 'interface-mtu' request-options.
625275 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
Component: Fraud Protection Services
Symptoms:
When trying to add URL parameters containing square brackets "[]" in the FPS GUI (under URL), the parameter name becomes "0". When trying to modify such parameters, they are not saved.
Conditions:
Provision FPS
Create URL
Impact:
The FPS GUI cannot be used to add or modify such parameters.
Workaround:
Use tmsh instead, for example:
tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }
Fix:
It is now possible to add parameters containing square brackets in FPS GUI.
625198 : TMM might crash when TCP DSACK is enabled
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
All of the following are required to see this behavior:
- DSACK is enabled.
- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
- cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; and Nagle is not set to 'auto'.
- An iRule exists that changes any of the conditions above besides DSACK.
- Various client packet combinations interact in certain ways with the iRule logic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change any of the conditions above.
Fix:
TCP maintains state appropriately to avoid crash.
625172 : tmm crashes when classification is enabled and FTP traffic is flowing through the box
Component: Traffic Classification Engine
Symptoms:
tmm crash.
Conditions:
1. A classification profile is attached to the virtual server.
2. FTP traffic flows through the system.
3. A complex configuration with iRules and multiple modules enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the classification profile from the virtual server.
Fix:
Incorrect memory management in one of classification matching mechanisms led to a crash.
625159 : Policy sync status not shown on standby device in HA case
Component: Access Policy Manager
Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.
Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device
Impact:
This does not affect sync functionality, and the user can still see the sync status on the active device.
Workaround:
Check sync status on an active device in the group.
Fix:
User will be able to see the sync statuses on a standby device, including itself as well as the list of devices in the whole sync-only group where sync is performed.
624903 : Zero length SSL records improperly processed with AES-GCM on 2000s/2200s, 4000s/4200v, B4450 platforms
Component: Local Traffic Manager
Symptoms:
If a 2000s/2200s, 4000s/4200v, B4450 platform negotiates an AES-GCM SSL connection and is given an SSL record with a zero length plaintext payload, it will improperly process it, resulting in a bad record.
Conditions:
AES-GCM SSL record with a zero length plaintext payload on the BIG-IP 2000s/2200s, 4000s/4200v, B4450 platform.
Impact:
Bad record errors.
Fix:
AES-GCM SSL records with zero length plaintext will no longer result in a bad record.
624846 : TCP Fast Open does not work for Responses < 1 MSS
Component: Local Traffic Manager
Symptoms:
BIG-IP does not send the data until receiving the first client ACK.
Conditions:
TCP Fast Open requests an object of less than 1 MSS in size.
Fast open and delayed acks enabled.
Impact:
Delayed completion of the connection.
Workaround:
Disable delayed acks.
Fix:
TCP sends SYN/ACK immediately after receiving the SYN, and the response as soon as it arrives from the server.
624831 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
Component: TMOS
Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.
Conditions:
max-user-rate is set at 2gbps or higher.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.
Fix:
tmm crashes while using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.
Behavior Change:
no
624826 : mgmt bridge takes HWADDR of guest vm's tap interface
Component: TMOS
Symptoms:
The MGMT interface becomes unreachable and stops responding to traffic. Whenever the guest is in the provisioned state, the MAC address assigned to mgmt is correct (taken from the base MAC). Whenever the guest is in the deployed state, the MAC address on the host mgmt interface changes and is exactly the same as the mgmt_vm_tap MAC.
Conditions:
The platform shipped with a "low" F5 base_mac
A Linux bridge by default takes as its MAC the lowest MAC of its constituent interfaces. This did not cause a problem before because F5 Networks systems' base MACs have historically been "low", e.g., with legacy_baseMacs in {00:01:D7, 00:0A:49, 00:23:E9}.
When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to take as its MAC the lowest MAC address of its constituent interfaces. With the comparison min(eth0's mac, guestTap's mac) returning guestTap's mac, the mgmt bridge incorrectly assumes the guest tap interface's MAC.
Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.
Workaround:
Use ifconfig to ensure that the MAC address of the mgmt bridge never changes from that of eth0. For example, the following command sets the MAC of the bridge to the value passed in Mac.
ifconfig <bridgeName= mgmt> hw ether <Mac of Eth0>
Note: This assumes that eth0 will always be contained in the mgmt bridge.
Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.
624744 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash resulting in flows being impacted.
Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.
Impact:
Traffic disrupted while tmm restarts.
Fix:
NULL check has been added prior to calling a callback for asynchronous handling.
624733 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash resulting in flows being impacted.
Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.
Impact:
Traffic disrupted while tmm restarts.
Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.
624616 : Safenet uninstall is unable to remove libgem.so
Component: Local Traffic Manager
Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:
rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.
Conditions:
This can be triggered when uninstalling the Safenet client using the command safenet-sync.sh -u.
Impact:
Uninstall is unable to complete.
Workaround:
None.
Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.
624570 : BIND vulnerability CVE-2016-8864
Vulnerability Solution Article: K35322517
624526 : TMM core in mptcp
Component: Local Traffic Manager
Symptoms:
When MPTCP is enabled on a virtual server, TMM may generate a core file and restart.
Conditions:
MPTCP must be in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP.
Fix:
Prevented TMM core.
624459 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
Vulnerability Solution Article: K10558632
624404 : Missing warning when typing current volume during a hotfix installation★
Component: TMOS
Symptoms:
When installing a hotfix, typing the current volume throws no warning.
Conditions:
Typing the current volume.
Impact:
Cosmetic; the installation does not continue.
Workaround:
Do not select the current volume when installing a hotfix.
Fix:
A warning message is displayed when typing current volume during a hotfix installation.
624370 : tmm crash during classification hitless upgrade if virtual server configuration is modified
Component: Traffic Classification Engine
Symptoms:
tmm crash.
Conditions:
1. A classification hitless upgrade is triggered.
2. There are pending (not saved) changes on any of the virtual servers.
Impact:
Traffic disrupted while tmm restarts.
Fix:
A change of virtual server configuration triggers a new library to be loaded during the upgrade, which was not expected by the hitless upgrade mechanism and led to a tmm crash. This is fixed in versions starting with 12.1.2.
624361 : Responses to some of the challenge JS are not zipped.
Component: TMOS
Symptoms:
Performance is affected on the JS challenge.
Conditions:
One of the following is turned on in the application DoS configuration: the CS challenge, the PBD challenge with 'Suspicious browsers' disabled, or the Device-ID challenge.
Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed.
Workaround:
None.
Fix:
Some of the JS challenges now have better performance.
624263 : iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
624228 : Memory leak when using insert action in pem rule and flow gets aborted
Component: Policy Enforcement Manager
Symptoms:
Memory keeps increasing in PEM after several hours of live service.
Conditions:
Insert action in pem rule and response spawning multiple segments. Connection gets aborted midway.
Impact:
Connections can get reset once memory usage increases beyond the threshold.
Fix:
Free xfrags when aborting flows.
624193-3 : Topology load balancing improvement
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.
Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool shares the highest assigned score for a particular load balancing decision.
Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.
Workaround:
Topology records and pools can be configured to avoid the conditions that cause this behavior.
Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.
624023 : TMM cores in iRule when accessing a SIP header that has no value
Component: Service Provider
Symptoms:
When an iRule is used to access a SIP header attribute with no value, TMM cores.
Conditions:
Use an iRule to access the value of a SIP message header attribute that has no value, for example:
"Supported: " IEOL
"Session-Expires:" IEOL
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
Fix:
The fix adjusts the buffer offset properly to handle empty header attributes while parsing the SIP message.
623940 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
Component: Local Traffic Manager
Symptoms:
If the client tries to negotiate EC ciphers but does not present the ec_point_formats extension, the SSL handshake fails.
The ltm error log messages look like:
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
Conditions:
The client tries to negotiate EC ciphers but does not present the ec_point_formats extension in the ClientHello.
Impact:
SSL Handshake fails.
623930 : vCMP guests with vlangroups may loop packets internally
Component: TMOS
Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.
Conditions:
vCMP guest, vlangroups.
Impact:
High CPU utilization and potentially undelivered packets.
Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.
Fix:
Packets are no longer looped between vlangroup children on vCMP guests.
623927 : Flow entry memory leaked after DHCP DORA process
Component: Policy Enforcement Manager
Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.
Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode), and wait for the client connection flow entry to age out.
Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.
Workaround:
None.
Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.
623922 : TMM failure in PEM while processing Service-Provider Disaggregation
Component: Policy Enforcement Manager
Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.
Conditions:
System crashes when traffic flows and rules get executed on the flow.
Impact:
System crashes.
Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.
Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.
623779 : Adding a client side challenge whitelist URL wildcard list
Component: Advanced Firewall Manager
Symptoms:
There is no way to mark a URL wildcard as always qualified for client-side challenges. Thus, for dynamic URLs, the system cannot use the CS defense against a DoS attack or the proactive bot defense.
Conditions:
Dynamic URLs are under a DoS attack and the system has CS mitigation enabled.
Impact:
The CS mitigation is not effective, and the DoS mitigation moves to the rate limit.
Workaround:
N/A
623562 : Large POSTs rejected after policy already completed
Component: Access Policy Manager
Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. The client sees a reset, and these error messages appear on the BIG-IP:
/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big
/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960
Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.
Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.
Workaround:
Move the resource from '/' to another URL.
Fix:
The logic of '/' in this area was changed to be consistent with other URLs.
623518 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
Component: Fraud Protection Services
Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.
Also, if a user-defined partition is selected, the GUI does not display a message when signature/engine updates are available.
Conditions:
Provision and license FPS.
Create user-defined partition.
Impact:
You are unable to manage the profile in the user-defined partition.
Workaround:
Use tmsh to add users.
Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.
623514 : Duplicate ASM Policies Appear in GUI
Component: Application Security Manager
Symptoms:
After an upgrade, multiple entries with the same policy name appear in the ASM policy list.
Conditions:
A system where multiple Policy history entries exist with the same revision number for the same policy undergoes upgrade.
It is not clear how a device gets into this state.
Impact:
This appears to be a display issue only, and does not affect enforcement or performance.
There are no actual duplicate policies in the system, the GUI is only displaying two rows for the affected policies.
REST is also affected, which will cause problems for BIG-IQ management of a device that encountered this error.
Workaround:
To repair the state for that policy, make a minor change in an affected policy (e.g., updating the Description), and then run Apply Policy.
Fix:
ASM now correctly displays one entry per policy.
623491 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
Component: Policy Enforcement Manager
Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.
Conditions:
A flow must be associated with a PEM rule that has at least a BWC action along with a Gx reporting action.
Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.
Fix:
The BWC policy is restored correctly after a policy update.
623401 : Intermittent OCSP request failures due to non-optimal default TCP profile setting
Component: TMOS
Symptoms:
The connection between BIG-IP and the OCSP responder is not reliable, since it uses the default internal TCP configuration, which does not fit this usage well.
Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.
Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.
Workaround:
The fix proposed an optimal TCP configuration used by the connection between BIG-IP and OCSP responder which makes the connection reliable now. Therefore the virtual server can now always correctly staple the certificate status in the Server Hello message to the SSL client.
623391 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
Component: TMOS
Symptoms:
cpcfg fails with errors similar to:
Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.
Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.
Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size.
Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3
Fix:
cpcfg could incorrectly calculate the amount of free space required, refusing to do the copy unless the / filesystem on the target volume had sufficient space to do the copy (not taking into account /config, /usr, /var, and other filesystems). This has been resolved and this free space calculation is done correctly.
623336 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
Component: TMOS
Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.
Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)
Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.
This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.
623173 : unused error messages for SecurID
Component: Access Policy Manager
Symptoms:
The following customization messages can be found at Access ›› Profiles / Policies : Customization : General; then, on the left pane, click "Text" and go to
Customization Settings -> Access Profiles -> <someAP> -> Error Messages -> SecurID Prompt Messages
SecurID authentication: unexpected error
SecurID authentication: invalid username
SecurID authentication: invalid passcode
SecurID authentication: invalid PIN
These messages can never be seen by the end user, so there is no need to customize them.
Conditions:
Some SecurID messages are customized.
Impact:
The end user never sees these messages, regardless of whether they are customized or default.
Workaround:
A workaround is not necessary; the module is functioning as designed. The only problem is that some extended error messages do not appear: the end user only sees "access denied" or "unknown error".
Fix:
The messages are no longer available for customization.
623037 : Delete of PEM session attribute does not work after an update
Component: Policy Enforcement Manager
Symptoms:
It is not possible to delete the session attribute through rules.
Conditions:
Rules with session attribute update and delete.
Impact:
Unable to delete the session attribute.
623023 : Unable to set DNS Topology Continent to Unknown via GUI
Component: Global Traffic Manager (DNS)
Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".
Conditions:
Attempting to configure a DNS Topology Record via the GUI.
Impact:
Unable to set the Continent field to 'Unknown' via GUI.
Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`
Fix:
The dropdown menu now has an option to select an "Unknown" Continent.
623019 : Disabling an interface when DDM is enabled may result in "transmit power too low" DDM messages
Component: TMOS
Symptoms:
Messages in /var/log/ltm and their associated SNMP traps:
Oct 21 08:22:40 localhost err bcm56xxd[21079]: 012c0017:3: DDM interface:1.1 transmit power too low warning. Transmit power:0.0211 mWatts
or
Oct 21 08:04:25 localhost err bcm56xxd[19986]: 012c0018:3: DDM interface: 1.1 transmit power too low alarm. Transmit power:0.0206 mWatt
Conditions:
1 - DDM enabled
2 - optics that support DDM
3 - the interface is administratively disabled via tmsh or GUI
Impact:
Cosmetic.
Workaround:
Ignore DDM messages about transmit power on disabled ports. BIG-IP disables the transmit laser when interfaces are disabled to ensure the link does not come up. Some optics will consider that a DDM transmit power too low error.
622913 : Audit Log filled with constant change messages
Component: Application Security Manager
Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:
Error 502 Bad Gateway when clicking "Application Security" logs
Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.
Impact:
Disk space usage and errors viewing the Application Security logs
Workaround:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)
2) Enable ASM sync on a device group.
Fix:
Updates to the audit log are throttled to at most one per minute.
622877 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
Component: TMOS
Symptoms:
Messages like the following in /var/log/ltm:
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared
Conditions:
i2000 or i4000 series appliances with DDM enabled, after a reboot or a restart of the pfmand daemon.
Impact:
No functional impact; these are not valid DDM alarms or warnings.
Workaround:
Ignore DDM errors that clear right away after powerup or a pfmand restart.
Fix:
During DDM initialization, clear any alarms or warnings cached in the hardware registers.
622790 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
Component: Access Policy Manager
Symptoms:
Edge Client takes a long time to disconnect when the machine is moved to a network with no connectivity to BIG-IP.
Conditions:
* VPN is established
* Machine is moved to a different network (with no connectivity to BIG-IP)
* Edge Client stays in the "Disconnecting..." state for a few minutes
Impact:
The user has to wait until the disconnect procedure is complete.
Fix:
Edge Client now uses a 5000 msec timeout to complete the logout HTTP request. This is enough under normal conditions.
622662 : OpenSSL vulnerability CVE-2016-6306
Vulnerability Solution Article: K90492697
622495 : Linux kernel vulnerability CVE-2016-5829
Vulnerability Solution Article: K28056114
622386 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
Component: Application Security Manager
Symptoms:
Internet Explorer browsers get into an endless loop of requests, never reaching the back-end server, when accessing a virtual server that has both the Web Scraping feature and Proactive Bot Defense enabled, if the Proactive Bot Defense mode is set to During Attacks.
Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.
Impact:
Internet Explorer users are blocked from accessing the back-end server.
Workaround:
Two workaround options:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.
Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.
622378 : Inconsistent hardware syncookie protection mode on B2100/B4300 blades and 5000/7000/10000 appliances
Component: TMOS
Symptoms:
BIG-IP may enter a state where the software indicates it is not in syncookie protection mode for a virtual IP, but the FPGA is still in that mode.
Conditions:
This only occurs on the following platforms with a Xilinx FPGA: B2100/B4300 blades and 5000/7000/10000 appliances. It can be triggered if BIG-IP enters and exits syncookie protection frequently within a short interval as SYN traffic varies.
Impact:
This may lead to undesired behavior in processing traffic. For example, it could cause the VIP to remain in hardware syncookie protection mode while SYN traffic is nominal.
Workaround:
Usually "bigstart restart tmm" clears this error condition.
Fix:
BIG-IP hardware and software now have a consistent syncookie protection state. However, this also introduces a behavior change on the following platforms (B2100/B4300 blades, 5000/7000/10000 appliances): when SYN traffic returns to nominal, some legitimate traffic is required to trigger BIG-IP to exit syncookie protection mode.
622281 : Network DoS logging configuration change can cause TMM crash
Component: Advanced Firewall Manager
Symptoms:
Whenever a DoS Network logging profile is assigned to or removed from a virtual server, it could cause a random TMM crash.
Conditions:
The problem happens only with a runtime config change.
Any logging profile settings that were already configured and are loaded at TMM startup do not have this problem. Since this problem is a one-time event on config change, the TMM restart picks up the config change and works without any problem after the one-time crash and restart.
Impact:
Traffic disrupted while tmm restarts.
Fix:
An invalid memory reference after free resulted in a crash; this is fixed.
622244 : Edge client can fail to upgrade when always connected is selected
Component: Access Policy Manager
Symptoms:
An attempt to upgrade the Edge Client may fail if Always Connected mode is enabled.
Conditions:
Always Connected is selected on BIG-IP when upgrading the client.
Impact:
The upgrade will fail.
Workaround:
Disable Always Connected mode.
Fix:
Upgrade functions as intended regardless of connection mode
622220 : Disruption during manipulation of PEM data with suspected flow irregularity
Component: Policy Enforcement Manager
Symptoms:
tmm crashes.
Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.
622199-4 : sys-icheck reports error with /var/lib/waagent
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.
On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch
On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent
M - Mode differs (includes permissions and file type)
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.
622194-1 : sys-icheck reports error with ssh_host_rsa_key
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub
ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub
Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.
622183 : The alert daemon should remove old log files but it does not.
Component: TMOS
Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.
Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.
Impact:
The log filesystem may become completely full, and new log messages cannot be saved.
Fix:
The alert daemon will now remove old log files as intended.
622148 : Flow-generated ICMP error messages need to consider which side of the proxy they are on
Component: Local Traffic Manager
Symptoms:
When generating an error message from a flow, the ICMPv6 code does not check which side of the proxy the message needs to be crafted for.
Conditions:
Error handling.
Impact:
As a result, the generated ICMP error message might contain the wrong addressing.
Workaround:
No workaround.
Fix:
The code now checks the flow type before crafting the error message.
622133 : vCMP guests may obtain incorrect MAC addresses
Component: TMOS
Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).
The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:
-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag
-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag
Conditions:
For this to manifest, the vCMP host's vcmpd process must have previously crashed or been killed.
In this scenario, vcmpd on restart uses a default zero-based MAC address for the guests.
The guests will not use the new zero-based MAC until services are restarted on the guest, at which point the new MAC address takes effect.
Impact:
This can cause network issues and conflicts if it occurs on multiple guests in the same VLAN, as the same MAC addresses will be used.
Workaround:
Restart the guest from the hypervisor.
Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.
622126 : PHP vulnerability CVE-2016-7124
Vulnerability Solution Article: K54308010
622017 : RRD files are not backed up if the /shared/rrd.backup directory already exists
Component: Local Traffic Manager
Symptoms:
Performance graphs do not display.
rrdshim cpu time does not increase.
Issuing "rrdtool dump /var/rrd/blade0cpu | grep lastupdate" shows a time in the past (prior to last system boot).
Conditions:
/shared/rrd.backup directory must not exist.
Incorrect info hash in /var/rrd/<filename>.info
Impact:
RRD files do not get backed up.
Workaround:
Restart statsd:
"bigstart restart statsd"
621937 : OpenSSL vulnerability CVE-2016-6304
Vulnerability Solution Article: K54211024
621935 : OpenSSL vulnerability CVE-2016-6304
Vulnerability Solution Article: K54211024
621909 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
Component: TMOS
Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces is unbalanced: some interfaces see more traffic than others.
Conditions:
This can occur for two reasons:
either an odd number of members is configured on purpose, or a port goes down in a trunk that has an even number of members.
Impact:
Uneven traffic distribution.
621843 : The ipother proxy sends ICMP error messages to the wrong side
Component: Local Traffic Manager
Symptoms:
The ipother proxy's error handling sends ICMP error messages down the wrong side of the proxy: when a client-side error occurs, the error message is sent to the server side.
Conditions:
Error handling of the ipother proxy.
Impact:
ICMP error messages show up on the wrong side.
Workaround:
No workaround.
Fix:
Fixed the error handling; messages are now sent to the correct side.
621811 : Alert Component and Malware values are reset when deleting unsaved user-defined alert
Component: Fraud Protection Services
Symptoms:
When adding multiple user-defined alerts, Alert Component and Malware values are reset if deleting another alert from the list.
Conditions:
Provision and license FPS.
Impact:
FPS GUI.
Workaround:
Add alerts without deleting.
Fix:
Alert Component and Malware values are no longer reset when deleting unsaved user-defined alert
621808 : Proactive Bot Defense failing in IE11 with Compatibility View enabled
Component: Advanced Firewall Manager
Symptoms:
Internet Explorer 11 browsers that have "Compatibility View" enabled (under the Compatibility View Settings IE menu) fail the JavaScript challenge when Proactive Bot Defense is enabled and the "Block requests from suspicious browsers" checkbox is checked.
The challenged request is blocked with a TCP RST, and the browser shows "This page can't be displayed".
Conditions:
1. The DoS profile attached to the virtual server has Proactive Bot Defense enabled and the "Block requests from suspicious browsers" checkbox checked.
2. Internet Explorer 11 browsers in which the site's domain has been added to "Compatibility View Settings" in the browser's menu.
Impact:
Legitimate browsers get blocked when accessing the site.
Workaround:
None
Fix:
Internet Explorer 11 browsers with "Compatibility View" enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.
621736 : statsd does not handle SIGCHLD properly in all cases
Component: Local Traffic Manager
Symptoms:
- Performance graphs are not updating or do not exist.
- proc_pid_stat shows statsd time not increasing.
- top also shows that statsd is not taking any processor time.
In fact statsd is stuck on a wait in a signal handler.
Conditions:
If statsd receives a SIGCHLD signal it gets stuck and does not process anything.
The following can trigger the issue:
- rm -rf /shared/rrd.backup
- sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
- kill -HUP $(pgrep -f /usr/bin/statsd)
Impact:
No performance graphs are collected or generated.
Workaround:
Restart statsd:
- bigstart restart statsd
621524 : Processing Timeout When Viewing a Request with 300+ Violations
Component: Application Security Manager
Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.
Conditions:
Attempting to view a request that triggered hundreds or thousands of violations
Impact:
A timeout is encountered.
Workaround:
Increase the "max_execution_time" timeout in /usr/local/lib/php.ini from 30 to 240 seconds.
Fix:
Processing high violation requests is now more efficient.
621452 : Connections can stall with TCP::collect iRule
Component: Local Traffic Manager
Symptoms:
Connection does not complete
Conditions:
A TCP::collect command with two arguments defers collection beyond the first client message, which should be sufficient to produce a response.
The initial sequence number in the SYN is < 2^31.
The first received packet after the SYN carries data.
Impact:
Connection fails.
Fix:
Properly set state variables associated with TCP::collect
621447 : In some rare cases, VDI may crash
Component: Access Policy Manager
Symptoms:
VDI process crashes and connections to VDI resources are aborted.
Conditions:
VDI receives an unexpected session variable result that is meant for some other VDI thread.
Impact:
Existing VDI connections are aborted and the user needs to log in again.
Fix:
VDI now handles the error condition gracefully and does not crash.
621423-1 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:
ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.
621422-1 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
Component: TMOS
Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.
The invalid optic may show a link light, and no warning appears on the LCD.
Conditions:
i2000 or i4000 platform ports do not auto-negotiate between 1G and 10G optics. Ports are assigned to one speed or the other.
Impact:
The user may not understand why the optic is not working correctly.
Workaround:
Move the optic to the correct port.
621401-4 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load
Component: Device Management
Symptoms:
When BIG-IQ is monitoring more than 1 BIG-IP in an HA cluster, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.
Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.
Impact:
AVR reporting will stop functioning.
Workaround:
bigstart restart restjavad
621374 : "abbrev" argument in "whereis" iRule returns nothing
Component: Global Traffic Manager
Symptoms:
The iRule [whereis <ip|ldns> abbrev] does not return a value.
Conditions:
iRule relying on whereis abbrev is used.
Impact:
The whereis iRule command will not return the expected value.
621371 : Output Errors in APM Event Log
Component: Access Policy Manager
Symptoms:
In some cases the HTML used to display APM event logs is generated incorrectly.
Conditions:
APM enabled
Administrative user views APM event logs via WebUI
Impact:
Inaccurate HTML rendered in user browser.
Fix:
Corrected HTML errors when displaying APM event logs
621337 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
Vulnerability Solution Article: K97285349
621284 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
Component: WebAccelerator
Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.
Conditions:
Invoking the TMSH man/help page on RAMCACHE.
Impact:
Incorrect TMSH help text
Workaround:
N/A
Fix:
max-response:
Displays the maximum number of entries in the RAM cache. The default value is 0 (zero), which is equivalent to no max-response value being specified. Without the max-response option the system limits the number of entries to 10 per Traffic Management Microkernel (TMM).
621273 : DSR tunnels with transparent monitors may cause TMM crash.
Component: TMOS
Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.
Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM does not crash.
621259-4 : Config save takes long time if there is a large number of data groups
Component: TMOS
Symptoms:
Config save takes a long time to complete
Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration
Impact:
When the save takes longer than 90 seconds, SOAP iControl times out.
This makes it impossible to manage the device via EM.
621239 : Certain DNS queries bypass DNS Cache RPZ filter.
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.
Conditions:
A DNS Cache configured with RPZ.
Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.
Fix:
The DO-bit is now ignored with respect to RPZ filtering.
621225-1 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
Component: TMOS
Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.
Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.
Impact:
These are false alarms in the log; the associated interfaces do not have any PCI devices.
Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".
621210 : Policy sync shows as aborted even if it is completed
Component: Access Policy Manager
Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.
Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.
Impact:
Sync status is displayed incorrectly, even after the sync was successful.
Workaround:
None.
Fix:
Policy sync now shows as completed when it is completed.
621202 : Portal Access: document.write() with very long string as argument may be handled incorrectly.
Component: Access Policy Manager
Symptoms:
JavaScript code may include document.write() calls with very long strings (> 60K). In some cases these strings may be rewritten incorrectly.
Conditions:
- document.write() with very long string as argument.
- The argument string contains HTML tags with quoted attribute values that include '>' inside.
Impact:
The rewritten HTML page may not work correctly.
Fix:
Now document.write() calls with long HTML strings are handled correctly by Portal Access.
621126 : Import of config with saml idp connector with reuse causes certificate not found error
Component: Access Policy Manager
Symptoms:
Exporting and then importing, with reuse, a config that contains a SAML IdP Connector fails with an Object not found or Certificate not found error:
Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.
Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.
Impact:
Importing fails.
Workaround:
On the From box: disconnect the IdP configuration, then export the config.
On the To box: recreate the IdP configuration, import, then reconnect it.
Fix:
Importing with reuse is fixed.
621115 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic
Component: Performance
Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.
Conditions:
IP/IPv6 TTL/hoplimit for host traffic.
Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.
BGP neighbors may reject packets from the BIG-IP.
Workaround:
Adjust TTL verification restrictions on peer devices.
Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.
620969-1 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
Component: TMOS
Symptoms:
When get_valid_key_sizes() is used to query the valid key sizes, 1024 is returned, which is not valid when the FIPS firmware is version 2.2 or above.
Conditions:
FIPS firmware is version 2.2 or above.
Impact:
Unsupported key-size is returned.
Fix:
This issue has been fixed to return the supported key-sizes in versions after 12.x.x.
620922 : Online help for Network Access needs update
Component: Access Policy Manager
Symptoms:
Online help for advanced network settings does not tell users that if they fill in the DNS Address Space setting, they also need to install the DNS Relay Proxy service on Windows-based systems to get the desired result.
Conditions:
Split tunneling configured. Windows-based system in use. DNS Address Space setting filled in.
Impact:
Use of DNS Address Space setting does not provide the expected result.
Workaround:
Install the DNS Relay Proxy service on Windows-based systems.
Fix:
Network Access online help now states that for DNS Address Space to work properly on a Windows-based system, the DNS Relay Proxy service must be installed and running on the client.
620829 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
None.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
620801 : Access Policy is not able to check device posture for Android 7 devices
Component: Access Policy Manager
Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.
If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.
Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.
Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.
Workaround:
This workaround only applies to IBM Maas360:
Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:
session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}
And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}
Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.
620635 : Request having upper case JSON login parameter is not detected as a failed login attempt
Component: Application Security Manager
Symptoms:
Unable to detect a failed login attempt if the ASM policy is case-insensitive and the incoming JSON string contains upper-case characters.
Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile with a JSON login parameter containing an upper-case character
Impact:
Unable to detect a failed login attempt if the ASM policy is case-insensitive and the incoming JSON string contains upper-case characters.
Workaround:
N/A
Fix:
JSON login parameters are now always treated as case-sensitive, regardless of the ASM policy's case-sensitivity setting.
620614-1 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
Component: Access Policy Manager
Symptoms:
The iOS Citrix Receiver fails to add a new store account: touching Save after providing the credentials displays "Loading" and returns to the previous Save option.
/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.
If the above error does not appear, the following error appears instead, which deletes the session ID abruptly:
Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).
Conditions:
APM is configured with Citrix replacement mode. Wrong passcode values are provided for RSA SecurID auth three times in a row, which triggers the next-token prompt, and the right passcode is entered the fourth time. APM session rotation is enabled.
Impact:
The iOS Citrix Receiver cannot add the account after wrong token values have been provided for two-factor auth.
Workaround:
Kill the iOS Citrix Receiver application and launch Receiver again to add the account.
Fix:
Use the right session id for decrypting the password.
620366 : Alertd can not open UDP socket upon restart
Component: TMOS
Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener
Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.
Impact:
alertd fails to restart
Fix:
Mark alertd file descriptors for automatic closure in child processes.
620215 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The failure to allocate memory is now handled properly.
620079 : Removing route-domain may cause monitors to fail
Component: Local Traffic Manager
Symptoms:
Removing route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.
Conditions:
Route-domain is removed and icmp/gateway-icmp monitor is used.
Impact:
Monitors mark nodes down, resulting in a partial service outage.
Workaround:
Restart bigd (bigstart restart bigd).
620056 : Assert on deletion of paired in-and-out IPsec traffic selectors
Component: TMOS
Symptoms:
When two traffic-selectors, one in and one out, mirror each other by reversing source and destination addresses, deleting one can misfire an assert, restarting tmm.
Conditions:
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.
Impact:
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.
Workaround:
Using one traffic selector with direction=both avoids the problem until this fix appears in a release.
Fix:
The confusion over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- identical to each other except for reversed source and destination -- work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS instances with direction=both.
619879 : HTTP iRule commands could lead to WEBSSO plugin being invoked
Component: Access Policy Manager
Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 bigip3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor
With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 bigip3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))
Conditions:
HTTP::disable followed by HTTP::enable.
when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff
    HTTP::enable
}
Impact:
The client receives an HTTP 503 reset.
Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.
Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.
619872 : BigIP upgrading doesn't carry over Thales configuration on the secondary slot
Component: Local Traffic Manager
Symptoms:
After upgrading BIG-IP on a multi-blade platform configured with Thales, the secondary slot fails to carry over the Thales configuration.
Running enquiry on the primary slot returns the Thales configuration. On the secondary slot, "enquiry" cannot be run.
Conditions:
Thales installed on chassis.
Impact:
Secondary slot doesn't have Thales HSM configured.
Workaround:
Wait for csyncd to finish syncing /shared/nfast from the primary slot to the secondary slot. Then run "clsh bigstart restart pkcs11d".
While waiting, run this command to compare the folder size of /shared/nfast/.
[root@localhost:/S1-green-P:Active:Standalone] config # clsh "du -sh /shared/nfast/"
=== slot 2 addr 127.3.0.2 color green ===
220M /shared/nfast/
=== slot 3 addr 127.3.0.3 color red ===
=== slot 4 addr 127.3.0.4 color blue ===
=== slot 1 addr 127.3.0.1 color green ===
220M /shared/nfast/
Another workaround (possibly faster) is to reinstall Thales after upgrading. csyncd can take 10+ minutes to finish syncing.
A third workaround is to scp /shared/nfast/ from primary slot to secondary slot. After that, run "bigstart restart pkcs11d"
e.g.,
[root@localhost:/S1-green-P:Active:Standalone]scp -r /shared/nfast/ slot2:/shared/
619849 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGABRT (killed by sod)
Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profile must be handling traffic.
This issue occurs extremely rarely.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept.
Fix:
The loop is fixed.
619811 : Machine Cert OCSP check fails with multiple Issuer CA
Component: Access Policy Manager
Symptoms:
If there are multiple CAs in the CA bundle and the issuing CA is not first, the OCSP responder returns an "unauthorized" response.
Conditions:
This can only happen when the issuing CA is not first in the CA file.
Impact:
The OCSP check in Machine Cert fails and the user cannot follow the successful branch in the Access Policy. This might result in an authentication failure even though the machine cert is valid.
Workaround:
Use iRule Event and variable Assign agent in between Machine Cert and OCSP Auth agent.
Follow these steps:
iRule:
1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"
Variable Assign:
3) Read this issuer cert from the session db and assign it back to the same session variable:
session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }
Fix:
Issuer cert is now looked up and set properly from the CA bundle. So there is no longer any failure response from OCSP responder.
619757 : iSession causes routing entry to be prematurely freed
Component: Wan Optimization Manager
Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.
Conditions:
iSession-enabled virtual.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No reasonable workaround short of not using iSession functionality.
Fix:
iSession no longer causes routing entries to be prematurely freed.
619706 : tmsh appears to allow password change for internal lcd admin user
Component: TMOS
Symptoms:
The 'tmsh modify auth password' command appears to allow the password to be changed for the f5hubblelcdadmin user.
Conditions:
Using the 'modify auth password' command under tmsh, and manually specifying the 'f5hubblelcdadmin' user (which does not appear among the list of available users, such as via tab-completion).
Impact:
This operation appears to succeed, but has no actual effect on BIG-IP operations.
This is an internal user account which provides the context for communication with the lcd front panel display on newer BIG-IP appliances. Changing the stored password for this user account does not affect these operations.
Fix:
Removed the appearance of the ability to change the password for the internal lcd admin user.
619701 : rate_limit can affect iClient connectivity
Component: Local Traffic Manager
Symptoms:
Sometimes iClient (using iSession) cannot connect to the server.
In TMM log:
iSession: Connection error: isession_handle_syn:3630: No peer
Conditions:
If a rate limit is set for an iClient virtual (with iSession defined) it can sometimes prevent iClient from connecting.
Impact:
iClient randomly cannot connect.
Workaround:
Remove the rate limit from the virtual server.
Fix:
The rate_limit check is skipped for the iSession control connection.
619667 : Allow Local DNS Servers is not honored on Mac OS X
Component: Access Policy Manager
Symptoms:
In some split tunnel cases, local DNS resolution on the client does not work.
This is the "emulated" full tunnel mode, i.e. split tunnel with an IPv4 LAN address space of 0.0.0.0/0.0.0.0 and local subnet access not allowed.
Conditions:
Allow Local DNS Servers is configured (it is not honored on Mac OS X).
Configure split tunnel and IPv4 LAN address space of 0.0.0.0/0.0.0.0.
Disable local subnet access.
System has only one physical adapter (ethernet or wifi) available for networking.
Impact:
DNS resolution fails for some split tunnel deployment cases.
Workaround:
Specify "*" in DNS included address space to forward all DNS traffic over the tunnel.
Fix:
Allow local DNS configuration is honored on Mac OS X now.
Behavior Change:
Allow local DNS configuration is honored on Mac OS X now.
619663 : Terminating of HTTP2 connection may cause a TMM crash
Component: Local Traffic Manager
Symptoms:
TMM crashes when an HTTP2 connection is being terminated on the client and server sides concurrently.
Conditions:
HTTP2 profile is configured and assigned to a virtual.
A client SSL profile is also used on the same virtual.
The client interrupts the connection at the same time as the server terminates it.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The fix stops HTTP2 from further processing when a connection is terminating, preventing the TMM crash.
619528 : TMM may accumulate internal events resulting in TMM restart
Component: Local Traffic Manager
Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.
Conditions:
HTTP virtual with long-lived connections.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.
Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.
619486 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
Component: Access Policy Manager
Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access could fail if the application modifies the window.self built-in object. As a result, the application stops working and may log an undefined variable/reference exception to the Developer Tools console.
To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.
Conditions:
This can occur if a web application has JavaScript that modifies the value of window.self.
Impact:
Affected web-applications will not work when accessed through Portal Access.
Workaround:
None
Fix:
Scripts on pages accessed through Portal Access are no longer failing when web application code modifies window.self.
619473 : Browser may hang at APM session logout
Component: Access Policy Manager
Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.
Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.
Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.
Fix:
The browser no longer hangs at logout from an APM session with the RDP client and/or VMware View client.
619410 : TMM hardware accelerated compression not registering for all compression levels.
Component: TMOS
Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 were bypassing the hardware accelerator and being serviced in software, resulting in higher CPU utilization and slower compression times.
Conditions:
Compression requests for DEFLATE/gzip/zlib levels other than level 1.
Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.
Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.
619398 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
619250 : Returning to main menu from "RSS Feed" breaks ribbon
Component: Access Policy Manager
Symptoms:
When you go to the "RSS Feed" configuration page for a Document, Picture Library, List etc., go back to the SharePoint Dashboard using the link at the top pointing to "RSS FEED for ...", and then click any option on the ribbon, you get "500 Internal Server Error" and the ribbon stops working. When you use the built-in browser "go back" button instead, everything works OK.
Conditions:
"500 Internal Server Error" occurred. The ribbon stops working.
Impact:
The ribbon stops working.
Workaround:
Use built-in browser "go back" button instead.
Fix:
After returning to the main menu from "RSS FEED for ...", the ribbon continues to work. No more "500 Internal Server Error".
619158 : iRule DNS request with trailing dot times out with empty response
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.
Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.
Impact:
The request does not properly resolve to an IP address.
Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.
Fix:
Domain names with trailing dots are properly resolved from iRules. The trailing dot is stripped when the request is saved to later match with the response.
619097-1 : iControl REST slow performance on GET request for virtual servers
Component: TMOS
Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and timeout errors.
Conditions:
When a significant number of virtual servers reference persistence profiles.
Impact:
Unable to perform large GET query on virtual servers.
Workaround:
None.
Fix:
Improved iControl REST performance when performing a GET request on a BIG-IP with a large number of persistence profiles on virtual servers.
619071 : OneConnect with verified accept issues
Component: Local Traffic Manager
Symptoms:
System may experience an outage.
Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed
Impact:
System outage.
Workaround:
Disable verified accept when used with OneConnect on a VIP.
Fix:
Verified accept, OneConnect and hardware syncookies work correctly together.
618957 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
Component: Access Policy Manager
Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such a metadata file contains two certificates (one with 'signing' and one with 'encryption' use), BIG-IP imports the certificate positioned second in the metadata twice.
Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'
Impact:
There is no impact if the signing and encryption certificates in the metadata are the same. If the certificates are different, SAML SSO may not function properly due to the incorrect certificate being imported into the configuration.
Workaround:
Import the certificates manually and assign them to the SAML SP connector created from the metadata.
Fix:
Issue is now fixed: both certificates are imported correctly.
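The KeyDescriptor handling that 618944 got wrong, as an added example (not the BIG-IP importer): the correct import keeps the 'signing' and 'encryption' certificates apart, a model of the pre-fix behaviour takes the second certificate for both uses, and a check reports the case the entry says matters, i.e. when the two certificates differ. The metadata and certificate bodies are constructed placeholders.

```python
"""Parse the KeyDescriptor entries of SAML 2.0 SP metadata (added example).

Illustrative code for issue 618944, not F5's importer. The metadata below is
constructed and its X509Certificate bodies are placeholders, not real certs.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _sample_metadata(signing_cert: str, encryption_cert: str) -> str:
    """Build constructed SP metadata with one KeyDescriptor per use."""
    return f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{signing_cert}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{encryption_cert}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


SIGNING_PLACEHOLDER = "SIGNING-CERT-PLACEHOLDER"        # constructed
ENCRYPTION_PLACEHOLDER = "ENCRYPTION-CERT-PLACEHOLDER"  # constructed
SP_METADATA_DISTINCT = _sample_metadata(SIGNING_PLACEHOLDER, ENCRYPTION_PLACEHOLDER)
SP_METADATA_SAME = _sample_metadata(SIGNING_PLACEHOLDER, SIGNING_PLACEHOLDER)


def import_certificates(metadata_xml: str) -> Dict[str, List[str]]:
    """Correct import: one certificate list per KeyDescriptor 'use'.

    Per the SAML 2.0 metadata spec a KeyDescriptor without a 'use' attribute
    applies to both signing and encryption, so it is stored under both keys.
    """
    root = ET.fromstring(metadata_xml.strip())
    certs: Dict[str, List[str]] = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") else list(certs)
        for cert_el in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            body = "".join((cert_el.text or "").split())  # drop PEM line wrapping
            for use in uses:
                certs[use].append(body)
    return certs


def import_certificates_618944(metadata_xml: str) -> Dict[str, List[str]]:
    """Model of the pre-fix behaviour the entry describes: with two
    certificates in the metadata, the second one is imported for both uses.
    Other certificate counts are not described on the page, so they fall
    through to the correct importer."""
    root = ET.fromstring(metadata_xml.strip())
    bodies = ["".join((el.text or "").split())
              for el in root.iter(f"{{{DS_NS}}}X509Certificate")]
    if len(bodies) == 2:
        return {"signing": [bodies[1]], "encryption": [bodies[1]]}
    return import_certificates(metadata_xml)


def affected_by_618944(metadata_xml: str) -> bool:
    """True when the SP's signing and encryption certificates differ, the
    case in which the entry says SAML SSO may break on an unfixed system."""
    certs = import_certificates(metadata_xml)
    return certs["signing"] != certs["encryption"]


if __name__ == "__main__":
    print("correct :", import_certificates(SP_METADATA_DISTINCT))
    print("pre-fix :", import_certificates_618944(SP_METADATA_DISTINCT))
    print("affected:", affected_by_618944(SP_METADATA_DISTINCT))
```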
618944 : AVR statistics are not saved during the upgrade process
Component: Application Visibility and Reporting
Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.
Conditions:
AVR statistics were collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.
Impact:
Old AVR statistics will be lost.
Workaround:
1. Before upgrading, edit the following file:
./usr/libdata/configsync/avr_save_pre
2. Change the following line (the test for asm is missing its "-o" operator):
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "
to
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "
Fix:
AVR upgrade script fixed
618905 : tmm core while installing Safenet 6.2 client
Component: Local Traffic Manager
Symptoms:
tmm cores while installing the Safenet 6.2 client.
Conditions:
Safenet 6.2 client installation
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm core related to Safenet 6.2 client installation.
618779 : Route updates during IPsec tunnel setup can cause tmm to restart
Component: TMOS
Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards the remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage causes tmm to crash and restart. This is more likely to happen if the route towards the endpoint is dynamic.
Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as in the case of dynamic route updates).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that there is always a valid route towards each of the remote peers.
Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.
618771 : Some Social Security Numbers are not being masked
Component: Application Security Manager
Symptoms:
ASM does not block or mask some Social Security numbers.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contain social security numbers in specific ranges.
Impact:
The traffic passes to the end client neither masked nor blocked.
Workaround:
None.
Fix:
The system now correctly masks and/or blocks all relevant social security numbers.
618693 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
Component: Application Security Manager
Symptoms:
When generating a web scraping attack of the session opening anomaly type, an attack start/end event is shown in /var/log/asm and in the GUI under Security :: Event Logs : Application : Web Scraping Statistics. The event has a "source ip" field which should include the route domain. For "session opening anomaly" the route domain is always zero (for example: 127.0.0.1%0), even when a non-zero route domain is configured.
Conditions:
Route domain is configured and a web scraping attack event triggers.
Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.
Workaround:
None. This is a cosmetic error. The system uses the correct route domain.
Fix:
The fix sets the correct route domain for the "session opening anomaly" events shown in the GUI and /var/log/asm.
618657 : Bogus ICMP unreachable messages in PEM with ipother profile in use
Component: Policy Enforcement Manager
Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.
Conditions:
A virtual server with the ipother profile configured together with the PEM profile. In the field defect the additional piece needed was a missing classification profile, but that was due to code ordering, so in unfixed versions this can also happen with the classification profile present.
Impact:
Unnecessary ICMP traffic
Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.
618549 : Fast Open can cause TMM crash CVE-2016-9249
Vulnerability Solution Article: K71282001
618517 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file
Component: Local Traffic Manager
Symptoms:
- On 11.6.1, bigd erroneously marks pool members down, and messages similar to the following are seen in the ltm log file:
Sep 23 10:45:59 bipve1 warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.
- On 12.1.x, this bug has negligible impact.
Conditions:
Monitoring must be in use, bigd debug logging must be enabled, and the bigd debug log file (/var/log/bigdlog) must be full.
Impact:
- On 11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.
- In 12.1.x, some of the underlying logging code changed and there is no real impact.
Workaround:
You can rotate the log file, using the following command:
logrotate -f bigdlog
Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.
618428-1 : iRules LX - Debug mode does not function in dedicated mode
Component: Local Traffic Manager
Symptoms:
If the debug option is enabled in dedicated mode, some of the nodejs processes can occasionally be allocated an in-use port, which prevents them from starting successfully.
By design every process is guaranteed a debug port in the configured range as long as there are enough ports available in the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.
Conditions:
Some of the ports in the range are busy.
Impact:
Some of the nodejs processes fail to start which prevents normal iRuleLX operation.
Workaround:
Consult the netstat output and set debug-port-range-low to a higher value (e.g. 10000+) to minimise the chance of a port conflict.
618421-1 : Some mass storage is left unused
Component: TMOS
Symptoms:
It is intended that all mass storage capacity be available for use by application data, site-local configuration, or software. In some conditions, about 10% of the mass storage capacity is not made available for application data.
Conditions:
This occurs on the BIG-IP i-Series platforms.
Impact:
Applications that use a lot of storage may not function optimally.
Fix:
The storage is optimally reallocated.
618404 : Access Profile copying might produce an invalid copy for certain series of names
Component: Access Policy Manager
Symptoms:
After copying an access policy, you receive an error when trying to open the copy: "Unable to load accessPolicy '/Common/my_policy_access_1_1' from source."
Conditions:
When items have names ending in _#_#_1 and _#_#_2, the _# reduction is applied.
Impact:
Unable to copy policy properly.
Workaround:
Export policy, import with reuse.
Fix:
Copying is fixed for these conditions.
618382 : qkview may cause tmm to restart or may take 30 or more minutes to run
Component: TMOS
Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.
Conditions:
This can occur on the following versions:
- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1
This can occur when the BIG-IP is heavily loaded and while running the qkview command.
Impact:
The qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.
Workaround:
Do not run the qkview command if the device is heavily loaded.
Fix:
Removed offending "show sys connection" command from qkview utility.
618336 : mkdisk utility fails if the USB device has a GUID partition table
Component: TMOS
Symptoms:
The 'mkdisk' utility fails under some circumstances, exiting with:
Failed to add partition: Invalid argument
Leaving
Conditions:
-- hosting system has 'sfdisk' version 2.26 or above
-- USB device has a GUID partition table
Impact:
USB device formatting cannot proceed
Workaround:
Convert the USB device partition table from GPT to MBR before using 'mkdisk'.
For example, use 'diskpart' in a Windows shell and run two commands on the disk:
-- clean
-- convert mbr
Then use 'mkdisk' as usual.
618324 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
Component: Access Policy Manager
Symptoms:
When upgrading from OPSWAT SDK V3 to V4 and opening an Access Policy in the VPE, if one of the OPSWAT checkers (e.g. the Anti-Virus checker) contains an Undefined (i.e. previously defined but now out of support) ID, it displays as "Any." The correct display should be "Unsupported" or "Invalid" product.
Conditions:
Wrong information is displayed.
Impact:
Wrong information is displayed.
Workaround:
N/A
Fix:
Correct (*** Invalid ***) information displayed.
618319 : HA pair will go Active/Active and report peer as "offline" if the network-failover service is blocked
Component: TMOS
Symptoms:
All members of a Sync/Failover Device Group report "Active" for all traffic-groups, and "Offline" for all peers. Configuration sync works appropriately.
Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).
If this port is blocked, the devices cannot exchange failover status information.
Impact:
When devices cannot reach the failover address of their peer devices, failover traffic will not be processed correctly and the device will become active for all traffic groups. This will result in duplicate IP addresses on the network for the objects in the traffic groups, which will cause a disruption of service.
Workaround:
Ensure that the "allow-service" parameter for the self-IP includes the configured network-failover port. Normally this is done with "allow-service { default }" if the default service list is in use; alternatively an explicit entry can be used with "allow-service { udp:1026 }".
Fix:
The system has been changed to validate input of unicast self-IPs, and issue a TMSH warning and log a message if a unicast address is configured that does not have the correct allow-service attribute.
"Unicast IP address x.x.x.x does not allow service on UDP port xxxx, network failover may not work."
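A configuration check in the spirit of the validation this fix adds, as an added example (not F5 code): it parses self-IP objects in the brace-structured shape that `tmsh list net self` prints and reports every unicast failover address whose self-IP blocks the failover UDP port. The self-IP listing and the unicast address list are constructed samples, and treating `default` as permitting the port assumes the default service list has not been customised.

```python
"""Check that self-IPs used as unicast network-failover addresses allow the
failover UDP port (added example for issue 618319; not F5 code).

The self-IP listing below is constructed in the shape of `tmsh list net self`
output; it was not captured from a device.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_FAILOVER_PORT = 1026  # default unicast failover UDP port per the entry

# Constructed sample in the shape of `tmsh list net self` output.
SAMPLE_NET_SELF = """
net self /Common/ha-self {
    address 10.0.0.1/24
    allow-service {
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}
net self /Common/ext-self {
    address 192.0.2.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
net self /Common/int-self {
    address 10.0.1.1%1/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
"""

# Constructed unicast failover addresses (ip, port). 198.51.100.5 stands for
# a management address, which is not a self-IP and has no allow-service.
SAMPLE_UNICAST = [("10.0.0.1", 1026), ("192.0.2.10", 1026),
                  ("10.0.1.1", 1026), ("198.51.100.5", 1026)]


def parse_net_self(text: str) -> Dict[str, dict]:
    """Return {self-ip name: {"address": ip, "allow_service": [entries]}}."""
    selfs: Dict[str, dict] = {}
    name = None
    in_allow = False
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r"net self (\S+) \{$", line)
        if start:
            name = start.group(1)
            selfs[name] = {"address": None, "allow_service": []}
            continue
        if name is None:
            continue
        if in_allow:                      # inside allow-service { ... }
            if line == "}":
                in_allow = False
            elif line:
                selfs[name]["allow_service"].append(line)
        elif line.startswith("address "):
            # strip prefix length and route-domain suffix, e.g. 10.0.1.1%1/24
            selfs[name]["address"] = line.split()[1].split("/")[0].split("%")[0]
        elif line.startswith("allow-service "):
            value = line.split(None, 1)[1]
            if value == "{":
                in_allow = True
            else:                         # none | all | default
                selfs[name]["allow_service"] = [value]
        elif line == "}":                 # end of this self-IP object
            name = None
    return selfs


def failover_port_allowed(allow_service: List[str], port: int) -> bool:
    """True if the allow-service list admits UDP on `port`.

    'default' is accepted because the entry states the default service list
    covers the failover port (assumes that list has not been customised).
    """
    return any(entry in ("all", "default") or entry == f"udp:{port}"
               for entry in allow_service)


def check_failover_selfs(net_self_text: str,
                         unicast: List[Tuple[str, int]]) -> List[str]:
    """Warn, in the wording of the 618319 fix, for every unicast failover
    address whose self-IP blocks the failover port."""
    by_addr = {v["address"]: (name, v["allow_service"])
               for name, v in parse_net_self(net_self_text).items()}
    warnings = []
    for ip, port in unicast:
        if ip not in by_addr:
            continue  # not a self-IP (e.g. management address): nothing to check
        name, allow = by_addr[ip]
        if not failover_port_allowed(allow, port):
            warnings.append(f"Unicast IP address {ip} ({name}) does not allow "
                            f"service on UDP port {port}, network failover "
                            "may not work.")
    return warnings


if __name__ == "__main__":
    for warning in check_failover_selfs(SAMPLE_NET_SELF, SAMPLE_UNICAST):
        print(warning)
```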
618306 : TMM vulnerability CVE-2016-9247
Vulnerability Solution Article: K33500120
618263 : OpenSSL vulnerability CVE-2016-2182
Vulnerability Solution Article: K01276005
618261 : OpenSSL vulnerability CVE-2016-2182
Vulnerability Solution Article: K01276005
618170 : Some URL unwrapping functions can behave badly
Component: Access Policy Manager
Symptoms:
Some URL unwrapping functions can behave incorrectly, with various web application malfunctions as a result.
Conditions:
JavaScript with "location.pathname"-like fields on the right side of an expression.
Impact:
Various web application malfunctions. One example: in SharePoint 2010 with IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.
Fix:
Fixed.
618161 : SSL handshake fails when clientssl uses softcard-protected key-certs.
Component: Local Traffic Manager
Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.
Conditions:
Softcard-protection is enabled and token protection is disabled.
Impact:
SSL handshake fails
Workaround:
None known.
Fix:
SSL handshake no longer fails when clientssl uses softcard-protected key-certs.
618121-2 : "persist add" iRule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
Component: Service Provider
Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x
Conditions:
When the RTSP_RESPONSE event and the "persist add" iRule command are used and the system is upgraded to v12.x.x.
Impact:
The "persist add" iRule validation fails and the iRule is not loaded.
Workaround:
A possible workaround is to bypass validation:
when RULE_INIT {
    set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}
when RTSP_RESPONSE {
    set SessionID [RTSP::header value "Session"]
    if { $SessionID != "" } {
        #persist add uie $SessionID $static::persist_timeout
        eval $static::persist_cmd
    }
}
618104 : Connection Using TCP::collect iRule May Not Close
Component: Local Traffic Manager
Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.
Conditions:
A finite TCP::collect iRule is in progress.
This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.
Impact:
The connection does not close until the sweeper causes a RST.
Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.
Fix:
Execution delay is now handled correctly.
618024 : Software-switched platforms accept traffic on LACP trunks even when the trunk is down
Component: Local Traffic Manager
Symptoms:
On software-switched platforms, tmm-owned LACP trunks still accept traffic even though the trunk is down from the control plane (LACP status down).
Conditions:
LACP trunk with status down
Impact:
VLAN failsafe timers are erroneously reset; VLAN failsafe is broken.
Workaround:
No workaround.
Fix:
tmm now checks the link status on tmm-owned LACP trunks before accepting traffic.
617986-1 : Memory leak in snmpd
Component: TMOS
Symptoms:
Memory usage in snmpd increases until the OOM killer kills snmpd.
Conditions:
BIG-IP is configured with virtual servers that have the same destination IP address.
Impact:
SNMP is disrupted while snmpd restarts.
Workaround:
No workaround
Fix:
Fixed memory leaks.
617862 : Fastl4 handshake timeout is absolute instead of relative
Component: Local Traffic Manager
Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.
Conditions:
A TCP connection in three-way handshake.
Impact:
Connections are expired prematurely if they are still in three-way handshake.
Workaround:
Disable handshake timeout.
Impact of workaround: The TCP handshake will not time out prematurely, and connections remain open until the Idle Timeout expires.
Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration any SYN retransmissions, etc., that might occur.
617858 : bigd core when using Tcl monitors
Component: Local Traffic Manager
Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.
Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).
Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.
Workaround:
None.
Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.
617824 : "SSL::disable/enable serverside" + oneconnect reuse is broken
Component: Local Traffic Manager
Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.
Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. Apply the iRule and OneConnect profile to the VS.
Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.
Workaround:
You can work around the problem by disabling oneConnect.
617629 : Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab
Component: Access Policy Manager
Symptoms:
If you click the "export csv" button and then switch to another report, the same csv file is downloaded again when you click the tab of the other report.
Conditions:
Creating multiple reports in Access Report page and clicking on the "export csv" button in one report.
Impact:
Same file will be downloaded repeatedly.
Workaround:
Refresh the page before switching to another report.
617628 : SNMP reports incorrect value for sysBladeTempTemperature OID
Component: TMOS
Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.
# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
# tmsh show sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...
The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.
Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.
Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.
config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
1 1 0 19 49 Blade air outlet temperature 1
1 2 0 14 41 Blade air inlet temperature 1
1 3 0 21 57 Blade air outlet temperature 2
1 4 0 16 41 Blade air inlet temperature 2
1 5 0 25 60 Mezzanine air outlet temperatur
1 6 0 27 72 Mezzanine HSB temperature 1
1 7 0 17 63 Blade PECI-Bridge local tempera
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
1 9 0 25 68 Mezzanine BCM56846 proximity te
1 10 0 22 69 Mezzanine BCM5718 proximity tem
1 11 0 19 57 Mezzanine Nitrox3 proximity tem
1 12 0 16 46 Mezzanine SHT21 Temperature
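The wrapped value above is a negative reading cast to an unsigned 32-bit gauge: 4294967245 decodes to -51 (the snmpwalk and tmsh captures shown here need not come from the same instant). The following Python, an added example and not F5 code, decodes such values from snmpwalk output, flags readings that exceed any plausible temperature, and lists the tmsh sensors that read negative, which are the ones SNMP misreports on affected versions. The first snmpwalk line in the sample is constructed for contrast; the second line and the tmsh rows are copied from the outputs above. No mapping between an SNMP instance suffix and a tmsh slot/index is assumed.

```python
import re

# Added example, not F5 code: decode sysBladeTempTemperature values that have
# wrapped to large Gauge32 numbers and list the tmsh sensors that read
# negative (the ones SNMP misreports on affected versions).
# SNMP_SAMPLE's second line and the tmsh rows are copied from the outputs in
# this issue; the first SNMP line is constructed for contrast.

SNMP_SAMPLE = """\
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.1.1 = Gauge32: 19
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
"""

TMSH_SAMPLE = """\
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
1 1 0 19 49 Blade air outlet temperature 1
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
"""

SNMP_RE = re.compile(
    r"sysBladeTempTemperature\.([\d.]+)\s*=\s*Gauge32:\s*(\d+)")
# slot, index, lo limit, temperature, hi limit, location
TMSH_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(.*?)\s*$")


def gauge32_to_signed(value):
    """Reinterpret a 32-bit unsigned gauge as signed two's complement.

    A negative Celsius reading cast to Gauge32 shows up as 2**32 + value;
    mapping the top bit back recovers the sign."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % (value,))
    return value - (1 << 32) if value & 0x80000000 else value


def parse_snmp_temps(text):
    """Map the OID instance suffix (e.g. '8.1') to its signed temperature."""
    return {m.group(1): gauge32_to_signed(int(m.group(2)))
            for m in SNMP_RE.finditer(text)}


def wrapped_readings(text, max_plausible_c=200):
    """(instance, raw gauge, decoded) for readings above any plausible temperature."""
    return [(m.group(1), int(m.group(2)), gauge32_to_signed(int(m.group(2))))
            for m in SNMP_RE.finditer(text)
            if int(m.group(2)) > max_plausible_c]


def negative_tmsh_sensors(text):
    """(slot, index, temp, location) for tmsh rows with a negative reading."""
    rows = []
    for line in text.splitlines():
        m = TMSH_RE.match(line)
        if m and int(m.group(4)) < 0:
            rows.append((int(m.group(1)), int(m.group(2)),
                         int(m.group(4)), m.group(6)))
    return rows


if __name__ == "__main__":
    print(wrapped_readings(SNMP_SAMPLE))       # [('8.1', 4294967245, -51)]
    print(negative_tmsh_sensors(TMSH_SAMPLE))  # [(1, 8, -48, 'Blade CPU #1 TControl Delta tem')]
```

Feed `wrapped_readings()` the output of the snmpwalk shown above; anything it returns is a sign-wrapped reading, and the decoded third element is the value to compare against tmsh.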
617620 : Firewall rule with Multicast/Link Local IPv6 addresses netmask bigger than 32 will not work
Component: Advanced Firewall Manager
Symptoms:
For an AFM firewall rule whose IPv6 source or destination address is a multicast or link-local prefix, the rule does not match if the netmask (prefix length) is greater than 32.
Conditions:
IPv6 source or destination addresses matching these patterns:
FF02:xxxx:: (multicast)
FE80:xxxx:: (link-local; IPv6 link-local addresses are in fe80::/10)
Impact:
The firewall rule is not applied to traffic that should match it.
Workaround:
N/A
Fix:
Fixed an issue with AFM firewall rule netmasks; such rules now match as configured.
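The following Python, an added example and not F5 code, audits a rule set for the affected pattern before you rely on it: IPv6 addresses inside ff00::/8 (multicast) or fe80::/10 (link-local) with a prefix length greater than 32. The rule list and its (name, sources, destinations) shape are constructed; load your own exported rules into that shape.

```python
import ipaddress

# Added example, not F5 code: audit firewall rule addresses for the pattern
# this issue affects, i.e. IPv6 multicast (ff00::/8) or link-local (fe80::/10)
# prefixes with a prefix length greater than 32. The rule list is constructed
# in the shape (rule name, source addresses, destination addresses); adapt the
# loader to however you export your AFM rules.

MULTICAST = ipaddress.IPv6Network("ff00::/8")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_affected(cidr):
    """True if cidr is an IPv6 multicast or link-local prefix longer than /32.
    A bare address is a /128 and is therefore flagged as well."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    if net.version != 6 or net.prefixlen <= 32:
        return False
    return net.subnet_of(MULTICAST) or net.subnet_of(LINK_LOCAL)


def audit_rules(rules):
    """Return [(rule, 'source'|'destination', address)] for affected entries."""
    hits = []
    for name, sources, dests in rules:
        for side, addrs in (("source", sources), ("destination", dests)):
            for addr in addrs:
                if is_affected(addr):
                    hits.append((name, side, addr))
    return hits


RULES = [  # constructed sample rules
    ("allow-mld",         ["ff02::/64"],  ["::/0"]),          # multicast, /64
    ("allow-ra",          ["fe80::/10"],  ["ff02::1/128"]),   # destination is /128
    ("allow-v4",          ["10.0.0.0/8"], ["0.0.0.0/0"]),     # IPv4, unaffected
    ("allow-mcast-short", ["ff02::/16"],  []),                # /16, unaffected
]

if __name__ == "__main__":
    for hit in audit_rules(RULES):
        print("%s: %s address %s will not match on affected versions" % hit)
```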
617544 : References to DTLS may show up in client logs even when DTLS is disabled
Component: Access Policy Manager
Symptoms:
Edge client logs contain entries that reference DTLS even when DTLS is disabled and is not used.
Conditions:
DTLS is disabled on APM and user establishes a VPN tunnel to APM using TLS.
Impact:
May cause confusion during troubleshooting connection issues; the log entries can be ignored if DTLS is not configured.
Workaround:
Ignore references to DTLS when DTLS is disabled.
Fix:
References to DTLS no longer show up in client logs even when DTLS is disabled.
617391 : Device sync constantly showing Changes Pending when using custom ASM Search Engines
Component: Application Security Manager
Symptoms:
The Device sync status will constantly show "Changes Pending" when a custom ASM Search Engine is added with a new Bot Name to an existing Search Engine name.
For example, the Yandex search engine is a built-in search engine with Bot Name "Yandex". When adding a custom search engine with the same name "Yandex", but a different Bot Name, for example "yandexbot", the issue will happen.
When the issue appears, the device sync status shows "Changes Pending". Running a config-sync will bring the status to "In Sync", but a few seconds later, the status will change back to "Changes Pending".
Conditions:
1. Multiple devices are joined in sync-failover device-group and ASM sync is enabled.
2. (AND) A custom ASM Search Engine is added with a new Bot Name but an existing Search Engine Name.
Impact:
1. Device sync status constantly showing Changes Pending
2. The custom ASM Search Engine may not be bypassed for JavaScript challenges which are sent as a result of either the Web Scraping Feature, or Device-ID. This applies also to standalone deployments.
Workaround:
Add the custom ASM Search Engine under a new name. For example, if adding the "yandexbot" search engine, use the Search Engine name "Yandex-yandexbot" instead of simply "Yandex".
Fix:
The device sync status properly remains "In Sync" when custom ASM Search Engines are added.
617335 : Deleting self IP prompting error with subnet network address
Component: TMOS
Symptoms:
An incorrect error message is shown when attempting to delete the last non-floating self IP.
Conditions:
Attempting to delete the last non-floating self IP in a network that still has floating self IPs.
Impact:
The error message names the network address of the self IP rather than the self IP being deleted, which is misleading.
Workaround:
Interpret the error message to mean that one or more floating self IPs are configured in the specified network and that they must be removed before the non-floating self IP can be deleted.
617310 : Edge client can fail to upgrade when Always Connected is selected★
Component: Access Policy Manager
Symptoms:
An attempt to upgrade from an earlier Edge client version to the current version fails when Always Connected is enabled.
Conditions:
Always Connected is selected in BIG-IP when upgrading the client.
Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.
Workaround:
Turn off Always Connected before upgrading.
Fix:
Edge client now succeeds during upgrade when Always Connected is selected.
617307 : FastL4 with full PVA acceleration: Average connections per second decreased 5-7% since v12.1.1 on i5800 platforms
Component: Performance
Symptoms:
Custom BIG-IP hardware provides a significant assist to the main CPU complex for FastL4 traffic with full PVA acceleration enabled; however, the main CPU still performs significant per-connection packet processing. Bug fixes and stability improvements in v12.1.1-HF1 and -HF2 have increased this load slightly. With a traffic profile that results in a high number of new connections and very little data exchanged per connection, if the CPU reaches 100% utilization, the average connections per second will be decreased.
Conditions:
BIG-IP v12.1.1_HF1 and _HF2, with a virtual server configured for FastL4 traffic, and including a profile that enables Full PVA Acceleration is affected. The traffic includes an extreme number of new connections, with minimal data exchanged during each connection. i5800 appliances have shown a 5-7% decrease.
Impact:
The average CPS will decrease over the same configuration running v12.1.1 by approximately 5 percent, as observed with internal F5 traffic stress testing.
617229 : Local policy rule descriptions disappear when policy is re-saved
Component: TMOS
Symptoms:
Local policy rule descriptions disappear when policy is re-saved.
Conditions:
A rule with description exists, and the policy it's under is saved.
Impact:
An existing rule description disappears when the policy it's under is saved.
Workaround:
Use TMSH to modify the policy's properties.
Fix:
Local policy rule descriptions now remain visible when policy is re-saved.
617187 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
If the APM server uses an untrusted SSL certificate, or is accessed by IP address, CustomDialer refuses the connection and shows no prompt to confirm the security warning.
Conditions:
APM has an invalid or untrusted certificate.
The user connects to the VPN using CustomDialer.
Impact:
The VPN connection cannot be established.
Workaround:
Use a valid SSL certificate on APM, or add that specific certificate to the trusted store on Windows.
Fix:
CustomDialer now warns the user about the invalid certificate and allows them to proceed.
617161 : Cosmetic: duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers.
Component: TMOS
Symptoms:
There is a cosmetic issue that results in duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers (in Local Traffic ›› Virtual Servers : Virtual Server List ›› Virtual_Server_name).
Conditions:
1) Go to Local Traffic :: Virtual Servers : Virtual Server List :: Virtual_Server_name :: Resources :: Manage iRules.
2) Move any two available iRules (created in the Common partition) to the "Enabled" column.
3) Select the bottom iRule in the "Enabled" column and click the "Up" button.
4) Add an additional iRule (created in the Common partition) to the "Enabled" column.
Impact:
Instead of showing all iRules under one partition name (Common), the system is duplicating the partition name.
Workaround:
None. This is cosmetic.
Fix:
Partition names are no longer duplicated in the "Resource Management" window when assigning iRules to Virtual Servers.
617124-1 : Cannot map hardware type (12) to HardwareType enumeration
Component: TMOS
Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.
Conditions:
This is reproducible under all conditions.
Impact:
iControl-SOAP crashes when this call is made.
Workaround:
Do not call SystemInfo::get_hardware_information().
Fix:
Calling this method no longer leads to a crash.
617063 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
Component: Access Policy Manager
Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.
Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.
Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.
Fix:
If captive portal is detected during reconnect, close VPN resources before showing captive portal authentication page.
617014 : tmm core using PEM
Component: Policy Enforcement Manager
Symptoms:
tmm cores when PEM is used with iRules that clone monitored traffic.
Conditions:
Using PEM with iRules and cloning traffic
Impact:
Traffic disrupted while tmm restarts.
Fix:
The problem with PEM and cloning traffic via iRule has been corrected.
617002 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Component: Access Policy Manager
Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.
Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.
Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.
Fix:
Response analytics is now handled correctly for these URLs, and resets are no longer sent to the client.
616864 : BIND vulnerability CVE-2016-2776
Vulnerability Solution Article: K18829561
616838-2 : Citrix Remote desktop resource custom parameter name does not accept hyphen character
Component: Access Policy Manager
Symptoms:
Adding a custom parameter whose name contains a hyphen to a Citrix Remote Desktop resource produces a parser error such as the following:
01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"
Conditions:
A Citrix resource has a custom parameter whose name contains a hyphen character.
Impact:
Custom parameter names cannot contain a hyphen character.
Workaround:
None
Fix:
Custom parameter names containing a hyphen character are now accepted.
616242 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
Component: TMOS
Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:
01070711:3: basic_string::compare
If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.
Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 or later.
Impact:
Configuration fails to load on upgrade with a vague error message that gives no indication of which file was being processed, or that a filestore file is involved.
Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
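As an added example (not F5 code), the following Python finds PEM private keys in a directory tree that begin with a blank line, reports which of them are encrypted, and strips the leading blank lines in place while preserving the file mode. The filestore root /config/filestore/files_d and the subdirectory name used in the constructed demo tree are assumptions to verify on your system; the placeholder key is constructed and is not a real key. Take a UCS backup before editing the filestore on a live unit.

```python
import os
import tempfile

# Added example, not F5 code: locate PEM private-key files that begin with a
# blank line and strip those lines in place, keeping the file mode. The
# filestore root is assumed to be /config/filestore/files_d (verify on your
# system); take a UCS backup before touching the filestore on a live unit.
# SAMPLE_ENCRYPTED_KEY is a constructed placeholder, not a real key.

FILESTORE = "/config/filestore/files_d"  # assumed location

SAMPLE_ENCRYPTED_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    b"\n"
    b"bm90IGEgcmVhbCBrZXk=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)


def leading_blank_lines(data):
    """Number of whitespace-only lines before the first non-blank line."""
    count = 0
    for line in data.splitlines(keepends=True):
        if line.strip():
            break
        count += 1
    return count


def is_encrypted_key(data):
    """Markers used by passphrase-protected PEM keys (legacy and PKCS#8)."""
    return (b"Proc-Type: 4,ENCRYPTED" in data
            or b"BEGIN ENCRYPTED PRIVATE KEY" in data)


def strip_leading_blank_lines(data):
    lines = data.splitlines(keepends=True)
    return b"".join(lines[leading_blank_lines(data):])


def find_affected_keys(root):
    """Sorted [(path, encrypted?)] for private keys that start with a blank line."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if b"PRIVATE KEY-----" in data and leading_blank_lines(data):
                hits.append((path, is_encrypted_key(data)))
    return sorted(hits)


def fix_file(path):
    """Rewrite path without its leading blank lines; returns True if changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    fixed = strip_leading_blank_lines(data)
    if fixed == data:
        return False
    mode = os.stat(path).st_mode & 0o7777
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(fixed)
    os.chmod(tmp, mode)        # keep the key file's restrictive permissions
    os.replace(tmp, path)      # atomic swap
    return True


def demo_in_tempdir():
    """Run the audit and fix on a constructed tree; returns the observations."""
    root = tempfile.mkdtemp()
    keydir = os.path.join(root, "certificate_key_d")  # assumed subdirectory name
    os.makedirs(keydir)
    bad, good = os.path.join(keydir, "bad.key"), os.path.join(keydir, "good.key")
    with open(bad, "wb") as fh:
        fh.write(b"\n\n" + SAMPLE_ENCRYPTED_KEY)
    with open(good, "wb") as fh:
        fh.write(SAMPLE_ENCRYPTED_KEY)
    os.chmod(bad, 0o600)
    before = [(os.path.basename(p), enc) for p, enc in find_affected_keys(root)]
    changed = [os.path.basename(p) for p, _ in find_affected_keys(root) if fix_file(p)]
    after = find_affected_keys(root)
    return before, changed, after, os.stat(bad).st_mode & 0o777


if __name__ == "__main__":
    print(demo_in_tempdir())   # ([('bad.key', True)], ['bad.key'], [], 384)
    for path, encrypted in find_affected_keys(FILESTORE):
        print("leading blank line:", path, "(encrypted)" if encrypted else "")
```

Run `find_affected_keys(FILESTORE)` first and review the list; only then call `fix_file()` on each path, and reload the configuration afterwards to confirm the basic_string::compare error is gone.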
616215 : TMM can core when using LB::detach and TCP::notify commands in an iRule
Component: Local Traffic Manager
Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.
Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.
Fix:
TMM no longer cores in this instance.
616106 : Client-type in access policy does not detect Edge Client after failing authentication.
Component: Access Policy Manager
Symptoms:
Users who connect to a virtual server using Edge Client and fail authentication are directed to the policy's deny page, which offers a new session link.
Once the user clicks that link, the new session is launched, but the user is denied and keeps getting directed to the same Deny page with a link to new session.
Conditions:
Have an access policy that allows Client-Type Edge Client but denies Full Browser/Mobile.
There is no Message Box on the Full Browser/Mobile branch in Client-Type.
Impact:
Once the user clicks new session link from the deny page, new session is launched but client-type gets detected as Full Browser/Mobile and user is denied.
This continues until user cancels the external logon dialog.
Workaround:
In the "Full or Mobile Browser" branch, add a "Message Box".
Fix:
The new behavior is that on Edge Client, the new session link will not be shown. The user can click Cancel and then Connect to try to login to the VPN again.
On browsers, the behavior is same. The link will be shown and user can click it to launch new session.
Behavior Change:
Older client versions were detected as a browser if the user failed authentication the first time and created a new session from the client UI.
With this fix, Edge client will be detected as edge client in the above scenario.
616059 : Modifying license.maxcores Not Allowed Error
Component: TMOS
Symptoms:
Your sync-failover device group status says "Sync Failed" and reports the following error in Device Management :: Overview "- Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed."
Conditions:
Non-homogeneous Virtual Editions configured with different licenses in a device group, or a device group that mixes Virtual Editions with hardware-based BIG-IPs. If the license variable perf_VE_cores differs among the licenses, this condition occurs.
Impact:
The device group will fail to sync.
Workaround:
If you are using Virtual Editions in a Device Group, ensure that their licenses are the same.
Fix:
The variable is no longer synced, so the error no longer occurs.
616022 : The BIG-IP monitor process fails to process timeout conditions
Component: Local Traffic Manager
Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.
Conditions:
It is not known exactly what triggers this condition. It was encountered on an https monitor.
Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.
Workaround:
None known.
Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.
615824-2 : REST API calls to invalid REST endpoint log level change
Component: iApp Technology
Symptoms:
In BIG-IP 12.x versions before 12.1.2, invalid requests to a REST endpoint were recorded at the FINE log level, making it difficult to audit when an invalid request to a REST endpoint came in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users auditing the log.
Conditions:
Any request made to an invalid REST endpoint triggers a log message at the FINE level indicating that a request came in to an invalid REST endpoint.
Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.
Workaround:
Lower the REST Framework log threshold to FINE by making the following change to the file '/etc/restjavad.log.conf' (FINE is considerably more verbose than INFO):
Before:
.level=INFO
After:
.level=FINE
Fix:
This message is logged at the INFO level on BIG-IP v12.1.2.
615407 : EAM core during shutdown
Component: Access Policy Manager
Symptoms:
During a graceful system shutdown, a core file eam.bld1.0.1447.core.gz may be created in /var/core.
Conditions:
This can occur intermittently during normal shutdown when Oracle Access Manager is configured.
Impact:
There is no impact to system operation, since this occurs on shutdown.
Workaround:
No workaround needed. There is no impact to system operation, since this occurs on shutdown.
Fix:
EAM no longer cores during shutdown.
615388 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
Component: Local Traffic Manager
Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.
Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.
Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.
615377 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.
/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.
Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.
Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.
Workaround:
None known.
Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.
Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.
Behavior Change:
The rate limiting messages in the ltm log now include the name of the traffic group that is being rate limited (see the example messages under Fix above).
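For anyone matching these messages in a SIEM, the following Python (an added example, not F5 code) parses the 011e0001 rate-limiting messages in both the pre-fix and post-fix formats and groups them per traffic group, which is the view needed to spot one traffic group being limited while the others are not. The first two sample lines reuse the two messages from this issue with a constructed syslog prefix; the remaining lines are constructed.

```python
import re

# Added example, not F5 code: parse the 011e0001 rate-limiting messages in
# both the pre-fix format (no traffic group) and the post-fix format, so that
# alerting keyed on the old text keeps working and the traffic group becomes
# a queryable field. The first two sample lines are the examples from this
# issue with a constructed syslog prefix; the rest are constructed.

SAMPLE_LINES = [
    "Oct 10 10:00:01 bigip1 warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.",
    "Oct 10 10:00:01 bigip1 warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.",
    "Oct 10 10:00:02 bigip1 warning tmm1[19110]: 011e0001:4: Limiting closed port RST response from 300 to 250 packets/sec for traffic group /Common/traffic-group-1.",
    "Oct 10 10:00:02 bigip1 warning tmm[19109]: 011e0001:4: Limiting icmp unreach response from 251 to 250 packets/sec for traffic group /Common/traffic-group-2.",
    "Oct 10 10:00:03 bigip1 info sshd[2222]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2",
]

RATE_LIMIT_RE = re.compile(
    r"tmm\d*\[(?P<pid>\d+)\]:\s+011e0001:4:\s+"
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) packets/sec"
    r"(?: for traffic group (?P<traffic_group>\S+?))?\.$")


def parse_rate_limit(line):
    """Return a dict for a rate-limit message, or None for any other line."""
    m = RATE_LIMIT_RE.search(line.rstrip())
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "kind": m.group("kind"),            # 'icmp ping', 'icmp unreach', 'closed port RST'
        "seen": int(m.group("seen")),
        "limit": int(m.group("limit")),
        "traffic_group": m.group("traffic_group"),  # None on pre-fix builds
    }


def summarize(lines):
    """Count events per (traffic_group, kind). One group limited while others
    are quiet is the signature described in this issue; a None group means the
    message came from a build without the traffic-group suffix."""
    counts = {}
    for line in lines:
        rec = parse_rate_limit(line)
        if rec is None:
            continue
        key = (rec["traffic_group"], rec["kind"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def limited_groups(lines):
    """Sorted traffic groups that appear in at least one rate-limit message."""
    return sorted({rec["traffic_group"] for rec in map(parse_rate_limit, lines)
                   if rec and rec["traffic_group"]})


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LINES).items(), key=str):
        print(key, count)
    print(limited_groups(SAMPLE_LINES))
```

Compare `limited_groups()` with the full list of traffic groups on the device; a group that is limited while carrying no more traffic than the others is the condition this issue describes rather than a real flood.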
615338-1 : The value returned by "matchregion" in an iRule is inconsistent in some cases.
Component: Global Traffic Manager
Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.
Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.
Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.
Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".
Fix:
"Matchregion" returns the correct value under all conditions.
615254 : Network Access Launch Application item fails to launch in some cases
Component: Access Policy Manager
Symptoms:
If multiple applications are configured to automatically launch on network access, only the first application will launch.
Conditions:
Network access resource has multiple applications configured
Impact:
Only the first application launches. Other applications won't launch automatically.
Workaround:
Launch applications manually after VPN is established.
Fix:
Multiple applications are now detected and launched correctly.
615143 : VDI plugin-initiated connections may select inappropriate SNAT address
Component: Local Traffic Manager
Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual before reaching the external network, the selected SNAT address may be inappropriate for the egress vlan.
Conditions:
APM configuration with VDI functionality enabled and additional virtual matching the VDI-initiated connections.
Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.
Workaround:
No workaround short of removing the additional virtual matching the VDI traffic.
Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtuals before reaching the external network.
615107-2 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).
Component: TMOS
Symptoms:
Commands issued from the AOM/SCCP menu to the host do not function, or a password is required when connecting over SSH from AOM/SCCP to the host.
Conditions:
Presence of /etc/ssh directory on host.
Impact:
AOM/SCCP unable to connect to host without password.
Workaround:
None.
Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).
614891 : Routing table doesn't get updated when EDGE client roams among wireless networks
Component: Access Policy Manager
Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.
Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.
Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.
614865-4 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()
Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.
Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.
Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.
- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.
Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.
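The delete-then-import workaround, as an added Python example that is not F5 code: the bigsuds call shape (`kc = bigsuds.BIGIP(host, user, password).Management.KeyCertificate`, then `kc.key_import_from_pem(mode=..., key_ids=..., pem_data=..., overwrite=...)` and `kc.key_delete(mode=..., key_ids=...)`) is assumed from the method names given above, as is the companion `certificate_delete()` for the certificate variant; FakeKeyCertificate is a constructed stand-in that ignores the overwrite flag, so the logic runs offline. Deleting a key that a profile still references is not safe, so apply this only to objects you intend to replace.

```python
# Added example, not F5 code: import a key through the iControl SOAP
# Management.KeyCertificate interface and, where the overwrite flag is
# ignored as described in this issue, fall back to the documented workaround
# (delete, then import). The bigsuds call shape is assumed; FakeKeyCertificate
# mimics the affected behaviour so the logic can run offline. Only replace
# objects you own: a key still referenced by a profile must not be deleted.

MODE = "MANAGEMENT_MODE_DEFAULT"


def import_key_with_overwrite(kc, key_id, pem, overwrite=True):
    """Returns 'imported' or 'replaced'; re-raises anything else."""
    try:
        kc.key_import_from_pem(mode=MODE, key_ids=[key_id],
                               pem_data=[pem], overwrite=overwrite)
        return "imported"
    except Exception as err:
        # Only the "already exists" failure from an ignored overwrite flag is
        # handled; other errors (bad PEM, auth) propagate to the caller.
        if not (overwrite and "already exists" in str(err)):
            raise
    kc.key_delete(mode=MODE, key_ids=[key_id])
    kc.key_import_from_pem(mode=MODE, key_ids=[key_id],
                           pem_data=[pem], overwrite=False)
    return "replaced"


class FakeKeyCertificate:
    """Constructed stand-in that ignores the overwrite flag, like affected builds."""

    def __init__(self):
        self.keys = {}
        self.calls = []

    def key_import_from_pem(self, mode, key_ids, pem_data, overwrite):
        self.calls.append(("import", tuple(key_ids), overwrite))
        for key_id, pem in zip(key_ids, pem_data):
            if key_id in self.keys:   # overwrite flag deliberately ignored
                raise RuntimeError("The requested key (%s) already exists." % key_id)
            self.keys[key_id] = pem

    def key_delete(self, mode, key_ids):
        self.calls.append(("delete", tuple(key_ids)))
        for key_id in key_ids:
            del self.keys[key_id]


# Constructed placeholders, not real keys.
PEM_V1 = "-----BEGIN RSA PRIVATE KEY-----\nplaceholder-v1\n-----END RSA PRIVATE KEY-----\n"
PEM_V2 = "-----BEGIN RSA PRIVATE KEY-----\nplaceholder-v2\n-----END RSA PRIVATE KEY-----\n"


def demo():
    """Import once, then replace; returns the outcomes and the call trace."""
    kc = FakeKeyCertificate()
    first = import_key_with_overwrite(kc, "app.example.com.key", PEM_V1)
    second = import_key_with_overwrite(kc, "app.example.com.key", PEM_V2)
    return first, second, kc.keys["app.example.com.key"] == PEM_V2, kc.calls


if __name__ == "__main__":
    print(demo())
```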
614586 : tmm assert "invalid racoon2 block header prefix"
Component: TMOS
Symptoms:
tmm asserted and cored.
Conditions:
IPsec IKEv2 in use.
Impact:
tmm restarts and all connections are reset.
Workaround:
None.
Fix:
The tmm will continue processing by logging and discarding the invalid memory block.
614563 : AVR TPS calculation is inaccurate
Component: Advanced Firewall Manager
Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.
Conditions:
DoS profile attached to the virtual server.
Impact:
Attacks may be falsely detected.
Workaround:
None.
Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.
614530 : Dynamic ECMP routes missing from Linux host
Component: TMOS
Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.
Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.
Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.
Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.
Fix:
ECMP routes are correctly added to the Linux host.
614509 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
Component: Local Traffic Manager
Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.
Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.
Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.
614486 : BGP community lower bytes of zero is not allowed to be set in route-map
Component: TMOS
Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.
Conditions:
Set the BGP community value to a value of the form ASN:0.
Impact:
If you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This could also affect upgrading from older versions to a version that does not support community values of the form ASN:0.
Workaround:
None
Fix:
BGP community can be set to values of the form ASN:0.
614441 : False Positive for illegal method (GET)
Component: Application Security Manager
Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----
Conditions:
This was seen after upgrade and/or failover.
Impact:
-- False positives.
-- BD has the incorrect security configuration.
Workaround:
Run the following command: restart asm.
614296 : Dynamic routing process ripd may core
Component: TMOS
Symptoms:
The dynamic routing daemon ripd (RIP protocol) may produce a core file when it is configured to use an interface that has multiple self IP addresses on different subnets on the same VLAN.
Conditions:
- Use the RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN
- Add one of the subnets with the network command within the "router RIP" stanza.
Impact:
ripd will core and the configuration will not be allowed.
Workaround:
Configure one subnet/self IP address per VLAN.
Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.
614284 : Performance fix to not reset a data structure in the packet receive hotpath.
Component: Advanced Firewall Manager
Symptoms:
No symptoms. This is a performance fix.
Conditions:
This always applies in the packet receive hotpath.
Impact:
None; without this fix BIG-IP could incur a performance cost of about 0.5%, which is hard to measure.
Workaround:
No workaround.
Fix:
Made an optimization to the packet receive hotpath.
614180 : ASM is not available in LTM policy when ASM is licensed as the main active module
Component: TMOS
Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module
Conditions:
ASM is licensed as the main active module
Impact:
ASM is not available in LTM policy rule creation
Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.
Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.
614147 : SOCKS proxy defect resolution
Component: Local Traffic Manager
Symptoms:
Internal F5 code review found potential errors.
Conditions:
Virtual server configured with SOCKS proxy.
Impact:
Erroneous behavior of SOCKS proxy
Fix:
Resolved issues found in SOCKS proxy.
614097 : HTTP Explicit proxy defect resolution
Component: Local Traffic Manager
Symptoms:
Internal F5 code review found potential errors.
Conditions:
Virtual server configured with HTTP Explicit proxy.
Impact:
Erroneous behavior of HTTP Explicit proxy
Fix:
Resolved issues found in HTTP Explicit proxy.
614072 : Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.
Component: Access Policy Manager
Symptoms:
All SWG sessions map to the SNAT pool IP, and many requests get stuck.
Conditions:
An SWG virtual server with Source Address Translation set to a SNAT pool; create a session, then send traffic for an expired session.
Impact:
Requests get stuck in the ACCESS filter and the browser keeps looping.
Workaround:
Change Source Address Translation to Auto Map (AUTOMAP) instead of SNAT Pool.
Fix:
The client IP is now stored in scratch memory and used for session lookup and creation instead of the SNAT pool IP.
613788 : List GTM pools and wideips in a partition may result in objects from all partitions
Component: TMOS
Symptoms:
Listing GTM pools or wideips from the GUI, tmsh, iControl in a particular partition may return objects from all partitions.
Conditions:
GTM provisioned, multiple partitions configured, and GTM pools or wide IPs configuration in multiple partitions.
Impact:
BIG-IP users may be able to view objects that are in partitions they don't have access to.
Workaround:
None, other than not using multiple partitions.
Fix:
This was an issue unique to GTM pools and wide IPs that resulted in the wrong set of objects being returned despite the partition context being given. The issue has been corrected, so that only valid objects are displayed for different users in different partitions.
613765 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
Component: TMOS
Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.
Impact:
Degraded user experience waiting for the extra logic and misleading error in logs.
Workaround:
None.
Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.
613618 : The TMM crashes in the websso plugin.
Component: Local Traffic Manager
Symptoms:
The TMM core and plugins operate asynchronously. A connection may abort and the TMM may deallocate connection context before the plugin has finished processing asynchronous events. The TMM crashes when a plugin accesses deallocated connection context.
Conditions:
Events raised during normal use of the sessiondb store may be processed after the connection context has been deallocated.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM will no longer crash.
613613-3 : Incorrect handling of form that contains a tag with id=action
Component: Access Policy Manager
Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.
Impact:
The impact of this issue is that the web application can not work as expected.
Workaround:
This issue has no workaround at this time.
Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.
613576 : QOS load balancing links display as gray
Component: Global Traffic Manager
Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and load balancing to the first available link in each pool is restored.
Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.
Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.
Workaround:
Remove all links from the configuration, or install this hotfix.
613574 : Snapshots may be kept longer than expected in the file store
Component: TMOS
Symptoms:
Files in /config/filestore/.snapshots_d may be kept longer than expected. This error message may be generated by mcpd later on:
01071350:3: subscriber(%icr_eventd): Snapshot for req_id(12345) getting removed due to timeout.
Conditions:
Snapshots are generated on any creation of file objects, such as iFile objects, SSL keys, or certificates.
Impact:
A slight amount of additional disk space may be used. The error message may be ignored; it does not indicate a harmful state. Traffic is not at risk of being dropped.
Workaround:
A timer will automatically clean up these files after one hour. Alternately, run 'bigstart restart icr_eventd'.
613536-1 : tmm core while running the iRule STATS:: command
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED
613509 : 2000/4000 platform reuses source port too fast when fastL4 virtual sets source-port preserve
Component: TMOS
Symptoms:
2000/4000 platforms only support IPPORT hash due to the hardware nature of the platform. That means the source port has to change even if fastL4 virtual sets source-port preserve. A software defect causes fast source port reuse when fastL4 virtual sets source-port preserve.
Conditions:
fastL4 virtual sets source-port preserve.
Impact:
Can cause throughput degradation.
Workaround:
Set source-port to change.
Fix:
2000/4000 platform now reuses source port at the correct rate when fastL4 virtual sets source-port preserve.
613483 : Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.
Component: Local Traffic Manager
Symptoms:
For PKCS#1, the SHA256 header should be:
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20.
However, there might also be this alternate header:
30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20,
Some implementations use the alternate. According to PKCS#1, the first one is used when producing a signature, but both should be accepted when verifying signatures.
In BIG-IP, SSL uses the first header (30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20), whereas crypto uses the second header format for some certificate verification (30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20); the inconsistency causes signature verification to fail.
Conditions:
For some particular certificates, crypto uses alternative SHA prefix for verification.
Impact:
SSL handshake fails because of certificate verification failure.
Workaround:
None.
Fix:
Added crypto codec support for PKCS 1 RSA padding that adds hash DER encoding.
613459 : Non-common browsers blocked by Proactive Bot Defense
Component: Advanced Firewall Manager
Symptoms:
Some non-common browsers may be blocked by the Proactive Bot Defense feature. This has been seen in rare cases; the affected browser remains on a blank page while the request is not sent to the back-end server.
Conditions:
Proactive Bot Defense enabled on the DoS profile.
Impact:
In rare cases, some non-common browsers may get blocked.
Workaround:
None
Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.
613429 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
Component: Local Traffic Manager
Symptoms:
Assigning a wide IP with wildcard characters in its name to a DNS distributed application may not work properly when done via tmsh, and such configurations created via the GUI result in configuration files that fail to load.
Conditions:
A wide IP with a wildcard character in its name.
Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.
Workaround:
None.
Fix:
Fixed an issue that prevented wide IPs with a wildcard character in their name from being assigned to BIG-IP DNS distributed apps.
613415 : Memory leak in ospfd when distribute-list is used
Component: TMOS
Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated by the oom-killer.
Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.
Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.
Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.
Fix:
ospfd no longer leaks memory when a distribute-list is configured.
613396 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
Component: Application Security Manager
Symptoms:
Exported Policy in XML format cannot be imported.
Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.
Impact:
Exported XML policies cannot be imported back into the system without manual manipulation
Workaround:
If such a policy has already been exported, only manual manipulation allows it to be imported again.
Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.
613369 : Half-Open TCP Connections Not Discoverable
Component: Local Traffic Manager
Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.
Conditions:
A TCP connection in half-open state.
Impact:
Half-open TCP connections are not discoverable
Fix:
Properly acknowledge half-open TCP connections.
613297 : Default generic message routing profile settings may core
Component: Service Provider
Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.
Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.
Impact:
The infinite number of messages causes an internal panic producing a core. Traffic disrupted while tmm restarts.
Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.
Fix:
In this release, the system automatically disables the internal parser if no separator is provided, so if a virtual is created using the default generic message profile, the first packet received no longer produces an infinite number of messages and overflows the internal buffers.
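An added example, not the BIG-IP parser: a minimal separator-based message framer in Python with the guard the fix describes (an empty separator disables parsing and the buffer is delivered as one message), plus a second, deliberately bounded function that shows why an empty separator yields an endless stream of empty messages. The buffer contents and the max_messages bound are assumptions made for the example.

```python
from typing import List, Optional, Tuple


def frame_messages(buffer: bytes, separator: Optional[bytes],
                   parser_enabled: bool = True,
                   max_messages: int = 4096) -> Tuple[List[bytes], bytes]:
    """Split a receive buffer into messages on 'separator'.

    Returns (complete_messages, unconsumed_remainder).  The guard mirrors the
    fix described above: an empty or missing separator disables the internal
    parser, so the buffer is delivered as a single message instead of being
    looped on.  max_messages (an assumed bound) caps the queue built from one
    buffer so a hostile or misconfigured peer cannot grow it without limit.
    """
    if not parser_enabled or not separator:
        return ([buffer] if buffer else []), b""
    messages: List[bytes] = []
    rest = buffer
    while True:
        idx = rest.find(separator)
        if idx < 0:
            break                      # no complete message left; keep remainder
        messages.append(rest[:idx])
        rest = rest[idx + len(separator):]
        if len(messages) > max_messages:
            raise OverflowError("too many messages in one buffer")
    return messages, rest


def unguarded_frame(buffer: bytes, separator: bytes, budget: int) -> Tuple[int, bytes]:
    """The failure mode, bounded by 'budget' only so that it terminates here.

    With an empty separator bytes.find() always returns 0 and the remainder
    never shrinks, so every iteration emits another empty message: the
    "infinite number of empty packets" from the entry.  Returns
    (messages_emitted, remainder).
    """
    emitted = 0
    rest = buffer
    while emitted < budget:
        idx = rest.find(separator)
        if idx < 0:
            break
        emitted += 1
        rest = rest[idx + len(separator):]
    return emitted, rest


if __name__ == "__main__":
    # Constructed sample buffers, not traffic from the page.
    print(frame_messages(b"hello\r\nworld\r\npart", b"\r\n"))   # two messages, b"part" left
    print(frame_messages(b"abc", b""))                          # parser disabled: one message
    print(unguarded_frame(b"abc", b"", 50))                     # 50 empty messages, nothing consumed
```

The first call shows normal framing; the third shows that with a zero-length separator the unguarded loop consumes no input at all, so the only thing that stops it is the queue filling up, which is the core described in the Impact.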
613282 : NodeJS vulnerability CVE-2016-2086
Vulnerability Solution Article: K15311661
613225 : OpenSSL vulnerability CVE-2016-6306
Vulnerability Solution Article: K90492697
613088 : pkcs11d thread has session initialization problem.
Component: Local Traffic Manager
Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.
Conditions:
This occurs when SafeNet is configured with VIPRION chassis
Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.
Workaround:
None.
Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.
613079 : Diameter monitor watchdog timeout fires after only 3 seconds
Component: Local Traffic Manager
Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.
Conditions:
A Diameter monitor must be configured.
Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.
Workaround:
None.
Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.
613065 : User can't generate netHSM key with Safenet 6.2 client using GUI
Component: Local Traffic Manager
Symptoms:
With the SafeNet 6.2 client, creating a key using the GUI may hang and time out. The GUI eventually quits with an error message.
Conditions:
Installing the SafeNet 6.2 client and attempting to create a netHSM key from the GUI.
Impact:
netHSM key creation fails; the GUI hangs.
Workaround:
Use the corresponding tmsh command to create the key.
Fix:
The netHSM key wait time has been increased, and you can now create a netHSM key using the GUI.
613045-6 : Interaction between GTM and 10.x LTM results in some virtual servers marked down
Component: Global Traffic Manager
Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.
Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.
Impact:
On the GTM side, that LTM virtual server will never get marked up.
Workaround:
None.
Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.
612874 : iRule with FLOW_INIT stage execution can cause TMM restart
Component: Advanced Firewall Manager
Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.
Conditions:
iRule that has FLOW_INIT stage action in it.
The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use an iRule with a FLOW_INIT action. iRules for other events do not cause this problem.
Fix:
Memory allocation and release during iRule FLOW_INIT execution was not handled correctly in a specific scenario; this has been corrected.
612809 : Bootup script fails to run on a vCMP guest due to a missing reference file.
Component: TMOS
Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run, and sod spams the log.
Conditions:
Startup in a vCMP guest.
Impact:
vCMP guests show dbg_echo related errors in /var/log/boot.log.
Workaround:
Disable sys db variable "failover.usetty01" and restart sod.
If unable to restart sod at the moment, apply a filter with no publisher matching message-id 012a0003:
sys log-config filter no-serial-failover-logs {
message-id 012a0003
}
Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.
612769 : Added better search capabilities on the Pool Members Manage page.
Component: Global Traffic Manager (DNS)
Symptoms:
With hundreds of potential pool members the GUI was not making it easy to search for them. The combobox was only allowing for searches that matched the beginning of the pool member's name.
Conditions:
Have more than just a few potential pool members.
Impact:
Frustrating user experience.
Workaround:
No workaround.
Fix:
Added better search capabilities on the Pool Members Manage page.
612758 : Exception within function F5_Inflate_innerHTML.
Component: Access Policy Manager
Symptoms:
Using the Mozilla Firefox browser might cause portal access to keep reloading.
Conditions:
Web-application contains object created by application code with following properties:
o = {tagName: true, setAttribute: true}
o.innerHTML = "any_value";
Impact:
Web-application does not work as expected.
Workaround:
Use the following iRule (customization required for /PATTERN_PATH):
# Updated workaround for SR 1-2326181581
when REWRITE_REQUEST_DONE {
    if { [HTTP::path] contains "/PATTERN_PATH" } {
        # log "URI=([HTTP::path])"
        # Found the file we want to modify: enable post-processing of this
        # response so that REWRITE_RESPONSE_DONE fires for it
        REWRITE::post_process 1
    }
}
when REWRITE_RESPONSE_DONE {
    # Locate the first <script> tag. "string first" returns -1 when the tag is
    # absent, so 0 (tag at the very start of the payload) must also be accepted.
    set strt [string first {<script>} [REWRITE::payload]]
    if {$strt >= 0} {
        # Insert (replace 0 bytes) a wrapper that saves the original
        # F5_Inflate_index and short-circuits it for boolean values
        REWRITE::payload replace $strt 0 {
<script>
if (typeof F5_Inflate_index !== 'undefined' && typeof F5_old_Inflate_index === 'undefined') {
    var F5_old_Inflate_index = F5_Inflate_index;
    F5_Inflate_index = function(o, s, incr, v) {
        if (typeof v !== 'boolean') return F5_old_Inflate_index (o,s,incr,v);
        return (o[s] = incr ? o[s] + v : v)
    }
}
</script>
        }
    }
}
Fix:
Using the Mozilla Firefox browser no longer causes portal access to keep reloading.
612752-2 : UCS load or upgrade may fail under certain conditions.★
Component: TMOS
Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.
Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.
Impact:
UCS load or upgrade will fail.
Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.
Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.
These settings may be safely reinstated after the upgrade is complete.
612694 : TCP::close with no pool member results in zombie flows
Component: Local Traffic Manager
Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.
Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).
Impact:
Connection does not tear itself down.
Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.
Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.
612554 : Some SSL certificate SHA verification fails for different SHA prefix used by Crypto
Component: Local Traffic Manager
Symptoms:
For PKCS#1, the SHA256 header should be:
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20.
However, there might also be this alternate header:
30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20,
Some implementations use the alternate. According to PKCS#1, the first one is used when producing a signature, but both should be accepted when verifying signatures.
In BIG-IP, SSL uses the first header (30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20), whereas crypto uses the second header format for some certificate verification (30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20); the inconsistency causes signature verification to fail.
Conditions:
For some particular certificates, crypto uses alternative SHA prefix for verification.
Impact:
SSL handshake fails because of certificate verification failure.
Workaround:
None.
Fix:
BIG-IP systems now also accept alternative SHA prefixes during the certificate SHA verification.
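Entries 613483 and 612554 describe the same mismatch: the signer emits the shorter SHA-256 DigestInfo prefix (no NULL parameter) and the verifier only recognises the standard one. The following Python is an added illustration, not F5 code: it builds EMSA-PKCS1-v1_5 encodings with either prefix and verifies them the way RFC 3447 section 8.2.2 does, by re-encoding and comparing the whole encoded message, trying the standard prefix first and the alternate second. The message bytes and the 256-byte encoded-message length (a 2048-bit modulus) are assumptions; the RSA modular exponentiation around the encoding is omitted because it does not affect the point.

```python
import hashlib
import hmac

# DER DigestInfo prefixes for SHA-256, exactly as quoted in the entries above.
# Standard form: the AlgorithmIdentifier carries an explicit NULL parameter.
SHA256_PREFIX_WITH_NULL = bytes.fromhex("3031300d060960864801650304020105000420")
# Alternate form emitted by some implementations: the parameters field is absent.
SHA256_PREFIX_NO_NULL = bytes.fromhex("302f300b06096086480165030402010420")


def digest_info(digest: bytes, with_null: bool = True) -> bytes:
    """DER DigestInfo for a SHA-256 digest, in either prefix form."""
    if len(digest) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes")
    prefix = SHA256_PREFIX_WITH_NULL if with_null else SHA256_PREFIX_NO_NULL
    return prefix + digest


def emsa_pkcs1_v15_encode(message: bytes, em_len: int, with_null: bool = True) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 3447 9.2): 00 01 || PS || 00 || T, PS at least 8 bytes of 0xFF.

    A conformant signer uses with_null=True; with_null=False models the signers
    the entries describe, which emit the shorter prefix.
    """
    t = digest_info(hashlib.sha256(message).digest(), with_null)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def emsa_pkcs1_v15_verify(em: bytes, message: bytes, accept_no_null: bool = True) -> bool:
    """Verify by re-encoding and comparing the whole EM in constant time rather
    than parsing the padding.  accept_no_null=False behaves like the pre-fix
    crypto path: a signature made with the alternate prefix is rejected even
    though the digest is correct."""
    for with_null in ((True, False) if accept_no_null else (True,)):
        try:
            expected = emsa_pkcs1_v15_encode(message, len(em), with_null)
        except ValueError:
            continue                    # EM too short for this form
        if hmac.compare_digest(em, expected):
            return True
    return False


def digest_info_form(em: bytes):
    """Triage helper: which DigestInfo prefix does this EM carry?

    Returns 'null' for the standard form, 'absent' for the alternate, or None
    when it is neither (malformed padding or a different hash algorithm).
    """
    sep = em.find(b"\x00", 2)           # first 0x00 after the 00 01 header ends PS
    if sep < 0:
        return None
    t = em[sep + 1:]
    if t.startswith(SHA256_PREFIX_WITH_NULL):
        return "null"
    if t.startswith(SHA256_PREFIX_NO_NULL):
        return "absent"
    return None


if __name__ == "__main__":
    msg = b"tbs-certificate-bytes"      # constructed stand-in for the signed data
    for form in (True, False):
        em = emsa_pkcs1_v15_encode(msg, 256, form)
        print(digest_info_form(em),
              emsa_pkcs1_v15_verify(em, msg),                       # accepts both
              emsa_pkcs1_v15_verify(em, msg, accept_no_null=False))  # pre-fix behaviour
```

Comparing the full re-encoded message, instead of walking the padding and then comparing only the digest, is what keeps a verifier from also accepting malformed encodings (too-short padding, trailing garbage) while it is being made lenient about the DigestInfo prefix; the leniency is limited to exactly the two byte strings the entries list.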
612419 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
Component: Access Policy Manager
Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.
Conditions:
Network access; full webtop, multiple Network Access resources.
Impact:
Memory usage increases over time.
Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.
Fix:
Fixed a memory leak related to network access.
612229 : TMM may crash if an LTM policy 'disable' action is not the last action in a rule
Component: Local Traffic Manager
Symptoms:
TMM may crash while processing an LTM policy.
Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- The 'disable LTM policy' action is not the last action in the rule's list of actions.
Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.
Workaround:
Ensure any LTM policy disable action is the last in the list of actions.
Fix:
TMM no longer crashes when an LTM policy 'disable' action is not the last action in the rule.
612135 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
Component: Service Provider
Symptoms:
Configuring a virtual server with generic message profile without message routing profile will core when a packet is received by the virtual.
Conditions:
Configuring a virtual server with generic message profile without message routing profile.
Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.
Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.
Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.
612129 : tmm crash (SIGABRT) when creating url filter with large number of categories
Component: Access Policy Manager
Symptoms:
When a category contains a large number (about 5000) of URL entries, tmm crashes on creation of a URL filter.
Conditions:
Create a category containing a large number of URLs, then create a new URL filter.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Break URLs up into smaller categories.
Fix:
Fixed a crash related to loading large URL categories
612128-6 : OpenSSH vulnerability CVE-2016-6515
Vulnerability Solution Article: K31510510
612040-5 : Statistics added for all crypto queues
Component: Local Traffic Manager
Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.
Conditions:
Crypto requests issued but not actively queued in the crypto hardware.
Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.
Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.
611968 : JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
Component: Access Policy Manager
Symptoms:
JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow.
Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers presence.
Impact:
Web application performance slowdown.
Workaround:
None
Fix:
Fixed.
611922 : Policy sync fails with policy that includes custom CA Bundle.
Component: Access Policy Manager
Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.
Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.
Impact:
Policy sync fails.
Workaround:
1. Use a built-in certificate bundle on the source device and sync the policy.
2. Import the custom certificate bundle to all devices.
3. Replace the built-in certificate bundle with the custom one in the policy.
Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.
611704 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
Component: Local Traffic Manager
Symptoms:
A tmm crash was discovered during internal testing.
Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT
611669 : Mac Edge Client customization is not applied on macOS 10.12 Sierra
Component: Access Policy Manager
Symptoms:
Mac Edge Client's Icon, application name, company name amongst other things can be customized on BIG-IP before deploying on end user's machine. But on Mac Edge Client on macOS 10.12 Sierra this customization is not applied.
Conditions:
macOS Sierra 10.12, Edge client, customization
Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there should be no impact except that user will see default application visually.
Workaround:
Run the following command in Terminal and re-launch the Edge client:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
Fix:
Edge client honors customization on macOS Sierra 10.12 now.
611658-4 : "less" utility logs an error for remotely authenticated users using the tmsh shell
Component: TMOS
Symptoms:
When using 'less', the following error is logged: Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"
Conditions:
admin user configured with tmsh shell
Impact:
admin user cannot use the less command from shell
Workaround:
configure admin user to use the bash shell
611652 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
Component: Local Traffic Manager
Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.
The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]
Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].
Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.
Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].
611513 : Non-zero route domain is not always used with OCSP, HTTP explicit proxy
Component: TMOS
Symptoms:
Customers may experience connectivity failures in situations where sideband communication is required as part of the transaction, for example when the BIG-IP needs to query an OCSP responder.
Conditions:
BIG-IP has an HTTP explicit proxy configuration in which a sideband connection is required, for example to obtain an OCSP response or a DNS resolver response, and those services are associated with a non-default route domain.
Impact:
End-to-end connectivity failure.
Workaround:
Change configuration so that all services required are on the default route domain, 0.
611512 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
Component: TMOS
Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.
Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
- Pool name in BIG-IP is same as the autoscaling group name in AWS attached with it.
Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.
Workaround:
When configuring pool member auto-scaling in AWS, choose a pool name that differs from the name of the autoscaling group attached to it.
Fix:
Choose different names for Pool in BIG-IP and autoscaling group in AWS to correctly configure Pool member autoscaling in BIG-IP .
611487 : vCMP: VLAN failsafe does not trigger on guest
Component: TMOS
Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.
Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, one or more VCMP guests enabled that use that VLAN
Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.
Workaround:
If you are able to, disable IPv6 on the host; VLAN failsafe then works as expected.
611485 : APM AAA RADIUS server address cannot be a multicast IPv6 address.★
Component: Access Policy Manager
Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation will prevent using a multicast address for AAA radius IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.
Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.
Impact:
Support for AAA RADIUS direct IPV6 is added in BIG-IP version 13.0.0. And the new validation affects only IPv6 multicast address. So any working IPv4 configuration will not be affected by this validation.
Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS, ensure you are using unicast addresses.
Fix:
Nothing fixed. This is a new validation which needs to be documented in upgrade release note.
611482 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .
Component: Local Traffic Manager
Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
Conditions:
Universal persistence is configured. A series of HTTP requests is sent to a tmm that does not own the persistence record. A persistence lookup is performed, but the pool command is then used for the load-balancing pick.
Impact:
Discrepancy between persistence records.
Workaround:
Use persist, not pool command, to bind persistence record to a flow.
Fix:
Fixed keeping alive the owner record.
611469 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
Component: Access Policy Manager
Symptoms:
Traffic may be disrupted or a failover initiated when a malformed, signed SAML authentication request from an authenticated user is sent via an SP connector on a BIG-IP configured as a SAML Identity Provider (IdP).
Conditions:
- BIG-IP is configured as IdP.
- BIG-IP as IdP is configured to require Authentication request to be signed, and attached SP connector has signing certificate configured.
- External SP generates authentication request with invalid signature.
Impact:
Traffic is temporarily disrupted while services restart.
Workaround:
Reconfigure BIG-IP as IdP to remove requirement of signed authentication requests. Remove signing certificate from appropriate sp-connectors.
Fix:
Traffic no longer disrupted when a malformed SAML authentication request is forwarded via an SP connector.
611467 : TMM coredump at dhcpv4_server_set_flow_key().
Component: Policy Enforcement Manager
Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().
Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A client that uses broadcast for DHCP renewal indicates that it did not receive an ACK from the DHCP server when it contacted the server directly by unicast. The most likely cause is that the server's routing table is not configured to send DHCP ACK packets back to the client.
You can work around this problem by configuring the DHCP server's routing table so that it knows how to send the DHCP ACK to the client.
611325 : VPE edit action issues with Firefox if policy is in read only mode.
Component: Access Policy Manager
Symptoms:
In Firefox, when VPE is opening a policy in read only mode, the Edit action dialogue doesn't switch to branch rules tab.
Conditions:
This occurs when using Firefox if the policy is read-only
Impact:
Subadmin is unable to view branch rules
Workaround:
Use different browser
Fix:
Fixed an issue with edit action on Firefox
611320 : Mirrored connection on Active unit of HA pair may be unexpectedly torndown
Component: Local Traffic Manager
Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.
Conditions:
The mirrored connection on the Standby unit times out due to a state mismatch with the connection on the Active unit.
Impact:
Traffic loss.
Workaround:
Disable mirroring.
Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.
611240 : Import of config with securid might fail
Component: Access Policy Manager
Symptoms:
Import of the profile used for SecurID auth might fail if the profile had already been used for authentication at the time of export.
Conditions:
This occurs when the following conditions are met:
-- Profile configured for SecurID authentication with a SecurID server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse), or reuse import when a SecurID server of the same name is not present.
Impact:
Unable to import certain configurations.
Workaround:
1. In VPE, open the SecurID auth item and set the server to None before export.
2. Export the profile.
3. Import the profile.
4. Re-create the AAA SecurID server.
5. In VPE, open the SecurID auth item and set the server to the one from step 4.
Or
1. Export the profile.
2. Create an AAA SecurID server under the same name.
3. Import the profile with reuse.
It is also possible to remove the securid entry from the SecurID server configuration files in the .conf.tar.gz, which also works.
Fix:
It is now possible to successfully export and then import a profile using SecurID in any state.
611151 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
Component: Application Security Manager
Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.
Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile with a sensitive parameter containing an upper-case character
Impact:
No data masking for a JSON sensitive parameter.
Workaround:
N/A
Fix:
JSON parameters are now always treated as case-sensitive, regardless of the ASM policy's case-sensitivity setting.
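As an added example (not ASM's implementation), the following Python masks sensitive JSON parameters before a body is logged and audits a body for parameters left unmasked. The configured names and the JSON keys are normalised with the same function, so whichever case setting the policy uses applies to both sides of the comparison; the symptom above is what you get when only one side is normalised. SAMPLE_BODY, the parameter names and the MASK string are constructed for the example.

```python
import json
from typing import Any, Iterable, List

MASK = "********"

# Constructed sample request body (not taken from the page). Note the three
# spellings of the sensitive parameter at different nesting levels.
SAMPLE_BODY = ('{"user": "alice", "Password": "s3cret", '
               '"profile": {"password": "old", "token": "t"}, '
               '"items": [{"Password": "x"}]}')


def _normaliser(case_sensitive: bool):
    """One normalisation function applied to BOTH configured names and JSON keys."""
    return (lambda s: s) if case_sensitive else str.casefold


def mask_json(body: str, sensitive: Iterable[str], case_sensitive: bool = True) -> str:
    """Return 'body' with the values of sensitive parameters replaced by MASK,
    recursing into nested objects and arrays.  Unknown keys are left intact."""
    norm = _normaliser(case_sensitive)
    names = {norm(n) for n in sensitive}

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: (MASK if norm(k) in names else walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return json.dumps(walk(json.loads(body)))


def unmasked_paths(body: str, sensitive: Iterable[str], case_sensitive: bool = True) -> List[str]:
    """Audit helper for logs: dotted paths of sensitive keys whose value is not MASK.
    Run it with the policy's own case setting to see what a masking pass missed."""
    norm = _normaliser(case_sensitive)
    names = {norm(n) for n in sensitive}
    found: List[str] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                if norm(k) in names and v != MASK:
                    found.append(path + k)
                walk(v, path + k + ".")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path.rstrip('.')}[{i}].")

    walk(json.loads(body), "")
    return found


if __name__ == "__main__":
    # Case-sensitive policy: only the exact spelling "Password" is masked.
    print(mask_json(SAMPLE_BODY, ["Password"], case_sensitive=True))
    # Case-insensitive policy: every spelling is masked.
    print(mask_json(SAMPLE_BODY, ["password"], case_sensitive=False))
    print(unmasked_paths(SAMPLE_BODY, ["password"], case_sensitive=False))
```

Running the audit on a masked body with the stricter (case-insensitive) setting is a cheap check that the configured sensitive-parameter list actually covers the spellings an application emits.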
611054 : Network failover "enable" setting is sometimes ignored on chassis systems
Component: TMOS
Symptoms:
The sync-failover device group's network-failover attribute has no effect on chassis systems: the high availability subsystem continues to send network failover packets and operates normally even when the attribute is set to "disable".
Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.
Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.
Workaround:
Enable network-failover in the sync-failover device-group.
610961 : pre-define default list of required attributes for AD Query
Component: Access Policy Manager
Symptoms:
The AD Query agent has no pre-defined required attributes; by default it fetches all attributes (*) from AD for a user. In some cases the response may contain very large attribute values that cause vCMP synchronization and other issues.
Conditions:
AD Query is configured with default (empty) required attributes list
Impact:
TMM may crash on vCMP.
Workaround:
Limit the list of attributes that the AD Query agent fetches from AD by defining the required attributes in the list.
Fix:
A set of commonly needed attributes is now pre-defined for a newly created AD Query agent.
The list is:
"cn","displayName","distinguishedName","dn","employeeID","givenName","homeMDB","mail","memberOf","mobile","msDS-ResultantPSO","name","objectGUID","otherMobile","pager","primaryGroupID","pwdLastSet","sAMAccountName","sn","telephoneNumber","userAccountControl","userPrincipalName"
610862 : TCP retransmits unnecessarily when IPv4 ICMP frag needed and tm.enforcepathmtu disabled.
Component: Local Traffic Manager
Symptoms:
When an IPv4 ICMP "fragmentation needed" message is received with MTU enforcement disabled, the MSS and MTU are not updated for the connection. TCP nevertheless retransmits unacknowledged data at the existing MSS/MTU size, which generally results in further ICMP fragmentation messages and further retransmissions.
Conditions:
MTU enforcement has been disabled via tm.enforcepathmtu and connection receives an IPv4 ICMP fragmentation needed.
Impact:
Repeated retransmissions until the connection is torn down.
Workaround:
No reasonable workaround except re-enabling MTU enforcement.
Fix:
TCP no longer retransmits when receiving IPv4 ICMP fragmentation needed messages, thus eliminating the unnecessary retransmissions.
610857 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
Component: Advanced Firewall Manager
Symptoms:
When a Selenium WebDriver client is detected driving a Chrome or Firefox browser, it is not blocked, because the PBD (Suspicious Browsers) mechanism assigns it a low score.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.
Impact:
A bot running the Selenium Chrome or Firefox WebDriver is not mitigated by the DoSL7 PBD mechanism.
Workaround:
N/A
Fix:
Adjusted scoring for selenium detection to trigger CAPTCHA upon an attempt to access a website without TSPD101 cookie (usually occurs upon accessing a website's first page)
610609 : Total connections in bigtop, SNMP are incorrect
Component: Local Traffic Manager
Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.
Conditions:
This occurs on PVA-enabled hardware platforms.
Impact:
The total connection count statistic is incorrect.
610594 : Authorization grant using auth code fails with IE11 when OAuth AS clientssl profile is using untrusted certificate
Component: Access Policy Manager
Symptoms:
IE11 modifies the HTTP method from GET to POST after certificate warning ERROR_INTERNET_SEC_CERT_ERRORS.
Conditions:
When IE11 is used in conjunction with the BIG-IP OAuth Client and the OAuth AS clientssl profile is using an untrusted certificate.
Impact:
This behavior fails the protocol and AS responds with invalid_request due to missing response_type in POST body.
Workaround:
Avoid untrusted certificate in OAuth AS clientssl profile.
Fix:
Functions as designed.
610449 : restarting mcpd on guest makes block-device-images disappear
Component: TMOS
Symptoms:
tmsh list sys software block-device-images typically shows available BIG-IP images saved on the platform which are available for install via tmsh install sys software ...
When running BIG-IP on a vcmp guest, GuestAgentDaemon is responsible for fetching from the host these available images and displaying them to the user.
When mcpd goes down, GuestAgentDaemon loses the connection required to fetch and display this information.
If mcpd has gone down since GuestAgentDaemon came up, running "(tmos)# show sys software block-device-image" a second time will no longer display the BIG-IP images available for install.
Restarting GuestAgentDaemon when mcpd restart ensures that GuestAgentDaemon will reestablish the required connection. With this fix, GuestAgentDaemon will restart only in response to mcpd going down and subsequently coming back up. Once both daemons are up and running again, the command '(tmos)# list sys software block-device-image' will again function as designed.
Conditions:
vCMP is provisioned to level dedicated.
One or more guests is provisioned and deployed.
The user is operating inside a deployed guest.
The user attempts to use a block-device-image, but mcpd has restarted since GuestAgentDaemon began execution.
No block-device-images are shown by GuestAgentDaemon.
Impact:
tmsh list sys software block-device-images returns nothing from inside the guest.
Workaround:
Restart GuestAgentDaemon in response to mcpd successfully restarting.
Fix:
GuestAgentDaemon now automatically restarts in response to McpDaemon successfully restarting.
610442 : lind on vcmp guest spins in restart loop if block-device-image with bad permissions is installed★
Component: TMOS
Symptoms:
On a vcmp guest, If a user attempts to
(tmos)# install sys software block-device-image <some.iso>,
where <some.iso> has bad file permissions
(e.g. $ chmod 600 <some.iso>),
then lind on the guest will enter a restart loop.
Conditions:
On the guest, the user is running
tmsh install sys software block-device-image <some.iso>
and <some.iso> has bad permissions, e.g. -r--------
Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time.
Workaround:
Avoid installing block-device-images known to have bad permissions.
From the host, attempt to repair the file with bad permissions and copy the repaired file to /shared/images/:
$ chmod 644 <some.iso>
$ scp <some.iso> mybox:/shared/images/
From the guest, the user should run:
$ bigstart restart lind
$ tmsh install sys software block-device-image <some.iso>
Fix:
Instead of throwing a runtime error, lind will log an error to /var/log/ltm and return.
610441 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
Component: TMOS
Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
Conditions:
This occurs when adding a new member to an existing pool using iControl REST.
Impact:
Unable to tell if the request has succeeded or failed via iControl REST.
Workaround:
Add the following to partitionInfo in icrd.conf.
{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}
610429 : X509::cert_fields iRule command may leak memory with subpubkey argument
Component: Local Traffic Manager
Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.
Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.
Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}
Impact:
Memory will leak, eventually impacting the operation of tmm.
Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields
610417 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
Component: TMOS
Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating up to the highest safe protocol available, which is TLSv1.2.
Conditions:
This exists when configuring devices in a device cluster.
Impact:
Unable to configure stronger ciphers for device trust.
Workaround:
None.
Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).
610354 : TMM crash on invalid memory access to loopback interface stats object
Component: TMOS
Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.
Conditions:
TMM drops packets on its internal loopback interfaces.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
610352 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:
ERROR: S.5...... /etc/sysconfig/modules/unic.modules
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.
610350 : sys-icheck reports error with /config/bigpipe/defaults.scf
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:
ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.
610302 : Link throughput graphs might be incorrect.
Component: Local Traffic Manager
Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.
Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.
For example, there are two links defined and named "mylink" and "mylink2".
Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.
For example, the throughput graphs for both "mylink" and "mylink2" might show the throughput data for "mylink".
As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.
Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.
Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.
610295 : TMM may crash due to internal backplane inconsistency after reprovisioning
Component: TMOS
Symptoms:
In some scenarios on VE platforms TMM may crash due to backplane inconsistency shortly after a provisioning change.
Conditions:
- BIG-IP VE with a performance-limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.
Impact:
TMM may core with panic: "Unexpected backplane address" in /var/log/tmm log files. Traffic disrupted while tmm restarts.
Workaround:
Reboot after provisioning if new license add-on keys raise the performance limits of the BIG-IP system.
610273 : Not possible to do targeted failover with HA Group configured
Component: TMOS
Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."
Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.
Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.
Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.
610224 : APM client may fetch expired certificate when a valid and an expired certificate co-exist
Component: Access Policy Manager
Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.
Conditions:
A valid and an expired certificate co-exist in the certificate store.
Impact:
Machine Certificate check fails.
Workaround:
Remove the expired certificate from the store.
Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.
610180 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.
Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO
Impact:
SSO plugin leaks memory
Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.
Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.
610129 : Config load failure when cluster management IP is not defined, but instead uses address-list.
Component: Advanced Firewall Manager
Symptoms:
In a cluster setup with multiple blades, if the configuration does not assign management IP addresses to the individual blades but instead assigns a cluster management IP address list to the cluster of blades, the configuration load fails. The system posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.
Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.
Impact:
After reboot, configuration load failure on secondary blades.
Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.
Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.
609674 : machine certificate check creates issuer string with DC with reverse order
Component: Access Policy Manager
Symptoms:
Machine certificate check on Mac creates the issuer string with the domain components (DC) in the wrong order if the certificate contains any domain component.
For example, if the DC in the certificate says f5net.com, the issuer DC string should look like "DC=f5net, DC=com", but instead it is in reverse order (DC="com", DC="f5net").
Conditions:
Machine certificate check configured on BIG-IP systems, certificate contains DC components.
Impact:
Machine certificate check might fail.
Workaround:
For access policies with a machine certificate check targeted at Mac, reverse the order of the DC components in the regex configured in the machine certificate check (compared to an access policy with a machine certificate check targeted at Microsoft Windows).
Fix:
The DC order evaluated on Mac is now correct and matches that of Microsoft Windows.
Behavior Change:
Previously, machine certificate check on Mac created the issuer string with the domain components (DC) in the wrong order if the certificate contained any domain component.
For example, if the DC in the certificate says f5net.com, the issuer DC string should look like "DC=f5net, DC=com", but instead it was in reverse order (DC="com", DC="f5net"). Now the DC order evaluated on Mac is correct and matches that of Microsoft Windows.
609628 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
Component: Local Traffic Manager
Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.
Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.
Impact:
iRule commands inside of the CLIENTSSL_SERVERHELLO_SEND are only executed for full handshakes but not for abbreviated handshakes; thus any logic that's applied per SSL connection should not run inside of CLIENTSSL_SERVERHELLO_SEND event since it is not reliably raised under all types of handshakes.
Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.
609625 : Portal Access: RSS XML files may contain non-rewritten URLs
Component: Access Policy Manager
Symptoms:
Some URLs in RSS XML files may not be rewritten if the file uses additional XML namespaces.
Conditions:
In the following example the content of <link> tag is not rewritten by Portal Access:
<rss xmlns:a10="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <a10:author> author </a10:author>
    <link> http://domain.com </link>
Impact:
RSS pages may contain direct links if accessed via Portal Access.
Workaround:
Use an iRule to replace non-rewritten URLs with rewritten ones.
Fix:
Now Portal Access rewrites all necessary URLs in RSS XML pages with additional namespaces.
609575 : BIG-IP drops ACKs containing no max-forwards header
Component: Service Provider
Symptoms:
When a SIP profile is in use and an acknowledgment (ACK) packet arrives without the Max-Forwards header, BIG-IP treats the packet as un-forwardable and does not forward the ACK. This can be experienced as a specific client being unable to make a call.
Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.
Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".
609527 : DNS cache local zone not properly copying recursion desired (RD) flag in response
Component: Global Traffic Manager (DNS)
Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.
Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.
Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.
Workaround:
Use an equivalent DNS Express configuration instead of the local zone.
Fix:
The fix is to properly check the RD flag on the query so that it can be copied to the response.
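An added example, not BIG-IP code: a minimal DNS header builder in Python that applies the RFC 1035 rule of copying RD from query to response, beside a validator of the kind a protocol-checking tool runs; the packets are constructed and carry only the 12-byte header.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1), within the 16-bit flags word.
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired: set by the client, copied into the response
RA = 0x0080  # recursion available
OPCODE_MASK = 0x7800
RCODE_MASK = 0x000F

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_query_header(txid, rd=True):
    """Header of a standard query, with RD set the way a stub resolver sends it."""
    return HEADER.pack(txid, RD if rd else 0, 1, 0, 0, 0)


def parse_header(packet):
    txid, flags, qd, an, ns, ar = HEADER.unpack(packet[:HEADER.size])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def build_response_header(query_packet, ancount, copy_rd=True, rcode=0):
    """Response header for a query answered locally (local-zone style).

    copy_rd=False reproduces the defect described above: RD is left clear no
    matter what the client sent. copy_rd=True is the correct behaviour.
    """
    q = parse_header(query_packet)
    flags = QR | AA | (q["flags"] & OPCODE_MASK) | (rcode & RCODE_MASK)
    if copy_rd:
        flags |= q["flags"] & RD
    return HEADER.pack(q["id"], flags, q["qdcount"], ancount, 0, 0)


def check_response(query_packet, response_packet):
    """Validate a response header against its query the way a protocol
    validation tool would; returns a list of problems (empty means OK)."""
    q, r = parse_header(query_packet), parse_header(response_packet)
    problems = []
    if r["id"] != q["id"]:
        problems.append("transaction id mismatch")
    if not r["flags"] & QR:
        problems.append("QR bit not set")
    if (r["flags"] & OPCODE_MASK) != (q["flags"] & OPCODE_MASK):
        problems.append("opcode not copied")
    if (r["flags"] & RD) != (q["flags"] & RD):
        problems.append("RD flag not copied from query")
    return problems
```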
609499 : Compiled signature collections use more memory than prior versions
Component: Application Security Manager
Symptoms:
Compiled signature collections use more memory than prior versions.
Conditions:
Different signature sets are used for different policies.
Impact:
BD memory usage for compiled signature collections is increased.
Fix:
Compiled signature collections memory usage was consolidated and reduced.
609496 : Improved diagnostics in BD config update (bd_agent) added
Component: Application Security Manager
Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.
Conditions:
Further troubleshooting of BD config update transmission is needed.
Impact:
No diagnostics are available.
Workaround:
None.
Fix:
Improved diagnostics in BD config update (bd_agent) were added.
609328 : SIP Parser incorrectly parses empty header
Component: Service Provider
Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.
Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.
Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).
Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.
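As an added illustration (not the product's parser) of the defect in 609328 and of the Max-Forwards handling described in 609575, this Python snippet contrasts a header reader that swallows the next line when a value is empty with one that terminates every header at its line ending; both SIP messages are constructed samples.

```python
# Constructed SIP request (not from the release note): the "Subject:" header has
# no value and is immediately followed by Max-Forwards, the header a proxy needs.
SAMPLE_REQUEST = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Subject:\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed request with a legitimately folded header (RFC 3261 section 7.3.1):
# a continuation line starts with SP or HTAB and extends the previous value.
FOLDED_REQUEST = (
    "OPTIONS sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    " ;branch=z9hG4bKnashds8\r\n"
    "Max-Forwards: 70\r\n"
    "\r\n"
)


def _header_lines(raw):
    """Split the start-line from the header block; the body is ignored here."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:]


def parse_headers_buggy(raw):
    """Mimics the defect: an empty value is treated like an unfinished value,
    so the parser keeps reading and swallows the next header line."""
    _, lines = _header_lines(raw)
    headers = {}
    i = 0
    while i < len(lines):
        name, _, value = lines[i].partition(":")
        value = value.strip()
        i += 1
        while value == "" and i < len(lines):  # DEFECT: ignores the CRLF terminator
            value = lines[i].strip()
            i += 1
        headers.setdefault(name.strip().lower(), []).append(value)
    return headers


def parse_headers_fixed(raw):
    """Terminates every header at its line ending, empty or not. Only lines that
    begin with whitespace are folded continuations of the previous header."""
    _, lines = _header_lines(raw)
    parsed = []  # [name, value] pairs so a folded line can extend the last entry
    for line in lines:
        if line[:1] in (" ", "\t"):
            if not parsed:
                raise ValueError("continuation line before any header")
            parsed[-1][1] = (parsed[-1][1] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        parsed.append([name.strip().lower(), value.strip()])
    headers = {}
    for name, value in parsed:
        headers.setdefault(name, []).append(value)
    return headers


def max_forwards(headers):
    """Max-Forwards as an int, or None when the header was not seen. A proxy
    that treats None as 0 will refuse to forward the message (see 609575)."""
    values = headers.get("max-forwards")
    if not values:
        return None
    return int(values[0])
```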
609244-5 : tmsh show ltm persistence persist-records leaks memory
Component: Local Traffic Manager
Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.
Conditions:
This occurs when running tmsh show ltm persistence persist-records.
Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.
Workaround:
None.
Fix:
tmsh show ltm persistence persist-records no longer leaks memory.
609199 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
Component: Local Traffic Manager
Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.
Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP.
Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.
609119 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
Component: TMOS
Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:
-- err mcpd[19114]: 01070711:3:
For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.
Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.
Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.
Workaround:
None. The problem corrects automatically when the system rewrites the log.
Fix:
The logging system no longer prints a blank message in response to failed file object configuration change validations.
609107 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
Component: TMOS
Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.
Conditions:
A folder is removed from a previously valid configuration file.
Impact:
Inconsistent configuration between devices in the same device-group, shows in-sync when they are not, prevents config loading after mcpd has been reset.
Workaround:
Do not remove folders from the configuration file.
Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.
609098-2 : Improve details of ajax failure
Component: Fraud Protection Services
Symptoms:
When AJAX request fails, insufficient information is provided to debug the failure.
Conditions:
AJAX failure
Impact:
Difficult to diagnose the failure.
Workaround:
Not relevant
Fix:
Add information to alert about AJAX failure.
609095 : mcpd memory grows when updating firewall rules
Component: Advanced Firewall Manager
Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.
Conditions:
This can occur when making changes to firewall policies.
Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.
609084 : Max number of chunks not configurable above 1000 chunks
Component: Application Security Manager
Symptoms:
If a request contains more than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:
Unparsable request content Chunks number exceeds request chunks limit: 1000.
Conditions:
This occurs when the request exceeds 1000 chunks.
Impact:
Requests that are valid from the server side are being rejected.
Workaround:
None.
Fix:
This release adds an internal parameter "request_max_chunks_number" that allows the maximum number of chunks to be configured above 1000. The default value is 1000.
Behavior Change:
This release adds an internal parameter "request_max_chunks_number" that allows the maximum number of chunks to be configured above 1000. The default value is 1000.
609027 : TMM crashes when SSL forward proxy is enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes when SSL forward proxy is enabled.
Conditions:
This can occur when SSL forward proxy is enabled and there is a server handshake done when client SSL handshake is not ongoing.
Impact:
Traffic disrupted while tmm restarts.
Fix:
SSL forward proxy now ignores server handshake done when client SSL handshake is not ongoing, so an intermittent TMM crash no longer occurs.
609005-1 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
Component: Policy Enforcement Manager
Symptoms:
When two client-side DHCP packets with the giaddr field set arrive, one with source port 67 and the other with source port 68 (the latter does not conform to the RFC, since a DHCP packet with giaddr set comes from a relay agent and should use 67 as its source port),
tmm crashes while logging the error message.
Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.
608941 : AAA RADIUS system authentication fails on IPv6 network
Component: Access Policy Manager
Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly to a RADIUS server fails on invalid IP address. The signature in the log file is as follows:
err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)
Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.
Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, clients unable to log into the system.
608927 : SIP Parser logging improvements
Component: Service Provider
Symptoms:
The SIP parser logging and tracing can be vague and not helpful to field troubleshooting when SIP messages are unable to be parsed.
Conditions:
This occurs when SIP logs an error due to a malformed or unsupported SIP message to the SIP parser.
Impact:
Isolating the specific issue with a defective SIP message is difficult.
Workaround:
Do not pass malformed or unsupported SIP messages into the BIG-IP system.
Fix:
Logging of SIP parser message rejection has been improved.
608826 : Greylist (bad actors list) is not cleaned when attack ends
Component: Anomaly Detection Services
Symptoms:
When an attack ends, the greylist (detected bad actors) remains until its timeout expires.
Conditions:
Detected bad actors and attack end.
Impact:
If a new attack starts before the greylist expires, greylist members are mitigated even if they are not related to the current attack.
Workaround:
If necessary, the greylist can be cleared manually using the ipidr utility.
Fix:
Clear the greylist upon attack end.
608742 : DHCP: DHCP renew ack messages from server are dropped by BIG-IP in Forward mode.
Component: Policy Enforcement Manager
Symptoms:
When BIG-IP is configured in Forwarding mode, the renewal ack message sent by the server in response to a unicast renewal message from a DHCP client is dropped.
Conditions:
BIG-IP in forwarding mode, with DHCP clients sending unicast renewal messages to the DHCP server.
Impact:
Unicast DHCP renewal requests are not acked. DHCP clients then send broadcast renewal messages, which are acked by the servers.
Workaround:
After failing to receive acks from the DHCP server for its unicast renewal messages, the DHCP client sends broadcast DHCP renewal messages; these are acked by the DHCP server, and the acks are forwarded by BIG-IP and received by the DHCP clients.
608601 : Multiple LibTIFF vulnerabilities
Vulnerability Solution Article: K35155453
608591 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
Component: Policy Enforcement Manager
Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).
Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.
Impact:
Might impact the way policies are provided from the PCRF.
Workaround:
None
Fix:
Subscriber ID type is marked as NAI for DHCP discovered subscribers.
608566 : The reference count of NW dos log profile in tmm log is incorrect
Component: Advanced Firewall Manager
Symptoms:
In certain circumstances, when virtual servers are configured with security log profiles, the log message in the tmm log shows an incorrect reference count for the log profiles.
Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.
Impact:
This may lead to issues such as a TMM crash if the reference count is not calculated correctly.
Fix:
The reference count shown in the log message is now correct.
608555 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash
Component: Local Traffic Manager
Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.
Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.
Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.
Workaround:
Do not use asymmetric routing with a rate limited license.
Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, and tmm no longer crashes.
608551 : Half-closed congested SSL connections with unclean shutdown might stall.
Component: Local Traffic Manager
Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.
Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.
Impact:
Possible stalled flow.
Workaround:
Use SSL client that sends clean shutdown.
Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.
608509 : Policy learning is slow under high load
Component: Application Security Manager
Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.
Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.
Impact:
Learning suggestions appear with considerable delay, policy learning speed goes down.
Workaround:
No workaround
Fix:
Fixed an issue with slow policy learning on heavily loaded systems.
608453 : Shrink/Expand imgs of Webtop Section is customizable
Component: Access Policy Manager
Symptoms:
Changing images for Shrink/Expand of Webtop Section in Webtop Customization does not actually change the images on the client; users see the default images instead.
Conditions:
This is encountered when using Webtop Customization.
Impact:
The default image is displayed instead of the customized image.
Workaround:
None.
Fix:
Customization of Shrink/Expand images is working properly now in Webtop Section in Webtop Customization.
608427 : LocalDB auth agent is not available for APM based system auth
Component: Access Policy Manager
Symptoms:
LocalDB auth agent is not available for APM based system auth.
Conditions:
Try to add LocalDB auth agent to access profile for APM profile type of system auth. VPE does not show LocalDB auth agent for System auth access profiles.
Impact:
You are unable to assign a LocalDB auth agent for APM based system auth.
Workaround:
No workaround
Fix:
LocalDB auth agent is now available for APM based system auth. LocalDB auth agent can be added in VPE for access profiles with type system auth.
608408 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
Component: Access Policy Manager
Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.
Conditions:
All of the following
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.
Impact:
TMM may restart.
Workaround:
None.
Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.
608373 : Some iApp LX packages will not be saved during upgrade or UCS save/restore
Component: Device Management
Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.
Conditions:
iApp LX packages that depend on system utilities.
Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.
Workaround:
None.
Fix:
The iApp LX UCS save process now turns off automatic dependency generation by rpmbuild, so iApp LX packages can be imported during UCS restore or upgrade.
608320 : iControl REST API omits persistence profile properties explicitly set to "none" from its response
Component: TMOS
Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.
Workaround:
None.
Fix:
The iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string properties that are explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception is secured attributes, which are always excluded from the iControl REST API response.
608024 : Unnecessary DTLS retransmissions occur during handshake.
Component: Local Traffic Manager
Symptoms:
Unnecessary DTLS retransmissions occur during handshake.
Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.
Impact:
Possible DTLS handshake failure on VE platform.
Workaround:
None.
Fix:
This release fixes a possible failed DTLS handshake on VE platforms.
608009 : Crash: tmm crashes when active system connections are deleted from the CLI
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP system is in DHCP forwarding mode and a relay agent sets the giaddr field of a unicast DHCP renewal packet to its own IP address, tmm may crash when active system connections are deleted from the CLI or expire through aging.
Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically, the DHCP client sets it to 0)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This is not a typical network setup. A DHCP relay agent does not usually modify a DHCP renewal packet to insert its own address as giaddr.
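The two DHCP entries above (the earlier one on unicast renewals that go unacknowledged, and 608009 on a relay agent inserting its own address as giaddr) both turn on fields that can be confirmed directly from the packet. The following Python is an added example, not part of these release notes or F5 code: it parses a DHCPv4 payload and flags a RENEWING-state unicast DHCPREQUEST whose giaddr is non-zero, which is the condition 608009 describes. The sample packet is constructed inline; its addresses and MAC are made up.

```python
"""Parse DHCPv4 messages and flag unicast renewals that carry a non-zero giaddr."""
import struct
import ipaddress

# Field layout and option codes from RFC 2131 / RFC 2132.
BOOTP_FIXED_LEN = 236                 # op .. file; the 4-byte magic cookie follows
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_PAD, OPT_END = 0, 255
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 53, 54
DHCPREQUEST = 3


def parse_dhcp(payload: bytes) -> dict:
    """Return the fixed header fields plus a {code: raw value} option map."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload too short for DHCP")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr, yiaddr, siaddr, giaddr occupy bytes 12..27 in that order.
    addrs = [str(ipaddress.IPv4Address(payload[o:o + 4])) for o in (12, 16, 20, 24)]
    options = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "flags": flags, "ciaddr": addrs[0],
            "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
            "options": options}


def classify_request(msg: dict) -> str:
    """Separate a RENEWING-state unicast DHCPREQUEST from other requests.

    Per RFC 2131 section 4.3.2, a renewing client unicasts DHCPREQUEST with
    ciaddr filled in and without the server-identifier or requested-IP
    options. That message goes straight to the server, so giaddr should be
    0.0.0.0; a non-zero giaddr is the relay-agent behaviour described above.
    """
    opts = msg["options"]
    if msg["op"] != BOOTREQUEST or opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return "not-a-request"
    if msg["ciaddr"] == "0.0.0.0" or OPT_SERVER_ID in opts or OPT_REQUESTED_IP in opts:
        return "request-other-state"
    if msg["giaddr"] != "0.0.0.0":
        return "unicast-renewal-giaddr-set"
    return "unicast-renewal"


def build_request(ciaddr: str, giaddr: str = "0.0.0.0", server_id: str = "") -> bytes:
    """Construct a DHCPREQUEST payload (constructed sample data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0)
    hdr += ipaddress.IPv4Address(ciaddr).packed
    hdr += b"\x00" * 8                                    # yiaddr, siaddr
    hdr += ipaddress.IPv4Address(giaddr).packed
    hdr += bytes.fromhex("00163ec21a4e") + b"\x00" * 10   # chaddr (made-up MAC)
    hdr += b"\x00" * (64 + 128)                           # sname, file
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if server_id:                                         # present only in SELECTING state
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + opts + bytes([OPT_END])


if __name__ == "__main__":
    for relay in ("0.0.0.0", "10.1.1.1"):
        pkt = build_request("10.1.1.50", giaddr=relay)
        print(relay, classify_request(parse_dhcp(pkt)))
```

To use it on real traffic, feed it the UDP payload of port 67 datagrams taken from a capture on the client-facing VLAN; a "unicast-renewal-giaddr-set" result on a BIG-IP system in forwarding mode is the setup 608009 warns about.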
607961 : Secondary blades restart when modifying a virtual server's route domain in a different partition.
Component: TMOS
Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).
Conditions:
- Multiple blades of vCMP guests in a sync-failover group.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.
Impact:
Traffic disrupted while secondary blades restart.
Workaround:
None.
Fix:
Secondary blades no longer restart when modifying a virtual server's route domain in a different partition.
607886 : Cannot delete partition when APM Sandbox configuration is present
Component: Access Policy Manager
Symptoms:
A partition cannot be removed when the APM Sandbox configuration is present and APM is not provisioned.
Conditions:
-- APM Sandbox configuration exists in partition other than Common.
-- APM is not provisioned.
Impact:
Partition cannot be deleted.
Workaround:
To work around this issue, you can first provision APM and then delete the partition. This will require a restart of services.
Another workaround is to remove the bigip.conf file from under /config/partitions/<partition folder> and reload the full configuration. For example:
1) rm /config/partitions/<partition>/bigip.conf
2) tmsh load sys config
3) tmsh delete sys folder /<partition>
Fix:
Now, you can delete partition when APM Sandbox configuration is present.
607803 : DTLS client (serverssl profile) fails to complete resumed handshake.
Component: Local Traffic Manager
Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.
Conditions:
This occurs when the BIG-IP system acts as a DTLS client.
Impact:
Possible failed resumed handshake.
Workaround:
Disable session reuse.
Fix:
This release fixes a possible failed resumed DTLS handshake.
607724 : TMM may crash when in Fallback state.
Component: Local Traffic Manager
Symptoms:
When HTTP is in Fallback mode, there is a chance that the HTTP filter sends an Abort event to the TCP filter (causing teardown) prematurely, while an Abort triggered by an upper filter or proxy is still in flight.
TMM may crash when this happens.
Conditions:
It is not known exactly what conditions need to exist to trigger this, but it has been known to trigger when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash.
607716 : Licensing causes SELinux denied messages for mcpd★
Component: TMOS
Symptoms:
After you apply a license, you see the following in /var/log/audit/auditd.log: type=AVC msg=audit(1469642592.548:489): avc: denied { relabelto } for pid=6908 comm="mcpd" name="bigip.license.chs600493s" dev=dm-10 ino=25 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file.
Conditions:
This may be seen when licensing or during reactivation of a license.
Impact:
The errors are benign and can be safely ignored.
Workaround:
None needed. This is a cosmetic error.
Fix:
Licensing no longer causes SELinux denied messages for mcpd.
607713 : SIP Parser fails header with multiple sequential separators inside quoted string.
Component: Service Provider
Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.
Conditions:
A SIP header contains multiple sequential attribute separators (',' or ';') inside a quoted string within an attribute.
Impact:
The SIP parser flags the message as an error. Separators inside a quoted string within an attribute should be allowed, but the parser still rejects them, so valid SIP messages fail to parse.
Workaround:
None.
Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.
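The parsing rule behind 607713 is that ',' and ';' only separate header values and parameters when they sit outside a quoted string (and outside the <...> of a name-addr, where a ';' belongs to the URI). The following Python is an added example, not part of these release notes or of the BIG-IP SIP parser: a quote-aware splitter and a small Contact-style parser built on it, compared with a naive split. The sample header value is constructed; the names and hosts in it are made up.

```python
"""Split SIP header values on ',' and ';' without splitting inside quoted strings."""


def split_unquoted(value: str, sep: str) -> list:
    """Split value on sep wherever sep is outside double quotes and outside <...>.

    Handles RFC 3261 quoted-pair escapes (backslash) inside quoted strings and
    tolerates runs of separators: empty items, such as those produced by ';;',
    are dropped instead of being reported as an error.
    """
    items, buf = [], []
    in_quote, depth = False, 0
    i = 0
    while i < len(value):
        c = value[i]
        if in_quote:
            if c == "\\" and i + 1 < len(value):    # quoted-pair: keep both chars
                buf.append(value[i:i + 2])
                i += 2
                continue
            if c == '"':
                in_quote = False
            buf.append(c)
        elif c == '"':
            in_quote = True
            buf.append(c)
        elif c == "<":
            depth += 1
            buf.append(c)
        elif c == ">":
            depth = max(0, depth - 1)
            buf.append(c)
        elif c == sep and depth == 0:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string in SIP header")
    item = "".join(buf).strip()
    if item:
        items.append(item)
    return items


def parse_contact(value: str) -> list:
    """Parse a Contact/Route-style header value into [(address, {param: val}), ...]."""
    entries = []
    for item in split_unquoted(value, ","):
        fields = split_unquoted(item, ";")
        params = {}
        for p in fields[1:]:
            name, _, val = p.partition("=")
            params[name.strip().lower()] = val.strip()
        entries.append((fields[0], params))
    return entries


# Constructed sample: separators inside the quoted display name, a ';' inside
# the URI (which belongs to the URI, not the header), and a doubled ';;'.
SAMPLE = ('"Doe, John;; CTO" <sip:john@example.com;transport=tcp>;expires=3600;;q=0.8, '
          '<sip:jane@example.com>;q=0.5')

if __name__ == "__main__":
    print("naive split:", [v.strip() for v in SAMPLE.split(",")])
    print("quote-aware:", parse_contact(SAMPLE))
```

The naive split yields three fragments for SAMPLE because it breaks on the comma inside the display name; the quote-aware version yields the two contacts with their parameters, and the ';transport=tcp' stays attached to the URI.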
607658 : GUI becomes unresponsive when managing GSLB Pool
Component: Global Traffic Manager (DNS)
Symptoms:
The GUI locks up and becomes unresponsive. Most major web browsers complain about slow JavaScript and prompt you to stop the script.
Conditions:
Managing an A-type GSLB pool when hundreds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.
Impact:
Page takes a significantly long time to load.
Workaround:
Manage pools through tmsh, or wait for it to load.
607524 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
Component: Local Traffic Manager
Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.
Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.
Impact:
Packet memory is leaked.
Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.
Fix:
The original packet memory is now freed when the last DHCP server is down.
607410 : In the iRule output of X509 Certificate's subject & issuer, the display is wrong.
Component: Local Traffic Manager
Symptoms:
When using an iRule to output an X509 certificate's subject and issuer, the display is wrong.
Conditions:
Using the iRule commands "X509::subject" and "X509::issuer" to get the certificate's subject and issuer, and then logging them.
Impact:
The iRule output of the X509 certificate's subject and issuer is wrong.
Workaround:
None.
Fix:
The iRule output of X509::subject and X509::issuer now uses the more readable XN_FLAG_ONELINE flag with X509_NAME_print_ex(), as OpenSSL does.
607360 : Safenet 6.2 library missing after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.
Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.
Impact:
Safenet 6.2 is not functional.
Workaround:
Reinstall Safenet 6.2, or run the following command on all blades of the BIG-IP system after the installation:
ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so
Fix:
A symbolic link to libgem is now added when the pkcs11d daemon starts or restarts.
607314 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
Vulnerability Solution Article: K25075696
607304-6 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Component: Local Traffic Manager
Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Conditions:
This can occur under normal operation, while running the geo_update command.
Impact:
Traffic disrupted while tmm restarts.
607152 : Large Websocket frames corrupted
Component: Local Traffic Manager
Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.
Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.
Impact:
Connection reset because of corrupted frames being received by the end-point.
607001 : ASM policy diff issue for HTTP method HEAD
Component: Application Security Manager
Symptoms:
Policy diff erroneously indicates a difference with the HTTP HEAD method.
Conditions:
This always occurs for the HEAD method.
Impact:
Wrong results in policy diff.
Workaround:
None.
Fix:
Policy diff no longer erroneously indicates a difference with the HTTP HEAD method.
606940 : Clustered Multiprocessing (CMP) peer connection may not be removed
Component: Local Traffic Manager
Symptoms:
- High memory usage due to connflow allocations
- conn_remove_cf_not_found stat is non-zero
Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.
Impact:
Low memory may lead to allocation failures, which may lead to a tmm core.
Fix:
Validation of parsed CMP flow keys is fixed so that unknown CMP connections can be removed.
606875 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
Component: Advanced Firewall Manager
Symptoms:
When an end user accesses a website's first page, there is noticeable latency before the page content arrives.
Conditions:
This occurs when ASM is provisioned with Proactive Bot Defense enabled, when the page is accessed for the first time.
Impact:
Bad user experience when accessing the website's first page.
Workaround:
None.
Fix:
The JavaScript has been optimized to reduce the time to load the website's first page.
606831 : Multidomain SSO slave virtual cannot be reached
Component: Access Policy Manager
Symptoms:
One or more slave virtual servers cannot be reached in a Multidomain SSO use case. This happens because of a bug in the configuration of the SSO Auth Domains in the Access Profile. When a user attempts to access the virtual server, it is not reachable.
The following message appears at Warning level in the TMM logs:
Multidomain SSO enabled for profile: <access-profile>. No matching domain found for request host: <host>.
Conditions:
This happens intermittently only after adding and deleting many auth domains.
Impact:
The virtual server is not reachable.
Workaround:
Restart TMM
Fix:
The auth domain is added correctly when configured and can be found at runtime for proper execution of Multidomain SSO.
606575 : Request-oriented OneConnect load balancing ends when the server returns an error status code.
Component: Local Traffic Manager
Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.
Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.
Impact:
The client remains connected to the server, and no further load-balancing decisions are made.
Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.
To do so, use an iRule similar to the following:
when HTTP_RESPONSE {
    # A successful response needs no intervention.
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }
        unset auth_header
    }
    # Any other status: detach the client side so the next request is load balanced again.
    catch { ONECONNECT::detach enable }
}
Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).
Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.
606573 : FTP traffic does not work through SNAT when configured without Virtual Server★
Component: Local Traffic Manager
Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.
Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.
Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.
Workaround:
None.
Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.
606565 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
Component: Local Traffic Manager
Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous 4 way handshake.
Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4 way handshake (simultaneous open) occurs as described in RFC 793.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The crash can be avoided, while still mitigating TCP 4 way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.
606518 : iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.
Component: Device Management
Symptoms:
A username containing an 'at' (@) character, or an email address, cannot be used when requesting an authentication token via iControl REST while a third-party authentication provider is in use.
Conditions:
Configure the BIG-IP system to use third-party RADIUS or LDAP authentication, and use a username containing an 'at' (@) character or an email address.
Impact:
Cannot authenticate and obtain an authentication token using iControl REST.
Workaround:
Do not use usernames with special characters, such as 'at' (@) or period (.).
Fix:
Updated the logic to allow special characters in the username and password when a third-party authentication system is used on the BIG-IP system.
606509 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
Component: TMOS
Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.
Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).
Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).
Fix:
This release restores the process nice value of the vCMP guest control plane, so the vCMP guest no longer experiences potentially frequent failovers.
606426 : coapi error on the shell, when user clicks on session in the manage sessions page
Component: Access Policy Manager
Symptoms:
An error message similar to the following appears on the console:
err coapi: [error] [client 165.160.15.20] PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /var/sam/www/admin/reports/index.php on line 8, referer:
Conditions:
When you click the GUI's session page, the error appears on the console.
Impact:
There is no functional impact to APM or the BIG-IP system.
Workaround:
None. This is cosmetic.
Fix:
The system now uses the correct timezone, so no error occurs when clicking on the GUI's session page.
606416 : apm client-packaging object missing in existing partitions after provisioning APM
Component: Access Policy Manager
Symptoms:
The apm client-packaging object is missing for partitions that were created before APM was provisioned. This prevents users from customizing the client package.
Conditions:
This happens to all partitions that were created before APM was provisioned.
Impact:
Users cannot customize the client packages.
Workaround:
Create the partition after APM is provisioned.
Fix:
The apm client-packaging object is now created for all partitions at provisioning time.
606330 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
Component: TMOS
Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.
Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.
Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.
Workaround:
Clear the BGP neighbor after changing the configuration.
Fix:
BGP connections for neighbors in a peer group come up correctly when 'no bgp default ipv4-unicast' is configured.
606257 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources
Component: Access Policy Manager
Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.
Conditions:
Use a customized webtop link.
Impact:
The webtop links page does not render correctly.
Fix:
Webtop page resources no longer send FIN flags with Keep-Alive headers.
606110 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
Component: TMOS
Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading to a version later than 12.1.0, the default driver for dataplane interfaces is UNIC instead of socket-based networking.
Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.
Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades.
Workaround:
None.
Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.
606101 : Support launching multiple Horizon View client instances from APM webtop
Component: Access Policy Manager
Symptoms:
If there are two different virtuals with APM webtops and VMware View resources, launching the Horizon View client from one of them automatically closes the existing instance of Horizon View client.
Conditions:
Two different APM virtual servers with VMware View resources assigned to webtop.
Impact:
Cannot have multiple remote desktop sessions opened from different APM virtuals simultaneously.
Workaround:
None.
Fix:
APM webtop now makes use of the "useExisting" flag supported by newer versions of Horizon View client, which allows multiple simultaneous instances to run.
606072 : User deletion does not invalidate tokens issued for that user for up to 15 seconds
Component: TMOS
Symptoms:
The REST framework polls for user changes every 15 seconds. When a user is removed from MCP directly using tmsh or the BIG-IP GUI, that user remains valid to REST for up to 15 seconds. Authentication tokens already issued to that user are not invalidated during that window, so REST API requests made with them continue to succeed until the deletion is synced.
Conditions:
This occurs when a user is deleted while that user is still using iControl REST.
Impact:
After a user is deleted from MCP, tokens issued for that user are not immediately removed from REST.
Workaround:
After deleting a user, wait up to 15 seconds for the change to take effect in the REST API.
Fix:
When a user is removed from REST, all tokens issued for that user are invalidated immediately. If a user is removed from MCP using TMUI or tmsh, that change is synced to REST after at most 15 seconds.
Behavior Change:
Auth token is removed upon user deletion.
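The window described in 606072 is worth verifying rather than assuming: after a user is deleted with tmsh or the GUI, a token that user obtained should start returning 401 within the 15-second sync interval. The following Python is an added example, not part of these release notes or of any F5 tooling: it polls a token against a harmless read endpoint until it is rejected or the deadline passes, and can revoke the token explicitly instead of waiting. The management address is a placeholder from a documentation range; the X-F5-Auth-Token header and the /mgmt/tm/sys/version read are standard iControl REST, while the /mgmt/shared/authz/tokens/<token> DELETE is assumed from iControl REST documentation rather than from this page and should be confirmed on the target version. The clock and sleep functions are injectable so the loop can be exercised without a device.

```python
"""Check that an iControl REST token for a deleted BIG-IP user is rejected,
and revoke it explicitly instead of waiting out the 15-second sync window."""
import time
import urllib.error
import urllib.request

# Assumed management address; replace with the real one. 192.0.2.0/24 is a
# documentation range, so this never reaches a live device by accident.
BIGIP = "https://192.0.2.10"
TOKEN_HEADER = "X-F5-Auth-Token"


def _status(req, opener=None):
    """Send req and return the HTTP status, treating 4xx/5xx as a result, not an error."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe_token(token, base=BIGIP, opener=None):
    """Use the token on a harmless read; 200 means still accepted, 401 means rejected."""
    req = urllib.request.Request(f"{base}/mgmt/tm/sys/version",
                                 headers={TOKEN_HEADER: token})
    return _status(req, opener)


def revoke_token(token, base=BIGIP, opener=None):
    """Delete the token via /mgmt/shared/authz/tokens/<token>.

    Endpoint assumed from iControl REST documentation, not from this page;
    confirm it on the target version. An admin credential can be used in
    place of the token itself to authorize the delete.
    """
    req = urllib.request.Request(f"{base}/mgmt/shared/authz/tokens/{token}",
                                 method="DELETE", headers={TOKEN_HEADER: token})
    return _status(req, opener)


def wait_for_rejection(probe, deadline_s=15.0, interval_s=1.0,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll probe() until it returns 401 or deadline_s elapses.

    Returns (rejected, elapsed_seconds). The 15-second default matches the
    REST framework's user-sync interval described above.
    """
    start = clock()
    while True:
        status = probe()
        elapsed = clock() - start
        if status == 401:
            return True, elapsed
        if elapsed >= deadline_s:
            return False, elapsed
        sleep(interval_s)


if __name__ == "__main__":
    import sys
    # Usage: after 'tmsh delete auth user <name>', run with that user's token.
    token = sys.argv[1]
    rejected, elapsed = wait_for_rejection(lambda: probe_token(token))
    print(f"token rejected: {rejected} after {elapsed:.1f}s")
    if not rejected:
        print("revoking explicitly, status:", revoke_token(token))
```

On a version with the 606072 fix, the probe should flip to 401 no later than the sync interval; on an unfixed version the explicit revoke closes the gap without waiting.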
606066 : LSN_DELETE messages may be lost after HA failover
Component: Carrier-Grade NAT
Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.
Conditions:
CGNAT configured as an HA pair, with session logging enabled.
Impact:
An LSN_DELETE message may be missing from the logs.
Fix:
The LSN_DELETE message is no longer lost after a failover.
605983 : tmrouted may crash when being restarted in debug mode
Component: TMOS
Symptoms:
tmrouted may restart again after being manually restarted with a debug level of 2 or higher.
Conditions:
tmrouted is manually restarted with a debug level of 2 or higher.
Multiple route domains are configured, with independent routing processes enabled on several of them.
Impact:
tmrouted may restart additional times, which delays the return to service after a manual restart.
Any restart of tmrouted already causes loss of dynamic routing sessions.
Workaround:
Do not use a debug level of 2 or higher for tmrouted. Debug levels should be used only under the recommendation of F5 Support.
Fix:
tmrouted no longer crashes when restarted in debug mode.
605894 : Remote authentication for BIG-IP users can fail
Component: TMOS
Symptoms:
While logging in to the BIG-IP command line as a remotely authenticated user, login intermittently fails. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server", even though the LDAP server is up and reachable from the BIG-IP system.
Conditions:
Remote authentication is configured, users are configured to use remote authentication, ssl-check-peer is enabled, and one or more of ssl-ca-cert-file, ssl-client-cert, or ssl-client-key is set to a value other than "none".
Impact:
With ssl-check-peer enabled, the remote authentication service fails to initiate a connection to the LDAP server, even if the ssl-ca-cert-file is valid. It terminates the connection and remote authentication fails.
Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert, and ssl-client-key to "none" works around this issue. Note that with ssl-check-peer disabled the BIG-IP system no longer verifies the LDAP server's certificate, so treat this as a temporary measure.
605865 : Debug TMM produces core on certain ICMP PMTUD packets
Component: Local Traffic Manager
Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.
Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.
Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.
Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.
Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.
605690 : tmsh "ip-whitelist" field DOS application is deprecated
Component: Advanced Firewall Manager
Symptoms:
The tmsh "ip-whitelist" field for DoS application profiles is deprecated, but is still accepted for backward compatibility.
Since 13.x, the following tmsh command is not recommended for adding or modifying whitelist IP addresses for DoS application profiles, because the "ip-whitelist" field is deprecated in 13.x. To configure the whitelist, use a generic global IP address list object.
*NOT recommended usage*
modify security dos profile dos application modify { all { ip-whitelist add { 8.8.8.8 } } }
*Recommended usage*
create security shared-objects address-list dos_auto_http_white_ips_list addresses add { 8.8.8.8 }
modify security dos profile dos http-whitelist dos_auto_http_white_ips_list
Conditions:
ASM or purpose-built DoS is provisioned, and a whitelist IP address needs to be configured on the DoS application profile.
Impact:
When the deprecated command is used to configure a whitelist IP address for the DoS application profile, a warning is displayed, but the address is still added to the profile automatically via a generic global IP list object, which is auto-generated with the name dos_auto_http_white_ips_list.
Workaround:
Use the following commands:
create security shared-objects address-list dos_auto_http_white_ips_list addresses add { 8.8.8.8 }
modify security dos profile dos http-whitelist dos_auto_http_white_ips_list
Fix:
This version still accepts the deprecated "ip-whitelist" field for configuring a whitelist IP address on the DoS application profile: the command works, creates a generic IP address list automatically, and attaches the list to the DoS profile.
Behavior Change:
When the deprecated command is used to configure a whitelist IP address for the DoS application profile, a warning is displayed, but the address is still added to the profile automatically via a generic global IP list object, which is auto-generated with the name dos_auto_http_white_ips_list.
605682 : With forward proxy enabled, sometimes the client connection will not complete.
Component: Local Traffic Manager
Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.
Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.
Impact:
Degraded service due to connections not completing.
Workaround:
None.
Fix:
The stalling caused by a missing forged certificate no longer happens.
605616 : Creating 256 Fundamental Security policies will result in an out of memory error
Component: Application Security Manager
Symptoms:
An ASM out-of-memory error occurs when 256 fundamental security policies are created.
Conditions:
Create 256 fundamental security policies.
Impact:
Out of memory error.
Workaround:
None.
Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.
605525 : Deterministic NAT combined with NAT64 may cause a TMM core
Component: Carrier-Grade NAT
Symptoms:
TMM crashes when a virtual server is configured with nat64 enabled and a deterministic NAT lsn-pool, and traffic passes through it.
Conditions:
An lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.
605438 : Manager role should be allowed to create 'Custom Categories'
Component: Access Policy Manager
Symptoms:
When logged into the platform as a user with the "Manager" role, the user is unable to create custom categories.
Conditions:
This only occurs within the GUI.
Impact:
The GUI cannot be used to create new custom categories when the user has the "Manager" role.
Workaround:
Use TMSH commands instead of the GUI.
Fix:
Now the users operating the GUI as role type "Manager" can create new custom categories.
605427 : TMM may crash when adding and removing virtual servers with security log profiles
Component: Advanced Firewall Manager
Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.
Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.
Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.
Traffic disrupted while tmm restarts.
Fix:
TMM no longer crashes on repeated creation, modification and deletion of many virtual servers with security log profiles attached.
605414 : Mysqld and bcm56xxd seem to run at 100% on vCMP host.
Component: Application Visibility and Reporting
Symptoms:
Mysqld and bcm56xxd seem to run at 100% on vCMP host.
Conditions:
When the hypervisor collects statistical data from itself and all hosted guests, too many system resources are used, leading to constant updates of data to mysql.
Impact:
This results in the hypervisor not functioning properly.
Workaround:
Execute the following command:
bigstart stop monpd
Impact of this workaround: Although no statistical data will be collected, the hypervisor will perform all other functions.
Fix:
The sampling rate of statistical data was reduced, and samples only the required data for vCMP. As a result, collecting statistical data does not cause a serious impact to system performance, so the vCMP guest no longer experiences potential frequent failovers.
605383 : Requests are dropped when custom captcha response page is longer than 1024 bytes
Component: Advanced Firewall Manager
Symptoms:
When a custom Captcha response page bigger than 1024 bytes is configured, requests are dropped instead of receiving the Captcha response.
There is also no indication of an error.
Conditions:
1. During Captcha mitigation in DOSL7
2. Custom Captcha response page
3. Requests are getting dropped instead of getting Captcha response.
Impact:
Site availability decreases.
Workaround:
Change the Captcha response page to be smaller than 1024 bytes.
Fix:
There is no longer a size limitation for the Captcha page.
605270 : On some platforms the SYN-Cookie status report is not accurate
Component: TMOS
Symptoms:
On a vCMP guest, after an ePVA-enabled virtual server enters SYN Cookie mode, the FPGA never leaves SYN Cookie mode even though BIG-IP has returned to normal mode.
Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.
Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.
Workaround:
Upgrade to a version that contains the fix for this issue.
Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.
605260 : [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
Component: Global Traffic Manager (DNS)
Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. It gives 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.
Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.
Impact:
You will be unable to make changes to the listener.
Workaround:
Use TMSH, or use the LTM GUI: Local Traffic :: Virtual Servers.
605125 : Sometimes, password fields are read-only
Component: Fraud Protection Services
Symptoms:
Sometimes, password fields are read-only, so the user is unable to type any password.
Conditions:
WebSafe protection enabled on a site.
Impact:
The user is unable to type any password on the site.
Workaround:
N/A
Fix:
N/A
605039 : lwresd and bind vulnerability CVE-2016-2775
Vulnerability Solution Article: K92991044
605010 : Thrift::TException error
Component: Application Visibility and Reporting
Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".
Conditions:
This occurs when sending scheduled reports.
Impact:
Failure on sending scheduled-report.
Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. This can be achieved with the following command:
mount -o remount -rw /usr
sed -i 's/localhost/127\.0\.0\.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount -r /usr
Fix:
The script now uses the explicit address 127.0.0.1 instead of 'localhost'.
604977 : Wrong alert when DTLS cookie size is 32
Component: Local Traffic Manager
Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, it throws a fatal alert.
Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.
Impact:
DTLS with cookie size 32 is not supported.
604938 : Log IPsec tunnel up/down events
Component: TMOS
Symptoms:
There is no way to detect via logging that the IPsec tunnel state has changed.
Conditions:
When an IPsec tunnel becomes ready (up) or not ready (down).
Impact:
It is difficult to react to changing network conditions without notification.
Fix:
A log entry is made whenever the IPsec tunnel state changes.
tmm IPsec: Tunnel up <source IP address> - <destination IP address>
tmm IPsec: Tunnel down <source IP address> - <destination IP address>
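The two log formats above are what a monitoring pipeline has to key on. The following Python is an added example (not F5 code and not part of this release note) that parses those entries out of sample /var/log/ltm lines, replays them into a per-tunnel state table, counts up/down transitions (flapping) and lists the tunnels currently down. The syslog prefix on the sample lines and the IP addresses are constructed for the example; only the "tmm IPsec: Tunnel up|down <src> - <dst>" message text comes from the release note.

```python
import re

# Message text as documented for the fix (ID 604938); everything before it on the
# line is the usual syslog prefix, which is assumed here and not taken from the page.
TUNNEL_EVENT = re.compile(
    r"tmm IPsec: Tunnel (?P<state>up|down) (?P<src>\S+) - (?P<dst>\S+)"
)

# Constructed sample log lines for the example.
SAMPLE_LOG = """\
Apr 18 13:23:04 bigip1 notice tmm[1234]: tmm IPsec: Tunnel up 192.0.2.1 - 203.0.113.9
Apr 18 13:23:05 bigip1 notice tmm[1234]: tmm IPsec: Tunnel up 192.0.2.1 - 203.0.113.10
Apr 18 13:24:11 bigip1 notice mcpd[5503]: 01071322:4: unrelated line
Apr 18 13:25:30 bigip1 notice tmm[1234]: tmm IPsec: Tunnel down 192.0.2.1 - 203.0.113.9
Apr 18 13:25:42 bigip1 notice tmm[1234]: tmm IPsec: Tunnel up 192.0.2.1 - 203.0.113.9
Apr 18 13:31:07 bigip1 notice tmm[1234]: tmm IPsec: Tunnel down 192.0.2.1 - 203.0.113.10
""".splitlines()


def parse_tunnel_events(lines):
    """Return (src, dst, state) for every tunnel up/down line, in log order."""
    events = []
    for line in lines:
        m = TUNNEL_EVENT.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), m.group("state")))
    return events


def tunnel_status(lines):
    """Replay the events and return (current_state, transitions).

    current_state maps (src, dst) -> "up" | "down" after the last event seen;
    transitions counts up<->down changes per tunnel, i.e. how often it flapped.
    """
    state, transitions = {}, {}
    for src, dst, new_state in parse_tunnel_events(lines):
        key = (src, dst)
        if key in state and state[key] != new_state:
            transitions[key] = transitions.get(key, 0) + 1
        state[key] = new_state
    return state, transitions


def tunnels_down(lines):
    """Tunnels whose most recent event was 'down': the ones worth alerting on."""
    state, _ = tunnel_status(lines)
    return sorted(key for key, s in state.items() if s == "down")


if __name__ == "__main__":
    state, transitions = tunnel_status(SAMPLE_LOG)
    for (src, dst), s in sorted(state.items()):
        print(f"{src} -> {dst}: {s} (transitions: {transitions.get((src, dst), 0)})")
    print("down:", tunnels_down(SAMPLE_LOG))
```

Because the table is keyed on the (source, destination) pair, a tunnel that goes down and comes back is reported as "up" with a transition count, which is the signal to watch for an unstable peer rather than a single outage.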
604926 : The TMM may become unresponsive when using SessionDB data larger than ~400K
Component: Local Traffic Manager
Symptoms:
There is a hard limit on message sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are refused at a lower layer but buffered for resending at a higher layer. The messages are never sent, which causes backplane communication to lock up.
Conditions:
The BIG-IP must be a chassis with more than one blade, and client traffic must trigger the creation of SessionDB data larger than ~400K.
Impact:
The TMM will become unresponsive to client traffic. If left running under load, the TMM may run out of memory from buffering SessionDB data and crash.
Workaround:
The workaround is to avoid sending large SessionDB data. The TMM may be restarted in the event it does get stuck.
Fix:
There is no longer a hard limit for sending SessionDB data on the backplane.
604923 : REST id for Signatures change after update
Component: Application Security Manager
Symptoms:
The REST id of existing signatures is unexpectedly modified after updating a User Defined Signature, or after downloading an Attack Signature Update that modifies existing signatures.
Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.
Impact:
The REST id of the modified signatures is changed which may confuse REST clients.
Workaround:
Execution of the following script will repair an affected device:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'
Fix:
Updated Signatures now retain the correct REST id.
604893 : ComplexType child elements in XML schema cannot have different values set in "fixed" attribute
Component: Application Security Manager
Symptoms:
Within the XML schema definition, multiple child elements under a ComplexType cannot have different values set in "fixed" attribute.
Conditions:
Multiple child elements under a ComplexType in an XML schema are defined with different values set in "fixed" attribute.
Impact:
Subsequent elements are validated incorrectly with the initial element's definition.
Workaround:
Remove "fixed" attribute for subsequent elements in schema definition.
Fix:
Multiple child elements under a ComplexType may use different values set in "fixed" attribute.
604885 : Redirect/Route action doesn't work if there is an alert logging iRule
Component: Fraud Protection Services
Symptoms:
When "Trigger iRule Events" is enabled in FPS profile and there are configured FPS rules with Route/Redirect actions, the actions will not be performed.
Conditions:
"Trigger iRule Events" is enabled in FPS profile and the virtual server has at least one iRule with ANTIFRAUD_ALERT or ANTIFRAUD_LOGIN events.
Impact:
Configured FPS rules with Route/Redirect actions will not be performed.
Workaround:
Disable "Trigger iRule Events" in the FPS profile.
Fix:
"Trigger iRule Events" no longer breaks FPS rules with configured Route/Redirect actions.
604880 : tmm assert "valid pcb" in tcp.c
Component: Local Traffic Manager
Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
604838 : TCP Analytics incorrectly reports entities as "Aggregated"
Component: Local Traffic Manager
Symptoms:
Although the user has configured TCP Analytics to store statistics for a certain entity, it reports data for that entity in a single "Aggregated" row.
Conditions:
ALL of these conditions must be true:
The TCP Analytics profile is attached to a virtual with both clientside or serverside collection turned off in the profile.
TCP profile has mptcp, rate-pace, tail-loss-probe, fast-open, AND enhanced-loss-recovery all disabled. Also, Nagle, send-buffer, receive-window, proxy-buffer are not in AUTO mode. Finally, rexmt-thresh is 3 and the congestion control algorithm is not delay-based (NewReno, HighSpeed, Cubic). Regrettably, this matches the default TCP profile.
An iRule enables TCP-Analytics when disabled by default in the tcp-analytics profile.
Impact:
Defect eliminates nearly all data granularity for TCP Analytics.
Workaround:
Change the TCP profile on the virtual to violate any of the conditions listed above. The easiest is probably to enable rate pace or mptcp. For all affected versions, this will result in a noticeable CPU performance penalty.
Fix:
Load entity information for both TCP stacks.
604768 : ACCESS::session iRules did not work with IP-based sessions
Component: Access Policy Manager
Symptoms:
IP-based sessions rely on an internal IP-to-session mapping table. The ACCESS::session iRule commands were not using this table, so in IP-based session scenarios they never found the session.
A simple iRule like the following should generate a lot of logs. In an IP-based session scenario it would never log.
when HTTP_REQUEST {
    if { [ACCESS::session exists] } {
        log local0. "Found Access Session"
    }
}
Conditions:
SWG configuration with IP-based sessions, with an iRule attached to the virtual server that includes ACCESS::session commands. The commands do not work as expected.
Impact:
ACCESS::session commands are essentially unavailable to IP-based sessions.
Fix:
All ACCESS::session commands were updated to read the IP to session mapping table when an access profile with IP-based sessions is attached to the virtual.
ACCESS::session create has been updated, and it respects the 1-1 correspondence between IP addresses and sessions. If this IP address already has an associated session, APM returns that session. Otherwise we create a new session, and add it to the table.
604767 : Importing SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.
Component: Access Policy Manager
Symptoms:
When importing a SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.
Conditions:
BIG-IP is used as a SAML SP.
Impact:
The described behavior results in a misconfiguration. SAML WebSSO subsequently fails.
Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.
604612 : Modified ASM cookie violation happens after upgrade to 12.1.x★
Component: Application Security Manager
Symptoms:
False positive modified ASM cookie violation. Perhaps other false positive cookie related violations.
Conditions:
System upgraded to 12.1.x. Existing end users are connected with their browsers to the site.
Impact:
False positive violations. A blocking page will be shown in case the modified ASM cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).
Workaround:
There are three options:
A. Set the modified ASM cookie violation to transparent for some time after the upgrade.
B. Use the erase cookie blocking page as the default blocking page for some time after the upgrade.
C. Use an iRule similar to the following:
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }
}
Fix:
Modified ASM cookie violation no longer happens after upgrade to this version.
604496 : SQL (Oracle) monitor daemon might hang.
Component: Local Traffic Manager
Symptoms:
The SQL (Oracle) monitor daemon might hang under a high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that hung connections are being aborted and that the address is in use, unable to connect.
Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.
Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.
Workaround:
You can mitigate this issue in the following ways:
-- Reduce the number of monitored pool members.
-- Reduce the monitoring frequency (increase the monitor interval).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.
Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.
604469 : Successive remote log operations trigger iRule Tcl error
Component: TMOS
Symptoms:
iRule terminates unexpectedly with error:
01220001:3: TCL error: ... Traffic rejected
Conditions:
iRule must perform multiple log operations, where log destination is a remote host. Example:
log 192.0.2.1 "This will be sent to remote syslog"
log 192.0.2.1 "This will trigger Tcl error"
Impact:
iRule may not operate as expected.
Workaround:
Use High Speed Logging (HSL) as an alternative.
604371 : Pagination controls missing for GSLB pool members
Component: Global Traffic Manager (DNS)
Symptoms:
The pagination controls for GSLB pool members do not appear when there are more items in the list than can be displayed (Records Per Screen).
Conditions:
Customer is running 12.1.0 or 12.1.1.
Impact:
Unable to view the status of, or modify, GSLB pool members beyond those displayed on the screen.
Workaround:
Increase the number of Records Per Screen (System / Preferences / Records Per Screen) to a number larger than the number of items in your pool.
604237 : Vlan allowed mismatch found error in VCMP guest
Component: TMOS
Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "
Conditions:
When the vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN name in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."
Impact:
Unable to use the VLAN.
Workaround:
Rename the VLANs so that no VLAN name is a suffix of any other VLAN name.
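A pre-deployment check for this condition is easy to automate. The Python below is an added example (not F5 code) that does two things: it parses the 01071322 message into its hypervisor and guest VLAN names and tags, and it scans a list of VLAN names (partition prefixes such as /Common/ stripped) for pairs where one name is a suffix of another, which is exactly the pattern the workaround tells you to rename away. The VLAN names other than xyz and abc_xyz are constructed for the example.

```python
import re

# Shape of the mcpd log message quoted in ID 604237.
MISMATCH_RE = re.compile(
    r"Vlan allowed mismatch found: hypervisor \((?P<hv>[^:]+):(?P<hv_tag>\d+)\), "
    r"guest \((?P<guest>[^:]+):(?P<guest_tag>\d+)\)"
)


def parse_mismatch(line):
    """Return (hypervisor_vlan, hypervisor_tag, guest_vlan, guest_tag) from a
    01071322 log line, or None if the line is not one."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return (m.group("hv"), int(m.group("hv_tag")),
            m.group("guest"), int(m.group("guest_tag")))


def strip_partition(name):
    """'/Common/xyz' -> 'xyz'; names without a partition prefix are returned as-is."""
    return name.rsplit("/", 1)[-1]


def find_suffix_collisions(vlan_names):
    """Sorted (shorter, longer) pairs where the shorter VLAN name is a proper suffix
    of the longer one, e.g. ('xyz', 'abc_xyz'). An empty list means the guest's
    vlan-allowed list is safe with respect to this defect."""
    names = sorted({strip_partition(n) for n in vlan_names})
    return sorted((short, long) for short in names for long in names
                  if short != long and long.endswith(short))


# Constructed sample: the two names from the release note plus two harmless ones.
SAMPLE_VLANS = ["/Common/xyz", "/Common/abc_xyz", "/Common/external", "/Common/internal"]

if __name__ == "__main__":
    for short, long in find_suffix_collisions(SAMPLE_VLANS):
        print(f"rename one of: {short!r} is a suffix of {long!r}")
```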
604133 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state
Component: Local Traffic Manager
Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.
Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.
Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.
Fix:
Ramcache clears the HTTP cookie cache in its responses.
604061 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
Component: TMOS
Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:
lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync
Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane
Impact:
Trunks created by LACP do not pass traffic.
Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"
Alternatively, modify /etc/bigstart/scripts/tmm.finish to restart lacpd when tmm goes down.
Replace this line:
for d in admd asm avrd dosl7d; do
with these lines:
for d in lacpd admd asm avrd dosl7d; do
    if [ `$BIGSTART singlestatus $d` = "run" ]; then
        $BIGSTART restart $d &
    fi
done
603997-1 : Plugin should not inject nonce to CSP header with unsafe-inline
Component: Fraud Protection Services
Symptoms:
When CSP header values are injected to enable the FPS Plugin to work, unnecessary injections may break the user's 'allow inline script' policy, since the more restrictive directive is always applied.
Conditions:
Server response contains either header from the "Content-Security-Policy" header family.
Impact:
The user's inline scripts refuse to run because the FPS Plugin injects a nonce. This breaks the user's application.
Workaround:
A fix has been deployed which makes 'unsafe-inline' and 'nonce' directives mutually exclusive. If user's CSP header allows inline scripts, we do not inject nonce.
Fix:
CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.
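The rule the fix describes (nonce and 'unsafe-inline' are mutually exclusive) follows from how browsers evaluate a CSP source list: once a nonce or hash source is present, CSP Level 2 and later browsers ignore 'unsafe-inline', so injecting a nonce into a policy that relies on 'unsafe-inline' silently blocks the site's own inline scripts. The Python below is an added example (not FPS code and not from the release note) that implements that decision for a header value: it finds the directive that governs scripts (script-src, falling back to default-src), leaves the policy untouched when it already allows inline scripts, and otherwise appends a nonce source. The nonce value is a constructed placeholder.

```python
def parse_csp(value):
    """Parse a CSP header value into (ordered directive names, {name: [sources]}).

    Directives repeated later in the value are ignored, as browsers do.
    """
    order, directives = [], {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
            order.append(name)
    return order, directives


def serialize_csp(order, directives):
    return "; ".join(" ".join([name] + directives[name]) for name in order)


def script_governing_directive(directives):
    """script-src governs inline scripts; browsers fall back to default-src when it
    is absent; with neither present, CSP does not restrict scripts at all."""
    for name in ("script-src", "default-src"):
        if name in directives:
            return name
    return None


def inject_script_nonce(value, nonce):
    """Return (new_value, changed).

    The nonce is added only when the policy does not already permit inline scripts
    via 'unsafe-inline'. Mixing the two would make browsers drop 'unsafe-inline',
    which is the breakage ID 603997-1 describes.
    """
    order, directives = parse_csp(value)
    target = script_governing_directive(directives)
    if target is None:
        return value, False            # no script restriction: nothing to relax
    sources = directives[target]
    if any(s.lower() == "'unsafe-inline'" for s in sources):
        return value, False            # site allows inline scripts; leave it alone
    if target == "default-src":
        # Create an explicit script-src so the nonce does not leak into every
        # fetch directive that default-src covers.
        directives["script-src"] = list(sources)
        order.append("script-src")
        sources = directives["script-src"]
    nonce_source = f"'nonce-{nonce}'"    # nonce is a constructed placeholder
    if nonce_source not in sources:
        sources.append(nonce_source)
    return serialize_csp(order, directives), True


if __name__ == "__main__":
    for policy in ("default-src 'self'; script-src 'self' 'unsafe-inline'",
                   "default-src 'self'; script-src 'self'",
                   "default-src 'self'"):
        print(inject_script_nonce(policy, "c29tZXJhbmRvbQ"))
```

The same check applies to Content-Security-Policy-Report-Only, whose value has the same grammar; the function only looks at the value, so it can be run on either header.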
603979 : Data transfer from the BIG-IP system self IP might be slow
Component: Local Traffic Manager
Symptoms:
When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid; however, some routers drop such packets. This might result in retransmissions and low throughput.
Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.
Impact:
Data transfer from the BIG-IP system's self IP might be slow.
Workaround:
Run the following command: ethtool -K tmm tso off
Note: This has a different effect from setting the db key tm.tcpsegmentationoffload to "disable" (which does not work around the issue).
Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available at https://support.f5.com/csp/#/article/K14397. For example:
alert tmmready "Tmm ready" {
    exec command="/sbin/ethtool -K tmm tso off"
}
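When diagnosing this issue from a packet capture it helps to see exactly which bits are involved: DF and MF live in the 3-bit flags field that shares a 16-bit word with the fragment offset in the IPv4 header. The Python below is an added example (not F5 code) that decodes that word from a raw header, reports whether both bits are set, and lists the packets a DF+MF-dropping router would discard. The header builder exists only to construct sample input for the example; the addresses and sizes are constructed too. Headers read from a capture (the first 20 bytes of each IPv4 packet) can be fed to the same functions.

```python
import socket
import struct

IP_DF = 0x4000             # Don't Fragment: bit 1 of the 3-bit flags field
IP_MF = 0x2000             # More Fragments: bit 2 of the flags field
FRAG_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes


def ipv4_checksum(header):
    """RFC 1071 ones'-complement checksum over the header bytes.

    Returns 0 for a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, df, mf, frag_offset_bytes, payload_len, ident=0x1234):
    """Construct a minimal 20-byte IPv4 header (TTL 64, protocol TCP) as sample input."""
    flags_frag = ((IP_DF if df else 0) | (IP_MF if mf else 0)
                  | ((frag_offset_bytes // 8) & FRAG_OFFSET_MASK))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    # Fill in the checksum field (bytes 10-11) now that the rest is known.
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv4_flags(header):
    """Return (df, mf, fragment_offset_in_bytes) decoded from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack("!H", header[6:8])
    return (bool(flags_frag & IP_DF), bool(flags_frag & IP_MF),
            (flags_frag & FRAG_OFFSET_MASK) * 8)


def has_df_and_mf(header):
    df, mf, _ = ipv4_flags(header)
    return df and mf


def df_mf_packets(headers):
    """(src, dst) of every header carrying both DF and MF: the packets that the
    routers described in ID 603979 drop."""
    return [(socket.inet_ntoa(h[12:16]), socket.inet_ntoa(h[16:20]))
            for h in headers if has_df_and_mf(h)]


# Constructed sample: first fragment with DF+MF, last fragment with DF only,
# and a plain MF fragment from another host.
SAMPLE_HEADERS = [
    build_ipv4_header("192.0.2.10", "198.51.100.7", df=True, mf=True,
                      frag_offset_bytes=0, payload_len=1480),
    build_ipv4_header("192.0.2.10", "198.51.100.7", df=True, mf=False,
                      frag_offset_bytes=1480, payload_len=500),
    build_ipv4_header("192.0.2.11", "198.51.100.7", df=False, mf=True,
                      frag_offset_bytes=0, payload_len=1480),
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(ipv4_flags(h), "DF+MF" if has_df_and_mf(h) else "")
    print("would be dropped by a strict router:", df_mf_packets(SAMPLE_HEADERS))
```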
603945 : BD config update should be considered as config addition in case of update failure
Component: Application Security Manager
Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.
Conditions:
The condition that leads to this scenario is not clear and is still under investigation.
Impact:
The update fails and the entity is not added.
Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.
This fixes the issue in the cases in which it is a single entity.
Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.
603825 : Crash when a Gy update message is received by a debug TMM
Component: Policy Enforcement Manager
Symptoms:
Debug TMM will crash when a Gy update message is received.
Conditions:
- Need a Debug TMM running
- Gy update message must be received by the BIG-IP
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use non-debug TMM.
Fix:
Added checks to detect Gy update messages and handle them accordingly in the debug TMM, preventing the crash.
603772 : Floating tunnels with names more than 15 characters may cause issues during config-sync.
Component: TMOS
Symptoms:
Floating tunnels with names more than 15 characters may cause issues in config-sync, because such a long name is truncated when creating a corresponding Linux tunnel interface.
Conditions:
The BIG-IP system consists of both floating and non-floating tunnels and their names are longer than 15 characters.
Impact:
When the config-sync happens, the following error may occur:
Caught configuration exception (0), Cannot create tunnel 'g123456789abc~1' in rd0 - ioctl failed: File exists.
Workaround:
Some workarounds are available:
- Make sure that tunnel names are less than 16 characters; or
- Make sure that the names of floating and non-floating tunnels do not share a common prefix in the first 15 characters; or
- Make sure that the BIG-IP system does not have a mixture of floating and non-floating tunnels.
603723 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
None.
Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.
603690 : CPU Saver option not working while the "latency" compression provider selection algorithm is in use.
Component: Local Traffic Manager
Symptoms:
CPU Saver option not working while the "latency" compression provider selection algorithm is in use.
Conditions:
APM Edge Client over a VPN tunnel. The issue tends to occur when CPU Saver is configured on the Edge Client on devices where hardware compression cannot perform the specific type of compression/decompression being requested.
Impact:
Edge Client shows the VPN tunnel as "Connected" but no traffic flows. This is an intermittent issue.
Workaround:
#1 Enable CPU Saver in the secure connectivity profile:
GUI: Access Policy :: Secure Connectivity :: profile_name :: Compression Settings :: Network Access :: CPU Saver [checkbox].
SHELL: tmsh modify apm profile connectivity dummy compress-cpu-saver true
#2 Configure the compression strategy to "SPEED" (from LATENCY):
SHELL: tmsh modify sys db compression.strategy value "speed"
Fix:
Fixed an issue with the CPU Saver option not working while the "latency" compression provider selection algorithm was in use. This mitigates a bottleneck when Software Compression is in use, correcting a problem with the tunnel stalling.
603679 : Edge client does not log configuration parameters received from server
Component: Access Policy Manager
Symptoms:
Edge client does not log network access configuration parameters received from server. This makes troubleshooting of client issues difficult.
Conditions:
Edge client is used to establish VPN connection.
Impact:
Makes troubleshooting difficult.
Workaround:
None.
Fix:
Edge client now logs configuration parameters received from APM.
603667 : TMM may leak or corrupt memory when configuration changes occur with plugins in use
Component: Local Traffic Manager
Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.
Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.
Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.
Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).
Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.
603605 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
Component: iApp Technology
Symptoms:
After installation on the active device, the application rpm is replicated to the standby. If the standby does not have DHD installed, the installation page is never shown.
Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.
Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.
Workaround:
None.
Fix:
Can now install DoS Hybrid Defender on standby device in HA pair if it's already installed on active.
603598 : big3d memory under extreme load conditions
Component: Global Traffic Manager
Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.
This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.
Conditions:
big3d maintains a queue for monitor requests. Incoming monitor requests are first placed in the Pending queue, and are moved from the Pending queue to the Active queue when there is room in the Active queue. When the Pending queue is full, there is no room for the monitor request; big3d attempts to clean up the monitor request, but fails to completely free its memory. This can result in a significant memory leak.
For this to happen, the Active queue must be full as well as the Pending queue. One possible cause is multiple monitors timing out: this gives the monitors long lifetimes, which keeps the Active queue full, so the Pending queue can become full and the memory leak can occur.
In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue. Since the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest itself there. In later versions, the leak is still possible, but is less likely to occur.
Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.
Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chance that the Pending queue becomes full.
There is no mechanism to resize the queues.
Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.
603550 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
Component: Local Traffic Manager
Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.
As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.
-- Virtual stats 'Current SYN Cache' does not decrease.
Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, has both the FastL4 profile and a layer 7 (HTTP) profile) and a SYN flood is sent to the virtual server.
Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.
Workaround:
None.
Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.
603479 : "ASM starting" while it's already running, causing the restart of all ASM daemons
Component: Application Security Manager
Symptoms:
ASM daemons suddenly restart, with the message "ASM Starting" in '/var/log/asm', while ASM is already running and without ASM stopping first.
Conditions:
Unknown
Impact:
ASM daemons restart
Workaround:
N/A
Fix:
The ASM start script is now prevented from executing if ASM is already running, which removes the possibility of a spurious "ASM Starting" restart.
603397 : tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config
Component: Service Provider
Symptoms:
tmm will core if the transport config specified in a MR::message route iRule command does not exist.
Conditions:
The transport config specified in a MR::message route iRule command does not exist.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the correct name for the transport-config object.
Fix:
Fixed a tmm core.
603293 : Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs
Component: Access Policy Manager
Symptoms:
L4 Dynamic ACL is not applied to incoming traffic when assigned in combination with L7 ACL.
Conditions:
APM supports a combination of L7 ACL and L4 ACL to be assigned to one session. When L7 ACLs are assigned with higher priority than L4 ACLs, the processing of L4 ACLs is automatically deferred until L7 information is available. The issue here is that when none of L7 ACLs with higher priority match with the traffic, L4 ACL is incorrectly marked to be applied only to HTTP traffic. Therefore if the incoming traffic is not HTTP, for example, HTTPS, then this particular dynamic L4 ACL is bypassed.
Impact:
L4 Dynamic ACL is not applied correctly.
Workaround:
Reorder the L4 ACLs with higher priority than the L7 ACLs, if possible, or, to prevent the issue from occurring, avoid assigning L7 ACLs if they are not needed.
Fix:
When L7 ACL is assigned in combination to L4 Dynamic ACL, L4 Dynamic ACL is correctly applied to all kinds of traffic, not only HTTP traffic.
603236 : 1k/4k creation issue at Safenet 6.2 + 6.10.9 fw
Component: Local Traffic Manager
Symptoms:
Creating 1024- and 4096-bit keys fails when the Safenet client version installed on the BIG-IP is 6.2 and the Safenet appliance firmware is 6.10.9.
Conditions:
Safenet appliance: 6.2
Safenet firmware: 6.10.9
Safenet client: 6.2
Impact:
Can't create 1k/4k RSA key.
Fix:
Removed the config line RSAKeyGenMechRemap = 1, which conflicts with the 6.10.9 firmware.
603234 : Performance Improvements
Component: Fraud Protection Services
Symptoms:
Certain detection algorithms can slow down the client application.
Conditions:
FPS enabled, full AJAX encryption enabled
Impact:
Client side AJAX detection can be slow.
Fix:
The performance of some detection algorithms has been improved.
603149 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
Component: TMOS
Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.
Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.
Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.
Workaround:
Before the fix, decrease lifetime-kilobytes until the SA lifetime is stable.
Fix:
The fix makes every value up to 4294967295 kilobytes (2^32-1) work correctly, without being treated as a smaller value. If ike-phase2-lifetime-kilobytes becomes a 64-bit value in the future, this will also work, producing a 64-bit kilobyte value in the ISAKMP negotiation.
603087 : Cannot access Security tab (needed for assigning ASM/FPS profiles) when viewing the Resources tab.
Component: TMOS
Symptoms:
Cannot access Security tab (needed for assigning ASM/FPS profiles) when viewing the Resources tab.
Conditions:
On the Virtual Server/Resources page.
Impact:
Usability impaired. User cannot assign ASM/FPS profiles from the Resources tab.
Workaround:
Go to Properties to access the Security tab.
Fix:
Security tab is now available under Virtual Server/Resources page if security-related ASM/FPS modules are provisioned.
603082 : Ephemeral pool members are getting deleted/created over and over again.
Component: Local Traffic Manager
Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.
Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.
Impact:
Traffic disrupted while mcpd restarts.
603081 : EdgeClient now supports hosts whitelisting in locked mode
Component: Access Policy Manager
Symptoms:
Edge Client's locked mode blocks access to all network locations until the user establishes a VPN connection to a trusted APM. However, this does not work when APM is configured to use delegated authentication, because access to the external identity provider (IdP) is blocked.
Conditions:
EdgeClient in locked mode on a Windows machine.
Impact:
No way to whitelist certain hosts when locked client mode is used.
Workaround:
None.
Fix:
The system now supports pre-configured hosts to which traffic is never blocked before the VPN is established, so you can whitelist known identity providers (IdPs) and other sites that are deemed harmless, which improves the usability of locked client mode. After the VPN is established, the client behaves according to the Network Access resource configuration.
603071 : XHTML validation fails on obfuscated JavaScript
Component: Application Security Manager
Symptoms:
The obfuscated JavaScript injected by ASM for CSRF protection and other features causes web pages to fail w3c validation.
Conditions:
CSRF or Web Scraping protection enabled in the ASM policy.
Impact:
There is no end-user impact, but checking the page with the W3C online validator returns errors.
Workaround:
N/A
Fix:
Wrapped the injected script in a CDATA section, so the validator no longer reports errors.
603032 : clientssl profiles with sni-default enabled may leak X509 objects
Component: Local Traffic Manager
Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.
Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.
Impact:
The amount of leakage depends on the number of virtuals with sni-default-enabled clientssl profiles and on the frequency of configuration manipulations. For large configurations, the leakage can become very noticeable over time.
Workaround:
No workaround short of not using sni-default.
Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.
603029 : Secure alerts and phishing alerts are shown URL-encoded
Component: Fraud Protection Services
Symptoms:
Some alerts show in the dashboard in URL encoded form.
Conditions:
Secure alerts and phishing alerts contain special characters.
Impact:
Alerts are shown in the alert dashboard in URL encoded form.
Workaround:
None.
Fix:
Alerts are no longer sent double-URL encoded.
603019 : Inserted SIP VIA branch parameter not unique between INVITE and ACK
Component: Service Provider
Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.
Conditions:
If the CSeq number of two SIP messages (such as an INVITE and its ACK) is the same, the inserted Via header contains the same branch parameter.
Impact:
SIP proxy servers which perform strict message validations may reject the call.
Fix:
A hash of the branch parameter of the received top-most Via header is now included in the branch parameter of the inserted Via header. Thus, if the received top-most Via conforms to the spec and carries a different branch parameter for the INVITE and the ACK, the inserted Via will also have a different branch parameter.
602887 : User-friendly message regarding SSL connection errors via Portal Access.
Component: Access Policy Manager
Symptoms:
If a virtual server with Portal Access is not configured to support SSL connections to back-end servers, clients see unexplained connection errors when trying to use HTTPS URLs.
Conditions:
Virtual server with Portal Access but without SSL support for back-end servers.
Impact:
The client cannot connect to an HTTPS back-end via this virtual server, but there is no error message describing the real reason.
Fix:
The client now receives a readable error page explaining why HTTPS back-ends cannot be used with such a virtual server.
The 'Use HTTP Status 503 for Error Pages' option is expected to be enabled in the Access Profile so that the browser can recognize this error condition.
602854 : Missing ASM control option from LTM policy rule screen in the Configuration utility
Component: TMOS
Symptoms:
In the Configuration utility, when creating or editing a LTM policy, the ASM control option may be missing from the rule screen.
Conditions:
Whether the ASM control option is present or missing depends purely on the license installed on the system.
The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:
# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license
If any output is returned, then you are affected by this issue.
Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.
Workaround:
Use the TMSH utility to enable ASM in LTM policies.
Fix:
ASM can now be enabled in LTM policies using the Configuration utility regardless of the license installed on the system.
602691 : Regular expression in XML schema pattern validation fails (libxml bug)
Component: Application Security Manager
Symptoms:
Regular expression in XML schema pattern validation fails (libxml bug). Violation "XML data does not comply with schema or WSDL document" triggered for SOAP request.
Conditions:
ASM processes an XML schema regular expression such as the following: "[a-z][a-z\-]{0,10}[a-z]".
Impact:
XML/WSDL schema validation fails for a regular expression that uses a bounded range of occurrences.
Workaround:
Change to an alternative regular expression.
Fix:
Upgraded libxml2 to libxml2-2.7.6-21.el6_8.1 to support XML regular expressions such as the following: "[a-z][a-z\-]{0,10}[a-z]".
602654 : TMM crash when using AVR lookups
Component: Application Visibility and Reporting
Symptoms:
When a module tries to find or insert data in the AVR lookups, a TMM/AVR core can occur.
The crash occurs when two processes try to touch the same cell in the lookup simultaneously.
Conditions:
AVR lookups are used by any module.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Removed an incorrect assert from the lookups code.
602653 : TMM may crash after updating bot-signatures
Component: Advanced Firewall Manager
Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.
Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Try adding or removing some signatures; this should avoid the crash.
Fix:
Fixed a memory corruption when updating bot signatures.
602642 : tmm assert "cipher_init_dual failed"
Component: TMOS
Symptoms:
With the tmm under memory pressure, setup of a new IPsec tunnel resulted in an assert "cipher_init_dual failed" when memory was not available.
Conditions:
The tmm under memory pressure and a new IPsec tunnel being created.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Monitor memory usage.
Fix:
IPsec will gracefully handle the out of memory condition instead of asserting.
602568 : Updated Default Ciphersuite Group
Component: Local Traffic Manager
Symptoms:
Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection. When "DEFAULT" group is used, the following changes have been made.
Original Default Ciphersuite Group
RSA+DH
RSA
RSA+ECDH
Original Default + ECDHE_ECDSA
RSA+DH
RSA
RSA+ECDH
ECDSA+ECDH
Update to:
"DEFAULT" will contain ciphersuites in the following categories in this order in the BIG-IP system's view:
RSA+ECDH
RSA
ECDSA+ECDH
RSA+DH
In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").
Conditions:
This is the new default in this release.
Impact:
Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection when "DEFAULT" group is used.
Workaround:
None. This is cosmetic.
Fix:
"DEFAULT" contains ciphersuites in the following categories in this order in the BIG-IP system's view:
RSA+ECDH
RSA
ECDSA+ECDH
RSA+DH
In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").
Behavior Change:
Changes were made to DEFAULT in LTM SSL profiles in order to improve SSL ciphersuite group selection. When "DEFAULT" group is used, the following changes have been made.
Original Default Ciphersuite Group
RSA+DH
RSA
RSA+ECDH
Original Default + ECDHE_ECDSA
RSA+DH
RSA
RSA+ECDH
ECDSA+ECDH
Update to:
"DEFAULT" will contain ciphersuites in the following categories in this order in the BIG-IP system's view:
RSA+ECDH
RSA
ECDSA+ECDH
RSA+DH
In addition, each category will be sorted by speed with AES-128-equivalent as the minimum strength (commonly referred to as "128-bit security strength").
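An added example (not F5's code) of the category ordering and 128-bit minimum described above for the updated DEFAULT group, applied to a constructed list of OpenSSL-style suite names; the name-to-category mapping, the strength table and the speed ranking are this example's own assumptions.

```python
"""Added example, not F5 code: arrange OpenSSL-style ciphersuite names the
way the page describes the updated "DEFAULT" group. The mapping of suite
names to the page's four categories, the strength table and the relative
speed ranking are this example's own assumptions."""
import re

# Category order the page states for the updated DEFAULT group.
CATEGORY_ORDER = ("RSA+ECDH", "RSA", "ECDSA+ECDH", "RSA+DH")

# Assumed reading of the categories as authentication + key exchange,
# keyed by the OpenSSL-style name prefix. Names without a prefix use
# static RSA key exchange and fall into the "RSA" category.
PREFIX_TO_CATEGORY = (
    ("ECDHE-RSA-", "RSA+ECDH"),
    ("ECDHE-ECDSA-", "ECDSA+ECDH"),
    ("DHE-RSA-", "RSA+DH"),
)

# Assumed symmetric strength in bits; anything under 128 is excluded.
STRENGTH_BITS = {
    "AES128-GCM": 128, "AES256-GCM": 256, "AES128": 128, "AES256": 256,
    "DES-CBC3": 112, "RC4": 64, "DES-CBC": 56,
}
# Assumed relative speed ranking within a category (lower sorts first):
# AEAD suites before CBC suites, 128-bit keys before 256-bit keys.
SPEED_RANK = {"AES128-GCM": 0, "AES256-GCM": 1, "AES128": 2, "AES256": 3}

BULK_RE = re.compile(r"^(AES(?:128|256)(?:-GCM)?|DES-CBC3|DES-CBC|RC4)-")


def categorize(name):
    """Return (category, remainder) for one ciphersuite name."""
    for prefix, category in PREFIX_TO_CATEGORY:
        if name.startswith(prefix):
            return category, name[len(prefix):]
    return "RSA", name


def bulk_cipher(remainder):
    """Return the bulk cipher token (e.g. 'AES128-GCM') or None if unknown."""
    match = BULK_RE.match(remainder)
    return match.group(1) if match else None


def build_default_group(names):
    """Order the given suites as the page describes: the four categories in
    CATEGORY_ORDER, each sorted by speed, with suites below 128-bit dropped.
    Suites with an unknown bulk cipher are dropped too (strength unknown)."""
    buckets = {category: [] for category in CATEGORY_ORDER}
    for name in names:
        category, remainder = categorize(name)
        bulk = bulk_cipher(remainder)
        if bulk is None or STRENGTH_BITS[bulk] < 128:
            continue
        buckets[category].append((SPEED_RANK[bulk], name))
    ordered = []
    for category in CATEGORY_ORDER:
        ordered.extend(name for _, name in sorted(buckets[category]))
    return ordered


# Constructed sample input, deliberately mixing categories and strengths.
SAMPLE_SUITES = [
    "AES256-SHA",
    "DHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",                  # 112-bit: excluded
    "ECDHE-RSA-AES256-SHA",
    "RC4-SHA",                       # 64-bit: excluded
    "AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
]

if __name__ == "__main__":
    for suite in build_default_group(SAMPLE_SUITES):
        print(categorize(suite)[0].ljust(10), suite)
```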
602566 : sod daemon may crash during start-up
Component: TMOS
Symptoms:
sod daemon produces core file during start-up
Conditions:
sod encounters an error during start-up and attempts to recover.
Impact:
sod restarts
Fix:
Reset freed pointers to prevent double free during error recovery.
602508 : Capture historical changes of config files
Component: TMOS
Symptoms:
Sometimes errors can be traced to config file changes, but what the config file contained at the time of the problem is impossible to infer.
Conditions:
A user changes a config file and the system starts to have issues. The issues get reported, but the config file is changed again and the issues can no longer be reproduced.
Impact:
When investigating problems on BIGIP systems, the configuration files pose the biggest impact on how the system behaves. Having a historical recreation of the configuration files can help immensely in figuring out the problem.
Workaround:
The user can copy their config files into a backup directory every time a change is made and saved.
Fix:
The fix keeps a diff every time a config file is changed; the diffs are saved in a qkview that is uploaded to iHealth. In post-analysis, any of the captured config differences can be reconstructed based on timestamps.
602502 : Unable to view the SSL Cert list from the GUI
Component: TMOS
Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.
Conditions:
Cannot view any SSL certificates in the GUI if at least one certificate has a double extension (like test.crt.crt) in its name.
Impact:
Unable to view any SSL certificate from the GUI.
Workaround:
Delete such certificates through TMSH and re-import them without the extra .crt extension in the certificate name:
delete sys file ssl-cert test.crt.crt
Fix:
Should be able to view/delete/export certificates from GUI.
602434 : Tmm crash with compressed response
Component: Application Visibility and Reporting
Symptoms:
AVR decompresses all traffic in order to perform classification.
This can cause a tmm core due to too many decompression requests.
Conditions:
Sending a high volume of compressed traffic to a virtual server with a DoS profile.
Impact:
Traffic disrupted while tmm restarts.
Fix:
AVR now issues no more than 10 decompression requests simultaneously.
602385 : Add zLib compression
Component: Local Traffic Manager
Symptoms:
The current driver supports only GZIP and DEFLATE compression.
Conditions:
APM Network Access tunnel has an option for compression. Compression is implemented in GZIP hudfilter which uses COMPRESS_ZLIB compression method. Currently only 'zlib' compression provider (software based) is implementing this method. None of the hardware providers (such as Coleto Creek) support it; they support COMPRESS_DEFLATE and COMPRESS_GZIP. GZIP hudfilter could use all 3 methods, but only ZLIB is compatible with current and older versions of the client. To preserve backward compatibility it must use ZLIB.
Impact:
Current compression hardware (such as Coleto Creek) needs to support the ZLIB method; otherwise compression in the APM Network Access tunnel does not scale.
Workaround:
None.
Fix:
zLib compression is now supported.
602366 : Safenet 6.2 HA performance
Component: Local Traffic Manager
Symptoms:
With a Safenet 6.2 HA setup, you only see the performance of one HSM.
Conditions:
Safenet 6.2 client is installed and Safenet HA is used.
Impact:
Only one HSM is used for the HA setup.
Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>
Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable
Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test
Fix:
Installation script is updated for Safenet 6.2 HA.
602358 : BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version
Component: Local Traffic Manager
Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.
Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.
The problem occurs if the SSL/TLS server requires the versions in the new ClientHello (both in the record layer and in the handshake protocol) to be exactly the same as the SSL/TLS versions of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.
Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.
Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.
Workaround:
Manually restricting the ciphers in the ServerSSL profile to TLS1.0 can solve the issue.
Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:
1. The default is disable, which means that the SSL/TLS version in the 2nd ClientHello is set to the version negotiated in the 1st round ServerHello.
2. If it is set to enable, both ClientHello versions will be exactly the same.
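The two renegotiation policies described above, as an added example that is not F5's code: it parses the record-layer and handshake-protocol version fields of a (constructed, truncated) ClientHello, builds the 2nd ClientHello under both settings of ssl.RenegotiateWithInitialClientHello, and models a server that checks against the ServerHello version versus one that checks against the initial ClientHello; which version BIG-IP places in the record layer in the default mode is this example's assumption.

```python
"""Added example, not F5 code: parse the two version fields of a TLS
ClientHello and model the two renegotiation policies the page describes.
The ClientHello bytes are constructed (version fields plus a zeroed random,
no cipher list), and the record-layer version BIG-IP sends in the default
mode is this example's assumption, not documented behaviour."""
import struct

HANDSHAKE_RECORD = 22   # TLS ContentType handshake
CLIENT_HELLO = 1        # HandshakeType client_hello


def build_client_hello(record_version, handshake_version):
    """Build a truncated ClientHello: record header, handshake header,
    client_version and a 32-byte random (constructed, all zero)."""
    body = bytes(handshake_version) + b"\x00" * 32
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([HANDSHAKE_RECORD]) + bytes(record_version)
    return record_header + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_versions(data):
    """Return ((rec_major, rec_minor), (hs_major, hs_minor)).
    Layout: type(1) version(2) length(2) | hs_type(1) hs_len(3) | version(2)."""
    if len(data) < 11:
        raise ValueError("too short to hold a ClientHello version")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    if rec_len != len(data) - 5:
        raise ValueError("record length does not match payload")
    if data[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    return (rec_major, rec_minor), (data[9], data[10])


def second_client_hello(first_hello, server_hello_version,
                        renegotiate_with_initial):
    """Build the renegotiation ClientHello under the two settings of
    ssl.RenegotiateWithInitialClientHello described on the page.
    Disabled (default): the version is the negotiated ServerHello version
    (using it in the record layer as well is this example's assumption).
    Enabled: both fields repeat the first ClientHello exactly."""
    rec1, hs1 = parse_client_hello_versions(first_hello)
    if renegotiate_with_initial:
        return build_client_hello(rec1, hs1)
    return build_client_hello(server_hello_version, server_hello_version)


def server_accepts_renegotiation(first_hello, second_hello,
                                 server_hello_version, strict_initial):
    """Model the server-side check on the 2nd ClientHello.
    strict_initial=False: the common rule, the new handshake version must
    equal the previously negotiated ServerHello version.
    strict_initial=True: the servers the page describes, both version
    fields must equal those of the first ClientHello exactly."""
    rec1, hs1 = parse_client_hello_versions(first_hello)
    rec2, hs2 = parse_client_hello_versions(second_hello)
    if strict_initial:
        return rec1 == rec2 and hs1 == hs2
    return hs2 == tuple(server_hello_version)


if __name__ == "__main__":
    # Constructed scenario: first ClientHello with record layer TLS 1.0
    # and handshake version TLS 1.2; server negotiates TLS 1.2.
    first = build_client_hello((3, 1), (3, 3))
    negotiated = (3, 3)
    for enabled in (False, True):
        second = second_client_hello(first, negotiated, enabled)
        print("RenegotiateWithInitialClientHello =", enabled,
              "versions:", parse_client_hello_versions(second),
              "common server:", server_accepts_renegotiation(first, second, negotiated, False),
              "strict server:", server_accepts_renegotiation(first, second, negotiated, True))
```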
602326 : Intermittent pkcs11d core when installing Safenet 6.2 software
Component: Local Traffic Manager
Symptoms:
Sometimes you may see a pkcs11d core when stopping or restarting the pkcs11d service.
Conditions:
bigstart issues "stop" to pkcs11d while pkcs11d is receiving a message.
Impact:
pkcs11d may core intermittently.
Workaround:
pkcs11d may automatically restart without intervention.
Fix:
Fixed the pkcs11d signal handler to avoid making system calls inside the signal handler.
602300 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
Component: Global Traffic Manager
Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }
as the first dns name-server.
This will show in the /etc/resolv.conf file (an example)
nameserver 2001::1
nameserver 192.168.100.1
Conditions:
When an IPv6 nameserver is the first server defined.
Impact:
ZoneRunner records cannot be modified.
Workaround:
Do not use a DNS server with an IPv6 address, or add an IPv4 server at the top of the list.
Fix:
The IP address type was not set properly while communicating with BIND. This does not matter if the first nameserver listed is an IPv4 address or if no nameservers are listed at all.
If the first nameserver listed is IPv6 and the IP address type is not set to IPv4 (AF_INET), the BIND libraries attempt to use the IPv6 library from /etc/resolv.conf.
The AF_INET (IPv4) address type is now set properly.
602221 : Wrong parsing of redirect Domain
Component: Application Security Manager
Symptoms:
ASM learns wrong domain names.
Conditions:
There is no '/' after the domain name in the redirect domain.
Impact:
A wrong learning suggestion can lead to a wrong policy.
Workaround:
N/A
Fix:
Fixed an issue with parsing the URL in the Location header.
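An added example (not ASM's code) of extracting the redirect domain from a Location header; it covers the case described above (no '/' after the host name) and goes beyond it to ports, userinfo, IPv6 literals and relative targets. The naive function only illustrates how a trailing-slash assumption goes wrong and is not F5's implementation; the header samples are constructed.

```python
"""Added example, not F5 code: extract the redirect domain from an HTTP
Location header, including the case where no '/' follows the host name.
naive_redirect_domain() is an illustration of a trailing-slash assumption,
not ASM's actual parser; the header samples below are constructed."""
from urllib.parse import urlsplit


def naive_redirect_domain(location):
    """Illustrative buggy parser: assumes a '/' always follows the host.
    When none does, find() returns -1 and the slice silently drops the last
    character of the host, producing a wrong domain to learn."""
    start = location.find("://") + 3
    end = location.find("/", start)
    return location[start:end]


def redirect_domain(location, request_host):
    """Return the lowercase host a Location header sends the browser to.
    Relative targets stay on request_host; scheme-relative ('//host/...')
    and absolute targets yield their own host with userinfo, port and
    IPv6 brackets removed; non-HTTP schemes are rejected."""
    parts = urlsplit(location.strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        raise ValueError("unsupported redirect scheme: " + parts.scheme)
    if parts.netloc:
        host = parts.hostname          # None when netloc holds no host
        if not host:
            raise ValueError("Location has no host: " + location)
        return host.lower()
    if parts.scheme:
        raise ValueError("absolute Location without a host: " + location)
    return request_host.lower()


# Constructed Location header values and the domain each should yield
# when the request was made to app.example.net.
SAMPLES = [
    ("http://example.com", "example.com"),          # the page's case: no '/'
    ("http://example.com?next=1", "example.com"),   # query but no path
    ("https://Example.COM/login", "example.com"),
    ("http://user:pw@example.com:8443/app", "example.com"),
    ("http://[2001:db8::1]:8080", "2001:db8::1"),
    ("//cdn.example.com/a.js", "cdn.example.com"),
    ("/login", "app.example.net"),
]

if __name__ == "__main__":
    for value, expected in SAMPLES:
        print(value.ljust(40), redirect_domain(value, "app.example.net"),
              "(naive:", naive_redirect_domain(value) + ")")
```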
602171 : TMM may core when remote LSN operations time out
Component: Carrier-Grade NAT
Symptoms:
TMM configured with LSN may core under high utilization, when local endpoint resources are exhausted and a request for remote resources times out.
Conditions:
An LSN remote operation times out. LSN can request resources from a remote TMM when local resources are exhausted; when such a request times out, this can result in a core in affected versions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM LSN remote operations no longer cause a core.
602159 : The field "Maximum" connections of websocket and http2 profile statistics show different values between tmsh and GUI
Component: Local Traffic Manager
Symptoms:
The field "Maximum" connections of websocket and http2 profile statistics show different values between tmsh and GUI.
Conditions:
Concurrent WebSocket or HTTP/2 connections are seen.
Impact:
Statistics mismatch between GUI and tmsh.
Workaround:
GUI statistics for the maximum connections field are accurate. Use those.
602154 : Multidomain SSO loses POST data because of HTTP 302
Component: Access Policy Manager
Symptoms:
In multidomain SSO, when accessing a virtual with a POST, the user may be redirected to the auth virtual. When the user is redirected back to the original url, we lose the original POST data. This is because we use HTTP 302, which allows the browser to change the method. In these situations we should use 307, which does not allow the browser to change the method.
Conditions:
This is difficult to avoid if the access policy needs to run on the auth virtual. This bug is about saving the POST when the policy has already run, and we are only redirecting to the auth virtual to receive the cookie.
Impact:
User sends a GET to the resource, instead of the POST that should have been sent.
Workaround:
An iRule can be used to change some of the 302 redirects to a 307.
when HTTP_REQUEST {
set uri [HTTP::uri]
}
when HTTP_RESPONSE_RELEASE {
if { [HTTP::status] contains "302" && ([HTTP::header value "Location"] contains "SSO_ORIG_URI" || $uri contains "SSO_ORIG_URI") } {
HTTP::header replace ":S" "307 Temporary Redirect"
}
}
Fix:
When redirecting to and from the auth virtual, we now use a 307. We continue using 302 with redirects to /my.policy and other parts of running the access policy. In those situations, a 307 could cause the browser to resend the POST made to an APM login page.
602136 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
Component: Local Traffic Manager
Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.
Conditions:
Client-side iRule that drops a connection.
Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.
Workaround:
None.
602040 : Truncated support ID for HTTP protocol security logging profile
Component: Local Traffic Manager
Symptoms:
The HTTP Protocol Security logging profile yields an incomplete support ID in the local storage.
Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.
Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits).
Workaround:
There is no workaround
601989 : Remote LDAP system authenticated username is case sensitive★
Component: TMOS
Symptoms:
Unable to log in via SSH; the cause is reported as "user account has expired". The wrong role is assigned to the remote user.
Conditions:
The character-case for the username returned from LDAP must match the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or later.
Impact:
Unable to log in via SSH as a remote user, or the remote user is assigned an incorrect role, when multiple accounts exist with the same name in mixed case.
Workaround:
Avoid configuring the same account username with different case, and make sure the user account configured in TMOS and used to log in exactly matches the user account name returned from LDAP.
Fix:
When logging in to BIG-IP via ssh, the case of the logged-in user name is preserved when authenticating against an LDAP source, and matched in a case-sensitive manner to the appropriate locally defined user role.
601938 : MCPD stores certain data incorrectly
Component: TMOS
Symptoms:
In some cases MCPD data is not stored as designed.
Conditions:
In some cases MCPD data is not stored as designed.
Impact:
MCPD data not stored as designed. MCPD continues to operate normally.
Workaround:
Rebooting BIG-IP will correct data storage.
Fix:
Improved MCPD data storage.
601927 : Security hardening of control plane
Component: TMOS
Symptoms:
File permission changes needed, as found by internal testing.
Conditions:
N/A
Impact:
N/A
Fix:
Apply latest security practices to control plane files.
601924 : Selenium detection by ports scanning doesn't work even if the ports are opened
Component: Advanced Firewall Manager
Symptoms:
When the Selenium server package is running on an endpoint and traffic is sent from there, the proactive bot defense mechanism does not see the ports opened by the Selenium server.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.
Impact:
Low impact, as Selenium detection by port scan has a low score and does not mitigate a client unless it has other suspicious client properties (for example, the Tor browser).
Workaround:
N/A
Fix:
Port scanning has been fixed; a wider range of ports is now scanned.
601919 : Custom categories and custom url filter assignment must be specific to partition instead of global lookup
Component: Access Policy Manager
Symptoms:
Custom categories lookup and matching is not partition specific.
Conditions:
Create an SWG explicit virtual server, access policy, per-request policy, custom category with a glob URL, and URL filter in a custom partition (say partition1),
and create a similar set in partition2. (Make sure the glob URL is matched by the custom categories in the two different partitions.) Set the browser to the explicit proxy:port of the partition1 virtual server and access the URL that should match the custom category.
Impact:
Partition-specific custom category matching is not available when a user-specific whitelist needs to be applied.
Workaround:
None
Fix:
Code has been added to check custom categories only for the partition that the connflow belongs to, plus the Common partition.
601905 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
Component: Access Policy Manager
Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.
Conditions:
Most likely, the POST request contains large post data.
Impact:
The POST request will fail.
Workaround:
The following iRule works around the issue:
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to $max_collect bytes of data
        set max_collect 1000000
        if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length $max_collect
        }
        # Check that $content_length is not 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
601888 : IKE Peer name not validated against special characters
Component: TMOS
Symptoms:
GUI: Users cannot view the configuration of an IPsec object with special characters in its name.
Conditions:
An IPsec object with special characters in its name.
Impact:
GUI: Users cannot view the configuration of an IPsec object with special characters in its name.
Workaround:
Special characters should not be used in IPsec, IKE Peer and Traffic Selector names.
Fix:
Added URL encoding for IPsec, IKE Peer and Traffic Selector names, since these fields can contain special characters.
601828 : An untrusted certificate can cause TMM to crash.
Component: Local Traffic Manager
Symptoms:
If the certificate sent by an SSL server to the BIG-IP server-side SSL profile is untrusted, TMM might crash.
Conditions:
A server-side SSL profile is attached to a virtual server, and the SSL server sends an untrusted certificate to the BIGIP.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The BIGIP will now log the certificate name `unknown' if an SSL server sends an untrusted certificate.
601709-1 : I2C error recovery for BIGIP 4340N/4300 blades
Component: TMOS
Symptoms:
The I2C internal bus for the front switch may not work. The fix recovers from the problem when it happens.
Conditions:
This rarely happens.
Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.
Workaround:
bigstart restart bcm56xxd
Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.
601536 : Analytics load error stops load of configuration★
Component: Application Visibility and Reporting
Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.
Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.
Impact:
Configuration fails to load, will not pass traffic.
Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.
601527 : mcpd memory leak and core
Component: TMOS
Symptoms:
Mcpd can leak memory during config update or config sync.
Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http
Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.
Fix:
Fixed a memory leak in mcpd.
601502 : Excessive OCSP traffic
Component: TMOS
Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.
Conditions:
Virtual server configured with an OCSP profile
Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.
Workaround:
None.
Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.
601496 : iRules and OCSP Stapling
Component: Local Traffic Manager
Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.
You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.
Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stapling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.
Impact:
TMM memory use increases gradually, until eventually the aggressive mode sweeper is activated.
Workaround:
None.
Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.
601420 : Possible SAML authentication loop with IE and multi-domain SSO.
Component: Access Policy Manager
Symptoms:
When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter authentication loop and never complete the access policy.
Conditions:
APM is configured with SAML authentication and multi-domain SSO.
Impact:
Using Internet Explorer, the client may be unable to connect to its desired destination.
Workaround:
Chrome and Firefox do not seem to be affected.
Fix:
Use cookie for session for multi-domain if TOKEN lookup fails. Previously, the cookie was ignored for multi-domain response URI. However, with the introduction of TOKEN based session lookup, this causes a failure if the client retries the request (since the TOKEN was consumed in the request prior to the retry).
601414 : Combined use of session and table irule commands can result in intermittent session lookup failures
Component: TMOS
Symptoms:
[session lookup] commands do not return the expected result.
Conditions:
An iRule which combines use of [table] and [session lookup] commands.
Impact:
Intermittent session functionality.
Workaround:
If possible, use table commands in lieu of session commands.
601378 : Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
Component: Application Security Manager
Symptoms:
These errors can be observed in '/var/log/asm':
-------------------------
The caller:[F5::ASMConfig::Entity::Charset::get_policy_encoding_type] did not pass in a value for 'encoding_name' to retrieve the 'encoding_type' for -- aborting.
ASM subsystem error (asm_config_server.pl,): ASM Config server died unexpectedly
ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads.
ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: asm_config_server.pl, Failure: Insufficient number of threads.
-------------------------
Conditions:
ASM provisioned.
Create security policy with "Auto accept" language.
Impact:
ASM daemons restart, numerous errors in asm log.
Workaround:
None.
Fix:
Creating an ASM security policy with "Auto accept" language no longer leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
601255 : RTSP response to SETUP request has incorrect client_port attribute
Component: Service Provider
Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)
Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection
Impact:
Unicast media may be forwarded to the incorrect UDP port (0).
Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.
601180 : Link Controller base license does not allow DNS namespace iRule commands.★
Component: Global Traffic Manager
Symptoms:
The Link Controller base license was improperly preventing DNS namespace iRule commands.
Conditions:
A Link Controller license without an add-on that allowed Layer 7 iRule commands.
Impact:
An administrator would not be able to add DNS namespace commands to an iRule, or to upgrade from a pre-11.5 configuration in which the commands were working to 11.5.4 through 12.1.1.
Workaround:
To address the inability to upgrade, removal of DNS namespace commands from the configuration prior to upgrade will allow the upgrade to proceed. The commands will then be able to be re-added after a fixed version is installed.
Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.
601178 : HTTP cookie persistence 'preferred' encryption
Component: Local Traffic Manager
Symptoms:
When encryption is set to 'preferred' in the HTTP cookie persistence profile and the client presents a plaintext, route-domain-formatted cookie, the BIG-IP system ignores the cookie and load balances the connection again.
Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.
Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.
601168 : Incorrect virtual server CPU utilization may be observed.
Component: TMOS
Symptoms:
The virtual_server_cpu_stat table counters are always at zero.
Conditions:
ASM license is in effect.
Impact:
Wrong CPU utilization per virtual server.
Workaround:
No workaround.
Fix:
An issue in computing CPU averages for virtual server has been resolved.
601083 : FPS Globally Forbidden Words lists freeze in IE 11
Component: Fraud Protection Services
Symptoms:
When attempting to move more than 1 item in Globally Forbidden Words in Internet Explorer 11 browser, the lists freeze.
Conditions:
FPS Provisioned
Add 2 or more words to "Search for malicious words in the HTML or JavaScript code"
Impact:
FPS GUI freezes
Workaround:
Add 1 item each time and save.
Use tmsh.
Fix:
Internet Explorer 11 will not freeze if moving more than one item at a time.
601059 : libxml2 vulnerability CVE-2016-1840
Vulnerability Solution Article: K14614344
601035-1 : TCP-Analytics can fail to collect all the activity
Component: Application Visibility and Reporting
Symptoms:
When the traffic reaching the BIG-IP system comes from a very large number of different client IPs and subnets, the TCP-Analytics table can fill up, and the activity that follows is ignored until the next data snapshot.
Conditions:
TCP-Analytics profile attached to a virtual server, with incoming traffic from a large number of client IPs and subnets (the exact number needed to fill the table depends on the machine type and provisioned modules).
Impact:
TCP Analytics shows only some of the activity, not all of it.
A second impact, frequent errors in the log, is described in ID 601056.
Workaround:
Disable TCP-Analytics.
Fix:
The aggregation method of TCP Analytics has been fixed; the table no longer fills up, regardless of the client-IP distribution.
600982 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
Component: Local Traffic Manager
Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.
Conditions:
This is a very rare crash related to SSL being configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.
600970 : IPsec racoon daemon 100% cpu busy
Component: TMOS
Symptoms:
racoon daemon runs at 100% according to top and will not start or handle any IPsec tunnels. No logs, no ISAKMP initiation and so on. racoonctl will hang when executed.
Conditions:
racoon daemon in a 100% CPU busy loop
Impact:
IPsec tunnels cannot be established or maintained.
Workaround:
Run 'bigstart restart racoon' and 'bigstart restart tmipsecd'. Note that on version 12.x software, bigstart cannot be used to restart racoon.
Fix:
In extremely rare cases, the racoon daemon will stop working, and report 100% CPU usage.
600944 : tmsh does not reset route domain to 0 after cd /Common and loading bash
Component: Local Traffic Manager
Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common' and run bash then run 'ip route', the routing table from the partition is displayed, not /Common
Conditions:
Attempting to see the route table from the /Common partition after leaving another partition
Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.
Workaround:
Quit tmsh and restart.
600894 : In certain situations, the MCPD process can leak memory
Component: TMOS
Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:
err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.
Conditions:
So far, this issue has only been observed while updating a large external data-group file object.
Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.
600859-1 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
Component: TMOS
Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.
Conditions:
Upgrading 11.6.0, or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.
Impact:
License is invalidated and instance becomes unusable.
Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.
Fix:
Module licenses correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.
600827 : Stuck nitrox crypto queue can erroneously be reported
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Hardware Error(Co-Processor): n3-crypto0 request queue stuck" will appear in the ltm log file.
Conditions:
Nitrox based system performing SSL under heavy load.
Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.
Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.
600811 : CATEGORY::lookup command change in behaviour★
Component: Access Policy Manager
Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts a full HTTP URI as its argument when the BIG-IP system has APM plus URL Filtering provisioned, or URL Filtering alone provisioned for SSL Bypass decisions.
Only a valid hostname can be passed, and the category of that hostname is returned.
In versions prior to v12.1.1, the following iRule was valid:
when HTTP_REQUEST {
    # host plus path: accepted before v12.1.1, rejected from v12.1.1 onward
    set this_uri http://[HTTP::host][HTTP::uri]
    set reply [CATEGORY::lookup $this_uri]
    log local0. "Category lookup for $this_uri returns $reply"
}
Starting in v12.1.1, the HTTP::uri component must be removed from that example. If an HTTP::uri is passed to the command, an error is returned:
Jun 27 16:43:41 bigip4000-a41-1mgmt err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"
Starting in v12.1.1, the example should be modified to pass only the HTTP::host:
when HTTP_REQUEST {
    # hostname only: the only form accepted from v12.1.1 onward
    set this_uri http://[HTTP::host]
    set reply [CATEGORY::lookup $this_uri]
    log local0. "Category lookup for $this_uri returns $reply"
}
If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.
Conditions:
- BIG-IP licensed and provisioned for:
- APM + URL Filtering
- URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments)
- An iRule which supplies a URI path to the CATEGORY::lookup iRule command
Impact:
After upgrading to v12.1.1 from a previous version, an iRule that passes an HTTP::uri to the CATEGORY::lookup command, or that passes a plain-text string containing anything other than an HTTP hostname, will see an error returned from the command. This can cause errors in existing deployments.
Workaround:
The required mitigation is to update the iRule so that it passes only an HTTP hostname to the CATEGORY::lookup iRule command.
600662 : NAT64 vulnerability CVE-2016-5745
Vulnerability Solution Article: K64743453
600634 : Schedule-reports can break the upgrade process★
Component: Application Visibility and Reporting
Symptoms:
A scheduled report (of predefined type) that is created via GUI can cause validation error on upgrade and thus might cause the upgrade process to fail. You may see this error in /var/log/ltm:
Syntax Error:(/config/bigip.conf at line: 86) "predefined-report-name" may not be specified with "multi-leveled-report.time-diff"
Conditions:
Creating predefined-scheduled-report from GUI
Impact:
Upgrade process can fail
Workaround:
If the config load fails, you can get the configuration to load by manually removing the scheduled report(s).
Impact of mitigation: this will remove scheduled reports from the configuration.
Edit bigip.conf, and look for analytics objects that have the scheduled-report in the declaration:
analytics application-security scheduled-report /Common/... {
Remove the object and the configuration will load.
Fix:
The validation mechanism has been improved so that a scheduled report of one type (predefined or multi-leveled) cannot be created with fields of the other type set on it.
The GUI no longer sets multi-leveled scheduled-report fields when creating a predefined scheduled report.
600614 : External crypto offload fails when SSL connection is renegotiated
Component: Local Traffic Manager
Symptoms:
If an external crypto offload client is configured with an SSL profile that has renegotiation enabled, the crypto client connection fails when the SSL connection is renegotiated.
Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.
Impact:
Crypto client connection to the crypto server will fail.
Workaround:
Disable renegotiation on the SSL profile.
Fix:
The crypto client connection to the crypto server will no longer fail when the SSL connection is renegotiated.
600593 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
Component: Local Traffic Manager
Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.
Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.
Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.
Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:
when HTTP_PROXY_REQUEST {
    # CONNECT must get a fresh server-side flow; everything else may reuse one
    if { [HTTP::method] equals "CONNECT" } {
        ONECONNECT::reuse disable
    } else {
        ONECONNECT::reuse enable
    }
}
600570 : VE License may enforce improper TMM count
Component: TMOS
Symptoms:
If a BIG-IP VE license enforces a number of TMM instances that is less than the system would otherwise run, and that license limit is not a power of two (1, 2, 4, 8, 16, and so on), the BIG-IP system will incorrectly start with a non-power-of-two number of TMMs.
Conditions:
Certain license combinations can result in the BIG-IP VE system starting with a non power of two number of TMMs.
Impact:
This results in traffic disruption and connection failures: traffic leaves one TMM, but the return traffic is disaggregated to a different TMM, which does not process it.
Workaround:
Set the "provision.tmmcount" DB key to the next lower power of two (1, 2, 4, 8, 16) from the count listed in the license.
600558 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:
1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
Fix:
Errors are no longer logged after deleting user in GUI.
600431 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP
Component: Service Provider
Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'
Conditions:
iRule that extracts ip address from a diameter avp.
Impact:
The iRule ends with an error.
Workaround:
Instead of
    set data [DIAMETER::avp data get 257 ip4]
use an iRule such as the following, which reads the raw AVP data and decodes the 2-byte address family itself:
    if { [DIAMETER::avp count 257] > 0 } {
        set data [DIAMETER::avp data get 257]
        # the first two bytes of an Address AVP are the address family (1 = IPv4, 2 = IPv6)
        binary scan $data S family
        switch $family {
            1 {
                # IPv4: 4 address bytes follow the family field
                set ip [IP::addr parse -ipv4 $data 2]
                log local0. "ip = $ip"
            }
            2 {
                # IPv6: 16 address bytes follow the family field
                set ip [IP::addr parse -ipv6 $data 2]
                log local0. "ip = $ip"
            }
            default {
                log local0.alert "address family $family is not supported"
            }
        }
    }
Fix:
DIAMETER::avp data get "id" ip4|ip6 now correctly returns an ip address on valid ip address AVPs.
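The workaround above does by hand what the fixed command does internally: read the Address AVP payload, take the first two bytes as the address family, and only then parse 4 or 16 address bytes. The following Python program is an added example, not F5 code, that generalizes the same decoding to a whole Diameter message body: it walks the AVP headers (code, flags, 24-bit length, optional Vendor-ID, 4-byte padding), pulls out every Host-IP-Address (257) AVP, and rejects payloads whose length does not match the declared family, which is the malformed input the iRule's 'default' branch exists for. The sample message body is constructed inline, not captured from a device.

```python
import struct
import ipaddress
from typing import Iterator, List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Address family numbers carried in the first two bytes of a Diameter
# Address AVP (RFC 6733, section 4.3.1): 1 = IPv4, 2 = IPv6.
AF_IPV4, AF_IPV6 = 1, 2
ADDR_LEN = {AF_IPV4: 4, AF_IPV6: 16}

AVP_HOST_IP_ADDRESS = 257   # the AVP the iRule workaround above reads
AVP_ORIGIN_HOST = 264       # DiameterIdentity, used only as filler in the sample
FLAG_VENDOR, FLAG_MANDATORY = 0x80, 0x40


def parse_address_avp(data: bytes) -> Address:
    """Decode an Address AVP payload: 2-byte family, then 4 (IPv4) or 16 (IPv6) bytes.

    Raises ValueError for an unknown family or a payload whose length does not
    match the family; the iRule above handles the same case in its default branch.
    """
    if len(data) < 2:
        raise ValueError("payload shorter than the 2-byte address family field")
    (family,) = struct.unpack("!H", data[:2])
    expected = ADDR_LEN.get(family)
    if expected is None:
        raise ValueError(f"address family {family} is not supported")
    addr = data[2:]
    if len(addr) != expected:
        raise ValueError(f"family {family} needs {expected} address bytes, got {len(addr)}")
    return ipaddress.ip_address(addr)


def try_parse_address_avp(data: bytes) -> Optional[Address]:
    """Lenient wrapper: None instead of an exception for malformed payloads."""
    try:
        return parse_address_avp(data)
    except ValueError:
        return None


def iter_avps(body: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (code, flags, vendor_id, data) for each AVP in a Diameter message body.

    AVP header: 4-byte code, 1-byte flags, 3-byte length (header plus data, padding
    excluded), then a 4-byte Vendor-ID when the V flag is set. Each AVP is padded
    to a 4-byte boundary.
    """
    off = 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_and_len = struct.unpack("!II", body[off:off + 8])
        flags, length = flags_and_len >> 24, flags_and_len & 0xFFFFFF
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(body):
            raise ValueError(f"AVP {code} length {length} is out of bounds")
        vendor = struct.unpack("!I", body[off + 8:off + 12])[0] if flags & FLAG_VENDOR else 0
        yield code, flags, vendor, body[off + hdr:off + length]
        off += (length + 3) & ~3   # skip to the next 4-byte aligned AVP


def build_avp(code: int, data: bytes, flags: int = FLAG_MANDATORY,
              vendor: Optional[int] = None) -> bytes:
    """Encode one AVP; used here only to construct the sample message."""
    if vendor is not None:
        flags |= FLAG_VENDOR
    hdr = 12 if flags & FLAG_VENDOR else 8
    out = struct.pack("!II", code, (flags << 24) | (hdr + len(data)))
    if flags & FLAG_VENDOR:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-len(data) % 4)


def host_ip_addresses(body: bytes) -> List[Address]:
    """Python equivalent of reading every Host-IP-Address (257) AVP with the family check."""
    return [parse_address_avp(data) for code, _, _, data in iter_avps(body)
            if code == AVP_HOST_IP_ADDRESS]


# Constructed sample body (not a capture): Origin-Host followed by one IPv4 and one
# IPv6 Host-IP-Address AVP, as a Capabilities-Exchange-Request would carry.
SAMPLE_BODY = (
    build_avp(AVP_ORIGIN_HOST, b"bigip.example.test")
    + build_avp(AVP_HOST_IP_ADDRESS,
                struct.pack("!H", AF_IPV4) + ipaddress.IPv4Address("10.0.0.1").packed)
    + build_avp(AVP_HOST_IP_ADDRESS,
                struct.pack("!H", AF_IPV6) + ipaddress.IPv6Address("2001:db8::1").packed)
)

if __name__ == "__main__":
    for ip in host_ip_addresses(SAMPLE_BODY):
        print("ip =", ip)
</test>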
600385 : BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
Component: Local Traffic Manager
Symptoms:
When configuring BIG-IP LTM and BIG-IP DNS monitors, administrators can set the interval value to be larger than the timeout value.
Conditions:
Setting the interval value to be larger than the timeout value.
Impact:
The misconfigured monitor setting might result in unexpected monitor behavior.
Workaround:
Set the interval value lower than the timeout value.
Fix:
Monitors are no longer allowed to set the interval value to be larger than the timeout. This is correct behavior.
Behavior Change:
Monitors are no longer allowed to set the interval value to be larger than the timeout. This is correct behavior.
600357 : bd crash when asm policy is removed from virtual during specific configuration change
Component: Application Security Manager
Symptoms:
BD restarts and produces a core file
Conditions:
A configuration change which involves headers configuration or a policy re-configuration and at the same time, while this update is taking place the ASM policy is removed from the virtual.
This is more likely to happen in scripted tests than in the field.
Impact:
Traffic gets dropped while the ASM gets restarted.
Workaround:
Don't change ASM configuration at the same time as changing the virtual server configuration.
Fix:
System will still restart but will not produce a core file when this happens.
600232-1 : OpenSSL vulnerability CVE-2016-2177
Vulnerability Solution Article: K23873366
600198-1 : OpenSSL vulnerability CVE-2016-2178
Vulnerability Solution Article: K53084033
600174 : Wildcard "*" redirection domain cannot be deleted if list is scrollable
Component: Application Security Manager
Symptoms:
Wildcard "*" redirection domain cannot be deleted if list is scrollable
Conditions:
Add redirection domains until list becomes scrollable (at least 4 or 5)
Impact:
first redirection domain in the list cannot be deleted
Workaround:
first delete redirection domains (not first one) to make list not scrollable, then re-add again
Fix:
Any redirection domain can be removed from the list
600119 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
Component: Access Policy Manager
Symptoms:
When the client is connected to the VPN and a Wi-Fi adapter is enabled but not connected to any WLAN, access to websites outside the VPN is very slow.
Access is fine when the Wi-Fi interface is disabled.
Conditions:
- number of DNS servers configured for active network adapters matches the number of DNS servers configured in Network Access resource
Impact:
User experience while navigating servers outside of VPN scope is impacted by increased connection time
Workaround:
Disable unused adapters or change the number of configured DNS servers
Fix:
DNS requests for names outside the VPN scope sent to VPN DNS server are redirected to DNS servers from NIC using Round Robin algorithm
600069 : Portal Access: Requests handled incorrectly
Component: Access Policy Manager
Symptoms:
In some cases Portal Access requests do not return the intended resource.
Conditions:
Portal Access configured
Impact:
In some cases Portal Access requests do not return the intended resource.
Fix:
Improve Portal Access request processing
600052 : GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
Component: Local Traffic Manager
Symptoms:
Cannot access SSL certs/keys using the GUI. GUI displays "Internal Server Error" page.
Conditions:
Having large (~3k) number of SSL certs/keys in the system.
Impact:
Cannot use the GUI to view/edit the SSL certs/keys.
Workaround:
Use tmsh to access SSL certs/keys.
Fix:
Can now access SSL certs/keys using the GUI
600024 : Managed Endpoint Notification and Managed Endpoint Status agents are only available for type "All" profiles
Component: Access Policy Manager
Symptoms:
Managed Endpoint Notification and Managed Endpoint Status agents are not available for Access Profiles that are using type "ssl-vpn". They are only visible if the profile is of type "All"
Conditions:
Create Access Profile with type: "SSL-VPN"
Impact:
Managed Endpoint Notification and Managed Endpoint Status agents are not available in access policy
Workaround:
Create Access Profile with "All" type
599858 : ImageMagick vulnerability CVE-2015-8898
Vulnerability Solution Article: K68785753
599839 : Add new keywords to SIP::persist command to specify how Persistence table is updated
Component: Service Provider
Symptoms:
SIP::persist command keywords were not present prior to 12.1.2
Conditions:
Using the SIP::persist command in an iRule
Impact:
Limited control via SIP::persist
Workaround:
N/A
Fix:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.
-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.
Behavior Change:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.
-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.
599816 : Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
Component: TMOS
Symptoms:
Packets arriving on members of the VLAN group are CMP redirected. Redirections may be tracked with the tmm/flow_redir_stats table.
Conditions:
VLANs in the VLAN group must have different cmp-hash settings. For example, one VLAN may configure src-ip and another dst-ip.
Impact:
Throughput drops because of the redirections. However, because this is an error in the software disaggregator, components and features which depend on correct disaggregation may fail. Some features of PEM may fail.
Fix:
Packets are correctly disaggregated without redirections.
599769-2 : TMM may crash when managing APM clients.
Component: Local Traffic Manager
Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.
Conditions:
APM enabled and actively managing clients.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.
599720 : TMM may crash in bigtcp due to null pointer dereference
Component: Local Traffic Manager
Symptoms:
TMM crashed in bigtcp_queue_pkt() due to null pointer dereference of clientside flow.
Conditions:
This only occurs for serverside flow whose peer no longer exists.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
A null pointer dereference in bigtcp has been fixed.
599655 : When ramcache is configured with CPM, the ASM blocking page will get cached
Component: Application Security Manager
Symptoms:
ASM blocking page is cached
Conditions:
ramcache is configured using CPM
Impact:
The blocking page is not reported by ASM and is missing from statistics. It can also cause false positives on traffic that should not be blocked.
Workaround:
Add the following irule to the virtual:
when ASM_REQUEST_BLOCKING {
    # never let the ASM blocking response be stored in the cache
    CACHE::disable
}
599582 : BD keep-alive self crashes due to lack of IO or CPU resources
Component: Application Security Manager
Symptoms:
The following message in the bd.log:
"internal_keep_alive: BD shrinking...,going down - BD will be right back."
In the bd.log lines preceding this message, the UMU prints no longer arrive two within the same second.
Conditions:
There is a high CPU consumption on the system or lack of IO resource
Impact:
The bd restarts with a core file, traffic disrupted while bd restarts.
Workaround:
N/A
Fix:
Fixed a crash in bd.
599543 : Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
Component: TMOS
Symptoms:
When PKCS#12 cert and key are in use by SSL profiles, importing key/cert fails with the below error message:
Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2()
0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match
Conditions:
1. When the cert and key are in the PKCS#12 format.
2. When the cert and key are in use by SSL profiles.
Impact:
When PKCS#12 cert and key are in use by SSL profiles, they can not be directly updated (overwritten) using key/cert import.
Workaround:
Use tmsh to install the PKCS#12 key. For example, suppose the key/cert to be replaced is called orig.key and orig.crt, it can be overwritten using the below command:
tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx
599536 : IPsec peer with wildcard selector brings up wrong phase2 SAs
Component: TMOS
Symptoms:
If a remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2, the BIG-IP system will find a match against a non-wildcard selector and use that policy to complete phase2 negotiation.
You may encounter this problem if you have one or more remote peers attempting to negotiate phase2 with wildcard traffic-selectors. An IPsec tunnel may start but fail to pass data and at the same time another IPsec tunnel may stop working.
Conditions:
The remote IPsec peer sends a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector in phase2. Phase1 must be established first.
Impact:
A tunnel will start, but data communication (over ESP or AH) will fail.
Other tunnels may be subject to an accidental DOS when a peer establishes phase1 but uses wildcard traffic-selectors in phase2. A traffic-selector matched by wildcard might be bound to a tunnel already in use, which is then taken offline by the new Security Associations.
Fix:
Ensure that phase2 negotiation using a wildcard (0.0.0.0/0 <-> 0.0.0.0/0) traffic-selector does not establish a Security Association with an ipsec-policy associated with a non-wildcard traffic-selector.
Behavior Change:
Previously, a wildcard selector was able to match a non-wildcard selector, and thus engage the wrong (IPsec) tunnel to attempt negotiation, usually failing.
In effect, a wildcard selector could bind to the wrong peer; after this change only the correct peer binds. This cleans up the use of the selector as an identity key, and prevents random wrong peers from being subjected to noise.
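To make the behavior change concrete, the following Python program is an added example, not F5 code, that models phase 2 policy selection before and after the fix. The pre-fix rule is an assumption: it treats any selector overlap as a match, which is the simplest rule under which a 0.0.0.0/0 <-> 0.0.0.0/0 proposal binds to a specific policy. The post-fix rule follows the release note: a wildcard proposal may only bind to a policy whose selector is itself a wildcard, and other proposals must fit inside a policy's selector. The policy set and peer addresses are constructed, not taken from a device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Selector:
    """A phase 2 traffic selector: local (src) and remote (dst) address ranges."""
    src: Net
    dst: Net

    def is_wildcard(self) -> bool:
        return self.src.prefixlen == 0 and self.dst.prefixlen == 0

    def fits_inside(self, other: "Selector") -> bool:
        return self.src.subnet_of(other.src) and self.dst.subnet_of(other.dst)

    def overlaps(self, other: "Selector") -> bool:
        return self.src.overlaps(other.src) and self.dst.overlaps(other.dst)


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    selector: Selector
    peer: str


WILDCARD = Selector(net("0.0.0.0/0"), net("0.0.0.0/0"))


def match_policy_legacy(policies: List[IpsecPolicy], proposal: Selector) -> Optional[IpsecPolicy]:
    """Assumed pre-fix rule: the first policy whose selector merely overlaps the proposal.

    A wildcard proposal overlaps everything, so it binds to whichever specific policy
    comes first, including one whose tunnel is already carrying another peer's traffic.
    """
    for policy in policies:
        if policy.selector.overlaps(proposal):
            return policy
    return None


def match_policy_fixed(policies: List[IpsecPolicy], proposal: Selector) -> Optional[IpsecPolicy]:
    """Post-fix rule from the release note: a wildcard proposal may only bind to a
    wildcard policy; any proposal must fit inside the policy's selector."""
    for policy in policies:
        if proposal.is_wildcard() and not policy.selector.is_wildcard():
            continue   # explicit guard matching the fix description
        if proposal.fits_inside(policy.selector):
            return policy
    return None


# Constructed configuration: one site-to-site policy already in use, no catch-all policy.
POLICIES = [
    IpsecPolicy("branch-a", Selector(net("10.1.0.0/24"), net("10.2.0.0/24")), peer="203.0.113.10"),
]
CATCH_ALL = IpsecPolicy("catch-all", WILDCARD, peer="any")


def negotiate(policies: List[IpsecPolicy], proposal: Selector, fixed: bool = True) -> Optional[str]:
    """Return the name of the policy a phase 2 proposal would bind to, or None to reject it."""
    match = (match_policy_fixed if fixed else match_policy_legacy)(policies, proposal)
    return match.name if match else None


if __name__ == "__main__":
    print("legacy:", negotiate(POLICIES, WILDCARD, fixed=False))   # binds to branch-a
    print("fixed: ", negotiate(POLICIES, WILDCARD, fixed=True))    # rejected
```

With the legacy rule a second peer proposing wildcard selectors takes over the branch-a policy and its Security Associations, which is the accidental denial of service the Impact section describes; with the fixed rule the proposal is rejected unless a wildcard policy exists, while ordinary narrowed proposals that fit inside branch-a still match.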
599526 : SWG redirect omits the port
Component: Access Policy Manager
Symptoms:
When using SWG transparent proxy with captive portal disabled, the final redirect omits the port that was specified in the original request
Conditions:
SWG transparent proxy with captive portal disabled; and initial request coming on non 80 or 443 ports.
Impact:
SWG redirects to the incorrect port.
Workaround:
Enable captive portal if possible.
Fix:
When using SWG transparent proxy with captive portal disabled, the final redirect now includes the port that was specified in the original request.
599521-1 : Persistence entries not added if message is routed via an iRule
Component: Service Provider
Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.
Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.
Impact:
Since MRF SIP persistence may be bidirectional, the missing persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.
Workaround:
An iRule could be used to route messages directed towards the original client.
Fix:
MRF SIP will add a persistence entry for message routed via an iRule.
599515 : TCP Keep Alive Interval Indefinite mapped to 4294967295 instead of the 0 value.
Component: TMOS
Symptoms:
Indefinite TCP Keep Alive Interval is mapped to 4294967295.
Conditions:
Selecting Indefinite on the TCP Keep Alive Interval field and listing it on tmsh.
Impact:
Indefinite is set to 4294967295 instead of 0.
Workaround:
Set the TCP Keep Alive Interval field using tmsh.
Fix:
The TCP Keep Alive Interval Indefinite value is now mapped to the 0 value instead of 4294967295. This is correct.
599424 : iApps LX fails to sync★
Component: iApp Technology
Symptoms:
In a device group, iApps LX applications fail to sync to the other devices. In restjavad.0.log you notice this log entry, approximately once per hour:
[8100/tm/shared/bigip-failover-state BigipFailoverStateWorker] Failed to discover [address]: java.lang.IllegalStateException: Authentication Failure to host [address]. Please check the credentials provided.
Conditions:
This occurs after upgrading devices in a device group from 12.1.1 to a version higher than 12.1.1, such as 12.1.1 HF1. It can also occur on UCS restore.
Impact:
If you do not have iApps LX configured, there should be no impact other than the warning in restjavad.0.log which you can safely ignore. If you have iApps LX configured and the iApp is not syncing, then this will impact traffic if a failover event occurs.
Workaround:
None.
Fix:
iApps LX now sync correctly.
599285-1 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
Vulnerability Solution Article: K51390683
599220 : AD/LDAP groupmapping have no webtop-section assign
Component: Access Policy Manager
Symptoms:
Unlike Full Resource Assign, AD/LDAP group mapping has no webtop section assignment.
Conditions:
Always
Impact:
Unable to assign the resources to a webtop section. It is still possible to configure this in the VPE using two agents.
Workaround:
1. Use full resource assign after group mapping
2. Configure sections in tmsh - agent is the same as in full resource assign
Fix:
Webtop Sections are added to Groupmapping UI
599168 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Vulnerability Solution Article: K35520031
599135 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump
Component: Local Traffic Manager
Symptoms:
B2250 blades may suffer from persistently elevated TMM CPU utilization after tcpdump has been in use.
Conditions:
Run tcpdump on a B2250 platform
Impact:
Increment in TMM CPU utilization with every run of tcpdump.
Workaround:
Restart TMM, avoid the use of tcpdump.
Fix:
B2250 blades no longer suffer from high TMM CPU utilisation with tcpdump
599054 : LTM policies may incorrectly use those of another virtual server
Component: Local Traffic Manager
Symptoms:
LTM policies may use policies configured on another virtual server.
Conditions:
- A configuration with several virtual servers and several LTM policies attached to those virtual servers.
- Configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.
Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.
Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync, issuing a bigstart restart command or restarting the device clears this condition.
Fix:
LTM policies no longer incorrectly use those of another virtual server
599033 : Traffic directed to incorrect instance after network partition is resolved
Component: TMOS
Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network.
Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.
Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.
Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.
Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.
598983 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Vulnerability Solution Article: K35520031
598981 : APM ACL does not get enforced all the time under certain conditions
Component: Access Policy Manager
Symptoms:
APM ACL does not get enforced all the time under certain conditions
Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy (construction of the ACL windows is prolonged).
2. Concentration of connections into one TMM (e.g., the VPN feature).
3. A small number of TMMs (e.g., BIG-IP low-end platforms or Virtual Edition (VE) configurations).
4. The application starts with a high number of concurrent connections.
Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.
Workaround:
Mitigation: an administrator can kill the affected session, which forces the user to log in again and restarts the ACL construction process.
Fix:
Context switching while the ACL is applied is now processed correctly, so the ACL is no longer left unenforced.
598917 : TMSH and GUI might display a different common name from the one used by the system and from the one displayed in the past.
Component: TMOS
Symptoms:
When the certificate contains multiple common names in its subject, TMSH and the GUI might display a different common name from the one the system uses. This also differs from the behavior in earlier releases.
Conditions:
When the certificate contains multiple common names in its subject.
Impact:
When the server name (SNI) is not configured in a clientSSL profile, the system uses the common name of the profile's certificate as its server name, and uses it to match and look up clientSSL profiles when the SSL client specifies SNI in the ClientHello. So when a clientSSL profile uses a certificate with multiple common names in the subject, the system might display a different common name from the one used to match and look up clientSSL profiles whose server name is not configured.
Fix:
When multiple common names are listed in a certificate, the last CN will be displayed and used.
598874 : GTM Resolver sends FIN after SYN retransmission timeout
Component: Local Traffic Manager
Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.
Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.
Impact:
Firewalls may log the FIN as a possible attack.
Fix:
The GTM Resolver no longer sends anything in response to a SYN retransmission timeout.
598860 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
Component: Local Traffic Manager
Symptoms:
The IP::addr iRule command can be used to extract the IPv4 address embedded in an IPv6 address, but instead it converts the address into an IPv4-compatible IPv6 address.
Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}
Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1
Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1
Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.
Impact:
Address is converted into an IPv4-compatible IPv6 address.
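To make the masking semantics concrete, here is a small Python helper, added here as an illustration; it is not F5 code and not part of this release note. It applies an IPv6 netmask to an IPv6 address and, when the result fits in the low 32 bits (as it does after masking with ::ffff:ffff), presents it as a plain IPv4 address, which is the expected result above. It also reproduces the IPv4-compatible spelling (::a.b.c.d) that the affected builds log as the actual result. The function names are my own.

```python
import ipaddress


def mask_ipv6(addr: str, mask: str) -> int:
    """Bitwise-AND an IPv6 address with an IPv6 netmask.

    Both arguments are textual IPv6 addresses; the result is the masked
    128-bit value as an integer.
    """
    return int(ipaddress.IPv6Address(addr)) & int(ipaddress.IPv6Address(mask))


def embedded_ipv4(addr: str, mask: str) -> str:
    """Expected IP::addr behaviour per the release note.

    If the masked value fits in the low 32 bits, return it as a dotted-quad
    IPv4 address; otherwise return the masked IPv6 address unchanged.
    """
    masked = mask_ipv6(addr, mask)
    if masked >> 32 == 0:
        return str(ipaddress.IPv4Address(masked))
    return str(ipaddress.IPv6Address(masked))


def ipv4_compatible_form(addr: str, mask: str) -> str:
    """The 'actual result' the affected builds produce.

    Same low 32 bits, but spelled as an IPv4-compatible IPv6 address
    (::a.b.c.d). Raises if the masked value does not fit in 32 bits.
    """
    masked = mask_ipv6(addr, mask)
    if masked >> 32 != 0:
        raise ValueError("masked value does not fit in 32 bits")
    return "::" + str(ipaddress.IPv4Address(masked))


if __name__ == "__main__":
    # Sample input taken from the release note's own example.
    sample = ("2A01:CB09:8000:46F5::A38:1", "::ffff:ffff")
    print("expected:", embedded_ipv4(*sample))                   # 10.56.0.1
    print("actual on affected builds:", ipv4_compatible_form(*sample))  # ::10.56.0.1
```

The low 32 bits of the sample address are 0x0A38:0001, which is why the expected output is 10.56.0.1; an ACL or logging iRule that compares the returned string against an IPv4 literal will silently fail to match on affected builds because of the leading "::".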
598854-4 : sipdb tool incorrectly displays persistence records without a pool name
Component: Service Provider
Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool) are not displayed properly by sipdb.
Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.
Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.
Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.
598700-1 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers
Component: Service Provider
Symptoms:
Messages received by different virtual servers (sharing the same router) cannot be routed correctly using call-id persistence.
Conditions:
A router with multiple virtual servers bridging between networks is not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.
Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.
Fix:
The fix corrects the identification of which end of the bidirectional persistence entry a message arrived on, so that the message is forwarded to the proper device.
598697-2 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
Component: TMOS
Symptoms:
After installing v12.1.0 on a vCMP host system the guests don't start anymore and remain in "failed" state.
Errors similar to these are logged in the ltm log file:
Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED
Conditions:
- The vCMP host is upgraded to v12.1.0 or later.
- The vCMP host system was originally installed with v11.6.0 or an older build.
Impact:
After installing v12.1.0 on a vCMP host system, the guests don't start anymore and remain in the "failed" state.
Workaround:
Workaround is to run the following command:
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
then:
bigstart restart vcmpd
598498 : Cannot remove Self IP when an unrelated static ARP entry exists.
Component: TMOS
Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.
Conditions:
A static ARP entry exists, and there are no self IP addresses on the same subnet as that entry. In this condition, none of the self IP addresses can be deleted.
Impact:
You must delete the static ARP entries in order to delete self IP addresses.
Workaround:
None.
Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.
598443 : Temporary files from TMSH not being cleaned up intermittently.
Component: TMOS
Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can contain leftover, unused directories if TMSH was terminated abruptly and did not get a chance to clean them up.
Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.
Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and lead to out-of-memory exceptions.
Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.
Fix:
TMSH now removes all temporary files as expected.
598419 : Edge client requests include ID
Component: Access Policy Manager
Symptoms:
Edge client requests sometimes include a session ID in the URI.
Conditions:
Edge client is used to establish a VPN connection through a TLS-terminating proxy.
Impact:
Possible session ID disclosure to trusted intermediaries.
Workaround:
None.
Fix:
The session ID is no longer included in the URI, which is the correct behavior.
598294 : BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
Vulnerability Solution Article: K17119920
598211 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
Component: Access Policy Manager
Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.
Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.
Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.
Workaround:
For StoreFront integration mode, the iApp creates an iRule that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver URI ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.
when HTTP_REQUEST {
if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
HTTP::path "/Citrix/$store_name/"
}
}
Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.
598204 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Component: Local Traffic Manager
Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.
Impact:
A TCP virtual server might use a larger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.
Workaround:
None.
Fix:
In syncookie mode, the system now honors the MSS value set in the TCP profile when the BIG-IP system sends back the SYN-ACK.
Behavior Change:
In syncookie mode, the system now honors the MSS value set in the TCP profile when the BIG-IP system sends back the SYN-ACK.
598200 : Migrating iControl SOAP interface and logic for OCSP related configuration
Component: TMOS
Symptoms:
1. The interface LocalLB.OCSPStaplingParameters has been migrated to the Management.CertificateValidatorOCSP interface.
For example, to create a new OCSP object:
Old iControl API: proxy.LocalLB.OCSPStaplingParameters.create()
New iControl API: proxy.Management.CertificateValidatorOCSP.create()
Note that although the old iControl API calls are deprecated, they still work. Internally they are converted into the new API calls. For example, if you create an OCSP object using the old call proxy.LocalLB.OCSPStaplingParameters.create(), the system behaves as if you had called proxy.Management.CertificateValidatorOCSP.create().
While the interface LocalLB.OCSPStaplingParameters is migrated to Management.CertificateValidatorOCSP, most of the original API calls are preserved, except set_trusted_certificate_authority, get_trusted_certificate_authority, set_use_proxy_server_state, and get_use_proxy_server_state. These are no longer available in the new Management.CertificateValidatorOCSP interface.
use_proxy_server specified whether the OCSP object used proxy_server or dns_resolver. Starting from 13.0.0, only one of proxy_server and dns_resolver may be configured on an OCSP object, so the use_proxy_server flag is no longer needed.
trusted_certificate_authority held the issuer CA certificate for both the OCSP server and the certificate to be monitored. Starting from 13.0.0, the trusted_certificate_authority configuration is replaced by the issuer certificate configured on the certificate to be monitored.
Example:
To assign the issuer certificate for the certificate to be monitored, use
Management.KeyCertificate.set_issuer_certificate()
2. OCSP monitoring for certificates
Starting from 13.0.0, OCSP monitoring is associated directly with the SSL certificate instead of the clientSSL profile. In other words, if a certificate is associated with an OCSP object and OCSP monitoring is enabled, the system keeps connecting to the OCSP server according to the OCSP configuration and updates the certificate status periodically, regardless of the configuration or activity of any clientSSL profile.
Example:
To associate a certificate with an OCSP object, use
Management.KeyCertificate.add_certificate_validator()
Example:
To enable OCSP monitoring for the certificate, use
Management.KeyCertificate.set_certificate_status_validation_options()
Example:
To check the status of the certificate and its OCSP connection, use
Management.KeyCertificate.get_certificate_validation_status()
3. Enabling OCSP stapling for a clientSSL profile
If any of the SSL certificates used by the clientSSL profile has OCSP monitoring enabled, the clientSSL profile can enable the ocsp-stapling option, which allows the BIG-IP system to staple the OCSP response carrying the certificate status to the certificate sent to the SSL client during the SSL handshake.
Example:
To enable OCSP stapling for the clientSSL profile, use
LocalLB.ProfileClientSSL.set_ocsp_stapling_state()
Old iControl method: add the OCSP object to the clientSSL profile with
LocalLB.ProfileClientSSL.set_certificate_key_chain_ocsp_stapling_parameters()
Note that although the old iControl calls are deprecated, they still work. Internally they are converted into the new API calls: if you configure an OCSP object on a clientSSL profile, the system performs steps 2 and 3 above, that is, it assigns the OCSP object to the certificate (instead of the clientSSL profile), enables OCSP monitoring for the certificate, and then enables OCSP stapling for the clientSSL profile.
4. Documentation and redirection
Deprecation notes and redirection information have been added to the IDL files, so they appear in the descriptions of the iControl methods.
Conditions:
When you need to configure OCSP object or use OCSP stapling for clientSSL profile using iControl SOAP.
Impact:
If you use a deprecated API call, the system converts it internally and performs as if you were using the new API. It is recommended that you use the new iControl SOAP API to configure OCSP-related functions.
Workaround:
None needed.
Fix:
This version of the software has a new iControl SOAP API to configure OCSP related functions.
The migrated interfaces, the removed methods, and the handling of deprecated calls are as described under Symptoms above.
Behavior Change:
The iControl SOAP interface for OCSP configuration has changed as described under Symptoms above: LocalLB.OCSPStaplingParameters is migrated to Management.CertificateValidatorOCSP, OCSP monitoring is configured on the certificate rather than on the clientSSL profile, and deprecated calls are converted internally to the new API.
598199 : Migrating tmsh commands and logic for OCSP related configuration
Component: TMOS
Symptoms:
Migrating tmsh commands and logic for OCSP-related configuration
1. To create, modify, or delete an OCSP object:
Old tmsh command: "ltm profile ocsp-stapling-params"
New tmsh command: "sys crypto cert-validator ocsp"
Example: create an OCSP object
tmsh create sys crypto cert-validator ocsp my_ocsp1 dns-resolver test-dns
Note that although the old tmsh commands are deprecated, they still work. Internally they are converted into the new commands: if you configure an OCSP object using the old tmsh command "ltm profile ocsp-stapling-params", the system behaves as if you had issued "sys crypto cert-validator ocsp".
While "ltm profile ocsp-stapling-params" is migrated to "sys crypto cert-validator ocsp", most of the original items are preserved, except "use-proxy-server" and "trusted-ca". These no longer appear in the new tmsh command "sys crypto cert-validator ocsp".
use-proxy-server specified whether the OCSP object used proxy_server or dns_resolver. Starting from 13.0.0, only one of proxy_server and dns_resolver may be configured on an OCSP object, so the use-proxy-server flag is no longer needed.
trusted-ca held the issuer CA certificate for both the OCSP server and the certificate to be monitored. Starting from 13.0.0, the trusted-ca configuration is replaced by the "issuer-cert" of the certificate to be monitored.
Example: configure issuer-cert for the certificate to be monitored
tmsh modify sys crypto cert dummy.crt issuer-cert chainCA.crt
2. OCSP monitoring for certificates
Starting from 13.0.0, OCSP monitoring is associated directly with the SSL certificate instead of the clientSSL profile. In other words, if a certificate is associated with an OCSP object and OCSP monitoring is enabled, the system keeps connecting to the OCSP server according to the OCSP configuration and updates the certificate status periodically, regardless of the configuration or activity of any clientSSL profile.
Example: associate a certificate with an OCSP object
tmsh modify sys crypto cert dummy.crt issuer-cert chainCA.crt cert-validators add { my_ocsp1 }
Example: enable OCSP monitoring for the certificate
tmsh modify sys crypto cert dummy.crt cert-validation-options { ocsp }
Example: check the status of the certificate and its OCSP connection
tmsh show sys crypto cert dummy.crt
3. Enabling OCSP stapling for a clientSSL profile
If any of the SSL certificates used by the clientSSL profile has OCSP monitoring enabled, the clientSSL profile can enable the ocsp-stapling option, which allows the BIG-IP system to staple the OCSP response carrying the certificate status to the certificate sent to the SSL client during the SSL handshake.
Example: enable OCSP stapling for the clientSSL profile
tmsh modify ltm profile client-ssl cssl ocsp-stapling enabled
Old tmsh command: add the OCSP object to the clientSSL profile
tmsh modify ltm profile client-ssl cssl cert-key-chain modify { dummy { ocsp-stapling-params my_ocsp1 } }
Note that although the old tmsh commands are deprecated, they still work. Internally they are converted into the new commands: if you configure an OCSP object on a clientSSL profile, the system performs steps 2 and 3 above, that is, it assigns the OCSP object to the certificate (instead of the clientSSL profile), enables OCSP monitoring for the certificate, and then enables ocsp-stapling for the clientSSL profile.
4. tmsh warning messages
When you use the deprecated tmsh commands, tmsh displays warnings that the commands are deprecated. For example:
[api-status-warning] ltm/profile/ocsp-stapling-params is deprecated
[api-status-warning] ltm/profile/client-ssl, properties : deprecated : cert-key-chain/ocsp-stapling-params
These warning messages can be disabled with:
tmsh modify mgmt shared settings api-status log resource deprecatedApiAllowed false
tmsh modify mgmt shared settings api-status log resource-property deprecatedApiAllowed false
5. Documentation and redirection
Directions to the new tmsh commands can be found in the help text of the deprecated commands. For example:
root@(big6)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm profile ocsp-stapling-params ?
[object identifier] Deprecated since v13.0.0. Use sys crypto cert-validator ocsp instead. Name of the object.
root@(big6)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm profile client-ssl cssl cert-key-chain modify { dummy { ocsp-stapling-params ?
Deprecated since v13.0.0. Please use modify sys crypto cert to configure an OCSP validator for the certificate and use modify ltm profile client-ssl to enable ocsp-stapling for the clientssl profile.
Specifies the OCSP Stapling Parameters object associated with this cert-key-chain object in a clientssl profile.
Conditions:
When you need to configure OCSP object or use OCSP stapling for clientSSL profile using tmsh.
Impact:
You will need to use the new commands to configure OCSP-related functions. If you issue an old command, the system converts it internally and performs as if you had used the new command. In addition, warning messages are displayed on the screen.
For example,
[api-status-warning] ltm/profile/ocsp-stapling-params is deprecated
[api-status-warning] ltm/profile/client-ssl, properties : deprecated : cert-key-chain/ocsp-stapling-params
These warning messages can be disabled by:
tmsh modify mgmt shared settings api-status log resource deprecatedApiAllowed false
tmsh modify mgmt shared settings api-status log resource-property deprecatedApiAllowed false
Workaround:
None needed. This is an Action Item.
Fix:
Migrating tmsh commands and logic for OCSP related configuration
1. To create/modify/delete an OCSP object:
Old tmsh command: "ltm profile ocsp-stapling-params"
New tmsh command: "sys crypto cert-validator ocsp"
Example: create an OCSP object
tmsh create sys crypto cert-validator ocsp my_ocsp1 dns-resolver test-dns
Note that although the old tmsh commands are being deprecated, you can still see them working.
However they will internally be converted into the new commands in the system. In other words if the user configures an OCSP object using the old tmsh command "ltm profile ocsp-stapling-params", the system will perform as if the user is giving "sys crypto cert-validator ocsp".
While "ltm profile ocsp-stapling-params" are migrated to "sys crypto cert-validator ocsp", most of the original items are preserved except "use-proxy-server" and "trusted-ca". They will no longer appear in the new tmsh command "sys crypto cert-validator ocsp".
use-proxy-server was used to specify whether the OCSP object to use proxy_server or dns_resolver. However starting from 13.0.0, only one of them (proxy_server and dns_resolver) is allowed to be configured to an OCSP object and therefore the use-proxy-server flag is no longer needed.
trusted-ca is meant for the issuer CA certificate for both of the OCSP server and the certificate to be monitored. Starting from 13.0.0 the configuration of trusted-ca is replaced by the "issuer-cert" for the certificate to be monitored.
Example: configure issuer-cert for the certificate to be monitored
modify sys crypto cert dummy.crt issuer-cert chainCA.crt
2. OCSP monitoring for certificate
Starting from 13.0.0, the OCSP monitoring is directly associated with SSL certificate instead of clientSSL profile. In other words, if a certificate is associated with an OCSP object and enable the OCSP monitoring, then the system will keep connecting to the OCSP server based on the OCSP configuration, and update the certificate status periodically, regardless the configuration or activities of any clientSSL profile.
Example: associate a certificate with an OCSP object
tmsh modify sys crypto cert dummy.crt issuer-cert chainCA.crt cert-validators add { my_ocsp1 }
Example: enable OCSP monitoring for the certificate
tmsh modify sys crypto cert dummy.crt cert-validation-options { ocsp }
Example: check the status for the certificate and its OCSP connection
tmsh show sys crypto cert dummy.crt
3. Enable OCSP stapling for clientSSL profile
If any of the SSL certificates used by the clientSSL profile has OCSP monitoring enabled, then the clientSSL profile can enable the ocsp-stapling option to allow the BIG-IP to staple the OCSP response for the certificate status with the certificate to the SSL client during SSL handshake.
Example: enable OCSP stapling for the clientSSL profile
tmsh modify ltm profile client-ssl cssl ocsp-stapling enabled
Old tmsh command: add OCSP object to the clientSSL profile
tmsh modify ltm profile client-ssl cssl cert-key-chain modify { dummy { ocsp-stapling-params my_ocsp1 } }
Note that although the old tmsh commands are deprecated, they still work.
Internally they are converted into the new commands. In other words, if the user assigns an OCSP object to a clientSSL profile, the system performs Steps 2 and 3 above: it assigns the OCSP object to the certificate (instead of the clientSSL profile), enables OCSP monitoring for the certificate, and then enables ocsp-stapling for the clientSSL profile.
4. tmsh warning messages
When the user runs the deprecated tmsh commands, tmsh prints warnings that the commands are deprecated.
For example,
[api-status-warning] ltm/profile/ocsp-stapling-params is deprecated
[api-status-warning] ltm/profile/client-ssl, properties : deprecated : cert-key-chain/ocsp-stapling-params
These warning messages can be disabled by:
tmsh modify mgmt shared settings api-status log resource deprecatedApiAllowed false
tmsh modify mgmt shared settings api-status log resource-property deprecatedApiAllowed false
5. Documentation and redirection
The documentation of each deprecated command points to the new tmsh command. For example,
root@(big6)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm profile ocsp-stapling-params ?
[object identifier] Deprecated since v13.0.0. Use sys crypto cert-validator ocsp instead. Name of the
object.
root@(big6)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm profile client-ssl cssl cert-key-chain modify { dummy { ocsp-stapling-params ?
Deprecated since v13.0.0. Please use modify sys crypto cert to configure an OCSP validator for the
certificate and use modify ltm profile client-ssl to enable ocsp-stapling for the clientssl profile.
Specifies the OCSP Stapling Parameters object associated with this cert-key-chain object in a clientssl
profile.
Behavior Change:
The migration of tmsh commands and logic for OCSP related configuration is as described under Fix above: OCSP objects are created with "sys crypto cert-validator ocsp", OCSP monitoring is configured per certificate, ocsp-stapling is enabled on the clientSSL profile, and the deprecated commands print warnings and redirect to the new ones.
598052 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
Component: Local Traffic Manager
Symptoms:
When enabling the SSL Forward Proxy "Cache Certificate by Addr-Port" on the client SSL profile, later flows on cached certificate lookups by "Addr-Port" do not hit the cache.
Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".
Impact:
The client-side certificate lookup fails, which may trigger an unnecessary server-side SSL handshake.
Fix:
With this fix, certificate lookups by "Addr-Port" can hit the cache.
598039 : MCP memory may leak when performing a wildcard query
Component: TMOS
Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.
Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).
Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).
Workaround:
Do not perform wildcard queries.
Fix:
Stopped MCP leaking when wildcard queries are performed.
597978 : GARPs may be transmitted by active going offline
Component: Local Traffic Manager
Symptoms:
GARPs may be transmitted by the active when going offline. As the standby which takes over for the active will also transmit GARPs, it is not expected that this will cause impact.
Conditions:
Multiple traffic-groups configured and active goes offline.
Impact:
It is not expected that this will cause any impact.
Workaround:
Make the unit standby before forcing offline.
597900 : iControl REST may core when logging in immediately after a reboot
Component: TMOS
Symptoms:
In rare conditions, iControl REST may core when logging in immediately after restarting the BIG-IP system.
Conditions:
This happens when all the necessary services required by iControl REST are not fully initialized upon restart.
Impact:
Impacts usability of iControl REST. This is a rare occurrence.
Workaround:
Avoid logging in immediately to the BIG-IP after a reboot.
Fix:
iControl REST no longer cores when logging in immediately after restarting the BIG-IP system.
597899 : Disabling all pool members may not be reflected in Virtual Server status
Component: Local Traffic Manager
Symptoms:
When all pool members are set to session-disable, the expectation is that persistent connections will be drained, and the virtual server shouldn't accept new incoming connections.
- Simply disabling (not forcing down) a node does not bubble up to pool status, because it switches from green-enabled to green-disabled (staying green is seen as a non-change).
- Since the pool enabled/disabled state is not updated, this does not bubble up to the virtual, which also stays green-enabled.
Conditions:
See above
Impact:
Disabling all members of a pool may not be reflected in Virtual Server status, indicating it is green enabled when in fact it has been disabled indirectly by disabling all members of the related pool.
Workaround:
N/A
Fix:
Green-Disabled status roll-up to Pool (from Pool Member / Node Address) is still necessary. But instead of marking the Virtual Server Yellow, which would stop existing traffic flows on the Virtual, BIG-IP will propagate the Green-Disabled status to the Virtual Server as well.
So in the case where all the Pools associated with a Virtual Server are Green-Disabled (because all the Pool Members for all the Pools are Green-Disabled), the status of the Virtual Server will become Green-Disabled. As soon as any Pool (Pool Member) becomes Green-Enabled, the Virtual Server will also become Green-Enabled.
Note that Green-Disabled shows up as Gray in the GUI.
597879 : CDG Congestion Control can lead to instability
Component: Local Traffic Manager
Symptoms:
Debug TMM crashes when CDG computes an abnormally high or low TCP congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.
Conditions:
Running the Debug TMM with CDG Congestion Control.
Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.
Workaround:
Use a congestion control algorithm other than CDG.
Switch to the default TMM.
Fix:
Fixed congestion window calculation in CDG.
597835 : Branch parameter in inserted VIA header not consistent as per spec
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a Via header into SIP request messages and removes it from the returned response message. The branch parameter of that Via header carries encrypted routing information used to route the response. The SIP specification (RFC 3261) requires all requests in the same transaction (for example an INVITE and the CANCEL that cancels it) to carry the same branch parameter, but the code that encrypts the branch field returns a different value each time it is called.
Conditions:
SIP Via header insertion is enabled in the SIP MRF profile on the BIG-IP, and an INVITE needs to be cancelled.
Impact:
Some servers verify that the branch field in the Via header does not change within a transaction. These servers complain when they see the field change.
Fix:
The code has been improved to ensure the branch field in the via header does not change.
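To show the property the fix restores, here is an added Python example; it is not F5's code and not the MRF SIP implementation. It packs keyed, recoverable routing information into a Via branch and derives the value deterministically from the transaction identity (Call-ID, CSeq number and From tag, with the CSeq method deliberately left out), so the CANCEL for an INVITE gets the same branch as the INVITE, while a random nonce reproduces the pre-fix "different value each call" behaviour. The device secret, the transaction-id layout and the toy keystream construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAGIC_COOKIE = "z9hG4bK"                        # RFC 3261 branch prefix
DEVICE_KEY = b"hypothetical-per-device-secret"  # assumption: one secret per BIG-IP


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def transaction_id(call_id: str, cseq_number: int, from_tag: str) -> bytes:
    """Identity shared by every request of one client transaction. The CSeq method
    is excluded on purpose so an INVITE and its CANCEL map to the same id."""
    return f"{call_id}|{cseq_number}|{from_tag}".encode()


def encode_branch(routing_info: bytes, txn_id: bytes, nonce: bytes = None) -> str:
    """Pack routing_info into a Via branch parameter.

    nonce=None derives the IV from the transaction id and the plaintext (SIV-style),
    so the same transaction always yields the same branch. Passing a fresh random
    nonce reproduces the pre-fix behaviour: a different branch on every call."""
    if nonce is None:
        iv = hmac.new(DEVICE_KEY, txn_id + routing_info, hashlib.sha256).digest()[:8]
    else:
        iv = nonce
    ks = _keystream(DEVICE_KEY, iv, len(routing_info))
    ct = bytes(p ^ k for p, k in zip(routing_info, ks))
    tag = hmac.new(DEVICE_KEY, iv + ct, hashlib.sha256).digest()[:8]
    return MAGIC_COOKIE + (iv + ct + tag).hex()


def decode_branch(branch: str) -> bytes:
    """Recover routing_info from a branch we produced; rejects tampered values."""
    if not branch.startswith(MAGIC_COOKIE):
        raise ValueError("not an RFC 3261 branch")
    raw = bytes.fromhex(branch[len(MAGIC_COOKIE):])
    if len(raw) < 16:
        raise ValueError("branch too short")
    iv, ct, tag = raw[:8], raw[8:-8], raw[-8:]
    expected = hmac.new(DEVICE_KEY, iv + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("branch authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(DEVICE_KEY, iv, len(ct))))


def branch_pre_fix(routing_info: bytes, txn_id: bytes) -> str:
    """Pre-fix behaviour: fresh randomness per call, so INVITE and CANCEL differ."""
    return encode_branch(routing_info, txn_id, nonce=secrets.token_bytes(8))
```

Both encodings remain decodable by the device that produced them; only the deterministic one satisfies the per-transaction constancy that the affected servers check.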
597828 : SSL forward proxy crashes in some cases
Component: Local Traffic Manager
Symptoms:
SSL forward proxy crashes when a check in the state machine is called with something other than a fwdp lookup result
Conditions:
SSL forward proxy is enabled.
Impact:
SSL forward proxy crashes sometimes.
Workaround:
None.
Fix:
Fixed a crash in the SSL forward proxy.
597823 : Erroneous syncookie validation in HSB causes the BIG-IP system choose the wrong MSS value
Component: TMOS
Symptoms:
When tmm uses the software encoding algorithm to generate SYN cookies in a SYN/ACK packet, there is a chance that the HSB mistakenly identifies the ACK response to that SYN/ACK as a valid SYN cookie response and stamps a SYNCOOKIE_VALID flag on the packet. In that case the software tries to extract the MSS (maximum segment size) value encoded in the SYN cookie and obtains a wrong value. This may cause connections to fail in subsequent transactions or degrade performance.
Conditions:
Software SYN cookie protection mode is active and the software encoding algorithm is in use.
Impact:
Connections either fail, or a smaller-than-expected MSS value degrades performance.
Fix:
When the software SYN cookie encoding algorithm is in use, tmm ignores the SYNCOOKIE_VALID flag stamped by the HSB and calculates the correct MSS value.
597818 : Unable to configure IPsec NAT-T to "force"
Component: TMOS
Symptoms:
When configuring IPsec NAT traversal to "Force", the behavior is as if the setting is "Off".
Conditions:
Configuring IPsec NAT Traversal to Force
Impact:
NAT-T does not work
Workaround:
Configure NAT-T to On instead.
597766 : FPS Live update after re-license
Component: TMOS
Symptoms:
Latest Update Details are lost in FPS Engine and Signatures Updates.
Conditions:
License renewal.
Impact:
You will not know when the update was created or the last time it was updated.
Workaround:
bigstart restart datasyncd
Fix:
Now details are restored automatically after re-license.
597729 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:
1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
597708 : Stats are unavailable and VCMP state and status is incorrect
Component: Local Traffic Manager
Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.
This is VCMP related.
The guest virtual-disk always shows in-use, even when the guest is not in the running state.
When the guest OS is shut down, the GUI and TMSH do not show accurate information about status.
Conditions:
If a directory is removed from /shared/tmstat/snapshots, merged might run at 100% CPU utilization and become unresponsive.
Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.
VCMP guest OS status is reported incorrectly.
Workaround:
If merged is hung, restart the daemon using the following command:
bigstart restart merged
To prevent the issue from occurring, disable tmstat snapshots using the following command:
tmsh modify sys db merged.snapshots value false
Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.
597621 : Packet filter does not work.
Component: Local Traffic Manager
Symptoms:
- Packet filter has been created, can be seen in web GUI or as output of the following command: tmsh list net packet-filter.
- Packet filter does not work.
Conditions:
Some packet filter expressions compile to complex Berkeley (or BSD) Packet Filter (BPF) code that contains a loop. TMM does not support BPF code with loops and does not instantiate such a rule, so the rule is never triggered. For example, ip6 protochain 6 is a valid pcap expression that MCP accepts, but TMM is stricter and rejects it because it contains a loop, which is not allowed.
Impact:
Filter does not work. The rule does not get triggered, and failure occurs silently.
Workaround:
Currently there is no easy way to determine whether a filter rule is working properly, because no message indicates that the rule failed and the rule still appears in the GUI and in tmsh output. The only way to diagnose the issue is by its symptoms, for example packets not being filtered as expected.
Fix:
In this release, when a packet filter definition results in a loop, or another unsupported expression, the system posts a message similar to the following: 01070087:3: Packet filter rule '/Common/protochain': This filter expression is not supported.
597532 : iRule: RADIUS avp command returns a signed integer
Component: Local Traffic Manager
Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.
Conditions:
iRules using RADIUS::avp to retrieve data
Impact:
iRules using the RADIUS::avp command will not work as expected.
Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:
ltm rule radius_avp_integer {
when CLIENT_DATA {
set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
}
}
Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.
Fix:
Ensure that we are using unsigned integers for RADIUS AVPs.
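As an added example (not the iRule engine's code), the following Python shows where the sign error comes from. It builds a constructed RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) whose 32-bit "integer" sub-attribute has the high bit set, walks the sub-attributes with length checks, and reads the value both as signed (the pre-fix behaviour) and as unsigned (the correct reading); the same masking used in the workaround above maps the signed reading back to the intended value. The vendor-id and vendor-type values are hypothetical.

```python
import struct

VENDOR_ID = 12345       # hypothetical vendor id, not a real IANA assignment
VENDOR_TYPE = 7         # hypothetical vendor-type carrying an "integer" value
SAMPLE_VALUE = 0xFFFFFFFE   # 4294967294 unsigned, but -2 if read as signed 32-bit
VSA_TYPE = 26


def build_vsa(vendor_id, subattrs):
    """Encode a Vendor-Specific Attribute holding (vendor_type, 32-bit int) pairs."""
    body = struct.pack("!I", vendor_id)
    for vendor_type, value in subattrs:
        # vendor-type (1), vendor-length (1, includes itself), 4-byte integer
        body += struct.pack("!BBI", vendor_type, 6, value & 0xFFFFFFFF)
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def parse_vsa_integer(avp, vendor_id, vendor_type, signed=False):
    """Return the integer sub-attribute matching vendor_type.

    signed=True mirrors the pre-fix RADIUS::avp behaviour; a RADIUS 'integer'
    is an unsigned 32-bit value, so the default is the correct reading."""
    if len(avp) < 6 or avp[0] != VSA_TYPE or avp[1] != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    (vid,) = struct.unpack("!I", avp[2:6])
    if vid != vendor_id:
        raise ValueError("vendor id mismatch")
    pos = 6
    while pos < len(avp):
        if pos + 2 > len(avp):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = avp[pos], avp[pos + 1]
        if vlen < 2 or pos + vlen > len(avp):
            raise ValueError("bad vendor sub-attribute length")
        if vtype == vendor_type:
            if vlen != 6:
                raise ValueError("integer sub-attribute must be 4 bytes")
            fmt = "!i" if signed else "!I"
            return struct.unpack(fmt, avp[pos + 2:pos + vlen])[0]
        pos += vlen
    raise KeyError("vendor-type not present")


def to_unsigned32(value):
    """The workaround's mask: map a signed 32-bit reading back to unsigned."""
    return value & 0xFFFFFFFF
```

Running parse_vsa_integer with signed=True on the sample returns -2, which is the value the affected iRules saw; the unsigned reading returns 4294967294.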
597528 : define default score for fps-generated alerts
Component: Fraud Protection Services
Symptoms:
Several fps-generated alerts do not have default score
Conditions:
FPS alert is generated.
Impact:
You are unable to differentiate alerts by score for multiple FPS alerts.
Workaround:
Default score has been added to all requested alerts.
Fix:
All requested alerts (components_validation, user_defined, referrer_check, encryption_failure) now have fpm_score field present with user-defined score.
597471-1 : Some Alerts are sent with outdated username value
Component: Fraud Protection Services
Symptoms:
user-defined, components validation and vtrack Alerts are sent with outdated username value
Conditions:
Log in, then log in again with different user (with conditions to generate an alert)
Impact:
Alert is sent with username of the first login
Fix:
Alerts sending is blocked until after parameters processing is done
597431 : VPN establishment may fail when computer wakes up from sleep
Component: Access Policy Manager
Symptoms:
EdgeClient does not clean up the routing table before Windows hibernates. This may cause VPN establishment to fail when the computer wakes up, and may also cause other network connectivity issues.
Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation
Impact:
Issues with Network connectivity
Workaround:
Renew DHCP lease by running
ipconfig /renew
or
reboot the machine.
597421 : DNS server setting configured on APM may not take effect on Linux
Component: Access Policy Manager
Symptoms:
In some cases DNS settings configured in network access configuration may not apply leading to DNS resolution failure for some backend DNS resources
Conditions:
-Linux CLI client is used
- the existing /etc/hosts file has more than two entries
Impact:
DNS resolution may fail for some names.
597405 : Mitigate SSL handshake delay when TCP nagle is enabled.
Component: Local Traffic Manager
Symptoms:
When TCP Nagle is enabled, SSL handshake messages that are sent and then wait for a reply are delayed by the Nagle algorithm.
Conditions:
TCP Nagle is enabled on the TCP profile.
Impact:
Each SSL handshake message that waits for a reply incurs additional delay.
Fix:
SSL now sends HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE to TCP for handshake messages that are sent and wait for a reply, which removes the Nagle delay for those messages.
597385 : Support for the Maximum Fragment Length TLS extension
Component: Local Traffic Manager
Symptoms:
RFC 4366 defines a TLS extension which limits the maximum fragment length the SSL server will send. The system ignores this.
Conditions:
A TLS client sends the Maximum Fragment Length TLS extension.
Impact:
Smaller IoT clients cannot connect because the default maximum fragment length is larger than they can handle.
Workaround:
There is no workaround.
Fix:
The BIG-IP TLS stack now honors the maximum fragment length requested by the TLS client.
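An added Python example (not the BIG-IP TLS stack) of the negotiation the fix implements: it builds a constructed ClientHello extensions block, parses the max_fragment_length extension (type 1; codes 1 to 4 select 2^9 to 2^12 bytes, as defined in RFC 4366 and carried forward in RFC 6066), returns the record size the server must honor, treats a code outside that range as a fatal handshake error as the RFC requires, and splits application data into records of the negotiated size. The server name in the sample is hypothetical.

```python
import struct

SERVER_NAME_EXT = 0
MAX_FRAGMENT_LENGTH_EXT = 1          # extension type "max_fragment_length"
DEFAULT_FRAGMENT_LENGTH = 2 ** 14    # TLS plaintext record limit when not negotiated
FRAGMENT_CODES = {1: 2 ** 9, 2: 2 ** 10, 3: 2 ** 11, 4: 2 ** 12}


def encode_extension(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def client_hello_extensions(max_fragment_code=None):
    """Constructed sample: the 'extensions' field of a ClientHello carrying a
    server_name entry (hypothetical host) and, optionally, max_fragment_length."""
    host = b"device.example.test"
    sni_list = struct.pack("!HBH", 3 + len(host), 0, len(host)) + host
    exts = encode_extension(SERVER_NAME_EXT, sni_list)
    if max_fragment_code is not None:
        exts += encode_extension(MAX_FRAGMENT_LENGTH_EXT, bytes([max_fragment_code]))
    return struct.pack("!H", len(exts)) + exts


def parse_extensions(blob):
    """Return [(type, data), ...]; every length field is checked so truncated or
    oversized input is rejected instead of being read past the buffer."""
    if len(blob) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    pos, out = 2, []
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension body")
        out.append((ext_type, blob[pos:pos + ext_len]))
        pos += ext_len
    return out


def negotiated_fragment_length(blob):
    """Server side of the extension: honor a valid request (and echo the same
    code back), use the default when the extension is absent, and abort with
    illegal_parameter on any other value."""
    for ext_type, data in parse_extensions(blob):
        if ext_type == MAX_FRAGMENT_LENGTH_EXT:
            if len(data) != 1 or data[0] not in FRAGMENT_CODES:
                raise ValueError("illegal_parameter: unsupported max_fragment_length")
            return FRAGMENT_CODES[data[0]], data[0]
    return DEFAULT_FRAGMENT_LENGTH, None


def fragment_records(plaintext, max_len):
    """Split application data so no record plaintext exceeds the negotiated limit."""
    return [plaintext[i:i + max_len] for i in range(0, len(plaintext), max_len)]
```

With code 1 negotiated, a 1500-byte response goes out as three records of 512, 512 and 476 bytes instead of one 1500-byte record, which is what the constrained client in the symptom description can actually buffer.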
597331 : Portal Access: HTML 'PARAM' tag cannot be handled correctly by Internet Explorer in IE5.5, IE7, or IE8 emulation modes.
Component: Access Policy Manager
Symptoms:
If HTML page contains dynamically created and/or modified PARAM tag with URL list value, this tag may not be handled correctly in Internet Explorer in IE5.5, IE7, or IE8 emulation modes.
Conditions:
- Internet Explorer in IE5.5, IE7 or IE8 emulation modes or native Internet Explorer versions 7 or 8.
- HTML page with dynamically created/modified 'PARAM' tag with URL list in value.
Impact:
JavaScript error appears during 'PARAM' tag value processing.
Workaround:
Use an iRule to add necessary JavaScript corrections to affected page.
Fix:
Now HTML pages with dynamically created/changed 'PARAM' tags are handled correctly by Portal Access in Internet Explorer IE5.5, IE7, or IE8 emulation modes.
597309 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
Component: TMOS
Symptoms:
The Maximum Members Per Trunk limit is 8 or 16 depending on platform, because of:
1. a limitation of an SDK from a third-party vendor, and
2. the number of external interfaces actually provided by earlier platforms.
Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.
Impact:
The existing number of interfaces per trunk is limited to either 8 or 16.
Workaround:
None
Fix:
New limit of 32 is implemented in 10000, Viprion 2400 and Viprion 4300. New limit 64 is implemented for Viprion 4450N.
597253 : HTTP::respond tcl command may incorrectly identify parameters as ifiles
Component: Local Traffic Manager
Symptoms:
The HTTP::respond iRule command may incorrectly identify parameters as an iFile parameter when attaching the iRule to a Virtual Server.
Conditions:
HTTP::respond command making use of a variable as a header name. For instance:
HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"
Configure a HTTP/TCP virtual server and attach the iRule.
Impact:
1070151:3: Rule [/Common/example_rule] error: Unable to find ifile (header_value_text) referenced at line 3: [HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"]
Workaround:
Ensure the offending header name and value are either both literal strings or variables.
Fix:
BigIP no longer incorrectly identifies parameters as an iFile parameter.
597214 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
It is possible to use iRule to rename field names in original code.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
597089 : Connections are terminated after 5 seconds when using ePVA full acceleration
Component: Local Traffic Manager
Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.
Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.
Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.
Workaround:
Disabling the PVA resolves the issue.
597023 : NTP vulnerability CVE-2016-4954
Vulnerability Solution Article: K82644737
597010 : NTP vulnerability CVE-2016-4955
Vulnerability Solution Article: K03331206
596997 : NTP vulnerability CVE-2016-4956
Vulnerability Solution Article: K64505405
596826 : Don't set the mirroring address to a floating self IP address
Component: TMOS
Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address
It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.
Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.
Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".
Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.
For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478
596815 : System DNS nameserver and search order configuration does not always sync to peers
Component: TMOS
Symptoms:
Modifying the System DNS nameserver and search order configuration, whether in the GUI or with tmsh modify sys db, does not always sync during an incremental sync.
Conditions:
The device is in a failover device group with incremental sync turned on.
In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.
In tmsh, tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search)
Impact:
Modifications will not change the sync status nor sync the change to peers.
Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.
Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.
Fix:
The sys db variables dns.domainname and dns.nameserver will now always sync across your failover device group.
596814 : HA Failover fails in certain valid AWS configurations
Component: TMOS
Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Conditions:
AWS deployments where the provided IP address matches more than one network object, for example other Amazon VPCs in the same Availability Zone that contain unrelated instances using the same IP address as the BIG-IP's floating IP address.
Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.
Fix:
Failover now narrows network description by filtering with VPC id.
596809 : It is possible to create ssh rules with blank space for auth-info
Component: Advanced Firewall Manager
Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:
create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }
Conditions:
This occurs when creating profile actions.
Impact:
Actions can be created with blank spaces in them where a validation error should be returned. These rules also cannot be deleted.
Workaround:
Do not create profile actions with blank spaces.
Fix:
BIG-IP will now throw a validation error if you create a profile action containing only a blank space.
596674 : High memory usage when using CS features with gzip HTML responses.
Component: Application Visibility and Reporting
Symptoms:
AVR consumes a lot of memory while decompressing responses. This can cause a tmm core under stress traffic.
Conditions:
-- Enabled Dosl7d virtual server with CS features.
-- The server is sending compressed responses.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.
596631 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
Component: Service Provider
Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.
For example, when the wrongly deleted listener is later meant to be deleted, there might be a SIGFPE with assertion failure "Assertion "bound listener" failed.".
Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.
Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.
Fix:
When a SIP media flow deny-listener is searched for deletion, an exact match is required that uniquely identifies the deny-listener, so that an unrelated listener is not deleted.
596569 : Memory leak on Central device in Symmetric deployment
Component: WebAccelerator
Symptoms:
When AAM is provisioned and symmetric configuration is deployed, a central unit will suffer a memory leak.
Conditions:
AAM is provisioned and a symmetric deployment is used.
Impact:
Due to memory leak BIG-IP will run out of memory and won't be able to properly serve new requests.
Fix:
The memory allocation that previously leaked is now released as soon as it is no longer required.
596556 : Deleting self-ip that could possibly strand pool member will throw warning instead
Component: TMOS
Symptoms:
Previously, validation would prevent self-ip from being deleted, if the self-ip could possibly strand a pool member.
Conditions:
Deleting a self-ip that could be used to reach an existing pool member.
Impact:
You will be unable to delete the self-ip address. Mcpd will throw an error "Cannot delete IP 10.10.10.1 because it would leave a pool member (pool /Common/mypool) unreachable."
Workaround:
Delete the pool member first, and then delete the self-ip.
Fix:
It is now possible to delete a self-ip that is on the same network as a pool member; the system issues a warning instead of preventing the deletion, as it did previously.
596502 : Unable to force Bot Defense action to Allow in iRule
Component: Advanced Firewall Manager
Symptoms:
When a request is being blocked (or challenged with CAPTCHA) because it comes from a suspicious browser, the action cannot be forced to allow in the iRule.
Conditions:
This occurs when a bot defense action is triggered on suspicious browser, and you wish to allow the request to go through anyway and not send a RST.
Impact:
The bot defense action cannot be forced to "allow"; the RST is still sent.
596488 : GraphicsMagick vulnerability CVE-2016-5118.
Vulnerability Solution Article: K82747025
596450 : TMM may produce a core file after updating SSL session ticket key
Component: Local Traffic Manager
Symptoms:
When regenerating SSL session ticket key, TMM may restart unexpectedly, leaving a core file.
Conditions:
When the value of ssl.sessionticketkey.regen is reached (every 3 days by default), TMM will regenerate its SSL session ticket key. This operation may lead to an assert: "shared random data inited".
Impact:
TMM core and restart.
Workaround:
None.
Fix:
Resolved a problem that could cause TMM to restart when regenerating the SSL session ticket key.
596433 : Virtual with lasthop configured rejects request with no route to client.
Component: Local Traffic Manager
Symptoms:
A virtual server with a lasthop pool configured rejects requests sourced from a MAC address that is not configured in the lasthop pool.
Conditions:
This issue occurs when the following conditions are met:
- Virtual with lasthop pool.
- Connection sourced from MAC address which is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.
Impact:
Connection is erroneously reset with no route to client.
Workaround:
- Change tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add the IP address of the lasthop member from which the client originates to the lasthop pool.
596340 : F5 TLS vulnerability CVE-2016-9244
Vulnerability Solution Article: K05121675
596336 : SSO object is not assigned to Access Profile on usage of Wizard
Component: Access Policy Manager
Symptoms:
With successful creation of APM-specific objects using Wizard, assigning an SSO object to a profile does not add the SSO object to the access profile.
Conditions:
Wizard should complete all the user steps, and create all required objects along with associations.
Impact:
Misleading, because the chosen SSO object is not associated with the profile. You must manually assign the SSO object to the profile after completing the wizard.
Workaround:
Assign the SSO object to the access profile on the profile's properties :: SSO :: Auth Domains tab in the UI, or using TMSH.
Fix:
The system now auto-creates the association between the profile and the SSO object on successful creation of APM-specific objects using the Wizard.
596330 : Portal Access does not preserve tag order in popup window's document
Component: Access Policy Manager
Symptoms:
Portal Access does not preserve tag order in the popup window's document body.
Conditions:
A web application that opens pop-up windows, with JavaScript code that tries to access the first element of the document body.
Impact:
The web application malfunctions.
Workaround:
A custom iRule can be provided.
Fix:
The issue is fixed.
596242 : [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
Component: Global Traffic Manager (DNS)
Symptoms:
An improperly configured master name server for one zone prevented updates to other, properly configured zones from propagating to tmm, so DNS Express responded with the previous record.
Conditions:
A wrongly configured DNS zone that could not be updated correctly.
Impact:
DNS express returns incorrect answers.
Workaround:
Fix the wrongly configured dns zone.
596128 : Allow configuration of secondary addresses for multipoint VXLAN tunnels
Component: TMOS
Symptoms:
Currently the secondary address setting is not enabled for VXLAN tunnels.
Conditions:
VXLAN tunnels are configured.
Impact:
The setting is useful in scenarios where remote VTEPs are unable to dynamically re-learn IP address, MAC address, and endpoint associations upon failover events.
Fix:
This change enables the configuration of the secondary address setting for multipoint VXLAN tunnels.
When the secondary address is set on a multipoint VXLAN tunnel, the tunnel creates an additional endpoint, the secondary endpoint. This endpoint is associated with the local-only traffic group and sources tunnel flows carrying monitor and host traffic. It is created in addition to the local address endpoint, which is used to encapsulate frames associated with the configured tunnel traffic group.
Behavior Change:
When the secondary address is set on a multipoint VXLAN tunnel, the tunnel creates an additional endpoint, the secondary endpoint. This endpoint is associated with the local-only traffic group and sources tunnel flows carrying monitor and host traffic. It is created in addition to the local address endpoint, which is used to encapsulate frames associated with the configured tunnel traffic group.
596116 : LDAP Query does not resolve group membership, when required attribute(s) specified
Component: Access Policy Manager
Symptoms:
The corresponding session variable session.ldap.last.memberOf contains only the groups of which the user is an explicit member.
Conditions:
This occurs when the following conditions are met:
-- The APM LDAP Query option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.
Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.
Workaround:
Add the following attribute to the "Required Attributes" list:
"objectClass"
If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:
"primaryGroupID"
Note: Adding the "primaryGroupID" attribute causes APM to fetch all groups from Microsoft Active Directory, including the primary group.
Fix:
LDAP Query now retrieves groups from the backend server in accordance with the option "Fetch groups to which the user or group belong", regardless of whether any required attribute is set.
596104 : HA trunk unavailable for VCMP guest★
Component: TMOS
Symptoms:
If a VCMP guest is configured with an HA trunk with a threshold value greater than 0, the HA trunk configuration will fail with a message similar to the following:
err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.
Conditions:
This occurs when an HA trunk is configured on a VCMP guest with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade will fail with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load will fail with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command will fail with the indicated error message.
Impact:
HA trunks will not work on affected BIG-IP versions.
You will be unable to upgrade to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.
Workaround:
Configuring the HA trunk threshold to 0 will allow the upgrade to succeed or the configuration to load.
However, this disables the HA trunk feature.
Fix:
HA trunks with a threshold value greater than 0 are supported.
596083 : Error running custom APM Reports with "session creation time" on Viprion Platform
Component: Access Policy Manager
Symptoms:
An error is encountered when running custom APM Reports with "session creation time" on the Viprion platform.
Conditions:
- On Viprion platform
- Create an APM custom report
- Select "Session creation time" field
- Run the report
Impact:
You cannot run custom APM reports on the Viprion platform.
596067-3 : GUI on VIPRION hangs on secondary blade reboot
Component: TMOS
Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.
Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs at system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) have not fully started triggers this condition.
Impact:
GUI becomes unresponsive.
Workaround:
Running "bigstart restart httpd" clears this condition if it occurs.
595966 : SSL hardware acceleration statistics might be incorrect.
Component: Local Traffic Manager
Symptoms:
On a BIG-IP device, hardware acceleration is still showing as 'Full' for some ciphersuites that employ a combination of software and hardware acceleration. It should be showing an acceleration type of 'Partial' in these cases.
Conditions:
When some operations (such as handshakes) happen in software while others (such as bulk encryption / decryption) are hardware-accelerated, for some ciphersuites.
Impact:
No impact to any other module.
Workaround:
None.
Fix:
Hardware acceleration statistics will be incremented as follows:
1. If all operations concerning the handshake and bulk encryption are done in hardware, the result is Full.
2. If some operations are done in software while others are done in hardware, the result is Partial.
3. If no operations are hardware accelerated the result is None (Software).
595946 : Expired Timestamp violation is triggered too often
Component: Application Security Manager
Symptoms:
Expired Timestamp violation is frequently encountered by benign traffic. This occurs whenever there is an interval of at least 10 minutes between requests by a particular browser.
Conditions:
The Expired Timestamp violation is enabled, and there is an interval of at least 10 minutes between requests by a particular browser.
Impact:
The Expired Timestamp violation is triggered and traffic may be blocked.
Workaround:
Disable Expired Timestamp violation.
Fix:
All predefined policy templates have Expired Timestamp disabled.
595921 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Component: Local Traffic Manager
Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.
Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.
Workaround:
Use a Self IP address on the VLAN group.
Fix:
The BIG-IP system no longer sends ICMP from loopback addresses when in use with a VLAN group without a configured Self IP address.
595832 : SSH Proxy profile visible in GUI available without AFM provision
Component: Advanced Firewall Manager
Symptoms:
The SSH Proxy profile is visible in the virtual server configuration even if AFM is not provisioned.
Conditions:
This profile is visible in Security :: Protocol Security : Security Profiles : SSH Proxy in the configuration utility.
It is also visible in the Virtual Server configuration page as an available profile.
Impact:
The SSH Proxy profile appears as if it is available for the virtual server, but the profile cannot be used without an AFM license.
Workaround:
License and provision AFM in order to use the SSH Proxy profile.
Fix:
If AFM is not provisioned, the virtual server configuration page does not show SSH Proxy profile selection options.
595819 : Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached.
Component: Access Policy Manager
Symptoms:
Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a HTTP/2 enabled browser and HTTP/2 profile attached.
Conditions:
This occurs when the following conditions are met:
- An HTTP/2 enabled browser is in use.
- APM and HTTP/2 are enabled on the same virtual.
Impact:
APM statistics for bytes in and out are not updated.
Workaround:
None.
Fix:
Access session 'Bytes In' and 'Bytes Out' are now updated when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached.
595773 : Cancellation requests for chunked stats queries do not propagate to secondary blades
Component: TMOS
Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.
Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).
Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.
Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.
595712 : Not able to add remote user locally
Component: TMOS
Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:
01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.
Conditions:
Remote authentication is configured and a remote user has logged in.
Impact:
Changing a remote user to a local user fails.
Workaround:
Use "replace-all-with" for partition access:
create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}
595394 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
Component: TMOS
Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.
Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.
Impact:
User might not be able to log in to the instance.
Workaround:
Rebooting the instance corrects the problem.
Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.
595385 : HTTP:respond causes a keepalive connection to be RST after second request and "Invalid action" log.
Component: Local Traffic Manager
Symptoms:
Clients experience connection resets when using HTTP keep-alives. The LTM log contains 'Invalid action' messages similar to the following:
http_process_state_prepend - Invalid action:0x109010 (Server side: vip=/Common/myprofile=http pool=/Common/mypool server_ip=ip_address).
Conditions:
HTTP virtual server with an iRule attached. The invocation of the HTTP::respond API within the iRule's HTTP_REQUEST_SEND event for an HTTP keep-alive connection causes a reset of the keep-alive connection.
Impact:
HTTP keep-alive connections are being dropped when the iRule on the virtual server handling the HTTP traffic invokes the HTTP::respond API in the HTTP_REQUEST_SEND event.
Workaround:
Issue an HTTP::close before HTTP::respond.
Example:
when HTTP_REQUEST_SEND {
    clientside {
        if {[HTTP::path] eq "/findex.html"} {
            HTTP::close
            HTTP::respond 200 content "This is my response"
        }
    }
}
Alternatively, issue HTTP::respond from a different event.
595317 : Forwarding address for Type 7 in ospfv3 is not updated in the database
Component: TMOS
Symptoms:
The OSPF nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed.
Conditions:
Remove the global address on the forwarding interface.
Impact:
Packets are sent to an incorrect interface.
Workaround:
Run "clear ipv6 ospf process".
Fix:
The OSPF nssa-external database shows the correct forwarding address when the global address on the forwarding interface is changed.
595293 : Deleting GTM links could cause gtm_add to fail on new devices.
Component: Global Traffic Manager
Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted
Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Workaround:
None
Fix:
Clean up all aspects of a GTM link when it is deleted.
595281 : TCP Analytics reports huge goodput numbers
Component: Local Traffic Manager
Symptoms:
TCP Analytics reports that 2^32 bytes have been delivered, rather than 0.
Conditions:
When the serverside connection attempt fails.
Impact:
TCP Analytics stats are inaccurate.
Fix:
Handle the failed connection case properly.
595275-1 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
Component: Local Traffic Manager
Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.
Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.
Impact:
VIP can go briefly RED and offline.
Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.
595272 : Edge client may show a window displaying plain text in some cases
Component: Access Policy Manager
Symptoms:
In a captive portal environment, the Edge client may sometimes show a window with plain text content.
Conditions:
The Edge client is launched while the user's machine is inside a captive portal network.
Impact:
User may not be able to establish a VPN.
Workaround:
Authenticate to the captive portal using a browser and launch the Edge client again.
595242 : libxml2 vulnerabilities CVE-2016-3705
Vulnerability Solution Article: K54225343
595231 : libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
Vulnerability Solution Article: K54225343
595227 : SWG Custom Category: unable to have a URL in multiple custom categories
Component: Access Policy Manager
Symptoms:
When configuring a URL in multiple categories you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).
Conditions:
Configuring the same URL in multiple custom categories.
Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.
Workaround:
None
Fix:
Validation preventing the configuration of same URL for multiple custom categories has been fixed.
594910-2 : FPS flags no cookie when length check fails
Component: Fraud Protection Services
Symptoms:
You see No Cookie errors for validation errors other than No Cookie.
Conditions:
Malformed component validation cookie.
Impact:
No Cookie errors are counted when the validation error was not due to a missing cookie.
Workaround:
None.
Fix:
Fixed an issue with No Cookie error counting.
594869-1 : AFM can log DoS attack against the internal mpi interface and not the actual interface
Component: Advanced Firewall Manager
Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.
Conditions:
This can occur in CMP-enabled systems.
Impact:
A valid DoS attack will be misreported.
594642 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
Component: Local Traffic Manager
Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
Conditions:
Stream filter is active during low memory situations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.
594496 : PHP Vulnerability CVE-2016-4539
Vulnerability Solution Article: K35240323
594426 : Audit forwarding Radius packets may be rejected by Radius server
Component: TMOS
Symptoms:
The Accounting-Request packets are missing two required AVPs (Attribute Value Pair), Acct-Session-ID and Acct-Status-Type. Some Radius servers drop Radius Accounting-Requests which are missing these AVPs.
Conditions:
The system is configured to use audit forwarding with RADIUS, and audit messages are not logged on the RADIUS server.
Impact:
Unable to log audit messages from BIG-IP using audit forwarding.
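As an added illustration (not BIG-IP code), the following Python builds RFC 2866 Accounting-Request packets and applies the checks a strict RADIUS accounting server makes, including the presence of the Acct-Status-Type and Acct-Session-Id AVPs this entry describes as missing; the shared secret, NAS address and session ID are constructed sample values.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4          # RADIUS packet code (RFC 2866)
# RFC 2865/2866 attribute types used here
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40           # integer: 1=Start, 2=Stop, 3=Interim-Update
ACCT_SESSION_ID = 44            # string
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3


def avp(attr_type, value):
    """Encode one Attribute-Value Pair: Type(1) Length(1) Value(Length-2)."""
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, secret, attributes):
    """Build an Accounting-Request. The Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(packet):
    """Return (type, value) pairs from the attribute area; reject malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def check_accounting_request(packet, secret):
    """Server-side validation. Returns the reasons a strict server would
    discard the packet; an empty list means it would be accepted."""
    if len(packet) < 20:
        return ["packet shorter than RADIUS header"]
    problems = []
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        problems.append("code %d is not Accounting-Request" % code)
    if length != len(packet):
        problems.append("length field %d does not match %d bytes received" % (length, len(packet)))
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        problems.append("Request Authenticator mismatch (wrong shared secret or tampering)")
    try:
        types = {t for t, _ in parse_attributes(packet)}
    except ValueError as exc:
        return problems + [str(exc)]
    if ACCT_STATUS_TYPE not in types:
        problems.append("missing Acct-Status-Type (required by RFC 2866)")
    if ACCT_SESSION_ID not in types:
        problems.append("missing Acct-Session-Id (required by RFC 2866)")
    return problems


SECRET = b"constructed-shared-secret"   # constructed sample value


def audit_packet(identifier, include_required):
    """Constructed sample: an audit-forwarding accounting packet, with or
    without the two AVPs whose absence this entry describes."""
    attrs = [avp(USER_NAME, b"admin"), avp(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    if include_required:
        attrs.append(avp(ACCT_STATUS_TYPE, struct.pack("!I", STATUS_INTERIM)))
        attrs.append(avp(ACCT_SESSION_ID, b"audit-0001"))
    return build_accounting_request(identifier, SECRET, attrs)


if __name__ == "__main__":
    print(check_accounting_request(audit_packet(1, False), SECRET))  # two "missing" reasons
    print(check_accounting_request(audit_packet(2, True), SECRET))   # []
```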
594388 : Separate signature validation and encryption certificates used by SAML IdP
Component: Access Policy Manager
Symptoms:
In TMOS v11.3 through v11.6 releases, only one certificate can be configured for the SAML SP connector (apm sso saml-sp-connector, "sp-certificate" attribute).
This certificate is used by the Identity Provider both for verifying the signature of incoming ArtifactResolve requests and for encrypting (if encryption is enabled in the IdP settings) the assertion and/or specified SAML attributes.
Conditions:
This restriction does not allow for supporting SP configurations where separate keys/certs are used for encryption and signing.
Impact:
Limited support for external Service Providers that require different certificates for signing/decryption.
Fix:
In version 12.0 it is now possible to configure SP connector objects with two certificates:
sp-certificate <-- certificate used by IdP to validate signatures on messages received from SP.
sp-encryption-certificate <-- certificate used by IdP to encrypt assertion/subject/attributes when encryption is enabled.
===========
A similar, symmetrical change was also implemented for when BIG-IP is used as a SAML SP.
When BIG-IP is used as SAML SP, it is also possible to configure two certificates in AAA SAML object:
sp-certificate <-- certificate used by SP to sign Authentication Requests.
sp-decryption-cert <-- certificate used by SP to decrypt assertions/subject/attributes.
594302 : Connection hangs when processing large compressed responses from server
Component: Local Traffic Manager
Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.
Conditions:
An LTM policy that enforces decompression for responses is attached to the virtual server. The virtual server also has an HTTP compression profile attached. The server sends large compressed responses.
Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.
Fix:
The large compressed responses are successfully processed and no connection hangs are seen.
594288 : Access profile configured with SWG Transparent results in memory leak.
Component: Access Policy Manager
Symptoms:
Access profile configured with SWG Transparent results in memory leak.
Conditions:
Create an access profile of type SWG Transparent, and assign to a virtual. Run traffic through this virtual.
Impact:
TMM leaks memory.
Workaround:
None
Fix:
Fixed the memory leak caused by the access filter in the SWG Transparent use case.
594075 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
Component: Advanced Firewall Manager
Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.
Conditions:
1. pccd.alwaysfromscratch is set to true (the default value is false).
2. Modify some firewall rules.
Impact:
The blob doesn't compile and pccd keeps restarting without loading new rules.
Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.
593925 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
Component: Advanced Firewall Manager
Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."
Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:
create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }
Impact:
Unable to delete the rules.
Fix:
You can now delete ssh profile rules that contain spaces.
593696 : Sync fails when deleting an ssh profile
Component: Advanced Firewall Manager
Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."
Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.
Impact:
Sync fails.
593681 : CSRF doesn't look correctly into relative URLs in the location header
Component: Application Security Manager
Symptoms:
CSRF does not correctly look into relative URLs in the location header.
Conditions:
There is a relative URL in the location header.
Impact:
In some cases the location header is searched for in the configuration as is, and is not found because it does not match the wildcard, which can trigger false positive CSRF violations.
Workaround:
None.
Fix:
CSRF now correctly looks into relative URLs in the location header.
593597 : iSession can't connect over default gateway pool
Component: Wan Optimization Manager
Symptoms:
iSession cannot make wocd (and data) connections if the required route is defined as a pool.
Conditions:
WOM BIG-IP peers are defined in different subnets with router(s) in between. If the route from one BIG-IP to the other is defined as a pool, the WOM daemons are unable to connect.
Impact:
WOM cannot establish an iSession tunnel.
Workaround:
This issue can be mitigated if you can use a default gateway IP address instead of a default gateway pool.
Fix:
iSessions can now be established when using a default gateway pool.
593530 : In rare cases, connections may fail to expire
Component: Local Traffic Manager
Symptoms:
Connections have an idle timeout of 4294967295 seconds.
Conditions:
Any IP (ipother) profile is assigned to virtual server.
Impact:
Connections may linger.
Workaround:
None.
Fix:
Fixed idle initialization error when using Any IP (ipother) profile.
593447 : BIG-IP TMM iRules vulnerability CVE-2016-5024
Vulnerability Solution Article: K92859602
593409 : [Portal Access] URL normalization is required for some Javascript interfaces
Component: Access Policy Manager
Symptoms:
Several JavaScript methods or properties should return a normalized URL (that is, without the default port :80 for http: or :443 for https:, without /../ path segments, and so on).
The current Portal Access code does not implement this.
Impact:
Web applications could fail with security or logic errors when they expect a normalized URL from the affected JavaScript methods or properties.
Behavior Change:
Non-normalized URLs are no longer included in the browser history (modern browsers only).
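As an added example (not Portal Access code), the following Python applies the normalization rules this entry describes, default-port removal and RFC 3986 dot-segment removal, and shows why an application's URL comparison should run only after normalizing both sides; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4 applied with a segment stack: '.' is dropped,
    '..' pops the previous segment, and a trailing '/.' or '/..' keeps the
    trailing slash. Works purely on the string, never on a filesystem."""
    if not path:
        return path
    keep_trailing_slash = path.endswith(("/", "/.", "/.."))
    out = []
    for segment in path.split("/"):
        if segment == "..":
            if out:
                out.pop()
        elif segment != ".":
            out.append(segment)
    result = "/".join(out)
    if path.startswith("/") and not result.startswith("/"):
        result = "/" + result          # never climb above the root
    if keep_trailing_slash and not result.endswith("/"):
        result += "/"
    return result


def normalize_url(url):
    """Return the URL form a web application expects from location.href-style
    properties: lowercase scheme and host, default port removed, dot segments
    resolved, empty path made '/'. Raises ValueError on a non-numeric port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:                    # IPv6 literal, re-add brackets
        host = "[" + host + "]"
    netloc = host
    port = parts.port
    if port is not None and DEFAULT_PORTS.get(scheme) != port:
        netloc += ":%d" % port
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        netloc = userinfo + "@" + netloc
    path = remove_dot_segments(parts.path)
    if not path and scheme in DEFAULT_PORTS:
        path = "/"
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))


def same_resource(url_a, url_b):
    """Compare two URLs the way an application's allow-list or same-page
    check should: after normalizing both, ignoring the fragment."""
    a, b = urlsplit(normalize_url(url_a)), urlsplit(normalize_url(url_b))
    return a[:4] == b[:4]


if __name__ == "__main__":
    raw = "http://Example.COM:80/app/./x/../index.html?v=1"
    print(normalize_url(raw))                                   # http://example.com/app/index.html?v=1
    print(raw == "http://example.com/app/index.html?v=1")       # False: raw comparison breaks
    print(same_resource(raw, "http://example.com/app/index.html?v=1"))  # True
```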
593390 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
Component: Local Traffic Manager
Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.
Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.
Impact:
Higher memory usage than necessary.
Workaround:
Always have iRules select profiles using the complete path.
Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path before looking it up, so there is no possibility of instantiating another version of the profile and no memory issue occurs.
593360 : Repeated failures on scheduled Signature Update (ASU)
Component: Application Security Manager
Symptoms:
This produces errors similar to the following:
----------------------------------------------------------------------
asm_config_server.pl|INFO|Dec 11 04:02:03.697|9905|F5::Sigfile::AutoDownload::call_soap_server,,Calling 'https://10.10.10.10/esd/services/ASMUpdate' for new Signature version.
asm_config_server.pl|ERR|Dec 11 04:02:08.199|9905|F5::Sigfile::AutoDownload::call_soap_server,,SOAP request failed: 500 read failed:
----------------------------------------------------------------------
Conditions:
ASM is provisioned.
Impact:
Repeated failures on scheduled Signature Update (ASU).
Workaround:
Change the time the job runs daily and see if that resolves the issue.
First open the cron job text file:
# vi /etc/crontab
Change this line -
02 4 * * * root run-parts /etc/cron.daily
to -
10 4 * * * root run-parts /etc/cron.daily
Save and quit.
This changes the automatic updates to run at 4:10 rather than 4:02.
Fix:
We've implemented a retry of a failed scheduled Signature Update (ASU).
593078 : CATEGORY::filetype command may cause tmm to crash and restart
Component: Access Policy Manager
Symptoms:
If an iRule uses the CATEGORY::filetype command, tmm may eventually fail and restart.
Conditions:
This can occur when using the CATEGORY::filetype iRule command under normal operation.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash in CATEGORY::filetype.
593070 : TMM may crash with multiple IP addresses per session
Component: Policy Enforcement Manager
Symptoms:
TMM crashes.
Conditions:
A session with multiple IP addresses that uses PCRF communication for dynamic policy management may crash due to a race condition.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Check for timer expiration prior to processing the timer.
592952 : Configuring connection mirroring when using AFM send_to_virtual action
Component: Traffic Classification Engine
Symptoms:
Connection mirroring will not work if enabled only on the virtual server configured as send_to_virtual parameter.
Conditions:
Connection mirroring is only configured on the virtual server referenced by send_to_virtual parameter and not on the original virtual matched by traffic.
Impact:
Connection mirroring will not work.
Workaround:
You must configure connection mirroring both on the original virtual server that would be matched by traffic and on the virtual referenced by the send_to_virtual command.
Fix:
The user must configure connection mirroring both on the original virtual server that would be matched by traffic and on the virtual referenced by the send_to_virtual command.
592871 : Cavium Nitrox PX/III stuck queue diagnostics missing.
Component: Local Traffic Manager
Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.
Conditions:
System with Cavium Nitrox PX/III chip(s), which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.
Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.
Workaround:
None.
Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.
592870 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
592868 : Rewrite may crash processing HTML tag with HTML entity in attribute value
Component: Access Policy Manager
Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.
Conditions:
HTML tag like this:
<script src=" " type="text/javascript"></script>
Impact:
Web application may not work correctly.
Workaround:
In most cases HTML entities can be replaced by the appropriate characters using an iRule.
Fix:
Now rewrite correctly handles HTML entities in attribute values.
592854 : Protocol version set incorrectly on serverssl renegotiation
Component: Local Traffic Manager
Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.
Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.
Impact:
Protocol field is invalid (0), and the server will reset the connection.
Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.
592784-1 : Compression stalls, does not recover, and compression facilities cease.
Component: Local Traffic Manager
Symptoms:
Compression stalls, does not recover, and compression facilities may cease.
Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).
Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.
Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.
Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.
592707 : Validation against routes where the network route-domain does not match VLAN route-domain
Component: Local Traffic Manager
Symptoms:
Kernel ioctl error when creating a static route: "ioctl failed: No such device".
Conditions:
When creating a static route where the network route-domain is not the same as the VLAN route-domain.
Impact:
Prevent the creation of the static route.
Workaround:
Use the correct route-domain when specifying the network for the static route entry.
Fix:
When creating a static route using a VLAN that has a non-default route-domain, validation will either correct the network route-domain (when it is unspecified) or throw a validation error when the specified route-domain does not match the VLAN route-domain.
592700 : iControl SOAP method System.Failover.get_peer_address might return incorrect value.
Component: TMOS
Symptoms:
iControl SOAP method System.Failover.get_peer_address returns no results.
In DSC sync (11.0.0 or later), there is no longer a concept of a 'secondary peer address', and one can connect with more than one other device, so this method no longer can always return acceptable values. Therefore, the alternate method Management.Device.get_configsync_address is recommended.
Conditions:
Any 11.0.0 or higher platform with CMI configured.
Impact:
If the iControl SOAP method System.Failover.get_peer_address method is being used to determine whether sync is configured between two devices, the system might falsely treat the device as a standalone.
Workaround:
Use the following method instead: Management.Device.get_configsync_address.
Fix:
The iControl SOAP method System.Failover.get_peer_address has been immediately deprecated. Use the method Management.Device.get_configsync_address instead.
592699-2 : IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
Component: Local Traffic Manager
Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.
Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.
Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.
Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off.
Note: This command must be run each time after reboot.
Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.
592682 : TCP: connections may stall or be dropped
Component: Local Traffic Manager
Symptoms:
TCP connections stall or get dropped.
Conditions:
Under some network conditions, especially with rateshaper enabled, a TCP connection could stall and ultimately get reset.
Impact:
This usually happens with rateshaper or BWC enabled. Rarely could also happen with very lossy networks.
Fix:
Properly manage re-transmissions after a tail drop by not doing the exponential back-off. Reset the re-transmit timer for every partial ack received after a tail drop.
592620 : iRule validation does not catch incorrect 'after' syntax
Component: Local Traffic Manager
Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.
Conditions:
iRule with incorrect 'after' syntax. For example, "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen).
Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.
Workaround:
Correct the syntax error.
592591 : Deleting access profile prompts for apply access policy for other untouched access profiles
Component: Access Policy Manager
Symptoms:
After deleting an access profile, the 'Apply Access Policy' link shows up and the status flags for some other untouched access profiles turn yellow. Also, there are APM log messages indicating that the configurations for those untouched access profiles have been changed.
Conditions:
If an access profile containing macros is copied on the admin UI and is deleted subsequently.
Impact:
There is no change to the access profiles that are affected by the deletion. Admin can go ahead to click "Apply Access Policy" link to make the link disappear.
592504 : False positive illegal length violation can appear
Component: Application Security Manager
Symptoms:
A false positive illegal length violation.
Conditions:
A chunked request where the request length is more than half of the configured max request length.
Impact:
False positive illegal length violation.
Workaround:
Configure a higher maximum request length.
Fix:
Fixed a false positive request length violation.
592497 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
Component: Local Traffic Manager
Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.
Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.
Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.
Workaround:
None.
Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.
592414 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
Component: Access Policy Manager
Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.
Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.
Impact:
Web application malfunction.
Workaround:
None.
Fix:
Fixed.
592352 : Launching RDP resources of "Native" type requires downloading .rdp files which are not cleaned automatically
Component: Access Policy Manager
Symptoms:
For now, in order to launch a native RDP resource, user needs to download an automatically generated .rdp file which is later used for launching RDP client.
Since MS RDP client doesn't support cleaning those files up automatically, users should bear in mind that those files may accrue in their "Downloads" folder over time.
Conditions:
Launching native RDP resource.
Impact:
Downloaded .rdp files are not automatically removed by RDP client.
Workaround:
Remove .rdp files manually from "Downloads" folder from time to time.
592320 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
Component: TMOS
Symptoms:
When a fastL4 profile's pva-offload-state is set to establish (the default is embryonic), the corresponding UDP virtual server using that profile will not offload UDP traffic, which causes performance degradation.
Conditions:
This issue was introduced during v12.0.0 development and only impacts the v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.
Impact:
Performance degradation.
Workaround:
Use default setting for pva-offload-state of embryonic for fastL4 profile.
Fix:
With the fix in 12.1.2 and 13.0.0, ePVA offloads UDP traffic when pva-offload-state is set to establish.
592274 : RAT-Detection alerts sent with incorrect duration details
Component: Fraud Protection Services
Symptoms:
If a remote access trojan (RAT) detection alert is thrown immediately upon initialization, the timestamp of the alert will be incorrect.
Impact:
False positives
Workaround:
n/a
Fix:
When a RAT Detected alert is generated within 5 seconds of page load, actualCounter in the alert details is now lower than 5 seconds, for example:
"timeToResetCounter":5000,"actualCounter":4296
592113-4 : tmm core on the standby unit with dos vectors configured
Component: Advanced Firewall Manager
Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause a core dump.
Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured
Impact:
Traffic disrupted while tmm restarts.
592070 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
Component: Policy Enforcement Manager
Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.
Conditions:
DHCP virtual created in a non-local traffic group.
Impact:
Variable sharing in the TCL context will not work.
Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.
Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.
592001 : CVE-2016-4073 PHP vulnerabilities
Vulnerability Solution Article: K64412100
591918 : ImageMagick vulnerability CVE-2016-3718
Vulnerability Solution Article: K61974123
591908 : ImageMagick vulnerability CVE-2016-3717
Vulnerability Solution Article: K29154575
591894 : ImageMagick vulnerability CVE-2016-3715
Vulnerability Solution Article: K10550253
591881 : ImageMagick vulnerability CVE-2016-3716
Vulnerability Solution Article: K25102203
591840 : encryption_key in access config is NULL in whitelist
Component: Access Policy Manager
Symptoms:
encryption_key in the access config is sometimes NULL when applying the 404 whitelist action, which results in a TMM crash.
Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to above action must be expired.
- FIPS platform.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Data required to serve a "not found" action is retrieved and made available early so that such responses can be served correctly.
591828 : For unmatched connection TCP RST may not be sent for data packet
Component: Advanced Firewall Manager
Symptoms:
When AFM is enabled, a TCP RST is not sent to the client when the client sends a data packet to the BIG-IP system.
Conditions:
When AFM is enabled and, in the TCP profile, reset on timeout is disabled, no RST is sent after the connection times out. But if the BIG-IP system then receives a data packet, it does not send a TCP RST.
Impact:
When the client does not receive a TCP RST for a data packet sent on an unmatched (generally timed-out) connection, the client keeps retrying. However, the BIG-IP system should not send a TCP RST for every packet received on unmatched connections.
Workaround:
The reset-on-timeout option can be enabled, which sends a TCP RST to the client when the connection times out. However, if the BIG-IP system reboots, the client will not get a TCP RST.
591819 : Upgrade script for SSO log-level★
Component: Access Policy Manager
Symptoms:
In 12.1.0 and previous versions, SSO SAML and SSO FormBasedV2 objects have a log-level attribute, which has been replaced by an apm log config object.
Conditions:
If previous configuration contains SSO SAML objects or SSO FormBasedV2 objects upgraded to versions later than 12.1.0.
Impact:
After upgrade, no apm log config object is created for the SSO object.
Workaround:
None.
Fix:
The upgrade script will now create apm log config object to replace log-level. The publisher's destination for it will be local-syslog. SSO log-level in the new apm log config object will remain the same. The new apm log config's name will be sso-log-setting-<log level>, <log level> can be Debug, Notice, Alert and so on. Warning Message 'apm log-setting is created as the log setting for sso objects. Access : ' will show in /var/log/ltm.
Behavior Change:
The Upgrade script for SSO log-level will create apm log config object to replace log-level. The publisher's destination for it will be local-syslog. SSO log-level in the new apm log config object will remain the same. The new apm log config's name will be sso-log-setting-<log level>, <log level> can be Debug, Notice, Alert and so on. Warning Message 'apm log-setting is created as the log setting for sso objects. Access : ' will show in /var/log/ltm. There is no impact to traffic; the upgrade will automatically create the necessary log config object for you.
591806 : ImageMagick vulnerability CVE-2016-3714
Vulnerability Solution Article: K03151140
591767-1 : NTP vulnerability CVE-2016-1547
Vulnerability Solution Article: K11251130
591733 : Save on Auto-Sync is missing from the configuration utility.
Component: TMOS
Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.
Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.
Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.
Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.
Fix:
This release adds per-device-group save_on_auto_sync flag to GUI: flag now shows in GUI and correctly saves.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.
Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".
591666 : TMM crash in DNS processing on TCP virtual with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.
Ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
Product corrected to prevent crash when there are no available members.
591659 : Server shutdown is propagated to client after X-Cnection: close transformation.
Component: Local Traffic Manager
Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.
Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.
Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.
Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.
Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.
591590 : APM policy sync results are not persisted on target devices
Component: Access Policy Manager
Symptoms:
Policy sync results, including profile, sync folder, new partition, statuses, and history, are not persisted on target devices after sync when there is no LSO resolution.
Conditions:
- Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by previous sync
- Start a policy sync
Impact:
Sync results, including the policy profiles, are not persisted, so when the BIG-IP system restarts, all the sync data is lost.
Workaround:
Run tmsh command to save config:
tmsh save sys config
Fix:
Policy sync result will be persisted on target devices so even when those devices restart, the data will still be there.
591495 : VCMP guests sflow agent can crash due to duplicate vlan interface indices
Component: TMOS
Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.
Conditions:
The problem is specific to BIG-IP i-Series platforms (i5200, i7200, i10200) with VCMP guests of 4 or more cores. 8 cores causes it all the time.
Impact:
sflow agent will crash.
Fix:
Make sure the allocated interface index for a vlan is not already taken by another interface object.
591476 : Stuck nitrox crypto queue can erroneously be reported
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Device error: crypto codec cn-crypto-0 queue is stuck." will appear in the ltm log file.
Conditions:
Nitrox based system performing SSL under heavy load.
Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.
Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts.
tmsh modify sys db crypto.queue.timeout value 0
Fix:
The Nitrox crypto driver will now only examine requests in the hardware DMA ring to detect a stuck queue.
591455 : NTP vulnerability CVE-2016-2516
Vulnerability Solution Article: K24613253
591447 : PHP vulnerability CVE-2016-4070
Vulnerability Solution Article: K42065024
591438 : PHP vulnerability CVE-2015-8865
Vulnerability Solution Article: K54924436
591437 : Unexpected/incorrect max CPU utilization statistics/performance values.
Component: TMOS
Symptoms:
CLI command 'tmsh show sys performance system' sometimes shows an incorrect (lower) 'Max CPU Utilization' value.
Conditions:
This occurs when the BIG-IP system experiences occasional large spikes in CPU Utilization.
Impact:
Incorrect statistics reporting.
Workaround:
None.
Fix:
CPU utilization data processing has been modified to more accurately report the maximum sampled value.
591351 : False positive browser automation alert
Component: Fraud Protection Services
Symptoms:
False positive browser automation alert containing details: "Cshui detected unknown (not human behavior)".
Conditions:
FPS automatic transaction detection feature activated.
Impact:
False positive browser automation alert containing details: "Cshui detected unknown (not human behavior)".
Workaround:
None.
Fix:
Cshui result is now read correctly.
591343 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
Component: Local Traffic Manager
Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.
Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.
Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.
Workaround:
None.
Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.
591328 : OpenSSL vulnerability CVE-2016-2106
Vulnerability Solution Article: K36488941
591327 : OpenSSL vulnerability CVE-2016-2106
Vulnerability Solution Article: K36488941
591325 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
Vulnerability Solution Article: K75152412
591268 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
Component: Access Policy Manager
Symptoms:
The VS hostname is not resolvable when the DNS Relay proxy is installed and running under certain conditions; it depends on the client machine configuration. Symptom: a negative record in the Windows DNS cache, which can be verified by running ipconfig /displaydns.
Conditions:
Specific client machine configuration
Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue
Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service
Fix:
The DNS Relay proxy service now cleans up the DNS cache after initialization, mitigating the issue described.
591246 : Unable to launch View HTML5 connections in non-zero route domain virtual servers
Component: Access Policy Manager
Symptoms:
Currently APM always attempts to use route domain 0 when the VMware View HTML5 client is launched.
This doesn't work with the virtual servers in non-zero route domains.
Conditions:
APM configured as a PCoIP proxy on a VS in non-zero route domain.
Impact:
You cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality.
Fix:
APM now uses the proper route domain from the virtual server to handle VMware View HTML5 client connections.
591139-1 : TMM QAT segfault after zlib/QAT compression conflation.
Component: Local Traffic Manager
Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.
Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.
Impact:
TMM segfaults.
Workaround:
Disable hardware accelerated compression with:
tmsh modify sys db compression.strategy value speed
Fix:
TMM QAT compression added pointer-hardening for compression context.
591124 : gtmd core while adding a new GTM to an existing sync group.
Component: Global Traffic Manager
Symptoms:
While adding a new GTM to an existing sync group, the new system's configuration conflicts with configurations on the other GTM systems in the sync group and causes gtmd to core on the unit being added.
Conditions:
Adding a new GTM to sync group. Other, more specific conditions are not known. That makes this rarely encountered, intermittent issue difficult to predict and reproduce.
Impact:
The new GTM unit being added generates a gtmd core file. Configs on other production GTM devices in the network might also be compromised, and might need to be restored from backup. The system might produce a core dump at the moment of sync group corruption.
Workaround:
None.
Fix:
Although the exact cause is unknown, the gtmd process has been modified to more gracefully handle the condition that generated the gtmd core while adding a new GTM to an existing sync group.
591117 : APM ACL construction may cause TMM to core if TMM is out of memory
Component: Access Policy Manager
Symptoms:
During ACL construction, TMM sends queries regarding the assigned ACL information. If the reply contains an out-of-memory error message, TMM did not handle it properly, causing TMM to core.
Conditions:
BIG-IP is extremely loaded and out of memory.
Impact:
Traffic disrupted while tmm restarts.
Fix:
When handling the error reply message of out-of-memory during ACL construction, TMM can handle it without causing TMM to crash.
591113 : CSRF injection leading to blank page
Component: Application Security Manager
Symptoms:
When CSRF JS is injected, a blank page is seen.
Conditions:
When CSRF JS is injected.
This page has lots of iframes with query parameters.
Impact:
Viewing the site causes some pages to show up blank.
Workaround:
Bypassing or disabling ASM for URL /apps/consumer/ITS/its_Lite/UpperFrame_Lite.jsp appears to fix the issue.
Fix:
Added the new internal setting csrf_rewrite_frames_urls (default disabled): if enabled, bd adds the csrt token to the frame's src attributes when it has the query separator, and does so during response parsing.
591104 : ospfd cores due to an incorrect debug statement.
Component: TMOS
Symptoms:
ospfd cores due to an incorrect debug statement.
Conditions:
This occurs in NSSA configs when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all
debug ospf route
debug ospf route ase
Impact:
ospfd might crash, interrupting dynamic routing.
Workaround:
Do not enable debugging in ospf that includes 'route ase'.
Fix:
ospfd no longer crashes when debugging is enabled in imish.
591042 : OpenSSL vulnerabilities
Vulnerability Solution Article: K23230229
590938 : The CMI rsync daemon may fail to start
Component: TMOS
Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.
Conditions:
The rsync daemon failed unexpectedly.
Impact:
Sync of file objects will fail with an error like this:
01070712:3: Caught configuration exception (0), Failed to sync files...
Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.
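Before deleting the PID file named in the workaround above, confirm that it really is stale, that is, that no process with the recorded PID is still alive; removing the PID file of a running daemon and starting another instance leaves two daemons competing for the same port. The check below is an added example, not part of the release note or an F5 tool: the file path /var/run/rsyncd-cmi.pid and the rsync-cmi start command are taken from the workaround, and the function names, the DRY_RUN switch and the sample IP address are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a daemon PID file is stale before removing it.
# pidfile_is_stale PATH
#   returns 0 if PATH exists but no process with that PID is alive (safe to delete),
#   returns 1 if the PID is alive or the file does not exist.
pidfile_is_stale() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1            # nothing to clean up
    pid=$(tr -cd '0-9' < "$pidfile")         # keep only digits; guards against junk
    [ -n "$pid" ] || return 0                # empty or garbage PID file: stale
    # kill -0 fails with EPERM for another user's live process, so on Linux
    # also accept an existing /proc entry as proof that the process is alive.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 1                             # a process with this PID is running
    fi
    return 0
}

# recover_cmi_rsync CONFIGSYNC_IP [PIDFILE]
#   Mirrors the workaround: remove the stale PID file, then start the daemon.
#   Refuses to touch the PID file if the recorded process is still alive.
#   With DRY_RUN=1 (assumed switch) it prints the start command instead of
#   running it, so the logic can be exercised on a host without rsync-cmi.
recover_cmi_rsync() {
    configsync_ip=$1
    pidfile=${2:-/var/run/rsyncd-cmi.pid}    # path from the release note
    if pidfile_is_stale "$pidfile"; then
        rm -f "$pidfile"
    elif [ -f "$pidfile" ]; then
        echo "rsync daemon (pid $(cat "$pidfile")) is still running; not touching $pidfile" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "rsync-cmi start $configsync_ip"
    else
        rsync-cmi start "$configsync_ip"
    fi
}
```

Usage on the device: `recover_cmi_rsync <configsync-ip>` with the real configsync-ip of the local device; the default PID file path is the one from the workaround.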
590904 : New HA Pair created using serial cable failover only will remain Active/Active
Component: TMOS
Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.
Conditions:
Create a new sync-failover device-group without enabling network failover.
Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.
Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.
Fix:
After creating the sync-failover group without network failover configured, but with a serial failover cable installed, one of the devices becomes Standby and the other remains Active.
590851 : "never log" IPs are still reported to AVR
Component: Application Security Manager
Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag.
Conditions:
Always
Impact:
Extra, unwanted logging for IP addresses flagged as "never log"
Workaround:
N/A
Fix:
N/A
590820 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Component: Access Policy Manager
Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.
Impact:
Very low web application performance when using Microsoft Internet Explorer.
Workaround:
None.
Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.
590805 : Active Rules page displays a different time zone.
Component: Advanced Firewall Manager
Symptoms:
Active Rules page displays a different time zone.
Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.
Impact:
GUI shows incorrect timezone.
Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.
Fix:
Active Rules page now shows the correct timezone after the BIG-IP system timezone has changed.
590795 : tmm crash when loading default signatures or updating classification signature★
Component: Traffic Classification Engine
Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.
Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.
Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.
Fix:
Fixed a crash when loading classification signatures.
590734 : Configuration of Timeout in AAA LDAP/AD Servers
Component: Access Policy Manager
Symptoms:
The Timeout configured in AAA LDAP/AD Servers controls only the network connection timeout and not operation timeout. The operation timeout is hardcoded to 180 seconds.
Conditions:
Configure a Timeout value in AAA LDAP/AD Servers.
Impact:
If the network connection has no issue, then it could take up to 180 seconds for the LDAP operation to fail.
Workaround:
No workaround. This functions as designed.
590608 : Alert is not redirected to alert server when unseal fails
Component: Fraud Protection Services
Symptoms:
Alert is not redirected to the alert server when unseal fails and iRule is enabled.
Conditions:
1. Unsealing alert failure.
2. iRule enabled.
Impact:
Alert is not redirected to the alert server and FPS returns 404 response.
Workaround:
Disable iRule.
Fix:
FPS now correctly redirects the alert.
590601 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
Component: Access Policy Manager
Symptoms:
After the end-user successfully performs SP-initiated SAML SSO with an original request URI other than "/", the SP redirects the user back to '/' as the landing URI.
Conditions:
BIG-IP is used as SAML SP and no relay state is configured on either SP or IdP
Impact:
User is not redirected to original request URI.
Workaround:
The workaround provided below works when the first client request to BIG-IP as SP is a 'GET'. This workaround is not applicable when the first client request is a 'POST'.
SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri}
After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).
Fix:
SAML SSO requests will now be redirected to the original request URI.
590578 : False positive "URL error" alerts on URLs with GET parameters
Component: Fraud Protection Services
Symptoms:
False-positive URL Error alerts are sometimes generated on URLs with GET parameters.
Conditions:
Use of URLs with GET parameters.
Impact:
Unwanted alerts in alert server.
Workaround:
None
Fix:
Hash calculation is done on slightly different URL inputs, causing mismatch.
590428 : The "ACCESS::session create" iRule command does not work
Component: Access Policy Manager
Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual, the command does not resume properly, causing the sessions to disconnect or hang.
Conditions:
APM virtual configured with an iRule that includes "ACCESS::session create" iRule command.
Impact:
APM virtual won't function correctly.
Workaround:
The "ACCESS::session create" iRule command should be removed from the iRule attached to the virtual.
Fix:
Updated the session DB calls to include req_id parameter so that the TCL context gets updated/saved and used upon resume.
590399 : Unnecessary logging during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'.
Component: TMOS
Symptoms:
Unnecessary logging during startup: err errdefsd[5106]: 01940019:3: Unable to connect to MCPD, will try again in 30 seconds. err errdefsd[5106]: 0194001d:3: Errdefsd is starting. Old shared memory arena is now deprecated.
Conditions:
This occurs during system startup.
Impact:
No to low impact. This message is benign, and you can safely ignore it.
Workaround:
None needed.
Fix:
This release fixes the unnecessary benign error message logging that occurred during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'.
590345 : ACCESS policy running iRule event agent intermittently hangs
Component: Access Policy Manager
Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.
Conditions:
iRule event agent is configured.
iRule uses the ACCESS_POLICY_EVENT_AGENT event.
Within this event, ACCESS::policy agent_id command is used.
Impact:
Policy execution intermittently hangs.
Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}
Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.
590244 : False alert cn decryption failure log when peer (client) drops the TCP session during decryption.
Component: Local Traffic Manager
Symptoms:
False alert cn decryption failure log when peer (client) drops the TCP session during decryption when crypto process is canceled intentionally. ERROR: ssl_cn_decrypt_fin_cb:1985: fin decryption failed
Conditions:
This issue occurs when all of the following conditions are met:
1. Using a BIG-IP system with a Cavium Nitrox SSL accelerator card, and the handshake goes through the hardware path (Cavium Nitrox).
Note: Not all the handshake instances are handled by the hardware; some run the software path. Whether the hardware path is used depends on the SSL protocol and cipher selection.
2. The client (usually the Chrome browser) connects to the BIG-IP system's virtual server but immediately drops the connection (for instance, by pressing Ctrl-F5 very quickly). The error appears when this termination happens to interrupt the hardware decryption process.
Impact:
The crypto process is canceled intentionally, so there should be no error.
Workaround:
This typically does not cause a problem because the client (browser) has already dropped the connection or started another session.
Fix:
The system no longer posts an error message that indicates an incomplete connection decryption if the connection decryption was already canceled. This is correct behavior.
590156 : Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Component: Local Traffic Manager
Symptoms:
APM connections failing when mac masquerade is in use and source-port preserve-strict is enabled on the APM virtual server.
Conditions:
The traffic-group has mac-masquerade configured and source-port preserve-strict is in use on the APM virtual server
Impact:
Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Workaround:
Disable either mac-masquerade or source-port preserve-strict (or both)
590122 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
Component: Local Traffic Manager
Symptoms:
Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. These clients may require 'tls-rollback-bug' option set.
Conditions:
Standard behaviour of TLS clients is to use ClientHello.client_version in pre-master secret (PMS).
Some clients, incorrectly, might use negotiated version in PMS.
Impact:
Failed TLS handshake.
Workaround:
Configure the BIG-IP client SSL profile to include tls-rollback-bug, using a command similar to the following:
create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.
Fix:
Added support for tls-rollback-bug
Behavior Change:
This release provides improved support for "TLS rollback bug workaround" feature described in Managing SSL Traffic :: Configuring workarounds in the LTM documentation on AskF5. ([1] link below). The value is set by existing tls-rollback-bug option, using the command described in [2], below.
This is an existing option.
When this option is enabled in clientssl profile, RSA-only ciphersuites will have relaxed treatment of the version field set by the SSL/TLS client as part of the sequence of bytes encrypted to the server RSA key, called pre-master secret (PMS).
With the option enabled, PMS can contain either ClientHello.client_version, or negotiated version. Standard behaviour of TLS clients is to use ClientHello.client_version in PMS.
[1] https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_ssl_profiles.html.
[2] create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.
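As an added illustration (example code, not F5's implementation) of the check that tls-rollback-bug relaxes, the following Python models the RSA pre-master secret version comparison in strict and relaxed modes; the version tuples and the sample random bytes are constructed for the example.

```python
"""Model of the TLS pre-master secret (PMS) version check and the
tls-rollback-bug relaxation.  Added example; not BIG-IP code.

RFC 5246 section 7.4.7.1: with RSA key exchange the client encrypts
PMS = client_version (2 bytes) || 46 random bytes, where client_version is
the version it offered in ClientHello, not the version the server
negotiated.  The server compares the decrypted version field against
ClientHello.client_version; a mismatch indicates either a version rollback
attack or a client that violates the specification.  The check does not
apply to ECDHE/DHE suites, whose pre-master secret carries no version.
"""
import os
from typing import Tuple

Version = Tuple[int, int]  # (major, minor): (3, 1) == TLS 1.0, (3, 3) == TLS 1.2

SSL3_0: Version = (3, 0)
TLS1_0: Version = (3, 1)
TLS1_2: Version = (3, 3)

PMS_LEN = 48


def build_pms(version: Version, random46: bytes) -> bytes:
    """Construct the 48-byte RSA pre-master secret as a client would."""
    if len(random46) != PMS_LEN - 2:
        raise ValueError("PMS random part must be 46 bytes")
    return bytes(version) + random46


def pms_version_ok(pms: bytes, client_hello_version: Version,
                   negotiated_version: Version,
                   tls_rollback_bug: bool = False) -> bool:
    """Return True if the version field inside the decrypted PMS is acceptable.

    Strict (default): the field must equal ClientHello.client_version.
    tls_rollback_bug=True (the relaxed treatment for RSA-only ciphersuites):
    the negotiated version is also accepted, for clients that wrongly write
    the negotiated version instead of the version they offered.
    Any other value is rejected in both modes.
    """
    if len(pms) != PMS_LEN:
        return False
    pms_version = (pms[0], pms[1])
    if pms_version == client_hello_version:
        return True
    return bool(tls_rollback_bug and pms_version == negotiated_version)


def effective_pms(pms: bytes, client_hello_version: Version,
                  negotiated_version: Version,
                  tls_rollback_bug: bool = False) -> bytes:
    """Server-side handling of the check result, per RFC 5246 section 7.4.7.1.

    On mismatch the server should not send an alert (that would hand an
    attacker a version/padding oracle); it continues with a random PMS so
    that the handshake fails later at the Finished message instead.
    """
    if pms_version_ok(pms, client_hello_version, negotiated_version,
                      tls_rollback_bug):
        return pms
    return os.urandom(PMS_LEN)


if __name__ == "__main__":
    # Constructed scenario: the client offers TLS 1.2, the server negotiates
    # TLS 1.0.  A compliant client writes (3, 3) into the PMS; a client with
    # the rollback bug writes the negotiated (3, 1).
    rnd = bytes(range(46))  # constructed, not cryptographic randomness
    compliant = build_pms(TLS1_2, rnd)
    buggy = build_pms(TLS1_0, rnd)
    print("compliant, strict :", pms_version_ok(compliant, TLS1_2, TLS1_0))
    print("buggy, strict     :", pms_version_ok(buggy, TLS1_2, TLS1_0))
    print("buggy, relaxed    :", pms_version_ok(buggy, TLS1_2, TLS1_0, True))
```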
590074 : Wrong value for TCP connections closed measure
Component: Application Visibility and Reporting
Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.
Conditions:
TMM_API debug enabled.
Impact:
Wrong value displayed.
Workaround:
Do not turn on debug printing.
Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.
589862 : HA Group percent-up display value is truncated, not rounded
Component: TMOS
Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.
Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.
Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.
Fix:
The percent-up value is correctly rounded before display.
589606 : CSRF enabled within iframe request causes unpredictable behavior on a website.
Component: Application Security Manager
Symptoms:
The CSRF script changes the frame/iframe source attribute. When that happens, the browser issues a request, so for each frame on a page two requests are sent: the first is the original request when the frame is loaded, and the second is sent when the CSRF script changes the frame source attribute.
Conditions:
Enable ASM CSRF
Request a page with an iframe or frameset
Impact:
Viewing the site causes some pages to show up blank.
Workaround:
Bypassing or disabling ASM for the URL appears to fix the issue.
589400 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Component: Local Traffic Manager
Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.
Impact:
Additional connection latency.
Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.
If init-cwnd is low, raising it might also help.
Disabling abc can also reduce the problem, but might have other negative network implications.
Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.
589379 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
Component: TMOS
Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.
Conditions:
OSPF using route health injection for default route.
Impact:
No functional impact. The extraneous LSA is immediately aged out.
Workaround:
Configure a static default route in imish instead of using RHI for the default route.
Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
589318 : Clicking 'Customize All' checkbox does not work.
Component: Fraud Protection Services
Symptoms:
Clicking 'Customize All' in Safari browser does not check the checkboxes below, and the settings remain grayed out.
Conditions:
Provision and license FPS.
Impact:
FPS child profile page.
Workaround:
Use tmsh.
Fix:
Clicking the 'Customize All' checkbox in the Safari browser now checks the checkboxes below and changes the state of the corresponding settings.
589256 : DNSSEC NSEC3 records with different type bitmap for same name.
Component: Global Traffic Manager
Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.
Conditions:
For insecure delegations, our DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which we dynamically sign.
Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.
Workaround:
None.
Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.
589223 : TMM crash and core dump when processing SSL protocol alert.
Component: Local Traffic Manager
Symptoms:
TMM crash and core dump when processing SSL protocol alert.
Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.
589083 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
Component: TMOS
Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.
Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.
Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:
Can't create tmsh temp directory "/config/.config.backup" Permission denied
Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.
Impact:
Cannot save the configuration.
Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.
Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.
589039 : Clearing masquerade MAC results in unexpected link-local self IPs.
Component: Local Traffic Manager
Symptoms:
BigIP advertises fe80::200:ff:fe00:0 as a selfip
Conditions:
The masquerade MAC is changed from non-zero to zero.
Impact:
May cause IP conflicts between HA devices
Workaround:
Restart tmm after setting masquerade MAC to none
Fix:
Do not advertise invalid selfip on clearing masquerade MAC
589006 : SSL does not cancel pending sign request before the handshake times out or is canceled.
Component: Local Traffic Manager
Symptoms:
When TMM has many SSL handshakes using an ephemeral key, SSL must sign the ServerKeyExchange message, so a sign request may be pending on the crypto SSL queue. Even if the handshake times out or is canceled, the sign request remains in the queue. This might cause memory accumulation.
Conditions:
When TMM has many SSL handshakes using an ephemeral key, SSL must sign the ServerKeyExchange message.
Impact:
Even if the handshake times out or is canceled, the sign request remains in the queue. This might cause memory accumulation.
Workaround:
None.
Fix:
SSL now cancels the pending sign request before the handshake times out or is canceled.
588959 : Standby box may crash or behave abnormally
Component: Local Traffic Manager
Symptoms:
TMM crashes on the standby unit
Conditions:
The conditions that cause this are not known; it has been seen very rarely.
Impact:
Tmm on the standby device crashes. Memory utilization before the crash can appear to be unusually high.
588888 : Empty URI rewriting is not done as required by browser.
Component: Access Policy Manager
Symptoms:
Empty URI must be rewritten at server side and client side rewriter in the same way: as empty URI (all browsers treat this type of URI in a specific way).
Conditions:
A tag with an empty 'src' or 'href' attribute.
Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.
Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.
-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.
Fix:
This release fixes the issue of rewriting the empty URI the same way at the server side and client side: as empty URI (all browsers treat this type of URI in a specific way).
588879 : apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond
Component: Performance
Symptoms:
APM crashes during periods of high Active Directory lookups.
Conditions:
APM configured to use ldap. This was seen during stress testing of AD queries.
Impact:
APM crashes, clients unable to connect
588854 : Windows integrated logon client takes a long time to log on in some cases
Component: Access Policy Manager
Symptoms:
If Microsoft Windows integrated logon is used with the Edge client in locked mode, user login and logout take more than three minutes.
Conditions:
1) Windows integrated logon (also known as credential provider) is used.
2) Edge client is configured in locked mode.
Impact:
Usability
Workaround:
None.
Fix:
Microsoft Windows integrated logon client used when the Edge client is configured in locked mode no longer takes more than three minutes to logon.
588720 : Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
Component: Local Traffic Manager
Symptoms:
Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
Conditions:
TMM is overloaded. UDP datagram load-balancing is used.
Impact:
UDP packets are dropped.
Workaround:
None.
Fix:
The fast-forwarding mechanism now properly handles packets with invalidated flows. The packets are now sent back to the source tmm for reprocessing. The TCP and TCP4 filters were updated to work properly with the changed fast-forwarding implementation.
588686-2 : High-speed logging to remote logging node stops sending logs after all logging nodes go down
Component: Access Policy Manager
Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stops.
Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.
Impact:
Remote logging stops and will only resume if tmm is restarted.
588606 : HTML_TAG_MATCHED fired for non-matching tags.
Component: TMOS
Symptoms:
HTML_TAG_MATCHED might be raised for tags not configured in HTML profile rules.
This issue only causes extra executions of iRule events and does not affect the operation of configured HTML tag-raise-event rules.
Conditions:
Erroneous extra match might happen in two situations:
- When the last HTML tag in the current chunk of data (network packet) contains event handler attributes.
- When the same tag in the current buffer has tag-remove and tag-raise-event HTML rules configured. The tag will be removed and HTML_TAG_MATCHED event will be raised for the last tag of current buffer instead.
Impact:
HTML_TAG_MATCHED might be executed with unexpected HTML::tag values. The event handler might fail if it does not verify tag and attribute values.
Workaround:
HTML_TAG_MATCHED event handler should contain checks for tag and attribute values. This is a recommended style for writing iRules with HTML_TAG_MATCHED, and DevCentral examples are already written this way.
588456 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
Component: Policy Enforcement Manager
Symptoms:
When the BigIp is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address, the DHCP server sends the ACK to the renewal packet to the relay agent IP(giaddr) instead of ciaddr. Bigip DHCP module does not process the ACK and update the lease time, which causes PEM subscriber session to be aged out.
Conditions:
1) BigIP in forwarding mode.
2) The giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically, it is set to 0 by the DHCP client).
Impact:
PEM Subscriber Session will age out
588405 : BADOS - BIG-IP Self-protection during (D)DOS attack
Component: Anomaly Detection Services
Symptoms:
Problem: 100% accurate detection alone may not prevent an attack.
It is necessary to protect BIG-IP CPU utilization during an attack, both against bad actors (in addition to the shunlist) and against unknown IPs.
This mechanism should allow bad actor detection while keeping CPU utilization within reasonable limits.
Conditions:
High BIG-IP CPU utilization during (D)DOS attack
Impact:
Service impact due to BIG-IP CPU high utilization
Workaround:
No workaround
Fix:
Added additional CPU protection during a (D)DOS attack
588399 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
Component: Anomaly Detection Services
Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.
Conditions:
This can occur when Bad Actor detection is used
Impact:
CPU utilization will be higher than expected.
Fix:
An issue with referencing bad actors that have been detected and affecting CPU utilization has been fixed.
588351 : IPv6 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
IPv6 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.
588289 : GTM is Re-ordering pools when adding pool including order designation
Component: Global Traffic Manager
Symptoms:
GTM re-orders pools, including the "0" order, when adding a pool with a specific order designation.
Conditions:
This occurs when adding pools with a specified order.
Impact:
This changes the pool order unexpectedly, which affects load balancing using global-availability.
588115 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
Component: Local Traffic Manager
Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.
Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.
Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.
588089 : SSL resumed connections may fail during mirroring
Component: Local Traffic Manager
Symptoms:
SSL resumed connections when using SSL mirroring may fail during mirroring. This could result in SSL connections being unable to recover after failover.
Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.
Impact:
SSL connections unable to recover after failover.
Workaround:
Disable session cache to prevent connections from resuming.
588087 : Attack prevention isn't escalating under some conditions in session opening mitigation
Component: Application Security Manager
Symptoms:
Attack is detected and isn't escalating in session opening
Conditions:
A session opening attack in which the challenges are being answered by the attacker.
Impact:
The attack continues.
Workaround:
Configure the attack prevention as rate limit.
Fix:
Fixed attack escalation in some cases on session opening.
588058 : False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
Component: Fraud Protection Services
Symptoms:
Large numbers of "failed to unseal" Source Integrity alerts.
Conditions:
Source integrity feature enabled. Clients using Internet Explorer 8 to 10.
Impact:
High number of false positive alerts in alert dashboard.
Workaround:
Create alert dashboard signature to ignore source integrity alerts containing "failed to unseal" and Internet Explorer 8 to 10 user agent.
Fix:
Fixed parsing in relevant browsers.
588049 : Improve detection of browser capabilities
Component: Application Security Manager
Symptoms:
Browsers can override native functions, and manipulate the PBD capabilities test.
Conditions:
1. Proactive Bot defense is on.
2. The attacker overrides the browser's native functions.
Impact:
Malicious browsers can go undetected by PBD.
Workaround:
N/A
Fix:
PBD now checks that the majority of the browser's native functions are not overridden.
587966 : LTM fastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
Component: Local Traffic Manager
Symptoms:
LTM fastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.
Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.
Impact:
A Type DNS Query dropped intermittently.
Workaround:
Configure a standard virtual server with UDP profile for the traffic instead of using fastl4 or snat.
587915 : Improved SMTPS reset cause codes
Component: Local Traffic Manager
Symptoms:
All SMTPS TCP resets issue the same message from the same code line, making determining the exact cause difficult, if not impossible.
Conditions:
An exceptional situation (such as out of memory, missing STARTTLS command, or other internal error) occurs that causes the SMTPS hudfilter to tear down a connection.
Impact:
Usability - the connection will be torn down with only a vague indication of why.
Workaround:
None.
Fix:
Each connection teardown message is now unique, making it easier to determine the cause from the associated logs.
587773 : Add support for Thales version 12.10.01
Component: Local Traffic Manager
Symptoms:
BIG-IP versions prior to 13.0 do not support Thales version 12.10.01
Conditions:
This occurs on BIG-IP versions prior to 13.0
Impact:
If you have upgraded your Thales version, older versions of BIG-IP may not function correctly.
Workaround:
None
Fix:
This release adds support for Thales version 12.10.01.
587716 : Webtop doesn't notify user about ended session when F5 VPN application is used
Component: Access Policy Manager
Symptoms:
The Internet Explorer based VPN solution notifies the webtop window when the APM session expires. The new F5 VPN based solution (for Chrome and Firefox) has a technical limitation that prevents this, so the Webtop window still shows the webtop rather than a logout page, as it does with Internet Explorer.
Conditions:
* Chrome or Firefox is used
* Windows, Mac or Linux machine is used
* User establishes VPN using F5 VPN application
* Session expires on server
Impact:
When the session expires or is killed by an admin, the F5 VPN app exits, leaving the Webtop untouched. This may lead the user to believe that the session is still valid.
Workaround:
N/A
Fix:
Session validity is now checked when a user clicks on a resource tile on the webtop. If the session is expired, the webtop redirects to the logout page.
587705-2 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
Component: Local Traffic Manager
Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.
Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.
Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.
Workaround:
None.
Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.
587698 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
Component: TMOS
Symptoms:
bgpd daemon crashes
Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.
Impact:
bgpd daemon crashes leading to route loss and traffic loss.
Fix:
bgpd does not crash when both bgp extended-asm-cap and ip extcommunity-list standard with rt and soo parameters are configured.
587678 : LTM SSL should do a full handshake when peer attempts to resume a session with a different client TLS version.
Component: Local Traffic Manager
Symptoms:
When client hello reuses a previous session ID, and changes the SSL version from TLS 1.0 to TLS 1.2 in the handshake layer, but keeps the TLS 1.0 in the record layer, LTM accepts the session resumption, but changes the version of the record layer to TLS 1.2 as well, and finishes the resumption. However, the client aborts the connection due to the record layer version change.
Conditions:
When SSL client attempts to resume a session, but the client_version has changed.
Impact:
LTM accepts the session resumption, but changes the version of the record layer to TLS 1.2, and finishes the resumption. However, the client aborts the connection due to the record layer version change.
Workaround:
None.
Fix:
Instead of accepting the session resumption, LTM SSL now performs a full SSL handshake.
587676 : SMB monitor fails due to internal configuration issue
Component: Local Traffic Manager
Symptoms:
SMB monitor fails due to internal configuration issue
Conditions:
Configure the SMB monitor
Impact:
SMB monitor fails to execute
Fix:
Fixed an internal configuration issue so that the SMB monitor will load properly
587668-1 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
Component: TMOS
Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.
Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.
Impact:
Cannot clear the alert using the LCD.
Workaround:
Press the checkmark button followed by the left or right arrow buttons.
Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized, and the keypress is passed along later so that it is not lost. Pressing the LCD checkmark button now correctly brings up the clearing prompt on VIPRION blades.
587656 : GTM auto discovery problem with EHF for ID574052
Component: Global Traffic Manager
Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Conditions:
After applying EHF9-685.88-ENG
Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Workaround:
Skip to the next Eng HF: v11.4.1-hf10/hotfix/HF10-690.10-ENG
Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.
587629 : IP exceptions may have issues with route domain
Component: Application Security Manager
Symptoms:
The IP exception feature doesn't work as expected.
Conditions:
The same IP address is defined many times, each with a different route domain.
There were config changes to these IPs regarding their exception properties.
Impact:
An ignored IP is not ignored, and similar incorrect behavior.
Workaround:
bigstart restart asm
Fix:
Fixed an issue with IPs and route domain.
587617 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core
Component: Global Traffic Manager
Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.
Conditions:
No GTM server object is configured with an existing self IP.
Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.
Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671
Fix:
gtmd will not core.
587493 : MAC Edge client selects wrong network access resource if webtop contains multiple resources
Component: Access Policy Manager
Symptoms:
MAC edge client chooses last network access resource instead of first one, if multiple network access resources are configured on the webtop.
The Windows edge client selects the first resource. This may result in user confusion if multiple NA resources are configured.
Conditions:
All of the following conditions must be met:
- Multiple network access resources are configured on the webtop.
- The user uses the Mac Edge Client to establish a network access connection.
Impact:
Users may be confused and may connect to the wrong network access resource.
Workaround:
Any of the following workarounds works:
1) Do not configure multiple NA resources.
2) Create an access policy path that assigns the correct NA resource based on client detection.
3) Use a browser to establish the NA connection.
587419 : TMM may restart when SAML SLO is performed after APM session is closed
Component: Access Policy Manager
Symptoms:
TMM may core when a user performs SAML SLO on an SP/IdP external to the BIG-IP system and the BIG-IP APM session is no longer valid.
Conditions:
- The user initiates SAML SLO on an external SAML provider, and the external provider redirects the user to the BIG-IP system with an SLO request.
- The user does not have a valid session on the BIG-IP system when the SLO request is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable SAML SLO by removing SLO request/response URLs from configuration
Fix:
TMM will no longer restart in the case described above.
587106 : Inbound connections are reset prematurely when zombie timeout is configured.
Component: Carrier-Grade NAT
Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.
Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.
Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.
Workaround:
None.
Fix:
Inbound connections are no longer reset when zombie_timeout is configured to a non-zero value.
587096 : Incorrect result returned from IP::tos iRule in the FLOW_INIT event.
Component: Local Traffic Manager
Symptoms:
The result returned from the "IP::tos" iRule in the FLOW_INIT event is always zero (Normal-Service), even when the actual packet from the client has TOS set to a different value.
Conditions:
Calling the IP::tos iRule from within a FLOW_INIT event handler for a virtual server always returns zero. The following iRule demonstrates the issue:
when FLOW_INIT {
log local0. "TOS from [IP::client_addr] is [IP::tos]"
}
when CLIENT_ACCEPTED {
log local0. "TOS from [IP::client_addr] is [IP::tos]"
}
The logs will show that the IP::tos value is always 0 at FLOW_INIT, and always correct at CLIENT_ACCEPTED.
Impact:
Cannot make the correct service or routing decision at FLOW_INIT, based on the TOS provided in the initial packet in the flow.
Workaround:
None.
Fix:
The IP::tos iRule now correctly returns the TOS value from the initial client packet initiating a flow in the FLOW_INIT event handler.
587077 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
Vulnerability Solution Article: K37603172
587016 : SIP monitor in TLS mode marks pool member down after positive response.
Component: Local Traffic Manager
Symptoms:
The SIP monitor in TLS mode marks the pool member down even after a positive response, so the pool member monitored over TLS is constantly marked down.
Conditions:
SIP monitor configured in TLS mode.
Server does not send close_notify alert in response to the monitor's close_notify request.
Impact:
Unable to monitor the status of the TLS SIP server.
Workaround:
None.
Fix:
The SIP monitor in TLS mode now marks the pool member up after a positive response, which is the correct behavior.
586887 : SCTP tmm crash with virtual server destination.
Component: TMOS
Symptoms:
Rare configuration with SCTP can cause TMM core.
Conditions:
Complex configurations including wildcards, virtual servers and SCTP profiles.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a rare SCTP tmm crash with virtual server destination when using complex configurations including wildcards, virtual servers and SCTP profiles.
586878 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
Component: TMOS
Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.
The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.
Conditions:
The issue occurs when all of the following conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).
Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key
Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.
Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
For example, it might look similar to the following:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
app-service none
cert none
cert-key-chain {
"" { }
}
chain none
defaults-from /Common/clientssl
inherit-certkeychain false
key none
passphrase none
}
Note: The profile might have a cert-key-chain name but no cert/key. In other words, it could also appear similar to the following example:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
app-service none
cert none
cert-key-chain {
default { }
}
chain none
defaults-from /Common/clientssl
inherit-certkeychain false
key none
passphrase none
}
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
586862 : Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.
Component: Local Traffic Manager
Symptoms:
Tcl expression evaluations (outside of an iRule) can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. A couple of examples where Tcl expressions are evaluated outside the context of an iRule include the tcl-setvar action of LTM Policy and the Request Header Insert feature of the HTTP profile.
Conditions:
The issue has been found on a virtual server with both an iRule and an LTM Policy attached. The iRule calls TCP::collect when the connection is accepted and calls TCP::release in the CLIENT_DATA event. The LTM Policy has a single action that sets a Tcl set-variable expression.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tcl evaluation outside of an iRule no longer leads to tmm crash when the payload is synchronously released from below HTTP via an iRule.
586858 : Modifications to custom provisioning ratios via GUI are not saved in System :: Resource Provisioning.
Component: TMOS
Symptoms:
Modifications to custom provisioning ratios via GUI are not saved in System :: Resource Provisioning.
Conditions:
Use the GUI to customize any of the modules provisioned.
Impact:
Cannot customize provisioned ratios using the GUI.
Workaround:
Use tmsh to change the ratios.
Fix:
Modifications to custom provisioning ratios via GUI are now saved in System :: Resource Provisioning.
586758 : View HTML5 client doesn't work when APM is set to offload SSL from VCS
Component: Access Policy Manager
Symptoms:
The new integration of the VMware View HTML5 client (HTML5 client v2.6 or later) does not work if APM is configured for SSL offloading to the View Connection Server.
Conditions:
APM configured for PCoIP proxy case using APM webtop and VMware View HTML5 client.
Access to the VMware View backend is configured to take place over plain HTTP (SSL offloading mode) rather than HTTPS (SSL bridging mode).
Impact:
User cannot launch VMware View HTML5 client from APM webtop in case of SSL offloading mode.
Workaround:
Use SSL bridging mode to the backend.
Fix:
APM now supports launching the VMware View HTML5 client when SSL offloading mode is used.
586738 : The tmm might crash with a segfault.
Component: Local Traffic Manager
Symptoms:
The tmm might crash with a segfault.
Conditions:
Using IPsec with hardware encryption.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When IPsec is configured with hardware encryption, the hardware encryption path now returns an error code when appropriate and handles the error as expected, so tmm no longer crashes with a segfault.
586718 : Session variable substitutions are logged
Component: Access Policy Manager
Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see log entries similar to the following, with the encrypted password logged:
debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'
Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.
Impact:
Session variable substitutions should not be logged, even when the substituted value is encrypted.
Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.
Fix:
Session variable substitutions are no longer logged.
586660 : HTTP/ramcache2 and RAM Cache are not compatible.
Component: Local Traffic Manager
Symptoms:
A virtual server fails some requests where the response is served from cache.
Conditions:
If a virtual server has either SPDY or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache.
Also, a normal HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers.
Certain filters and plugins that required access to the response headers might also fail in unexpected ways.
Impact:
Errors in certain Tcl commands, or failed requests.
Workaround:
None.
Fix:
HTTP/ramcache2 and RAM Cache are now compatible, and documents served from cache always have accessible headers now.
Note: This change introduces a formatting variance in the response headers. Certain header values are now right justified where previously they were left justified. This includes the Age and Content-Length headers, though the Connection header remains left justified.
The following iRule removes the padding whitespace from these headers on responses served from cache:
when HTTP_RESPONSE_RELEASE {
set age_val [string trim [HTTP::header value Age]]
set con_len [string trim [HTTP::header value Content-Length]]
HTTP::header remove Age
HTTP::header remove Content-Length
HTTP::header insert Age "$age_val"
HTTP::header insert Content-Length "$con_len"
}
586657 : PPTP log entries now include route-domain information
Component: Carrier-Grade NAT
Symptoms:
Log entries for PPTP do not include the route domain.
Conditions:
Logging for PPTP
Impact:
Log entries for PPTP lack route-domain information.
Fix:
Log entries for PPTP now include the route domain.
Behavior Change:
HSL log entries for PPTP now include the route domain in the from (client) and nat fields.
586587 : RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
Component: Local Traffic Manager
Symptoms:
RatePaceMaxRate functionality does not work for TCP flows where the round-trip time (RTT) is less than 6ms. This results in data being sent at higher rates than the specified Max Rate.
Conditions:
RTT is less than 6ms.
Impact:
Packet loss might happen (queue overflow) due to sending at higher data rate than the specified max rate.
Workaround:
None.
Fix:
RatePaceMaxRate works as expected, irrespective of latency.
586449 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
Component: Local Traffic Manager
Symptoms:
If an under-provisioned TMM runs out of memory, allocation failures may result. Incorrect handling of allocation failures in the HTTP cookie code results in a TMM core.
Conditions:
Cookie persistence with encryption required is enabled on the virtual server, and an under-provisioned TMM runs out of memory, causing allocation failures.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Error handling in the HTTP cookie code is fixed. Allocation errors now result in connection resets rather than a core due to an assert.
586368 : Permissions problem on /var/log/sa6
Component: TMOS
Symptoms:
Non-root users or processes cannot read from or write to the /var/log/sa6 directory because its executable bit is not set (it should have 0755 permissions).
Conditions:
Non-root users attempt to read from or write to the /var/log/sa6 directory.
Impact:
Processes not run as root cannot read from or write to this directory, and permission errors abound.
Workaround:
As root, run the following command: chmod 755 /var/log/sa6 /var/log/sa. Once the directory has the correct permissions, the errors disappear.
586170 : RADIUS Auth Challenge message with Non-ASCII characters in it is rendered to users in hex-encoded form
Component: Access Policy Manager
Symptoms:
If the RADIUS server sends a challenge containing non-ASCII characters (e.g., from French or Spanish text), the user is presented with a hex string in the challenge. For example, the accented characters 'á, é, í, ó' are rendered as the hex-encoded string '0xe12c20e92c20ed2c20f3'.
Conditions:
Using APM with a RADIUS server that sends a challenge response with non-ASCII characters.
Impact:
End user sees a hex string instead of the challenge response.
Workaround:
1. Navigate to Access Policy :: Customization :: Advanced.
2. Locate logon.inc (under Access Policy, Logon Pages, Logon Page, in the Form Factor: Full/Mobile Browser frame of the screen).
3. Add code to logon.inc to decode the hex.
4. To do so, follow the instructions for either BIG-IP v12.0.0 or BIG-IP v11.6.0 HF6 to 12.0.0.
Search for function OnLoad() in logon.inc.
---In BIG-IP v12.0.0 and later, beginning on line 302 ---
302 function OnLoad()
303 {
304     var header = document.getElementById("credentials_table_header");
305     var softTokenHeaderStr = getSoftTokenPrompt();
306     if ( softTokenHeaderStr ) {
307         header.innerHTML = softTokenHeaderStr;
308     }
<? // ADD THE FOLLOWING CODE CHANGE INCLUDING THIS LINE
if($challenge == 1){?>
    else if(header.innerHTML.substring(0,2) == "0x"){
        var hex = header.innerHTML;
        var str = '';
        var i = 0;
        if (hex.charAt(0) == '0' && hex.charAt(1) == 'x') {
            i = 2;
        }
        var ret;
        // Decode each pair of hex digits into one byte; stop at the first non-hex pair.
        for (; i < hex.length; i += 2) {
            ret = parseInt(hex.substr(i, 2), 16);
            if(isNaN(ret)){
                break;
            } else {
                str += String.fromCharCode(ret);
            }
        }
        if(isNaN(ret)){
            ret = hex;   // not valid hex: show the original value unchanged
        } else {
            ret = str;   // bytes interpreted as Latin-1
            try{
                ret = decodeURIComponent(escape(str));   // reinterpret as UTF-8 when valid
            } catch(e){}
        }
        // HTML-escape the decoded text before assigning it to innerHTML.
        header.innerHTML = String(ret).replace(/</g, '&lt;').replace(/>/g, '&gt;');
    }
<?}?>
//END CHANGE
--- In BIG-IP v11.6.0 HF6 to 12.0.0, beginning on line 260 ---
260 function OnLoad()
261 {
262     var header = document.getElementById("credentials_table_header");
263     var softTokenHeaderStr = getSoftTokenPrompt();
264     if ( softTokenFieldId != "" && softTokenHeaderStr && edgeClientSoftTokenSupport()) {
265         header.innerHTML = softTokenHeaderStr;
266     }
<? // ADD THE FOLLOWING CODE CHANGE INCLUDING THIS LINE
if($challenge == 1){?>
    else if(header.innerHTML.substring(0,2) == "0x"){
        var hex = header.innerHTML;
        var str = '';
        var i = 0;
        if (hex.charAt(0) == '0' && hex.charAt(1) == 'x') {
            i = 2;
        }
        var ret;
        // Decode each pair of hex digits into one byte; stop at the first non-hex pair.
        for (; i < hex.length; i += 2) {
            ret = parseInt(hex.substr(i, 2), 16);
            if(isNaN(ret)){
                break;
            } else {
                str += String.fromCharCode(ret);
            }
        }
        if(isNaN(ret)){
            ret = hex;   // not valid hex: show the original value unchanged
        } else {
            ret = str;   // bytes interpreted as Latin-1
            try{
                ret = decodeURIComponent(escape(str));   // reinterpret as UTF-8 when valid
            } catch(e){}
        }
        // HTML-escape the decoded text before assigning it to innerHTML.
        header.innerHTML = String(ret).replace(/</g, '&lt;').replace(/>/g, '&gt;');
    }
<?}?>
//END CHANGE
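The decoding step in the workaround above, as a stand-alone added example (not code from the BIG-IP release note or from F5's logon.inc): it converts a hex-encoded challenge such as the page's '0xe12c20e92c20ed2c20f3' back to text by trying strict UTF-8 first and falling back to Latin-1, returns any non-hex value unchanged, and writes the result with textContent so the challenge is never parsed as markup. The function names, the use of TextDecoder, and the plain object standing in for the header element are assumptions of this example, and the server-side $challenge guard from logon.inc is not reproduced.

```javascript
// Added example: decode a hex-encoded RADIUS challenge safely (not F5 code).
// Assumes a modern browser or Node 11+ where TextDecoder is a global.

// Parse "0x…" into raw bytes, or return null when the value is not a
// well-formed hex string (odd length, non-hex digits, missing "0x" prefix).
function hexChallengeToBytes(hex) {
  if (typeof hex !== 'string' || !/^0x(?:[0-9a-fA-F]{2})+$/.test(hex)) {
    return null;
  }
  var body = hex.slice(2);
  var bytes = new Uint8Array(body.length / 2);
  for (var i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(body.substr(i * 2, 2), 16);
  }
  return bytes;
}

// Bytes -> string as ISO-8859-1: every byte maps directly to one code point.
function latin1Decode(bytes) {
  var out = '';
  for (var i = 0; i < bytes.length; i++) {
    out += String.fromCharCode(bytes[i]);
  }
  return out;
}

// Returns the decoded challenge text, or the input unchanged if it is not hex.
function decodeRadiusChallenge(hex) {
  var bytes = hexChallengeToBytes(hex);
  if (bytes === null) {
    return hex;
  }
  try {
    // fatal:true makes malformed UTF-8 throw instead of yielding U+FFFD,
    // so a Latin-1 challenge (0xE1 followed by 0x2C) takes the fallback.
    return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch (e) {
    return latin1Decode(bytes);
  }
}

// Write the decoded text into the header element. textContent never
// interprets markup, so no manual entity escaping is needed (contrast
// the innerHTML assignment in the logon.inc workaround).
function renderChallenge(headerElement, hex) {
  var text = decodeRadiusChallenge(hex);
  headerElement.textContent = text;
  return text;
}
```

Call renderChallenge(document.getElementById("credentials_table_header"), header.innerHTML) at the same point in OnLoad() where the workaround reads the "0x" prefix; a constructed element object such as {} is enough to exercise it outside a browser.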
586006 : Failed to retrieve CRLDP list from client certificate if DirName type is present
Component: Access Policy Manager
Symptoms:
Client certificate revocation checking fails.
Conditions:
Both of the following conditions must be met:
1. A CRLDP agent is configured in the access policy without the server hostname and port that DirName type processing requires, AND
2. At least one DirName type CRLDP is present in the client certificate and is first in the list.
Impact:
Users may fail access policy evaluation when client certificates are used.
Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.
585946 : ASM Disallowed Geolocations without a full country name known to BIG-IP are lost on update.
Component: Application Security Manager
Symptoms:
The mapping of country codes to their names that ASM REST and GUI use is not updated when the GeoIP database is updated, and some values are missing.
These country codes can still be added to the list of disallowed locations directly when viewing a request, but do not show up in the GUI or REST.
On a subsequent update, country codes are then lost.
Conditions:
A country code whose full country name mapping is missing from ASM is added to the list of disallowed Geolocations from the Request Log.
The GUI or REST interface is then used to update the list of disallowed geolocations.
Impact:
Traffic from the affected disallowed Geolocations is no longer blocked.
Workaround:
None.
585905 : Citrix Storefront integration mode with pass-through authentication fails
Component: Access Policy Manager
Symptoms:
Citrix StoreFront integration mode with pass-through authentication fails. The client fails with the error message "Authentication service is not reachable".
Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.
Impact:
Pass-through authentication cannot be used on the StoreFront for remote access to the store.
Workaround:
None
Fix:
Pass-through authentication can now be used for remote access to the store.
585833-2 : Qkview will abort if /shared partition has less than 2GB free space
Component: TMOS
Symptoms:
In order to inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This is not a hard requirement for building a qkview, which could potentially use much less than 2GB. Additionally, some F5 VE systems ship with less than 2GB in /shared, so qkviews cannot be produced on them.
Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.
Impact:
User is unable to create a qkview despite having enough room to build one.
Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/csp/#/article/K14952 for detailed instructions on resizing volumes.
Fix:
A warning about having less than 2GB will still be issued, but the qkview will continue to attempt to finish.
585823 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
Component: Advanced Firewall Manager
Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses a source address list to match the incoming source address, and the source translation object in the rule is configured for 'dynamic-pat' with mode = deterministic.
Conditions:
Both of the following conditions trigger the issue:
a) The FW NAT rule has a source translation object of type 'dynamic-pat' with mode = deterministic,
AND
b) The FW NAT rule matches on a source address-list only (no inline source addresses on the match side).
Impact:
Translation failure occurs as described, resulting in connection failures.
Workaround:
If a FW NAT rule has a source translation object with dynamic-pat in deterministic mode, specify the source address(es) on the match side as inline address(es) instead of as a source address-list containing those addresses.
Fix:
The fix uses the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.
585813-1 : SIP monitor with TLS mode fails to find cert and key files.
Component: Local Traffic Manager
Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.
Conditions:
SIP monitor with TLS mode.
Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.
Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.
Fix:
SIP monitor with TLS mode now finds cert and key files, so you can create SIP monitor with TLS mode enabled and have the pool correctly checked.
585807 : 'ICAP::method <method>' iRule is documented but is read-only
Component: Service Provider
Symptoms:
The 'ICAP::method' iRule command is documented as 'ICAP::method <REQMOD|RESPMOD>', which is said to both get and set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected the argument and at times accepted it. In fact the argument is ignored even when validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following:
01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"]
Conditions:
iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'.
Impact:
Users may attempt to change the method type. Usually the validator rejects it; in some versions the validator accepts it, but the command only returns the existing method type.
Workaround:
Do not attempt to change the method type with 'ICAP::method <method>'.
Fix:
ICAP::method is now documented as simply 'ICAP::method' with no argument, and it simply returns the current method type 'REQMOD' or 'RESPMOD'.
585786 : BWC policy object retrieval through XConfig interface fails
Component: TMOS
Symptoms:
BWC policy object retrieval through XConfig interface fails. If the customer uses EM, device discovery failures are noticed as well.
Conditions:
BWC policy objects
Impact:
BWC policy object retrieval through XConfig interface fails. If the customer uses EM, device discovery failures are noticed as well.
585745 : sod core during upgrade from 10.x to 12.x.
Component: TMOS
Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.
Conditions:
Upgrading a high availability configuration from 10.x to 12.x or later.
Impact:
Corefile generated, and system will temporarily go offline, resulting in an interruption of service.
Workaround:
Upgrade multiple devices in the high availability configuration from 10.x to a supported 11.x release, and then upgrade to the desired 12.x release.
Fix:
The failover daemon (sod) no longer cores during an upgrade, when the peer device upgrade completes and rejoins the trust.
585639 : SIP rport value not set in the BIG-IP system response to client (RFC 3581)
Component: Service Provider
Symptoms:
Session Initiation Protocol (SIP) rport value not set in the BIG-IP system response to client.
Conditions:
SIP Via header insertion is enabled on the BIG-IP system in a SIP MBLB profile or SIP MRF profile, and client requests have a Via header with rport set. RFC 3581 defines the rport parameter as a request that the server send the response back to the source IP address and port from which the request originated.
Impact:
No rport value in the client response. SIP client/server or peer/peer communications do not work as expected. Connections might fail.
Workaround:
Use an iRule similar to the following to insert the rport value into the header when the client requests it:
when SIP_REQUEST {
set topvia [SIP::via 0]
set replaceval ";rport=[UDP::remote_port];"
if { $topvia contains ";rport;" } {
set newtop [string map ";rport; $replaceval" $topvia]
SIP::header insert Via $newtop 0
SIP::header remove Via 1
}
}
Fix:
Session Initiation Protocol (SIP) rport value is now set as expected in the BIG-IP system response to client, as defined in RFC 3581.
585562 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
Component: Access Policy Manager
Symptoms:
When using Google Chrome or Safari (WebKit-based) browsers to launch the VMware View HTML5 client for Horizon 7 from the APM webtop, the attempt fails with a blank screen in place of the remote desktop session.
Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.
Impact:
Cannot use the HTML5 client. Only the native client (Horizon View client) is available.
Workaround:
Attach an iRule similar to the following to the virtual server to remove the Origin request header:
when HTTP_REQUEST {
if { [HTTP::header "Origin"] ne "" } {
HTTP::header remove "Origin"
}
}
Fix:
The VMware View HTML5 client shipped with Horizon 7 now works through BIG-IP APM in Chrome/Safari.
585547 : NTP configuration items are no longer collected by qkview★
Component: TMOS
Symptoms:
qkview was collecting the file /etc/ntp/keys, which in some cases contains secret keys used for integrity verification of NTP messages.
Conditions:
Execute qkview to collect diagnostic information.
Impact:
Possibility for keys to be exposed.
Workaround:
1. Do not execute qkview.
2. If you do execute qkview, do not share the resulting file with untrusted parties.
Fix:
With this release, qkview no longer collects this file.
585502 : nss, nspr, and nss-util vulnerabilities: CVE-2016-1978 and CVE-2016-1979
Vulnerability Solution Article: K37540306
585485 : Interoperability of "delete IPSEC-SA" between Azure, ASA and BIG-IP
Component: TMOS
Symptoms:
Some IKEv1 IPsec vendor implementations (for example, Cisco ASA) send a delete SPI message for one IPsec-SA and expect the peer to also delete the sibling IPsec-SA (the SPI in the other direction).
The BIG-IP system sends and expects delete messages carrying both SPIs.
Conditions:
An IPsec tunnel between a BIG-IP system and certain other vendors' implementations may experience this. Azure and Cisco ASA are two such vendors.
Impact:
The IPsec tunnel goes down and in some situations does not renegotiate, because the BIG-IP system believes the outgoing SPI is still active. The tunnel stays down until the lifetime of the outbound SA expires.
Workaround:
Delete the outbound SA from the BIG-IP system with the following tmsh command, specifying the related SA by its properties:
(tmos)# delete net ipsec ipsec-sa ?
Properties:
"{" Optional delimiter
dst-addr Specifies the destination address of the security associations
spi Specifies the SPI of the security associations
src-addr Specifies the source address of the security associations
traffic-selector Specifies the name of the traffic selector
Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.
585442 : Provisioning APM to "none" creates a core file
Component: Access Policy Manager
Symptoms:
Provisioning APM level to "none" may result in apmd creating a core file.
Conditions:
When the APM service is shut down, the apmd daemon may create a core file.
Impact:
Harmless
Workaround:
There is no loss in functionality.
585412 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
Component: Local Traffic Manager
Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory'.
Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection that does not use TLS sends a DATA section containing a text line longer than approximately 8192 characters.
8192 characters is an approximation of the maximum line length. The actual problem length can be affected by the MSS value and the particular way the TCP traffic is segmented.
Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email is not delivered.
Workaround:
None.
Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.
585352 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI
Component: Application Security Manager
Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the selfLink in the iControl REST API.
Conditions:
Update brute force settings in GUI
Impact:
The unique record part (rest_uuid) of the selfLink is changed, so existing references to the record break.
Workaround:
Update brute force settings using the REST API
Fix:
The GUI no longer changes rest_uuid when brute force settings are updated.
585332-4 : Virtual Edition network settings aren't pinned correctly on startup★
Component: TMOS
Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).
Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.
Impact:
Since CPU0 is unusually high compared to previous releases, upgrading could put Virtual Edition into an overloaded state.
Workaround:
Running bigstart restart tmm restarts the network interfaces and pins them to the right IRQs.
Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.
585120 : Memory leak in bd under rare scenario
Component: Application Security Manager
Symptoms:
Under high traffic and certain rare conditions, bd may leak memory and cause an ASM restart.
Conditions:
ASM enabled and under high traffic
Impact:
Traffic is aborted while the restart is happening. High swap and memory usage.
Workaround:
None.
Fix:
A memory leak in the bd was fixed.
585097 : Traffic Group score formula does not result in unique values.
Component: TMOS
Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.
Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.
The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.
Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.
Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.
Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.
585054 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
Component: Application Security Manager
Symptoms:
When you import an XML file that contains references to violations in the delay blocking session tracking configuration, extra violations get added to the list.
Conditions:
This occurs when importing delay-type violations in ASM
Impact:
A very large subset of the violations is added to the policy
Fix:
BIG-IP now imports delay-type violations correctly.
584926 : Accelerated compression segfault when devices are all in error state.
Component: Local Traffic Manager
Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.
Conditions:
All physical or virtual devices concurrently enter error state.
Impact:
TMM segfaults and restarts. May require a reboot.
Workaround:
Disable QAT compression using tmsh:
tmsh modify sys db compression.strategy value softwareonly
Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.
584921 : Inbound connections fail to keep port block alive
Component: Carrier-Grade NAT
Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However, inbound connections to a client using a port block fail to refresh the block, causing the block to expire prematurely. An inbound connection can remain active after the port block has been deleted.
Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.
Impact:
When reverse mapping an inbound connection to a subscriber (e.g. trying to find who was using an IP address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client, when the reverse map is performed at a time when the connection is closed.
Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.
Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.
584914 : Unsupported customization fields are shown for VMware View Logon Page policy agent
Component: Access Policy Manager
Symptoms:
The following customization text fields are shown to the user for the VMware View Logon Page policy agent:
- Logon Page Input Field #1
- Logon Page Input Field #2
- Logon Page Original URL
In fact, these cannot be customized, so showing them is misleading.
Conditions:
A user is configuring an access policy for native Horizon View client access through APM.
Impact:
Users may assume these fields affect the Horizon View client look and feel, although they do not.
Workaround:
No workaround; these fields should be ignored until they are hidden.
Fix:
These fields are now hidden.
584840 : The "Maximum Line Length" violation is not detected in the last line of a websocket frame.
Component: Application Security Manager
Symptoms:
The "Maximum Line Length" setting of the plain text profile does not inspect the last line sent in a WebSocket frame. This is true even if only a single line of text is sent over the WebSocket.
Conditions:
A plain text profile is used, with Maximum Line Length set.
Impact:
If a max-length violation occurs on the last line of text, ASM will not flag the violation.
Workaround:
None
Fix:
ASM now validates the length of all lines in a WebSocket frame when Maximum Line Length is specified in the profile.
584788 : Directed failover of HA pair using only hardwire failover will fail
Component: TMOS
Symptoms:
Units configured in an HA pair using only hardwire failover are not able to use a targeted failover.
Conditions:
HA pair configured without network failover but with hardwire failover.
Failover is attempted using one of the following two methods:
- Via the GUI: Device Management -> Traffic Groups, check <traffic group>, click "force to standby", then click "force to standby" again.
- Via tmsh:
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>
Impact:
Failover may fail with the following logs in /var/log/ltm:
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.
Workaround:
Use an alternative failover method:
- Device Management > Devices > Force to Standby
- Device Management > Traffic Groups > [traffic Group name] > Force to Standby
- tmsh run sys failover standby # without device
Fix:
BIG-IP now fails over using targeted failover when hardwire failover is configured.
584772-3 : ssldump may crash when decrypting bad records
Component: Local Traffic Manager
Symptoms:
ssldump crashes while decrypting.
Conditions:
Using ssldump to decrypt SSL which contains bad records.
Impact:
ssldump crashes, making it difficult to decrypt SSL data.
584716 : SAML XML Canonicalization on BIG-IP as IdP may return invalid value if AuthnRequest is formed in a special way
Component: Access Policy Manager
Symptoms:
Signature validation fails on BIG-IP as IdP when the AuthnRequest from an external SP is signed and contains a newline/linefeed character after the '</Signature>' element.
Conditions:
- BIG-IP is used as IdP
- The external SP signs AuthnRequests
- The signed AuthnRequest contains a newline/linefeed character after the '</Signature>' element
Impact:
WebSSO will fail.
Workaround:
n/a
Fix:
This issue is now fixed.
584642 : Apply Policy Failure
Component: Application Security Manager
Symptoms:
Some policies cannot be successfully applied/activated.
Conditions:
Signature overrides on Content Profiles are configured.
Impact:
The policy cannot be applied.
Workaround:
None.
Fix:
Policies can be successfully applied.
584623 : Response to -list iRules command gets truncated when dealing with MX type wide IP
Component: Global Traffic Manager
Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.
Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.
Impact:
WideIP MX-type pool members are truncated in the log.
Workaround:
None
584583 : Timeout error when attempting to retrieve large dataset.
Component: TMOS
Symptoms:
The REST API can time out when attempting to retrieve a large dataset, such as a large GTM pool list. The error signature when using the REST API looks like "errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET "
Conditions:
Configuration containing a large number of GTM pools and pool members (thousands).
Impact:
If using the REST API to retrieve the pool list, you may receive timeout errors.
584582 : JavaScript: 'baseURI' property may be handled incorrectly
Component: Access Policy Manager
Symptoms:
If a generic JavaScript object has a 'baseURI' property, Portal Access may handle it incorrectly: the web application may get an 'undefined' value for this property.
Conditions:
A user-defined JavaScript object has a 'baseURI' property.
Impact:
Web application may work incorrectly.
Workaround:
An iRule can be used to remove F5_Deflate_baseURI() calls from the rewritten JavaScript code.
Fix:
JavaScript objects with a 'baseURI' property are now handled correctly by Portal Access.
584504 : Allowing non-English characters on login screen
Component: TMOS
Symptoms:
Usernames and passwords can contain non-English characters, but logging in with them fails.
Conditions:
Usernames and/or passwords contain non-English characters.
Impact:
Users entering these characters on the login screen are unable to log in.
Workaround:
Make sure usernames and/or passwords contain only English characters.
Fix:
Usernames and passwords with non-English characters can be used to log in.
584471 : Priority order of clientssl profile selection of virtual server.
Component: Local Traffic Manager
Symptoms:
When an SSL connection with a specified server name is received on a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
The issue is that, per RFC 6125, the common name should be used only as a 'last resort'. In other words, the third rule should be the second rule.
Conditions:
The issue occurs when all of the following conditions are met.
(1) The incoming SSL request includes the SNI (server name) extension in the ClientHello, specifying the desired SSL server.
(2) The server name given by the client does not match any server name configured in any of the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profiles of the virtual server have subject alternative names (note that every certificate has a common name, but not necessarily subject alternative names).
Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.
Workaround:
None.
Fix:
The priority order of clientssl profile selection for a virtual server has been changed. The system now matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the common names of the certificates used by the clientssl profiles.
So the common-name match is last, which is correct according to RFC 6125.
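The selection order above, as an added illustration that is not F5 code: the pre-fix order (server name, CN, SAN) beside the RFC 6125 order (server name, SAN, CN), with a constructed set of profiles chosen so the two orders pick different profiles. Profile names, hostnames and the dataclass fields are assumptions made for the example.

```python
"""Added example (not F5 code): clientssl profile selection by SNI,
comparing the order before and after the fix for issue 584471."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientSslProfile:
    name: str
    server_name: Optional[str]       # explicit server-name setting; may be unset
    cert_cn: str                     # subject common name (every certificate has one)
    cert_sans: List[str] = field(default_factory=list)  # dNSName SANs, possibly empty


def dns_id_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID comparison. A '*' is accepted only as the whole
    leftmost label, matches exactly one label, and is refused for patterns
    with fewer than three labels such as '*.test' (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _server_names(p: ClientSslProfile) -> List[str]:
    return [p.server_name] if p.server_name else []


def _sans(p: ClientSslProfile) -> List[str]:
    return p.cert_sans


def _cn(p: ClientSslProfile) -> List[str]:
    return [p.cert_cn]


def select_profile(sni: str, profiles: List[ClientSslProfile],
                   rfc6125_order: bool = True) -> Optional[ClientSslProfile]:
    """Walk the rules in order; each rule is tried against every profile
    before moving to the next rule, so an explicit server name on any
    profile beats a certificate-name match on an earlier profile."""
    steps = [_server_names] + ([_sans, _cn] if rfc6125_order else [_cn, _sans])
    for candidates in steps:
        for profile in profiles:
            if any(dns_id_matches(name, sni) for name in candidates(profile)):
                return profile
    return None


# Constructed configuration (assumption for the example): an old certificate
# that carries the name only in its CN, a newer one whose SAN list carries
# it, and one profile with an explicit server name.
PROFILES = [
    ClientSslProfile("legacy_shop", None, "shop.example.test", []),
    ClientSslProfile("wildcard_web", None, "example.test",
                     ["www.example.test", "*.example.test"]),
    ClientSslProfile("api_explicit", "api.example.test", "unrelated.example.test",
                     ["api.example.test"]),
]


def demo(sni: str):
    """Return (profile chosen before the fix, profile chosen after the fix)."""
    before = select_profile(sni, PROFILES, rfc6125_order=False)
    after = select_profile(sni, PROFILES, rfc6125_order=True)
    return (before.name if before else None, after.name if after else None)


if __name__ == "__main__":
    for host in ("shop.example.test", "api.example.test", "other.example.org"):
        print(host, demo(host))
```

For shop.example.test the old order returns the CN-only legacy profile while the RFC 6125 order returns the profile whose SAN covers the name; an explicit server name wins under both orders.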
584374 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
Component: Global Traffic Manager (DNS)
Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.
Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.
Fix:
TMM no longer crashes when the iRule command RESOLV::lookup is used.
584373 : AD/LDAP resource group mapping table controls are not accessible sometimes
Component: Access Policy Manager
Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.
Conditions:
Very long group names and resource names.
Impact:
It is impossible to delete or move rows in the table; editing is still possible.
Workaround:
Spread one assignment across multiple rows.
Fix:
A scroll bar now appears when needed.
584310-5 : TCP:Collect ignores the 'skip' parameter when used in serverside events
Component: Local Traffic Manager
Symptoms:
When TCP::collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.
Conditions:
TCP::collect is used in server-side events such as SERVER_CONNECTED with the 'skip' parameter. This is an intermittent issue that has been observed only with IIS servers.
Impact:
TCP::collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.
Workaround:
None.
Fix:
The skip and length arguments of the TCP::collect command are now honored during packet processing.
584242 : tmm assert "wrong selector tag"
Component: TMOS
Symptoms:
The tmm will assert with "wrong selector tag."
Conditions:
This may happen with a high IPsec tunnel count (for example, 24000 tunnels defined) when the system is out of memory.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision the system within working limits.
Fix:
The tmm assert has been corrected.
584213 : Transparent HTTP profiles cannot have iRules configured
Component: Local Traffic Manager
Symptoms:
When an HTTP profile is configured in transparent mode but still has an iRule attached to it, tmm crashes.
Conditions:
An iRule such as the following is attached, but the proxy is transparent:
when HTTP_PROXY_REQUEST {
after 1000
}
The configuration is changed from explicit to transparent while the iRule is inside the 'after' command. tmm then attempts to use configuration that no longer exists and crashes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This is incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.
Fix:
Incorrectly configured proxy types from TMOS installations of earlier versions will be corrected at upgrade time. A warning will be logged that describes the change made.
584113 : "Util% (last 10 sec)" Field in "tmsh show sys cpu" when 5 second average is computed
Component: TMOS
Symptoms:
When the command "tmsh show sys cpu" is executed, the output has "Util% (last 10 sec)" field displayed with incorrect information for the total column.
Conditions:
This occurs when the command "tmsh show sys cpu" is invoked.
Impact:
The displayed data is not correct. Instead, the system displays the usage ratio, which is calculated in an entirely different manner.
Workaround:
You can use the tmctl command to display the 5 second average ratio, which is what the output should be. The command is:
tmctl cpu_info_stat -s five_sec_avg.ratio
This provides the workaround to the output for the tmsh command "tmsh show sys cpu".
Fix:
The "Util% (last 10 sec)" field in the "tmsh show sys cpu" output now displays the 5 second average data when the 5 second average is computed.
584103 : FPS periodic updates (cron) write errors to log
Component: Application Security Manager
Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.
Conditions:
FPS is not provisioned.
Impact:
Errors appear in the FPS logs.
584082 : BD daemon crashes unexpectedly
Component: Application Security Manager
Symptoms:
bd crashes, with the following log signature immediately before the crash in /var/log/bd.log:
"IO_PLUGIN|ERR |Mar 29 20:48:02.217|17328|plugin_common.c:0085|plugin context doesn't match the argument which was originally set on it".
Conditions:
It is not known exactly what triggers this condition; it can occur intermittently during normal use of ASM.
Impact:
A bd crash, failover, traffic disturbance.
Workaround:
None.
Fix:
A bd crash scenario has been fixed.
584029-1 : Fragmented packets may cause tmm to core under heavy load
Component: Local Traffic Manager
Symptoms:
tmm cores due to an assertion.
Conditions:
tmm offloads a fragmented packet via an ffwd operation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
583957 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.
Component: Local Traffic Manager
Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.
Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.
Impact:
The TMM will be restarted by SOD.
Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.
583943 : Forward proxy does not work when netHSM is configured on TMM interfaces
Component: Local Traffic Manager
Symptoms:
Forward proxy feature does not always work when netHSM is configured on TMM interfaces.
Conditions:
A netHSM device is configured on a TMM interface.
Impact:
The forward proxy feature does not work. This is an intermittent issue.
Workaround:
None.
Fix:
Forward proxy now works consistently when netHSM is configured on TMM interfaces.
583936 : Removing ECMP route from BGP does not clear route from NSM
Component: TMOS
Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.
Conditions:
ECMP routing must be enabled and in-use.
Impact:
ECMP routes are not properly removed from the main routing table.
Fix:
Now properly removing ECMP routes from the routing table.
583777 : [TMSH] sys crypto cert missing tab completion function
Component: TMOS
Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the name of the certificate that you want to operate on.
Conditions:
This occurs in tmsh:
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
Impact:
Not possible to select a certificate using tab complete.
Workaround:
Manually type the certificate name.
Fix:
With the fix, you can now see the existing certificate names when pressing tab key for the tmsh command "sys crypto cert".
583754 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
Component: TMOS
Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.
Conditions:
TMM must be down.
Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.
Workaround:
N/A
583700 : tmm core on out of memory
Component: Local Traffic Manager
Symptoms:
tmm memory increases quickly, then tmm crashes on an out-of-memory condition.
Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH ciphers.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Ongoing crypto requests are now cancelled when the handshake is dropped.
583686 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
Component: Application Security Manager
Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.
Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.
Impact:
Unable to view or edit the policy, and the "Illegal meta character in value" violation is triggered.
583629 : ASM subsystem error appears in asm log after changing XML/JSON profile for parameter
Component: Application Security Manager
Symptoms:
An ASM subsystem error appears in the asm log after changing the XML/JSON profile for a parameter:
ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::save_events_to_config_log): Couldn't save to config log (Attempt to bless into a reference at /usr/local/share/perl5/F5/ASMConfig/Entity/Base.pm line 192. )
Conditions:
ASM is provisioned.
Change one XML/JSON profile, assigned to a parameter, to another XML/JSON profile.
Impact:
An ASM subsystem error appears in the asm log after changing the XML/JSON profile for a parameter.
Workaround:
N/A
Fix:
The error no longer occurs when changing the XML/JSON profile for a parameter.
583627 : Portal Access code does not check if methods of XMLHttpRequest Javascript object are redefined by application
Component: Access Policy Manager
Symptoms:
Portal Access code does not check whether wrapped methods of the XMLHttpRequest JavaScript object were redefined by the web application. In the worst case, this allows application code to read or modify the mangled URL before sending an AJAX request.
Conditions:
The application redefines the 'open' method of the XMLHttpRequest object or its prototype.
Impact:
Application code can read and modify the already rewritten URL and send unmangled AJAX requests.
583600 : Portal Access could send to backend application wrong URL query separator
Component: Access Policy Manager
Symptoms:
If any query parameters were added to the request URL after it was processed by the F5 rewriting code, the backend application could receive a URL with the wrong query separator (';').
Conditions:
This occurs on Portal Access: some POST request parameters may have a semicolon as a query separator and not get rewritten.
Impact:
Applications expecting '&' as the query separator will not be able to parse the query part of the URL correctly and may return an error.
Workaround:
when REWRITE_REQUEST_DONE {
# Replace parameter_name with the actual name of the parameter that is added after F5CH.
# The ';' separator in front of that parameter is rewritten to '&'.
if { [HTTP::query] contains {;parameter_name=} } {
HTTP::query [string map {;parameter_name= &parameter_name=} [HTTP::query]]
}
}
Fix:
Requests to the back-end server with query parameters now contain the parameter delimiters from the original web application request.
583516 : tmm ASSERT's "valid node" on Active, after timer fire..
Component: TMOS
Symptoms:
TMM crashes on ASSERT's "valid node".
Conditions:
The cause is unknown, and this happens rarely.
Impact:
tmm crashes.
Workaround:
None.
Fix:
TMM no longer asserts on 'valid node'
583502 : Considerations for transferring files from F5 devices
Component: TMOS
Symptoms:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Conditions:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Impact:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Fix:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
583475 : The BIG-IP may core while recompiling LTM policies
Component: TMOS
Symptoms:
In some rare and still unknown situations, the BIG-IP mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.
Conditions:
Creating or modifying LTM policies.
Impact:
The BIG-IP control plane services restart, affecting both control plane and data plane functionality.
Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.
Fix:
Not fixed yet.
583367-2 : AJAX encryption may send corrupted payload when configuration is incorrect
Component: Fraud Protection Services
Symptoms:
AJAX encryption can fail when non-existent fields are configured.
Conditions:
Activate AJAX encryption and configure fields that don't exist in the page.
Impact:
Decryption of AJAX may fail.
Workaround:
n/a
Fix:
AJAX encryption now works as expected.
583355 : The TMM may crash when changing profiles associated with plugins
Component: Local Traffic Manager
Symptoms:
The TMM may crash when changing profiles associated with plugins.
Conditions:
There must be a profile associated with a plugin already on a virtual server, and traffic must be running. When the profile is removed or swapped for another, the crash may occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A safe way to definitely avoid a crash is to stop the plugin before making changes to its profile.
583285 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system.
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part two of a two-part fix. Fixes for bug 569236 provide part one of the fix.
583113 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
The following iRule did not work as expected when the access profile had NTLM auth configured. The client still received a 407 prompt to enter NTLM credentials.
when HTTP_PROXY_REQUEST {
if { [HTTP::uri] contains "disable" } {
ACCESS::disable
}
}
Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.
Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.
Workaround:
The following iRule works from HTTP_REQUEST:
when HTTP_REQUEST {
if { [HTTP::uri] contains "disable" } {
ACCESS::disable
ECA::disable
}
}
Fix:
When the ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM is configured, then wake up the ECA plugin".
The fix changed the logic to "if NTLM is configured and the ACCESS filter is not disabled, then wake up the ECA plugin."
583108 : Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
Component: TMOS
Symptoms:
When a neighbor with an IPv4 address is disabled in the IPv6 address family, show running-config displays that the neighbor is disabled. However, when tmrouted or the BGP protocol is restarted or rebooted, the neighbor is enabled again. Configuration persistence is not maintained.
Conditions:
1. Disable a neighbor with an IPv4 address in the IPv6 address family.
2. Reboot/restart tmrouted or the BGP protocol.
Impact:
Configuration persistence is not maintained. This affects BIG-IP upgrades, because the configuration loaded is not the same as it was before the upgrade. Similarly, a restart/reboot loads a different configuration than was originally used. This may alter the intended behavior of the protocol that the user expects.
Workaround:
Disable the neighbor again.
Fix:
Configuration persistence is now maintained for a disabled neighbor with an IPv4 address in the IPv6 address family.
583101 : ADAPT::result bypass after continue causes bad state transition
Component: Service Provider
Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.
Conditions:
iRules exist on a VS with an adapt profile, containing:
when ADAPT_REQUEST_RESULT {
ADAPT::result bypass
}
or
when ADAPT_RESPONSE_RESULT {
ADAPT::result bypass
}
Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.
Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).
Fix:
Tcl command 'ADAPT::result bypass' is allowed in ADAPT_REQUEST_RESULT and ADAPT_RESPONSE_RESULT at any time, even outside a preview (such as when the ICAP server has previously returned 100-continue and the preview has been dropped). No further payload is sent to the IVS, and further IVS response payload is ignored by ADAPT. The unmodified HTTP headers, any preview, and any future original payload bypass the IVS. A warning is logged in cases where some payload might have been lost (such as when there is no preview or it has been dropped, as is the case after ICAP 100-continue). The HTTP connections remain intact and amenable to user iRules replacing the content.
583043 : tmm segfault: ikev2_noncecmp (n1=0x0, n2=0x0)
Component: TMOS
Symptoms:
The tmm cores when using IPsec IKEv2.
Conditions:
A rare timing condition related to IPsec decryption and security association timeout.
Impact:
All connections reset.
583024 : TMM restart rarely during startup
Component: Advanced Firewall Manager
Symptoms:
A TMM crashes with a core file during startup. It then restarts correctly.
Conditions:
The system starts up.
Impact:
The system startup takes longer. A core file appears. Traffic is not impacted and a failover usually doesn't occur since the system didn't reach the active state.
Workaround:
None.
Fix:
TMM no longer crashes during startup.
583010-1 : Sending a SIP invite with "tel" URI fails with a reset
Component: Service Provider
Symptoms:
Using an "INVITE tel:" URI results in a SIP error (Illegal value).
Conditions:
Sending a SIP "INVITE tel:" to BIG-IP does not work.
Impact:
"INVITE tel:" messages are not accepted by BIG-IP.
Workaround:
None
Fix:
An EHF will be released to address this issue. It will also be addressed in a future release.
582844 : Start Screen Guest List is not available
Component: TMOS
Symptoms:
Guest List is not available as a Start Screen.
Conditions:
vCMP is enabled.
Impact:
Cannot use Guest List as the Start Screen.
Workaround:
None.
Fix:
Guest List option has been added for the Start Screen.
582769 : WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
Component: Local Traffic Manager
Symptoms:
WebSocket frames are not forwarded when a WebSocket profile is attached and ASM is enabled on the virtual server.
Conditions:
The virtual server has a WebSocket profile attached and ASM is enabled on it. The WebSocket server replies with a "Connection: upgrade" header. The issue is also seen if multiple values are present in the Connection header.
Impact:
WebSocket frames are not forwarded to the pool member.
Workaround:
Use a simple iRule similar to the following:
when HTTP_RESPONSE {
if { [HTTP::status] == 101 } {
HTTP::header replace "Connection" "Upgrade"
}
}
Fix:
The system now accepts "Connection: UPGRADE" or "Connection: upgrade" as valid header for WebSocket handshake, and supports a comma-separated list of values for the Connection response header.
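The handshake check described in this fix, as an added example that is not F5 code: the strict comparison that rejects "upgrade" and "keep-alive, Upgrade" beside a token-list check that treats the Connection header as RFC 7230 defines it (comma-separated, case-insensitive tokens). The sample server responses are constructed for the example.

```python
"""Added example (not F5 code): validating the Connection header of a
WebSocket 101 response, strict form beside the token-list form (issue 582769)."""
from typing import Dict, List


def connection_tokens(value: str) -> List[str]:
    """Split a Connection header into lower-cased tokens. RFC 7230 defines it
    as a comma-separated list of case-insensitive tokens with optional
    whitespace, so 'keep-alive, Upgrade' carries two tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def strict_is_upgrade(headers: Dict[str, str]) -> bool:
    """Behaviour the issue describes: only the exact value 'Upgrade' passes,
    so 'upgrade', 'UPGRADE' and 'keep-alive, Upgrade' are all rejected and
    the frames are never forwarded."""
    return headers.get("Connection") == "Upgrade"


def token_is_upgrade(headers: Dict[str, str]) -> bool:
    """Fixed behaviour: 'upgrade' may appear in any case and at any position
    in the token list."""
    return "upgrade" in connection_tokens(_header(headers, "Connection"))


def websocket_handshake_ok(status: int, headers: Dict[str, str]) -> bool:
    """Minimal 101 check: status, 'Upgrade: websocket' and a Connection
    header that lists the upgrade token."""
    return (status == 101
            and _header(headers, "Upgrade").lower() == "websocket"
            and token_is_upgrade(headers))


# Constructed server responses: the first passes both checks, the next two
# are the forms the issue says were rejected before the fix.
RESPONSES = {
    "canonical": {"Upgrade": "websocket", "Connection": "Upgrade"},
    "lowercase": {"Upgrade": "websocket", "Connection": "upgrade"},
    "list": {"upgrade": "WebSocket", "connection": "keep-alive, Upgrade"},
    "not_ws": {"Connection": "close"},
}


def compare() -> Dict[str, tuple]:
    """Return {name: (strict result, token-list result)} for each response."""
    return {n: (strict_is_upgrade(h), token_is_upgrade(h)) for n, h in RESPONSES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```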
582752 : Macrocall could be topologically not connected with the rest of policy.★
Component: Access Policy Manager
Symptoms:
It is possible to create a macrocall access policy item that:
1. Belongs to the policy items list.
2. Is correctly connected to an ending.
3. Has no incoming rules (i.e., no items pointing at it).
Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item that refers to this macrocall item from the access policy.
As a result, the macrocall item remains.
Impact:
VPE fails to render this access policy.
Workaround:
Delete the macrocall access policy item manually using tmsh commands.
Fix:
Any modification of an access policy is not allowed if it makes any access policy item non-referenced.
At upgrade time, non-referenced access policy items are deleted. All subsequent access policy items are deleted as well. The resulting access policies can be rendered correctly by VPE. Note that only the active configuration is corrected; the saved configuration file (/config/bigip.conf) contains the uncorrected version until new configuration changes are made. The active configuration can be saved with an explicit tmsh command ('tmsh save sys config partitions all').
582683 : xpath parser doesn't reset a namespace hash value between each and every scan
Component: Application Security Manager
Symptoms:
After a while, the iRule event stops firing until the cbrd daemon is restarted.
Conditions:
The customer has a virtual server configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.
Impact:
XML content based routing does not work dependably.
Workaround:
N/A
Fix:
The xpath parser has been fixed: the namespace declarations are restored each time the xpath parser finishes parsing a document.
582629 : User Sessions lookups are not cleared, session stats show marked as invalid
Component: Application Visibility and Reporting
Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.
Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.
Impact:
Session statistics are reported incorrectly.
Fix:
An issue with session statistics not clearing after session timeout has been fixed.
582526 : Unable to display and edit huge policies (more than 4000 elements)
Component: Access Policy Manager
Symptoms:
Displaying huge policies (more than 4000 elements) takes a very long time or fails entirely. VPE returns a server timeout error or simply halts.
Conditions:
Huge Access Policy, for example, containing 4000 or more elements.
Impact:
Unable to edit policy because VPE times out.
Workaround:
None.
Fix:
VPE loading times for APM policies are greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.
582487-1 : 'merged.method' set to 'slow_merge,' does not update system stats
Component: Local Traffic Manager
Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats is not updated and remains zero.
Conditions:
Merged.method is set to slow_merge.
Impact:
System stats such as overall CPU usage remain at zero.
Workaround:
Set Merged.method to fast_merge.
Fix:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats are now updated as expected.
582465 : Cannot generate key after SafeNet HSM is rebooted
Component: Local Traffic Manager
Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.
Conditions:
The BIG-IP system uses the SafeNet HSM.
Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.
Workaround:
To generate a new key after the HSM finishes starting up, run the following commands. Note that the partition password passed with -p is visible in the shell history and in the process list while sautil runs, so clear it from the history afterwards:
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>
Or, you can reinstall SafeNet client.
Fix:
After the SafeNet Hardware Security Module (HSM) is restarted, users can now generate a new key.
582440 : Linux client does not restore route to the default GW on Ubuntu 15.10
Component: Access Policy Manager
Symptoms:
The default route may be deleted after a Network Access connection is closed on the Ubuntu 15.10 Linux distribution.
Conditions:
Ubuntu 15.10; a Network Access tunnel is connected and then disconnected.
Impact:
The user cannot reach the internet after disconnecting from Network Access.
Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging and re-plugging the cable should solve the problem.
582374 : Multiple 'Loading state for virtual server' messages in admd.log
Component: Anomaly Detection Services
Symptoms:
When a dosl7d profile is configured on a BIG-IP system that is in a device group and the BIG-IP system is set to Forced Offline in the Device Management settings, admd logs multiple messages to admd.log similar to the following: 47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server
Conditions:
- dosl7d profile attached to a virtual server
- BIG-IP is part of a DSC cluster
- a BIG-IP is forced offline in the cluster
Impact:
Excessive logging occurs to /var/log/adm/admd.log
Workaround:
None
Fix:
An issue with excessive logging to admd.log has been fixed.
582207 : MSS may exceed MTU when using HW syncookies
Component: Local Traffic Manager
Symptoms:
Packets larger than the interface's MTU can be transmitted.
Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.
Impact:
Potential packet loss.
Workaround:
Disable HW syncookie mode.
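To make the check concrete, the following is an added example (not F5 code, and not how TMM's syncookie path implements it) of the MSS clamp a SYN handler must apply: the peer's advertised MSS is read from the TCP options of a constructed SYN and capped at the egress MTU minus the IP and TCP header sizes, so that no full-sized segment can exceed the MTU. The header-size constants, the constructed SYN, and the 536-byte default for a SYN with no MSS option are assumptions for illustration.

```python
import struct

IPV4_HDR = 20       # minimal IPv4 header (assumption: no IP options)
IPV6_HDR = 40       # fixed IPv6 header
TCP_HDR = 20        # TCP header without options
DEFAULT_MSS = 536   # assumed default when the SYN carries no MSS option


def build_syn(mss):
    """Constructed 24-byte TCP SYN header: no data, a single MSS option (kind 2, length 4)."""
    data_offset_words = (TCP_HDR + 4) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        40000, 443,                     # source / destination port
                        1, 0,                           # sequence, acknowledgement
                        data_offset_words << 4, 0x02,   # data offset, flags = SYN
                        65535, 0, 0)                    # window, checksum (unfilled), urgent pointer
    return fixed + struct.pack("!BBH", 2, 4, mss)


def advertised_mss(tcp):
    """Walk the TCP options of a SYN and return the MSS value, or None if the option is absent."""
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < TCP_HDR or data_offset > len(tcp):
        raise ValueError("bad data offset")
    pos = TCP_HDR
    while pos < data_offset:
        kind = tcp[pos]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation: single byte, no length field
            pos += 1
            continue
        if pos + 1 >= data_offset:
            raise ValueError("truncated option")
        length = tcp[pos + 1]
        if length < 2 or pos + length > data_offset:
            raise ValueError("malformed option length")
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp[pos + 2:pos + 4])[0]
        pos += length
    return None


def effective_mss(tcp, mtu, ipv6=False):
    """MSS the SYN-ACK side should use: never more than what fits in the egress MTU with headers."""
    ceiling = mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR
    adv = advertised_mss(tcp)
    if adv is None:
        adv = DEFAULT_MSS
    return min(adv, ceiling)


if __name__ == "__main__":
    # A jumbo-frame host (MSS 8960) connecting through a 1500-byte interface.
    syn = build_syn(8960)
    print("advertised:", advertised_mss(syn), "effective:", effective_mss(syn, 1500))
```

The ceiling is computed from the interface the SYN-ACK will leave on, which is the value the entry's hardware path did not consult; a larger MTU on the same interface raises the ceiling rather than the clamp logic changing.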
582133 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
Component: Application Security Manager
Symptoms:
When the conditions of the "Track Site Change" settings are met, the staging flag on "*" entities is supposed to be turned ON in order to learn subsequent site changes without blocking traffic. However, this does not happen; the staging flag stays OFF.
Conditions:
Staging was set OFF on a "*" entity. After that, the conditions of the "Track Site Change" settings are met.
Impact:
When the protected web application has changed, ASM can block traffic that should not be blocked.
Workaround:
The staging flag can be changed manually via the GUI.
Fix:
The problem was a side effect of other code changes. The code now accounts for the "Track Site Change" conditions and changes the staging flag when needed.
582127 : VE OVA logrotate max-file-size too big for /var/log partition size
Component: TMOS
Symptoms:
Virtual Edition (VE) OVA logrotate max-file-size is too big for the /var/log partition size.
Conditions:
This occurs on 11.5.0 and later, where the partition size was reduced from 6 GB to 500 MB, to better manage disk space.
Impact:
The BIG-IP VE system runs out of disk space due to increased logging. In this instance, logrotate should run and potentially free up space by rotating and compressing the actively written logs. With the current setting for max-file-size, however, that cannot happen, thus leading to increased likelihood of running out of space in /var/log.
Workaround:
You can extend the disk space for logs by performing the following procedure. (From K14952: Extending disk space on BIG-IP Virtual Edition, available here: https://support.f5.com/csp/article/K14952#proc3.)
Impact of procedure: You need to shut down the BIG-IP VE system during the disk provisioning steps, and the system will not be available for traffic processing. You should perform this procedure during a suitable maintenance window. Increasing the disk size on the VE system is irreversible, since F5 does not support disk shrinking.
1. Log in to the command line on the BIG-IP VE system.
2. Shut down the system by typing the following command:
shutdown -h now
3. Provision the desired disk space for the VE system on the hypervisor. For information about disk provisioning on the hypervisor, refer to the documentation from your hypervisor vendor.
4. Start up the BIG-IP VE guest instance on your hypervisor. For information about starting a guest instance on the hypervisor, refer to the documentation from your hypervisor vendor.
5. When the BIG-IP VE system is up, log in to the command line on the VE system.
6. Extend the /var/log directory by using the following command syntax:
tmsh modify /sys disk directory /var/log new-size <desired value in KB>
--For example, you would type the following command to extend the /var/log directory to 10 GB:
tmsh modify /sys disk directory /var/log new-size 10485760
7. Save the configuration by typing the following command:
tmsh save /sys config
8. Reboot the VE system by typing the following command:
reboot
9. When the BIG-IP VE system is up, log in to the command line on the VE system.
10. Verify that the /var/log directory is successfully extended to the size you have specified in step 6 by typing the following command:
tmsh show /sys disk directory
Fix:
In this release, the default /var/log partition size has been adjusted to prevent the issue that occurred because the logrotate max-file-size was too big for VE.
582084 : BWC policy in device sync groups.
Component: TMOS
Symptoms:
When a BWC policy is created in the global sync group and also locally, the configuration displays an error.
Conditions:
If BWC policy is created both in global sync and local.
Impact:
Configuration error, BWC policies will not be synced due to errors.
Workaround:
Ensure that BWC policy is in global sync only.
Fix:
BWC policy is now configured for device group sync only in the global group and not local.
582029-3 : AVR might report incorrect statistics when used together with other modules.
Component: Application Visibility and Reporting
Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, it can lead to AVR getting false readings of the activity and as result report on unexpectedly large numbers.
Conditions:
The AVR module is used together with other modules, and these modules affect the traffic flow.
Impact:
AVR reports incorrect statistics: unexpectedly large numbers.
Workaround:
None.
Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.
581991 : Logging filter for remote loggers doesn't work correctly with more than one logging profile
Component: Application Security Manager
Symptoms:
A logging message arrives at a remote logger even though the remote logger's filter criteria do not match it.
Conditions:
More than one logging profile is attached to a virtual server, and the logging profiles have different filter conditions.
Impact:
Unrelated messages are presented at the remote logger.
Fix:
Fixed an issue with multiple remote logging with different filters.
581983 : Incorrect PMTU discovery causes unstable VPN tunnel on Linux and Mac
Component: Access Policy Manager
Symptoms:
In some cases, VPN connection will be unstable resulting in multiple disconnects and reconnects during the session.
Conditions:
MTU on local interface is configured lower than 1500
Impact:
VPN tunnel may disconnect and reconnect multiple times
581945 : Device-group "datasync-global-dg" becomes out-of-sync every hour
Component: TMOS
Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.
When this happens, the user can manually sync the device-group, but after about an hour the device-group becomes out-of-sync again.
Conditions:
1. This happens only in certain timezones, depending on the timezone configured on the BIG-IP. We have only seen this happening in the Europe/London timezone.
2. The problem will start happening about 3 days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.
Impact:
GUI/shell shows config-sync "possible change conflict" or "changes pending" in regards to the datasync-global-dg device-group.
Workaround:
None
Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.
581835 : Command failing: tmsh show ltm virtual vs_name detail.
Component: TMOS
Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:
01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.
Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.
Impact:
No information is displayed by the tmsh show command.
Workaround:
None.
Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.
581834 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.
Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin
Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above
Fix:
The Firefox plugin now supports all versions.
581824 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.
Component: Global Traffic Manager (DNS)
Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.
Conditions:
Viewing the GSLB Monitors tcp_half_open, gateway_icmp and bigip_link's properties page.
Impact:
You cannot view these monitors' properties.
Fix:
Fixed the "Instance not found" error.
581765 : Tooltip displayed in tray icon of Edge Client does not show text correctly in some cases
Component: Access Policy Manager
Symptoms:
In some languages (other than English), text displayed in tooltip created by Edge Client tray application is clipped.
Conditions:
Edge Client localized for Japanese language is used to establish VPN connection.
Impact:
Usability impact. Notifications are not visible completely.
Workaround:
View the notification by clicking the Details button in the Edge Client application and going to the Notification tab.
Fix:
Now tooltip displays localized text correctly.
581459 : F5_Invoke_replace() should accept more than 2 arguments
Component: Access Policy Manager
Symptoms:
A request from the web application is not rewritten.
Conditions:
The web application calls location.replace() with more than 2 arguments.
Impact:
The web application malfunctions.
Workaround:
A custom iRule can be used to work around the issue.
Fix:
F5_Invoke_replace() now accepts more than 2 arguments.
581406 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group
Component: Application Security Manager
Symptoms:
When:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)
Then upon loading the full sync in the peer an SQL error will appear during the load:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"
Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)
Impact:
Benign error which does not affect configuration or enforcement.
Workaround:
None
Fix:
SQL error no longer occurs on CMI Sync with Session Awareness
581315 : Selenium detection not blocked
Component: Application Security Manager
Symptoms:
When a Selenium WebDriver client is detected driving the Chrome browser, it is not blocked, because the PBD (Suspicious Browsers) mechanism assigns it a low score.
Conditions:
This occurs when ASM is provisioned with Proactive Bot Defense enabled.
Impact:
A bot running the Selenium Chrome WebDriver is not mitigated by the DoSL7 PBD mechanism.
Workaround:
N/A
Fix:
For desktop Google Chrome browsers only, the PBD JavaScript now checks whether a plugin named "Widevine Content Decryption Module" is present. If it is absent, the browser is considered to be running under Selenium and is blocked by PBD.
581299-2 : DNSRelay Proxy re-transmits DNS requests indefinitely every second if NA DNS servers do not respond
Component: Access Policy Manager
Symptoms:
The DNS Relay service sends a large number of DNS requests inside the Network Access tunnel if the DNS server is unreachable or unresponsive.
Conditions:
The DNS Relay Proxy service is installed on the user's machine.
One or more DNS servers are unreachable or unresponsive.
Impact:
Generates a large amount of DNS traffic from the user's machine, which may have an adverse impact on customer infrastructure.
Workaround:
Stop the DNS Relay Proxy service from the Service Control Manager.
Fix:
Excessive DNS queries are no longer sent from the Edge Client if the DNS server is unreachable.
581077 : Connection can’t be established when multiple clientssl profiles are attached if the default profile is disabled.
Component: Local Traffic Manager
Symptoms:
Connection can’t be established when multiple clientssl profiles are attached and the default clientssl profile Mode is set to disabled.
Conditions:
This can occur when configuring a virtual server to serve multiple HTTPS sites using the TLS SNI (see https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html), but you want the fallback to disable ssl processing if the client does not pass in a matching server name.
Impact:
Setting the default clientssl profile's Mode to disabled effectively disables all SNI processing that would be handled in the other clientssl profiles, which disables all SSL processing on the virtual server.
Workaround:
None.
Fix:
HTTPS virtual servers will now properly inspect the SNI in ClientHello and match against existing clientssl profiles if the fallback clientssl profile Mode is set to Disabled.
580893 : Support for Single FQDN usage with Citrix Storefront Integration mode
Component: Access Policy Manager
Symptoms:
Adding a new login account in Citrix Receiver enumerates the applications and desktops correctly. However, after logging off and trying to reconnect to the same account, the connection starts failing.
Conditions:
Citrix StoreFront integration mode with APM, using the same FQDN for accessing both StoreFront and the APM virtual server.
Impact:
Clients are unable to connect.
Workaround:
No workaround other than using different FQDNs.
Fix:
APM no longer modifies the beacon URLs when a single FQDN is used for both internal and external beacons.
580817 : Edge Client may crash after upgrade★
Component: Access Policy Manager
Symptoms:
The Edge Client may crash after upgrading from 11.4.1 through 12.0.0.
Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0
Impact:
Users are unable to use the Edge client
Fix:
Fixed a crash in the Edge client
580753 : eventd might core on transition to secondary.
Component: TMOS
Symptoms:
Upon transition to secondary, eventd shuts down its consumer list. During this shutdown, there may still be queued events yet to be processed. This leads to a race condition between processing the events and freeing the memory of the consumer.
Conditions:
This happens when eventd is being shutdown while processing events.
Impact:
Causes eventd segmentation fault and core dump
Workaround:
None.
Fix:
eventd no longer cores on transition to secondary when eventd is being shutdown while processing events.
580747 : libssh vulnerability CVE-2016-0739
Vulnerability Solution Article: K57255643
580726 : License state information from REST worker is out of sync with device
Component: Device Management
Symptoms:
The license information returned from the REST endpoint /mgmt/tm/shared/licensing/registration does not match the information returned from tmsh show sys license
Conditions:
1. Device has an expired license (for example, an expired Eval period)
2. That license is re-activated, so that inspecting the device manually shows it is no longer expired.
Impact:
The license state information returned from REST workers may be out of date with respect to the information on the device.
Workaround:
Restart REST services on the BIG-IP device by typing bigstart restart restjavad
580602 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
Component: TMOS
Symptoms:
As a result of a known issue a configuration containing LTM nodes with IPv6 link-local addresses may fail to load.
Conditions:
Attempt to load a configuration containing a LTM node with a IPv6 link-local address.
Impact:
Configuration fails to load.
Workaround:
Use IPv6 global addresses instead.
Fix:
The BIG-IP system now correctly loads a configuration containing an LTM node with an IPv6 link-local address.
580596-2 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
Vulnerability Solution Article: K14190 K39508724
580591 : HTTP monitor NTLM authentication requires domain to be uppercase
Component: Local Traffic Manager
Symptoms:
NTLMv2 authentication support in the bigd monitor only works reliably with Microsoft servers if the (NetBIOS) domain part of the ("Down-Level Logon Name" format, https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx#down_level_logon_name) username is either omitted or entered in uppercase (DOMAIN\user).
However, if it is entered in lowercase (domain\user), authentication fails.
Conditions:
Monitor using NTLM authentication with domain not uppercase.
Impact:
HTTP monitor marks member down.
Workaround:
Change domain in monitor user string to uppercase.
580567 : LDAP Query agent failed to resolve nested group membership
Component: Access Policy Manager
Symptoms:
Not all of a user's nested group memberships are resolved.
Conditions:
Several conditions need to be met:
1. The LDAP Query agent is configured to connect to a GC (Global Catalog) in an AD environment; AND
2. There are sub-domains in the AD environment; AND
3. A user who is a member of a group from one of the sub-domains logs in.
Impact:
User authentication might fail, or the user might not receive all assigned resources, due to missing nested group memberships.
Fix:
The LDAP Query agent now retrieves group membership from the server when talking to the Global Catalog.
580565 : Creating and immediately deleting an Access policy can cause APMD to crash
Component: Access Policy Manager
Symptoms:
If an Access Policy is created and deleted within a period of a few seconds, APMD can crash.
Conditions:
The new Access Policy must be deleted before APMD has finished creating the Access Policy.
Impact:
APMD restarts
580512 : Sometimes launching RemoteApps from APM webtop fails after logout/login
Component: Access Policy Manager
Symptoms:
Due to the RemoteApp session termination logic employed by Microsoft and described in https://blogs.msdn.microsoft.com/rds/2007/09/27/terminal-services-remoteapp-session-termination-logic/ , it may happen that, if user logs out and then logs back in to the APM webtop, the subsequent attempts to launch RemoteApps would fail.
This happens because of a bug in RDP client 8.1 that attempts to utilize the old authentication token although a new one is provided in the .rdp file.
Conditions:
User logs in to APM webtop, launches some RemoteApp, closes its window, logs out, logs in again and attempts to launch the same app or another app hosted at the same backend.
Impact:
Apps fail to launch, with no notification to the user.
Fix:
The RDP client now fails immediately when it attempts to use a wrong (expired) auth token. With this fix, a RemoteApp launch may fail at most once for a user, with an error shown immediately; subsequent launches succeed.
580500 : /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
Component: TMOS
Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6, so /var/log/sa6 is not rotated and its disk space is not reclaimed.
Conditions:
/var/log/sa6 becomes corrupt, or the disk space used by /var/log/sa6 fills up.
Impact:
Disk space is not reclaimed in /var/log/sa6.
Workaround:
Edit /etc/logrotate.d/sysstat and add "exit 0" after the sadf line.
Fix:
When /etc/logrotate.d/sysstat's sadf fails, the script exits cleanly so that logrotate reclaims disk space.
580429 : CTU does not show second Class ID for InstallerControll.dll
Component: Access Policy Manager
Symptoms:
The Client Troubleshooting Utility does not display the registered class ID of InstallerControll.dll.
Conditions:
Client troubleshooting utility is used to display all installed edge client components.
Impact:
No impact to end user or administrator. Impacts F5 support.
Workaround:
None.
Fix:
CTU now shows the class ID of InstallerControll.dll.
580421 : Edge Client may not register DLLs correctly
Component: Access Policy Manager
Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.
Conditions:
Client is using Internet Explorer
Impact:
Clients are unable to install the Edge client components
Fix:
Edge client components are now getting properly registered.
580403 : SNMP query shows stats for deleted access profiles
Component: Access Policy Manager
Symptoms:
After an access profile is deleted, running an SNMP query still returns the stats for the deleted access profile.
Conditions:
Deleting an existing access profile.
Impact:
You will continue to see those deleted access profile's SNMP stats.
Workaround:
Restarting apd/apmd will clear out the stats for the deleted access profiles.
580340 : OpenSSL vulnerability CVE-2016-2842
Vulnerability Solution Article: K52349521
580313 : OpenSSL vulnerability CVE-2016-0799
Vulnerability Solution Article: K22334603
580303 : When going from active to offline, tmm might send a GARP for a floating address.
Component: Local Traffic Manager
Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.
Conditions:
Using high availability, and switching a device from active to offline.
Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.
Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.
Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.
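The ordering problem is easiest to see by replaying frames into a model of an upstream neighbor's ARP cache. The following is an added example (not F5 code) that builds constructed gratuitous ARP frames, parses them, and applies them in wire order: with per-device MACs, a late GARP from the device going offline wins and leaves a stale entry; with a MAC masquerade address both devices announce the same MAC, so ordering no longer matters. A second helper flags any IP announced by more than one MAC, which is the signature a packet capture of this failure shows. The addresses are constructed, and the cache model assumes the neighbor accepts every gratuitous ARP it sees, which is the behaviour this entry relies on.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    opcode: int          # 1 = request, 2 = reply
    sender_mac: bytes
    sender_ip: str
    target_ip: str


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_garp(mac, ip):
    """Constructed gratuitous ARP reply: broadcast Ethernet frame with sender IP == target IP."""
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)    # Ethernet / IPv4, hlen 6, plen 4, reply
    arp += mac + _ip_bytes(ip) + mac + _ip_bytes(ip)    # sender and target are the announcer itself
    return eth + arp


def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP; raise on anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    sender_mac = frame[22:28]
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return Arp(op, sender_mac, sender_ip, target_ip)


def is_gratuitous(a):
    return a.sender_ip == a.target_ip


def replay(frames):
    """Model of an upstream neighbor that overwrites its cache on every gratuitous ARP, in wire order."""
    cache = {}
    for frame in frames:
        a = parse_arp(frame)
        if is_gratuitous(a):
            cache[a.sender_ip] = a.sender_mac
    return cache


def conflicting_garps(frames):
    """IPs announced by more than one distinct MAC in a capture: a flapping or poisoned floating address."""
    seen = {}
    for frame in frames:
        a = parse_arp(frame)
        if is_gratuitous(a):
            seen.setdefault(a.sender_ip, set()).add(a.sender_mac)
    return {ip for ip, macs in seen.items() if len(macs) > 1}


# Constructed addresses for the scenario in this entry.
FLOAT_IP = "10.0.0.10"
MAC_A = bytes.fromhex("005056000001")   # device moving active -> offline
MAC_B = bytes.fromhex("005056000002")   # device becoming active
MASQ = bytes.fromhex("02005e000001")    # MAC masquerade address shared by both devices


def failover_without_masquerade():
    """B announces first, then A's final GARP arrives late: the neighbor ends up pointing at the offline device."""
    frames = [build_garp(MAC_B, FLOAT_IP), build_garp(MAC_A, FLOAT_IP)]
    return replay(frames)[FLOAT_IP]


def failover_with_masquerade():
    """Both devices announce the masquerade MAC, so the late GARP changes nothing."""
    frames = [build_garp(MASQ, FLOAT_IP), build_garp(MASQ, FLOAT_IP)]
    return replay(frames)[FLOAT_IP]


if __name__ == "__main__":
    print("without masquerade:", failover_without_masquerade().hex(), "(stale, points at A)")
    print("with masquerade:   ", failover_with_masquerade().hex())
```

Run against a real capture of the failover VLAN, conflicting_garps returning the floating address is the quickest confirmation that the late GARP described above actually reached the neighbors.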
580168 : Information missing from ASM event logs after a switchboot and switchboot back
Component: Application Security Manager
Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back
Conditions:
ASM provisioned
event logs available with violation details
install/upgrade to another volume and switchboot to it
wait for ASM to fully come up
switchboot back
event logs are still available but violation details are gone
Impact:
Information missing from ASM event logs after a switchboot and switchboot back
Workaround:
N/A
Fix:
N/A
580059-2 : DNS Relay proxy component of edge client on windows consumes lot of CPU cycles
Component: Access Policy Manager
Symptoms:
In certain conditions, the DNS Relay Proxy component of the Edge Client enters a state in which it consumes most of the CPU cycles and starts filling up the log file very quickly with 'Unknown event signaled' messages.
Conditions:
DNS Relay proxy is installed on user's machine
Impact:
User's machine will become very slow and appear to be unresponsive.
Workaround:
Stop DNS Relay proxy service from service control manager.
Fix:
Fixed the DNS Relay Proxy so it no longer enters a state in which it consumes excessive CPU cycles.
580031 : Using OneConnect with forwarded flows might cause resets
Component: Local Traffic Manager
Symptoms:
Using OneConnect with forwarded flows might cause resets. The first connection attempt from the client works properly and sets up the OneConnect flow pool on one tmm, and a forwarding flow on another tmm. Then, when the client attempts a second connection, the system tries to reuse the forwarding flow, which returns failure and resets the connection.
The system might report a reset cause such as 'Unable to obtain local port' or 'Out of ports', or in some versions, there might not be a specific reset cause reported.
Conditions:
Using OneConnect and forwarding flows. The system uses forwarding flows when source-port preserve-strict is configured, when a virtual server is configured for 'cmp-enabled no', and in certain other circumstances.
For example, this issue can be seen on 2000- and 4000-series platforms, when 'source-port preserve strict' is used with OneConnect.
Impact:
Client connections are reset.
Workaround:
Do not use preserve-strict and OneConnect together.
580026 : HSM logging error
Component: Local Traffic Manager
Symptoms:
In some cases HSM logging does not function as designed.
Conditions:
Installing SafeNet HSM to BIG-IP chassis.
Impact:
Inaccurate HSM logs
Fix:
HSM logging has been improved.
579975 : OpenSSL vulnerability
Vulnerability Solution Article: K79215841
579955 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
Vulnerability Solution Article: K01587042
579926 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode
Component: Local Traffic Manager
Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.
Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.
Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.
Workaround:
No workaround.
579917 : User-defined signature set cannot be created/updated with Signature Type = "All"
Component: Application Security Manager
Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.
Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).
Impact:
A custom signature set cannot be created with both Request and Response signatures.
Workaround:
No workaround, but can be mitigated by creating two signature sets, or using manual sets.
Fix:
Signature Type can now successfully be set to "All" Signatures
579843 : tmrouted may not re-announce routes after a specific succession of failover states
Component: TMOS
Symptoms:
tmrouted does not re-announce RHI routes after a specific succession of failover states within an HA pair that uses dynamic routing.
Conditions:
- Active/Standby HA pair set up
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
- Active unit has the following succession of failover states:
Active->Offline->Online->Standby->Active
Impact:
tmrouted may not announce the virtual addresses when the unit returns to the Active state after the succession of states listed above.
Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.
Fix:
tmrouted now re-announces RHI routes after this succession of failover states within an HA pair that uses dynamic routing.
579829 : OpenSSL vulnerability CVE-2016-0702
Vulnerability Solution Article: K79215841
579820 : Edge Client creates duplicate server list if cp has no alias
Component: Access Policy Manager
Symptoms:
If you don't specify an alias for a cp on the virtual server, a duplicate virtual server will appear in the server selection list
Conditions:
This occurs when copying virtual servers and an alias is not specified.
Impact:
Duplicate entry will appear in the server selection list
Workaround:
Supply an alias in the server list on the configuration page
Fix:
Configured server will automatically apply the host name as the alias and will not be duplicated in the server list
579565 : FIPS (ngfips) card-sync fails due to its lacking ability to properly handle "\" in the SO (security officer) password.
Component: TMOS
Symptoms:
When setting up the SO (security officer) password using "tmsh run util fips-util -f init", the command accepts a password containing "\" without reporting a problem. However, card-sync subsequently fails because it cannot log on to the FIPS card with that password.
Conditions:
FIPS card with a security officer password that contains "\".
Impact:
A password containing '\' causes the card-sync process to fail in a FIPS HA setup.
Workaround:
Reset the password using the command "tmsh run util fips-util -f init" and avoid the special character '\'.
Fix:
fips (ngfips) now handles "\" in the SO (security officer) password correctly, so card-sync no longer fails because of it.
579559 : DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration
Component: Access Policy Manager
Symptoms:
Network Access always falls back to a TLS connection, even if DTLS is configured, when connecting to some hardware platforms.
Conditions:
Network Access is configured to use DTLS.
A hardware BIG-IP system with Nitrox DTLS acceleration is used.
Impact:
The Network Access connection always falls back to a TLS connection.
Workaround:
N/A
Fix:
Previously, Network Access always fell back to a TLS connection, even if DTLS was configured, when connecting to some hardware platforms. Network Access no longer falls back to TLS.
579529-1 : Stats file descriptors kept open in spawned child processes
Component: TMOS
Symptoms:
No known user visible impact.
Conditions:
This occurs in all multi-blade platforms where clusterd is running.
Impact:
No known user visible impact.
Workaround:
None.
Fix:
Stats file descriptors are now opened so that they are closed automatically when a child process is spawned.
579495 : Error when loading Upgrade UCS★
Component: Application Security Manager
Symptoms:
When loading an older version UCS file while ASM is live an error may occur when processing the new configuration. You will see the following error in the asm log:
Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES
Conditions:
Loading an older version UCS on a live system.
Impact:
Enforcement of Allowed Methods may be incorrect
Workaround:
Restart ASM
Fix:
Configuration is correctly processed when loading a UCS file for upgrade on a live device.
579371 : BIG-IP may generate ARPs after transition to standby
Component: Local Traffic Manager
Symptoms:
tmm generates unexpected ARPs after entering standby.
Conditions:
HA pair with a vlangroup that has bridge-in-standby disabled.
An ARP is received just before the transition to standby.
Impact:
Unexpected ARP requests that may result in packet loops.
Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.
579237 : OpenSSL Vulnerability CVE-2016-0705
Vulnerability Solution Article: K93122894
579227 : GUI does not display the field for entering port number for pool members in 'use pool' mode for CRLDP AAA server configuration screen
Component: Access Policy Manager
Symptoms:
The field for entering the port number is not shown initially, at the time of creation, when you select the "use pool" option.
However, if you switch to direct mode and then come back to use pool mode, you will be able to enter the port.
Conditions:
If you cannot enter the port for the pool member and save the AAA CRLDP server, the port number for that pool member is saved as 0 (*), meaning any port.
Impact:
Inconsistent UI behavior.
Workaround:
Switch to direct mode and then switch back to use pool mode. This will continue to display the port number field.
579220 : Mozilla NSS vulnerability CVE-2016-1950
Vulnerability Solution Article: K91100352
579098 : OpenSSL vulnerability CVE-2016-0797
Vulnerability Solution Article: K40524634
579085 : OpenSSL vulnerability CVE-2016-0797
Vulnerability Solution Article: K40524634
579047-2 : Unable to update the default http-explicit profile using the GUI.
Component: TMOS
Symptoms:
Trying to update default Local Traffic :: Profiles : Services : HTTP :: http-explicit profile, the system posts the following error: 'Some fields below contain errors. Correct them before continuing.' Under the 'Explicit Proxy' section for 'DNS Resolver' option, the system posts the following error: '010717e8:3: Invalid 'dns-resolver' value for profile /Common/http-explicit. The dns-resolver does not exist.'
Conditions:
Updating default http-explicit profile using the GUI.
Impact:
Error messages. Unable to update the default http-explicit profile using the GUI.
Workaround:
Use tmsh to update the default http-explicit profile.
Fix:
You can now update the default http-explicit profile without error using the GUI.
578987 : Whitelisted IPs of non-default DoS profile are ignored
Component: Advanced Firewall Manager
Symptoms:
Only IP addresses included in the default DoS profile whitelist are treated as whitelisted. Transactions associated with a non-default DoS profile are put through DoS checks, even when their IP addresses are included in the non-default DoS profile's whitelist.
Conditions:
When configuring a DoS profile that is not used as the default profile, but rather is dynamically attached to certain transactions (via iRule or CPM), the IP addresses included in this DoS profile's whitelist are ignored and the IP addresses included in the default DoS profile's whitelist are implemented as whitelisted.
Impact:
IP addresses configured to be blocked or allowed may be processed differently than expected.
Workaround:
None.
Fix:
When a transaction is dynamically attached to a non-default DoS profile, the IP addresses defined in the selected profile's whitelist are correctly allowed or blocked, as expected.
578971 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
Component: Local Traffic Manager
Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:
"Slot 1 suffered heartbeat timeout ..."
This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.
Conditions:
Mcpd is restarted on a blade.
Impact:
Though all blades recover on their own, the cluster members being marked failed may result in a failover.
Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.
Fix:
The clusterd daemon has been fixed to no longer become blocked when mcpd is restarted. This prevents the cluster member heartbeat timeouts from occurring, and thus no cluster members will be marked failed.
578951 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
Component: Local Traffic Manager
Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.
Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.
Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.
Fix:
Decrement the pre-established connections counter when a TCP Fast Open connection times out during the initial handshake.
578848 : APM Webtop displays an "Applications and Links" count that is off by 1
Component: Access Policy Manager
Symptoms:
When the "Applications and Links" section is collapsed on the APM Webtop, the total number of items shown next to the section name is off by 1.
Conditions:
The "Applications and Links" section on the APM Webtop is collapsed.
Impact:
The "Applications and Links" count is off by 1.
Workaround:
N/A
Fix:
The correct "Applications and Links" count is now shown on the APM Webtop.
578843 : GUI strips out 0.0.0.0 masks from the SNMP Client Allow Lists.
Component: TMOS
Symptoms:
The GUI strips out 0.0.0.0 masks from the SNMP Client Allow List.
Conditions:
Using the GUI to specify an SNMP Client Allow List containing 0.0.0.0 masks.
Impact:
The GUI strips the 0.0.0.0 masks.
Workaround:
Use tmsh to modify the SNMP access settings if using 0.0.0.0 netmasks.
Fix:
GUI no longer strips out 0.0.0.0 masks from the SNMP Client Allow Lists.
578573 : SSL Forward Proxy Forged Certificate Signature Algorithm
Component: Local Traffic Manager
Symptoms:
In SSL Forward Proxy, the signature algorithm used by the CA certificate configured on the client SSL profile can change the signature algorithm used by the server certificate.
For example, if the server certificate uses SHA1 but the CA certificate configured in client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in client SSL uses SHA1, the forged certificate will use SHA1.
Both scenarios are a problem for customers.
Conditions:
The signature algorithm of the CA certificate configured in the client SSL profile differs from the signature algorithm of the server certificate.
Impact:
The signature algorithm of the forged certificate may differ from the signature algorithm of the server certificate.
Workaround:
Configure the CA certificate in the client SSL profile so that its signature algorithm matches that of the server certificate.
578570 : OpenSSL Vulnerability CVE-2016-0705
Vulnerability Solution Article: K93122894
578564 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
Component: Service Provider
Symptoms:
The connection is aborted with an RST and the message "ADAPT unexpected state transition (old_state 22 event 7)".
Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.
Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.
Fix:
HTTP::respond now works as expected, even on an HTTP response returned by an ICAP server after request adaptation.
578551 : bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
Component: TMOS
Symptoms:
"network 0.0.0.0/0 route-map Default" is missing from the BGP configuration after a restart/reboot.
Conditions:
"network 0.0.0.0/0 route-map Default" is configured in BGP.
Impact:
BGP does not have the same configuration after a restart/reboot. Persistence of the BGP configuration is not maintained, leading to unexpected BGP behavior.
Fix:
The persistence of "network 0.0.0.0/0 route-map Default" in the BGP configuration is now maintained after a restart/reboot.
578455 : Priority group value of the AAA server pool members changed on change of monitor
Component: Access Policy Manager
Symptoms:
If you change or add a monitor to an AAA server priority group, the pool member priority may be changed.
Conditions:
This occurs when changing the monitor or adding a new pool member.
Impact:
The priority order of pool members is changed.
Workaround:
Use tmsh to update the priority and reset the value.
Fix:
The priority order of pool members is now preserved when a monitor is changed or pool members are added.
578413 : Missing reference to customization-group from connectivity profile if created via portal access wizard
Component: Access Policy Manager
Symptoms:
An extra customization group is created for connectivity profile when the profile is created via portal access wizard and the configuration is reloaded.
Conditions:
Use the portal access wizard to create configuration objects.
Impact:
There is no functional impact, since the customization group is not actually used for the connectivity profile.
Workaround:
Create the configuration objects manually rather than via the wizard.
Fix:
The connectivity profile now references the customization group when the profile is created by the wizard.
578399 : Adding an option for negative validation of occurrence of a string in the header
Component: Application Security Manager
Symptoms:
ASM does not have an option to filter a login attempt by negative validation of the occurrence of a header, which is needed for logins that issue a redirect.
Conditions:
This occurs for all login attempts where the login results in a redirect.
Impact:
It is not possible to filter redirect login pages.
Workaround:
N/A
Fix:
ASM can now detect successful and failed logins when the result of the login is a redirect.
578045 : The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks
Component: Local Traffic Manager
Symptoms:
TMM crashes while resuming from an HTTP_PROXY_REQUEST event.
Conditions:
An HTTP_PROXY_REQUEST iRule event parks, and pipelined ingress occurs while it is parked.
Impact:
Traffic is disrupted while tmm restarts.
Workaround:
Do not use parking iRule commands within the HTTP_PROXY_REQUEST event.
If a parking command must be used, the following may work:
Use TCP::collect to disable ingress while a potentially parking iRule command executes. TCP::release can be used after the command completes to restore normal behavior.
Another workaround is to set max-requests to 1 (which disables pipelining).
577939 : DNS suffixes on user's machine may not be restored correctly in some cases
Component: Access Policy Manager
Symptoms:
DNS suffixes on the user's machine may not be restored correctly if the user reboots the machine without disconnecting the VPN.
This may result in incorrect or failed DNS resolution.
Conditions:
1) The DNS relay proxy component is installed on the user's machine.
2) The user reboots the machine without disconnecting the VPN first.
Impact:
DNS suffixes are not restored correctly, which may lead to incorrect or failed DNS resolution.
Workaround:
Disconnect the VPN before rebooting the machine.
Fix:
DNS Suffixes are now restored properly.
577906 : Safari 9 and Safari 10 don't use autoconfig script from NA on OSX 10.11 and 10.12 if pac file is downloaded via tunnel
Component: Access Policy Manager
Symptoms:
Safari 9 and Safari 10 do not use the autoconfig script from NA on OSX 10.11 and 10.12 if the PAC file is downloaded via the tunnel.
Conditions:
Safari 9 or 10 on the El Capitan and Yosemite releases of macOS. A proxy.pac file is configured on NA on the BIG-IP. The proxy.pac file location is behind the corporate network.
Impact:
The proxy.pac file is not applied when it is located behind the corporate network. This may cause issues with accessing some internal websites.
577863 : DHCP relay stops forwarding server DHCPOFFER and DHCPACK messages after some time
Component: Policy Enforcement Manager
Symptoms:
If the routing table on the DHCP server is misconfigured so that the DHCP server knows how to send packets to the BIG-IP self IP (used by the BIG-IP DHCP relay) but does not know how to send packets to the DHCP clients, the DHCP client does not receive a DHCP reply to its unicast request and starts to broadcast DHCP renewals. After a while, the BIG-IP stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients altogether.
Conditions:
The DHCP server's unicast reply to the client is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP as the source IP).
Impact:
The BIG-IP stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.
Workaround:
Fix the DHCP server routing table so that the DHCP server can deliver DHCP reply packets back to the client successfully.
577846-1 : NPN configuration options are obsolete
Component: Local Traffic Manager
Symptoms:
Next Protocol Negotiation (NPN) support is obsolete and will be removed from a future software version.
Conditions:
HTTP/2 configuration currently allows selection of NPN, ALPN or both.
Impact:
HTTP/2 will only use ALPN, irrespective of the configuration referencing NPN.
Workaround:
Configure applicable profiles to use ALPN.
577697-1 : WebSafe features do not support Non-UTF8 encodings.
Component: Fraud Protection Services
Symptoms:
Encrypted ISO-8859-2 data is sent to the application server in UTF-8 encoded form instead of ISO-8859-2 encoding.
Conditions:
The web page uses a non-UTF-8 encoding.
Impact:
Application server receives data in an unexpected encoding.
Workaround:
None
Fix:
Added support for ISO-8859-2 encoding.
577495 : APM Sandbox configuration is missing if a partition was created before APM was provisioned
Component: Access Policy Manager
Symptoms:
Partition configuration is missing APM default Sandbox configuration objects if the partition was created before APM was provisioned.
This may cause certain issues when APM Sandbox-related configuration is necessary in the new partition.
Conditions:
APM is not provisioned when the partition is created, and the partition is created using "tmsh create auth partition partition_name".
Impact:
APM Sandbox-related features may not work after APM is later provisioned.
Workaround:
Use the following command to create a partition:
tmsh create sys folder /partition_name
576883 : BIG-IP vulnerable to CVE-2016-0706
Vulnerability Solution Article: K30971148
576881 : BIG-IP vulnerable to CVE-2015-5345
Vulnerability Solution Article: K30971148
576878 : BIG-IP vulnerable to CVE-2015-5174
Vulnerability Solution Article: K30971148
576752 : Licensing Warning displays when CGNAT is licensed and LTM is provisioned
Component: Carrier-Grade NAT
Symptoms:
The CGNAT license allows the use of many features under the LTM UI tab. But in order to enable the LTM GUI tab, LTM must be provisioned. This causes a licensing warning to appear in the upper left corner of the GUI and on the command line.
Conditions:
-- CGNAT stand-alone license.
-- LTM is provisioned.
Impact:
A Licensing Warning displays. Users cannot confirm whether or not the features are licensed.
Workaround:
None. This is cosmetic only and has no effect on system operation.
Fix:
A Licensing Warning no longer displays when CGNAT is licensed and LTM is provisioned, which is correct functionality.
576748 : Default Session Summary reports are not present for new users with report access.
Component: Access Policy Manager
Symptoms:
Default Session Summary reports are not present for new users with report access.
Conditions:
Before you set the default report, the Default Session Summary report does not appear when you visit the APM reports.
Impact:
Cannot see the session summary.
Workaround:
Run the Session Summary Report, and manually set it as the Default Report.
Fix:
The Default Session Summary report now shows when accessing the APM reports.
576619 : Online help in the GUI is missing details in the description of the "Bad multipart parameters parsing" HTTP validation
Component: Application Security Manager
Symptoms:
Online help in the GUI is missing details in the description of the "Bad multipart parameters parsing" HTTP validation.
Conditions:
This is seen in the online help for Security :: Application Security : Blocking : Settings, where the description of "Bad multipart parameters parsing" is missing details.
Impact:
This makes it difficult to properly configure this setting.
Workaround:
N/A
Fix:
Updated the online help in the GUI for the "Bad multipart parameters parsing" sub-violation in the HTTP protocol compliance failed Violations list.
576591 : Support for some future credit card number ranges
Component: Application Security Manager
Symptoms:
ASM does not block or mask when a credit card number from a specific range (planned for future issuance) appears in the response.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in one of these specific ranges.
Impact:
The traffic passes unmasked or unblocked to the end client.
Workaround:
A custom pattern is possible for these cases, but it must be adjusted for each customer specifically.
576521 : If you have MSSQL proxy feature configured, you will lose it upon upgrading to v12.1.0 or later.★
Component: Local Traffic Manager
Symptoms:
The MSSQL proxy has been removed from the BIG-IP product.
Conditions:
This occurs on upgrade to 12.1.0 or higher if you had the MSSQL proxy configured.
Impact:
The MSSQL proxy is no longer supported.
Behavior Change:
If you have the MSSQL proxy feature configured, you will lose it upon upgrading to v13.0 or later.
576311 : HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present
Component: Local Traffic Manager
Symptoms:
A configuration error is encountered when creating or modifying a virtual server that has an HTTP profile with HTTP Strict Transport Security (HSTS) enabled but no "clientssl" (or derived) profile attached.
Conditions:
Creating or modifying a virtual server with an HTTP profile that has HTTP Strict Transport Security (HSTS) enabled, when no clientssl or derived profile is attached to the virtual server.
Impact:
An error occurs while configuring a virtual server that has an HTTP profile with HTTP Strict Transport Security (HSTS) enabled but no "clientssl" (or derived) profile attached.
Workaround:
Add a "clientssl" (or derived) profile to the virtual server that has the HTTP profile with HTTP Strict Transport Security (HSTS) enabled.
Fix:
The system now validates that a virtual server with an HTTP profile and HTTP Strict Transport Security (HSTS) enabled has a 'clientssl' (or derived) profile attached.
576305 : Potential MCPd leak in IPSEC SPD stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IPSEC SPD stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.
576069 : Rewrite can crash in some rare corner cases
Component: Access Policy Manager
Symptoms:
Rewrite can crash in some rare corner cases when specific erroneous elements are present in HTML content.
Conditions:
Any of the following strings:
<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />
triggers a guaranteed rewrite crash.
Impact:
Web application malfunction.
Workaround:
Use an iRule to correct the improper HTML tag, or fix it directly in the content.
Fix:
Fixed.
575919-1 : Running concurrent TMSH instances can result in an error accessing the history file
Component: TMOS
Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.
Conditions:
Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error.
Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.
Workaround:
Only run a single instance of TMSH.
Fix:
Running concurrent TMSH instances no longer results in an error accessing the history file.
575735-4 : Potential MCPd leak in global CPU info stats code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying global CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying global CPU information stats.
575708-4 : MCPd might leak memory in CPU info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in CPU info stats.
Conditions:
In some cases, querying CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying CPU information stats.
575671-4 : MCPd might leak memory in host info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in host info stats.
Conditions:
In some cases, querying host information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying host information stats.
575649-4 : MCPd might leak memory in IPFIX destination stats query
Component: TMOS
Symptoms:
MCPd might leak memory in IPFIX destination stats query.
Conditions:
In some cases, querying IPFIX destination stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.
575629-1 : NTP vulnerability: CVE-2015-8139
Vulnerability Solution Article: K00329831
575619-4 : Potential MCPd leak in pool member stats query code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying pool member stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying pool member stats.
575608-4 : MCPd might leak memory in virtual server stats query.
Component: TMOS
Symptoms:
MCPd might leak memory in virtual server stats query.
Conditions:
In some cases, querying virtual server stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying virtual server stats.
575591 : Potential MCPd leak in IKE message stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE message stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE message stats.
575589 : Potential MCPd leak in IKE event stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE event stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE event stats.
575587 : Potential MCPd leak in BWC policy class stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying BWC policy stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.
575444 : Wininfo agent incorrectly reports OS version on Windows 10 in some cases
Component: Access Policy Manager
Symptoms:
If the Custom Dialer client is used to establish the VPN, the Wininfo agent incorrectly reports the OS as Win8 on Microsoft Windows 10.
This could result in VPN establishment failure.
Conditions:
The Custom Dialer client is used on Windows 10.
The access policy uses the Wininfo agent.
Impact:
VPN cannot be established.
Workaround:
None.
Fix:
The Wininfo agent now correctly reports the OS version when running the Custom Dialer client on Microsoft Windows 10.
575347 : Unexpected backslashes remain in monitor 'username' attribute after upgrade
Component: Local Traffic Manager
Symptoms:
The monitor 'username' attribute contains unexpected backslashes.
Conditions:
Upgrading from an earlier version with a configuration that contains a monitor 'username' attribute with at least one escaped backslash ('\\').
Impact:
Monitor probes contain excess backslashes which can lead to monitor failures.
Workaround:
Un-escape backslashes after upgrade by transforming '\\' sequences to '\'.
Fix:
Removed excess backslashes from monitor 'username' attribute during upgrade process.
575298 : No violation details for illegal metachar violation when shift-jis is the web app language
Component: Application Security Manager
Symptoms:
No violation details in the GUI for the illegal metachar violation.
Conditions:
1. Web app language is shift-jis.
2. An illegal metachar violation occurs (for example, %3b, the semicolon ';', is illegal in the shift-jis encoding).
Impact:
There are no details to indicate which metachar caused the violation.
Workaround:
None.
Fix:
There are now violation details in the GUI for the illegal metachar violation.
575292 : DNS Relay proxy service does not respond to SCM commands in a timely manner
Component: Access Policy Manager
Symptoms:
The DNS relay proxy service may appear unresponsive when stopped or started through the Service Control Manager, and the user may see a system dialog box saying "Service did not respond in a timely manner".
Conditions:
The DNS relay services component of the Edge Client is installed on the user's machine.
Impact:
Usability: the user may think that the service has failed.
Workaround:
Wait for the service to report its proper status.
Fix:
The service now reports the correct status to the Service Control Manager immediately.
575176 : SYN cookie cache statistics on ePVA-enabled devices are incremented by UDP traffic
Component: TMOS
Symptoms:
In some scenarios, UDP traffic can cause SYN cookie statistics to be incremented.
Conditions:
A virtual server with a fastL4 profile with ePVA offload enabled.
The virtual server handles UDP traffic.
Impact:
Statistics might be incorrectly incremented, which can lead to early SYN cookie activation if TCP is handled on the same virtual server.
Fix:
The BIG-IP system no longer increments SYN cookie cache statistics on ePVA-enabled devices for UDP traffic.
575170 : Analytics reports may not identify virtual servers correctly
Component: Application Visibility and Reporting
Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.
Conditions:
This occurs for virtual servers that are configured in one of these ways:
1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.
2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).
Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.
Workaround:
None.
Fix:
The virtual server is now identified correctly, and the activity reported in the charts is attributed to the right virtual server.
575133 : asm_config_server_rpc_handler_async.pl SIGSEGV and core
Component: Application Security Manager
Symptoms:
asm_config_server_rpc_handler_async.pl receives SIGSEGV and produces a core file.
Conditions:
Importing an ASM XML security policy.
Impact:
asm_config_server_rpc_handler_async.pl receives SIGSEGV and produces a core file. This occurs after the policy import completes.
Workaround:
N/A
Fix:
asm_config_server_rpc_handler_async.pl no longer crashes when importing an ASM XML security policy.
575066 : Management DHCP settings do not take effect
Component: TMOS
Symptoms:
Modifications to /sys management-dhcp do not take effect.
Conditions:
Custom management-dhcp settings configured.
Impact:
DHCP for management interface does not function correctly.
575027-4 : Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
Component: TMOS
Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. The cmp-hash setting of the tagged VLAN is changed.
Impact:
Throughput is lower than expected. Packets are not hashed using the hash set in the configuration. (This can be verified by looking at 'tmm/flow_redir_stat'.)
Workaround:
Use untagged VLANs and hypervisor-side tagging.
Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.
575011 : Fix memory leak.
Component: Local Traffic Manager
Symptoms:
The system exhausts available memory due to a compression memory leak. Prior to running out of memory, it repeatedly logs "Nitrox3 Hang Detected".
Conditions:
The compression device is unavailable during creation of a new context.
Impact:
The system can run out of memory.
Workaround:
Disable hardware compression using tmsh:
% tmsh modify sys db compression.strategy softwareonly
Fix:
Repaired the memory leak.
574880 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
Component: Local Traffic Manager
Symptoms:
When a connection rate limit is set on a fastL4 virtual server, client connections hang with high probability.
Conditions:
A Connection Rate Limit is set on a fastL4 virtual server.
Impact:
Client connections hang with high probability.
Workaround:
Do rate limiting using iSession.
Fix:
Fixed Connection Rate Limiting on fastL4 virtual servers.
574664 : 'ACCESS::session exists' returns TCL error if there is no APM session associated with connflow
Component: Access Policy Manager
Symptoms:
'ACCESS::session exists' returns a TCL error if there is no APM session associated with the connflow.
Conditions:
There is no APM session associated with the connflow.
Impact:
Uncaught TCL errors result in connection termination and an RST being sent to the client or backend.
Functionality that uses iRules with 'ACCESS::session exists' may be impacted.
Workaround:
Internal F5 iRules have no workaround.
Customer iRules can be modified to run 'ACCESS::session exists' inside catch {}. This avoids the connection termination / RST.
Fix:
'ACCESS::session exists' now returns false instead of a TCL error when there is no APM session associated with the connflow.
574578 : Failed to load configuration when the cache_cleanup property is defined for an AAA AD/LDAP server
Component: Access Policy Manager
Symptoms:
A failure happens when loading the configuration and creating an AAA AD/LDAP server.
The configuration cannot be loaded until the AAA AD/LDAP server is modified.
The problem is indicated by the error log message:
"Cannot cleanup cache while creating AAA AD Server"
The same issue happens during creation of an AAA AD/LDAP server if the cache-cleanup option is defined (not 0).
Conditions:
The cache_cleanup property of an AAA AD/LDAP server is supposed to be set to '0' at all times, except when a cache cleanup is requested.
If, for any reason, the property is not set to '0' when the system starts up, the system tries to clean up non-existent caches and fails to load the configuration.
Impact:
Unable to start the system
Workaround:
Using tmsh, modify the AAA AD/LDAP Server object and set the cache-cleanup property to '0'.
When creating an AAA AD/LDAP server, never set the cache-cleanup property.
Fix:
When creating an AAA AD/LDAP Server object with the cache-cleanup property specified (other than none), the property is not applied, as there is no cache yet.
When modifying an AAA AD/LDAP Server object with the cache-cleanup property specified along with any other setting, the cache-cleanup property is not applied, but the other settings are modified as requested.
An error log message is generated stating that the cache was not cleaned this time.
574435 : BIG-IP as a SAML Service Provider may fail to resolve Artifact for Assertion when route domains are configured
Component: Access Policy Manager
Symptoms:
BIG-IP as a SAML Service Provider fails to resolve Artifact for Assertion when using a default route domain other than 0 in administrative partitions other than "Common".
Conditions:
- SAML Service Provider objects 'apm aaa saml' and 'apm aaa saml-idp-connector' are created in an administrative partition other than 'Common'
- Default route domain other than 0 is used for a partition where objects are created.
- BIG-IP used as a SAML Service Provider and is configured to use Artifact binding.
Impact:
BIG-IP can fail to resolve the Artifact for an Assertion, which subsequently causes SAML SSO to fail.
Workaround:
Configure SAML Service Provider to use HTTP-POST binding instead of Artifact binding.
Fix:
BIG-IP as SAML Service Provider will use default route domain from administrative partition "Common" to resolve Artifact for Assertion.
574264 : Hundreds of images are taking hours to import
Component: Access Policy Manager
Symptoms:
If an access policy is linked to hundreds of images, import might take hours. Import is possible only from the shell, because the GUI times out.
Conditions:
Always with hundreds of images
Impact:
Unable to import images using the GUI. Only shell import is possible.
574214 : Content Based Routing daemon (cbrd) logging control
Component: Application Security Manager
Symptoms:
The cbrd logger might not produce enough useful output for troubleshooting purposes, and debug logging is not available.
Conditions:
Using an XML profile and wanting to see the XPath output written to a log file.
Impact:
Unable to see the XPath information.
Fix:
It is now possible to enable xpath logging by adding these lines to /etc/cbr/logger.cfg:
MODULE=CBR_PLUGIN;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;
Then:
bigstart restart cbrd
574116 : MCP may crash when syncing configuration between device groups
Component: TMOS
Symptoms:
mcpd on the sync target crashes when syncing configuration.
Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.
Impact:
Outage due to mcp crash which causes tmm to restart.
Workaround:
When you have devices with local-only resources that reference objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use" error, mcpd on the target machine will crash.
Fix:
Verify existence of rule objects when validating configuration.
574079 : Network access webtop does not prompt the user if user closes browser window
Component: Access Policy Manager
Symptoms:
On Microsoft Windows, if the VPN is launched from a network access webtop and the user closes the browser window, the VPN is killed immediately without warning the user that the VPN will be closed.
Conditions:
User launches VPN from browser on Windows.
Network access webtop is configured on APM.
Impact:
VPN session is closed without warning.
Workaround:
Do not use network access webtop. Use full webtop.
Fix:
Network access webtop now provides a prompt, if the user closes the browser window when VPN is launched from a network access webtop.
574060 : glibc: getaddrinfo stack-based buffer overflow
Vulnerability Solution Article: K47098834
574055-1 : TMM crash after changing racoon log level
Component: TMOS
Symptoms:
TMM crashes after changing the racoon log level to debug2.
Conditions:
Debug level is set to debug2 while tmm is passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set the debug level to INFO.
Fix:
A tmm crash related to changing the debug level while passing traffic has been fixed.
574052 : GTM autoconf can cause high CPU usage for gtmd
Component: Global Traffic Manager
Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) in large configurations of LTM virtual servers whose names contain a "." (dot).
Conditions:
In large configurations, LTM virtual servers whose names contain a "." have the name converted ("." is replaced by "_") and the converted LTM VS name is saved to the config.
This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of virtual servers to find a match.
The problem is driven by the number of virtual servers per GTM server object (10k VSes spread over 10k servers is less of an issue than 10k VSes on one GTM server).
Impact:
CPU usage is high, which may impact monitoring and LB decisions.
Workaround:
There are several mitigations, listed with the preferable ones (for performance and stability) first.
1. Rename the virtual servers on the LTM to remove the ".". This requires deleting the GTM configuration, rediscovering it, and recreating pools.
2. Turn off autoconf. Run autoconf once to populate the config, then turn it off.
3. Reduce the frequency of autoconf. It will still cause high CPU usage, but less frequently.
Versions 12.0.0 and higher do not convert the "." to "_", so the problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration is necessary.
Fix:
Change algorithm used to match LTM VS names to GTM VS to reduce linear walk of all VSes on a server.
574020 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')
Component: Local Traffic Manager
Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').
Conditions:
This issue occurs when the following conditions are met:
-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').
Impact:
The script fails to work properly and does not install/configure the HSMs, requiring manual intervention. Performing the operation manually is complex, because the user must account for both tmsh and shell quoting, which not every user environment handles cleanly.
Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).
Fix:
Safenet HSM installation script install now completes successfully if partition password contains special metacharacters (!#{}').
Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.
573778 : QEMU vulnerability CVE-2016-1714
Vulnerability Solution Article: K75248350
573643 : flash.utils.Proxy functionality is not negotiated
Component: Access Policy Manager
Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.
Conditions:
Presence of flash.utils.Proxy descendants.
Impact:
Customer application malfunction.
Workaround:
None.
573611 : Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
Component: Access Policy Manager
Symptoms:
When a user session times out, then subsequently attempts access using the expired session ID, APM may log a log message at "err" level similar to this:
Aug 15 14:54:25 bigip.hostname err tmm[10206]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete, Line:
Conditions:
User is logged into APM and session times out.
Impact:
Error log messages may be confusing to BIG-IP APM administrators. The client is able to successfully reconnect.
Fix:
Erroneous messages of "Access encountered error: ERR_NOT_FOUND" are no longer logged in the APM log.
573608 : BIG-IP's Proxy-SSL is unable to handle fragmented SSL handshakes
Component: Local Traffic Manager
Symptoms:
An SSL client can fragment a handshake message into multiple pieces (a fragmented set of handshake records).
When BIG-IP receives such a fragmented handshake, it fails to recognize and reassemble the fragments.
One way this happens is when BIG-IP receives an SSL client certificate chain containing a large number of issuers. BIG-IP receives this as a fragmented handshake and does not recognize it as such. For RSA-4096, if the certificate chain contains at least 20 issuers, BIG-IP reports a handshake error and the connection is aborted.
Conditions:
The condition below is one of a few possible cases when the clientssl profile is configured with proxy-ssl enabled.
- The client certificate chain has a depth of at least 20 for RSA-4096 client certificates and their issuers. (For RSA-2048 the threshold depth is higher; the exact value is not known.)
This assumes that all certificates (including issuers) have the same key length (4096 for RSA). If any key length differs, the depth threshold may be higher (for shorter keys) or lower (for longer keys).
Impact:
When a fragmented SSL handshake message is received, the handshake fails. If tmm debug logging is enabled, you will see "debug tmm1[10284]: 01260009:7: Connection error: ssl_hs_pxy_scan:9143: malformed ssl record (47)".
Workaround:
One way the issue is triggered is with very large client certificate chains. This particular case can be mitigated.
The workaround is to use client certificate chains with a depth of at most 19 (for RSA-4096), for example by trimming the certificates advertised in the chain.
573581 : DNS Search suffix are not restored properly in some cases after VPN establishment
Component: Access Policy Manager
Symptoms:
Modified DNS suffix after VPN establishment and closure may result in failure to resolve some DNS names
Conditions:
DNS Relay proxy service is stopped in the middle of VPN session.
User's machine is rebooted.
Impact:
DNS suffixes are not restored properly which may lead to incorrect resolution of certain DNS names.
Workaround:
Any of the following workarounds
1) Do not stop the DNS Relay proxy service in the middle of a VPN session.
2) Restore the DNS search suffixes manually.
573451 : NTP vulnerability CVE-2015-7974
Vulnerability Solution Article: K13304944
573366 : parking command used in the nesting script of clientside and serverside command can cause tmm core
Component: Local Traffic Manager
Symptoms:
tmm cores when the configuration uses certain iRules.
Conditions:
An iRule that parks the interpreter is used in the nesting script of clientside and serverside command. (e.g. when doing a table lookup).
For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the parking command outside the nesting script.
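As an added illustration (not part of the release notes), an iRule showing the crashing shape and the workaround: the parking command (table lookup) is run in the event's own script, and only non-parking commands are left inside the clientside nesting script. The SERVER_CONNECTED event and the subtable name flowtags are assumptions for illustration.

```tcl
when SERVER_CONNECTED {
    # Crashes tmm (573366): the parking command runs inside the nested script.
    #   set tag [clientside { table lookup -subtable flowtags [IP::remote_addr] }]
    #
    # Safe ordering: keep the nested script to non-parking commands and run
    # the parking command (table lookup) in the event's own script.
    # In a serverside event IP::remote_addr is the pool member, so the
    # client address is fetched from the clientside context first.
    set client_ip [clientside { IP::remote_addr }]

    # table lookup parks the iRule; it is now outside clientside {}.
    # It returns an empty string when the key is absent (subtable name is illustrative).
    set tag [table lookup -subtable flowtags $client_ip]

    if { $tag ne "" } {
        log local0. "client $client_ip -> server [IP::server_addr] tag=$tag"
    }
}
```

The same ordering applies to serverside {}: fetch whatever the nested script needs with non-parking commands, park in the outer script, then pass the result in.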
573355 : Object properties values containing spaces are prefixed by the partition name
Component: TMOS
Symptoms:
The object property values containing spaces are prefixed by the /Common partition name. The object property values not containing spaces are not prefixed by /Common partition.
Example:
post fix:
(tmos)# list security dos bot-signature one-line
...
security dos bot-signature "Nmap web server probe (nice ports Trinity)" { category "Network Scanner" rule "uricontent:\"nice ports,/Trinity.txt.bak\"; nocase;" }
...
prior to fix:
(tmos)# list security dos bot-signature one-line
...
security dos bot-signature "Nmap web server probe (nice ports Trinity)" { category "/Common/Network Scanner" rule "uricontent:\"nice ports,/Trinity.txt.bak\"; nocase;" }
security::dos::bot-signature is one example of this behavior. However, this may impact all property values that contain spaces in them.
Conditions:
Object property-values contain spaces in them.
Impact:
The tmsh list action or save config action will save the partition name /Common for property value of objects in /Common partition that contain spaces in them.
Workaround:
None, but this is a cosmetic issue. It does not lead to any incorrect configuration behavior; it is just an inconsistent listing depending on whether the value contains the space character.
Fix:
The property values with or without spaces exhibit identical behavior. The listing of the property does not contain the /Common as a prefix.
573343 : NTP vulnerability CVE-2015-8158
Vulnerability Solution Article: K01324833
573249 : Setting Encryption Algorithm for AH IPsec Policy is now ignored.
Component: TMOS
Symptoms:
Setting Encryption Algorithm for AH IPsec Policy is meaningless and is treated as a configuration error.
Conditions:
Creating a 'net ipsec ipsec-policy' with the 'ip protocol' set to AH.
Impact:
Configuration error.
Workaround:
Set the encryption algorithm to NULL when configuring IPsec protocol AH.
Fix:
The setting for encryption algorithm is ignored and defaults to NULL when configuring IPsec protocol AH.
573247 : GRE PPTP tunnels created via the relate_client and relate_server iRules commands may fail.
Component: TMOS
Symptoms:
For GRE PPTP flows, the local port and remote port in the clientflow and serverflow have changed from any (port 0) to the PPP ethertype (0x880b). This affects iRules commands related to flow creation such as relate_client and relate_server. Using port 0 with these commands will no longer match incoming GRE PPTP packets and the packets will be dropped. These drops can be seen in the no_handler_deny counter in the tmm_stat table.
Conditions:
iRule that uses the relate_client or relate_server commands to create flows to handle GRE (IP protocol 47) PPTP traffic.
Impact:
All GRE PPTP packets are dropped.
Workaround:
The relate_client and relate_server commands in the iRule should be edited to use 34827 (0x880b) for the local and remote port.
573245 : IPsec Phase 1 and Phase 2 authentication algorithms now default to SHA-256.
Component: TMOS
Symptoms:
IPsec Phase 1 and Phase 2 authentication algorithms default to SHA-1.
Conditions:
When creating a 'net ipsec ipsec-policy' or creating a 'net ipsec ike-peer' and taking the defaults.
Impact:
Security is not as good as it could be.
Workaround:
Configure a higher level of security. e.g. SHA-256, SHA-384, or SHA-512.
Fix:
IPsec Phase 1 and Phase 2 authentication algorithms now default to SHA-256.
573235 : IPsec Phase 1 and Phase 2 authentication algorithms default to SHA-1 in the GUI
Component: TMOS
Symptoms:
IPsec Phase 1 and Phase 2 authentication algorithms default to SHA-1 in the GUI.
Conditions:
This happens when configuring IPsec via the GUI.
Impact:
The authentication algorithms may be configured as SHA-1 which may not be the best choice for the use case.
Workaround:
Select the appropriate level of authentication algorithm strength from the pull down menu for the use case.
573075 : ADAPT recursive loop when handling successive iRule events
Component: Service Provider
Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause "ADAPT unexpected state transition".
The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.
Conditions:
A requestadapt or responseadapt profile is configured.
An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks.
The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.
Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition".
The statistic "records adapted" reaches a very high number.
Eventually TMM crashes and the BIG-IP fails over.
Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.
Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the "records adapted" statistic reports the correct number.
573031 : qkview may not collect certain configuration files in their entirety
Component: TMOS
Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:
/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf
Conditions:
Any of the listed files exceeds 5 Mbytes.
Impact:
Fault diagnosis may be affected.
Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.
572900 : Two-factor auth not supported in step-up auth
Component: Access Policy Manager
Symptoms:
Two factor auth solutions like DuoProxy are not supported for step-up auth. The first logon page will render and accept credentials. In the observed setups, the second logon page will fail to render. It will result in a deny page or a reset.
Conditions:
In a subroutine (per-request policy), configure an authentication agent like AD Auth or RADIUS Auth that uses a two-factor authentication solution. An example is the DuoProxy.
Impact:
Two factor auth solutions are not supported in step-up auth
Fix:
Two factor auth solutions are supported now.
572895-1 : TCP forwarded flows are reset when time wait recycle of port happens
Component: Local Traffic Manager
Symptoms:
You notice that port-reused connections are being reset. When a flow is forwarded from one tmm to another, and the destination tmm finds that the client is reusing a port that is in time_wait while time-wait recycle is enabled, the source tmm terminates the connection with an RST sent in response to the SYN-ACK.
Conditions:
Using time-wait recycle and a client reuses the port that is currently in time-wait, and the flow is forwarded to another tmm.
Impact:
Client flows are reset rather than accepted.
572893 : error "The modem (or other connecting device) is already in use or is not configured properly"
Component: Access Policy Manager
Symptoms:
Clients get the error "The modem (or other connecting device) is already in use or is not configured properly".
Conditions:
The exact reproduction steps are not known, but it was seen to occur on certain Windows 10 clients where the access components were removed and login was attempted afterward.
Impact:
Clients will be unable to connect to the VPN
Workaround:
Rebooting might correct the issue on the client machine.
Fix:
Network Access will no longer fail on client machines that first uninstall the components and then attempt to reconnect.
572887 : DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client
Component: Access Policy Manager
Symptoms:
DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client. This happens because f5fpc fails to patch /etc/resolv.conf on Ubuntu 15.10 release.
Conditions:
/etc/resolv.conf, Ubuntu 15.10, f5fpc CLI client and network access establishment.
Impact:
DNS doesn't work properly on Ubuntu 15.10
Fix:
Now DNS works fine on Ubuntu 15.10 because /etc/resolv.conf can be patched correctly now by f5fpc command line client.
572885 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
ASM provisioned.
Device group w/ ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
572871 : TMM logs an incorrect error message when invalid regex pattern is used for LTM profiles
Component: TMOS
Symptoms:
When creating or editing LTM profiles with regex or GLOB-expression attributes using tmsh, if the regex or GLOB expression is invalid, the TMM logs an incorrect error message, similar to the following: Invalid command name.... The TMSH command line interface logs the correct message, similar to the following: Profile XYZ error - couldn't compile regular expression....
Conditions:
Specifying invalid regex or GLOB expressions in LTM profiles, using TMSH.
Impact:
No functional impact. This problem only affects the quality of diagnostics due to inaccurate TMM error logs.
Workaround:
There is no workaround at this time.
572825 : write to sessiondb fails for localdb password reset
Component: Access Policy Manager
Symptoms:
When the localdb instance name contains a "." character, apmd cannot store the memcache entry; the store operation fails. You will see a log message like "notice apmd[15593]: 01490000:5: mc_set_mkey() failed with error [11]".
Conditions:
This can occur when doing a localdb password change and the localdb instance name has a period in it.
Impact:
Run-time user information (such as the login failure count) is stored in memcache; if the entry cannot be stored in memcache, the user fails to authenticate.
Workaround:
Ensure your Localdb instance names do not contain a "." character.
572599 : QEMU vulnerabilities CVE-2015-7504 CVE-2015-7512
Vulnerability Solution Article: K63519101
572597 : CVE-2015-5279: A heap buffer overflow in QEMU's NE2000 NIC
Vulnerability Solution Article: K63519101
572596 : CVE-2015-5165; leak flaw in QEMU's RTL8139 emulation.
Vulnerability Solution Article: K63519101
572568 : Gy CCR-i requests are not being re-sent after initial configured re-transmits
Component: Policy Enforcement Manager
Symptoms:
For Gy interface, if OCS doesn't respond to the initial set of CCR-I requests as per the diameter-endpoint profile (1+ msg-max-retransmits <n>), the new set of CCR-I requests are not being generated, even after provisioning pending timeout happens.
Conditions:
This issue happens only for the Gy interface and when the initial set of CCR-I requests does not get a CCA response.
Impact:
The subscriber is left in Idle state until the default quota is breached and the subscriber is brought down, or the subscriber can reconnect once the OCS CCA response is fixed.
Workaround:
Re-connect the subscriber once the CCA response is fixed in OCS
Fix:
The solution is to resend CCR-I requests once the provisioning timeout happens
572563-2 : PWS session does not launch on Internet Explorer
Component: Access Policy Manager
Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).
Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services that Internet Explorer (IE) consumes. The DLL is loaded by IE during upgrade of the PWS components. For some reason (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS. When the COM services are invoked to initialize PWS after the upgrade, the old DLL provides the service. Due to the recent renewal of the F5 signing certificate, the old DLL cannot certify the integrity of the new PWS components. The issue has been researched, but no way has been found to instruct IE to unload the old DLL after an upgrade.
Impact:
PWS session does not launch.
Workaround:
After the upgrade, if Internet Explorer (IE) does not enter PWS within 60 seconds, close IE and start a new session. This is a one-time event.
Fix:
Internet Explorer can now launch a Protected Workspace session.
572558 : Internet Explorer: incorrect handling of document.write() to closed document
Component: Access Policy Manager
Symptoms:
HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page.
Conditions:
HTML page with document.write() calls inside event handlers or another scripts executed after document loading.
Strings passed to document.write() function contain HTML tags with URL or another re-writable content in attributes.
Impact:
HTML page is not shown at all or works incorrectly in Internet Explorer.
Workaround:
No workaround known
Fix:
Now HTML pages with document.write() calls for closed document are handled correctly by Portal Access.
572543 : User is prompted to install components repeatedly after client components are updated.
Component: Access Policy Manager
Symptoms:
After auto-update of the client components from Internet Explorer, the user is prompted to install the components again when they visit the VPN site again.
Conditions:
The administrator upgrades BIG-IP to 12.1.
The user has client components from a release older than 12.1.
Impact:
The user is prompted to install the components again and again.
Workaround:
Restart browser after components are updated the first time.
572420 : Session ID is not shown for some messages in System-> Logs-> Access Policy
Component: Access Policy Manager
Symptoms:
Session ID is not shown (empty) for some messages in System :: Logs : Access Policy.
Conditions:
This is happening for all VDI messages and some APMD messages
Impact:
No session ID based report is available for these messages
Workaround:
For VDI it is by design not to print session ID, rather using a connection ID to track messages. For APMD it is known issue that some DEBUG messages don't have session IDs.
Fix:
This behavior is by design
572309 : URL is not enforced correctly in some cases
Component: Application Security Manager
Symptoms:
A URL is not enforced according to its configuration in the policy or the host name in the URL is not recognized when it exists. False positive or false negative happens.
Conditions:
A specific issue in the URL string.
Impact:
The URL is enforced incorrectly - false negative or false positive violations.
Workaround:
N/A
Fix:
The URL is now parsed correctly.
Behavior Change:
a slash is added to the beginning of the URL when it arrives without one. The modified URL will be enforced and reported as the URL.
572281 : Variable value in the nesting script of foreach command get reset when there is parking command in the script
Component: Local Traffic Manager
Symptoms:
When there is a script like the following:
foreach a [list 1 2 3 4] {
    set a 10
    after 100
}
the parking command 'after' runs after "set a 10". When the after command returns, the value of a goes back to the initial value set by foreach, and the value of 10 is lost.
Conditions:
There is parking command in the nesting script of foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962
Impact:
Variable values get reset.
Workaround:
Set (or set again) the variable value after the parking command.
Fix:
This will be fixed in a later release.
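As an added illustration (not part of the release notes), the buggy ordering from the Symptoms beside the documented workaround, so the two can be compared in the log. The HTTP_REQUEST event is an assumption for illustration; the loop body is the release note's own snippet.

```tcl
when HTTP_REQUEST {
    # Bug (572281): 'after' parks the iRule inside the foreach body; when the
    # iRule resumes, $a reverts to the value foreach assigned (1, 2, 3, 4)
    # and the earlier 'set a 10' is lost.
    foreach a [list 1 2 3 4] {
        set a 10
        after 100
        log local0. "buggy ordering: a = $a"   ;# logs 1, 2, 3, 4 on affected builds
    }

    # Workaround from the release note: assign (or re-assign) the value after
    # the parking command returns, so nothing parks between the set and its use.
    foreach a [list 1 2 3 4] {
        after 100
        set a 10
        log local0. "workaround: a = $a"        ;# logs 10 each time
    }
}
```

The same rule applies to other parking commands listed in K12962 (table, session, RESOLV::lookup and similar): any value the loop body needs must be assigned after the last parking command in that iteration.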
572029 : Using ECDSA Keys for User Public Key Auth or the Backend Server is configured to use ECDSA keys
Component: Advanced Firewall Manager
Symptoms:
Using ecdsa keys for user public key auth will result in a connection hang. Using ecdsa keys on the backend server will result in the client receiving a TCP Reset.
Conditions:
Either of two conditions need to be satisfied:
1) The client has ECDSA keys, e.g., ~/.ssh contains id_ecdsa.pub and id_ecdsa.
2) The backend server is using ECDSA, e.g., the sshd config contains the following, where RSA and DSA are disabled and ECDSA is enabled:
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Impact:
No ssh connection can be established through the ssh proxy
Workaround:
Use RSA or DSA keys only for both User Public Key Auth and Server Key Exchange.
572015 : HTTP Class profile is upgraded to a case-insensitive policy★
Component: Local Traffic Manager
Symptoms:
If you upgrade to version 11.4.0 through 12.0.0, and your configuration contains a HTTP Class profile, the generated policy will be case-insensitive.
Conditions:
HTTP Class profile
Impact:
Generated policy does not match on the same conditions as original HTTP Class profile.
Workaround:
Manually edit generated policy
Fix:
The case-sensitive attribute is added to generated policies during upgrade.
571789 : cert-key-chain drop-downs are not set to inherited values.
Component: TMOS
Symptoms:
When overriding the cert-key-chain in an SSL profile, the three drop-down menus are not set to the values specified in the parent profile.
Conditions:
When overriding the cert-key-chain in an SSL profile.
Impact:
The chain file might be inadvertently set to 'None' when creating a child profile just to override a Certificate and Key.
Workaround:
None.
Fix:
When overriding the cert-key-chain in an SSL profile, the three drop-down menus are now set to the values specified in the parent profile.
571527 : "list sys crypto csr" output is not consistent
Component: TMOS
Symptoms:
"list sys crypto csr" prints the CSR file data along with the object information when there is only one CSR in the system. However, it only prints the object information when there exists multiple CSRs in the system.
Conditions:
1. When there is only one CSR file in the system.
2. The csr name is not specified in the "list sys crypto csr" command.
Impact:
"list sys crypto csr" output is not consistent.
Fix:
With the fix, when the system contains only one CSR file, "list sys crypto csr" will no longer print the CSR file, and hence the output format is consistent in terms of the CSR count in the system.
Note that if the CSR name is specified in the command, for example, "list sys crypto csr aaa.csr", the behavior is not changed, i.e., it still prints the file content of the CSR.
Behavior Change:
With the fix, when the system contains only one CSR file, "list sys crypto csr" will no longer print the CSR file content (but will still display the CSR object information).
571410 : LocalDB Auth in subroutines
Component: Access Policy Manager
Symptoms:
LocalDB Auth is available in the session-based policy, but is not available in the subroutines.
Conditions:
This is encountered in APM when performing re-authentication at the virtual server level, e.g., to perform step-up auth on specific resources.
Impact:
You are unable to configure LocalDB Auth in subroutines.
Workaround:
None.
Fix:
LocalDB Auth is now available in subroutines. Password reset is supported.
571408 : Step-Up Auth cannot validate SSL certificate revocations
Component: Access Policy Manager
Symptoms:
CRLDP Auth and OCSP Auth are not available in the subroutine policies.
Conditions:
The subroutines have On Demand Cert Auth, but do not have CRLDP Auth or OCSP Auth available.
Impact:
On Demand Cert Auth validates that the certificate was validly signed by the certificate authority, but for full feature support it should also be possible to check whether the certificate authority has revoked the certificate. That is the role of CRLDP Auth and OCSP Auth, but those agents are not currently available in subroutines.
Fix:
The CRLDP Auth and OCSP Auth agents have been added to the subroutines.
570845 : Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy
Component: TMOS
Symptoms:
The configuration infrastructure currently allows the invalid 'None' option to be configured on an IPsec IKE peer for phase 1 Perfect Forward Secrecy. Although offering the 'None' option is itself incorrect behavior that occurs only on specific browsers, the configuration infrastructure should check more strictly and reject an invalid 'None' option for configured IKE peers.
Conditions:
The ability to configure an IKE peer with an invalid 'None' option for Perfect Forward Secrecy occurs on Internet Explorer and Safari browsers, and the configuration infrastructure does not reject this invalid configuration for these cases.
Impact:
The racoon daemon will fail to start and all IPsec tunnels may fail to work. The racoon.log file may contain messages like:
INFO: Reading configuration from "/etc/racoon/racoon.conf"
ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
ERROR: fatal parse failure (1 errors)
ERROR: failed to parse configuration file.
Workaround:
Don't configure the 'None' option for Perfect Forward Secrecy in the IKE peer configuration section.
Fix:
Check for Perfect Forward Secrecy 'None' option in the configuration infrastructure and reject if this option is configured.
570839 : IPsec IKE-v2 Peer UI does not prevent configuration of 'NONE' option using Microsoft Internet Explorer.
Component: TMOS
Symptoms:
The IPsec configuration utility (web UI) allows configuration of an invalid option "NONE" for Perfect Forward Secrecy when Internet Explorer browser is in use.
Conditions:
IPsec IKE-v2 Peer created with 'None' option for Perfect Forward Secrecy from GUI.
Impact:
The racoon daemon will fail to start and all tunnels may fail to work. The racoon.log file may contain messages like:
2016-09-14 16:32:16: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2016-09-14 16:32:16: ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
2016-09-14 16:32:16: ERROR: fatal parse failure (1 errors)
2016-09-14 16:32:16: ERROR: failed to parse configuration file.
Workaround:
'None' option for Perfect Forward Secrecy in IPsec IKE Peer creation page is an invalid option and should not be selected.
Fix:
Configuration utility (web UI): Removed 'None' option for Perfect Forward Secrecy in IPsec IKE Peer creation page.
570818 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
Component: TMOS
Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.
Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.
Impact:
Failure in establishing IPsec SA.
Workaround:
None.
Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.
570697 : NTP vulnerability CVE-2015-8138
Vulnerability Solution Article: K71245322
570667 : OpenSSL vulnerabilities
Vulnerability Solution Article: K64009378
570575 : RESOLV::lookup against a TCP virtual will cause tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
TMM cores when RESOLV::lookup hits a TCP DNS listener.
Conditions:
RESOLV::lookup points to a TCP virtual.
Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.
Fix:
RESOLV::lookup verifies that the listener is a UDP DNS listener.
570570 : Default crypto failure action is now "go-offline-downlinks".
Component: Local Traffic Manager
Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "failover". Now, the default behavior is "go-offline-downlinks".
Conditions:
Failed crypto accelerator.
Impact:
BIG-IP with failing crypto accelerator on a chassis blade may remain in standby as primary blade.
Fix:
BIG-IP will now default to "go-offline-downlinks".
570363 : Potential segfault when MRF messages cross from one TMM to another.
Component: Service Provider
Symptoms:
Potential segfault when Message Routing Framework (MRF) messages cross from one TMM to another.
Conditions:
This issue occurs when MRF messages travel from one TMM to another, and an asynchronous operation also occurs (like persistence).
Impact:
It is possible for the message object to be removed before the asynchronous operation completes. If this occurs, a segfault may occur and the system might restart.
Workaround:
None.
Fix:
This release corrects the issue of potential segfault occurring when MRF messages cross from one TMM to another.
570277 : SafeNet client not able to establish session to all HSMs on all blades.
Component: Local Traffic Manager
Symptoms:
SafeNet client not able to establish session to all HSMs on all blades.
Conditions:
When the BIG-IP chassis is used with SafeNet HSM high availability (HA), and when BIG-IP tmm interface is used.
Impact:
SafeNet HSM HA is not being used at its maximal capacity.
Workaround:
Restart pkcs11d to mitigate this issue.
Fix:
We have adjusted the startup timing of pkcs11d to wait until tmm initialization finishes. Also we added retry for pkcs11d threads when connecting to HSM.
570217 : BIG-IP APM now uses Airwatch v2 API to retrieve device posture information
Component: Access Policy Manager
Symptoms:
Airwatch version 8.3 and above no longer uses the v1 REST API. APM is not able to retrieve device information from Airwatch MDM version 8.3 and higher, and device posture checking in APM policies fails.
Conditions:
- Airwatch configured on APM
- Airwatch is upgraded to version 8.3 or higher
Impact:
BIG-IP APM is unable to retrieve device information and device posture check will fail.
Workaround:
n/a
Fix:
BIG-IP APM now utilizes the Airwatch v2 API to access device posture information.
Important: you must be using Airwatch release 8.3 and up because older releases do not support the v2 REST API end points.
570064 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
Component: Access Policy Manager
Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"
Conditions:
BIG-IP APM configured and is accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.
Impact:
The prompt should not occur.
Fix:
Internet Explorer will no longer prompt to run InstallerControll.cab
570057 : Can't install more than 16 SafeNet HSMs in its HA group
Component: Local Traffic Manager
Symptoms:
With installation script on the BIG-IP, you can't install more than 16 SafeNet HSMs in its high availability group with versions 5.2 and 5.4.
Conditions:
Attempt to install more than 16 SafeNet HSMs.
Impact:
Installer script failure.
Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.
Fix:
Updated SafeNet installation scripts by replacing "vtl" with "lunacm" for high availability group creation and member-adding operations for version 6.2.
569609 : Wireshark vulnerabilities
Component: TMOS
Symptoms:
Wireshark may crash or stop responding if it reads a malformed packet from a network capture.
CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 CVE-2015-0562 CVE-2015-0564 CVE-2015-2189 CVE-2015-2191
Conditions:
These vulnerabilities are remotely exploitable only when an administrative user of the device is actively using the tshark utility, and the tshark utility receives attack packets as described in the CVEs.
Impact:
A remote attacker may be able to cause a denial-of-service (DoS) attack against the tshark process.
Workaround:
To mitigate this vulnerability, you can use the tcpdump utility to perform packet captures instead of the tshark utility.
Fix:
Updated tshark to non-vulnerable version.
569563-1 : Sockets resource leak after loading complex policy
Component: Access Policy Manager
Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.
After some time, the APM process file descriptor table is exhausted and no more access policies are processed.
The following error messages may be observed in the logs:
err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].
Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).
File descriptors leak (remain unclosed) after loading complex policies that contain many agents.
Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.
Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.
Current preferred workaround is to set log level to ERROR or higher and restart apmd.
When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:
bigstart restart apmd
Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.
Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties
Note 3: Opened file descriptors do not close until apmd is restarted.
Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:
lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP. This gives you the number of open files.
- Detailed steps to change logging-level to ERROR:
Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }
Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties
Step 3. Manually restart apmd using the following command: bigstart restart apmd
Fix:
Sockets are now closed properly, so there is no longer file descriptor leakage when loading or reloading complex access policies.
569542 : After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
Component: Access Policy Manager
Symptoms:
After upgrade, an existing user-created partition will not be able to load any existing hosted-content file or upload a new one.
The issue happens because the required APM Sandbox directory w.r.t. this partition is missing after the upgrade.
01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_file_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Loading configuration process failed.
REPRODUCTION STEPS:
1) Before upgrade, create a partition (make sure APM is provisioned), say 'p1'.
2) Install the upgrade and reboot.
3) After upgrade, partition 'p1' is created but the required directory '/var/sam/www/webtop/sandbox/files_d/p1_d' is not created.
This can occur on upgrades from prior to 11.6.0 to 11.6.0 through 12.1.0.
Conditions:
Partition is created before the upgrade.
Impact:
Configuration load fails if the existing partition had any hosted-content file before upgrade. If it did not have any hosted-content file before upgrade, the configuration load will be successful, but the user cannot upload/create a new hosted-content file in this partition sandbox.
Workaround:
The workaround is to manually create the required sandbox directory using the following bash command:
mkdir -p /var/sam/www/webtop/sandbox/files_d/p1_d
569467-8 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
Vulnerability Solution Article: K11772107
569455 : Linux kernel vulnerability CVE-2016-0728
Vulnerability Solution Article: K01948202
569355 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
Vulnerability Solution Article: K50118123
569331 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
Component: TMOS
Symptoms:
Traffic will not pass to virtual servers of a traffic group
Conditions:
BIG-IP AWS
High Availability
AWS network outage
Impact:
Some of virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.
Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.
569316 : Core occurs on standby in MRF when routing to a route using a transport config
Component: Service Provider
Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.
Conditions:
routing a message to a route that uses a transport-config to define how to create an outgoing connection.
Impact:
The standby device will core.
Workaround:
NA
Fix:
Fix properly initializes a field on the standby.
569309 : Clientside HTML parser does not recognize HTML event attributes without value
Component: Access Policy Manager
Symptoms:
Assignment of specific HTML content to tag.innerHTML could lead to a JavaScript error. This happens when one or more tags in the HTML text contain HTML event attributes without a value (such as <div onclick />).
The following or a similar error is logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference
Impact:
Web application does not work when accessed through Portal Access.
Workaround:
iRule could be provided for specific application.
Fix:
Now empty inline event handler attributes are not rewritten on client side.
569306 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
Component: Access Policy Manager
Symptoms:
User is shown the logon page to connect to VPN after he logs on. Windows logon credentials are not used for VPN automatically.
Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected
Impact:
User has to retype his credentials to connect to VPN
Workaround:
Enter the credentials again to connect to VPN
Fix:
Now logged on credentials are used automatically to connect to VPN
569288 : Different LACP key may be used in different blades in a chassis system causing trunking failures
Component: Local Traffic Manager
Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to fail to aggregate with the peer switch.
Conditions:
This only happens in a chassis-based system when a certain race condition causes the trunk ID to be modified after initial trunk creation.
Impact:
Non aggregated trunk members won't be able to pass traffic.
Workaround:
Restart lacpd in all the blades in the chassis by running command "clsh bigstart restart lacpd"
569278 : Request to /my.policy.php3 will return 302 redirect to /vdesk/webtop.eui?webtop=... with rotated MRHSession.
Component: Access Policy Manager
Symptoms:
If access policy looks like following:
Start --> Logon Page --> iRule event --> Full Resource assign --> Allow
Request to /my.policy.php3 will return 302 redirect to /vdesk/webtop.eui?webtop=... with rotated MRHSession.
When there is no iRule Event in the access policy, it returns a 200 code with rotated MRHSession.
Conditions:
1. Create the following access policy. NOTE: iRule event can be created after following this link http://support.f5.com/kb/en-us/solutions/public/11000/200/sol11225
Start --> Logon Page --> iRule event --> Full Resource assign --> Allow
2. Use Edge Client to connect to the box with this access policy. It will fail.
3. Now remove iRule event agent from access policy and connect using Edge Client again. It will pass now.
Impact:
Connecting to the box with this access policy will fail.
Workaround:
None.
Fix:
None.
569255 : Network Access incorrectly manipulates routing table when second adapter being connected if "Allow Local subnet access' is set to ON
Component: Access Policy Manager
Symptoms:
When Network Access is already established and a second network interface is being connected to client system, VPN quickly reconnects, which breaks existing TCP connections. Because reconnect occurs very quickly, it might appear to the user that nothing happened.
Conditions:
-- 'Allow Local subnet access' enabled.
-- Client system is getting second network interface connected.
Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.
Workaround:
Disable 'Allow Local subnet access'.
Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.
569206 : After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.
Component: Local Traffic Manager
Symptoms:
After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.
Conditions:
Connectivity loss and restoration between HSM and pkcs11d.
Impact:
Sometimes, one or more blades have consistent SSL failures. Others work fine after the network is restored.
Workaround:
None. This is an intermittent failure.
Fix:
All blades now recover the working condition after the network is restored.
569121 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
Component: Anomaly Detection Services
Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.
Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.
Impact:
Overall rate limit is lower than expected.
Fix:
Improvements were made to rate limiting in environments with a high number of TMMs.
569025 : iControl query does not respect global cli settings when returning service values (number vs name).
Component: TMOS
Symptoms:
iControl queries that return a service value do not respect the global cli service setting. The iControl query always returns the service name even when the cli service setting is set to 'number'.
Conditions:
The cli global settings are configured to always display the service number using the following command:
tmsh modify cli global-settings service number
Using iControl queries that expect a service number.
Impact:
The iControl query always returns the service name.
Workaround:
None.
Fix:
iControl query returns service name / port number based on global cli setting.
568768 : CSR attribute email and certificate Subject's DN email are not distinguished
Component: TMOS
Symptoms:
The email entered when creating a CSR is used as the CSR attribute email and the email in the certificate properties (SAN/subject)
Conditions:
Creating a CSR via iControl or TMSH
Impact:
Unable to generate a separate email attribute in the CSR as well as the certificate subject's DN email
Behavior Change:
With iControl or TMSH, when a CSR is created whose Subject DN contains an EmailAddress, an RFC822Name SAN entry with that EmailAddress is added automatically.
For iControl or TMSH, if the provided SAN is too long (current max length is 4095 chars) for the RFC822Name SAN entry to be added automatically, an error is thrown saying "Certificates with Subject’s DN containing an Email Address must also have a RFC822Name SAN entry with that Email Address and failed to automatically include as the length exceeded 4095 characters."
568765 : CSR administrative Email attribute and Certificate Subject’s DN Email address
Component: TMOS
Symptoms:
The Email address entered in the GUI also appears in the generated CSR's certificate subject DN email address (without an associated SAN rfc822name), so the generated CSR does not conform to RFC 5280.
There is also no way to use different email addresses for the CSR administrative email address and the certificate subject DN email address.
Conditions:
A CSR generated through the GUI with an Email address provided does not conform to RFC 5280.
Impact:
GUI generates non RFC5280 conforming CSR.
Workaround:
The Email address field in the GUI can only be used for the certificate subject's DN email address; when it is entered, also enter the rfc822name in the Subject Alternative Name field.
Example:
If "test@test.com" entered in 'Email Address' field, then also include "email:test@test.com" in 'Subject Alternative Name' field.
Fix:
You can now enter different email addresses in the certificate properties (SAN/subject) and in the administrative email of the CSR, and the generated CSR conforms to RFC 5280.
568672 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
Component: TMOS
Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.
Conditions:
This occurs if a tunnel times out and goes to the down state.
Impact:
Confusion on the true state of the tunnel.
Workaround:
None needed.
Fix:
Now, when a tunnel times out and goes to the down state, the state is shown correctly.
568576 : Version Check fails when upgrading across a major version boundary★
Component: Access Policy Manager
Symptoms:
The Edge client's version check fails across a major version boundary, which causes the installer to not automatically update. F5InstServLog.txt reports the following message: service.cpp, 2015, VerifyPackage(), (0x64d) EXCEPTION - this is an old or same version - do not upgrade
Conditions:
Install EdgeClient from BIG-IP v12.0.0. Use EdgeClient to connect to a BIG-IP v12.1.0
Impact:
Edge Client auto-installer fails.
Fix:
The Edge client version check now properly detects new versions.
568445 : User cannot perform endpoint check or launch VPN from Firefox on Windows 10
Component: Access Policy Manager
Symptoms:
If Firefox is used on Windows 10 to connect to APM, access policy may fail, or system fails to launch VPN.
Conditions:
Firefox is used to connect to APM on Windows 10. The following conditions are exclusive and have different impact:
1) Access policy requires client side inspection.
2) Attempt to launch VPN from WebTop.
Impact:
1) Access policy will fail.
2) VPN cannot be launched from WebTop.
Workaround:
None.
Fix:
User can now perform endpoint check or launch VPN from Firefox on Windows 10.
568418 : Linux CLI client does not follow redirect response coming from APM
Component: Access Policy Manager
Symptoms:
If access policy on APM has redirect ending, Linux CLI client will fail to establish VPN.
Conditions:
Linux CLI client is used to establish VPN
APM access policy has redirect ending.
Impact:
Cannot establish VPN.
Workaround:
Do not use redirection in access policy for Linux CLI client.
Fix:
Now Linux CLI client can follow redirect responses coming from APM.
568229 : [LTM][DNS] save-on-auto-sync with partitions fails for LTM DNS partition objects
Component: Global Traffic Manager (DNS)
Symptoms:
Even though 'auto-sync enabled' and 'save-on-auto-sync true' are set on a device group which has a partition assigned to it, creating an LTM DNS object in the partition is successfully transmitted to the running configuration of the peer device, but not written to bigip.conf.
Conditions:
1. auto-sync and save-on-auto-sync enabled for device group.
2. The device group has a partition assigned to it.
3. Creating a ltm dns partition object.
Impact:
Changes are not written to conf files as expected.
Workaround:
Save configuration manually at regular intervals on peer box.
Fix:
Fixed issue where ltm dns objects are not being saved to their proper partition bigip.conf files when in a partition other than /Common/. This means that partitioned objects will be saved automatically when save-on-auto-sync is enabled for corresponding device groups. This affects ltm dns nameservers, zones, and tsig-keys.
Behavior Change:
LTM DNS objects (zones, tsig-keys, and nameservers) are now partitioned, so they are saved to their corresponding partition's bigip_gtm.conf file under /config/partitions/. Because these objects are now partitioned, user permissions to read / modify these objects match the user permissions assigned to that partition.
568151 : SNTP vulnerability CVE-2015-5219
Vulnerability Solution Article: K60352002
568054 : NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195
Vulnerability Solution Article: K02360853
568052 : NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195
Vulnerability Solution Article: K02360853
567707 : Edge client uninstaller on windows leaves some client components on user's machine
Component: Access Policy Manager
Symptoms:
BIG-IP Edge client is not uninstalled completely from user's machine.
Conditions:
msiexec /x "f5fpclients.msi"
is used to uninstall Edge Client.
Impact:
Edge Client is not uninstalled completely
Workaround:
Remove the remaining components using Windows "Add/Remove programs"
or
use the following command to remove the remaining components:
"C:\%ProgramData%\\F5 Networks\f5unistall.exe" [/r] /uninstall"
567665 : SNMP TMM memory stats need to be presented per TMM process
Component: Local Traffic Manager
Symptoms:
TMM memory stats presented by the enterprise MIB table sysTmmStatTable are presented per TmmId - which is defined as slot.cpu_number. However, a single TMM process can have multiple TmmIds with the number depending on the BIG-IP platform.
Conditions:
All
Impact:
No impact on services, but this places a burden on SNMP Monitors to summarize TmmId memory stats for a given TMM process.
Workaround:
The total memory allocated and used by a particular TMM process can be summarized at the SNMP Monitoring end using the sysTmmStatTmmPid to determine which TmmIds belong to the TMM process.
Fix:
A new enterprise MIB table, sysTmmProcStatTable, has been introduced that presents TMM memory statistics per TmmPid, where the TmmPid is the Linux Process Id for a TMM instance running on a specific slot.
567546 : Files with file names larger than 100 characters are omitted from qkview
Component: TMOS
Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.
Conditions:
No conditions necessary. Any file with a name larger than 100 characters is automatically omitted.
Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.
Workaround:
One would have to rename any files with names larger than 100 characters to names with less than 100 characters.
Fix:
Qkview was fixed to not use POSIX as the tar format, but instead to use the "GNU" format, which allows for up to 256 characters (the system limit). The fixed program now allows any file name length the system permits.
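An added illustration of the tar-format limit described above (this is example code, not qkview's own): the ustar name field holds at most 100 bytes, so a member whose basename cannot be split into prefix/name is rejected, whereas the GNU format stores long names in an extension header. Python's tarfile.USTAR_FORMAT stands in for the "POSIX" format the text refers to (an assumption); the file names are constructed.

```python
import io
import tarfile

# Constructed names: a basename longer than the 100-byte ustar name field,
# and a path that ustar can still store by splitting it into prefix + name.
SHORT_NAME = "var/log/ltm"
LONG_BASENAME = "core." + "x" * 110 + ".gz"      # 118 characters, no '/'
SPLITTABLE_PATH = "var/log/" + "y" * 95          # 103 characters overall

FORMATS = {
    "ustar": tarfile.USTAR_FORMAT,   # POSIX.1-1988, 100-byte name + 155-byte prefix
    "gnu": tarfile.GNU_FORMAT,       # GNU long-name extension, no such limit
}


def archive(names, fmt_name):
    """Write each name as an empty member into an in-memory tar.

    A name the chosen format cannot represent is skipped instead of aborting
    the whole archive, mirroring the reported qkview behaviour.
    Returns (names_in_archive, omitted_names)."""
    out = io.BytesIO()
    omitted = []
    with tarfile.open(fileobj=out, mode="w", format=FORMATS[fmt_name]) as tar:
        for name in names:
            info = tarfile.TarInfo(name)   # size 0, no data needed
            try:
                tar.addfile(info)
            except ValueError:             # tarfile raises "name is too long"
                omitted.append(name)
    out.seek(0)
    with tarfile.open(fileobj=out, mode="r") as tar:
        included = tar.getnames()          # prefix and name are rejoined on read
    return included, omitted


if __name__ == "__main__":
    names = [SHORT_NAME, LONG_BASENAME, SPLITTABLE_PATH]
    for fmt_name in FORMATS:
        included, omitted = archive(names, fmt_name)
        print(f"{fmt_name}: included {len(included)}, omitted {omitted}")
```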
567457-1 : TMM may crash when changing the IKE peer config.
Component: TMOS
Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).
Conditions:
This occurs when making changes to IPsec tunnels that causes the configuration to become invalid. For example, changing ISAKMP phase1 from SHA-1 to MD5 results in an invalid configuration.
Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use tmsh to make the affected configuration changes; this occurs in the GUI only, and the tmsh 'create' command does not cause this core.
Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.
567379 : libtar vulnerability CVE-2013-4397
Vulnerability Solution Article: K16015326
567199 : NLA-awareness works incorrectly in "Always Connected Mode"
Component: Access Policy Manager
Symptoms:
Edge Clients configured with Network Location Awareness and Always Connected Mode will fail to connect if the client is outside of the enterprise LAN and "Allow traffic only in enterprise networks" is configured.
Conditions:
1. Generate a package that contains EdgeClient in Always Connected mode, specifying "Allow traffic only in enterprise networks"
2. Connect client to LAN which is not enterprise (without suffix)
3. Install and run EdgeClient
Impact:
Clients will be unable to connect to enterprise resources
Workaround:
None.
Fix:
The Edge client will now pass through NLA Awareness events so that they can connect to enterprise resources.
566998 : Edge client upgrade fails if client was configured in locked mode★
Component: Access Policy Manager
Symptoms:
Edge client cannot be upgraded automatically to a newer version
Conditions:
Edge client package was downloaded with "Enable Always Connected mode" option checked
Server contains a newer version of edge client
Impact:
Automatic upgrade of edge client will fail
Workaround:
Manually uninstall and re-install client
566947 : Errors in IMsTscAxEvents::OnDisconnected do not have a text description
Component: Access Policy Manager
Symptoms:
The disconnect reason, extended disconnect reason are logged as numerical values. These values are not explained.
Conditions:
RDP session is disconnected
Impact:
Confusing logging, without any explanation given as to what is wrong
Workaround:
This (external) link to an MSDN page explaining the error codes may be helpful in interpreting the numerical values: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382170(v=vs.85).aspx
Fix:
The results from GetErrorDescription are logged
566908-1 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
Component: Access Policy Manager
Symptoms:
Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over VPN.
Conditions:
proxy.pac, network access, OS X system.
Impact:
Local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server.
Workaround:
None.
Fix:
Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server.
566600 : Export button in EDGE client now creates a CTU report
Component: Access Policy Manager
Symptoms:
The Export button created an Edge Client log; this log did not contain enough information for F5 to correctly diagnose many problems.
Conditions:
Open Edge Client, Open Details, Open view log -> Press Export
Impact:
F5 would have to ask customer to generate a CTU report from the Details page, delaying fixes
Workaround:
Use Generate CTU report button on the Details page
Fix:
Export button on View Logs page now generates CTU Log that contains full logging that F5 needs to diagnose problems.
566576 : ICAP/OneConnect reuses connection while previous response is in progress
Component: Service Provider
Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.
Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.
Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.
Workaround:
Remove OneConnect.
Fix:
BIG-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.
566507 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.
566327 : 1 tmm allocated per 2GB of RAM
Component: TMOS
Symptoms:
On Azure with a 3.5 GB, 2 vCPU configuration, only 1 tmm is started.
Conditions:
BIG-IP Virtual Edition in Public Clouds.
Impact:
Allocating only 1 tmm can leave CPUs under-utilized in public-cloud VMs when RAM is not a multiple of 2 GB per CPU.
Workaround:
None.
Fix:
The logic for determining the number of CPUs to be used by BIG-IP was changed to take into account Cloud VE configurations such as these:
* 2 vCPU / 3.5 GB RAM
* 4 vCPU / 7.0 GB RAM
* 8 vCPU / 14.0 GB RAM
BIG-IP now assumes 1.5 GB RAM per CPU and better utilizes the above configurations by using all available CPUs.
566071 : network-HSM may not be operational on secondary slots of a standby chassis.
Component: Local Traffic Manager
Symptoms:
pkcs11d may not be running on secondary slots of a chassis.
Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.
Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.
Workaround:
Manually install netHSM on each secondary slot.
Fix:
netHSM install no longer depends on management IP of secondary slots and also successfully installs on slots of a standby chassis.
565895 : Multiple PCRE Vulnerabilities
Vulnerability Solution Article: K17235
565799 : CPU Usage increases when using masquerade addresses
Component: Local Traffic Manager
Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.
Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.
Impact:
Possible performance degradation or reduction in capacity.
Fix:
Performance of masquerade address checks is restored.
565757 : kernel static route can become invalid in a SelfIp transaction
Component: Local Traffic Manager
Symptoms:
A kernel static route, default or otherwise, can become invalid and be deleted from the kernel during a transaction or while loading configuration.
Conditions:
Changing a SelfIp address in a transaction where the address being changed is the only address for a gateway or static route, or loading a new configuration where the SelfIp in the configuration and the current SelfIp are the only addresses serving the static route.
Impact:
A static route configured on the BIG-IP can become invalid when loading configuration, when changing a SelfIp in a transaction, or when both an add and a delete happen in the same transaction.
Workaround:
Delete all static routes before the transaction or configuration load, and restore them after the transaction or configuration load completes.
Fix:
SelfIp address changes in a transaction are now ordered correctly to preserve the networking configuration that depends on them.
565686 : Route domain behavior is inconsistent
Component: Access Policy Manager
Symptoms:
In an APM configuration, if the route domain of the connectivity profile does not match the route domain of network access, then egress traffic does not make it through even though ingress traffic does.
Conditions:
Network Access configuration with differing route domains.
Impact:
Traffic is allowed (ingress traffic above) that should have been blocked.
Workaround:
Ensure everything is in the same route domain.
565519 : URL filter policy enforcement interprets "recommend to scan" as "uncategorized" all the time
Component: Access Policy Manager
Symptoms:
Previously the URL Filter Assign agent was always expected to be after Categorization and Response Analytics. In the case where Categorization returned only "recommend to scan" and Response Analytics returned nothing, "recommend to scan" would be treated as "uncategorized" before enforcing actions.
BIG-IP now has Request Analytics. When this is used, there will be a URL Filter Assign agent after Request Analytics, and then another instance of this after Response Analytics. In such a situation, treating "recommend to scan" as "uncategorized" is incorrect in the instance of URL filter assign after Request Analytics.
Conditions:
Per request policy looks like:
Category Lookup -> Request Analytics -> URL Filter -> Response Analytics -> URL Filter
Impact:
A "recommend to scan" categorization after Request Analytics is treated as "uncategorized". This is undesirable because the first URL Filter Assign instance deals with it as uncategorized instead of evaluating further by sending it to Response Analytics. If the first URL Filter allowed it through, Response Analytics would no longer see the "recommend to scan" classification and would not scan.
Workaround:
None.
Fix:
Instead of switching "recommend to scan" to "uncategorized" in URL Filter, the system now leaves it as "recommend to scan" and takes the action of "uncategorized".
Response Analytics was changed to strip the "recommend to scan" category if other categories exist, and otherwise to change it to "uncategorized". Because the system expects Response Analytics to be the last category evaluation agent in the policy, this is reasonable and safe to do.
565409-1 : Invalid MSS with HW syncookies and flow forwarding
Component: Local Traffic Manager
Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.
Conditions:
The conditions which cause this are not fully known.
Impact:
TMM core/reboot.
Workaround:
Disable HW syncookies or TSO.
565347 : Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
Component: Access Policy Manager
Symptoms:
Rewrite engine behaves improperly in case of AS2 SWF with a string in 'push' instruction longer than the instruction length itself.
Conditions:
Any AS2 SWF with a string in 'push' instruction longer than the instruction length.
Impact:
Rewrite coredump.
Workaround:
It can be worked around by adding a Portal Access profile resource item with the Flash patcher turned off for the improper SWF content.
Fix:
Completely fixed.
565056 : Fail to update VPN correctly for non-admin user.
Component: Access Policy Manager
Symptoms:
VPN is not updated correctly for non-admin users.
Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create Access Policy containing (Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, VPN Resources with Optimized Applications.)
2. Login with a User without admin privileges
3. Run FF
4. Login to VS and install components
5. Click on NA resource on the webtop to start VPN tunnel => a user is asked for an admin password and VPN is successfully installed and established
6. Close FF and exit PWD
Impact:
VPN is not updated. A user is not asked to enter admin credentials and an error is given: "Error downloading required files (-1)"
Workaround:
None.
Fix:
VPN is now updated as expected for non-admin users.
564779-1 : Compatibility issues with phishing detection and dosL7
Component: Fraud Protection Services
Symptoms:
Alerts may not be sent by FPS if a DOSL7 profile with proactive bot defense is attached to the virtual server.
Conditions:
Both FPS and a DOSL7 profile with proactive bot defense are attached to the virtual server.
Impact:
Alerts will not be sent.
Workaround:
Disable proactive bot defense.
Fix:
Phishing Detection now works properly and phishing alerts are sent to the Dashboard, because DOSL7 proactive bot defense no longer mitigates FPS reporting requests.
564771 : cron sends purge_mysql_logs.pl email error on LTM-only device
Component: TMOS
Symptoms:
On a device provisioned with LTM only, cron may log or send an email containing the following perl error:
/etc/cron.hourly/purge_mysql_logs.pl:
Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27
This script was only intended to be run with AM, ASM, or PSM provisioned, and it generates an error if none of them is.
Conditions:
Any device with AM, ASM, and PSM not provisioned. LTM-only devices are impacted.
Impact:
If cron can send email, it will send the perl error in the email once per hour.
564522-1 : cron is configured with MAILTO=root but mailhost defaults to 'mail'
Component: TMOS
Symptoms:
In the crontab and ssmtp configurations the environment is MAILTO="", which means no email is delivered, and it is difficult to find where the email went.
Conditions:
This exists in the default crontab and ssmtp configurations.
Impact:
- You may receive unexpected messages addressed to "root" at a host named "mail" on your network
OR
- You may encounter messages similar to the following in /var/log/maillog:
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25
Workaround:
Change outbound-smtp mailhub to localhost with tmsh:
tmsh modify /sys outbound-smtp mailhub localhost
Fix:
Default mailhub has been changed to localhost. Starting in 12.0.0, MAILTO is set to root instead of "" in /etc/crontab so that the output of cron jobs can be captured. However, ssmtp is configured by default with a mailhost of 'mail', which may result in either error messages logged to /var/log/maillog or unexpected messages received on another system.
564521 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped
Component: Access Policy Manager
Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.
Conditions:
Adobe ActionScript 3.0 version 24 or less.
Impact:
Adobe Flash application may crash.
Workaround:
None
Fix:
Completely fixed.
564324 : ASM scripts can break applications
Component: Application Security Manager
Symptoms:
ASM originated scripts are injected into places where they are not supposed to be, causing the script not to work and/or the application to break.
Conditions:
ASM is in front of a single-page application, where injection is possible only for the main page.
ASM has the CSRF or web scraping feature enabled.
Impact:
Application malfunctions and shows JavaScript errors.
Workaround:
Turn off the relevant feature that causes the injection.
564281 : TMM (debug) assert seen during Failover with Gy
Component: Policy Enforcement Manager
Symptoms:
When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured.
Conditions:
Using PEM and Gy is configured.
Impact:
The TMM (debug version) may core and restart, resetting all connections.
Workaround:
Do not use the debug tmm with Gy.
Fix:
This debug assert has been changed to a debug log message.
564262 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
Component: Access Policy Manager
Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.
Conditions:
-DNS names cannot be resolved on client system.
-PAC file used to determine proxy server uses JavaScript DNS resolution function.
Impact:
Tunnel server crashes and user cannot establish VPN.
Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.
Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.
564253 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins, which are not signed by Firefox.
Conditions:
Using APM with Firefox v44.0 and later.
Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.
Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.
Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.
564111 : Multiple PCRE vulnerabilities
Vulnerability Solution Article: K05428062
564058 : AutoDoS daemon aborts intermittently after it's being up for several days
Component: Advanced Firewall Manager
Symptoms:
AutoDoS daemon aborts intermittently when accessing session db api for memcache interface.
Conditions:
This happens in the control-plane AutoDoS daemon. This is an intermittent issue that occurs on a few platforms under specific stress testing.
Impact:
Core will be seen, but the daemon will restart, and there is no loss of state.
Workaround:
No workaround.
Fix:
AutoDoS daemon no longer aborts intermittently when accessing session db api for memcache interface.
563933 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
Component: Local Traffic Manager
Symptoms:
A and AAAA RRsets in the additional section are dropped.
Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.
Impact:
Failure to include the additional RRs results in additional lookups by the client which could be glue records for a resolver.
Workaround:
Set dns64-additional-section-rewrite to 'any'.
Fix:
v4-only and v6-only options work as expected. Note that DNS64 prefix operations occur after all other DNS processing blocks -- including GTM.
563670 : OpenSSL vulnerabilities
Vulnerability Solution Article: K86772626
563491 : BIG-IP SSL does not support Extended Master Secret Extension (RFC7627)
Component: Local Traffic Manager
Symptoms:
BIG-IP SSL cannot negotiate Extended Master Secret with client or server.
Conditions:
If a client or server tries to negotiate Extended Master Secret with BIG-IP SSL, the negotiation will only succeed in using the legacy master secret calculation.
Impact:
BIG-IP SSL and its peer cannot successfully negotiate an Extended Master Secret calculation; they can only negotiate a legacy master secret calculation. Note: The SSL handshake will continue to work.
Workaround:
None.
Fix:
BIG-IP SSL now supports Extended Master Secret (RFC7627) for reverse/forward proxy.
563488 : Support Extended Master Secret Extension (RFC7627) for ProxySSL
Component: Local Traffic Manager
Symptoms:
In ProxySSL, if a client and backend server negotiated and agreed to use Extended Master Secret, ProxySSL will not be able to finish the handshake successfully.
Conditions:
ProxySSL is enabled in BIG-IP, and the client and server both support Extended Master Secret and successfully exchange the Extended Master Secret Extensions.
Impact:
ProxySSL will not work.
Workaround:
Do not enable Extended Master Secret features in client or server.
Fix:
ProxySSL now supports the Extended Master Secret Extension (RFC7627).
Behavior Change:
If the client and the server exchange the extended master secret extension in their ClientHello and ServerHello, and agree to use the extended master secret calculation, then BIG-IP SSL uses the agreed calculation method. There is no hardware support for the extended master secret computation; only the software path is used.
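The two entries above (563491 and 563488) concern the RFC 7627 master secret calculation. The following added example, which is not BIG-IP code, shows the difference that the fix negotiates: the legacy master secret is bound only to the two Hello randoms, while the extended master secret is bound to a hash of the whole handshake transcript up to ClientKeyExchange, so two handshakes that differ anywhere in that transcript yield different keys. The TLS 1.2 PRF with SHA-256 (RFC 5246) is used; the pre-master secret, randoms and transcripts are constructed sample inputs.

```python
"""Legacy (RFC 5246) vs. extended (RFC 7627) master secret derivation.

Added example, not F5 code. Uses the TLS 1.2 PRF with SHA-256; every byte
value passed in by the caller is a constructed test input.
"""
import hashlib
import hmac

MASTER_SECRET_LEN = 48


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)), out = HMAC(secret, A(i) + seed)..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def legacy_master_secret(pre_master: bytes, client_random: bytes,
                         server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: bound only to the two 32-byte Hello randoms."""
    return prf(pre_master, b"master secret",
               client_random + server_random, MASTER_SECRET_LEN)


def session_hash(handshake_messages: bytes) -> bytes:
    """RFC 7627 section 4: hash of all handshake messages sent or received,
    up to and including ClientKeyExchange, using the handshake hash of the
    negotiated cipher suite (SHA-256 assumed here)."""
    return hashlib.sha256(handshake_messages).digest()


def extended_master_secret(pre_master: bytes, handshake_messages: bytes) -> bytes:
    """RFC 7627 section 4:
    master_secret = PRF(pre_master_secret, "extended master secret", session_hash)[0..47]"""
    return prf(pre_master, b"extended master secret",
               session_hash(handshake_messages), MASTER_SECRET_LEN)


def compare(pre_master: bytes, client_random: bytes, server_random: bytes,
            handshake_messages: bytes) -> dict:
    """Derive both secrets for one set of handshake inputs."""
    return {
        "legacy": legacy_master_secret(pre_master, client_random, server_random),
        "extended": extended_master_secret(pre_master, handshake_messages),
    }


if __name__ == "__main__":
    # Constructed inputs: a fake RSA pre-master secret and two transcripts that
    # share the same randoms but differ later in the handshake.
    pm = b"\x03\x03" + bytes(46)
    cr, sr = bytes(range(32)), bytes(range(32, 64))
    t1 = b"ClientHello|ServerHello|Certificate:A|ClientKeyExchange"
    t2 = b"ClientHello|ServerHello|Certificate:B|ClientKeyExchange"
    a, b = compare(pm, cr, sr, t1), compare(pm, cr, sr, t2)
    print("legacy identical across transcripts:", a["legacy"] == b["legacy"])
    print("extended identical across transcripts:", a["extended"] == b["extended"])
```

The example generalizes the page's statement slightly by running the derivation twice with the same randoms and pre-master secret but different transcripts: the legacy secrets coincide, the extended secrets do not, which is exactly the transcript binding the extension exists to provide.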
563135 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
Component: Access Policy Manager
Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.
Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request
Impact:
The first request after authentication will fail.
Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.
562928-4 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
Component: TMOS
Symptoms:
Certain curl connections with the '--local-port' option sometimes fail over IPsec tunnels when the connection.vlankeyed db variable is disabled, with the error 'curl: (7) couldn't connect to host'.
Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.
Impact:
TCP connections do not complete the three-way handshake and traffic does not pass.
Workaround:
Disabling the 'cmp' option on the virtual server allows the traffic to pass over IPsec tunnels.
Fix:
Using the curl command with the '--local-port' option no longer causes the connections to fail on the BIG-IP system.
562676 : No virtual servers display on multi-page, multiple partition configurations.
Component: TMOS
Symptoms:
No virtual servers display on multi-page, multiple partition configurations.
Conditions:
This occurs in the GUI on the virtual server list when there is more than one page of virtual server results in partition A and only one page in partition B, when you show page 2 in partition A and then switch to partition B.
Impact:
The list will be empty even though there are virtual servers configured on the system.
Workaround:
Switch to the partition you want to view before navigating to the virtual servers list page.
562636 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
Component: Access Policy Manager
Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.
Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.
Impact:
A memory leak in the TMM.
Workaround:
None (when the triggering conditions are encountered).
Fix:
This release corrects the possible memory exhaustion issue in access end-user interface pages for transparent proxy/SWG cases.
562509 : Incorrect form action path may be used if it is changed inside 'onsubmit' event handler
Component: Access Policy Manager
Symptoms:
If an HTML form has an 'onsubmit' event handler that assigns an absolute path to the form action, then the non-rewritten path is used for the form submission.
Conditions:
HTML form with an 'onsubmit' event handler.
Impact:
The HTML form cannot be submitted.
Workaround:
Correction with an application-specific iRule is possible.
Fix:
Action path assignment inside an 'onsubmit' event handler is now handled correctly.
562257 : Route domain addresses can be selected when configuring device connectivity
Component: TMOS
Symptoms:
Route domain addresses can be selected when configuring device connectivity. Doing so produces an error.
Conditions:
Having self IP addresses with a route domain.
Impact:
This is a cosmetic issue. The system presents an error and does not use the IP address, even though the user can select it.
Workaround:
None.
Fix:
The system now displays only the IP addresses that may be used as a device address, that is, those IP addresses in the default route domain, so the user cannot select an incorrect one.
562122-4 : Adding a trunk might disable vCMP guest
Component: TMOS
Symptoms:
If a vCMP guest is running when a trunk is added, the guest might fail until vCMP is restarted.
Conditions:
-- vCMP guest running
-- Trunk added.
Impact:
Guest failure. vCMP restart required.
Workaround:
Restart vCMP.
Fix:
Adding a trunk no longer disables vCMP guests.
561892 : kerberos cache is not cleared when Administrator password is changed in AAA AD Server
Component: Access Policy Manager
Symptoms:
When the administrator's password is changed, the old ticket is still stored in the Kerberos cache, so AD Query fails.
Conditions:
The administrator's password is changed for the AAA AD Server.
Impact:
AD Query fails.
Workaround:
The BIG-IP administrator should remove the Kerberos cache files (krb5cc_0 and krb5cc_1) manually in /var/run/apmd/krb5cc/ and all subdirectories.
Fix:
apmd now destroys the Kerberos caches when the administrator's password is changed and the access policy is applied.
561841 : Floating IPv6 anycast address for HA results in intermittent communication loss
Component: Local Traffic Manager
Symptoms:
When a floating IPv6 anycast address is used in an HA configuration, neighbor solicitation responses may be sent by the standby box in the HA configuration. The MAC masquerade address is not used for responses.
Conditions:
Floating IPV6 anycast address is used and packets are first received by the standby box.
Impact:
Communication issues between an IPv6 host and the traffic group floating IP address.
Workaround:
Use a regular IPv6 address instead of an anycast address for floating addresses.
561500 : ICAP Parsing improvement
Component: Service Provider
Symptoms:
If a malformed ICAP message is sent to the BIG-IP, the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.
Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message is received from an ICAP server lacking "ICAP/1.0" as initial header line.
Impact:
Memory and CPU usage increase.
Eventually the TMM may crash, causing BIG-IP failover.
Fix:
ICAP parser checks for correct initial ICAP/1.0 header line and rejects message if missing.
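The fix above amounts to validating the ICAP start line before any header state is entered, and giving up rather than re-scanning when the data cannot be a valid head. The following added example is not BIG-IP's parser; it is a small defensive ICAP response-head parser that applies the same two rules: the first line must be an "ICAP/1.0 <status>" line, and the amount of data buffered while waiting for the end of the headers is bounded (MAX_HEADER_BYTES is an assumed limit chosen for this example). Sample messages in the usage are constructed.

```python
"""Defensive parser for the head of an ICAP response (RFC 3507).

Added example, not F5 code. Rejects a message whose first line is not an
ICAP/1.0 status line, and refuses to buffer without bound while looking for
the blank line that ends the headers.
"""
import re

# "ICAP/1.0 204 No Content" or "ICAP/1.0 200" (reason phrase optional).
ICAP_STATUS_LINE = re.compile(rb"^ICAP/1\.0 (\d{3})(?: [^\r\n]*)?$")
MAX_HEADER_BYTES = 8192  # assumed limit for this example


class IcapParseError(ValueError):
    """Raised for input the parser will never accept; the caller should
    drop the server connection instead of waiting for more bytes."""


def parse_icap_response_head(data: bytes):
    """Return (status_code, headers, body_offset), or None if more data is
    needed (and the buffered amount is still within the limit)."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        if len(data) > MAX_HEADER_BYTES:
            raise IcapParseError("header block exceeds limit without terminator")
        return None
    if end > MAX_HEADER_BYTES:
        raise IcapParseError("header block exceeds limit")

    lines = data[:end].split(b"\r\n")
    m = ICAP_STATUS_LINE.match(lines[0])
    if not m:
        # This is the check 561500 adds: anything else (an HTTP status line,
        # garbage, a body fragment) is rejected up front.
        raise IcapParseError("first line is not an ICAP/1.0 status line: %r" % lines[0][:40])
    status = int(m.group(1))

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise IcapParseError("malformed header line: %r" % line[:40])
        headers[name.strip().lower()] = value.strip()
    return status, headers, end + 4


def rejects(data: bytes) -> bool:
    """True if the parser refuses the input outright."""
    try:
        parse_icap_response_head(data)
    except IcapParseError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a well-formed RESPMOD reply followed by its body.
    good = (b"ICAP/1.0 200 OK\r\n"
            b"ISTag: \"W3E4R7U9-L2E4-2\"\r\n"
            b"Encapsulated: res-hdr=0, res-body=123\r\n\r\n"
            b"HTTP/1.1 200 OK\r\n")
    print(parse_icap_response_head(good))
    # Constructed sample: the failure mode from 561500, no ICAP/1.0 start line.
    print(rejects(b"HTTP/1.1 200 OK\r\n\r\n"))
```

Returning None only while the buffered data is under the limit is the second half of the defence: the parser either makes progress or fails, so there is no state in which it keeps accumulating and re-scanning input.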
561444 : LCD might display incorrect output.
Component: TMOS
Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.
Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.
Impact:
LCD may display incorrect data.
Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.
Fix:
The issue allowing garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) is now prevented from happening.
561348 : krb5.conf file is not synchronized between blades and not backed up
Component: Access Policy Manager
Symptoms:
The krb5.conf file is not in sync across all blades. This may cause a feature (Kerberos SSO / Kerberos Auth) not to work as expected.
Conditions:
When an administrator makes changes to the krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.
Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.
Workaround:
None.
Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file on either the Active or the Standby device is automatically synced to the other device.
In a chassis, all Secondary blades mirror the file on the Primary blade. Any manual change made on the Secondary blade(s) will be lost. The admin has to make the changes on the Primary blade only, and they are synchronized to all other blades.
Behavior Change:
When admin modifies /etc/krb5.conf file, the changes are automatically updated on other devices in the same Failover Device group.
When admin modifies the /etc/krb5.conf file on the primary blade of the chassis, the changes are automatically updated on all secondary blades.
560871 : TMM crash when deleting several thousands of address-list objects with address-list references on VE using the command 'tmsh delete security firewall address-list all'.
Component: Advanced Firewall Manager
Symptoms:
TMM crash when deleting several thousands of address-list objects with address-list references on VE using the command 'tmsh delete security firewall address-list all'.
Conditions:
1. This happens when there are a lot of address-lists to be deleted (3000 or more).
2. All the address lists need to be deleted in one shot using the command 'tmsh delete security firewall address-list all'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Delete the address-lists in batches.
560601 : HTML5 File API and MediaSource URLs are blocked in Portal Access
Component: Access Policy Manager
Symptoms:
The web application does not work, and a message similar to the following is logged to the developer tools console in the browser:
"Refused to load media from 'blob:https://...' because it violates the following Content Security Policy directive: ..."
Conditions:
This occurs on web applications that use the HTML5 File API.
Impact:
Applications with usage of HTML5 File API could stop working when accessed via APM Portal Access.
Workaround:
when HTTP_RESPONSE_RELEASE {
    # Only touch responses that actually carry a CSP header.
    if { [HTTP::header exists Content-Security-Policy] } {
        # Append the object-URL schemes wherever the policy already lists "data:".
        # Note: string map only rewrites existing occurrences, so a policy that
        # does not contain "data:" is left unchanged by this workaround.
        HTTP::header replace Content-Security-Policy \
            [string map {"data:" "data: blob: mediasource: mediastream:"} [HTTP::header Content-Security-Policy]]
    }
}
Fix:
blob: and mediasource: URL schemes are now allowed on pages accessed through APM Portal Access.
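The workaround iRule in this entry does a flat text substitution on the CSP header and therefore does nothing when the policy lists no "data:" source. As an added example (not F5's iRule or code), the following Python function does the same job by directive: it parses the policy, adds the blob:, mediasource: and mediastream: schemes to the directive that governs the failing fetch (media-src for the "Refused to load media" symptom above; the directive name is a parameter), and, where that directive is absent and the fetch would fall back to default-src, creates an explicit copy so that only media fetches are widened. The handling of a bare 'none' source and the fallback to default-src follow the CSP specification's rules; the sample headers are constructed.

```python
"""Add object-URL schemes to a Content-Security-Policy header by directive.

Added example, not BIG-IP code. A CSP header is "directive sources; ..."
(CSP Level 2). Fetch directives that are absent fall back to default-src,
and a source list consisting of 'none' must be replaced, not extended.
"""
EXTRA_SOURCES = ("blob:", "mediasource:", "mediastream:")


def parse_csp(header: str):
    """Split a CSP header into an ordered list of (directive, [sources])."""
    directives = []
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def serialize_csp(directives) -> str:
    return "; ".join(" ".join([name] + sources) for name, sources in directives)


def allow_object_urls(header: str, directive: str = "media-src") -> str:
    """Return the header with EXTRA_SOURCES permitted under `directive`.

    - directive present: extend its source list in place
    - directive absent, default-src present: add an explicit `directive`
      copied from default-src (the fallback the browser would have used)
      plus the extra sources, so other fetch types are not widened
    - neither present: the policy does not restrict this fetch; return as-is
    """
    directives = parse_csp(header)
    by_name = dict(directives)  # values are the same list objects as in `directives`
    if directive in by_name:
        sources = by_name[directive]
    elif "default-src" in by_name:
        sources = list(by_name["default-src"])
        directives.append((directive, sources))
    else:
        return header

    # 'none' cannot be combined with other sources; it has to be dropped.
    if any(s.lower() == "'none'" for s in sources):
        sources.clear()
    for extra in EXTRA_SOURCES:
        if extra not in sources:
            sources.append(extra)
    return serialize_csp(directives)


if __name__ == "__main__":
    # Constructed sample policies.
    for policy in ("default-src 'self'; media-src 'self' data:",
                   "default-src 'self'",
                   "script-src 'self'",
                   "media-src 'none'"):
        print(repr(policy), "->", repr(allow_object_urls(policy)))
```

The second sample is the case the page's iRule misses: a policy of only "default-src 'self'" blocks blob: media in the browser yet contains no "data:" token for the string map to rewrite.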
560471 : Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
Component: Local Traffic Manager
Symptoms:
Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down.
Conditions:
Changing the monitor configuration of a pool. For example:
tmsh modify ltm pool http-pool monitor http and tcp
tmsh modify ltm pool http-pool monitor min 1 of { http tcp }
Impact:
Virtual server may be incorrectly marked down, when it should not be.
Fix:
Changing the monitor configuration of a pool no longer causes the virtual server to be marked as down.
560114 : Monpd is being affected by an I/O issue which makes some of its threads freeze
Component: Application Visibility and Reporting
Symptoms:
When Monpd is restarted, it starts printing a non-stop error message to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature:
err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T
Conditions:
A system I/O issue (maybe caused by /var/log being full).
Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.
Workaround:
Run the following:
find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd
560109 : Client capabilities failure
Component: TMOS
Symptoms:
In some cases client capabilities detection may fail, crashing TMM.
Conditions:
AVR and/or AAM provisioned and configured
Impact:
Traffic disrupted while TMM restarts
Workaround:
N/A
Fix:
Processing of client capabilities has been improved.
559855 : Device rename on standalone device will cause it to momentarily go offline
Component: TMOS
Symptoms:
If the DSC sync device object is renamed on a standalone configuration, the system posts a log message indicating that the device is going momentarily offline for traffic-group-1. That message looks like this:
-- notice sod[...]: 010c0056:5: Deactivating traffic group /Common/traffic-group-1.
-- notice sod[...]: 010c0057:5: Activating traffic group /Common/traffic-group-1.
-- notice sod[...]: 010c0054:5: Offline for traffic group /Common/traffic-group-1.
-- notice sod[...]: 010c006d:5: Leaving Offline for Active for dbvar not redundant.
-- notice sod[...]: 010c0053:5: Active for traffic group /Common/traffic-group-1.
This action is illegal if the device is part of a device trust group. On standalone configurations, setting the hostname through the GUI also implicitly renames the self device.
Conditions:
This happens only when the device is not in trust with any other devices. There is no impact unless it occurs on a vCMP hypervisor.
Impact:
If this happens on a vCMP hypervisor, then guests on that chassis may momentarily go offline due to an HA table entry tripping:
warning chmand[...]: 012a0004:4: hypervisor_offline take action is set
warning sod[...]: 01140029:4: HA hypervisor_offline_t chmand fails action is go offline.
On devices that are not vCMP hypervisors, there is no impact to traffic. sod going offline for a traffic group does not stop traffic when the device is configured as standalone. The GUI shows this behavior only when the device is configured as standalone.
Workaround:
There is no workaround for renaming the self device. The hostname can be changed using tmsh ('modify sys global-settings hostname new-hostname.com'), which unlike the GUI does not rename the self device.
559837 : Misleading error message in catalina.out when listing certificates.
Component: TMOS
Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.
java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].
Conditions:
This occurs when listing certificates, and exceptions are returned.
Impact:
1. Table creation throws exceptions when the randomly generated table name contains an invalid character ('-').
2. Misleading 'Table not found' message in catalina.out.
Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.
Fix:
Errors occur when listing certificates that contain invalid characters from the randomly generated table names, so the GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation.
559819 : DNS queries with OPT have no OPT in response for RFC 6891 compliance.
Component: Local Traffic Manager
Symptoms:
BIG-IP DNS does not include an OPT record in responses to received requests that contain OPT records.
Conditions:
This occurs when the following condition is met:
-- The query includes OPT.
Impact:
A resolver, not seeing an OPT, might interpret this as a lack of support and might send duplicate TCP requests.
Workaround:
None.
Fix:
DNS queries with OPT now have OPT in response for RFC 6891 compliance. This fix also corrects other commonly found compliance issues with regard to EDNS handling as specified in clarifying RFC 6891.
559402 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form
Component: Access Policy Manager
Symptoms:
Client initiated form based SSO fails when the username and password are not replaced correctly in the POST request. The reason for this is that client initiated form based SSO and the browser urlencode special characters in the username/password differently, and the case-sensitive comparison fails to find a match between the two urlencoded values. So the SSO module adds the username and password to the token again. This results in the password attribute/value pair appearing twice, with both the f5-sso-token and the real password, and so it fails.
Conditions:
When the password contains special characters like [ or ].
Impact:
SSO fails because the password attribute/value pair appears twice in the token, with both the f5-sso-token and the real password.
Workaround:
No workaround
Fix:
Not fixed yet.
559334-2 : Network Access fails on Windows platform
Component: Access Policy Manager
Symptoms:
Network Access fails on Windows platform when a Java AppTunnel resource has been assigned in Access Policy.
Conditions:
Windows clients connecting through Network Access VPN, and Java AppTunnel configured with local-ip setting
Impact:
Network Access fails on Windows platform, with the error message "Internal Error".
Fix:
Network Access works as expected on Windows platform even when a Java AppTunnel resource has been assigned.
559110 : Luna FIPS request errors are logged as the same generic error.
Component: Local Traffic Manager
Symptoms:
Whenever the Luna FIPS card firmware returns any error resulting from an asynchronous request, it sets the status to ERR_HSM_ERROR (0x40000116) and the FIPS driver logs the error. This behavior hides the true fault as there is no indication of the actual error.
Conditions:
This occurs whenever an error is returned as the result of an asynchronous FIPS request to the Luna FIPS device.
Impact:
The actual error reported by the Luna FIPS device firmware is never logged, preventing analysis of FIPS issues on Luna equipped platforms.
Workaround:
None.
Fix:
Fixed FIPS module for Luna device to report HSM error when request completion status is ERR_HSM_ERROR and log non-fatal FIPS errors at warning level.
559030 : TMM may core during ILX RPC activity if a connflow closes before the RPC returns
Component: Local Traffic Manager
Symptoms:
TMM core with plugin context refcount error.
Conditions:
Using ILX RPC calls. Most likely to occur when using a low end box or virtual.
Impact:
Traffic disrupted while tmm restarts.
558870 : Protected workspace does not work correctly with third party products
Component: Access Policy Manager
Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines.
2) Microsoft OneDrive does not work correctly inside protected workspace.
Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.
Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.
Workaround:
There is no workaround.
Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.
558283 : Show template javascript on Client initiated SSO v2
Component: Access Policy Manager
Symptoms:
On selection of Javascript injection with Custom, the template is blank.
Conditions:
With SSO - Forms client initiated, Selection of Injection method is Custom.
Impact:
On selection of Javascript injection with Custom, the template is blank, increasing the chance of creating errors with the custom Javascript.
Workaround:
To work around this issue:
1. Get the tcp dump of traffic.
2. From the dump, inspect the javascript used to submit the request.
3. Use it as the Custom script.
Fix:
The default template JavaScript is now shown when the user chooses Javascript Injection - Custom, and the template is no longer blank.
558237 : No Audit logging on 'Clear Performance Data' from statistics page in GUI.
Component: TMOS
Symptoms:
There is no Audit logging on 'Clear Performance Data' from statistics page in GUI.
Conditions:
Clearing statistics in the GUI.
Impact:
Users can clear the performance data without leaving any trace.
Workaround:
None.
Fix:
Logging is now provided in /var/log/webui.log when a user clicks 'Clear Performance Data' from statistics page in GUI.
558053-1 : Pool's 'active_member_cnt' attribute may not be updated as expected.
Component: Local Traffic Manager
Symptoms:
If a pool has no associated monitors, new pool members added to the pool do not increment the active_member_cnt even if traffic will be passed to it. In other cases, for FQDN pool members, the active_member_cnt does not update in user-down scenarios, or other state transitions.
Conditions:
1) Configure a pool without a monitor, and make use of an iRule that attempts to use the 'active_member_cnt' attribute.
2) Configure a pool with FQDN nodes and change the state to user-down, and check the active_member_cnt via an iRule or GUIshell.
Impact:
Although this does not impact load balancing and is not visible in the GUI or tmsh, it is exposed as a consumable attribute in iRules, which can impact your scripts.
Workaround:
member_count returns total members with no status information.
Fix:
Pool's 'active_member_cnt' attribute is now updated as expected, even for pools that have no assigned monitors.
557680 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
The issue occurs when the IPsec tunnel interface attributes have their configuration modified quickly and repeatedly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
557471 : LTM Policy statistics showing zeros in GUI
Component: TMOS
Symptoms:
Statistics for LTM Policies, i.e. the total count of policy action invocations and number of successful policy action invocations, are not being updated in the GUI. The GUI shows zeros for both of these stats for every LTM Policy.
Conditions:
Occurs under all conditions.
Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.
Workaround:
Accurate stats can be obtained from the command line using tmsh.
Stats for all policies can be obtained with the following command:
# tmsh show ltm policy
Stats for a specific policy can be obtained by specifying the policy name:
# tmsh show ltm policy <policy-name>
Fix:
LTM Policy statistics now shows the correct values in the GUI.
557434 : After setting a Last Resort Pool on a Wide IP, cannot reset back to None
Component: Global Traffic Manager (DNS)
Symptoms:
After configuring a wide IP with a Last Resort Pool set to something other than None, you can no longer change the Last Resort Pool back to None.
Conditions:
Last Resort Pool is set to something other than None.
Impact:
There is no None option in TMSH or GUI.
Workaround:
Setting the Pool Name to an empty string via tmsh will set it to None.
For example:
modify gtm wideip a wip.f5.com last-resort-pool a
Fix:
None options added to tmsh and GUI.
557411 : Full Webtop resources appear overlapping in IE11 compatibility mode
Component: Access Policy Manager
Symptoms:
Full Webtop resources appear overlapping each other in MSIE 11 in compatibility mode.
Conditions:
MSIE 11, compatibility mode. Full Webtop in use.
Impact:
Everything is working but the icons overlap.
Workaround:
1. Modify the advanced customization of apm.css:
#webtop_favorites_inner_container span.favorite span.caption{
...
<? if( $_GET['ctype'] == 'IE' && $_GET['cversion'] < 9){ ?>
zoom: 1;
<? }elseif( $_GET['ctype'] == 'IE' && $_GET['cversion'] == 11){ ?>
zoom: 0;
<? } ?>
}
2. Alternatively, use an iRule that changes apm.css to:
#webtop_favorites_inner_container SPAN.favorite SPAN.caption {
...
zoom: 1; /* <--- set 0 if MSIE 11 is in compatibility mode */
}
Fix:
Full Webtop resources no longer overlap in MSIE 11 compatibility mode.
557358 : TMM SIGSEGV and crash when memory allocation fails.
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV and crash when memory allocation fails.
Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.
Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.
Workaround:
None known at this time.
Fix:
TMM SIGSEGV and crash no longer occur when memory allocation fails due to a command attempting to remove the connection from the SSL queue a second time.
556740 : Kernel vulnerability CVE-2015-7613
Vulnerability Solution Article: K90230486
556092 : Password copying in Variable Assign Agent may fail if user decides not to change password
Component: Access Policy Manager
Symptoms:
Copying password using "mcget -secure" command in Variable Assignment agent will fail if user decides not to change password when prompted.
Conditions:
The problem happens with these three conditions:
1. AD Query Agent is configured with "Prompt user to change password before expiration"; AND
2. User's password is about to expire and is prompted to change password by AD Query Agent; AND
3. User has chosen not to change password.
Impact:
New session variable will not be created by the Variable Assign Agent.
Workaround:
Move the Variable Assign Agent before the AD Query Agent.
Fix:
After the fix, the password is always stored as the secure session variable session.logon.last.password in encrypted form.
555380 : "Data publisher not found or not implemented" messages in ltm log when running qkview
Component: TMOS
Symptoms:
When running a qkview, there are various "Data publisher not found or not implemented" messages in /var/log/ltm. This is benign and these messages can be safely ignored. The items are related to psu, cooling and chassis info.
Conditions:
Always present since the query is always made for these items that aren't available.
Impact:
Anybody monitoring /var/log/ltm may be concerned on seeing these messages during a qkview, although they have no discernible impact on the system.
Workaround:
Ignore the messages as they are not caused by anything wrong in the system.
Fix:
Removed the items from qkview, thus eliminating the messages. One message still remains when there are multiple blades in a chassis, caused by "show sys memory" on the individual blade. A separate bug has been filed for this (bug 567330).
555272 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★
Component: Access Policy Manager
Symptoms:
Previously, F5 client components were signed using a SHA1 certificate. SHA1 is now considered insecure, and Windows will reject components signed using a SHA1 certificate after March 31st 2016.
To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.
The result of this change is that clients utilizing client components built prior to these versions:
Big-IP 12.0.0HF1 or earlier
Big-IP 11.6.0 HF6 or earlier
Big-IP 11.5.4 (base release) or earlier
cannot install Endpoint Security update builds 431 or greater.
If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to these versions:
Big-IP 12.1.0 or later
Big-IP 12.0.0HF2 or later
Big-IP 11.6.1 or later
Big-IP 11.6.0 HF7
Big-IP 11.5.4 HF1 or later
Conditions:
Running incompatible BIG-IP version with EPSEC build 431 or later.
Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.
Workaround:
Upgrade BIG-IP to the correct version.
Use the BIG-IP Web GUI's Software Management :: Antivirus Check Updates section to install an EPSEC build prior to 431.
Fix:
Updated the signing certificate to a SHA256 certificate. Client components and EPSEC binaries are now signed using the new, higher security certificate. Please note that an upgrade to an HF in which the client is signed using the updated certificate is needed to install updated EPSEC releases. Please review the information carefully.
555102 : Disk Serial number reported with incorrect formatting
Component: Access Policy Manager
Symptoms:
Depending on the operating system, and on whether the user is a normal user or an admin user, the serial number for the hard disk may be reported in an incorrect format.
Conditions:
Customer is recording HDD.sn
User changes between admin user and non-admin user
Impact:
SN may be reported byte swapped
Workaround:
Only record hdd.sn from one type of user (Admin/non-Admin)
554761-8 : Unexpected handling of TCP timestamps under syncookie protection.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system experiences intermittent packet drops.
Despite the option being negotiated during the TCP handshake, the BIG-IP system fails to present the timestamp option in subsequent segments.
The BIG-IP system calculates invalid round trip time immediately after handshake, which might result in delayed retransmissions.
Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- The syncookie mode has been activated.
- Clients that support timestamps.
Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.
Workaround:
Choose or create a TCP profile that has timestamps disabled.
Fix:
TCP Timestamps are now maintained on all negotiated flows.
554713-1 : Deployment failed: Failed submitting iControl REST transaction
Component: TMOS
Symptoms:
When deploying an access control policy to a sync group, you notice the following error: Deployment failed:
Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address
Conditions:
This can happen on policy sync with a large number of ACLs.
Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.
Workaround:
None.
Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages once took an unexpectedly long time to render, which has been fixed.
553795 : Differing certificate/key after successful config-sync
Component: TMOS
Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.
2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.
Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.
2) High Availability failover systems configured with Manual Sync.
Impact:
1) An abandoned FIPS key is left behind.
2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.
Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Delete the FIPS key by-handle on the peer system(s).
2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).
Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.
553063 : Epsec version rolls back to previous version on a reboot
Component: Access Policy Manager
Symptoms:
If administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.
Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.
Impact:
OPSWAT version rolls back without prompting or logging. This might open up the end-point security issues that are supposed to be fixed by the latest installed OPSWAT package.
Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.
After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.
Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.
551803 : [Portal Access] Links targeting new window must not be rewritten as script
Component: Access Policy Manager
Symptoms:
Code for dynamic <base> handling tries to rewrite absolute-path references as a 'javascript:location=...'. This does not work for links with target='_blank', or other ways to open link in a new document.
Conditions:
A Ref link with target not rewritten correctly.
Impact:
Can end up with broken links.
Workaround:
iRule workaround specific to the backend web application available upon request.
Fix:
Links with a target attribute are now correctly rewritten.
551795 : Portal Access: corrections to CORS support for XMLHttpRequest
Component: Access Policy Manager
Symptoms:
XMLHttpRequest to external domain should fail if the server does not include 'Access-Control-Allow-Origin' header into response. Current implementation of CORS support in Portal Access does not enforce this failure.
If XMLHttpRequest to same-origin resource is redirected to external one, it has to be treated as cross-domain request. Current implementation of CORS support in Portal Access does not handle this case correctly.
Conditions:
XMLHttpRequest to external domain via Portal Access succeeds even when the server response does not include 'Access-Control-Allow-Origin' header.
XMLHttpRequest to same-origin resource succeeds via Portal Access in spite of response redirection.
Impact:
Web application may work incorrectly; some data access restrictions may not work.
Fix:
Now Portal Access supports CORS in case of response redirection for XMLHttpRequest.
CORS support enforces error in the case when 'Access-Control-Allow-Origin' header is absent in server response.
551349-2 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
Component: TMOS
Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.
Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install 10.2.4 ucs)
Impact:
Monitors appear to function normally, but they will have the wrong format in the config file.
Workaround:
None.
Fix:
Determine if non-explicit (*) address is ipv4 or ipv6 based on next character to be parsed.
551225 : SAML IdP requests may fail when Sharepoint is opened through Portal Access in the same browser
Component: Access Policy Manager
Symptoms:
SAML IdP resources can't be opened from webtop if there is a Sharepoint resource window opened from the same webtop.
An attempt to open SAML IdP resource could result in 404 or connection reset.
This was happening because Portal Access code processed special cookie for Sharepoint before checking if the request is internal for APM.
Conditions:
This exists when a SAML IdP resource exists on a full webtop and a user attempts to connect to a SharePoint Portal Access resource.
Impact:
SAML resources can't be accessed from webtop.
Workaround:
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/saml" } {
HTTP::cookie remove "MRHSHint"
}
}
Fix:
Addressed an issue where SAML IdP requests were failing because of the special Sharepoint handling code in Portal Access.
551208 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.
Component: Local Traffic Manager
Symptoms:
Some of the log messages watched by alertd changed from BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.
Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435
Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.
Workaround:
None.
Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.
550161 : Networking devices might block a packet that has a TTL value higher than 230.
Component: Local Traffic Manager
Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.
Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).
Impact:
No access to the resources.
Workaround:
None.
Fix:
The TTL value can now be changed from the hardcoded value of 255. This accommodates networking devices that block packets whose TTL value is higher than 230.
549996 : VPN connection cannot be established from browser on MAC in some cases
Component: Access Policy Manager
Symptoms:
VPN connection cannot be established from the browser on MAC if the network access settings have a huge number of split tunneling entries.
Conditions:
-VPN is launched from the browser
-Network access configuration is huge (around 200 split tunneling entries)
Impact:
User cannot launch VPN from browser
Workaround:
1) Use Edge client
or
2) reduce the size of network access configuration
Fix:
Now VPN can be established from browser even if Network Access configuration is big.
549593 : postgres database configuration details are now captured by qkview
Component: TMOS
Symptoms:
The postgres database service provided on BIG-IP devices is largely ignored by the qkview diagnostic collection utility.
Conditions:
Using qkview.
Impact:
No postgres database configuration details are collected.
Workaround:
None needed. This is cosmetic.
Fix:
Qkview now collects the new postgres items every time it executes. Qkview will now collect the following items:
The files:
/var/local/pgsql/postgresql.conf
/var/local/pgsql/pg_hba.conf
/var/local/pgsql/PG_VERSION
A directory listing of:
/var/local/pgsql/data
and execute the following command:
/usr/bin/pg_dump -h localhost -U postgres
549329 : L7 mirrored ACK from standby to active box can cause tmm core on active
Component: Local Traffic Manager
Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.
Conditions:
HA active-standby pair setup for L7 packet mirroring.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
548295 : PCRE library vulnerability CVE-2015-5073
Vulnerability Solution Article: K17331
548105 : PCP and inbound-entry iRules command does not work with under-provisioned PBA LSN pool
Component: Carrier-Grade NAT
Symptoms:
When a PBA LSN pool is under-provisioned, the LSN::inbound-entry iRule command will not work. PCP will also not work with an under-provisioned PBA LSN pool.
Conditions:
Occurs when PCP or the iRules LSN::inbound-entry command is enabled on a PBA LSN pool that does not have many translation addresses.
Impact:
PCP or the LSN::inbound-entry iRule may not work. This would result in failing connections.
Workaround:
None.
547479 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
Component: TMOS
Symptoms:
TMM crashes with a subkey that has master_record field set to true.
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
547332 : Portal access should send request url with "/" in path to backend
Component: Access Policy Manager
Symptoms:
Backend server responds with HTTP/1.1 400 Bad Request if target URI has empty path component.
Conditions:
Target URI has empty path component
Impact:
Backend server responds with HTTP/1.1 400 Bad Request
Workaround:
when HTTP_REQUEST {
# Bug547332: [Portal Access] Send "/" in place of empty path in request URLs to backend
if { [HTTP::path] contains "/2.0.0/link/" } {
set bug547332 1
} elseif { [info exists bug547332] } {
unset bug547332
}
}
when HTTP_RESPONSE {
if { [info exists bug547332] && \
[HTTP::header exists Location] } {
unset bug547332
HTTP::header replace Location [string map {
{.com?} {.com/?}
} [HTTP::header Location] ]
}
}
Fix:
Portal Access now sends the request URL with "/" in the path to the backend.
547053 : Bad actor quarantining
Component: Anomaly Detection Services
Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue
Conditions:
This is a timing issue related to having an unusually high number of bad actors at the same time.
Impact:
Traffic can be removed from quarantine and passed to the web server
Fix:
An issue was fixed related to bad actor quarantining
546940 : Per VLAN/tmm based hardware SYN-cookie enhancement is a hardware-only feature
Component: TMOS
Symptoms:
The new feature of Per VLAN/TMM based HW SYN-Cookie enhancement to protect BIG-IP device and network is a hardware-only feature. It can only be turned on with hardware platforms that are installed with the supported FPGA firmware bitstreams, namely, BIG-IP 2000/4000/5000 family (v1.11.20.0+), VIPRION B2250 (v2.5.5.0+), and VIPRION B4450 (all), and BIG-IP i5000/i7000/i10000 family (all). For the hardware platforms without the firmware support, there will be no fall-back mechanism to turn on the feature in software only.
Conditions:
Configure the per VLAN/tmm hardware SYN-cookie feature
Impact:
The feature is unavailable on platforms with no firmware support.
546823 : PCCD Firewall compilation takes a long time
Component: Advanced Firewall Manager
Symptoms:
PCCD Firewall compilation can take several minutes to complete if your config contains a lot of firewall contexts, even if they are relatively small (with very few rules per context, e.g., 5 or fewer rules per context).
Conditions:
1. Your configuration contains a lot of firewall contexts (e.g., 1500 or more virtual servers with enforced policies configured.)
2. Very few rules per context, e.g., 5 or fewer rules per context.
Impact:
Compiling the firewall policies might take several minutes.
Workaround:
None.
Fix:
Performance for compiling firewall policies containing a lot of firewall contexts has been restored.
546489 : VMware View USB redirection stops working after client reconnect
Component: Access Policy Manager
Symptoms:
VMware View USB redirection stops working
Conditions:
VMware View client reconnects due to network interruptions
Impact:
VMware View USB redirection stops working
Fix:
VMware View USB redirection works after client reconnect
546145 : Creating local user for previously remote user results in incomplete user definition.
Component: TMOS
Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.
Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.
Impact:
User cannot authenticate. User name does not appear in User List.
Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.
545946 : Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load★
Component: TMOS
Symptoms:
Transparent/translucent Vlangroup may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd db clear/reload.
Conditions:
Transparent/Translucent vlangroup configured.
Upgrade to later version (11.3.0 through 12.1.0) or manually delete mcpd DB binary.
Impact:
Vlangroup MAC address is incorrect and can adversely affect traffic traversing the vlangroup.
Workaround:
Reload the configuration or alter the vlangroup configuration, e.g., set it back and forth between transparency modes.
Fix:
Vlangroups now correctly establish MAC addresses on first configuration load.
545810-4 : ASSERT in CSP in packet_reuse
Component: Local Traffic Manager
Symptoms:
Causes TMM to crash
Conditions:
This crash will happen on LTM virtuals that meet the following two configuration criteria:
- the virtual is configured with fasthttp profile.
- the virtual's enabled VLAN is mapped to the _loopback interface.
Impact:
Crash and restart of TMM
Workaround:
None
Fix:
Fixed the logic in determining if we are an L7 loopback connection. This way CSP receives only packets that it owns and can be re-used
545796 : [iRule] [Stats] iRule is not generating any stats for executed iRules.
Component: Local Traffic Manager
Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.
Conditions:
This occurs when the following steps are taken:
1. Move/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.
Impact:
No iRule usage stats available.
Workaround:
None.
Fix:
iRule now generates stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.
545718 : CVE-2015-5352 : OpenSSH Vulnerability
Vulnerability Solution Article: K17461
545450 : Log activation/deactivation of TM.TCPMemoryPressure
Component: Local Traffic Manager
Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.
Conditions:
TM.TCPMemoryPressure set to "enable".
Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.
Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.
544148 : document.parentWindow value should be preserved
Component: Access Policy Manager
Symptoms:
Web application malfunction.
Conditions:
A non-IE web application makes some decision by checking the document.parentWindow value.
Impact:
Web application malfunction.
Workaround:
Custom iRule can be used as workaround
Fix:
The issue is fixed.
544033 : Fragmented ICMP Echo to Virtual Address may not receive response
Component: Local Traffic Manager
Symptoms:
In a very specific scenario, a response to an IPv4 ICMP Echo to a Virtual address may not reach back to the originator.
Conditions:
- Client network MTU is lower than the BIG-IP system's ingress VLAN's MTU.
- Client ICMP Echo is larger than Client's MTU and fragmented.
Impact:
Response is not received at client.
Workaround:
In certain version 11.x/12.x environments, it may be acceptable to disable Path MTU discovery.
If it is, the issue can be worked around by disabling the following DB key:
tmsh modify sys db tm.pathmtudiscovery value disable
Note that this workaround is not possible in BIG-IP software versions 10.x; 10.x has no workaround.
Fix:
The client now correctly receives the ICMP echo response from the virtual address when the echo request has been fragmented.
543994 : Expose pre_established_connections in tmm.tcp and tmm.tcp4
Component: Local Traffic Manager
Symptoms:
The pre_established_connections profile setting is used to ensure the BIG-IP system does not respond to the client's SYN with a SYN-ACK until it receives a SYN-ACK from the server, indicating that the port is open (default value is false). However, these statistics are not visible in tmstat.
Conditions:
Profiles with pre_established_connections set to true
Impact:
Unable to see the statistics, network troubleshooting difficulty.
Fix:
pre_established_connections is exposed in tmm.tcp and tmm.tcp4 as pe_connects. This value is the current number of opened but not fully established connections when using either the Verified Accept or Fast Open TCP options.
543344 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
When a BIG-IP system is configured as an explicit HTTP proxy, ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST. The issue occurs because the ACCESS iRule looks up the associated session ID from the connection itself in one of two ways: either the session ID is embedded in the request, or the connection has previously been processed by ACCESS. When neither condition is satisfied, the ACCESS iRule cannot find the associated session ID.
Conditions:
ACCESS iRule commands such as ACCESS::session data get/set or ACCESS::session exists are used, the session ID is not provided by the caller, and the caller expects the session ID to be resolved internally.
Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, they are processed as if the caller had provided an empty session ID in their arguments. As a result, ACCESS iRule commands return an empty result.
Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.
Fix:
Fixed to allow ACCESS iRule commands in events such as HTTP_PROXY_REQUEST, where previously there was not enough data for them to execute.
Note that this fix is only for IP based sessions where the access policy is NOT evaluated via iRule, but in the usual method (attached to virtual). A separate bug has been created to address the issue for NTLM based sessions and sessions where "ACCESS::policy evaluate" has been used.
542817 : Specific numbers that are not credit card numbers are being masked as such
Component: Application Security Manager
Symptoms:
ASM blocks or masks when a specific credit card number range with specific length appears in the response.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask, and the responses contain credit card numbers in specific ranges.
Impact:
The traffic passes masked or blocked to the end client.
Workaround:
A partial workaround is to turn off the Data Guard feature; then none of the credit card numbers will be masked or blocked.
Fix:
The system now correctly masks and/or blocks only relevant credit card numbers; specifically, it no longer masks numbers that start with a specific digit and fall within a certain length range.
541549 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
Component: TMOS
Symptoms:
The default setting of an AMI is not to delete an attached volume of an instance when the instance is terminated. This requires extra effort to delete the volume manually after terminating the instance. If this is not always done, the orphaned volume incurs extra charges.
Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.
Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This is now the default. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in the AWS console.
Workaround:
None.
Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.
Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.
541363-1 : Component installation appears hung if wrong password is entered
Component: Access Policy Manager
Symptoms:
While establishing Network Access with APM, APM might require an admin password to install the components responsible for establishing Network Access. Installation appears hung if a wrong "sudo" or "root" password is entered on this screen.
Conditions:
Network Access, Linux OS, Firefox browser client.
Impact:
Bad user experience.
Workaround:
Once the wrong password has been entered, restart the browser, re-establish the connection with the BIG-IP system, and enter the correct password.
541156 : Network Access clients experience delays when resolving a host
Component: Access Policy Manager
Symptoms:
The DNS Relay proxy for Network Access clients operating in split-tunnel mode intercepts a client's DNS request for a non-matching host and will forward it to the client's local DNS server. If the client contains multiple NICs, one containing a down or invalid DNS server, this could cause a delay in resolving the host.
Conditions:
Network Access with the DNS Relay Proxy configured
A client machine has multiple NICs
One of the NICs has an invalid or down DNS server configured
Client attempts to resolve a host not matching the Network Access policy
Impact:
Clients will experience unusual delays (10+ seconds) when resolving hosts.
Workaround:
Clients can check their system setup and remove the affected interfaces that contain an invalid DNS server (virtual machine network adapters are becoming increasingly common and can exhibit this), or they can ensure that they are mapped only to valid DNS servers that can resolve the host.
Fix:
The DNS Relay proxy will now avoid sending DNS requests to down DNS servers for DNS requests that do not match the Network Access policy while Network Access is connected.
540928 : Memory leak due to unnecessary logging profile configuration updates.
Component: Application Security Manager
Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long-lived process.
Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)
Impact:
Memory consumption by ASM control plane daemons increases.
Workaround:
Restart ASM, which will cause a failover and downtime.
OR just kill asm_config_server with:
-----------------------
pkill -f asm_config_server
-----------------------
The process is restarted by the ASM process watchdog in about 15 seconds and should cause neither failover nor downtime.
Fix:
An async worker lifecycle was introduced, so long-lived processes now dispatch a fixed number of calls to their workers before retiring them.
540872 : Config sync fails after creating a partition.
Component: TMOS
Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:
Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist
Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.
This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.
Impact:
A transaction will fail or incremental sync on APM will fail on a peer.
Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.
For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.
540568 : TMM core due to SIGSEGV
Component: Local Traffic Manager
Symptoms:
TMM may core due to a SIGSEGV.
Conditions:
Occurs rarely. Specific conditions unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed an intermittent tmm core related to Bug 540571.
539093 : VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
Component: TMOS
Symptoms:
Virtual Edition (VE) deployed with 1 CPU only shows INOPERATIVE status until at least one VLAN is both configured and attached to an interface.
Conditions:
Install the BIG-IP Virtual Edition software on a VM with 1 CPU (1 CPU/2048 MB RAM option available in OVA) and license, but do not create any VLANs (or create VLANs, but do not attach them to an interface).
Impact:
In the CLI, device remains in INOPERATIVE state, but shows ACTIVE in the GUI. This might cause unneeded delay trying to rectify what appears to be a license issue when there is none.
Workaround:
To work around this, configure at least one VLAN and attach it to an interface.
538770 : Save Password checkbox setting is not remembered on Mac Edge Client.
Component: Access Policy Manager
Symptoms:
Save Password checkbox setting is not remembered on Mac Edge Client.
Conditions:
Mac Edge Client is used, and the Save Password checkbox is unchecked.
Impact:
Checkbox reverts to checked, so users must uncheck the box every time they don't want to save the password.
Workaround:
None.
Fix:
The Mac Edge Client now remembers the previous "Save Password" checkbox setting.
538672 : BIG-IP utilizes version of jQuery vulnerable to CVE-2011-4969
Vulnerability Solution Article: K16967
537553 : tmm might crash after modifying virtual server SSL profiles in SNI configuration under load
Component: Local Traffic Manager
Symptoms:
Making configuration changes to SSL profiles for the virtual server configured for SSL SNI might crash tmm under load.
The BIG-IP system may generate an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: Assertion "valid type" failed.
Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. The BIG-IP system is under traffic load.
3. A change is made to any of the SSL profiles configured on the virtual server, or SSL profiles are added or removed from the virtual server profile list.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
SSL profile configuration changes now complete successfully.
536563 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
Component: Local Traffic Manager
Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.
Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.
Impact:
Unexpected RSTs (Clientside).
Workaround:
None.
536475 : As more virtual addresses are added to the BIG-IP running in AWS, the network failover time increases.
Component: TMOS
Symptoms:
As more virtual addresses are added to the BIG-IP running in AWS, the network failover time increases.
Conditions:
Same region failover in AWS.
Impact:
Network failover time degrades as the number of virtual addresses increases.
Workaround:
None.
Fix:
Failover time for BIG-IPs that have multiple virtual addresses on the same interface has been improved. Failover time mostly depends now on the number of the interfaces with floating objects (and only slightly depends on the number of floating objects). This significantly improves the failover duration for configurations which were previously showing the longest duration.
535780 : Microsoft Edge browser is not supported
Component: Access Policy Manager
Symptoms:
APM does not support the Microsoft Edge browser for various APM use cases, including SSL VPN and endpoint inspection.
Conditions:
Edge browser is used to establish connection to APM.
Impact:
Cannot establish a connection to APM using the Edge browser.
Workaround:
Use Microsoft Internet Explorer.
Fix:
APM now supports the Microsoft Edge browser.
535041 : BIG-IP system drops UDP packets while iRule is suspended
Component: Local Traffic Manager
Symptoms:
On any virtual server with a UDP profile that executes an iRule using a parking command such as 'table set', the BIG-IP system drops all UDP packets received while waiting for iRule execution to complete.
Conditions:
This occurs when using iRules containing a parking command on a virtual server with a UDP profile. For more information on iRules that suspend processing, see SOL12962: Some iRule commands temporarily suspend iRule processing, at https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html
Impact:
BIG-IP system drops all UDP packets until iRule execution is completed.
Workaround:
Enable datagram-load-balancing in the UDP profile associated with the virtual server. This aggregates flows and processes them in parallel based on the timeout setting.
534520 : qkview may exclude certain log files from /var/log
Component: TMOS
Symptoms:
After generating a qkview, the tmm.start log file is missing.
Conditions:
This can occur intermittently while generating a qkview.
Impact:
Certain key log files that might be needed for troubleshooting are missing from the qkview.
Workaround:
None.
Fix:
After generating a qkview, the tmm.start log file is now present.
534457-3 : Dynamically discovered routes might fail to remirror connections.
Component: Local Traffic Manager
Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.
Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.
Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.
Workaround:
Provide a static route instead of dynamic routes.
Fix:
Remirroring L4 connections using dynamic routes now works correctly. (Note that when using dynamic routes it is not guaranteed that the active and standby systems will use the same routes; if the same routing is required on both active and standby, there might be some dropped connections on failover.)
534187 : Passphrase protected signing keys are not supported by SAML IDP/SP
Component: Access Policy Manager
Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.
Conditions:
Private key used to perform digital signing operations is passphrase protected.
Impact:
SAML protocol will not function properly due to inability to sign messages.
Workaround:
To work around the problem, remove the passphrase from the signing key.
534057 : [JavaPatcher] Java Applet class methods not properly implemented
Component: Access Policy Manager
Symptoms:
Three F5 Java class methods, getImage(), getAudioClip(), and play(), cannot take more than one parameter.
Conditions:
F5 Java class methods not properly implemented.
Impact:
Backend video cannot be played.
Workaround:
iRule workaround specific to the backend web app available upon request.
533956 : Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
Component: Access Policy Manager
Symptoms:
Extended Unix Code (EUC) character sets include several white space characters which have no ASCII equivalents. These characters are not recognized as white spaces by Portal Access. This may lead to incorrect handling of HTML pages, XML files and/or JavaScript files in these character sets.
Conditions:
- HTML page, XML file or JavaScript file in any EUC encoding scheme (EUC-JP, for example).
Impact:
Page or file in EUC encoding scheme may not be parsed correctly.
Workaround:
Use an iRule to replace non-ASCII-compatible white space characters with ordinary spaces.
Fix:
Text content using EUC character encoding schemes is now handled correctly by Portal Access.
533755 : Required syntax for iRule command DIAMETER::avp create has changed
Component: Service Provider
Symptoms:
When saving an iRule which uses 'DIAMETER::avp create', if the command does not have a 'type' argument then a validation warning will be issued. In previous versions, this argument was optional.
Conditions:
This occurs when calls to 'DIAMETER::avp create' do not provide a 'type' argument.
Impact:
Behavior of the command itself has not changed, and iRules using it will continue to function as expected. This is a change only in the validation of the command.
Workaround:
Review all iRules and ensure that calls to 'DIAMETER::avp create' provide a 'type' argument.
Behavior Change:
When saving an iRule which uses 'DIAMETER::avp create', if the command does not have a 'type' argument then a validation warning will be issued. In previous versions, this argument was optional. Behavior of the command itself has not changed, and iRules using it will continue to function as expected. This is a change only in the validation of the command. You should review all iRules and ensure that calls to 'DIAMETER::avp create' provide a 'type' argument.
532685 : PAC file download errors disconnect the tunnel
Component: Access Policy Manager
Symptoms:
Any failure to download the PAC file is treated as a fatal error. If the Edge Client fails to download the PAC file, the VPN connection cannot be established.
Conditions:
- PAC file cannot be downloaded by the Edge Client.
Impact:
Tunnel disconnects in case of PAC file download errors.
Workaround:
Fix the infrastructure issues that cause the PAC file download failure.
Fix:
PAC file download and merging issues were previously considered critical, and the Edge Client disconnected the tunnel. This behavior is now controlled by a new setting called "Ignore PAC download error" on the BIG-IP system.
Behavior Change:
PAC file download and merging issues were previously considered critical, and the BIG-IP Edge Client disconnected the tunnel. This behavior is now controlled by a new setting called "Ignore PAC download error" on the BIG-IP system.
531979 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.
Component: Local Traffic Manager
Symptoms:
In the ClientHello message, the system currently sets the SSL version in the record layer to the same value as the version field of the ClientHello message, which is the highest SSL version the system supports.
Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:
SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION
The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.
Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.
For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.
Impact:
SSL handshake fails.
Workaround:
There is no workaround for this issue.
Fix:
The SSL version in the record layer of the ClientHello is now set to the lowest supported version, which eliminates the issue that occurred when the highest SSL version the BIG-IP system supports did not fall into the range that an SSL peer supports.
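To make the version-range effect concrete, here is an added example (not F5 code) that builds a minimal TLS ClientHello, reads back its record-layer and handshake versions, and models a peer that, as the text describes, treats the record-layer version as the client's lowest supported version and the ClientHello version as its highest. The peer model and the TLS_VERSIONS table are assumptions made for the illustration; cipher suite and random bytes are constructed placeholders.

```python
"""Added example: record-layer version vs. ClientHello version in TLS."""
import struct

# Assumed version table: (major, minor) on the wire.
TLS_VERSIONS = {"TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
NAMES = {v: k for k, v in TLS_VERSIONS.items()}


def build_client_hello(record_version, hello_version, client_random=b"\x00" * 32):
    """Return a minimal ClientHello record.

    Layout (RFC 5246): record = type(1) version(2) length(2) handshake,
    handshake = type(1) length(3) body,
    body = version(2) random(32) session_id_len(1) cipher_suites_len(2)
           cipher_suite(2) compression_len(1) compression(1).
    """
    body = (
        bytes(hello_version)
        + client_random
        + b"\x00"                      # empty session id
        + struct.pack("!H", 2)         # one cipher suite, 2 bytes
        + b"\xc0\x2f"                  # constructed placeholder suite id
        + b"\x01\x00"                  # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_versions(record):
    """Return (record_layer_version, client_hello_version) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_ver = (record[1], record[2])
    length = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + length]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello_ver = (handshake[4], handshake[5])
    return rec_ver, hello_ver


def negotiate(record, peer_min, peer_max):
    """Model of the peer described in the text (an assumption, not a specific stack).

    The peer reads the client's supported range as
    [record-layer version, ClientHello version] and intersects it with its own
    [peer_min, peer_max]. Returns the highest common version, or None if the
    ranges do not overlap (handshake failure).
    """
    low, high = parse_versions(record)
    if low > high:
        return None                     # malformed advertisement
    chosen = min(high, peer_max)
    if chosen < max(low, peer_min):
        return None
    return chosen


def describe(record, peer_min, peer_max):
    """Human-readable summary of one negotiation attempt."""
    low, high = parse_versions(record)
    result = negotiate(record, peer_min, peer_max)
    return "client advertises %s..%s, peer %s..%s -> %s" % (
        NAMES[low], NAMES[high], NAMES[peer_min], NAMES[peer_max],
        NAMES[result] if result else "handshake fails")


if __name__ == "__main__":
    peer = (TLS_VERSIONS["TLS1.0"], TLS_VERSIONS["TLS1.1"])   # peer without TLS 1.2
    # Behaviour before the fix: record-layer version == ClientHello version.
    before = build_client_hello(TLS_VERSIONS["TLS1.2"], TLS_VERSIONS["TLS1.2"])
    # Behaviour after the fix: record-layer version == lowest supported version.
    after = build_client_hello(TLS_VERSIONS["TLS1.0"], TLS_VERSIONS["TLS1.2"])
    print(describe(before, *peer))
    print(describe(after, *peer))
```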
531877 : NTP vulnerability CVE-2015-5146
Vulnerability Solution Article: K17114
530877 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
Component: Local Traffic Manager
Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.
Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- Address translation is enabled on the Virtual Server.
- Node selection occurs in the iRule via node command.
- Client sends its initial data on the ACK of the three-way handshake.
Impact:
Depending on the scenario, this might result in the specific connection being reset.
Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking it on subsequent runs.
Fix:
The BIG-IP system now correctly processes initial data on the ACK of a three-way handshake when used with Verified Accept so iRule processing does not run the CLIENT_ACCEPTED event twice.
530266-5 : Rate limit configured on a node can be exceeded
Component: Local Traffic Manager
Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.
Conditions:
More than one TMM must be present, and the rate limit must be configured on the node.
Impact:
Node rate limit feature does not work as intended.
Workaround:
The rate limit can be moved from the node to the pool member, where it is honored.
530109 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Component: Access Policy Manager
Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.
Impact:
OCSP authentication might fail because the wrong URL is used.
Workaround:
1. Clean URL field.
2. Uncheck option 'Ignore AIA'.
Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.
Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.
530010 : FIPS firmware v2.2 update on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
Component: TMOS
Symptoms:
On BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards, the FIPS firmware version 2.1 has been moved to the Legacy list by NIST as the RNG function does not meet modern-day FIPS standards. For more information, see the external resource, available here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
Conditions:
This impacts BIG-IP 5250, 7200F, 10200F, and 11050F FIPS platforms running FIPS firmware 2.1 or earlier.
You can tell what firmware you have installed by running the following command at the command line: fipsutil info
The firmware version listed should be the following: CN16XX-NFBE-FW-2.2-130013.
Impact:
All platforms shipped prior to June 30th, 2016, contain an older firmware version and must be updated to run the NIST-approved version.
To comply with current NIST requirements, the new firmware has deprecated support for 1024-bit key creation. Existing 1024-bit keys in the device can still be used normally.
Workaround:
F5 Networks has released a downloadable firmware installer that you can download and apply to the platforms containing the FIPS firmware 2.1 or earlier.
For more information about FIPS compliance, see SOL7837: Overview of FIPS 140-2 EAL Level 2 and 3 RoHS Certification Status, available here: https://support.f5.com/kb/en-us/solutions/public/7000/800/sol7837.html.
Fix:
FIPS firmware v2.2 update on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
528684 : Guest cannot ping any management IP on the local host system when guest-to-host communication is enabled
Component: TMOS
Symptoms:
When guest-to-host communication is enabled by setting the "vcmp.mgmt.allow_host_guest_communication" to "true", a guest VM is unable to ping any management IP residing on the local host BIG-IP system. Note that SSH to such an IP works.
On clustered systems, a guest VM is unable to ping the cluster floating management IP of the local host cluster, if the local host blade is the primary blade of the host cluster. However, the guest VM is able to ping the cluster member management IP of non-local host blades and the cluster floating management IP, if a non-local host blade is the primary blade of the host cluster.
Conditions:
A guest VM attempts to ping a management IP that resides on the local host BIG-IP system.
Impact:
The user may mistakenly believe that, since they are unable to ping a management IP residing on the local host BIG-IP system, they are also unable to SSH to that IP.
Workaround:
Note that a guest VM is still able to SSH to a management IP residing on the local host BIG-IP system, even if pinging that IP does not work. If pinging of such an IP is desirable from a guest VM whose host BIG-IP system does not include the fix for this issue, then the following commands can be run on the host BIG-IP system as the 'root' user to make pinging the IP work:
# iptables -I vcmp_mgmt 2 -p icmp -j ACCEPT
# iptables-save > /etc/sysconfig/iptables
Note: On clustered host BIG-IP systems, these commands should be run on every blade.
Note: These commands will result in pings working across reboots, but an upgrade will reset the saved iptables rules and thus result in pings not working once more, unless the host BIG-IP system is being upgraded to a version that includes the fix for this issue.
Fix:
Guest VMs are now able to ping any management IP residing on the local host BIG-IP system.
528598 : SharePoint ActiveX wrappers should check object type before rewriting URL
Component: Access Policy Manager
Symptoms:
Some of our Invoke wrappers do not check whether they are called against the correct object and function. This may lead to double rewriting of URLs, or to corrupted URLs (as in the case of the SharePoint wrappers).
Conditions:
This occurs when using rewrite with SharePoint applications.
Impact:
The rewritten URL will be malformed, and end users may be unable to view certain document types.
Workaround:
iRule workaround for ID528598:
--------
when HTTP_REQUEST {
    # ID528598: Sharepoint ActiveX wrappers should check object type before rewriting URL
    # Rename ViewDocument to openDocument in order to avoid special rewriting.
    if { [HTTP::path] ends_with "/EmployeeFormsAndVideos" } {
        set bug528598 1
        # log local0. "ID528598: modifying page at [HTTP::uri]"
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    } elseif { [info exists bug528598] } {
        unset bug528598
    }
}
when HTTP_RESPONSE {
    if { [info exists bug528598] } {
        if { [HTTP::header exists "Content-Length"] and \
             [HTTP::header "Content-Length"] > 0 and \
             [HTTP::header "Content-Length"] <= 1048576 } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            HTTP::collect 1048576
        }
    }
}
when HTTP_RESPONSE_DATA {
    if { [info exists bug528598] } {
        unset bug528598
        set location [string last {.ViewDocument} [HTTP::payload]]
        while { $location > 0 && \
                $location < [expr {[HTTP::payload length] - 13}] } {
            HTTP::payload replace $location 5 {.open}
            set location [string last {.ViewDocument} [HTTP::payload]]
        }
        unset location
    }
}
Fix:
A check is now performed to ensure the underlying object is really an ActiveX object before rewriting the object.
528007-8 : Memory leak in ssl
Component: Local Traffic Manager
Symptoms:
An intermittent memory leak was encountered in SSL.
Conditions:
This can occur under certain conditions when using Client SSL profiles.
Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.
Workaround:
None.
Fix:
An intermittent memory leak in SSL was fixed.
527976 : pagemem tmctl table changed to page_stats
Component: Local Traffic Manager
Symptoms:
TMM has a tmctl statistic table called pagemem which shows two elements: available pages and used pages. These provide the totals across all TMM threads, and while accurate, they do not show fragmentation.
Conditions:
This occurs when looking at the pagemem statistics.
Impact:
This can lead to situations where TMM might try and allocate a large number of contiguous pages, which will fail, even though the pagemem avail stat shows the total pages being available.
Workaround:
None. This is a cosmetic issue.
Fix:
The pagemem tmctl table has been replaced with a new table called page_stats which provides much more detailed information about physical page clustering. The original 'avail' and 'used' statistics are still there, although they are reported on a per-thread basis. Additional statistic buckets for page diagnostics are introduced.
527206 : Management interface may flap due to LOP sync error
Component: TMOS
Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.
Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.
Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.
Workaround:
None.
Fix:
Rare Management interface flap due to LOP sync error no longer occurs on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.
526642-3 : iRule with HTML commands inside can be attached to Virtual server without HTML profile
Component: TMOS
Symptoms:
If an iRule with HTML commands inside is attached to a virtual server that has no HTML profile, the iRule may fail with an 'Unknown error' message in the log.
Conditions:
- iRule with HTML commands
- Virtual server without HTML profile
- the iRule is attached to this server
Impact:
iRule does not work as expected
Workaround:
If a virtual server uses an iRule with HTML commands, that virtual server should also use an HTML profile.
Fix:
If the BIG-IP configuration contains an iRule with HTML commands that is used by a virtual server without an HTML profile, the following error is logged at configuration load time:
HTML::<command name> in rule (<rule name>) requires an associated HTML profile on the virtual server (<server name>)
Behavior Change:
The BIG-IP configuration cannot be loaded if it contains:
- an iRule with HTML command(s) inside
AND
- a virtual server without an HTML profile that uses this iRule.
525580 : tmsh load sys config merge file filename.scf base command does not work as expected
Component: TMOS
Symptoms:
The presence of the base option indicates that only the base objects in the configuration should be considered for the save operation; the non-base objects in the configuration should be ignored.
However, this is not true for the following command:
tmsh load sys config merge file filename.scf base.
Conditions:
Running the command: tmsh load sys config merge file filename.scf base.
Impact:
This command ignores the base option. When specified together with the merge option, the base option is ignored: the command merges the non-base configuration objects as well, instead of loading only the base config objects as specified in the command.
Workaround:
None.
Fix:
tmsh load sys config merge file filename.scf base command now loads only the base config objects as specified in the command.
525429-9 : DTLS renegotiation sequence number compatibility
Component: Access Policy Manager
Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347 compliant DTLS server renegotiation sequence number implementation.
Conditions:
The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347.
The current APM client is compatible with old OpenSSL library, not the new OpenSSL library.
Impact:
The current APM client is not compatible with the new OpenSSL library.
Fix:
The APM client is now compatible with both the old and new OpenSSL library.
525158 : Rebooting active device before syncing a manual sync device group causes both devices to compile and deploy the blob
Component: Advanced Firewall Manager
Symptoms:
On a standby in a manual sync device group with pccd in the pending compile state, rebooting the active device before syncing causes both devices to compile and deploy the blob.
Conditions:
This only happens when
1. The BIG-IP configuration contains device groups that are configured to "manual sync".
2. Active device is not in "quiescent" state when it is rebooted.
Impact:
Some parts of the configuration that were not manually compiled into the blob earlier are now compiled and enforced automatically. It is recommended that the user check the current firewall configuration and make any adjustments if needed.
524193 : Multiple Source addresses are not allowed on a TMSH SNMP community
Component: TMOS
Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify, delete, replace-all), only the first address is saved.
Conditions:
Specifying multiple source addresses on a TMSH snmp community command.
Impact:
The command is accepted, but only the first address will be allowed snmp access.
Workaround:
Add an additional source address to another snmp community object that has the same community string.
Fix:
The validation for the source address of the snmp community object has been changed so that only one address can be entered at a time.
To configure multiple source addresses, enter them one address at a time.
524123 : iRule ISTATS::remove does not work
Component: TMOS
Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.
Conditions:
Invoking the ISTATS::remove command from an iRule.
Impact:
The value of the iStat remains defined.
Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.
523318 : Creating too many iFiles causes tmm crash.
Component: Local Traffic Manager
Symptoms:
Tmm might crash when too many iFiles are created.
Conditions:
The crash has been seen with 1700 iFiles on a BIG-IP with 6 tmm threads.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
- Increase the number of file descriptors (ulimit -n) in /etc/bigstart/scripts/tmm.
- bigstart restart tmm.
Fix:
The maximum number of open file descriptors now scales with the number of tmm threads, so tmm no longer crashes when a very large number of iFiles (e.g., 1700) are created.
523198 : DNS resolver multiplexing might cause unexpected behaviors
Component: Global Traffic Manager (DNS)
Symptoms:
DNS resolver multiplexing might cause unexpected behaviors, resulting in multiple error messages: notice hud_msg_queue is full.
Conditions:
This occurs with a DNS resolver configured.
Impact:
TMM cores, or connflows do not expire. The system posts messages similar to the following: notice hud_msg_queue is full.
Workaround:
None.
523111 : Disabling on-demand-compile/on-demand-deploy on standby, sometimes the setting will revert back to enabled on the active or standby automatically
Component: Advanced Firewall Manager
Symptoms:
On an HA pair, disabling on-demand-compile/on-demand-deploy on the standby is synced across but eventually causes on-demand-deploy to revert to enabled on the active or standby.
Conditions:
This only happens when
1. Active device is not in "quiescent" state when the on-demand feature is disabled.
2. The configuration change is done from standby device.
Impact:
on-demand-compile and on-demand-deploy may be enabled when not desired.
Workaround:
The general guideline of using the on-demand features is that all configuration changes should be done from Active device, not from standby devices.
522310 : ICMP errors cause the associated FastL4/TCP connection to be reset
Component: Local Traffic Manager
Symptoms:
When there are ICMP unreachable errors, the associated FastL4/TCP connection is reset by the BIG-IP.
Conditions:
There is an end-to-end connection from a client to a server via the BIG-IP, and there is an ICMP error from the BIG-IP to the pool member.
Impact:
FastL4/TCP connection from the client to BIG-IP will be reset.
Fix:
Provide a DB variable "TM.FastL4_rst_on_icmp" which is enabled by default. When enabled, the connection will be reset on ICMP errors. If the DB variable is disabled, ICMP errors will not result in the connection being torn down by the BIG-IP.
522043 : ASM triggers geo-based dos mitigation against RFC1918 addresses.
Component: Advanced Firewall Manager
Symptoms:
A geo-based IP DoS mitigation started against an internal IP address.
Conditions:
Traffic from internal addresses is arriving at the system. A geolocation mitigation is configured for DoSL7.
Impact:
All internal addresses get blocked as a geolocation.
Workaround:
Whitelist the internal addresses. Note: Doing this prevents all types of mitigation from these IP addresses.
Fix:
RFC1918 addresses are not considered a geolocation, and during geolocation mitigation, traffic from these IPs is not dropped. These IP addresses can still be mitigated by other mitigations.
A new internal parameter, DOSL7.geolocation_drop_private_ips (default: disabled), is introduced. When enabled, the system reverts to the previous behavior, so internal IP addresses are mitigated in the geolocation mitigation.
522040 : Individual attack signature can't be disabled on a specific header
Component: Application Security Manager
Symptoms:
A specific attack signature is matched on a specific header or a specific allowed cookie. You are unable to disable it only on that header/cookie rather than on the whole policy.
Conditions:
A specific signature is matched only on a specific header or cookie.
Impact:
Disabling the signature on the policy may miss attacks. Leaving the signature enabled causes false positives on its occurrences in the header/cookie.
Workaround:
N/A
Fix:
Added the functionality to disable specific attack signature on a specific header or cookie.
521370 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
Component: Application Security Manager
Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.
Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.
Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.
Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.
521270 : Hypervisor might replace vCMP guest SYN-Cookie secrets
Component: TMOS
Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.
Occasionally, under HW-SYN-Cookie mode, HW-SYN-Cookie validation can fail, which triggers the software SYN-Cookie procedure, which does succeed.
Under vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat. If this packet's destination is the local high-layer TCP stack, there is no functional impact. Otherwise, there might be a performance impact.
Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, which causes the connection issue.
Conditions:
vCMP provisioning setup.
Impact:
Under vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat, whereas under HW-SYN-Cookie mode everything is expected to be validated automatically by the FPGA.
You might also notice hwalgo_invalid if the FPGA used the updated secret for SYN-Cookie generation from the hypervisor and the guest and hypervisor secret indexes overlap.
Even if the guest and hypervisor secret indexes are not the same, the history secret might be updated by the hypervisor, which might trigger additional hwalgo_accept.
Under vCMP mirroring, however, the packet that failed FPGA validation is sent to the remote TMM, which does not have the correct secret to validate it, so the error rate could be higher.
Workaround:
On the vCMP hypervisor, run the following commands.
1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl.
2. bigstart restart TMM.
On a multiple blade system, you must run these commands on all blades.
Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.
521204 : Include default values in XML Policy Export
Component: Application Security Manager
Symptoms:
XML Policy Export does not include some entities, unless their values are different from the system's default settings
Conditions:
ASM provisioned
export security policy in XML format
Impact:
XML Policy Export does not include some entities, unless their values are different from the system's default settings
Workaround:
n/a
Fix:
We now exclude defaults from XML policy export only when exporting a minimal XML.
518201 : ASM policy creation fails after upgrading
Component: Application Security Manager
Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. You will see the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------
It does not matter if the security policy was created by the command line or by the Configuration utility.
Conditions:
ASM provisioned
Upgrade to 11.6.X
Impact:
ASM policies cannot be created.
Workaround:
Please apply the following workaround, as root user, from the command line of the affected BIG-IP.
Please run these exact commands - copy and paste into the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
Be advised that this operation will permanently affect the mentioned database table.
It is strongly advised to first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------
Before applying the workaround, first make sure that you indeed need one.
You can do that by running this in the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
In case this query does not return any output - it means that there is no need to apply the mentioned workaround.
In case you do need to apply the workaround, you can use the same "SELECT *" query to validate the workaround, after it has been applied. Namely, after the workaround was applied, the "SELECT *" query should return no output.
Fix:
We've fixed ASM policy creation so that it does not fail after upgrade.
516736 : URLs with backslashes in the path may not be handled correctly in Portal Access
Component: Access Policy Manager
Symptoms:
Safari, Chrome, Edge and Internet Explorer support backslashes in the URL path and treat them as slashes. But Portal Access converts backslashes in URLs to slashes explicitly; this may cause unexpected results in some web applications. Note that Firefox has no such support.
Conditions:
HTML page with URL with backslashes in the path, for example:
<a href=http://some.com\some\path/file.ext>
Impact:
Web application may not work correctly.
Workaround:
In some cases it is possible to modify rewritten URLs by iRule.
Fix:
URLs with backslashes are now supported correctly by Portal Access for all browsers except Internet Explorer 7--9 and Firefox.
516711 : Portal Access: JavaScript in Shift-JIS encoding may be handled incorrectly
Component: Access Policy Manager
Symptoms:
Since the Shift-JIS character encoding scheme uses the yen character in place of the backslash, JavaScript code with backslashes may be handled incorrectly by Portal Access. This may lead to incorrect web application behavior.
Conditions:
- HTML page or JavaScript file with Shift-JIS encoding scheme.
- JavaScript code with backslashes.
Impact:
JavaScript code with backslashes cannot be parsed by Portal Access if the code uses Shift-JIS character encoding.
Workaround:
None.
Fix:
Now JavaScript code with Shift-JIS character encoding scheme and backslashes inside the code is handled correctly by Portal Access.
515764-7 : PVA stats only being reported on virtual-server and system-level basis.
Component: TMOS
Symptoms:
The VLAN/interface stats do not include PVA stats. PVA stats are reported per virtual server, including the virtual server plus its pool and pool members.
Conditions:
Viewing PVA stats.
Impact:
Interface stats only count TMM software traffic stats, and do not include PVA traffic stats. Although this is by design, it makes it difficult for users to monitor per-VLAN throughput on their devices.
Workaround:
Retrieve pool member PVA stats for server-side PVA stats on the associated VLANs. Also look at PVA stats in the virtual server stats for client-side PVA stats. Note: On the client side, the virtual server might be configured to run on multiple VLANs, so the client-side details are not included in the stats.
Fix:
The system now reports per-device PVA traffic stats in VLAN and interface stats.
515635 : Tcl monitor not working with Courier IMAP server
Component: Local Traffic Manager
Symptoms:
Tcl monitor produces FTP error with Courier IMAP server.
Conditions:
Courier IMAP Server when there is no message in the mailbox.
Impact:
IMAP monitor fails, potentially resulting in downed pool members. The system posts an error similar to the following: ERROR: failed to complete the transfer, error code: 8 error message: FTP: weird server reply.
Workaround:
Add a message to the monitored mailbox.
Fix:
IMAP TCL monitor now works without error with Courier IMAP server when the monitored mailbox is empty.
515180 : Matched ASM signatures cannot be accessed easily from iRules.
Component: Application Security Manager
Symptoms:
Matched ASM signatures cannot be accessed easily from iRules.
Conditions:
A signature was matched.
Impact:
It is very difficult to write rules that behave differently according to specific signatures.
Workaround:
The signature IDs can be seen in the violation_details, but difficult parsing is required to extract them and act upon them.
Fix:
The following commands have been added to the ASM_REQUEST_DONE event.
ASM::signature ids - Returns the IDs of signatures.
ASM::signature names - Returns a list with the names of the signatures found in the transaction.
ASM::signature set_names - Returns a list with the set names of the signatures.
Also note that further fixes added the staged signatures:
ASM::signature staged_ids - Returns a list of staged signatures IDs.
ASM::signature staged_names - Returns a list of staged signatures names.
ASM::signature staged_set_names - Returns a list of staged signatures set names.
Note that the signature names list is limited to 3 signatures and the signature IDs list is limited to 10 signatures.
Behavior Change:
iRules commands have been added to retrieve the matched signature IDs, names and sets.
The following commands have been added to the ASM_REQUEST_DONE event.
ASM::signature ids - Returns the IDs of signatures.
ASM::signature names - Returns a list with the names of the signatures found in the transaction.
ASM::signature set_names - Returns a list with the set names of the signatures.
Also note that further fixes added the staged signatures:
ASM::signature staged_ids - Returns a list of staged signatures IDs.
ASM::signature staged_names - Returns a list of staged signatures names.
ASM::signature staged_set_names - Returns a list of staged signatures set names.
Note that the signature names list is limited to 3 signatures and the signature IDs list is limited to 10 signatures.
514742 : OCSP Responder URL is case sensitive, scheme part is required
Component: Access Policy Manager
Symptoms:
OCSP Responder fails to initialize if the scheme is not specified ("myhost.org" instead of "http://myhost.org") OR
the scheme is not lowercase ("myHost.org" instead of "http://myhost.org").
Conditions:
The URL field doesn't contain a scheme part (http/https), or the scheme part is not all lowercase.
Impact:
OCSP responder fails to initialize, so OCSP authentication fails.
Workaround:
Configure the URL starting with http:// or https://.
Fix:
APM now lowercases the scheme part of the specified URL if it is http or https.
APM throws a configuration error if no scheme is specified for the URL or a wrong scheme is provided (anything other than http/https).
513480 : ldap query fails when user is assigned to newly created group and that group is set as primary group
Component: Access Policy Manager
Symptoms:
In MS Active Directory there is a special attribute, primaryGroupID, for a user.
BIG-IP caches AD groups to resolve primaryGroupID into a group DN.
When a new group is created in the domain and assigned to a user as the primary group, BIG-IP cannot find that group by ID in its cache, and tries to fetch the new group from the domain using the primaryGroupToken attribute. The query fails because primaryGroupToken is a constructed attribute and cannot be part of a filter expression.
Conditions:
A new group is created in the domain,
the new group is assigned to the user,
and the group is set as the primary group for the user.
Impact:
User cannot log in.
Workaround:
Clear the group cache for the AAA LDAP Server.
During the next user login, the cache is rebuilt from scratch and the new group is in the cache, so there is no need to retrieve it from the server.
Fix:
After the fix, the group is retrieved from the server using the objectSid attribute.
512147 : No SNMP traps from APM
Component: TMOS
Symptoms:
APM does not support SNMP traps for its error messages.
Conditions:
This is on APM.
Impact:
It is not possible to monitor APM stability via SNMP.
Workaround:
No workaround possible.
Fix:
Now APM supports several types of SNMP traps (licensing issues, HA state transitions).
511710 : URL Categorization: URL lookup is performed on URL without query string starting v13.0
Component: Traffic Classification Engine
Symptoms:
Prior to v13.0, URL Category was looked up using the entire URL, which included the query string.
As of version 13.0.0, BIG-IP no longer uses the query string when looking up category by URL.
Conditions:
URL categorization feature is enabled.
Impact:
No visible impact
Fix:
BIG-IP now ignores the query string when looking up categories by URL.
511324 : HTTP::disable does not work after the first request/response.
Component: Local Traffic Manager
Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.
Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.
Impact:
The connection is reset.
Workaround:
None.
Fix:
HTTP::disable now works correctly after the first request or response.
511049 : tmsh run sys crypto check-cert to support arbitrary certificate file name.
Component: Local Traffic Manager
Symptoms:
tmsh run sys crypto check-cert does not support arbitrary certificate file names.
This syntax works for running check-cert:
[root@localhost:/S1-green-P:Active:Standalone] config # tmsh run sys crypto check-cert default.crt verbose enabled log enabled stdout enabled
However, this does not (with the file path specified):
[root@localhost:/S1-green-P:Active:Standalone] config # tmsh run sys crypto check-cert /config/ssl/ssl.crt/default.crt verbose enabled log enabled stdout enabled
Conditions:
N/A
Impact:
N/A
Fix:
Added support for arbitrary certificate file names in tmsh run sys crypto check-cert.
Behavior Change:
tmsh run sys crypto check-cert to support arbitrary certificate file name.
510631 : B4450 L4 No ePVA or L7 throughput lower than expected
Component: Performance
Symptoms:
L4 no-ePVA and L7 performance was limited to as little as 146 Gbps under some traffic conditions, instead of the advertised capability of 160 Gbps.
Conditions:
This occurs on the B4450 blade.
Impact:
Performance lower than expected
Fix:
Driver enhancements in 12.1.2 and 13.0 enable full 160G performance.
509858-4 : BIG-IP FastL4 profile vulnerability
Component: Local Traffic Manager
Symptoms:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Conditions:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Impact:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Fix:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
509497 : VCMP guests on a specific host may be restarted when that host system experiences large date/time changes
Component: TMOS
Symptoms:
After a large (> 7 months) change in system date/time, either manually or via NTPD, VCMP guests may be killed and restarted.
Impact:
Temporary loss of service of data path elements, until killed guests are restarted.
Workaround:
Avoid large changes in system time during critical hours of operation.
It may be better to bring down guests administratively, make the date/time change, and then bring the guest back up rather than allowing them to be killed/restarted automatically due to heartbeat timer expiration.
506543-2 : Disabled ephemeral pool members continue to receive new connections
Component: Local Traffic Manager
Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.
Conditions:
The FQDN parent node is disabled, causing its derived ephemeral pool members to be marked disabled.
Impact:
Unexpected traffic load balanced to disabled pool members
Workaround:
None.
Fix:
Traffic will no longer be load balanced to disabled ephemeral pool members.
505947 : SSL Client Certificate LDAP host IP address does not allow port entry in field.
Component: TMOS
Symptoms:
After an upgrade to 11.6, a combination of IP and port in the host field when creating an LDAP SSL Client Certificate results in "Invalid Host Error". In 11.3.0, you were able to add a host IP address and port into the LDAP SSL Client Certificate host field, for example, 10.1.1.1:2389.
Conditions:
Creating a new "SSL CC LDAP" object and adding IP:PORT in the Host text field.
Impact:
Cannot add IP:PORT in host field.
Workaround:
The IP:Port combination fails when configuring LDAP SSL Client Certificate in the GUI, but it works in tmsh.
Fix:
In Local Traffic :: Profiles: Authentication: Configurations, you are now able to add "IP:PORT" to the Host list builder when creating an SSL Client Certificate LDAP profile.
505925 : Show internal Citrix XML Broker error (MPSError/BrowserError) in the logs and to the user on APM Webtop
Component: Access Policy Manager
Symptoms:
After clicking the app/desktop resource on the APM webtop, if there is any problem downloading the ica file, the webtop shows no indication to the end user.
Conditions:
An error occurs in Citrix XML Broker
Impact:
No error message is shown to user on APM WebTop.
Workaround:
None.
Fix:
Now internal Citrix XML Broker error (MPSError/BrowserError) is shown in the logs and to the user on APM Webtop.
505251 : Linux file utility vulnerabilities CVE-2014-8116 and CVE-2014-8117
Vulnerability Solution Article: K16347
505031 : wom_verify_config is slow when there are a large number of virtuals configured
Component: Wan Optimization Manager
Symptoms:
wom_verify_config is slow when a large number of virtuals are defined (1000s). This affects qkview as well.
Conditions:
AAM needs to be provisioned with a large number of virtuals defined (1000s).
Impact:
wom_verify_config and qkview take a long time to complete.
Workaround:
None
Fix:
Removed wom_verify_config from qkview.
503847 : Support Citrix HTML5 client bundle in non-default partition
Component: Access Policy Manager
Symptoms:
If the Citrix html5 client bundle is configured in non-default partition, users cannot launch HTML5 Citrix application.
Conditions:
Citrix html5 client bundle is configured in non-default partition.
Impact:
Users cannot launch HTML5 Citrix application.
Workaround:
Write an iRule that replaces /public/citrix with /Partition/public/citrix.
Fix:
APM now supports the Citrix HTML5 client bundle in a non-default partition.
503842 : MS WebService html component doesn't work after rewriting
Component: Access Policy Manager
Symptoms:
The MS webservice.htc component provides a JavaScript interface for SOAP services in Internet Explorer. It stops working after rewriting through the reverse proxy.
Conditions:
It works with F5CH=I, and other HTML components work through APM too. That means the issue is with something we change in this file.
Impact:
MS WebService component stops working.
Workaround:
---
when HTTP_REQUEST {
    # Downgrade IE compatibility mode
    set downgrade_ie_compat 0
    if { [HTTP::path] contains "PreviewQualitySheet.aspx" } {
        set UAString [string tolower [HTTP::header User-Agent]]
        if { ! ($UAString contains "msie 8.") and ! ($UAString contains "msie 7.")} {
            set downgrade_ie_compat 8
        }
    }
    # do not rewrite WebService HTML Component
    # because IE ignores it after rewriting.
    # patching a few things manually instead
    set ms_webservice_fix 0
    if { [HTTP::uri] ends_with "webservice.htc"} {
        set ms_webservice_fix 1
        HTTP::uri "[HTTP::uri]?F5CH=I"
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
}
when HTTP_RESPONSE {
    if { $downgrade_ie_compat > 0 && ! [HTTP::header exists X-UA-Compatible] } {
        HTTP::header replace "X-UA-Compatible" "IE=$downgrade_ie_compat"
    }
    if { $ms_webservice_fix == 1 } {
        if { [HTTP::header exists "Content-Length"] and \
             [HTTP::header "Content-Length"] > 0 and \
             [HTTP::header "Content-Length"] <= 1048576 } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            HTTP::collect 1048576
        }
    }
}
when HTTP_RESPONSE_DATA {
    if { $ms_webservice_fix == 1 } {
        set location [string first \
            {if (co.userName == null)} \
            [HTTP::payload]]
        if { $location > 0 } {
            HTTP::payload replace $location 0 {loc=F5_WrapURL(loc);}
        }
    }
    HTTP::release
}
---
501892 : Selenium is not detected by headless mechanism when using client version without server
Component: Advanced Firewall Manager
Symptoms:
DoSL7 Proactive Bot Defense (Block requests from suspicious browsers) detects Selenium when the Selenium server is running and a listener has been opened on one of its specific ports.
Conditions:
This occurs when ASM is provisioned with Proactive Bot Defense enabled, when accessing the page for the first time.
Impact:
If a bot runs only the Selenium client package, it is not blocked by the DoSL7 Proactive Bot Defense mechanism.
Workaround:
N/A
Fix:
The Selenium detection mechanism has been improved: if a bot uses the Firefox or Chrome Selenium driver, it is detected by PBD's JavaScript code by checking for the existence of the required Chrome plugins and the Firefox webdriver.
501505 : [Portal Access] Rewrite helpers do not work with documents created with createHTMLDocument() call
Component: Access Policy Manager
Symptoms:
The result of document.implementation.createHTMLDocument("") lacks some properties (parentWindow, defaultView, etc.), so rewrite wrappers throw exceptions when trying to access them. Examples of broken wrappers: F5_Inflate/Deflate_domain, F5_Invoke_appendChild.
Conditions:
Rewrite helpers fail to access documents created by createHTMLDocument().
Impact:
Oracle Web App graphs do not load on pages created by Portal Access.
Workaround:
when REWRITE_REQUEST_DONE {
    # ID475163: F5_Invoke_submit() breaks forms without action
    # ID501505: [Portal Access] Lots of our helpers don't work for documents created with createHTMLDocument.
    set is_475163 0
    set is_501505 0
    if { [HTTP::uri] contains "1411250302/zenwebclient/web.do?cafWebSesInit=true"} {
        set is_475163 1
        REWRITE::post_process 1
    }
    if { [HTTP::uri] contains "/combined_static_includes_2.js"} {
        set is_501505 1
        REWRITE::post_process 1
    }
}
when REWRITE_RESPONSE_DONE {
    if { $is_475163 == 1 } {
        set location [string first \
            {<form id="form_client} \
            [REWRITE::payload]]
        if { $location > 0 } {
            REWRITE::payload replace [expr $location + 5] 0 { action="" }
            set is_475163 0
        }
    }
    if { $is_501505 == 1 } {
        set location [string first \
            {createHTMLDocument("");} \
            [REWRITE::payload]]
        if { $location > 0 } {
            REWRITE::payload replace [expr $location + 23 ] 0 {f.parentWindow=top;}
            set is_501505 0
        }
    }
}
Fix:
Rewrite helpers should now work with documents created by document.implementation.createHTMLDocument("").
500901 : Manager Role inconsistency between GUI and TMSH
Component: Access Policy Manager
Symptoms:
Users configured with the 'Manager' role who log into the GUI cannot create or delete the following Secure Web Gateway objects:
-- Secure Web Gateway :: Applications.
-- Secure Web Gateway :: Application Filters.
-- Secure Web Gateway :: URL Categories.
Conditions:
This occurs when Users configured with the 'Manager' role log into GUI.
Impact:
User is unable to use the GUI as 'Manager' to create or delete the objects.
Workaround:
Use tmsh.
Fix:
Permissions have been corrected on the GUI, and the 'Manager' role now operates as expected with Secure Web Gateway objects.
500452-5 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
Component: TMOS
Symptoms:
The PB4300 blade tries to disaggregate ESP traffic in hardware based on the IPsec ESP Security Parameter Index (SPI) value. The blade does not have that capability, which causes all ESP traffic to be sent to one HSB and results in throughput degradation.
Conditions:
When PB4300 receives ESP traffic.
Impact:
Throughput degradation.
Workaround:
None.
Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.
499404 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
Component: Local Traffic Manager
Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.
Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.
Impact:
The wrong MSS value is advertised during 3WHS.
Workaround:
None.
Fix:
FastL4 now honors the MSS override value in the FastL4 profile with syncookies.
Behavior Change:
The MSS the BIG-IP system advertises in the SYN/ACK is now based on the MSS override value in the FastL4 profile. Previously, it was based only on the VLAN's MTU.
499124 : wom_verify_config produces unnecessarily elevated messages in ltm log
Component: Wan Optimization Manager
Symptoms:
The wom_verify_config utility sometimes produces error-level messages in the ltm log that should be informational or warning level.
Conditions:
When WOM is not fully configured.
Impact:
Error-level messages in the ltm log can result in unexpected action being taken, where an informational or warning level message would not.
Fix:
The messages created by wom_verify_config have been cleaned up.
497725 : Qkview does not include the incremental ConfigSync cache
Component: TMOS
Symptoms:
Qkview does not include the incremental ConfigSync cache.
Conditions:
Running Qkview on a system on which incremental ConfigSync caches exist.
Impact:
Diagnostic data useful (or sometimes necessary) for troubleshooting ConfigSync issues is not captured as part of a Qkview.
Workaround:
Collect output of "tmsh show /cm device-group name-of-device-group-or-'all'-keyword incremental-config-sync-cache".
Fix:
Qkview now includes the incremental ConfigSync cache when running the following command:
/usr/bin/tmsh -a show cm device-group all incremental-config-sync-cache.
497100 : APM Migrates to Google reCAPTCHA API Version 2.0
Component: Access Policy Manager
Symptoms:
Google introduced reCAPTCHA API v2 in December 2014. The v2 API does not work with an API key pair generated for the v1 API. Because APM is migrating to reCAPTCHA v2, the key pair that works with previous APM releases stops functioning after upgrade.
Google recommends sites that are using v1 API to register new keys and upgrade to v2. (See https://developers.google.com/recaptcha/docs/faq)
Conditions:
A key pair generated for the v1 API is used in the reCAPTCHA configuration.
Impact:
Users will not be able to log in.
Fix:
N/A
Behavior Change:
Before upgrading, the admin must register a new key pair with Google. After upgrade, the "secret" and "site key" fields on the reCAPTCHA admin UI are populated with the old keys. Replace the old keys with the new keys obtained from Google.
Furthermore, the "Verification URL", "Challenge URL", and "Noscript URL" fields are populated with the URLs for the Google reCAPTCHA v2 service, not those that were specified before the upgrade. If a virtual server has been configured for v1 verification using HTTPS, a client-side SSL profile must be added to the virtual server and the "Verification URL" field should point to the virtual server.
Moreover, the "CAPTCHA Theme" is obsolete and is replaced by v2 CAPTCHA render configuration parameters with the following default values:
Data Theme = Light
Data Type = Image
Data Size = Normal
495830-1 : UI Breadcrumb text does not always match the menu or tab selected
Component: Access Policy Manager
Symptoms:
When an Admin visits the UI and clicks on an item within the left-hand menu the corresponding tab will also be selected at the top of the right content pane, and above that there will be corresponding breadcrumb text. In some cases the breadcrumb text does not change as expected.
Conditions:
This usually occurs when the admin visits screens using different GUI implementations. In this case if the admin clicked into "Local Traffic >> Profiles : Services : HTTP" from the menu on the left hand side, and then selected Rewrite from within the Services tab, the breadcrumb text would still read "Local Traffic >> Profiles : Services : HTTP" rather than the expected "Local Traffic >> Profiles : Services : Rewrite".
Impact:
The breadcrumb text does not change as expected.
Workaround:
None.
Fix:
The breadcrumb text now changes as expected, depending upon the menu or tab item the admin selects.
495432 : Add new log messages for AFM rule blob load/activation in datapath.
Component: Advanced Firewall Manager
Symptoms:
Before this fix, when the AFM rule blob is compiled and serialized by pktclass-daemon and TMM is notified to activate it in the datapath, there is no visibility into whether the activation failed or succeeded.
Conditions:
An AFM rule serialization message is processed by TMM.
Impact:
The end user has no visibility into whether the serialized AFM rule blob is successfully in use in the data path.
Workaround:
None
Fix:
The system now logs a message (in /var/log/ltm) when the serialized AFM rule blob is activated in the data path.
494019 : System matches messages to previous Diameter Route Application ID after modifying ID value
Component: Service Provider
Symptoms:
The system matches messages against the previous Diameter Route Application ID after the application ID value is modified.
Conditions:
This occurs after modifying the application ID value for a Diameter Route object.
Impact:
The Diameter Route might continue to match Diameter messages against the old application ID until TMM is restarted.
Workaround:
Always restart TMM after changing the value of application ID in a Diameter Route.
Fix:
The system now matches against the correct Diameter Route Application ID after the application ID value is modified.
493206 : Diameter traffic not restricted to virtual server assigned to static route
Component: Service Provider
Symptoms:
A virtual server that is assigned to a static route is not honored. Specifically, traffic is not filtered to be only on that virtual server.
Conditions:
A static route is configured with a virtual server.
Impact:
The traffic continues to be routed to the static route without matching the virtual server.
Workaround:
None.
Fix:
Diameter traffic is now restricted to the virtual server assigned to a static route, as expected.
493061 : Priority order of Diameter Router Profile static routes determined by order in bigip.conf
Component: Service Provider
Symptoms:
Priority order of Diameter Router Profile static routes is determined by order in bigip.conf. In the GUI, it appears that the user can assign priority order to static routes for a Diameter Router Profile.
Conditions:
If there are multiple static routes attached to a Diameter Router Profile, the first route that appears in the list of routes in bigip.conf is the one the system uses.
Impact:
This can cause BIG-IP to choose a route that is not what you expected.
Workaround:
To change the priority order of static routes for a Diameter Router Profile, the user must manually edit the bigip.conf configuration file, or use tmsh to manually order the static routes in the Router Profile.
490771 : There is no configurable TCP timewait timer for Fast L4 virtual servers.
Component: Local Traffic Manager
Symptoms:
Fast L4 does not have configurable TCP timewait support.
Conditions:
This is encountered with Fast L4 profiles, for which the TCP timewait period is not configurable.
Impact:
The Fast L4 TCP connflow is torn down immediately after close. In some cases, a timewait period is needed before the connflow is torn down.
Workaround:
None.
Fix:
There is a new configurable TCP timewait option:
tmsh modify ltm profile tcp <profile_name> time-wait-timeout <value>.
490643 : iControl REST API is unable to retrieve any sys service attributes via GET request
Component: TMOS
Symptoms:
The iControl REST API is unable to retrieve all sys service attributes, or any individual sys service attribute, via a GET request.
Conditions:
-- Use the iControl REST API to retrieve any sys service via a GET request.
Impact:
The iControl REST API response does not contain these elements; iControl REST provides no visibility into sys service attributes.
Workaround:
None.
Fix:
The iControl REST API is now able to return sys service attribute information via a GET request.
488876 : SSL persistence uses noticeably more memory
Component: Local Traffic Manager
Symptoms:
In releases prior to 11.4.0, SSL persistence used very little memory. Beginning with version 11.4.0, the amount of memory used has increased.
Conditions:
This occurs when SSL persistence is enabled.
Impact:
This results in less memory being available for other flows, and might eventually result in TMM being out of memory.
Workaround:
None.
Fix:
SSL persistence memory handling has been improved, so that sufficient memory is available for other flows.
488430 : Suspend/save/migrate LTM VE functionality is not supported for Community XEN.
Component: TMOS
Symptoms:
LTM Virtual Edition (VE) does not support the cloud features suspend/save/migration for Community Xen Hypervisor.
Conditions:
Community Xen Hypervisor.
Impact:
Reduces migration functionality on Community Xen Hypervisor platform.
Workaround:
Save the standard configuration in a UCS file and migrate the UCS file to different instances as needed.
488326 : SWG database download via proxy
Component: Access Policy Manager
Symptoms:
Without this feature, a separate, shared public Internet connection must be set up solely for SWG module database downloads. This also violates internal security policies that do not allow device-initiated connections to the Internet unless they are handled by a proxy infrastructure.
Conditions:
SWG Database Download.
Impact:
Without this feature, the security policy cannot be satisfied for database downloads, without which SWG functionality cannot work.
Workaround:
None.
Fix:
Device-specific proxy configuration fields (proxy IP, proxy port, username, and password) have been added to configure the proxy to be used. To enable SWG database download through a proxy, a new "Use Proxy" option has been added in SWG Database Settings that uses the configured proxy for SWG database download.
487144 : tmm intermittently reports that it cannot find FIPS key
Component: Global Traffic Manager
Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"
Conditions:
There is a FIPS card in the BIG-IP system and the key is retrieved. The exact conditions that cause this are not known, but it seems to be related to GTM being enabled.
Impact:
SSL cannot locate the key on the FIPS card, and SSL does not function properly.
Workaround:
None known, but restarting tmm or rebooting might correct the condition.
Fix:
SSL can now correctly locate the key from the FIPS card, and SSL will function properly.
484542 : QinQ tag-mode can be set on unsupported platforms
Component: Local Traffic Manager
Symptoms:
tmsh does not validate QinQ tag-mode and allows invalid values to be set.
Conditions:
This occurs when trying to set QinQ tag-mode to values other than 'none' on unsupported platforms. Only platforms with ePVA support QinQ tagging.
Impact:
Although you can set QinQ tag-mode, the configuration has no effect. There is no negative impact on system functionality.
Workaround:
Only configure QinQ tag-mode on the following platforms: BIG-IP 5050s/5250v/7050s/7250v/10050s/10250v and VIPRION B2150 SSD-based models.
Fix:
QinQ tag-mode is now properly validated when configuring a VLAN via tmsh.
483957 : Configure the client of choice to be launched from APM webtop
Component: Access Policy Manager
Symptoms:
Currently, for VMware View resources, a modal dialog prompting the user to choose the preferred client is shown whenever they launch an application.
For Citrix, the client used is determined by heuristics checking the presence of Citrix Receiver on the user system or HTML5 client bundle on APM.
Now, for both types of resources the preferred client can be set by the administrator.
For VMware View, this client will be launched immediately (if available) without a modal dialog.
For Citrix, this will also apply as long as the chosen client is available.
Conditions:
VMware View or Citrix resource configured and assigned to the webtop.
Impact:
Provides the administrator with better control over the client used for launching applications.
Fix:
Administrators can now enforce which VDI client is used on APM Webtop: native or HTML5.
For VMware View, the preferred client can be set in the VMware View Policy agent in VPE.
For Citrix, the session variable session.citrix.preferred_client needs to be set to either "html5" or "native".
483953 : Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
Component: Local Traffic Manager
Symptoms:
ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size, if the path MTU is lower than that value.
Conditions:
Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message with a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value will be set to the TM.MinPathMTU value even though this still isn't able to traverse the path.
This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address.
Impact:
TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU.
This metric will live for 10 minutes by default.
Workaround:
This issue has no workaround at this time.
The route metric lifetime can be lowered using route.metrics.timeout db key.
Fix:
Path MTUs lower than the value of TM.MinPathMTU will no longer be cached by TMM.
483570 : TMM/APMD fail to communicate when handling a large amount of data under high load conditions.
Component: Access Policy Manager
Symptoms:
VPN users begin to report that they are unable to connect to a normally functioning (but busy) APM virtual. The virtual server is using an iRule configured with ACCESS::POLICY evaluate.
Conditions:
This can occur when using the 'ACCESS::POLICY evaluate' iRule with a large number of new users per second when handling a large amount of data.
Impact:
Multiple failures. When policy execution fails, the system posts messages similar to the following in the debug tmm logs: notice acs_mpi_send/912: ACS: IPC send channel stuck!
Workaround:
None.
Fix:
TMM/APMD now properly communicates when handling a large amount of data under high load conditions.
483141 : mcpd might restart when creating large numbers of traffic groups and devices
Component: TMOS
Symptoms:
mcpd might core or become unresponsive and be restarted by sod.
Conditions:
A large (greater than 64) number of traffic groups are already configured, there are many (greater than 4) devices in trust, and the user creates additional traffic groups.
Impact:
mcpd will restart.
Workaround:
This can be mitigated by turning off mcpd heartbeat monitoring (tmsh modify sys daemon-ha mcpd heartbeat disabled) while traffic groups are being added, but it is not recommended to leave it disabled.
Fix:
The system now handles updating the traffic group state as a result of creating a traffic group while there are many existing traffic groups and devices.
482976 : AppTunnel fails with two resources one with protocol type and other with port range
Component: Access Policy Manager
Symptoms:
AppTunnel fails with two resources, one with protocol type and the other with port range. This occurs when the following conditions are met:
1. The App tunnel resource contains a resource item configured with a protocol type and order 1.
2. The App tunnel has another resource item configured with port range and order 2.
Conditions:
This occurs when the following conditions are met:
1. The App tunnel resource contains a resource item configured with a protocol type and order 1.
2. The App tunnel has another resource item configured with port range and order 2.
Impact:
AppTunnel cannot be established.
Workaround:
To work around the problem, reverse the order, making the port range resource item order 1 and the protocol type order 2.
481001 : Software auto update schedule settings are not synced
Component: TMOS
Symptoms:
Software auto update settings are not synced between two devices in a sync group.
Conditions:
This occurs when performing a full sync between systems that have different auto-update settings.
Impact:
This can lead to software auto update settings not being consistent across two devices.
Workaround:
Adjust the software-update configuration on each device in a configuration synchronization group.
Fix:
Software auto update settings are now synced.
478657 : HTTP URLs with embedded credentials are not working in Portal Access
Component: Access Policy Manager
Symptoms:
If a web application uses HTTP URLs with embedded credentials, then they do not work with Portal Access.
Conditions:
An application uses embedded credentials in the URL.
Impact:
Web-application logic might not work as expected.
Workaround:
None
Fix:
URLs with embedded credentials are now handled correctly in Portal Access. However, these credentials are not passed to the back-end server.
476644 : User logged in as Auditor can't view SAML IdP configuration data; Edit button greyed out.
Component: Access Policy Manager
Symptoms:
A user that is logged in as Auditor cannot view SAML Identity Provider (IdP) configuration data; the Edit button is not available.
Conditions:
This happens to users that are not authorized and to any user in the partition "All [Read Only]".
Impact:
The user cannot view object details in read-only mode.
Workaround:
The user can view read-only object details using tmsh commands.
Fix:
The Edit button's label is now shown as 'View' when a user without write permission logs in.
476524 : SSL handshake delay when SSL mirroring enabled or mirrored connection fails to recover after failover.
Component: Local Traffic Manager
Symptoms:
SSL handshake delay when SSL mirroring enabled, or mirrored connection fails to recover after failover.
Conditions:
Mirroring enabled on TCP virtual server.
Impact:
- SSL handshake delayed for 80% of SSL handshake timeout.
- Mirrored connection fails to recover after failover.
- In rare situations the SSL handshake might be delayed after the ClientHello is transmitted or a mirrored connection may fail to recover after failover.
Workaround:
Set connection.syncookies.threshold (or, in the GUI, SYN Check Activation Threshold) to 0 and enable hardware syncookies in the TCP profile.
475715 : Plugin based endpoint checking clients do not work with Chrome and Firefox
Component: Access Policy Manager
Symptoms:
Because of browser restrictions, F5 Networks' VPN and endpoint checking clients do not work in the Chrome and Firefox browsers.
Conditions:
Chrome or Firefox is used to connect to APM, and either:
- The access policy contains client-side endpoint checks.
- The user attempts to launch VPN from these browsers.
Impact:
In the first case, the access policy fails.
In the second case, VPN cannot be launched from the browser.
Workaround:
Use Internet Explorer.
Fix:
This release of APM contains web clients based on a newer architecture that does not use plugins. These clients are launched using a URL scheme, so they now work with Chrome and Firefox as well as Internet Explorer.
475403-5 : Tunnel reconnect with v2.02 does not occur
Component: Access Policy Manager
Symptoms:
Tunnel reconnect does not happen when DTLS is enabled.
Conditions:
1. Configure an SSL profile.
2. Enable DTLS in the NA resource.
3. Establish an NA connection from the device.
Impact:
Reconnect does not happen.
Workaround:
N/A
Fix:
A HelloRequest is now re-transmitted if it is not answered with a ClientHello.
472860-6 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
Component: Policy Enforcement Manager
Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
Conditions:
Session created via iRule running on the RADIUS virtual server.
Impact:
RADIUS session statistics are not incremented.
Workaround:
None.
Fix:
Session statistics for sessions created via RADIUS are now incremented whenever an iRule running on the RADIUS virtual server creates a new session.
472571-8 : Memory leak with multiple client SSL profiles.
Component: Local Traffic Manager
Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.
Conditions:
Multiple client SSL profiles are attached to a virtual server.
Impact:
A small amount of memory leaks each time a profile is changed.
Workaround:
None.
Fix:
Multiple client SSL profiles attached to a virtual server no longer cause memory to be leaked.
472553 : eventd sweep timer scheduling on deleted consumer can cause CPU and memory consumption to grow
Component: TMOS
Symptoms:
eventd spins at 100% and memory consumption grows over time.
Conditions:
If an eventd consumer is deleted while there are events pending, eventd can spin at 100% and its memory consumption will grow.
Impact:
System performance may be impacted due to eventd CPU usage, and memory consumption increases over time.
Workaround:
None.
471860-8 : Disabling interface keeps DISABLED state even after enabling
Component: TMOS
Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.
Conditions:
This occurs when using both tmsh and the GUI.
Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.
Workaround:
Rebooting corrects the indicator.
Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.
471029-1 : If the configuration contains a filename with the $ character, then saving the UCS fails.
Component: TMOS
Symptoms:
If the configuration contains a filename or username with the $ character, saving the UCS fails. Examples of such filenames include cm cert cache-path and cm key cache-path.
tmsh save sys ucs <ucs-id> fails for such configuration.
The error displayed appears similar to the following:
Fatal: executing: md5sum /var/tmp/filestore_temp/files_d/Common_d/certificate_d/:Common:?><.crt_53783_1
Operation aborted.
/var/tmp/configsync.spec: Error creating package.
Conditions:
Filenames or usernames in the configuration contain the $ character. For example, cm cert cache-path or cm key cache-path.
Impact:
Saving UCS fails.
Workaround:
Do not use the $ character as part of the filenames or usernames in the configuration.
470612 : ACCESS logs non-fatal snapshot errors
Component: Access Policy Manager
Symptoms:
Log entries like the following appear in /var/log/apm:
Jun 25 11:45:24 JASSL302 err tmm[9517]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access_snapshot.c, Function: access_config_snapshot_list_delete, Line: 552
Jun 25 11:45:24 JASSL302 err tmm[9517]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access_snapshot.c, Function: access_config_snapshot_final_callback, Line: 233
Jun 25 11:45:24 JASSL302 err tmm[9517]: 01490537:3: tmm.session.51e51c88bb7a9_13oooooooooooooooo: Access failed to delete configuration snapshot. Err: Illegal argument.
Conditions:
These errors can occur during normal operating conditions due to configuration changes, HA failovers, or APD restarts. The error should be treated as non-fatal.
Impact:
Logging non-fatal error messages at error level is confusing to administrators.
Fix:
These errors are now logged at NOTICE level.
470238 : tmm restart issue when number of cores in license differs from number of system CPUs.
Component: TMOS
Symptoms:
tmm restarts continuously when the number of cores specified in the license differs from the number of CPUs on the system.
Conditions:
The value of perf_VE_cores in /config/bigip.license differs from the number of CPUs on the virtual machine.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Manually set the value of DB variable provision.tmmcount to the value of perf_VE_cores specified in the license. To do so, run the following command: tmsh modify sys db provision.tmmcount _value_.
470231 : HTML5 WebSocket API is not supported in Portal Access
Component: Access Policy Manager
Symptoms:
WebSocket API is currently not supported in Portal Access.
Impact:
Applications cannot establish WebSocket connections through Portal Access.
Workaround:
An iRule workaround can be provided for a specific application and deployment on request.
468130 : When Kerberos authentication is used with RBA enabled, the first POST request sent to the BIG-IP system could be lost under certain conditions.
Component: Access Policy Manager
Symptoms:
When Kerberos authentication is used with request-based authentication (RBA) enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider (IdP) and the http-post SSO binding is used.
Conditions:
The problem occurs under these conditions:
1. RBA is enabled.
2. Kerberos Auth is used.
3. The first request to the BIG-IP system, before a session has been established, is a POST request.
Impact:
Some functionality may not behave properly; for example, when the BIG-IP system is configured as a SAML IdP and an http-post SSO binding is used, AuthnRequest can get lost and authentication will fail.
Workaround:
To work around the problem, edit the access policy and, in the properties for the Kerberos Auth item, set Request Based Auth to Disabled.
466285 : In Chrome browser, displayed user role switches to Unknown for few seconds after switching partitions.
Component: TMOS
Symptoms:
When certain users switch partitions, their displayed role shows Unknown. After a few seconds, the appropriate role displays for the active partition.
Conditions:
A user with access only to specific partitions switches partitions. This occurs only with the Chrome browser.
Impact:
Unknown is shown as the role in the top bar of the GUI. This issue is only cosmetic; the user's actual role changes immediately. Any activity in the intervening time period is performed with the user's true role in that partition.
Workaround:
Use Firefox or Internet Explorer browsers.
466016 : Graceful Restart does not function when primary blade is rebooted
Component: TMOS
Symptoms:
When the primary blade is rebooted, the system halts all daemons, including those that maintain the routing table. This might flush the routing table before the secondary blade becomes active, which might cause traffic outages. Because of this issue, you might see the following symptom: dynamic routes advertised by the BIG-IP system and by its neighbors are deleted due to the shutdown. OSPF withdraws the routes advertised to the neighbor.
Conditions:
This occurs when the primary blade is rebooted.
Impact:
Traffic flow may be impacted. Note: The graceful restart process is initiated on the new primary blade at this point, which recovers the routes.
Workaround:
Force blade failover before rebooting the blade.
To force an active blade or cluster into a standby state:
1. Navigate to System :: High Availability :: Failover :: Redundancy.
2. Click Force to Standby.
With failover, the new blade becomes primary and picks up routing functions before the reboot halts the routing daemons.
Fix:
The shutdown process now forces blade failover first before rebooting the blade, which enables the secondary to pick up the routing table before becoming primary.
464923 : Insufficient error information when netHSM is used without proper licensing
Component: Local Traffic Manager
Symptoms:
Trying to use a netHSM key without the HSM license causes the SSL handshake to fail with a general error in sign server key exchange.
Conditions:
This issue might occur when using netHSM without HSM licensing.
Impact:
The system posts potentially confusing errors similar to the following (with ssl debug logs turned on):
-- debug tmm3[28399]: 01260009:7: Connection error: ssl_hs_vfy_sign_srvkeyxchg:8309: sign_srvkeyxchg (80)
-- info tmm3[28399]: 01260013:6: SSL Handshake failed for TCP 10.10.10.13:47804 -> 10.10.10.23:443
Workaround:
License HSM. To determine whether this is the issue related to these messages, turn on tmm.verbose. Then, if netHSM is not licensed, the following message appears in /var/log/tmm: notice No license for external HSM.
Fix:
Now, if netHSM is not licensed, the system provides a clear error indicating that a license is needed.
464801 : Intermittent tmm core
Component: Local Traffic Manager
Symptoms:
tmm intermittently cores. The stack trace signature indicates "packet is locked by a driver".
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an intermittent tmm core.
464572 : Validation of IP/mask for SNMP allowed-addresses list.
Component: TMOS
Symptoms:
The GUI option Client Allow List and the TMSH allowed-address property require IP address values. However, the system does not prevent entering a non-IP address value.
Conditions:
The issue occurs on both BIG-IQ and BIG-IP systems, and always applies when configuring SNMP allowed-addresses.
Impact:
The CLI and GUI do not validate IP/mask for SNMP configurations within the allowed-addresses list.
Workaround:
Double check IP/mask entries for the GUI option Client Allow List and the TMSH allowed-address property.
Fix:
Address, network address, and hostname validation is now performed.
462754 : SSL connection may not survive multiple failovers or delay response
Component: Local Traffic Manager
Symptoms:
The system does not support SSL mirroring with L7 mirroring. When an SSL connection is mirrored, after a few failovers, the connection is reset or the response is delayed for up to several minutes.
Conditions:
This occurs when SSL connections are mirrored.
Impact:
The connection is reset or the response is delayed for up to several minutes. The BIG-IP system does not forward the request to the server. In addition, you cannot use L7 features like iRules on mirrored SSL virtual servers.
Workaround:
Do not use SSL mirroring with L7 mirroring. SSL mirroring is not supported with L7 mirroring.
460833 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This symptom may occur under the following conditions:
1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
459671 : iRules source different procs from different partitions and executes the incorrect proc.
Component: Local Traffic Manager
Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.
Conditions:
Multiple iRule procs defined in multiple admin partitions.
Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.
Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.
455975 : Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
Component: Access Policy Manager
Symptoms:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.
Conditions:
Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns.
Impact:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.
Workaround:
This issue has no workaround at this time.
Fix:
Access Sessions and Connectivity Sessions are now exposed correctly in SNMP MIBS.
455560 : HTTP filter waits until part of the body is received before sending small headers
Component: Local Traffic Manager
Symptoms:
If the HTTP filter expects a body attached to a response, the filter waits for part of that body to arrive before sending headers smaller than 16 KB. This is done for performance reasons, to minimize the number of packets sent (since the headers are usually smaller than a single packet).
If a misconfigured server waits to send a body, or fails to send one at all, the BIG-IP system waits until the connection ends before sending the response. This has been seen to affect redirect responses with no Content-Length header.
Conditions:
This occurs when the following conditions are met:
-- A response indicating a body.
-- The headers are smaller than 16 KB.
-- The body takes time to arrive, or never arrives at all.
Impact:
The connection might appear to stall until the server-side sends a body or disconnects.
Workaround:
The headers can be padded to be larger than 16 KB by an iRule. (This causes the BIG-IP system not to wait.) HTTP::respond might also be useful to emulate a redirect response manually.
450136 : Occasionally customers see chunk boundaries as part of HTTP response
Component: Access Policy Manager
Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.
Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.
Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.
Workaround:
To work around this problem, use an iRule to always rechunk the HTTP response.
Fix:
A simple iRule is now applied internally to rechunk the response in the HTTP_RESPONSE event when the content is already chunked by the backend/application servers.
448477 : devmgmtd may crash during provisioning
Component: TMOS
Symptoms:
devmgmtd (also known as devmgmtd++ on older versions) may crash during some provisioning operations.
Conditions:
This happens during some provisioning operations.
Impact:
A core dump will be left on the device, but no further ill effects.
Workaround:
None.
447689 : [Portal Access] Version disclosure
Component: Access Policy Manager
Symptoms:
Portal rewritten pages contain unencoded version information.
Conditions:
APM portal configured
Impact:
Software version disclosure
Workaround:
#
# Substitute the plain-text BIG-IP version in 01000-rules.js, cache-fm.js and cache-fm-debug.js
# with the md5sum of that plain text.
#
# INSTRUCTIONS:
#
# a) as root on the BIG-IP system, change directory to /var/sam/www/webtop/private/fm and place this script there;
# b) back up the files modified by this script:
# 01000-rules.js
# cache-fm.js
# cache-fm-debug.js
# c) execute this script;
# d) restart services:
# tmsh restart sys service tmm
# tmsh restart sys service rewrite
#
# Note: This should be done for all systems in the failover configuration.
#
# Extract the plain-text version string from the F5_version line of 01000-rules.js.
STAMP=$(grep BIGIP 01000-rules.js | sed "/F5_version/s/.*special_object[^']*'\([^']*\)'\".*/\1/")
if [ -z "$STAMP" ] ; then
echo "Nothing is done. F5_version is already obfuscated"
exit 0
else
# md5sum of the version string itself (echo -n so the trailing newline is not hashed).
STAMPMD5=$(echo -n "$STAMP" | md5sum | awk '{print $1}')
for i in 01000-rules.js cache-fm.js cache-fm-debug.js
do
# Replace the quoted version value with its md5sum, then move the result into place.
sed "/F5_version/s/\(.*special_object[^']*'\)[^']*\('\".*\)/\1$STAMPMD5\2/" "$i" > "$i.obfusc"
cp "$i.obfusc" "$i"
rm "$i.obfusc"
done
echo "F5_version $STAMP is converted into md5sum $STAMPMD5"
fi
Fix:
[Portal Access] BIG-IP version is obfuscated.
447565 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Component: Access Policy Manager
Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.
Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.
Impact:
End users will be unable to connect.
Workaround:
Correct the problem by running the following command:
bigstart restart eca
442226 : Link Controller fails to auto-create a self-server
Component: Global Traffic Manager
Symptoms:
Link Controller will create a data center, but fails to create a GTM server for itself. Any LTM virtual servers configured will not show up as members in the Wide IP configuration.
Conditions:
Always
Impact:
Users must manually create and maintain the GTM server
Workaround:
Use tmsh to create a GTM server:
Standalone:
create gtm server <self host name> datacenter Default_DC addresses add { 10.20.0.1 { device-name <self host name> } } virtual-server-discovery enabled product single-bigip
Redundant:
create gtm server <self host name> datacenter Default_DC addresses add { 10.20.0.1 { device-name <self host name> } 10.20.0.2 { device-name <peer host name>} } virtual-server-discovery enabled product redundant-bigip
Fix:
Not fixed
441525 : Support RDP connections to arbitrary servers from APM Webtop
Component: Access Policy Manager
Symptoms:
VDI RDP resources must be statically defined by the administrator; end users connecting to the APM Webtop are unable to define their own RDP connections.
Conditions:
This occurs when accessing RDP resources from the Webtop.
Impact:
End users wanting to connect to an RDP resource not explicitly listed on the webtop are unable to configure a connection.
Workaround:
None.
Fix:
An RDP resource of type "User defined" has been added to APM. If you add this as a resource, end users will be able to specify their own RDP resources to connect to.
441079 : BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
Component: Local Traffic Manager
Symptoms:
The BIG-IP system is modifying the source port on NAT connections.
Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.
Impact:
This impacts any applications where the source port is expected to be preserved.
Workaround:
None.
Fix:
The source port is always preserved for NAT connections.
Behavior Change:
The source port is always preserved for NAT connections.
438135 : APM does not support multimon and monitors custom properties for RDP resources
Component: Access Policy Manager
Symptoms:
Remote desktop (RDP) resources do not support the custom parameters "use multimon" and "span monitors".
Conditions:
Accessing RDP resources through APM.
Impact:
Cannot use multiple monitors when accessing RDP resources through APM.
Workaround:
None.
Fix:
APM now supports custom parameters "use multimon" and "span monitors" for RDP resources when the resources are accessed through APM webtop. Note that this is supported only for native RDP clients.
434773 : Oracle Access Manager 'Clear local Config Cache' button deletes incorrect config.cache file
Component: Access Policy Manager
Symptoms:
Pressing the 'Clear Local Config Cache' button on the Access :: Oracle Access Manager properties page, will delete the /config/aaa/oam/config.cache file.
Conditions:
When Oracle Access Manager is configured along with one or more AccessGates, the system generates a config.cache file under a file path that includes the Partition and AccessGate name. For example, for an AccessGate named AccessGate1 configured in the /Common partition, the system generates a local cache file at the following path:
/config/aaa/oam/Common/oampd/AccessGate1/config.cache.
By default the system has a template cache file found at:
/config/aaa/oam/config.cache.
Impact:
Pressing the 'Clear Local Config Cache' button will incorrectly delete the template file, but not the actual local config.cache generated for the configured AccessGate. Deletion of the template file has no impact to the admin or the system. However, since the system does not delete the correct file for a specific AccessGate, the system will not force Access Policy Manager to bootstrap the AccessGate, nor will it be reinitialized against the OAM access server.
Workaround:
None.
Fix:
The 'Clear Local Config Cache' button has been removed from the Oracle Access Manager properties page, and has moved to the AccessGate Properties page. Additional handling was added to process the request and delete the appropriate local config.cache file for the specific AccessGate.
433678 : A monitor removed from GTM link cannot be deleted: 'monitor is in use'
Component: Global Traffic Manager (DNS)
Symptoms:
A monitor removed from GTM link cannot be deleted. Attempting to delete the monitor results in an error message similar to the following: 01070083:3: Monitor /Common/custom_gtm_mon is in use.
Conditions:
Deleting a custom monitor that was formerly used by a GTM link.
1. Create a custom GTM monitor that can be used on a link.
2. Create a GTM link, and add the custom monitor to it.
3. Remove the monitor from the link.
4. Attempt to delete the monitor.
Impact:
Unable to delete monitor.
Workaround:
Reload the GTM config and delete the monitor.
Fix:
This release enables deletion of a monitor removed from GTM link, and no monitor-in-use error message is returned.
433323 : Ramcache handling of Cache-Control: no-cache directive in Response
Component: Local Traffic Manager
Symptoms:
Previously, when a Cache-Control header from the OWS contained a no-cache directive, RAM Cache mistakenly interpreted it the same as a no-store directive.
Conditions:
Configure a virtual server with HTTP caching.
Impact:
Failure to cache a cacheable document.
Workaround:
This issue has no workaround at this time.
Fix:
RAM Cache will now cache the document, and then do a conditional get on each request (treating the document according to RFC 7234 semantics).
433242 : SAML SLO does not work if one of SLO Request URL, SLO Response URL not configured
Component: Access Policy Manager
Symptoms:
SAML Single Logout (SLO) does not work when all of the following are true: The BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provider (SP); the other party configuration has SLO configured; the SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO Response URL.
Conditions:
SAML SLO is configured with a SAML other party, and the other party does not have both an SLO Request URL and an SLO Response URL.
Impact:
SAML SLO does not work.
Workaround:
To work around the problem, configure both SAML SLO Request URL and SAML SLO Response URL for SP and IdP connectors.
431840-1 : Cannot add vlans to whitelist if they contain a hyphen
Component: Advanced Firewall Manager
Symptoms:
When attempting to add a vlan to the DoS protection whitelist and the vlan contains a hyphen, the following validation error is returned:
01071792:3: Vlan should be numeric form as vlan number / mask
Conditions:
Adding a vlan containing a hyphen to the whitelist
Impact:
Unable to add vlans that contain a hyphen
Workaround:
Instead of using the VLAN by name, specify the VLAN tag number. Ignore the drop-down menu offering the VLAN names.
431764 : Full webtop title is not localized
Component: Access Policy Manager
Symptoms:
Full webtop title is not localized; it only shows "F5 Dynamic Webtop".
Conditions:
This issue always occurs.
Impact:
This issue is cosmetic and does not prevent work.
Workaround:
This issue has no workaround at this time.
Fix:
The full webtop title is now localized with APM.
428928 : Policy with auto-detect encoding is not configured on target of device group sync
Component: Application Security Manager
Symptoms:
Device management: A security policy is not configured on the target device if the Auto detect option is selected for this security policy on the source device.
Conditions:
A security policy is created with auto-detect encoding with device group sync configured.
Impact:
On the target device of device group sync, the security policy appears as unconfigured.
Workaround:
After policy encoding has been detected, manually push sync to peer devices.
Fix:
Auto-detect encoding for security policy is preserved in device group sync.
427223-1 : VIPRION C4800-series chassis Annunciator card numbering appears backwards
Component: TMOS
Symptoms:
VIPRION C4800-series chassis contain two Annunciator cards which perform chassis-level hardware-management functionality. Each card is located in a numbered slot accessible via the chassis front panel after removing the LCD display.
BIG-IP utilities (such as the 'bladectl' utility or the 'tmsh show sys hardware' command) label the annunciator cards numerically opposite from the chassis front-panel slot labels.
- The annunciator card located in physical slot 2 is identified as 'Annunciator'.
- The annunciator card located in physical slot 1 is identified as 'Annunciator 2'.
Conditions:
VIPRION C4800-series chassis running affected versions of BIG-IP.
Impact:
Inconsistency between logical and physical numbering of the chassis annunciator cards can cause confusion when one of the annunciator cards requires replacement or other service.
Workaround:
Remember that numerical identification of chassis annunciator cards in the TMOS UI is reversed from the physical annunciator slot numbering.
425339 : GUI shows incorrect number of members of pool in HA group after pool config is sync'ed from peer unit.
Component: TMOS
Symptoms:
GUI shows incorrect number of members of pool in high availability (HA) group after pool config is sync'ed from peer unit.
Conditions:
This is triggered when automatic sync is configured with incremental synchronization on a sync-failover device group. It will be visible on the HA Groups page in the Pools section after a configuration sync is performed from a device where the pool members were modified.
Impact:
The number of pool members listed in the HA Groups page is incorrect (e.g., shows 2 when it should show 1, 3 when it should show 2). Although this issue is cosmetic, it makes it difficult to configure the HA Group on the affected device.
Workaround:
The incorrect pool member display can be fixed on the affected device by running the following tmsh command:
tmsh load sys config
Impact of procedure: This command loads the saved configuration, so any in-memory changes (i.e., changes that have not been saved to disk) will be lost. Since the affected device is a sync target, and no other changes should have been made, it should be safe to run this command.
Fix:
High availability (HA) Groups page now displays the expected pool members on the sync target device after an automatic incremental sync is performed.
425108 : Tab completion in the tmsh might not list all transparent monitors
Component: Global Traffic Manager
Symptoms:
If you create or modify a GTM link in tmsh to include a monitor, and attempt to list the available monitors using tab completion, only monitors of type bigip-link or gateway-icmp are listed.
Conditions:
This issue occurs when all of the following conditions are met:
-- A custom transparent monitor is configured.
-- The monitor type is not Gateway ICMP.
-- Tab completion in tmsh is used to display all available custom transparent monitors.
Impact:
If the user attempts to apply a transparent http, https, tcp, tcp-half-open, or udp monitor, to a link, it will not be listed by tab completion.
Workaround:
You can work around this issue when associating the monitor with a GTM link using the tmsh utility. To do so, you can manually type the name of a custom transparent monitor.
424542 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
Component: TMOS
Symptoms:
tmsh modify net interface commands with either invalid interface names, or invalid attribute names will appear to create new interfaces.
An invalid interface will show up in "show net interfaces".
Conditions:
Only happens on clustered or virtual environments, not on appliances.
Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.
Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"
423629 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
Component: Local Traffic Manager
Symptoms:
bigd restarts once, and afterwards, subsequent pings from the monitor fail.
Conditions:
This can occur when assigning an ICMP monitor to a pool member, specifying a route domain that does not exist.
Impact:
For bigd, a single restart is actually harmless. The invalid config causes monitor failures; since the route domain does not exist, the pool member is marked down.
423392 : tcl_platform is no longer in the static:: namespace
Component: Local Traffic Manager
Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.
Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.
Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.
Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.
421851-2 : Config load does not skip leading whitespaces if iRule starts with #
Component: TMOS
Symptoms:
When iRules are saved into bigip.conf, the first line is automatically indented with four whitespace characters. Usually these are removed when the config is loaded, but when an iRule starts with commented lines, the whitespace is not removed. Every subsequent save/load operation adds another four whitespace characters. When a user adds a checksum to the iRule, loading fails with a checksum verification error.
Conditions:
This occurs when both conditions are true:
1. Line 1 begins with a # character and white space.
2. The checksum operation is performed on the iRule.
Impact:
Load failure.
Workaround:
Remove the whitespace at the beginning of the iRule.
420558 : External Datagroup records not listed
Component: TMOS
Symptoms:
Using the list command does not display the records of an external datagroup.
Conditions:
Using an external datagroup.
Impact:
Can't see external datagroup entries.
Workaround:
None.
Fix:
Can now see entries using the following tmsh command:
show ltm data-group external XYZ external-records.
415608 : ICMP messages can be throttled without log message
Component: Local Traffic Manager
Symptoms:
When TM.MaxICMPRate is reached, TMM will drop ICMP requests.
There is no visibility in logs when that happens.
Conditions:
Excessive ICMP traffic.
Impact:
There is no functional impact, but it is harder to troubleshoot such a condition.
Workaround:
Use TMM counters.
412817 : BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
Component: TMOS
Symptoms:
The BIG-IP system is unreachable for IPv6 traffic via PCI pass-through interfaces, because current ixgbevf drivers do not support multicast receive.
Conditions:
When configured to see IPv6 traffic on a PCI pass-through interface, the BIG-IP guest is not able to see this traffic.
Impact:
PCI pass-through interfaces are unable to see IPv6 traffic.
Workaround:
None.
409340 : https/ssl monitor closes immediately (rather than awaiting remote close-notify)
Component: Local Traffic Manager
Symptoms:
SSL-based monitors (such as https) continue to maintain an open connection for up to ~15 seconds after the monitor probe is completed, when connecting to an SSL enabled web server that fails to send close-notify before FIN.
Conditions:
Configuration uses SSL-based monitors (such as https), where your SSL enabled web server fails to send close-notify before FIN.
Impact:
SSL-enabled monitors wait ~15 seconds before closing the connection and reclaiming resources. Although this behavior is correct according to the SSL protocol, it has the potential to introduce a limited amount of connection stacking on the monitored host.
Workaround:
Your SSL enabled web server should send close-notify before FIN for SSL-based monitors to close immediately.
Fix:
Previous behavior for an SSL-based monitor (such as https) sent a shutdown notification to the remote-server, and awaited a close-reply (shutdown acknowledgement) response for up to 15 seconds. When an SSL-enabled web server fails to send close-notify, the SSL-based monitor hangs in CLOSE_WAIT for ~15 seconds before sending FIN and closing the connection. This waiting consumes resources that are unavailable for other monitoring, which is observed to be significant on certain configurations with high https monitor loads.
New behavior is to close the connection immediately after sending shutdown notification to the remote server, and not await a shutdown acknowledgement.
408599 : The iRule node command does not function as expected when invoked from the LB_SELECTED event.
Component: Local Traffic Manager
Symptoms:
The iRule node command does not function properly when invoked from the LB_SELECTED event.
Conditions:
Using an iRule in which the 'node' command in the LB_SELECTED event modifies the node or port.
Impact:
Although logs from the iRule may indicate the node and/or port was modified, the changes are not applied, as a subsequent tcpdump confirms.
Workaround:
It is possible to use node under LB_SELECTED if it is paired with LB::reselect. If the port is changed in the node command, the virtual server must be configured with port translation.
A load balancing decision can also be changed under other events, for example CLIENT_ACCEPTED.
407411 : New APIs for iControl SOAP Trust management
Component: TMOS
Symptoms:
iControl SOAP APIs do not include interfaces for getting the members of the trust, so you cannot retrieve the authority and non-authority devices that belong to the trust.
Conditions:
Using iControl APIs.
Impact:
Cannot retrieve authority and non-authority devices that belong to the trust.
Workaround:
None.
Fix:
This release adds two interfaces to Management/Trust iControl SOAP to retrieve the authority and non-authority devices that are part of the trust. The methods are called get_non_authority_device and get_authority_device.
Behavior Change:
This release adds two interfaces to Management/Trust iControl SOAP to retrieve the authority and non-authority devices that are part of the trust. The methods are called get_non_authority_device and get_authority_device.
406550 : CVE-2012-5784: Apache Axis vulnerability
Vulnerability Solution Article: K14371
405898 : If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected
Component: Local Traffic Manager
Symptoms:
If the maximum transmission unit (MTU) in effect for a network running OSPF differs from the interface MTU configured in ZebOS or on its neighbor router, OSPF adjacencies may not form, or some datagrams may be rejected.
Conditions:
TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface. OSPF running on that interface.
Impact:
OSPF adjacencies never fully form and routes are not exchanged.
Workaround:
Restarting TMM clears the cached maximum transmission unit (MTU), and leaving all interface MTUs at their default values should prevent a mismatch.
Fix:
OSPF traffic is no longer subject to cached route MTUs and will not be obstructed by route metrics with MTUs smaller than the interface MTU.
402793-19 : APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
Component: Access Policy Manager
Symptoms:
VPN connections on Linux and Mac clients can slow down and may lose some packets while performing secure renegotiation on a TLS or DTLS Network Access tunnel.
Conditions:
Secure re-negotiation configured on APM virtual server.
Impact:
Users can experience disconnects or traffic loss on APM Network Access connection.
Workaround:
n/a
Fix:
APM clients for Linux and Mac modified to perform better during secure re-negotiation.
401815-2 : IP ToS not passing through with SIP LB
Component: Service Provider
Symptoms:
Egress flow doesn't show the ToS bit even though ingress flow has ToS bit set.
Conditions:
Non zero ToS value in the ingress flow
Impact:
Ingress flow ToS value is not propagated to egress flow
Workaround:
when CLIENT_ACCEPTED {
set client_tos [IP::tos]
}
when SERVER_CONNECTED {
IP::tos $client_tos
}
Fix:
Propagate the ToS bit from ingress flow to the egress flow.
401569 : VADC: Virtual Servers are not accessible through VLAN without any interface.
Component: TMOS
Symptoms:
On Virtual Edition (VE), if a VLAN was created without any assigned interface, then it will get 00:98:76:54:32:10 MAC address. This address is not functional for accessing any virtual server via such VLAN.
Conditions:
The issue is VE-specific due to vmw-compat VLAN MAC assignment policy.
Impact:
This behavior is different from BIG-IP v11.0.0 (and earlier) where VLANs without any interface had MAC address 00:00:00:00:00:00. The 00:98:76:54:32:10 MAC address is not functional for accessing any virtual server via such VLAN.
Workaround:
Possible workarounds:
1. Attach/detach an interface.
2. Manually assign 00:00:00:00:00:00 to VLAN (e.g., by using the ip command).
399857 : Access Policy Export / Import fails when folders are used★
Component: Access Policy Manager
Symptoms:
APM has an Import / Export function to import and export Access Policies to import on a separate BIG-IP system. This fails when Access Policies are contained inside of subfolders.
Since most iApps (Microsoft Exchange, Citrix, or VMware View) produce Access Policies that contain subfolders, the effective result is that iApp-generated Access Policies cannot be imported or exported to another BIG-IP system.
On export you may see this error:
Export Error: Profile partition Common/OWA_F5.app is not admin's partition Common or Common.
On import you may see this error:
Import Error: 01070734:3: Configuration error: The object (Customization Group /Common/<resource>) is owned by a non-existent application (/Common/<iApp folder>/<resource>). Unexpected Error: Validating configuration process failed.
Conditions:
iApp generated configuration (Microsoft Exchange, Citrix, or VMware View).
Import / export of profile/policy.
Impact:
Cannot import / export iApp-generated Access Policies to / from another BIG-IP system.
Workaround:
No workaround, although Policy Sync might help with configuration migration / synchronization.
Fix:
iApp-generated Access Policies can now be imported from or exported to another BIG-IP system.
393270 : Configuration utility may become non-responsive or fail to load.
Component: TMOS
Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Unable to log into the GUI, or the GUI shows a blank page.
Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.
Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.
392140 : GTM Device IP translation address not available from iControl
Component: TMOS
Symptoms:
It is not possible to set the IP translation address from iControl.
Conditions:
Configuring a GTM Server that requires an IP translation address.
Impact:
A different interface must be used to configure the address.
Workaround:
Use the GUI or tmsh commands to configure the address.
Fix:
The GTM Device IP translation address is now configurable by iControl.
392121 : TMSH Command to retrieve the memory consumption of the bd process
Component: Application Security Manager
Symptoms:
There are no tmsh commands to retrieve the memory consumption of the bd process.
Conditions:
tmsh commands don't show bd process memory usage.
Impact:
Difficult to diagnose memory consumption issues.
Workaround:
Review messages individually in /var/log/ts/bd.log.
### For ASM bd current memory consumption, use the following grep command (the log path is the one given above):
grep "UMU: total" /var/log/ts/bd.log
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0
### For XML memory consumption in the bd process, do the following on the BIG-IP system.
*WARNING*: The following steps enable debug prints to bd.log, which may cause excessive I/O; handle with care on production systems.
1. Add the following 3 lines to /etc/ts/bd/logger.cfg:
MODULE=BD_XML;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;
2. Run the CLI tool:
/usr/share/ts/bin/set_active.pl --update_logger_cfg
To stop the debug prints, remove the 3 lines from the logger.cfg file and run the CLI tool again.
Fix:
The following command now reports memory consumption of the bd process:
tmctl asm_memory_util_stats
For specific fields -s option can be used, for example:
tmctl asm_memory_util_stats -s total_xml_mem_used,total_xml_max_mem
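The "UMU: total" lines in the workaround above are the only memory signal available before the tmctl table existed, and reading them one by one does not show a trend. The following parser is an added example (not F5 code and not part of the release notes): it extracts the integer fields from each UMU line, skips everything else in the log, and reports peak VM/RSS and RSS growth between the first and last sample. The sample log text is constructed here from the format shown above; the field names and the summary keys are the example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample of bd.log lines in the "UMU: total" format shown above
# (not a real capture; the unrelated line checks that non-UMU lines are skipped).
SAMPLE_BD_LOG = """\
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
Jan 01 00:00:01 bd: some unrelated bd.log message
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0
"""

# One regex for the whole UMU line; the "( 0M)" groups are space-padded, hence \s*.
# search() rather than match() so a timestamp prefix before "UMU:" does not matter.
UMU_RE = re.compile(
    r"UMU: total (?P<total>\d+) \(\s*(?P<total_mb>\d+)M\)"
    r" VM \(\s*(?P<vm_mb>\d+)M\)"
    r" RSS \(\s*(?P<rss_mb>\d+)M\)"
    r" SWAP \(\s*(?P<swap_mb>\d+)M\)"
    r" trans (?P<trans>\d+)"
)


def parse_umu_lines(text: str) -> List[Dict[str, int]]:
    """Return one dict of integer fields per UMU line; other lines are ignored."""
    samples = []
    for line in text.splitlines():
        m = UMU_RE.search(line)
        if m:
            samples.append({k: int(v) for k, v in m.groupdict().items()})
    return samples


def summarize(samples: List[Dict[str, int]]) -> Dict[str, int]:
    """Peak VM/RSS and RSS growth (last minus first) across the samples.

    A steadily positive rss_growth_mb over a long log is the thing to look at
    when diagnosing bd memory consumption; a single high value is not.
    """
    if not samples:
        return {"count": 0, "max_vm_mb": 0, "max_rss_mb": 0, "rss_growth_mb": 0}
    return {
        "count": len(samples),
        "max_vm_mb": max(s["vm_mb"] for s in samples),
        "max_rss_mb": max(s["rss_mb"] for s in samples),
        "rss_growth_mb": samples[-1]["rss_mb"] - samples[0]["rss_mb"],
    }


if __name__ == "__main__":
    # Usage: replace SAMPLE_BD_LOG with open("/var/log/ts/bd.log").read()
    stats = summarize(parse_umu_lines(SAMPLE_BD_LOG))
    for key, value in stats.items():
        print(f"{key}: {value}")
```

Run it against a copy of bd.log taken off the box rather than on the appliance itself; the script only reads text and needs no BIG-IP libraries.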
390196 : Support Route Domains for VDI deployments (Citrix, VMware View, RDP)
Component: Access Policy Manager
Symptoms:
VDI deployments (Citrix, VMware Horizon View, and Microsoft Remote Desktop (RDP)) do not support non-default route domains for backend addresses.
Conditions:
APM deployment used for some remote desktop access (Citrix, VMware Horizon View, or RDP).
Impact:
Cannot use non-default route domains for VDI deployments.
Workaround:
None.
Fix:
For VDI deployments, the route domain to be used is taken from the session.assigned.route_domain session variable or, if that variable is not set, from the route domain of the virtual server.
Note: This doesn't work for the environments that make use of other APM configuration objects that currently don't support non-default route domains, such as WebSSO.
Behavior Change:
Previously, VDI deployments (Citrix, VMware Horizon View, and RDP) did not support non-default route domains for backend addresses.
Now, the route domain to be used is taken from the session.assigned.route_domain session variable or, if that variable is not set, from the route domain of the virtual server.
Note: This doesn't work for the environments that make use of other APM configuration objects that currently don't support non-default route domains, such as WebSSO.
389881 : Flash items on webpage do not load correctly through APM portal
Component: Access Policy Manager
Symptoms:
The Portal Access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3.
Conditions:
Access Portal enabled
Applications contain Flash content that was created with Flex.
Impact:
Flex applet does not work through Portal.
Workaround:
None.
Fix:
Portal Access is not able to rewrite signed .swz Flex framework library files.
389484 : OAM reporting Access Server down with JDK version 1.6.0_27 or later
Component: Access Policy Manager
Symptoms:
Cannot connect to Access Server.
When running the eamtest tool to check that OAM and the Access Server are working together correctly, the following error is seen:
Preparing to connect to Access Server. Please wait.
Access Server you specified is currently down. Please check your Access Server.
oamconfig[2368]: Could not configure OAM
Conditions:
The problem occurs only when OAM server is installed with JDK version 1.6.0_27 or later.
Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.
Workaround:
Install a JDK version older than 1.6.0_27.
Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.
386517 : Multidomain SSO requires a default pool be configured
Component: Access Policy Manager
Symptoms:
When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after logon, the user will be redirected back to another logon page.
Conditions:
Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned.
Impact:
There are two known use cases where this is commonly encountered. 1) LTM + Secure Connectivity virtuals do not usually have a default pool configured.
2) The pool is being configured through an iRule
Workaround:
When configuring multidomain SSO, always assign a default pool to the virtual server.
Fix:
Some of the logic in ACCESS was updated to take dynamic pool assignments (e.g., from iRules) into account in addition to the default pool. A default pool is no longer needed for multidomain SSO.
384405 : web-acceleration profile not working with access profile
Component: Access Policy Manager
Symptoms:
With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic virtual server, it does not take effect until you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content.
Conditions:
Virtual Server configured with Access profile, and a web-accelerator profile is added to it
Impact:
Web acceleration is not enabled on the virtual server, which negatively impacts performance of APM on that virtual.
Workaround:
At the command line, type bigstart restart tmm.
378094 : Support for SPDY over TLS
Component: Traffic Classification Engine
Symptoms:
There is no support for SPDY over TLS.
Conditions:
Trying to use SPDY over TLS.
Impact:
Cannot use SPDY over TLS.
Workaround:
None.
Fix:
This release adds SPDY classification support.
371164 : BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC address might be associated with multiple VLANs.
Component: Local Traffic Manager
Symptoms:
Because traffic groups are not bound to any specific VLAN or interface, Neighbor Discovery (ND) for link-local addresses goes out on all VLANs. Since the MAC masquerade address is bound to the traffic group, it is not bound to a particular VLAN either.
Conditions:
Using MAC masquerade addresses on VLANs. TMM creates new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs.
For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.
Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}
Impact:
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build their forwarding tables per VLAN, some switches might not do so correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4.
Workaround:
Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.
370131-5 : Loading UCS with low GTM Autoconf Delay drops pool Members from config
Component: Global Traffic Manager
Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.
Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.
Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.
Workaround:
Run 'bigstart stop gtmd' during the UCS load, or set the Autoconf Delay much higher than the time required to load the UCS.
Fix:
Loading UCS with low GTM Autoconf Delay now completes correctly.
369407 : Access policy objects are created inconsistently depending on whether created using wizard or manually.
Component: Access Policy Manager
Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.
Conditions:
This is evident when viewing the label following completion of the NA wizard.
Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.
Workaround:
None.
Fix:
The label of the Resource Assign agent created by the Network Access wizard is changed to Advanced Resource Assign, which is correct. The wizard user (admin) is also presented with a choice of full or special webtop.
367670 : APM allows only limited resources to be added to webtop
Component: Access Policy Manager
Symptoms:
When trying to add more resources to a webtop that already contains a large number of resources, the command may fail.
Conditions:
This occurs when the webtop already has a large number (hundreds or thousands, depending on configuration) of resources configured, and new webtop resources are added.
Impact:
APM policy execution will have a problem.
Workaround:
Limit the number of resources that can be added to the webtop.
Fix:
Increased the limit of resources that can be configured for the webtop.
366149 : ACL support for VPN tunnels
Component: Access Policy Manager
Symptoms:
ACL is not supported for connections between VPN tunnel clients.
Conditions:
Using APM network access.
Impact:
Cannot use ACL for connections between VPN tunnel clients.
Workaround:
None.
Fix:
ACLs are now supported for connections between VPN tunnel clients. The following steps describe how to run ACLs for VPN/APM Network Access tunnel clients:
1. Create an iRule:
root@(bigip3923mgmt)(cfg-sync Standalone)(Eval:Active)(/Common)(tmos)# list ltm rule na_acl_leasepool
ltm rule na_acl_leasepool {
    when CLIENT_ACCEPTED {
        if { [ACL::eval -l7] == 0 } {
            log local0. "no l7 acl"
        }
    }
}
2. Attach it as a related rule (not as a regular iRule) to the Network Access virtual server. There is no GUI for attaching related rules to a virtual server, so use the following tmsh command:
modify ltm virtual vs_https related-rules { na_acl_leasepool }
364774-1 : TMSH required for creating redundant-bigip server object for Link Controller
Component: Global Traffic Manager
Symptoms:
TMSH required for creating redundant-bigip server object for Link Controller.
Conditions:
This applies to BIG-IP systems with Link Controller active.
Impact:
Cannot create redundant configuration using the GUI.
Fix:
Redundant Link Controller should now work as expected.
364285 : Improve the documentation of the HTTP::respond command
Component: Local Traffic Manager
Symptoms:
Document that the HTTP::respond command works in the LB_FAILED event
Conditions:
None
Impact:
None
Workaround:
None
Fix:
The HTTP::respond command is now documented to work in the LB_FAILED event.
360047 : RAM Cache Ignores All but Last Cache-Control Header in OWS Response
Component: Local Traffic Manager
Symptoms:
If two Cache-Control headers exist in an HTTP response, RAM cache looks at only the last one.
Conditions:
Two Cache-Control headers exist in a response.
Impact:
If a web application fails to combine the bodies of two headers of the same key, the meta-data meaningful to RAM cache will not be complete, or might not impact cache processing as expected.
Workaround:
Use an iRule to combine the values of headers that share the same name into a single header.
Fix:
RAM cache now properly combines all Cache-Control header values in the OWS response. Cache-Control headers are processed left to right, first to last. Where multiple key=value pairs exist, the first seen wins. Where no-store occurs, later values of max-age and s-maxage will be ignored.
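The merge rule stated in the fix (left to right, first key wins, TTL directives after no-store are dropped) is easy to get subtly wrong, for instance by letting a later max-age revive a response already marked no-store. The function below is an added illustration of exactly those stated semantics, written for this page and not taken from the BIG-IP implementation; the header lists in the usage are constructed samples, and nothing beyond the three rules in the fix text (such as RFC precedence between s-maxage and max-age) is assumed.

```python
from typing import Dict, List, Optional

# Directives whose later values are dropped once no-store has been seen.
_TTL_DIRECTIVES = {"max-age", "s-maxage"}


def merge_cache_control(headers: List[str]) -> Dict[str, Optional[str]]:
    """Merge several Cache-Control header values into one directive map.

    Rules (the semantics stated in the fix text):
      * headers, and the directives inside them, are processed left to right;
      * when a directive name repeats, the first occurrence wins;
      * once no-store has been seen, later max-age / s-maxage values are ignored.
    Directive names are case-insensitive; a directive without '=' maps to None.
    """
    merged: Dict[str, Optional[str]] = {}
    no_store_seen = False
    for header in headers:
        for raw in header.split(","):
            directive = raw.strip()
            if not directive:
                continue
            name, sep, value = directive.partition("=")
            name = name.strip().lower()
            if name == "no-store":
                no_store_seen = True
            if no_store_seen and name in _TTL_DIRECTIVES:
                continue  # a later TTL does not override no-store
            if name in merged:
                continue  # first seen wins
            merged[name] = value.strip().strip('"') if sep else None
    return merged


def serialize_cache_control(directives: Dict[str, Optional[str]]) -> str:
    """Render the merged map back into a single Cache-Control header value."""
    return ", ".join(n if v is None else f"{n}={v}" for n, v in directives.items())


if __name__ == "__main__":
    # Constructed sample: two Cache-Control headers in one response, as in the symptom.
    response_headers = ["public, max-age=60", "max-age=120, no-store, s-maxage=30"]
    print(serialize_cache_control(merge_cache_control(response_headers)))
```

The same merge, applied to headers sharing any other name, is what the iRule in the workaround above would implement on older releases.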
355806 : Starting mcpd manually at the command line interferes with running mcpd
Component: TMOS
Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.
Conditions:
Having a running mcpd and executing mcpd at the command line.
Impact:
Various issues on the system; for example, some utilities may no longer be able to interact with mcpd.
Workaround:
Do not start mcpd directly from the command line.
Fix:
The command now reports the PID of the running mcpd and exits with an error.
348000 : HTTP response status 408 request timeout results in error being logged.
Component: Local Traffic Manager
Symptoms:
HTTP response status 408 request timeout results in error being logged.
Conditions:
HTTP profile is attached to a virtual server. 408 response status is received from server and is not preceded by request from the client.
Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.
Workaround:
None.
Fix:
HTTP response status 408 request timeout no longer results in error being logged.
340702 : Controlplane Auth - Fallback to local accounts if remote auth fails
Component: TMOS
Symptoms:
When using remote authentication on BIG-IP, if the remote auth server is unreachable, authentication will fail for all accounts except root and admin (which are always authenticated locally).
Conditions:
Remote authentication configured, and the remote auth server becomes unreachable.
Impact:
Since BIG-IP does not fall back to local auth, BIG-IP users will not be able to log on, even if they have a local account on the BIG-IP.
Workaround:
None.
Fix:
Added setting to remote auth configuration to allow fallback to local accounts when the remote auth server is unavailable.
249484 : Blocking icon does not appear on response violation
Component: Application Security Manager
Symptoms:
If the system blocks a response due only to response violations, the Blocked Request icon does not appear near the blocked response in the Requests or the Security Alerts screens.
Conditions:
This occurs if the request was blocked due to a violation detected in the response.
Impact:
Inconsistent display of status
246726 : System continues to process virtual server traffic after disabling virtual address
Component: Local Traffic Manager
Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.
Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.
Impact:
Traffic is still processed.
Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940
Fix:
When disabling a VIP in LTM the VIP no longer passes traffic. This is correct behavior.
Behavior Change:
When disabling a VIP in LTM the VIP no longer passes traffic.
238444 : An L4 ACL has no effect when a layered virtual server is used.
Component: Access Policy Manager
Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:
Unexpected network traffic may be allowed to pass.
Expected network traffic may be blocked.
Conditions:
This issue occurs when the following conditions are met:
-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
-- When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.
Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.
Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.
Fix:
The ACL::eval iRule command can now be attached to layered virtual servers (APM use case) to evaluate L4 ACLs.
225634 : The rate class feature does not honor the Burst Size setting.
Component: Local Traffic Manager
Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).
The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.
Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.
Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.
Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:
1. Log in to the Configuration utility.
2. Click Network.
3. Click Rate Shaping.
4. Click the appropriate rate class.
5. Change the Burst Size to 0.
6. Click Update.
Impact of workaround: None.
222034 : HTTP::respond in LB_FAILED with large header/body might result in truncated response
Component: Local Traffic Manager
Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.
Conditions:
This issue occurs when all of the following conditions are met:
-- HTTP::respond is used in the LB_FAILED event to return a large response.
-- No other TCP data has been sent to the client.
Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.
Workaround:
To work around this issue, modify the iRule. For example, instead of calling HTTP::respond directly inside an LB_FAILED event, perform a 302 redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.
Known Issues in BIG-IP v13.0.x
TMOS Issues
ID Number | Severity | Description |
642058 | 1-Blocking | CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances |
636016 | 1-Blocking | VADC: when using an Intel XL710 SR-IOV nic a bigstart restart can re-order the interfaces and impact traffic |
629792 | 1-Blocking | IPsec: Traffic continues when the ike-peers are disabled |
645805-2 | 2-Critical | LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address |
641013-6 | 2-Critical | GRE tunnel traffic pinned to one TMM |
624635-1 | 2-Critical | BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012 |
615372 | 2-Critical | Occasional TCP resets during connection initiation (RST cause is "No local listener") |
613542-1 | 2-Critical | tmm core while running the iRule STATS:: command |
583306 | 2-Critical | Using management port as config sync address might allow its deletion. |
580697-1 | 2-Critical | VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch. |
419345-1 | 2-Critical | Changing Master Key on the standby might cause secondaries to restart processes |
645206-2 | 3-Major | Missing cipher suites in outgoing LDAP TLS ClientHello |
645179-1 | 3-Major | Traffic group becomes active on more than one BIG-IP after a long uptime |
644979-1 | 3-Major | Errors not logged from hourly 1k key generation cron job |
644184-3 | 3-Major | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
642982-1 | 3-Major | tmrouted may continually restart after upgrade, adding or renaming an interface★ |
642422-1 | 3-Major | BFD may not remove dependent static routes when peer sends BFD Admin-Down |
642314-1 | 3-Major | CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★ |
641450-4 | 3-Major | A transaction that deletes and recreates a virtual may result in an invalid configuration |
639774-1 | 3-Major | mysqld.err rollover log files are not collected by qkview |
639575-2 | 3-Major | Using libtar with files larger than 2 GB will create an unusable tarball |
639530 | 3-Major | kernel.el7.2: xhci: off by one error in TRB DMA address boundary check |
639505-2 | 3-Major | BGP may not send all configured aggregate routes |
639049-1 | 3-Major | Virtual Server creation ignores translate-address setting with wild card destination |
638825-1 | 3-Major | SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD |
638215 | 3-Major | iHealth auto-upload script may get stuck in unusual circumstances |
638091 | 3-Major | Config sync after changing named pool members can cause mcpd on secondary blades to restart |
637827 | 3-Major | VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0 |
637561-2 | 3-Major | Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice |
636031-1 | 3-Major | GUI LTM Monitor Configuration String adding CR for type Oracle |
635703-2 | 3-Major | Interface description may cause some interface level commands to be removed |
635116-3 | 3-Major | Memory leak when using replicated remote high-speed logging. |
633879-2 | 3-Major | Fix IKEv1 md5 phase1 hash algorithm so config takes effect |
633824-1 | 3-Major | Cannot add pool members containing a colon in the node name |
633391-2 | 3-Major | GUI Error trying to modify IP Data-Group |
633110-3 | 3-Major | Literal tab character in monitor send/receive string causes config load failure, unknown property |
630610-1 | 3-Major | BFD session interface configuration may not be stored on unit state transition |
629915 | 3-Major | Cannot login with Firefox and IE after toggling between wireless and wired networks. |
629085-2 | 3-Major | Any CSS content truncated at a quoted value leads to a segfault |
628164-4 | 3-Major | OSPF with multiple processes may incorrectly redistribute routes |
624626-4 | 3-Major | Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility |
620659-4 | 3-Major | The BIG-IP system may unnecessarily run provisioning on successive reboots |
616021-6 | 3-Major | Name Validation missing for some GTM objects |
610307-4 | 3-Major | Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber |
610122 | 3-Major | Hotfix installation fails: can't create /service/snmpd/run★ |
609200-1 | 3-Major | Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★ |
607693 | 3-Major | MTU values in the range [9001-9198] are not supported by some operating systems. |
605840-6 | 3-Major | HSB receive failure lockup due to unreceived loopback packets |
605792 | 3-Major | Installing a new version changes the ownership of administrative users' files★ |
601076-1 | 3-Major | Fix watchdog event for accelerated compression request overflow |
598650-5 | 3-Major | apache-ssl-cert objects do not support certificate bundles |
597564 | 3-Major | 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items |
592194 | 3-Major | Rarely, an HSB transmitter failure occurs |
588483 | 3-Major | Soft lockup may occur when vCMP host TMMs run realtime without yielding. |
587821 | 3-Major | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
585043-1 | 3-Major | Question mark prevents TMSH from loading configuration file |
581851 | 3-Major | mcpd, interleaving of messages / folder contexts from primary to secondary blade |
579760 | 3-Major | HSL::send may fail to resume after log server pool member goes down/up |
577831 | 3-Major | VE does not boot without a vga console |
571333-7 | 3-Major | fastL4 tcp handshake timeout not honored for offloaded flows |
569100 | 3-Major | Virtual server using NTLM profile results in benign TCL error |
559080 | 3-Major | High Speed Logging to specific destinations stops from individual TMMs |
557067 | 3-Major | Large compressed files can cause qkview to consume large amounts of memory. |
551572 | 3-Major | Status LED blinking Amber on BIG-IP 10000-series appliance |
550739-3 | 3-Major | TMSH mv virtual command will cause iRules on the virtual to be dis-associated |
544906-3 | 3-Major | Issues when using remote authentication when users have different partition access on different devices |
543208-2 | 3-Major | Upgrading v11.6.0 to v12.0.0 in a failover group might cause mcpd to become unresponsive. |
541842 | 3-Major | Sync-only device groups cannot be applied to iApp-generated configs |
541320-8 | 3-Major | Sync of tunnels might cause restore of deleted tunnels. |
535717 | 3-Major | Password history is not enforced when root, Administrator, or User Manager changes another user's password |
530138 | 3-Major | Crit tmm error messages due to race condition that occurs during RebootHost on 10000, 10050, 10055, 10200F, 10350N, 12050, and 12250 platforms. |
528314 | 3-Major | Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh |
523985-1 | 3-Major | Certificate bundle summary information does not propagate to device group peers |
523797-1 | 3-Major | Upgrade: file path failure for process name attribute in snmp.★ |
517829 | 3-Major | BIG-IP system resets client without sending error report when certificate is revoked |
499348-4 | 3-Major | System statistics may fail to update, or report negative deltas due to delayed stats merging |
469366-4 | 3-Major | ConfigSync might fail with modified system-supplied profiles |
469035-1 | 3-Major | A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault |
429013 | 3-Major | Log file permissions lock down |
399622 | 3-Major | mcpd and datastor volumes on blades |
378967-12 | 3-Major | Users are not synchronized if created in a partition |
375434 | 3-Major | HSB lockup might occur when TMM tries unsuccessfully to reset HSB. |
359491 | 3-Major | global-settings hostname change is not synced to peer when set locally using tmsh |
291584 | 3-Major | Escaping backslash in external class/datagroup gets duplicated each time saving the class |
Local Traffic Manager Issues
ID Number | Severity | Description |
646643-1 | 2-Critical | HA Standby Virtual Server with a lasthop pool may crash. |
643396-1 | 2-Critical | Using FLOW_INIT iRule may lead to TMM memory leak or crash |
643210-3 | 2-Critical | Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on Safenet HSM |
642400-3 | 2-Critical | Path MTU discovery occasionally fails |
640352-1 | 2-Critical | Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet |
639764-1 | 2-Critical | Crash when searching external data-groups with records that do not have values |
639744-3 | 2-Critical | Memory leak in STREAM::expression iRule |
637181-1 | 2-Critical | VIP-on-VIP traffic may stall after routing updates |
629178-2 | 2-Critical | Incorrect initial size of connection flow-control window |
621870-1 | 2-Critical | Outage may occur with VIP-VIP configurations |
608304-2 | 2-Critical | TMM crash on memory corruption |
581746-6 | 2-Critical | MPTCP traffic handling may cause a BIG-IP outage |
464437 | 2-Critical | Quickly repeated external datagroup loads might cause TMM crash. |
431480 | 2-Critical | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message |
227281 | 2-Critical | TMM restarts with full-proxy HTTP virtual with ramcache, fallback, and deferred accept |
645635-1 | 3-Major | Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests |
645058-4 | 3-Major | Unable to update Client SSL Profile upgraded from any version lower than 11.6.1 which has Passphrase protected CKC (Cert Key Chain) |
645036 | 3-Major | Removing pool from Virtual does not update Virtual status |
644873-3 | 3-Major | ssldump can fail to decrypt captures with certain TCP segmenting |
644041 | 3-Major | HTTP response-headers-permitted profile option removes listed headers |
643860-5 | 3-Major | Attempt to read or write to the file /dev/vnic can cause TMM to restart, and TMM may not start up properly |
643777-1 | 3-Major | LTM policies with more than one IP address in TCP address match may fail |
643041-1 | 3-Major | Less than optimal interaction between OneConnect and proxy MSS |
641512-5 | 3-Major | DNSSEC key generations fail with lots of invalid SSL traffic |
641491-1 | 3-Major | TMM core while running iRule LB::status pool poolname member ip port |
640565-2 | 3-Major | Incorrect packet size sent to clone pool member |
640395-2 | 3-Major | When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly |
640376-2 | 3-Major | STPD leaks memory on 2000/4000/i2000/i4000 series |
640369-1 | 3-Major | TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan |
639039-5 | 3-Major | Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons |
638715-1 | 3-Major | Multiple Diameter monitors to same server ip/port may race on PID file |
637613-4 | 3-Major | Cluster blade being disabled immediately returns to enabled/green |
637094 | 3-Major | The iRules LX streaming external data-group API may incorrectly not find a match. |
631862-5 | 3-Major | Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk |
631801-2 | 3-Major | BIG-IP may send oversized TCP segments on traffic it originates |
626386-2 | 3-Major | SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled |
624325 | 3-Major | Device error: crypto codec queue is stuck |
623084-5 | 3-Major | mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★ |
622160 | 3-Major | ICMPv6 packets can have the wrong source IP if an IPv6 VIP has IPv4 pool members |
620625-3 | 3-Major | Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail |
620556-2 | 3-Major | Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule |
619958 | 3-Major | Thales HSM in HA with Failure can cause key creation delay for over 1 minute |
619844-3 | 3-Major | Packet leak if reject command is used in FLOW_INIT rule |
618430-1 | 3-Major | iRules LX data not included in qkview |
611691-6 | 3-Major | Packet payload ignored when DSS option contains DATA_FIN |
607246-8 | 3-Major | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires |
603681 | 3-Major | Updating pool members using iControl REST "PUT" resets monitors |
603609-1 | 3-Major | Policy unable to match initial path segment when request-URI starts with "//" |
602708-3 | 3-Major | Traffic may not passthrough CoS by default |
601727 | 3-Major | Some FQDN nodes are not correctly created |
588521 | 3-Major | Port/Protocol packet filter might fail to capture IPv6 fragments. |
586621 | 3-Major | SQL monitors 'count' config value does not work as expected. |
584414-1 | 3-Major | Deleting persistence-records via tmsh may result in persistence being created to different nodes |
582331-7 | 3-Major | Maximum connections is not accurate when TMM load is uneven |
579252 | 3-Major | Traffic can be directed to a less specific virtual during virtual modification |
575642 | 3-Major | rst_cause of "Internal error" |
572234-1 | 3-Major | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. |
570281 | 3-Major | Cannot modify 'ip-address' attribute of static ARP / NDP entries |
563689-1 | 3-Major | ZebOS configuration cannot be loaded via imish when service password-encryption is set |
562308-1 | 3-Major | FQDN pool members do not support manual-resume |
562267 | 3-Major | FQDN nodes do not support monitor alias destinations. |
549927-1 | 3-Major | iRule validation does not check RULE_INIT/virtual are disallowed in proc calling |
542104 | 3-Major | In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades. |
517756-5 | 3-Major | Existing connections can choose incorrect route when crossing non-strict route-domains |
516280-3 | 3-Major | bigd process uses a large percentage of CPU |
505037 | 3-Major | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
486735 | 3-Major | Maximum connections is not accurate when TMM load is uneven |
454640-1 | 3-Major | mcpd instances on secondary blades might restart on boot |
449158 | 3-Major | Using an iRule nexthop to "vlan:mac address" does not forward the packet |
440431-12 | 3-Major | Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands. |
434517-18 | 3-Major | HTTP::retry doesn't work in an early server response |
429213 | 3-Major | Some monitor types assigned to the same node IP:port in different Route Domains may collide and mark the object down. |
424228 | 3-Major | Parking iRules in CLIENT_DATA on virtual without assigned pool may not return |
419741-4 | 3-Major | Rare crash with vip-targeting-vip and stale connections on VIPRION platforms |
408093 | 3-Major | Cache::Header content-length Returns Zero when Response Status is 304 |
384993 | 3-Major | A FastL4 virtual server does not always return from suspending commands. |
367226-3 | 3-Major | Outgoing RIP advertisements may have incorrect source port |
366193 | 3-Major | Very Long URIs May Cause Delays |
364588 | 3-Major | Run show cmd from /Common to display pool in another partition |
352957-2 | 3-Major | Route lookup after change in route table on established flow ignores pool members |
248914 | 3-Major | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
225492-2 | 3-Major | Ramcache might disallow valid cache configurations that are very near the limit. |
222690-1 | 3-Major | The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command. |
222338 | 3-Major | Use of Cache::Disable in iRule |
221995 | 3-Major | Cache Setting feature honors only Vary headers containing User-Agent or Accept-Encoding entries |
221993 | 3-Major | Ramcache does not honor Vary header field containing the asterisk character |
Performance Issues
ID Number | Severity | Description |
599803-1 | 1-Blocking | TMM accelerated compression incorrectly destroying in-flight contexts. |
588752 | 1-Blocking | APM Login Performance may be degraded |
634022 | 3-Major | Active Directory authentication with Step-Up-Auth has degraded performance. |
600458-1 | 3-Major | TCP resets occurring under high load |
546213 | 3-Major | Performance degradation when mapping a custom TACDB with large number of entries |
Global Traffic Manager Issues
ID Number | Severity | Description |
643813-1 | 3-Major | ZoneRunner does not properly process $ORIGIN directives |
642330 | 3-Major | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
Application Security Manager Issues
ID Number | Severity | Description |
646511-2 | 2-Critical | BD crashes repeatedly after interrupted roll-forward upgrade★ |
640829-1 | 2-Critical | bd crash scenario |
644725-1 | 3-Major | Configuration changes while removing ASM from the virtual server may cause graceful ASM restart |
641307-1 | 3-Major | Response Page contents are corrupted by XML policy import for non-UTF-8 policies |
637516-1 | 3-Major | Copying a Child Security Policy as a Parent Security Policy Leaves Elements Uneditable |
635754-2 | 3-Major | Wildcard URL pattern match works incorrectly in Traffic Learning |
635551-1 | 3-Major | ASM/DoSL7 Challenges should support CORS requests |
630355-1 | 3-Major | Local Logs Missing Or Recorded Found For Incorrect Policy |
608245-1 | 3-Major | Reporting missing parameter details when attack signature is matched against parameter value |
564105-1 | 3-Major | ArcSight gives error on specific transactions |
Application Visibility and Reporting Issues
ID Number | Severity | Description |
642613 | 2-Critical | Improve loading time when landing in dashboard page |
642221-1 | 3-Major | Incorrect entity is used when exporting TCP analytics from GUI |
636104 | 3-Major | If pool member is defined with port 0, member may not be visible on the HTTP dimension pane. |
635280 | 3-Major | Some old DB rows will be aggregated into 1 row after upgrade to 13.0.0 |
635189-1 | 3-Major | The mitigation changed during the attack and the dimensions are different between COMMON table and HTTP table so it is "clubbed" to 1 or few rows |
574160-7 | 3-Major | Publishing DNS statistics if only Global Traffic and AVR are provisioned |
Access Policy Manager Issues
ID Number | Severity | Description |
592410 | 1-Blocking | libQt5WebKit.so.5 is required to install F5 web clients |
590291 | 1-Blocking | Web clients (f5epi and f5vpn) require version 5.5 of QT package on all distributions of Linux |
645203-1 | 2-Critical | Configuration load will fail after upgrade when a saml sso config object is put in a sync-only device group★ |
638706 | 2-Critical | Linux CLI client does not close connection immediately using fid/fname on SUSE Enterprise |
637308-1 | 2-Critical | apmd may crash when HTTP Auth agent is used in an Access Policy |
615816 | 2-Critical | APM session is terminated automatically if web based VPN client is running |
525555 | 2-Critical | TMM could miss heart beats when opening IP Reputation database file resulting in SIGABRT by sod |
643547-2 | 3-Major | APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP |
642926-1 | 3-Major | Increased MySQL Memory usage when APM is provisioned on lower-end systems. |
639288-1 | 3-Major | OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately. |
639283-1 | 3-Major | Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate |
638799-2 | 3-Major | Per-request policy branch expression evaluation fails |
638780 | 3-Major | Handle 302 redirects for VMware Horizon View HTML5 client |
632504-2 | 3-Major | APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list |
632499-2 | 3-Major | APM Policy Sync: Resources under webtop section are not sync'ed automatically |
629921-3 | 3-Major | [SWG] NTLM 407-based front-end auth and passthrough 401-based NTLM backend auth does not work. |
629233 | 3-Major | Proxy configuration changes are not applied immediately by Firefox on OS X |
624061 | 3-Major | RSA authentication may fail on edge client on some older windows 10 builds |
623862 | 3-Major | Google Chrome may not launch F5 VPN app automatically in specific case |
621976-5 | 3-Major | OneDrive for Business thick client shows javascript errors when rendering APM logon page |
621974-5 | 3-Major | Skype For Business thick client shows javascript errors when rendering APM logon page |
619444 | 3-Major | Edge browser prompts user to install f5-vpn from Windows Store |
610360 | 3-Major | Browser cache cleanup may be required for endpoint check to work |
605018 | 3-Major | Citrix StoreFront integration mode with pass through authentication fails for browser access |
603298 | 3-Major | Citrix Storefront integration mode gateway access reconnect fails |
598401 | 3-Major | Google Chrome prompts to launch xdg-open for endpoint inspection or network access resource |
595863 | 3-Major | Native RDP resource fails to SSO to backend if username contains Greek small letter final sigma (ς) |
595835 | 3-Major | SSL forward proxy chaining does not work with next hop Transparent proxy mode without adding route |
594782 | 3-Major | Active FTP data transfer via FTP AppTunnel is interrupted after 5 minutes. |
592612 | 3-Major | An application can fail to connect to a backend server in some cases if Optimized tunnels are configured using hostnames only |
592118 | 3-Major | iOS Edge Client Per-App VPN and MobileSDK connections should consume CCU license |
583272-3 | 3-Major | "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth |
582606 | 3-Major | IPv6 downloads stall when NA IPv4&IPv6 is used. |
574648 | 3-Major | Edge browser prompts user to install an application from Windows Store if Endpoint Inspection is configured |
564246 | 3-Major | VPN cannot be used in some cases when IP filtering engine is enabled |
558850 | 3-Major | Client can not connect to Windows 10 using ActiveX RDP client launched from the APM Webtop if "Allow connections only from computers running Remote Desktop with Network level Authentication" is disabled. |
552444-3 | 3-Major | Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD |
550547-1 | 3-Major | URL including a "token" query fails results in a connection reset |
547692-4 | 3-Major | Firewall-blocked KPASSWD service does not cause domain join operation to fail |
527119-5 | 3-Major | Iframe document body could be null after iframe creation in rewritten document. |
422516-1 | 3-Major | Notification for required reboot when Credential Management Service is changed. |
387457 | 3-Major | Geolocation information cannot be modified in New Session log entry |
381258-7 | 3-Major | 'with' statement in web applications works wrong in some cases |
307037-2 | 3-Major | Dynamic Resources Are Assigned But Not Accessible |
WebAccelerator Issues
ID Number | Severity | Description |
222201 | 2-Critical | Compression configuration changes may require clearing RAM cache |
618441 | 3-Major | Minification is not applied to HTML when configured |
530466 | 3-Major | MultiConnect is incompatible with CORS policy |
465901 | 3-Major | Large number inlining URLs may cause a connection reset |
465854 | 3-Major | Page rendering is incorrect when both CSS inline and JavaScript reordering are enabled |
441529 | 3-Major | Lifetime heuristic behavior changes between 10.x and 11.x |
420957 | 3-Major | Content cached compressed and uncompressed may invalidate separately |
420954 | 3-Major | invalidation may be delayed when compressed and uncompressed requests are present |
410879 | 3-Major | WAM/AAM does not inline content that is not already cached or served from OWS with status 200 OK. |
401471 | 3-Major | Parameter Value Substitution in Assembly cannot handle '&' in a link within an HTML doc. |
396167 | 3-Major | GETs for an unsatisfiable range on a compressed document results in full bypass on expiration. |
382976 | 3-Major | Erroneously enabling image optimization on policy nodes matching HTML or CSS content causes that content to become uncacheable, and the system posts S10206 codes. |
375477 | 3-Major | Four new settings 'IBR-to', 'IBR-within', 'MC-to', and 'MC-within' are added to replace 'IBR' and 'MC' settings at WAM policy assembly page. |
369961 | 3-Major | The space character in a path prefix is not evaluated correctly. |
362275 | 3-Major | Error Message when Web Acceleration Profile is attached without an Application |
359062 | 3-Major | Query parameter matching application/x-www-form-urlencoded not functional |
Service Provider Issues
ID Number | Severity | Description |
639236-4 | 2-Critical | Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute |
618222-1 | 3-Major | Loop detection implementation logic violates branch parameter compliance with RFC 3261 |
590091-4 | 3-Major | Single-line Via headers separated by single comma result in first character second header being stripped. |
Advanced Firewall Manager Issues
ID Number | Severity | Description |
594585 | 2-Critical | tmm crashes when ACL iRule with virtual command is triggered |
644855-1 | 3-Major | irules with commands which may suspend processing cannot be used with proactive bot defense |
629017 | 3-Major | Comparison Charts remain live only while staying on the page |
607980 | 3-Major | DoS/Firewall GUI will not work with IE versions 10 or lower |
600836 | 3-Major | Manager role functions differently in GUI and CLI. |
577359 | 3-Major | Invalid L4 packets might not match against AFM WhiteList properly |
558763-2 | 3-Major | "Show All" option for large no. of security objects can cause poor performance in some browsers |
519612-2 | 3-Major | JavaScript challenge fails when coming within iframe with different domain than main page |
Policy Enforcement Manager Issues
ID Number | Severity | Description |
641482-3 | 3-Major | Subscriber remains in delete-pending state until a CCR-T acknowledgement with a success result code is received |
640510-2 | 3-Major | BWC policy category attachment may fail during a PEM policy update for a subscriber. |
640457-3 | 3-Major | Session Creation failure after HA |
639486-1 | 3-Major | TMM crash due to PEM usage reporting after a CMP state change. |
635257-3 | 3-Major | Inconsistencies in Gx usage record creation. |
630611-3 | 3-Major | PEM module crash when subscriber not found |
624231-3 | 3-Major | No flow control when using content-insertion with compression |
563165 | 3-Major | New Diameter session event triggers registered for by the PCRF should not be appended to existing registered event triggers in PEM. |
462034 | 3-Major | Change ip-address to ip-address-list in iControl REST because multiple IPs are supported in 11.6 |
Carrier-Grade NAT Issues
ID Number | Severity | Description |
639119-1 | 3-Major | LSN pool client connection limit is not enforced when NAT64 and FTP is configured on the virtual |
Fraud Protection Services Issues
ID Number | Severity | Description |
634257-1 | 3-Major | Missing Strong Integrity Parameter alert score is always 0 |
633449-1 | 3-Major | Browser autocomplete may cause login to fail |
632546-3 | 3-Major | Window.error handler is called when alert size is too large |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Description |
642039-1 | 2-Critical | TMM core when persist is enabled for wideip with certain iRule commands triggered. |
645615-1 | 3-Major | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
644447-1 | 3-Major | sync_zones script increasingly consumes memory when there is network connectivity failure |
640903-2 | 3-Major | Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen |
636853-4 | 3-Major | Under some conditions, a change in the order of GTM topology records does not take effect. |
636149-1 | 3-Major | Multiple monitor response codes to single monitor probe failure |
517609-4 | 3-Major | GTM Monitor Needs Special Escape Character Treatment |
Traffic Classification Engine Issues
ID Number | Severity | Description |
495460 | 3-Major | Use different application ID after user application is deleted |
Device Management Issues
ID Number | Severity | Description |
642983-2 | 3-Major | Update to max message size limit doesn't work sometimes |
Known Issue details for BIG-IP v13.0.x
646643-1 : HA Standby Virtual Server with a lasthop pool may crash.
Component: Local Traffic Manager
Symptoms:
A long-running HA Standby Virtual Server with a lasthop pool may crash.
Conditions:
HA Standby Virtual Server is configured with a lasthop pool.
It receives more than 2 billion connections (the maximum value of a 32-bit integer).
Impact:
tmm on the next-active device crashes. The Active device isn't affected.
Workaround:
NA
646511-2 : BD crashes repeatedly after interrupted roll-forward upgrade★
Component: Application Security Manager
Symptoms:
After roll-forward upgrade with ASM traffic data is interrupted, BD crashes repeatedly.
Conditions:
Roll-forward upgrade with ASM traffic data is interrupted by restart/reboot.
Impact:
BD crashes repeatedly on subsequent attempts to start ASM.
Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:
tmsh modify sys db ucs.asm.traffic_data.save value disable
645805-2 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
Component: TMOS
Symptoms:
LACP PDUs generated by the 'lacpd' on the i4x00 & i2x00 platforms contain the wrong Ethernet source MAC address.
Conditions:
LACP configured on a trunk interface on i4x00 or i2x00 platforms.
Impact:
Some Cisco and Juniper switches discard these PDUs. They then send PDUs as if the BIG-IP were not transmitting, with an all-zeros System ID in the 'Partner' section. This renders LACP inoperable, and the trunk simply does nothing if the far end is configured for 'Passive'.
645635-1 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, configured units with sflow may incorrectly use 0.0.0.0 as Agent Address.
Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow configured
Impact:
sflow may incorrectly use 0.0.0.0 as Agent Address.
Workaround:
Possible workarounds (either):
- Using larger guests (more than 2 cores)
- Configuring cluster blade IP addresses
645615-1 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was backup, zxfrd may fail attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
645206-2 : Missing cipher suites in outgoing LDAP TLS ClientHello
Component: TMOS
Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behaviour is also seen for BIG-IP system auth via LDAP or AD when TLS is used.
Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.
Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.
Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.
645203-1 : Configuration load will fail after upgrade when a saml sso config object is put in a sync-only device group★
Component: Access Policy Manager
Symptoms:
Configuration load will fail when you upgrade BIG-IP from a previous version to 13.0, with the following error:
01070734:3: Configuration error: Invalid Devicegroup Reference. The sso_config_saml (/Common/Auth/<object>) requires apm_log_config (/Common/sso-log-setting-Notice) to be syncd to the same devices
Unexpected Error: Loading configuration process failed.
Conditions:
A SAML SSO config object or a Form-Based SSO config object is configured in a folder, and that folder is in a Sync-Only device group. When upgrading to 13.0 with this existing configuration, the configuration load fails.
Impact:
The configuration does not load.
Workaround:
1. Disassociate Folder from Sync-Only device group.
tmsh modify sys folder <folder name> device-group none
tmsh save sys config.
2. Upgrade to 13.0 build. (and verify config loads fine).
3. Create log-setting in each folder.
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# cd <folder name>/
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common/<folder name>)(tmos)# create apm log-setting sso-log-setting-Notice { access add { general-log { log-level { access-control notice } publisher sys-sso-access-publisher } } }
Repeat this step for each log level: Alert, Critical, Debug, Emergency, Error, Informational, Notice, Warning. And use the appropriate log level accordingly.
4. Modify SSO log-settings to use log-setting created under the folder (<folder name>), according to their previous log level before upgrading. For example,
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify apm sso saml <folder name>/id.f5.com_cloud-skytap-com_f5unity apm-log-config <folder name>/sso-log-setting-Notice
5. Associate Sync-Only device group SO1 to folder. For example,
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify sys folder <folder name>/ device-group <DG name>
6. Verify config load.
645179-1 : Traffic group becomes active on more than one BIG-IP after a long uptime
Component: TMOS
Symptoms:
Traffic-groups become active/active for 30s after an uptime of 331.40 days.
The amount of time that is required to trigger this issue is dependent on the number of traffic groups. The more traffic groups, the shorter amount of uptime required to encounter this issue.
For example:
For 7 traffic groups it would take ~710 days.
For 15 traffic groups it would take ~331 days.
Conditions:
Two or more BIG-IPs defined in a device group for sync/failover.
There are multiple traffic groups configured.
The BIG-IPs have a long uptime.
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
You would have to reboot all the BIG-IPs in the device group every so often. And the time frame is dependent on the number of traffic groups.
645058-4 : Unable to update Client SSL Profile upgraded from any version lower than 11.6.1 which has Passphrase protected CKC (Cert Key Chain)
Component: Local Traffic Manager
Symptoms:
GUI Client SSL Profile update throws error "01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read" which has CKC with passphrase protected key and upgraded from any version lower than 11.6.1.
Conditions:
A Client SSL Profile with a passphrase-protected key CKC exists on any version lower than 11.6.1 and the system is upgraded. After the upgrade, updating that profile from the GUI always throws the error.
Impact:
User cannot update client SSL profile.
Workaround:
Delete such a CKC and recreate it after the upgrade through any interface (tmsh, GUI, or iControl).
645036 : Removing pool from Virtual does not update Virtual status
Component: Local Traffic Manager
Symptoms:
1) Create a pool and assign a monitor to it
2) Ensure the pool goes green
3) Create a virtual server without assigning the pool to it
4) Ensure the virtual server stays blue (unknown)
5) Associate the pool to the virtual server
6) Ensure the virtual server goes green (available)
7) Remove the pool from the virtual server
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green
Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual, since a virtual without a pool has no traffic to pass, and associating a pool with the virtual will reflect the pool status.
Workaround:
The status should be blue/unchecked once again after the BIG-IP is restarted.
Associating a pool with the virtual should correctly update the virtual status.
644979-1 : Errors not logged from hourly 1k key generation cron job
Component: TMOS
Symptoms:
Errors from the hourly 1024-bit (1k) key generation cron job are not logged as intended, due to a typo in the script.
Conditions:
This occurs during hourly generation of ephemeral keys.
Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.
Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024
644873-3 : ssldump can fail to decrypt captures with certain TCP segmenting
Component: Local Traffic Manager
Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.
The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data
Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.
Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.
Workaround:
None.
644855-1 : irules with commands which may suspend processing cannot be used with proactive bot defense
Component: Advanced Firewall Manager
Symptoms:
A request is dropped.
Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual (for example, one that includes a command such as "after").
For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962
Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.
Workaround:
N/A
644725-1 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
Component: Application Security Manager
Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.
Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.
Impact:
ASM restarts. The system goes offline. A failover may happen.
Workaround:
Ensure that some time elapses between applying a configuration change and removing ASM from the VIP.
644447-1 : sync_zones script increasingly consumes memory when there is network connectivity failure
Component: Global Traffic Manager (DNS)
Symptoms:
sync_zones memory usage exponentially increases during network disruption
Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.
Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.
Workaround:
None.
644184-3 : ZebOS daemons hang while AgentX SNMP daemon is waiting.
Component: TMOS
Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is waiting for return from external script.
Conditions:
Dynamic routing must be enabled.
SNMP is enabled.
SNMP must call an external script which takes a while to return.
Impact:
Dynamic routing may be halted for the duration of AgentX daemon waiting for return from external script.
Workaround:
Do not have AgentX call an external script that takes a long time to return.
644041 : HTTP response-headers-permitted profile option removes listed headers
Component: Local Traffic Manager
Symptoms:
The HTTP response-headers-permitted option should remove all response headers except the ones listed. However, it currently also removes the listed headers by mistake, so the option strips every HTTP header except a hard-coded whitelist of headers.
Conditions:
The HTTP response-headers-permitted profile option is used.
Impact:
Extra headers will be removed from HTTP responses.
Workaround:
None.
643860-5 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
Component: Local Traffic Manager
Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:
In /var/log/tmm:
notice MCP connection expired early in startup; retrying.
In /var/log/ltm:
mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.
Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.
Impact:
The TMM processes will restart and fail to come up properly.
Workaround:
To recover, reboot the system.
Note: Do not perform file open operations on /dev/vnic. There is no need to.
643813-1 : ZoneRunner does not properly process $ORIGIN directives
Component: Global Traffic Manager
Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name rather than with the $ORIGIN specified.
Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.
Impact:
Zones will not be imported correctly.
Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.
The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)
For example, given a zone file named example.com.file that contains the following information:
"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3
The command is as follows:
named-compilezone -s full -o example.com.file.full example.com example.com.file
The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1
This output is correct. The new file can then be imported into ZoneRunner.
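The "@" and $ORIGIN semantics the workaround relies on, as an added example that is not part of these release notes, ZoneRunner, or named-compilezone: a small Python normalizer that resolves "@" and relative names against the current $ORIGIN, fills in missing TTLs from $TTL, and can also emulate the reported misbehaviour (the `at_follows_origin=False` switch is a constructed name) so the correct and incorrect outputs can be compared. The sample zone is the one above, minus the quoted zone-name line, which is not zone-file syntax; only the directives and record shapes used there are supported.

```python
"""Zone-file normalizer illustrating $ORIGIN handling (added example, not
BIG-IP, ZoneRunner or named-compilezone code). Supports only the directives
and record shapes used in the example zone from this issue."""

from typing import List

# Constructed from the example zone in this issue, minus the quoted zone-name
# line, which is not zone-file syntax.
SAMPLE_ZONE = """\
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3
"""

# Record types whose last rdata field is a domain name needing origin expansion
# (SOA has two name fields and is handled separately).
NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "MX"}


def _absolute(name: str, origin: str) -> str:
    """Make a zone-file name fully qualified relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def normalize_zone(zone_text: str, zone_name: str,
                   at_follows_origin: bool = True) -> List[str]:
    """Return one fully qualified record per line, with explicit TTL and class.

    at_follows_origin=True is the correct RFC 1035 behaviour: "@" means the
    current $ORIGIN. at_follows_origin=False emulates the reported ZoneRunner
    misbehaviour, where "@" always means the zone name.
    """
    zone_origin = zone_name if zone_name.endswith(".") else zone_name + "."
    origin = zone_origin
    default_ttl = None
    records: List[str] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _absolute(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0].startswith("$"):
            raise ValueError(f"unsupported directive: {tokens[0]}")
        if tokens[0] == "@" and not at_follows_origin:
            owner = zone_origin  # the incorrect association described above
        else:
            owner = _absolute(tokens[0], origin)
        rest = tokens[1:]
        if rest and rest[0].isdigit():
            ttl = int(rest.pop(0))  # explicit per-record TTL
        elif default_ttl is not None:
            ttl = default_ttl  # fall back to $TTL
        else:
            raise ValueError(f"no TTL available for record: {line}")
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        if not rest:
            raise ValueError(f"record without type/rdata: {line}")
        rtype = rest.pop(0).upper()
        rdata = rest
        if rtype == "SOA":
            rdata = [_absolute(rdata[0], origin), _absolute(rdata[1], origin)] + rdata[2:]
        elif rtype in NAME_RDATA_TYPES:
            rdata = rdata[:-1] + [_absolute(rdata[-1], origin)]
        records.append(" ".join([owner, str(ttl), "IN", rtype, *rdata]))
    return records


def origin_mismatches(zone_text: str, zone_name: str) -> List[str]:
    """Correct records whose owner differs under the incorrect "@" handling."""
    good = normalize_zone(zone_text, zone_name)
    bad = normalize_zone(zone_text, zone_name, at_follows_origin=False)
    return [g for g, b in zip(good, bad) if g != b]


if __name__ == "__main__":
    for rec in normalize_zone(SAMPLE_ZONE, "example.com"):
        print(rec)
```

Running the block prints the same five records as the named-compilezone output above (in file order rather than sorted), and `origin_mismatches` lists exactly the two "@" records that follow a $ORIGIN directive, which is where the imported zone would be wrong.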
643777-1 : LTM policies with more than one IP address in TCP address match may fail
Component: Local Traffic Manager
Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.
Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.
Impact:
The action configured with the match may not be taken.
Workaround:
Use one of the following workarounds:
- Use a datagroup with the list of IP addresses to match.
- Use a subnet instead of single IP addresses.
643547-2 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
Component: Access Policy Manager
Symptoms:
Requests to /my.policy are not getting HTTP responses.
Log file '/var/log/apm' contains large number of error messages about failed XML data creation:
err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.
Conditions:
The BIG-IP system is used with APM provisioned, and a large number of access policy agents are configured across all access policies.
The issue occurs only at APMD startup time, e.g., when the BIG-IP system is reloaded, a new image is installed, or the apmd service is manually restarted.
When the issue happens, /var/log/apm contains a large number of similar error messages:
err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL
Impact:
APMD will not be able to process any requests.
Workaround:
For some configurations and platforms, you can use the following steps to recover:
- Remove all unused access policies (if applicable).
- Restart apmd.
643396-1 : Using FLOW_INIT iRule may lead to TMM memory leak or crash
Component: Local Traffic Manager
Symptoms:
A memory leak in TMM, or even a crash, may be observed when the FLOW_INIT event is used in iRules. The leak is hard to observe and the crash requires specific steps, making it fairly uncommon.
Conditions:
An iRule triggered by the FLOW_INIT event is in use.
Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.
643210-3 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on Safenet HSM
Component: Local Traffic Manager
Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process will trigger code that deletes any netHSM keys on the Safenet HSM.
Conditions:
This occurs on a chassis that is configured to use a safenet netHSM.
Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.
Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the Safenet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.
643041-1 : Less than optimal interaction between OneConnect and proxy MSS
Component: Local Traffic Manager
Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.
Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.
Impact:
Decreased throughput, possible congestion due to small segments.
Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.
642983-2 : Update to max message size limit doesn't work sometimes
Component: Device Management
Symptoms:
There is a cap on the size of all REST request and response messages. By default it is set to 32 MB, and you can raise the limit using the /mgmt/shared/server/messaging/settings/8100 REST endpoint. However, the REST framework may not apply this change.
When this occurs, you will see a 501 Bad Gateway error from Apache and an error message like "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in the restjavad log (/var/log/restjavad.0.log).
Conditions:
This can occur when requesting or receiving >32MB of data via iControl REST.
Impact:
The REST framework applies the message body limit only to the incoming request and its response. If the incoming request results in a further request to iControl REST or restnoded, the same message body limit setting is not applied to it.
Workaround:
None.
642982-1 : tmrouted may continually restart after upgrade, adding or renaming an interface★
Component: TMOS
Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a vlan, vlangroup or tunnel.
Conditions:
Dynamic routing is configured, and either a non-default partition name is used or VLAN names are longer than 15 characters.
Impact:
Dynamic routing will not function.
Workaround:
Shorten VLAN, vlangroup, or tunnel name or move the interface into the Common partition.
642926-1 : Increased MySQL Memory usage when APM is provisioned on lower-end systems.
Component: Access Policy Manager
Symptoms:
You may notice the mysql process continuously consuming a high amount of CPU and memory resources when APM is provisioned. This can be seen in the output of the 'top' command, where mysql is continuously listed. The issue applies to BIG-IP systems with 32 GB or less of system memory.
Conditions:
The APM module is provisioned, and either of the following is true:
* The logging configuration uses an on-box publisher and the log-level setting produces a high volume of logging data (e.g., DEBUG).
* LocalDB or an OAuth Authorization Server is configured with a DB instance and traffic is being processed.
Impact:
You may notice general performance issues on BIG-IP systems with system memory 32 GB or lower when MySQL usage is high.
Workaround:
1) Remove the following two lines from the file '/var/lib/mysql/cnf/apm.cnf' and save the file:
innodb_buffer_pool_size = 1G
sort_buffer_size = 256M
2) Restart the MySQL service with 'bigstart restart mysql'.
642613 : Improve loading time when landing in dashboard page
Component: Application Visibility and Reporting
Symptoms:
When data contains a very large number of different IP addresses, it can result in a long loading time for the dashboard page.
Conditions:
Opening the Dashboard/Analysis page when the database contains a lot of data.
Impact:
Slow loading of the page.
Workaround:
None.
642422-1 : BFD may not remove dependent static routes when peer sends BFD Admin-Down
Component: TMOS
Symptoms:
As a result of a known issue, the BFD feature used in a dynamic routing configuration may not remove static routes that are configured to depend on the liveness of the BFD peer.
Conditions:
- BFD configured and up.
- Static route configured to depend on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.
Impact:
The static route may not be removed when the peer sets the BFD session to admin-down, and traffic may still be routed over it.
642400-3 : Path MTU discovery occasionally fails
Component: Local Traffic Manager
Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.
Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.
Impact:
The connection may stall as large TCP segments are continually retransmitted.
Workaround:
Configure the MSS in the TCP profile to match the lowest MSS on the path. Alternatively, disable Path MTU discovery with the tm.pathmtudiscovery database key.
642330 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: Global Traffic Manager
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.
642314-1 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
Component: TMOS
Symptoms:
The GTM configuration fails to load after an upgrade from v11.x to v12.x or v13.x.
Conditions:
A GTM pool is created in v11.x with a canonical-name ending with a dot (for example, "cname-with-dot.com.") and the system is then upgraded to v12.x or v13.x.
Impact:
The GTM configuration fails to load after the upgrade.
Workaround:
Remove trailing dots or set "Domain Validation" to "none".
642221-1 : Incorrect entity is used when exporting TCP analytics from GUI
Component: Application Visibility and Reporting
Symptoms:
When exporting statistics from the TCP Analytics page, the resulting data is for the default "view by" entity rather than the one that is actually selected.
Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.
Impact:
Incorrect data is being exported.
Workaround:
Use tmsh.
642058 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
Component: TMOS
Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.
The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic
The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic
The interface will report in tmsh as down:
tmsh show net interface 5.0
--------------------------------------------------------
Net::Interface
Name  Status  Bits In  Bits Out  Pkts In  Pkts Out  Drops  Errs  Media
--------------------------------------------------------
5.0   down    0        0         0        0         0      0     none
Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.
Impact:
The CBL-0138-01 will not work.
Workaround:
None.
642039-1 : TMM core when persist is enabled for wideip with certain iRule commands triggered.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV.
Conditions:
This occurs when persist is enabled for the wide IP and an iRule triggers one of the following commands:
forward
reject
drop
discard
noerror
host
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable persist on wideip.
Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.
641512-5 : DNSSEC key generations fail with lots of invalid SSL traffic
Component: Local Traffic Manager
Symptoms:
DNSSEC keys can roll over periodically. The rollover fails, leaving no keys to sign DNSSEC queries (no RRSIG records), when the BIG-IP system is handling a lot of SSL traffic with invalid certificates.
The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.
Conditions:
DNSSEC keys configured with periodic rollover. Lots of SSL traffic with invalid certificates.
Impact:
DNSSEC key generations fail to be accepted by the TMM, so that when the prior generation expires there is no valid certificate with which to sign DNSSEC queries.
Workaround:
Restart the TMM after the new key generation is created.
641491-1 : TMM core while running iRule LB::status pool poolname member ip port
Component: Local Traffic Manager
Symptoms:
tmm cores with SIGSEGV.
Conditions:
An iRule attached to the wide IP uses LB::status with the member in "ip port" format, that is, with a space between the IP address and the port.
For example:
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100 80
    }
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the "ip:port" format or the virtual server name instead of "ip port":
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}
Or:
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}
641482-3 : Subscriber remains in delete pending state until a CCR-T acknowledgement with a success Result-Code is received
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP subscriber session remains in the delete pending (stale) state if the acknowledgement received from Gx or Gy for a CCR-T request carries a failure Result-Code.
Conditions:
The stale session occurs during subscriber termination, when a CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS value in the Result-Code AVP.
Impact:
The subscriber session on the BIG-IP system stays in the delete pending (stale) state.
Workaround:
A tmm restart cleans up all the stale sessions.
641450-4 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
641307-1 : Response Page contents are corrupted by XML policy import for non-UTF-8 policies
Component: Application Security Manager
Symptoms:
If a non-UTF-8 policy has Response Pages configured with non-ASCII characters, the Response Page contents are corrupted by an XML export/import.
Conditions:
1) Response pages are configured with Non-ASCII characters in a non-UTF-8 Policy.
2) The Policy is exported via XML export.
Impact:
Response Page contents are corrupted.
Workaround:
1) Use binary policy export/import for non-UTF-8 policies.
or
2) Encode the non-ASCII characters using their HTML entity/character code representations. (Example: 日本語 -> &#26085;&#26412;&#35486;)
641013-6 : GRE tunnel traffic pinned to one TMM
Component: TMOS
Symptoms:
GRE tunnel traffic can all be sent to one TMM if the BIG-IP system does not proxy the GRE tunnel and instead uses a forwarding virtual server to handle the GRE tunnel traffic.
Conditions:
A forwarding virtual server is used to handle GRE tunnel traffic.
Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.
Workaround:
None.
640903-2 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
Component: Global Traffic Manager (DNS)
Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.
Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.
Impact:
Extremely long page load time.
Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.
640829-1 : bd crash scenario
Component: Application Security Manager
Symptoms:
The bd process crashes, causing a switch-over and some traffic outage.
Conditions:
A specific cross-domain configuration exists and a specific traffic scenario occurs.
Impact:
The bd process crashes, causing a switch-over and some traffic outage.
Workaround:
None.
640565-2 : Incorrect packet size sent to clone pool member
Component: Local Traffic Manager
Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.
Conditions:
Clone pool is configured on a virtual server.
Impact:
Clone pool members may get traffic exceeding the link MTU.
Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
640510-2 : BWC policy category attachment may fail during a PEM policy update for a subscriber.
Component: Policy Enforcement Manager
Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.
Conditions:
The PEM policies applied to a subscriber are modified such that the BWC policy stays the same while the BWC category changes.
Impact:
Use cases dependent on BWC can be impacted.
640457-3 : Session Creation failure after HA
Component: Policy Enforcement Manager
Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.
Conditions:
Intra-chassis HA is configured. One of the blades goes down and comes back up very rapidly, and some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.
Impact:
A set of subscribers lost during HA will never be added back.
Workaround:
No workaround.
640395-2 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
Component: Local Traffic Manager
Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.
Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.
Impact:
If you are not actually using the spanning feature, there is no impact.
If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.
Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.
Alternatively, you can manually set the spanning property on the virtual addresses as desired after the upgrade.
640376-2 : STPD leaks memory on 2000/4000/i2000/i4000 series
Component: Local Traffic Manager
Symptoms:
The STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs grows in physical memory usage indefinitely, as long as its role in the tree results in sending BPDU packets. Memory usage grows faster for each interface that is sending BPDUs.
Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform, and the device has a role in the tree that results in sending BPDUs on one or more interfaces. The memory increase can be seen by tracking the process with the Linux top command, for example:
top -b -n 1 | grep stpd
The 5th and 6th columns, 'VIRT' and 'RES', slowly increase over time, indicating the memory leak.
Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.
Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured so that the affected platforms do not generate BPDUs. This can be done by choosing a root such that the interfaces of the affected platforms are in blocking mode or, if possible, in pass-through mode.
640369-1 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.
Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan
TMM may respond directly using the auto-lasthop feature and not via the route lookup.
Impact:
Traffic may not follow the expected path.
640352-1 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
Component: Local Traffic Manager
Symptoms:
Connflow entry memory is leaked when the BIG-IP DHCP proxy is configured in forwarding mode, the DHCP relay agent between the DHCP client and the BIG-IP system sets the giaddr field to itself, and the connflows created are aged out in a particular order.
Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) A DHCP relay agent sits between the DHCP client and the BIG-IP system and sets the giaddr field in the DHCP renewal packet to itself (this has been observed on Cisco devices), so that the DHCP servers send the DHCP renewal packet to the relay agent.
3) The connflow created to the giaddr (relay agent) ages out before the connflows created to the DHCP clients.
Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.
Workaround:
None.
639774-1 : mysqld.err rollover log files are not collected by qkview
Component: TMOS
Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview, without the truncation rules normally used for log files. Also, the rollover files mysqld.err.1, mysqld.err.2.gz, etc., are not collected at all.
Conditions:
This occurs when generating a qkview.
Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.
Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.
639764-1 : Crash when searching external data-groups with records that do not have values
Component: Local Traffic Manager
Symptoms:
The TMM may crash when searching an external data-group that has at least one record with an empty value.
Conditions:
For example, this occurs if the data-group is defined as follows, where the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",
A search in the data-group above with -value or -element options where at least one of the result records has no value will most likely result in a TMM crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure that every record in the external data-groups has a value.
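As an added example (not F5 code), the following Python lint parses an external data-group file in the format shown above, reports any record that has no value, and rewrites such records with a placeholder value derived from the key, which is the convention the example above uses for its other records. It assumes host, network and plain string records, one per line.

```python
"""Lint an external data-group file for records without a value, the condition
the release note says can crash TMM when the data-group is searched with the
-value or -element options, and rewrite them with a placeholder value."""
import re
from typing import List, NamedTuple, Optional


class Record(NamedTuple):
    rtype: str            # "host", "network" or "string"
    key: str
    value: Optional[str]  # None when the line has no ':= value' part


# Constructed input: the release note's example data-group, in which the
# record for 10.40.0.0/13 has no value.
SAMPLE_DATAGROUP = """\
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",
"""

# One record per line: [host|network] <key> [:= <value>][,]
# Keys and values may be double-quoted strings (with backslash escapes).
QUOTED = r'"(?:[^"\\]|\\.)*"'
RECORD_RE = re.compile(
    rf'^(?:(host|network)\s+)?({QUOTED}|\S+?)\s*(?::=\s*({QUOTED}|[^\s,]+))?\s*,?$')


def parse_datagroup(text: str) -> List[Record]:
    """Parse the file into records; blank lines and '#' comments are skipped."""
    records: List[Record] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse record {line!r}")
        records.append(Record(m.group(1) or "string", m.group(2), m.group(3)))
    return records


def has_no_value(record: Record) -> bool:
    """True for the records the workaround says to avoid: no ':=' part, or an empty string."""
    return record.value in (None, '""')


def records_without_value(text: str) -> List[Record]:
    return [r for r in parse_datagroup(text) if has_no_value(r)]


def placeholder_value(record: Record) -> str:
    """Build a value from the key, as the example does ("network 10.0.0.0/9").
    Replace it with the real value if one is known."""
    if record.rtype == "string":
        return record.key if record.key.startswith('"') else f'"{record.key}"'
    return f'"{record.rtype} {record.key}"'


def fill_missing_values(text: str) -> str:
    """Return the file with every record carrying a value (comments are not kept)."""
    lines = []
    for r in parse_datagroup(text):
        value = placeholder_value(r) if has_no_value(r) else r.value
        prefix = "" if r.rtype == "string" else f"{r.rtype} "
        lines.append(f"{prefix}{r.key} := {value},")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for r in records_without_value(SAMPLE_DATAGROUP):
        print(f"record without value: {r.rtype} {r.key}")
    print(fill_missing_values(SAMPLE_DATAGROUP), end="")
```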
639744-3 : Memory leak in STREAM::expression iRule
Component: Local Traffic Manager
Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.
Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.
Impact:
This causes a memory leak in tmm.
Workaround:
None.
639575-2 : Using libtar with files larger than 2 GB will create an unusable tarball
Component: TMOS
Symptoms:
Programs such as qkview will create a .tar file (tarball) using libtar and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.
Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.
Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be a zero-length file. Alternatively, the offending file that is greater than 2 GB must be removed from the system prior to running qkview or other program that uses libtar.
639530 : kernel.el7.2: xhci: off by one error in TRB DMA address boundary check
Component: TMOS
Symptoms:
Due to an off-by-one error in the xhci driver, the following dmesg output may be seen on BIG-IP platforms with XHCI controllers when the affected platforms are booted:
[ 164.552195] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
[ 164.552200] xhci_hcd 0000:00:14.0: Looking for event-dma 00000000fffe6000 trb-start 00000000fffe7fe0 trb-end 00000000fffe8000 seg-start 00000000fffe7000 seg-end 00000000fffe7ff0
Conditions:
On any of the following BIG-IP platforms, which have XHCI controllers, when the system is booting normally:
BIG-IP 5000/7000
BIG-IP i2800/i4800
HRC-i2800
BIG-IP VIPRION 4450
Impact:
It is not clear what the impact is if nothing is connected to the USB 3.0 ports, which are not accessible except on the BIG-IP VIPRION 4450.
This is a bug that has been fixed in upstream Linux kernels, including RHEL 7.3.
639505-2 : BGP may not send all configured aggregate routes
Component: TMOS
Symptoms:
As a result of a known issue, BGP may not send all configured aggregate routes if one is a supernet of another.
Conditions:
- BGP established sessions.
- BGP configuration contains several aggregate routes, one or more being a supernet of others.
Impact:
The smaller-prefix aggregate (the least specific) may not be sent to the BGP peer.
639486-1 : TMM crash due to PEM usage reporting after a CMP state change.
Component: Policy Enforcement Manager
Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.
Conditions:
A CMP state change due to a card reboot, disable, enable, insert, or removal occurs while, or right before, a PEM usage reporting action.
Impact:
Traffic disrupted while tmm restarts.
639288-1 : OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately.
Component: Access Policy Manager
Symptoms:
OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately. The Access Profiles list shows duplicate OAuth profile names.
Conditions:
An OAuth profile is associated with multiple Access Profiles.
Impact:
Selecting an Access Profile (i.e., clicking its link) in the OAuth Profiles list does not show the expected Access Profile properties page.
Workaround:
Switch to Access profiles list page and select the profile directly.
639283-1 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN
Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.
Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.
Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.
639236-4 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
Component: Service Provider
Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header whose expires value is set to 0 and is not the last attribute.
Conditions:
The Contact header has an expires value of 0 that is not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.
Impact:
REGISTER is rejected with a '400 Bad request' error message
Workaround:
None.
639119-1 : LSN pool client connection limit is not enforced when NAT64 and FTP is configured on the virtual
Component: Carrier-Grade NAT
Symptoms:
LSN pool client connection limit is not enforced.
Conditions:
NAT64 and FTP are configured on the virtual server.
Impact:
LSN pool client connection limit is not enforced.
Workaround:
None.
639049-1 : Virtual Server creation ignores translate-address setting with wild card destination
Component: TMOS
Symptoms:
The translate-address attribute is ignored during virtual server creation when the destination is all zeroes and no netmask is specified.
Conditions:
Creating virtual server with wild card destination, no net mask, and translate-address set to enabled.
Impact:
translate-address can only be set to disabled during creation.
Workaround:
Either set translate-address after creation, or specify net mask for virtual server creation.
639039-5 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
Component: Local Traffic Manager
Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.
Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.
Impact:
Dynamic routing information is lost and must be relearned.
Workaround:
When using dynamic routing, only change the host name during a maintenance window.
638825-1 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
Component: TMOS
Symptoms:
The sysInterfaceMediaActiveSpeed OID returns a value of 80 for an interface of type 100000SR4-FD instead of 100000.
Conditions:
This always occurs for this type of interface.
Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.
Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.
638799-2 : Per-request policy branch expression evaluation fails
Component: Access Policy Manager
Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:
info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)
Conditions:
Per-request policy branch expression evaluation fails, and non-access (non-APM) iRule events attached to the virtual server do not trigger for some requests, when within the same connection the virtual server first receives a request for an internal, access-whitelisted URL and then a request for a backend resource URI.
Workaround:
None.
638780 : Handle 302 redirects for VMware Horizon View HTML5 client
Component: Access Policy Manager
Symptoms:
Starting from v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions, and supports a 302 redirect from the old URI for backward compatibility.
Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.
Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.
Workaround:
For versions 11.6.x and 12.x:
===============================
priority 2
when HTTP_REQUEST {
    # Remember the /f5vdifwd/vmview/<uuid>/ prefix of the request URI.
    # The first variable receives the whole match (with the trailing slash).
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                # Replace "/portal/" in the redirect with the vmview prefix.
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    # Here the capture group (the prefix without the trailing slash) is kept.
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                # Prepend the vmview prefix to the redirect path.
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
638715-1 : Multiple Diameter monitors to same server ip/port may race on PID file
Component: Local Traffic Manager
Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.
Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.
Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.
Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).
638706 : Linux CLI client does not close connection immediately using fid/fname on SUSE Enterprise
Component: Access Policy Manager
Symptoms:
In some cases, the VPN connection is not closed immediately when using the command-line client on SUSE Linux Enterprise.
Conditions:
- CLI client is used on SUSE Linux Enterprise.
- fid option is used.
Impact:
Connection is not closed immediately. As a result, the next attempt to establish a connection fails for a period of time.
Workaround:
Close connection without using fid option.
638215 : iHealth auto-upload script may get stuck in unusual circumstances
Component: TMOS
Symptoms:
If iHealth auto-upload is correctly configured, and an upload in progress is aborted due to power loss or a similar calamity, the saved state causes future invocations of the iHealth script to be non-functional, displaying the message "ihealth is already executing (2). Exiting."
Conditions:
Auto-upload to iHealth is correctly configured, and an upload in progress is aborted due to power loss. When the BIG-IP is restarted, iHealth is no longer reachable.
Impact:
The iHealth script is not usable, and the System :: Support page cannot be used to create a qkview.
Workaround:
Execute the command,
guishell -c "update diags_ihealth_request set ihealth_status=0"
638091 : Config sync after changing named pool members can cause mcpd on secondary blades to restart
Component: TMOS
Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:
01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>
Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create
Impact:
Secondary blades do not process traffic while they restart.
Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).
To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.
1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.
637827 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
Component: TMOS
Symptoms:
The configuration fails to load with the following message:
01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.
Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.
Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.
Workaround:
Remove the STP interface member 1.0 and reload.
637613-4 : Cluster blade being disabled immediately returns to enabled/green
Component: Local Traffic Manager
Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.
Conditions:
This can occur intermittently under these conditions:
- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.
Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.
Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.
637561-2 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
Component: TMOS
Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.
Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only
Impact:
Wildcard wideips are not returning wildcard requests correctly.
Workaround:
Reload the mcpd database using the following commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd
637516-1 : Copying a Child Security Policy as a Parent Security Policy Leaves Elements Uneditable
Component: Application Security Manager
Symptoms:
If a Parent copy is made of a Security Policy that had inherited elements, those elements may not be editable in the new Parent Policy.
Conditions:
A Parent copy is made of a Security Policy that had inherited elements.
Impact:
Elements may not be editable in the new Parent Policy.
Workaround:
Export the policy as XML and import it as a Parent Policy.
637308-1 : apmd may crash when HTTP Auth agent is used in an Access Policy
Component: Access Policy Manager
Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.
Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.
The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.
Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.
Workaround:
Use basic auth, or do not use HTTP Auth.
637181-1 : VIP-on-VIP traffic may stall after routing updates
Component: Local Traffic Manager
Symptoms:
After a routing update, traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.
Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.
Impact:
Existing connections to the outer VIP may stall.
Workaround:
None.
637094 : The iRules LX streaming external data-group API may incorrectly not find a match.
Component: Local Traffic Manager
Symptoms:
The iRules LX streaming data-group API for external data-groups may incorrectly not find a match when the following commands are used:
- searchStartsWith (case insensitive search only)
- matchEndsWith/searchEndsWith (any search types).
- matchContains/searchContains (any search types).
The following commands are not affected:
- matchEquals/searchEquals.
- matchStartsWith.
Conditions:
There are no conditions for the failure. Using the specified commands will most likely fail. Note: If the data-group is relatively small in size (e.g., approximately 10 records), it is possible that the issue will not happen.
Impact:
The specified commands will incorrectly not find a match when there is one.
Workaround:
None.
636853-4 : Under some conditions, a change in the order of GTM topology records does not take effect.
Component: Global Traffic Manager (DNS)
Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.
Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.
Impact:
In certain configurations, the topology load balancing decision may not be made correctly.
Workaround:
Reload the GTM configuration or add/delete a topology record.
636149-1 : Multiple monitor response codes to single monitor probe failure
Component: Global Traffic Manager (DNS)
Symptoms:
A monitor probe failure to an external monitor (such as HTTP) is logged by 'bigd' to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made, with the *last* log entry being the error that triggered the logging. The other monitor entries made during this event are not relevant: they are "stale" and stem from previous monitor probe behavior that was already logged.
This is due to an error where the 'Could not connect' event appends to a previous error message rather than overwriting any previous error message that is still present.
Conditions:
A monitor probe to an external monitor is attempted (such as over HTTP), resulting in an "Unable to connect" failure; and where that specific monitor previously reported an error (which is now appended).
Impact:
No system behavior is affected, but multiple log entries are made. The *final* log entry of "Could not connect" or "Unable to connect" is relevant, while the possible multiple log entries immediately above are "stale" and not relevant (as they are due to a previous issue that was previously successfully logged).
Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' log entry, and ignore any log entries associated with that specific monitor that appear immediately above the 'Could not connect' line.
636104 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
Component: Application Visibility and Reporting
Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.
Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.
Impact:
Not seeing the pool member under the HTTP "pool" dimension.
Workaround:
You can define a temporary pool member with the port that is being used (e.g., 80) and delete it afterwards.
Once defined, the member is written to the DB and is shown from that point on.
This is a partial workaround, since it must be done for every port that is used in traffic.
636031-1 : GUI LTM Monitor Configuration String adding CR for type Oracle
Component: TMOS
Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.
Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.
Impact:
The /config/bigip.conf file contains CR characters.
Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.
636016 : VADC: when using an Intel XL710 SR-IOV nic a bigstart restart can re-order the interfaces and impact traffic
Component: TMOS
Symptoms:
After a bigstart restart, traffic no longer flows because interface ordering can change.
Conditions:
A Virtual Edition configuration with more than one XL710 SR-IOV interface.
Impact:
The VLANs are assigned to the wrong interfaces, and network traffic is blocked.
Workaround:
If VLANs do not exist or the config is not saved before bigstart restart, there is nothing to be done except assigning the right VLAN to the desired interface (1.X) after restart. The MAC address of interfaces can be used to identify the desired interface.
If a config with VLANs is saved before bigstart restart, run the following command:
-- bigstart stop (this brings the data plane ethX devices down)
-- f5-swap-eth -s (this reassigns the interfaces)
-- bigstart start (this restarts the system).
Or you can reboot the guest.
635754-2 : Wildcard URL pattern match works incorrectly in Traffic Learning
Component: Application Security Manager
Symptoms:
In a policy with URL learning mode set to ALWAYS, wildcard URL matching for "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" prevents you from adding other wildcard destinations using Policy Builder.
Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.
Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.
Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).
Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.
"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using the "Up" button.
635703-2 : Interface description may cause some interface level commands to be removed
Component: TMOS
Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.
Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.
Impact:
Commands after the description will not appear in the imish running config and will not be loaded/functional.
Workaround:
Do not use interface level descriptions.
635551-1 : ASM/DoSL7 Challenges should support CORS requests
Component: Application Security Manager
Symptoms:
Bot protection intermittently causes the page not to load completely.
Conditions:
Enable ASM features that include challenge scripts, such as Web Scraping, Brute Force, Proactive Bot Defense, or DoSL7 client-side mitigation, and then browse to a resource that makes a cross-origin HTTP request.
Impact:
Bot protection intermittently causes the page not to load completely.
Workaround:
Perform one of the following options:
1. Add the URL to the URL whitelist.
2. Insert "Access-Control-Allow-Origin" header via an iRule.
635280 : Some old DB rows will be aggregated into 1 row after upgrade to 13.0.0
Component: Application Visibility and Reporting
Symptoms:
Previously collected data is not migrated to the upgraded version as expected.
Conditions:
After upgrading to 13.0.0, two similar DB rows, with different DoS Profiles, for example, will become one row.
Impact:
Certain HTTP dimensions (for example, DoS Profile) are displayed with a value of "Aggregated" or "N/A", instead of the previously collected data values. For these dimensions, only data that reflects cumulative metrics will appear as expected.
Workaround:
None.
635257-3 : Inconsistencies in Gx usage record creation.
Component: Policy Enforcement Manager
Symptoms:
Duplicate usage records may be created or expected usage records may be missing.
Conditions:
A subscriber session is associated with the following policies:
1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.
2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.
Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.
Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.
To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.
635189-1 : The mitigation changed during the attack and the dimensions differ between the COMMON table and the HTTP table, so hits are combined into one or a few rows
Component: Application Visibility and Reporting
Symptoms:
If the mitigation changes during a snapshot, the hits still count for the old mitigation if no protocol-specific filter is applied.
Conditions:
Attack mitigation has changed.
Impact:
You will see hits count for the wrong mitigation.
635116-3 : Memory leak when using replicated remote high-speed logging.
Component: TMOS
Symptoms:
As a result of a known issue, when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool, TMM may leak memory.
Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one pool member, one of which becomes unavailable.
Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.
Workaround:
Do not use replication in the HSL destination configuration.
634257-1 : Missing Strong Integrity Parameter alert score is always 0
Component: Fraud Protection Services
Symptoms:
Missing Strong Integrity Parameter alert score is always 0.
Conditions:
Using FPS.
Alert score.
Impact:
Incorrect alerts score in dashboard, which invalidates auto transaction rules.
Workaround:
None.
634022 : Active Directory authentication with Step-Up-Auth has degraded performance.
Component: Performance
Symptoms:
When using Active Directory to perform Step-Up-Authentication with APM, the number of authentications per second that APM can sustain is lower than what could be achieved with earlier releases. This is observed only on certain high end appliance platforms.
Conditions:
All the following must be true:
- APM is provisioned and configured to provide authentication services via the per-request access policy.
- Active Directory is used as the authentication method.
- A relatively high rate of authentication exists.
- One of the following BIG-IP appliances is in use:
i108xx
i78xx
10xxx
Impact:
Performance in terms of authentications per second is degraded.
Workaround:
None.
633879-2 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect
Component: TMOS
Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.
Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.
Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.
Workaround:
You may be able to select md5, save, and then restart; this sets up the daemon from the config file instead of via incremental config parsing. So while md5 does not take effect right after being changed in the UI, it may work after a restart.
633824-1 : Cannot add pool members containing a colon in the node name
Component: TMOS
Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g., 10.1.20.10:80) to a pool, adding the node fails and you get an error similar to the following:
0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).
Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon.
Impact:
You are unable to add the node to the pool and will get a validation error.
Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.
633449-1 : Browser autocomplete may cause login to fail
Component: Fraud Protection Services
Symptoms:
Browser autocomplete on fields with substitute value enabled may cause login to fail.
Conditions:
WebSafe configured with substitute autocomplete value enabled on field.
Browser saves substituted value.
Impact:
Login fails.
Workaround:
Disable substitute value use.
633391-2 : GUI Error trying to modify IP Data-Group
Component: TMOS
Symptoms:
While trying to add, remove, or edit IPv4/IPv6 addresses within an existing data group list for iRules, the properties page throws a parsing error.
Conditions:
Try to modify the value field under an Address Records row (whether string or integer), and click Update.
Impact:
An "Error parsing IP address" message appears at the top of the page. You cannot modify internal data groups using the GUI. You can delete and re-create the entry, but cannot modify it.
Workaround:
Use tmsh to modify the record field of the data groups.
633110-3 : Literal tab character in monitor send/receive string causes config load failure, unknown property
Component: TMOS
Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contain tabs, but the tabs are not quoted when the string is saved to the configuration. This causes the configuration load to fail, with this error signature:
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property
Conditions:
This can occur if you copy/paste a monitor send or receive string and paste it into the send/recv string field in tmsh or the GUI.
Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.
Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.
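Both 636031 (CR characters written by a wrapped Oracle monitor field) and this issue leave raw control characters inside monitor strings in /config/bigip.conf, and the damage only surfaces at the next load. The following Python script is an added example, not anything F5 ships: it scans a bigip.conf for literal tab or CR bytes inside 'ltm monitor' stanzas and prints each value rewritten with \t and \r escapes so it can be pasted back through tmsh or the GUI. The SAMPLE_CONF text is constructed for the demonstration and its property lines are illustrative.

```python
import re

# Control characters that break a later config load when a monitor string
# stores them literally, mapped to the escape that tmsh and the GUI accept.
CONTROL_ESCAPES = {"\t": "\\t", "\r": "\\r"}

STANZA_START = re.compile(r"^ltm monitor (\S+) (\S+) \{")
PROPERTY = re.compile(r"^\s+(\S+)\s+(.*)$")


def scan_monitor_stanzas(conf_text):
    """Find literal tab/CR characters inside 'ltm monitor' stanzas of a bigip.conf.

    Returns one dict per offending line: 1-based line number, monitor type and
    name, property name, and the value rewritten with escape sequences.
    The text is split on '\\n' only: str.splitlines() would also split on the
    very '\\r' characters this scanner is looking for.
    """
    findings = []
    monitor = None
    for lineno, line in enumerate(conf_text.split("\n"), 1):
        start = STANZA_START.match(line)
        if start:
            monitor = f"{start.group(1)} {start.group(2)}"
            continue
        if line.startswith("}"):
            monitor = None
            continue
        if monitor is None or not any(ch in line for ch in CONTROL_ESCAPES):
            continue
        prop = PROPERTY.match(line)
        name, value = (prop.group(1), prop.group(2)) if prop else ("?", line.strip())
        escaped = value
        for raw, esc in CONTROL_ESCAPES.items():
            escaped = escaped.replace(raw, esc)
        findings.append({"line": lineno, "monitor": monitor,
                         "property": name, "escaped": escaped})
    return findings


# Constructed sample, not a real configuration: the first monitor has a literal
# tab pasted into its send string, the second a CR left behind by a wrapped
# GUI field, the third is clean (its \r\n are already escaped in the file).
SAMPLE_CONF = (
    "ltm monitor http /Common/http_tabbed {\n"
    "    defaults-from /Common/http\n"
    "    interval 5\n"
    "    send \"GET /status\tHTTP/1.0\\r\\n\\r\\n\"\n"
    "    recv \"200 OK\"\n"
    "}\n"
    "ltm monitor oracle /Common/ora_wrapped {\n"
    "    send \"SELECT 1 FROM dual\r\"\n"
    "}\n"
    "ltm monitor http /Common/http_clean {\n"
    "    send \"GET / HTTP/1.0\\r\\n\\r\\n\"\n"
    "}\n"
)

if __name__ == "__main__":
    for f in scan_monitor_stanzas(SAMPLE_CONF):
        print(f"line {f['line']}: {f['monitor']} {f['property']} -> {f['escaped']}")
```

Run it against a copy of /config/bigip.conf before a load; a clean file yields no output. Only the reported lines need to be re-entered with the escaped value, which is what the GUI workaround above does by hand.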
632546-3 : Window.error handler is called when alert size is too large
Component: Fraud Protection Services
Symptoms:
When large HTML code is attached to alerts, the page's Window.error handler may be called.
Conditions:
"attach HTML to alerts" is enabled.
The page's JavaScript assigns an "onError" listener on the window object.
Impact:
onError handler will be called.
Workaround:
Disable "attach HTML to alerts" on affected pages.
632504-2 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
Component: Access Policy Manager
Symptoms:
Non-LSO resources such as a webtop, even when assigned via a normal resource assign agent, are listed under dynamic resources rather than static ones.
Conditions:
- Create a webtop resource
- Create an access profile
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign")
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources"
Impact:
It's a user experience issue. No impact if you take the default setting for policy sync. Only when you open up the advanced setting is it confusing that a static resource is only listed under dynamic resource list and prompts you to include it as dynamic resource. Doing so does not cause real harm but is unnecessary.
Workaround:
If you know it's a static resource, then simply do not select it as dynamic resource.
632499-2 : APM Policy Sync: Resources under webtop section are not sync'ed automatically
Component: Access Policy Manager
Symptoms:
Resources placed under a webtop section, such as webtop links or portal access resources, must be included as dynamic resources or else the sync fails.
Conditions:
- Create a webtop section source such as portal access
- Create a webtop section and add the above-created portal access to it
- Create an access profile and add the webtop section resource via a resource assign agent in VPE
- Sync the profile
Impact:
Sync will fail and some configured resources will not be available on the other devices.
Workaround:
Include those resources as dynamic resources in the Policy Sync advanced settings.
631862-5 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
Component: Local Traffic Manager
Symptoms:
When the OWS sends a chunked response and the only chunk has a zero size, the HTTP2 profile receives neither the response body nor an indication that the response has zero size.
Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).
Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.
Workaround:
Use the following iRule for the affected URLs:
when HTTP_RESPONSE {
if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
}
}
The condition may be changed to narrow the iRule to specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.
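The translation a gateway has to perform is the point here: the zero-size last-chunk of a chunked HTTP/1.1 body is the end-of-message marker, and it must become END_STREAM on the client-facing HTTP/2 stream even when that leaves no body at all. The Python below is an added example, not BIG-IP code: it decodes a chunked body (trailers included) and builds the frame sequence the stream should carry. The frame representation is a simplified list of [type, content, flags] with HPACK, padding and stream ids omitted, and the redirect response bytes are constructed.

```python
def parse_chunked(body):
    """Decode a chunked transfer-coded body (RFC 7230 section 4.1).

    Returns (payload, finalized). finalized is True only when the zero-size
    last-chunk and the empty line ending the optional trailer section were
    both seen; a body that merely ran out of bytes is not finalized.
    """
    payload = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(payload), False
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk-ext
        pos = eol + 2
        if size == 0:
            end = body.find(b"\r\n", pos)
            while end >= 0 and end != pos:       # skip trailer fields
                pos = end + 2
                end = body.find(b"\r\n", pos)
            return bytes(payload), end == pos
        if len(body) < pos + size + 2:
            return bytes(payload), False
        payload += body[pos:pos + size]
        pos += size + 2  # chunk-data plus its CRLF


def h1_response_to_h2_frames(status, headers, chunked_body):
    """Frame sequence a gateway must emit on the client stream for an HTTP/1.1
    chunked origin response. Frames are [type, content, flags]; HPACK, padding
    and stream ids are left out. Transfer-Encoding is hop-by-hop and is dropped.
    """
    payload, finalized = parse_chunked(chunked_body)
    h2_headers = [(":status", str(status))] + [
        (name.lower(), value) for name, value in headers
        if name.lower() != "transfer-encoding"
    ]
    frames = [["HEADERS", h2_headers, set()]]
    if payload:
        frames.append(["DATA", bytes(payload), set()])
    if finalized:
        # The zero-size last-chunk is the end-of-message signal; it must become
        # END_STREAM on the final frame even when there is no body at all.
        frames[-1][2].add("END_STREAM")
    return frames


# Constructed origin response body: a redirect with an empty chunked body.
EMPTY_CHUNKED_REDIRECT = b"0\r\n\r\n"

if __name__ == "__main__":
    hdrs = [("Location", "/login"), ("Transfer-Encoding", "chunked")]
    for frame in h1_response_to_h2_frames(301, hdrs, EMPTY_CHUNKED_REDIRECT):
        print(frame)
```

For the empty redirect the whole response collapses to a single HEADERS frame carrying END_STREAM, which is exactly the frame the browser waits for before following the Location header; the iRule workaround above sidesteps the problem by answering with a non-chunked 301 that the HTTP2 profile already finalizes correctly.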
631801-2 : BIG-IP may send oversized TCP segments on traffic it originates
Component: Local Traffic Manager
Symptoms:
The Linux host on BIG-IP may send TCP segments larger than the TCP MSS advertised by the remote host.
Conditions:
Received TCP MSS (plus protocol overhead) smaller than configured MTU of interface.
Linux host sending large TCP segments, such as SNMP getbulk replies.
Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.
Workaround:
Reduce the interface MTU.
630611-3 : PEM module crash when subscriber not found
Component: Policy Enforcement Manager
Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.
Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.
Impact:
PEM/TMM SIGSEGV.
Workaround:
None.
630610-1 : BFD session interface configuration may not be stored on unit state transition
Component: TMOS
Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.
Conditions:
State transitions from online to offline.
Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.
Workaround:
Re-add statements manually.
630355-1 : Local Logs Missing Or Recorded Found For Incorrect Policy
Component: Application Security Manager
Symptoms:
When loading a UCS (manually or due to a UCS sync) that has the same ASM Policy names, but created in a different order, the local logging daemon does not update its internal mappings.
Conditions:
The configuration is replaced by a UCS load that had a different list of ASM Policies.
Impact:
Local logs may be missing or listed for an incorrect ASM policy.
Workaround:
Restart asmlogd.
629921-3 : [SWG] NTLM 407-based front-end auth and passthrough 401-based NTLM back-end auth does not work.
Component: Access Policy Manager
Symptoms:
With SWG client-side NTLM auth configured, when the client performs NTLM auth for the backend, the ECA plugin traps the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, sinks the request, and generates a 407 to the client to perform proxy authentication.
Conditions:
Set up SWG for auth with NTLM credentials.
Access a proxied resource that also requires NTLM auth.
Impact:
Backend server access is restricted.
Workaround:
None
629915 : Cannot login with Firefox and IE after toggling between wireless and wired networks.
Component: TMOS
Symptoms:
Cannot log into BIG-IP's Web GUI on Firefox and Microsoft Internet Explorer (IE) for the first 3-5 attempts after toggling the host computer's network between wireless and wired connections.
Conditions:
Using Firefox or IE browsers.
Toggling between a wired and wireless network connections.
Impact:
BIG-IP shows a "login failed" page in the Web UI. The user cannot login with correct credentials for 3-5 attempts. Note: The number of attempts may be timing-dependent.
Workaround:
Use any of the following options:
-- Use a Chrome browser.
-- Do not toggle between different networks for internet access (i.e., wired and wireless).
-- Keep trying to logon (i.e., try more than five times, or for a few minutes after toggling between networks).
-- Restart the browser.
-- Clear cookies.
629792 : IPsec: Traffic continues when the ike-peers are disabled
Component: TMOS
Symptoms:
Disabling an ike-peer has no effect.
Conditions:
Trying to disable an IPsec ike-peer using the following tmsh command: tmsh modify net ipsec ike-peer <name> state disabled.
Impact:
Traffic continues when the ike-peers are disabled.
Workaround:
Delete the ike-peer instead of trying to disable it.
629233 : Proxy configuration changes are not applied immediately by Firefox on OS X
Component: Access Policy Manager
Symptoms:
Once the VPN is established and F5 Access updates the proxy configuration on the client, the first request sent from the Firefox browser does not use the updated proxy configuration. Subsequent requests use the correct proxy configuration.
Conditions:
Firefox browser is used on Mac OS X.
Impact:
Proxy configuration changes are not applied immediately by Firefox on OS X. Wrong proxy configuration will be used for first request. Depending on setup, the client might not be able to reach the site, or the request won't go through intended proxy server.
Workaround:
None.
629178-2 : Incorrect initial size of connection flow-control window
Component: Local Traffic Manager
Symptoms:
When a client establishes an HTTP2 connection, both endpoints can later grow their connection-level flow-control windows, but the initial size of the connection window is fixed at 65,535 for both. BIG-IP erroneously starts its own accounting at the configured value instead. The resulting discrepancy in window calculation can cause the client's requests to be cancelled.
Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).
Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.
Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).
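To see why the mismatch stalls uploads, the Python model below (an added example, not BIG-IP code) keeps the connection send window as the client sees it and as the server sees it, and walks a large POST through both the faulty behaviour and the correct one, where the server sends a WINDOW_UPDATE for (receive-window minus 65,535) right after the connection preface. The half-window replenishment threshold and the 256 KB receive-window used in the demo are assumptions of the model, so it does not reproduce the 79 KB boundary above; the stall mechanism is the same.

```python
# RFC 7540 section 6.9.2: the connection-level flow-control window starts at
# 65,535 octets for both peers and SETTINGS cannot change it; only WINDOW_UPDATE can.
DEFAULT_CONNECTION_WINDOW = 65_535
MAX_FRAME_PAYLOAD = 16_384


class ConnectionWindowModel:
    """Bookkeeping for the connection send window as the client sees it versus
    as a server with a larger configured receive-window sees it.

    advertise_delta_at_start=True is the correct behaviour: the server grows the
    client's view to its configured size with one WINDOW_UPDATE right after the
    preface. False reproduces the mismatch: the server starts its own accounting
    at the configured size without telling the client. The replenishment policy
    (WINDOW_UPDATE once half the configured window has been consumed) is an
    assumption of this model, not BIG-IP's documented rule.
    """

    def __init__(self, receive_window, advertise_delta_at_start):
        self.receive_window = receive_window
        self.server_view = receive_window
        self.client_view = DEFAULT_CONNECTION_WINDOW
        self.consumed_since_update = 0
        self.window_updates = []
        if advertise_delta_at_start and receive_window > DEFAULT_CONNECTION_WINDOW:
            self._send_window_update(receive_window - DEFAULT_CONNECTION_WINDOW)

    def _send_window_update(self, increment):
        # WINDOW_UPDATE on stream 0 is the only way to grow the peer's view.
        self.window_updates.append(increment)
        self.client_view += increment

    def _server_consume(self, n):
        self.consumed_since_update += n
        if self.consumed_since_update >= self.receive_window // 2:
            self.server_view += self.consumed_since_update
            self._send_window_update(self.consumed_since_update)
            self.consumed_since_update = 0

    def client_post(self, body_len):
        """Client uploads body_len bytes in DATA frames. Returns (bytes_sent, outcome)."""
        sent = 0
        while sent < body_len:
            chunk = min(MAX_FRAME_PAYLOAD, body_len - sent, self.client_view)
            if chunk == 0:
                # The client believes the window is exhausted and waits for a
                # WINDOW_UPDATE the server has no reason to send; a real client
                # eventually gives up with RST_STREAM, cancelling the request.
                return sent, "stalled"
            self.client_view -= chunk
            self.server_view -= chunk
            sent += chunk
            self._server_consume(chunk)
        return sent, "complete"


if __name__ == "__main__":
    for fixed in (False, True):
        model = ConnectionWindowModel(256 * 1024, advertise_delta_at_start=fixed)
        print("advertise delta:", fixed, "->", model.client_post(200_000), model.window_updates)
```

Note that SETTINGS_INITIAL_WINDOW_SIZE is not a fix: it only changes stream windows, so a receiver that wants a larger connection window has to send the delta as a WINDOW_UPDATE, which is what the fixed branch of the model does and what keeping receive-window at or below the threshold avoids needing.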
629085-2 : Any CSS content truncated at a quoted value leads to a segfault
Component: TMOS
Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.
Example:
...
.c1 {background-image: url('some
Conditions:
CSS ends without closing quote in value.
Example:
...
.c1 {background-image: url('some
Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.
Workaround:
Use a particular iRule.
629017 : Comparison Charts persist only while you stay on the page
Component: Advanced Firewall Manager
Symptoms:
Comparison Charts are not persisted and if the page is reloaded or navigated away from in any other way, the charts will be lost.
Conditions:
Refreshing the page while looking at comparison charts.
Impact:
Settings are not preserved; you must reconfigure them to see the comparison.
Workaround:
None.
628164-4 : OSPF with multiple processes may incorrectly redistribute routes
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute different route types, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
626386-2 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
Component: Local Traffic Manager
Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual server and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment (part of the CertificateVerify message) as a new record, miscalculates its length, and waits endlessly for more bytes to complete the record.
Conditions:
SSL persistence is enabled and a large-sized client certificate is sent by the SSL client to the BIG-IP device.
Impact:
Client connection hangs during the handshake. No impact to any other module.
Workaround:
Disable SSL persistence.
624635-1 : BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012
Component: TMOS
Symptoms:
BIG-IP does not support more than 4 NICs.
As a result of this issue, you may encounter the following symptoms:
- BIG-IP boot time increases
- No more than 4 NICs are attached to tmm
- In the /var/log/boot.log file, you observe messages similar to the following example:
Feb 14 22:52:58 ltm-199 info plymouthd: udev still not settled. Waiting.udevd[367]: worker [380] unexpectedly returned with status 0x0100
Feb 14 22:52:58 ltm-199 info plymouthd: udevd[367]: worker [380] failed while handling '/devices/LNXSYSTM:00/device:00/PNP0A03:00/device:08/VMBUS:01/vmbus_11'
Feb 14 22:52:58 ltm-199 info plymouthd: udevd[367]: worker [373] unexpectedly returned with status 0x0100
RHEL 7.2 (or newer) guests are similarly affected, so this issue is not unique to BIG-IP 7.2 kernels.
The issue is not reproduced on Hyper-V on Windows Server 2012 R2.
Conditions:
This issue occurs when all of the following conditions are met:
- Your hypervisor is Hyper-V on Windows Server 2012
- You have more than 4 NICs attached to the BIG-IP
Impact:
BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012
624626-4 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
Component: TMOS
Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:
01020036:3: The requested Certificate File (/Common/example.crt) was not found
Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.
Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.
Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:
tmsh delete sys crypto cert example
tmsh delete sys crypto key example
624325 : Device error: crypto codec queue is stuck
Component: Local Traffic Manager
Symptoms:
Under some stress conditions, the N3FIPS device in the 10350F platform may stop responding to requests and cause the following error logs to appear in /var/log/ltm.log:
Oct 3 11:44:53 n3fips-1 crit tmm1[20259]: 01010025:2: Device error: crypto codec fips-crypto0-1 queue is stuck.
Oct 3 11:44:53 n3fips-1 crit tmm9[20259]: 01010025:2: Device error: crypto codec fips-crypto0-9 queue is stuck.
From this point on, the command "tmsh show sys crypto fips" will always return an error. As a result, the following SNMP trap will be generated:
V2Trap(140) .1.3.6.1.2.1.1.3.0=12682 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.3375.2.4.0.156 .1.3.6.1.4.1.3375.2.4.1.1="Vendor init error: -36 FIPS device fault" .1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.3375.2.4
Conditions:
This is seen randomly under some stress conditions.
Impact:
The unit can no longer process any FIPS related traffic and all FIPS operations will fail. Rebooting the unit will cause the FIPS device to disappear from the system and it will not find any supported FIPS devices.
Workaround:
Power cycling the unit will recover full FIPS functionality. This can be done by selecting "P --- Power on/off host subsystem" in the AOM Command Menu and then toggling the power state.
624231-3 : No flow control when using content-insertion with compression
Component: Policy Enforcement Manager
Symptoms:
Packets can get queued in PEM and cause a performance impact.
In some cases this can cause memory corruption.
Conditions:
This issue can happen when there are many connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.
Impact:
Performance impact to flows and possible system crash.
Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.
624061 : RSA authentication may fail on edge client on some older windows 10 builds
Component: Access Policy Manager
Symptoms:
The Edge client on Windows may fail to fetch the passcode from the RSA soft token even when the user enters the correct PIN. This results in an authentication failure, and the client logs contain the following entry:
UWebBrowserParser::Invoke, GetPasscode failed: No tokens found!
Conditions:
- The Windows 10 machine is not updated with the latest update
- RSA authentication is configured on the server
- The integrated soft token is used to get token information
Impact:
Client authentication fails.
Workaround:
- Install the latest Windows 10 update.
623862 : Google Chrome may not launch F5 VPN app automatically in specific case
Component: Access Policy Manager
Symptoms:
Google Chrome may not launch the F5 VPN app when auto-launch is enabled for a Network Access resource and the previous agent in the Access Policy is an endpoint agent.
Conditions:
All conditions should be met:
- Google Chrome is used to access APM;
- The webtop has auto-launch of a Network Access resource configured, or the webtop is of type 'Network Access';
- An endpoint agent check is the last interactive agent before the webtop in the Access Policy.
Impact:
Auto-launch does not work.
Workaround:
To launch the application, click its tile.
To avoid the issue in general: add a MessageBox agent between the last endpoint agent and the 'Allow' ending so that Google Chrome can get focus before the webtop is shown.
623084-5 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★
Component: Local Traffic Manager
Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration has a dhcp virtual server configured with any profile other than /Common/udp.
Conditions:
In a pre-11.6.0 configuration, having a dhcp type virtual server with a profile other than /Common/udp and then upgrading to 11.6.0 or later.
Impact:
mcpd fails to load the configuration. The BIG-IP will not be operational until the configuration is changed and loaded.
Workaround:
Before the upgrade, change the profile to /Common/udp.
The same change can be made to the bigip.conf file after the upgrade. Then load the configuration with: tmsh load /sys config
622160 : ICMPv6 packets can have the wrong source IP if an IPv6 VIP has IPv4 pool members
Component: Local Traffic Manager
Symptoms:
The ICMPv6 packet has the IPv4-mapped IPv6 self IP address as its source IP instead of the IPv6 self IP address configured on the unit.
Conditions:
An IPv6 forwarding VIP with no translation references IPv4 pool members, and the PMTU to the next hop is less than the packet size sent by the server.
Impact:
ICMPv6 packets are sent with the wrong source IP address.
621976-5 : OneDrive for Business thick client shows JavaScript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
The OneDrive for Business thick client shows JavaScript errors when rendering the APM logon page.
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the JavaScript errors eventually leads to successful authentication and a working OneDrive for Business app.
Workaround:
Click through the JavaScript error dialogs.
621974-5 : Skype for Business thick client shows JavaScript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
The Skype for Business thick client shows JavaScript errors when rendering the APM logon page.
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the JavaScript errors eventually leads to successful authentication and a working Skype for Business app.
Workaround:
Click through the JavaScript error dialogs.
621870-1 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.
Conditions:
VIP-VIP configuration
Impact:
System outage
Workaround:
None.
620659-4 : The BIG-IP system may unnecessarily run provisioning on successive reboots
Component: TMOS
Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'
During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'
Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).
Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.
The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
<13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB
The /var/log/tmm logfile on the vCMP guest will contain:
<13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
<13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
<13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **
Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.
620625-3 : Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail
Component: Local Traffic Manager
Symptoms:
When Connection.VlanKeyed is modified, asymmetric/npath connections may fail.
Conditions:
Connection.VlanKeyed bigd key is modified.
Impact:
Asymmetric/npath routed connections may fail.
Workaround:
Restarting TMM resolves the issue, but this interrupts traffic and so should be performed during a maintenance window. To do so, run one of the following commands:
-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm
620556-2 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
Component: Local Traffic Manager
Symptoms:
Fragmented packets may be transmitted to the clone pool members of a virtual server that is also forwarding its traffic to another virtual server.
Conditions:
One virtual server is configured to forward traffic to another one using an iRule, for example:
when CLIENT_ACCEPTED {
    virtual another_virtual
}
This forwarding virtual server also has a clone pool configured.
Impact:
Fragmented packets are transmitted to the clone pool members, which affects performance and may trigger some intrusion detection systems.
619958 : Thales HSM in HA with Failure can cause key creation delay for over 1 minute
Component: Local Traffic Manager
Symptoms:
When an HSM goes offline in an HA HSM configuration, the switchover to the other HSM will not occur immediately. After the failover timeout, the switchover will occur, but in the meantime SSL handshakes will fail.
Conditions:
Whenever there is a disruption to a Thales HSM configured in HA with at least one other HSM.
Impact:
SSL handshakes fail between when the HSM goes down and when the failover timeout occurs.
Workaround:
Lower the relevant settings in the /opt/nfast/kmdata/config/config file. The Thales User Guide has a detailed explanation of what each setting does. Thales recommends that in a production setup, unless there is a solid reason to modify these settings, the default values are used.
Here are two example configs with lower timeouts:
Very tight settings
[server_settings]
connect_retry=1
connect_keepalive=10
connect_broken=1
connect_command_block=0
Please note that this can cause a module to be marked as failed when there is just a short network glitch from which it may well recover.
More relaxed settings
[server_settings]
connect_retry=3
connect_keepalive=4
connect_broken=10
connect_command_block=15
Following is more detailed information:
In order to limit the time where SSL connections will fail, edit the Thales config settings in /opt/nfast/kmdata/config/config.
The relevant settings are
-- connect_retry: This field specifies the number of seconds to wait before retrying a remote connection to a client hardserver. The default is 10.
-- connect_broken: This field specifies the number of seconds of inactivity allowed before a connection to a client hardserver is declared broken. The default is 90.
-- connect_keepalive: This field specifies the number of seconds between keepalive packets for remote connections to a client hardserver. The default is 10.
-- connect_command_block: When a netHSM has failed, this field specifies the number of seconds the hardserver should wait before failing commands directed to that netHSM with a NetworkError message. For commands to have a chance of succeeding after a netHSM has failed this value should be greater than that of connect_retry. If it is set to 0, commands to a netHSM are failed with NetworkError immediately, as soon as the netHSM fails. The default is 35.
A slightly tighter setting than the default settings looks similar to the following:
[server_settings]
connect_retry=3
connect_keepalive=4
connect_broken=10
connect_command_block=15
A very tight setting looks similar to the following (Note: This can cause a module to be marked as failed when there is just a short network glitch from which it may well recover):
[server_settings]
connect_retry=1
connect_keepalive=10
connect_broken=1
connect_command_block=0
Thales recommends that in a production setup, unless there is a solid reason to modify these settings, it is best to use the default values.
619844-3 : Packet leak if reject command is used in FLOW_INIT rule
Component: Local Traffic Manager
Symptoms:
TMM memory usage (packets) increases steadily over time.
Conditions:
'reject' command is used in a FLOW_INIT rule
Impact:
Packet leak over time will consume TMM memory.
Workaround:
Do not use the reject command in a FLOW_INIT iRule.
619444 : Edge browser prompts user to install f5-vpn from Windows Store
Component: Access Policy Manager
Symptoms:
When there are no components installed and user launches Network Access resource using Edge browser, Edge browser prompts user to install f5-vpn from Windows Store.
This is confusing because there is no f5-vpn application in the Microsoft Store.
Conditions:
- No recent F5 Networks client components installed on the system.
- APM configured.
- Edge Browser is used.
Impact:
Potential confusion, which might generate support calls.
Workaround:
Have end users dismiss this dialog box and follow the prompts in the browser to download and install F5 client components.
618441 : Minification is not applied to HTML when configured
Component: WebAccelerator
Symptoms:
AAM policy has an option to minify JavaScript, CSS, and HTML content. When this option is turned on for a policy node matching HTML responses, BIG-IP no longer minifies the content.
Conditions:
AAM module is enabled and a virtual server has web acceleration profile with an AAM policy where HTML minification is enabled.
Impact:
Optimization for HTML content minification is not applied. Thus the size of a resulting response may be less optimal.
Workaround:
None.
618430-1 : iRules LX data not included in qkview
Component: Local Traffic Manager
Symptoms:
Qkview does not contain any of the iRuleLX information.
Conditions:
N/A
Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.
618222-1 : Loop detection implementation logic violates branch parameter compliance with RFC3261
Component: Service Provider
Symptoms:
Branch parameter compliance with RFC 3261 dictates that the ACK for a non-2xx response has the same branch ID as the INVITE whose response it acknowledges.
However, on BIG-IP, if loop detection is enabled, the branch parameter value differs.
Conditions:
This occurs when the loop detection flag is enabled in the sipsession object.
Impact:
The branch parameter values of the INVITE and of the ACK for a non-2xx response differ even though they are part of the same transaction. This violates RFC 3261.
Workaround:
Disable the loop detection flag in the sipsession object.
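The RFC 3261 branch rule this entry refers to (section 17.1.1.3), as a checker that can be run over captured signalling: the ACK for a non-2xx final response must reuse the top Via branch of the INVITE it acknowledges, whereas the ACK for a 2xx is a separate transaction with its own branch. This is an added example with constructed sample messages; it is not BIG-IP code and does not model the loop-detection feature itself.

```python
"""RFC 3261 branch-parameter checker for INVITE / final response / ACK triples.
Constructed example; not BIG-IP code."""
import re
from typing import Optional

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261 requires every branch value to start with this


def start_line(msg: str) -> str:
    return msg.split("\r\n", 1)[0]


def top_via_branch(msg: str) -> Optional[str]:
    """Branch parameter of the topmost Via header (long 'Via' or compact 'v')."""
    for line in msg.split("\r\n")[1:]:
        if line == "":
            break                       # blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            m = re.search(r";\s*branch\s*=\s*([^;\s,]+)", value)
            return m.group(1) if m else None
    return None


def status_code(response: str) -> int:
    m = re.match(r"SIP/2\.0\s+(\d{3})", start_line(response))
    if not m:
        raise ValueError("not a SIP response")
    return int(m.group(1))


def check_ack_branch(invite: str, response: str, ack: str) -> str:
    """Return 'ok', 'ok-2xx-separate-transaction', or a violation description."""
    if not start_line(invite).startswith("INVITE ") or not start_line(ack).startswith("ACK "):
        return "not-an-invite-ack-pair"
    inv_branch, ack_branch = top_via_branch(invite), top_via_branch(ack)
    if inv_branch is None or ack_branch is None:
        return "missing-branch"
    if not (inv_branch.startswith(MAGIC_COOKIE) and ack_branch.startswith(MAGIC_COOKIE)):
        return "branch-missing-magic-cookie"
    if 200 <= status_code(response) < 300:
        return "ok-2xx-separate-transaction"   # ACK for 2xx is its own transaction
    if inv_branch == ack_branch:
        return "ok"
    return f"branch-mismatch: INVITE={inv_branch} ACK={ack_branch}"


def build(start: str, branch: str, cseq_method: str) -> str:
    """Assemble a minimal SIP message with a single Via header (constructed)."""
    return "\r\n".join([
        start,
        f"Via: SIP/2.0/UDP pc33.atlanta.example.com;branch={branch}",
        "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774",
        "To: Bob <sip:bob@biloxi.example.com>",
        "Call-ID: a84b4c76e66710",
        f"CSeq: 314159 {cseq_method}",
        "Content-Length: 0",
        "",
        "",
    ])


# Constructed sample dialogue: one INVITE, a 486 and a 200, and two ACKs.
BOB = "sip:bob@biloxi.example.com"
INVITE = build(f"INVITE {BOB} SIP/2.0", "z9hG4bK776asdhds", "INVITE")
BUSY = build("SIP/2.0 486 Busy Here", "z9hG4bK776asdhds", "INVITE")
OK200 = build("SIP/2.0 200 OK", "z9hG4bK776asdhds", "INVITE")
ACK_SAME_BRANCH = build(f"ACK {BOB} SIP/2.0", "z9hG4bK776asdhds", "ACK")
ACK_NEW_BRANCH = build(f"ACK {BOB} SIP/2.0", "z9hG4bK9f2a1c", "ACK")

if __name__ == "__main__":
    print(check_ack_branch(INVITE, BUSY, ACK_SAME_BRANCH))   # ok
    print(check_ack_branch(INVITE, BUSY, ACK_NEW_BRANCH))    # branch-mismatch: ...
    print(check_ack_branch(INVITE, OK200, ACK_NEW_BRANCH))   # ok-2xx-separate-transaction
```

The second call is the shape of the deviation this entry describes: a 486 answered by an ACK whose branch differs from the INVITE's.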
616021-6 : Name Validation missing for some GTM objects
Component: TMOS
Symptoms:
BIG-IP fails to load GTM Configurations where names of some objects contain a control character.
Conditions:
User creates a GTM object with a control character in the name.
Impact:
Causes the config to fail to load.
Workaround:
Remove control characters before creating GTM objects.
615816 : APM session is terminated automatically if web based VPN client is running
Component: Access Policy Manager
Symptoms:
If user logs onto APM and launches the VPN client and then closes the browser, the VPN will continue to run and the session will not stop. This is a change in behavior from previous plugin-based web clients.
Conditions:
- VPN client is launched from the browser and is running when browser is closed.
Impact:
The user must explicitly close the VPN application as well as the browser to log out of the session.
Workaround:
Close both the browser and the VPN client to stop the session.
615372 : Occasional TCP resets during connection initiation (RST cause is "No local listener")
Component: TMOS
Symptoms:
Occasionally, the BIG-IP will send a TCP RST in response to an initial SYN with the reset cause "No local listener". This does not affect subsequent connections from the client, so they are likely to succeed.
The reset cause for a packet can be logged by setting the DB variable TM.rstcause.log to enable. The reset cause can be sent in the RST packet by setting the DB variable TM.rstcause.pkt to enable.
Conditions:
A virtual server is configured to use TCP and a client initiates a connection.
Impact:
The attempted connection is reset. Subsequent attempts are likely to succeed.
613542-1 : tmm core while running the iRule STATS:: command
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED
611691-6 : Packet payload ignored when DSS option contains DATA_FIN
Component: Local Traffic Manager
Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.
Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.
Impact:
The last packet of data is not received.
Workaround:
Disable MPTCP.
610360 : Browser cache cleanup may be required for endpoint check to work
Component: Access Policy Manager
Symptoms:
When attempting to run an APM endpoint check, the browser shows "Checking Client.." and does not complete the operation. In some cases, you might need to clear the JavaScript cached in the browser to run the endpoint check.
Conditions:
- BIG-IP is upgraded to 13.0
- You connect to APM within an hour of connecting to a system running an older version of APM.
Impact:
Cannot finish connecting to APM.
Workaround:
Clear the browser's cache and connect again.
610307-4 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
Component: TMOS
Symptoms:
This error message may be generated once or twice at shutdown:
01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.
Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.
Impact:
None. This can be ignored.
Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.
610122 : Hotfix installation fails: can't create /service/snmpd/run★
Component: TMOS
Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.
Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.
Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.
Workaround:
- Install the hotfix directly to a new slot that has not been booted into before, using a command similar to the following:
tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4
609200-1 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★
Component: TMOS
Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.
Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt to install a hotfix to the installation target.
Impact:
Cannot install hotfix.
Workaround:
Delete the target location, and perform the hotfix installation again.
Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.
608304-2 : TMM crash on memory corruption
Component: Local Traffic Manager
Symptoms:
In rare cases tmm might crash on memory corruption.
Conditions:
It is not known what sequence of events triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
608245-1 : Reporting missing parameter details when attack signature is matched against parameter value
Component: Application Security Manager
Symptoms:
A parameter is shown without parameter details, or with garbled parameter details, in the local logging GUI.
Conditions:
An attack signature was detected in a parameter value.
Impact:
Incorrect reporting.
Workaround:
N/A
607980 : DoS/Firewall GUI will not work with IE versions 10 or lower
Component: Advanced Firewall Manager
Symptoms:
GUI pages may not be rendered at all (blank pages) or will show gibberish.
Conditions:
Using the BIG-IP TMUI with IE 10 or lower.
Impact:
GUI pages may not be rendered at all (blank pages) or will show gibberish.
Workaround:
Use IE-11 or Microsoft Edge.
607693 : MTU values in the range [9001-9198] are not supported on some operating systems.
Component: TMOS
Symptoms:
Some hypervisors do not support MTU values higher than 9000, so modifying the MTU to a value in the [9001-9198] range is not supported.
Conditions:
Running on a hypervisor/host that doesn't support MTU value higher than 9000 for network interfaces.
Impact:
Trying to set the MTU to a value within [9001-9198] results in BIG-IP responding with an "Invalid argument" error.
Workaround:
There is no workaround, because the limitation is on the hypervisor side. Consult the hypervisor documentation to find out what range of MTU values the given host supports.
607246-8 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
Component: Local Traffic Manager
Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile.
Conditions:
Encrypted cookie persistence with fallback, where the fallback persistence has a short enough timeout that a request containing a valid cookie is handled after the fallback entry has expired.
Impact:
Persistence fails after the fallback entry expires.
Workaround:
Change cookie-encryption to preferred, which allows persistence on either an encrypted or a decrypted cookie.
605840-6 : HSB receive failure lockup due to unreceived loopback packets
Component: TMOS
Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***
Conditions:
Unknown.
Impact:
The unit is rebooted.
Workaround:
None.
605792 : Installing a new version changes the ownership of administrative users' files★
Component: TMOS
Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.
Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.
Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.
Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.
605018 : Citrix StoreFront integration mode with pass through authentication fails for browser access
Component: Access Policy Manager
Symptoms:
Citrix StoreFront integration mode with pass-through authentication fails for browser access. After the credentials are provided, browser access repeatedly shows 'Can not complete the request' and asks the user to press 'OK'.
Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- The external access virtual server IP is used in the 'Subnet IP address' column of the Citrix gateway configuration.
- Request Header Insert [X-Citrix-Via-Vip:10.10.10.10] is configured on the HTTP profile of the same virtual server, where 10.10.10.10 is the virtual server IP address.
Impact:
No browser access to StoreFront.
Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can work around this issue by stripping duplicate X-Citrix-Via-Vip headers with an iRule such as the following, where 10.10.10.10 must be replaced with the corresponding external access virtual IP address:
when HTTP_REQUEST {
    if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}
603681 : Updating pool members using iControl REST "PUT" resets monitors
Component: Local Traffic Manager
Symptoms:
Issuing an iControl REST call using 'PUT' on a pool results in a "replace-all-with" behavior that deletes and recreates the pool members with the specified attributes, and uses system-defaults for unspecified attributes. This delete-and-replace behavior causes the monitor status to reset to 'unchecked' for the newly-created pool members; and if health monitors are applied to pool members, the status will eventually transition based on health checks (e.g., to "up" or "down").
This behavior may be surprising if the user expected the iControl REST call using 'PUT' on a pool to leave the monitor status unchanged for individual pool members.
Conditions:
Issuing an iControl REST call using 'PUT' to modify a pool.
Impact:
The iControl REST 'PUT' method on a collection overwrites all the members of that collection (e.g., all the members are deleted and re-created using the information provided).
Because modifying a pool using 'PUT' causes all the pool members to be deleted and recreated, each pool member health status reverts to 'unchecked' (because the pool member is newly-created). If health monitor(s) are applied to pool members, then each pool member will eventually transition to a new status based on the result of subsequent health checks (e.g., to "up" or "down").
Workaround:
Use the iControl REST 'PATCH' method to individually modify members of a pool. This method is "safe" in that it will modify only that pool member, and the monitor health status will persist (based on its previous state and any associated health monitors).
Note: You should generally prefer 'PATCH' over 'PUT' for iControl REST calls to modify collections. Using 'PATCH' will (safely) modify individual pool members, while using 'PUT' on the pool will cause "replace-all-with" to delete-and-recreate pool members (thereby resetting individual pool member health status).
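The two update semantics described in this entry, modelled in code so the difference is visible: a PUT on the pool replaces the member collection and re-creates every member with default attributes, while a PATCH on one member changes only the attributes sent. This is an added example of the behaviour the entry describes, not F5 code; the pool and member objects are constructed here and nothing talks to a device. The member URI format (`~Common~` standing for the /Common/ folder) is the real iControl REST path shape a PATCH is sent to.

```python
"""PUT (replace-all-with) versus PATCH (modify one member) on a pool.
Constructed model of the iControl REST semantics described above; not F5 code."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Member:
    name: str                           # e.g. "10.0.0.1:80"
    ratio: int = 1
    monitor_status: str = "unchecked"   # the monitor sets "up"/"down" after a health check


@dataclass
class Pool:
    name: str
    members: Dict[str, Member] = field(default_factory=dict)


def member_uri(partition: str, pool: str, member: str) -> str:
    """iControl REST path for one member; '~' stands in for '/' in folder names."""
    return f"/mgmt/tm/ltm/pool/~{partition}~{pool}/members/~{partition}~{member}"


def put_pool(pool: Pool, body: dict) -> Pool:
    """PUT on the pool: the member collection is replaced.  Each member is
    re-created from the body with defaults for unspecified attributes, so
    monitor_status starts over at 'unchecked' even for members that existed."""
    pool.members = {
        m["name"]: Member(m["name"], ratio=m.get("ratio", 1))
        for m in body.get("members", [])
    }
    return pool


def patch_member(pool: Pool, member: str, body: dict) -> Member:
    """PATCH on one member: only the attributes in the body change; the object,
    and with it the monitor status, survives."""
    target = pool.members[member]
    for key, value in body.items():
        setattr(target, key, value)
    return target


def demo() -> Tuple[str, str]:
    """Monitor status of 10.0.0.1:80 after a PATCH and then after a PUT."""
    pool = Pool("web_pool", {
        "10.0.0.1:80": Member("10.0.0.1:80", monitor_status="up"),
        "10.0.0.2:80": Member("10.0.0.2:80", monitor_status="down"),
    })
    patch_member(pool, "10.0.0.1:80", {"ratio": 3})
    after_patch = pool.members["10.0.0.1:80"].monitor_status
    put_pool(pool, {"members": [{"name": "10.0.0.1:80", "ratio": 3},
                                {"name": "10.0.0.2:80"}]})
    after_put = pool.members["10.0.0.1:80"].monitor_status
    return after_patch, after_put


if __name__ == "__main__":
    print(member_uri("Common", "web_pool", "10.0.0.1:80"))
    print(demo())   # ('up', 'unchecked')
```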
603609-1 : Policy unable to match initial path segment when request-URI starts with "//"
Component: Local Traffic Manager
Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".
Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".
Impact:
The policy does not match in this case.
Workaround:
The policy could be modified to scan the full URI instead of just the path element; however, care should be taken to correctly handle potential matches with absolute URIs or in the query string.
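The matching problem and the care the workaround calls for, shown as code. This is an added illustration; the matchers are constructed here and are not BIG-IP's policy engine. `naive_initial_segment` shows why a matcher that takes the text between the first two slashes sees an empty segment for a request-URI starting with "//", and `stdlib_netloc` shows a second trap of scanning the raw URI: a generic URL parser reads "//admin" as a host. The `robust_*` functions reduce absolute-form targets to their path, never scan the query string, and drop empty segments, which is how most origin servers route such a request.

```python
"""Initial-path-segment matching against request-URIs that begin with '//'.
Constructed example; not BIG-IP's policy engine."""
import re
from typing import List
from urllib.parse import urlsplit

ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def naive_initial_segment(path: str) -> str:
    """Text between the first and second slash; '' for '//admin/users'."""
    return path.split("/", 2)[1] if path.startswith("/") else path.split("/", 1)[0]


def stdlib_netloc(request_uri: str) -> str:
    """What urlsplit reports as the host for the same string."""
    return urlsplit(request_uri).netloc


def path_of(request_uri: str) -> str:
    """Path component of a request-target, without query or fragment.

    Absolute-form targets ('http://host/a/b') go through urlsplit; origin-form
    targets are cut at '?' by hand so that a leading '//' stays part of the path.
    """
    if ABSOLUTE_FORM.match(request_uri):
        return urlsplit(request_uri).path or "/"
    return request_uri.split("?", 1)[0].split("#", 1)[0]


def robust_segments(request_uri: str) -> List[str]:
    """Path segments with empty ones (from '//', '///', a trailing '/') dropped."""
    return [s for s in path_of(request_uri).split("/") if s]


def robust_initial_segment(request_uri: str) -> str:
    segs = robust_segments(request_uri)
    return segs[0] if segs else ""


def robust_path_contains(request_uri: str, value: str) -> bool:
    """'Anywhere in path' match on the normalised path only, never the query."""
    return value in "/" + "/".join(robust_segments(request_uri))


if __name__ == "__main__":
    for uri in ["/admin/users", "//admin/users", "http://example.test/admin/users",
                "/users?next=/admin"]:
        print(f"{uri:36} naive={naive_initial_segment(uri)!r:9} "
              f"netloc={stdlib_netloc(uri)!r:16} robust={robust_initial_segment(uri)!r}")
```

A policy that is meant to gate a path like /admin should match the normalised form so that "//admin/users" and "/admin/users" are treated alike, while "/users?next=/admin" is not matched on the value in its query string.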
603298 : Citrix Storefront integration mode gateway access reconnect fails
Component: Access Policy Manager
Symptoms:
After logging out from Citrix Receiver, clicking "Refresh Apps" and providing credentials gives an error: "Your logon has expired. Please logon again to continue."
Conditions:
BIGIP APM is configured in Storefront integration mode. Storefront remote access gateway configurations for APM leave the "Subnet IP address" as blank.
Impact:
Citrix Receiver reconnect to the store does not work
Workaround:
On the HTTP profile of the virtual server, configure Request Header Insert with the header X-Citrix-Via:<single fqdn url>.
602708-3 : Traffic may not pass through CoS by default
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, traffic forwarded by TMM may not pass through the CoS it was received with.
Conditions:
IP forwarding Virtual server.
Traffic received with priority other than 3.
Impact:
Traffic is set to priority 3 and may cause issues on other networking devices.
Workaround:
Create a default Class of Service configuration or apply QoS settings in the FastL4 profile.
601727 : Some FQDN nodes are not correctly created
Component: Local Traffic Manager
Symptoms:
When an FQDN node resolves to multiple addresses, the nodes for the resolved-addresses may not be correctly created.
Conditions:
When an FQDN node resolves to multiple addresses in an address pool, and the DNS resolution gives a subset of the addresses in the pool instead of returning all the addresses.
Impact:
Some addresses returned by the DNS resolution may cause the node to disappear from the BIG-IP.
Workaround:
Set up the DNS server to always return all the addresses. In other words, the DNS resolution should be stable.
601076-1 : Fix watchdog event for accelerated compression request overflow
Component: TMOS
Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.
Conditions:
Very rapid queuing of concurrent accelerated compression requests.
Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.
Workaround:
Disable hardware-accelerated compression with:
% tmsh modify sys db compression.strategy value softwareonly
600836 : Manager role functions differently in GUI and CLI.
Component: Advanced Firewall Manager
Symptoms:
The restriction of "Manager role" is different in GUI and CLI. Specifically:
GUI - Manager role can't modify security policy of virtual server.
CLI - Manager role can modify security policy of virtual server.
Conditions:
Using GUI and CLI with Manager role user account.
Impact:
Differing roles make usage confusing.
Workaround:
None.
600458-1 : TCP resets occurring under high load
Component: Performance
Symptoms:
When a BIG-IP is under a high load, a large number of TCP resets occur. This affects flow teardown only. Some of those resets are due to spurious retransmissions of client or server FINs. Some are due to ePVA reordering the client's final ACK with its FIN.
Conditions:
A BIG-IP is under a high load.
Impact:
Possible minimal performance loss.
Workaround:
Configure a small time-wait, for example, 0.5.
599803-1 : TMM accelerated compression incorrectly destroying in-flight contexts.
Component: Performance
Symptoms:
You see a tmm core while using compression profiles.
Conditions:
Related to use of hardware compression.
Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.
Workaround:
Disable accelerated compression using the following command:
% tmsh modify sys db compression.strategy value softwareonly
598650-5 : apache-ssl-cert objects do not support certificate bundles
Component: TMOS
Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.
Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.
Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.
598401 : Google Chrome prompts to launch xdg-open for endpoint inspection or network access resource
Component: Access Policy Manager
Symptoms:
On some Linux distributions, Google Chrome prompts to open the f5epi:// and f5vpn:// URL schemes with xdg-open if the f5vpn and f5epi applications are not installed. This may confuse the user trying to connect.
Conditions:
Chrome is used on Linux to connect to the VPN.
Impact:
Usability impact. User will see a popup from APM to install missing components.
597564 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
Component: TMOS
Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user manually edits the bigip.conf file and removes the 'app-service' statement from a virtual server, 'tmsh load sys config' loads the configuration without error, which is incorrect.
Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.
Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:
May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.
Workaround:
Exercise caution when manually editing BIG-IP configuration files.
595863 : Native RDP resource fails to SSO to backend if username contains Greek small letter final sigma (ς)
Component: Access Policy Manager
Symptoms:
Native RDP resource fails to SSO to the backend if the username contains the Greek small letter final sigma (ς).
Conditions:
A non-ASCII username containing the Greek letter ς (http://www.charbase.com/03c2-unicode-greek-small-letter-final-sigma) causes SSO to the backend to fail.
Impact:
A user with a Greek small final sigma in the username cannot log on automatically to the RDP backend.
Workaround:
Do not use SSO for this particular user, e.g., assign non-SSO resource instead.
595835 : SSL forward proxy chaining does not work with next hop Transparent proxy mode without adding route
Component: Access Policy Manager
Symptoms:
SSL forward proxy chaining is not working for Explicit-Transparent and Transparent-Transparent proxy chaining modes if there is no route added for end destination network.
Conditions:
- Configure 1st Proxy as explicit or transparent and 2nd proxy as Transparent.
- Have a direct connection between them with no router in between
- Send SSL request
Impact:
SSL requests fail
Workaround:
Add a route on the BIG-IP system for the end destination network so that the next hop is known for the Explicit-Transparent or Transparent-Transparent proxy chaining modes.
594782 : Active FTP data transfer via FTP AppTunnel is interrupted after 5 minutes.
Component: Access Policy Manager
Symptoms:
The server side of the connection is closed: the virtual server sends an RST to the client 5 minutes after the download starts, even though data is still flowing.
Conditions:
If the settings for the TCP profile are default on BIG-IP then this issue will be encountered for FTP transfer of files that take longer than 5 minutes to download.
In a general case, if the idle timeout in the TCP profile is less than the keep-alive interval, and if FTP transfer takes more time than the specified TCP timeout, transfer gets interrupted.
Impact:
This affects FTP transfer of large-sized files that take more than 5 minutes (the default idle timeout in TCP profile on the BIG-IP system) to download.
Workaround:
Set the timeout to Indefinite or set the keep-alive interval to a value that is larger than idle timeout in the TCP profile. Then download does not get interrupted and completes as expected.
594585 : tmm crashes when ACL iRule with virtual command is triggered
Component: Advanced Firewall Manager
Symptoms:
If an ACL iRule with the virtual command is triggered and redirects the traffic back to the same virtual server, it can form an infinite recursion and cause tmm to crash.
Conditions:
ACL uses an iRule that chooses a virtual server inside CLIENT_ACCEPTED.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
iRules should be self-limiting, as in the following example, to avoid infinite recursion:
when CLIENT_ACCEPTED {
    # Only act on flows that arrived on the redirection port.
    if { [TCP::local_port] == 666 } {
        log "=== Redirection Port [TCP::local_port] client port [TCP::remote_port]"
        log local0. "virtual name is [virtual name]"
        set my_virtual_name "/Common/VS3"
        # Guard: never redirect to the virtual server this flow is already on,
        # otherwise CLIENT_ACCEPTED fires again and the rule recurses without limit.
        if { [virtual name] ne $my_virtual_name } {
            virtual $my_virtual_name
        } else {
            log local0. "preventing recursive call"
        }
    }
}
592612 : An application can fail to connect to a backend server in some cases if Optimized tunnels are configured using hostnames only
Component: Access Policy Manager
Symptoms:
If an NA resource contains only Optimized tunnels that use hostnames only, an application might fail to connect to a backend server if the NA resource was manually reconnected and the application had already established a connection to that server before the reconnect.
Conditions:
- NA resource with Optimized Tunnels only
- Optimized tunnel configured using hostname only
- NA resource was manually reconnected or user created a new APM session
- User application established the first connection before the NA was manually disconnected and connected again.
Impact:
Unable to use the configured network resources.
Workaround:
Several options can be considered:
Option #1
Add Optimized tunnels using IP addresses to this NA resource.
Option #2
Configure the Network Tunnel with a proper IP Split Scope for this NA resource.
Option #3
Restarting the user application might help.
592410 : libQt5WebKit.so.5 is required to install F5 web clients
Component: Access Policy Manager
Symptoms:
When installing web client packages downloaded from APM, installation may fail on certain Linux distributions with the following error message: nothing provides libQt5WebKit.so.5().
Conditions:
Installation is attempted on a Linux distribution running a pre-5.0 version of libQT.
Impact:
User cannot install F5 web clients for VPN and endpoint check on Linux.
Workaround:
As a workaround, either use a distribution of Linux that has libQt5WebKit.so.5 or later installed, or install libQt5WebKit.so.5 or later before installing web clients.
592194 : Rarely, an HSB transmitter failure occurs
Component: TMOS
Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.
Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.
Impact:
Reboot of the unit.
Workaround:
None.
592118 : iOS Edge Client Per-App VPN and MobileSDK connections should consume CCU license
Component: Access Policy Manager
Symptoms:
iOS Edge Client Per-App VPN and MobileSDK connections do not consume a CCU license.
Conditions:
iOS Edge Client Per-App VPN and MobileSDK
Impact:
CCU license not consumed
590291 : Web clients (f5epi and f5vpn) require version 5.5 of QT package on all distributions of Linux
Component: Access Policy Manager
Symptoms:
The new web client depends on Qt library version 5.5. On some Linux distributions, this version may not be available in standard repositories. Web client installation fails on such distributions.
Conditions:
Qt library version 5.5 is not available on the Linux distribution on which the web client is being installed.
Impact:
Web client cannot install.
Workaround:
As a workaround, obtain the required Qt library from a non-standard repository, or build it from source, and install it on the distribution before installing the web client.
590091-4 : Single-line Via headers separated by a single comma result in the first character of the second header being stripped.
Component: Service Provider
Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').
Conditions:
Multiple Via headers on single-line separated by a single comma (',').
Impact:
Leading character of 2nd Via header will be stripped e.g. 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.
Workaround:
None.
588752 : APM Login Performance may be degraded
Component: Performance
Symptoms:
A high number of logins per second can cause increased latency. The actual login rate that can cause the increased latency depends on the Access Policy configuration and network characteristics. In a typical configuration and network setup, you should not observe noticeable latency if logins per second is less than a few hundred.
Conditions:
Very high rate of login requests. More noticeable if the login-per-second rate is more than several hundred.
Impact:
End users will experience slower login or login failure.
Workaround:
None.
588521 : Port/Protocol packet filter might fail to capture IPv6 fragments.
Component: Local Traffic Manager
Symptoms:
Port/Protocol packet filter might fail to capture IPv6 fragments.
Conditions:
This can occur under the following conditions:
- Virtual server is configured to use packet filters.
- Packet filter is based on a port number.
- Filter default action is discard.
- IPv6 protocol is being used.
Impact:
The BIG-IP system will not be able to process IPv6 traffic.
Workaround:
For IPv6, instead of using a rule such as 'dst port 50000', filter based on raw fragment offsets (ip6[6] is the next-header field, 44 is the Fragment header, ip6[40] is the next-header field of the Fragment header, 17 is UDP, and ip6[50:2] is the two-byte UDP destination port behind the 8-byte Fragment header), for example:
'((udp dst port 50000) or (ip6[6]=44 and ip6[40]=17 and ip6[50:2]=50000))'.
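As an added illustration that is not part of the release note, the following Python models why a port-based filter misses IPv6 fragments and what the raw-offset rule in the workaround actually tests. The packets are constructed here, and the filter semantics are modeled after pcap-style expressions (an assumption about the BIG-IP packet filter).

```python
import struct

IPV6_HDR_LEN = 40   # fixed IPv6 header length
NH_UDP = 17         # next-header value for UDP
NH_FRAG = 44        # next-header value for the Fragment extension header

# Constructed sample addresses from the 2001:db8::/32 documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def build_ipv6_udp(dst_port, payload=b"data", fragment=False, first=True, offset_units=0):
    """Build a minimal IPv6 packet carrying UDP, optionally behind a Fragment header.

    first=False models a non-first fragment: its body is payload continuation only,
    so no UDP header (and therefore no port) is present in that packet at all.
    """
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    if not fragment:
        body, next_header = udp, NH_UDP
    else:
        if first:
            offset_and_flags = 0 | 1                 # offset 0, M=1 (more follow)
            data = udp                               # first fragment carries the UDP header
        else:
            offset_and_flags = (offset_units << 3)   # offset in 8-octet units, M=0 (last)
            data = payload                           # later fragments carry payload only
        frag_hdr = struct.pack("!BBHI", NH_UDP, 0, offset_and_flags, 0x1234)
        body, next_header = frag_hdr + data, NH_FRAG
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64) + SRC + DST
    return ip6 + body


def matches_udp_dst_port(pkt, port):
    """'udp dst port N' on IPv6: the UDP header must directly follow the fixed
    header (ip6[6] == 17); a Fragment header in between makes it never match."""
    if pkt[6] != NH_UDP:
        return False
    return struct.unpack_from("!H", pkt, IPV6_HDR_LEN + 2)[0] == port


def matches_fragment_rule(pkt, port):
    """The workaround's raw-offset test: ip6[6]=44 and ip6[40]=17 and ip6[50:2]=N."""
    if len(pkt) < 52:
        return False
    return (pkt[6] == NH_FRAG and pkt[40] == NH_UDP
            and struct.unpack_from("!H", pkt, 50)[0] == port)


def workaround_filter(pkt, port):
    """The complete workaround expression: either clause may accept the packet."""
    return matches_udp_dst_port(pkt, port) or matches_fragment_rule(pkt, port)


if __name__ == "__main__":
    plain = build_ipv6_udp(50000)
    first_frag = build_ipv6_udp(50000, fragment=True)
    later_frag = build_ipv6_udp(50000, fragment=True, first=False, offset_units=1, payload=bytes(8))
    print("unfragmented, port rule:", matches_udp_dst_port(plain, 50000))
    print("first fragment, port rule:", matches_udp_dst_port(first_frag, 50000))
    print("first fragment, workaround:", workaround_filter(first_frag, 50000))
    print("later fragment, workaround:", workaround_filter(later_frag, 50000))
```

Note the caveat the last case exposes: on a non-first fragment the bytes at offset 50 are payload, not a port, so the raw-offset clause only reliably accepts the first fragment of a datagram; later fragments are accepted only if their payload happens to contain the port value.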
588483 : Soft lockup may occur when vCMP host TMMs run realtime without yielding.
Component: TMOS
Symptoms:
The host TMM is using 100% CPU.
Conditions:
There are no higher priority processes preempting the host TMMs.
Impact:
Soft lockup occurs.
Workaround:
Configure the vCMP host to run with a non-zero yield percentage and restart tmm. The yield value can be configured using a Tcl option in /config/tmm_init.tcl.
For example:
echo "realtime yield 10" >> /config/tmm_init.tcl
587821 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
586621 : SQL monitors 'count' config value does not work as expected.
Component: Local Traffic Manager
Symptoms:
SQL monitors 'count' config value does not work as expected.
Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.
Impact:
SQL monitor might use a 'count' value that is incorrect.
Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.
585043-1 : Question mark prevents TMSH from loading configuration file
Component: TMOS
Symptoms:
When loading the system configuration with TMSH, if any property has a question mark (?) as its value, TMSH fails to complete the load.
Conditions:
-- Use TM Shell to load configuration.
-- String or vector-of-string properties have '?' as a value.
Impact:
TMSH fails to load system configuration file
Workaround:
None.
584414-1 : Deleting persistence-records via tmsh may result in persistence being created to different nodes
Component: Local Traffic Manager
Symptoms:
After deleting the persistence records, a connection may use persistent records to two different nodes breaking persistence.
Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).
Impact:
Client fails to persist to a particular node.
Workaround:
Avoid removing persistence records from tmsh or use iRules to remove persistence records.
583306 : Using management port as config sync address might allow its deletion.
Component: TMOS
Symptoms:
If you assign the management port as a config sync address, it's possible to delete the management port without complaint. This causes quite a few problems in multiple places (updating the sys_device, adding devices to trust, etc.)
Conditions:
The management-ip is configured as a config sync address.
Impact:
Can delete management-ip.
Workaround:
None, other than do not delete management-ip when it's configured as a config sync address.
583272-3 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
Component: Access Policy Manager
Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.
A packet capture shows the root cause: APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy
Brackets are reserved for raw IPv6 address literals. They are illegal around a DNS name, even one that resolves to an IPv6 address.
Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.
Impact:
Client is unable to authenticate.
Workaround:
None.
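An added example, not part of the release note, showing the URL rule the broken redirect violates: bracket only a raw IPv6 literal, never a DNS name. The buggy_location function is an assumed model of the described behaviour, not APM code.

```python
import ipaddress


def format_host_for_url(host: str) -> str:
    """Return the host exactly as it must appear in a URL authority.

    Per RFC 3986 only a raw IPv6 address literal is enclosed in brackets.
    A DNS name is never bracketed, even if it resolves to an IPv6 address,
    which is the mistake behind the broken Location header.
    """
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        addr = ipaddress.ip_address(bare)
    except ValueError:
        return host            # not an IP literal: a DNS name, used unchanged
    return f"[{addr}]" if addr.version == 6 else str(addr)


def buggy_location(host: str, path: str = "/my.policy") -> str:
    """Assumed model of the faulty behaviour on an IPv6 virtual server:
    the host is bracketed unconditionally, so a hostname becomes [login.example.com]."""
    return f"https://[{host.strip('[]')}]{path}"


def redirect_location(host: str, path: str = "/my.policy") -> str:
    """Corrected Location header value for the HTTP 302."""
    return f"https://{format_host_for_url(host)}{path}"


if __name__ == "__main__":
    for h in ("login.example.com", "2001:db8::1", "[2001:db8::1]", "192.0.2.1"):
        print(f"{h:20} buggy: {buggy_location(h):40} fixed: {redirect_location(h)}")
```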
582606 : IPv6 downloads stall when NA IPv4&IPv6 is used.
Component: Access Policy Manager
Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.
Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource
Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.
Workaround:
It is possible that disabling large receive offload will work as a mitigation. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
582331-7 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
581851 : mcpd, interleaving of messages / folder contexts from primary to secondary blade
Component: TMOS
Symptoms:
MCPD on secondary blades restart with Configuration error.
Conditions:
Clustered system (VIPRION or vCMP guest). The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.
Impact:
Secondary blades restart services, resulting in performance degradation or failover.
Workaround:
Issue commands as part of a transaction.
581746-6 : MPTCP traffic handling may cause a BIG-IP outage
Component: Local Traffic Manager
Symptoms:
Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a Virtual server.
Conditions:
MPTCP has been enabled on a TCP profile on a Virtual Server.
Impact:
A System outage may occur.
Workaround:
Do not enable MPTCP on any TCP profile.
580697-1 : VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch.
Component: TMOS
Symptoms:
After an FPGA firmware switch on VIPRION 2200 platforms without a system reboot, some internal HiGig ports might not operate properly.
Conditions:
Using tmsh or GUI to switch FPGA firmware on VIPRION 2200 platforms.
Impact:
This might result in the system not handling traffic properly.
Workaround:
After any FPGA firmware switch, reboot the entire chassis by running the following command: clsh reboot.
579760 : HSL::send may fail to resume after log server pool member goes down/up
Component: TMOS
Symptoms:
High speed logging: asymmetric bandwidth loss might result in no bandwidth tracking.
Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing. For a period of time after the logging node comes back up, logging events will fail to be sent. Sometimes it never recovers and tmm needs to be restarted.
Impact:
While this condition occurs, HSL::send events will not be sent to the log server.
Workaround:
If possible, configure log server pools with multiple members to avoid this condition.
579252 : Traffic can be directed to a less specific virtual during virtual modification
Component: Local Traffic Manager
Symptoms:
Traffic can be directed to a less specific virtual server during virtual server modification. It could also be dropped if there is no less specific virtual server.
Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}
ltm pool redirect-echo {
    members { 10.125.0.17:7 }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
}
Impact:
Traffic can be directed to less specific virtual server
Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.
577831 : VE does not boot without a vga console
Component: TMOS
Symptoms:
Virtual Edition (VE) does not boot and no boot messages are displayed.
Conditions:
This occurs when there is no video device present. This is an issue because by design VE grub and kernel configurations default to vga (tty0).
Impact:
VE does not boot.
Workaround:
Use a VGA console option when deploying the VE (via virt-admin, or the Xen configuration utility, etc.)
577359 : Invalid L4 packets might not match against AFM WhiteList properly
Component: Advanced Firewall Manager
Symptoms:
If BIG-IP receives invalid L4 packets, they might not match against AFM whitelist properly and hence might detect an attack from a known whitelisted IP address.
Conditions:
-- AFM DoS configured.
-- DoS "rich" whitelist configured with src IP address.
-- Sweep/Flood vector configured with pkt-type "all-pkts".
-- The BIG-IP system receives invalid Layer 4 packets (e.g., IPv6 packets that do not carry the correct next-header value).
Impact:
The system could detect an attack, even though the packets are coming from a known whitelisted IP address. A false positive on a DoS attack could be triggered. There is no impact to the packet since if the packet is invalid it will be dropped anyway.
Workaround:
Instead of AFM DoS "rich" Whitelist, use the DoS AFM Address-List Whitelist to whitelist src IP addresses.
575642 : rst_cause of "Internal error"
Component: Local Traffic Manager
Symptoms:
The rst_cause may be logged as "Internal Error". rst_cause of "Internal error" does not give a narrow reason for the reset. It means that one of the other reset causes was not matched but the exact issue cannot be determined from this generic error.
Conditions:
Heavy/normal production network usage.
Impact:
System problem diagnosis is more difficult.
Workaround:
N/A
574648 : Edge browser prompts user to install an application from Windows Store if Endpoint Inspection is configured
Component: Access Policy Manager
Symptoms:
When a user connects to an APM device configured with Endpoint Inspection for the first time using the Edge browser, the browser prompts the user to install an application from the Windows Store. This is confusing because there is no application in the store.
Conditions:
- Edge Browser is used
- APM configured with Endpoint Inspection
- No recent F5 Networks client components installed on the system
Impact:
Potential confusion, which might generate support calls.
Workaround:
Have the end user dismiss this dialog box and follow the prompts in the browser to download and install the F5 client components.
574160-7 : Publishing DNS statistics if only Global Traffic and AVR are provisioned
Component: Application Visibility and Reporting
Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.
Conditions:
LTM is not provisioned.
Impact:
The DNS chart does not show statistics.
572234-1 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
Component: Local Traffic Manager
Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.
Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.
The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.
The return route is a pool route.
The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.
Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.
Workaround:
Increase the lasthop module's TCP idle timeout.
echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp
571333-7 : fastL4 tcp handshake timeout not honored for offloaded flows
Component: TMOS
Symptoms:
When a VIP is configured with a fastl4 profile that enables full acceleration and offload state to embryonic, and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile, but it should be set to the "tcp handshake timeout" instead.
Conditions:
1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS
2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN
3. Send over SYN packet from client to server via VS
Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.
Workaround:
Set the offload state to "established"
570281 : Cannot modify 'ip-address' attribute of static ARP / NDP entries
Component: Local Traffic Manager
Symptoms:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry results in the following error:
Syntax Error: 'ip-address' may not be specified in the context of the 'modify' command. 'ip-address' may be specified using the following commands: create, list, show
Conditions:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry.
Impact:
Note: Starting in 11.6.0, the 'ip-address' attribute of an ARP/NDP record can no longer be modified. This is as-designed functionality. However, the BIG-IQ SCVMM plugin fails to work properly as a result, which might impact some configurations. For example, when the LTM gateway device is running versions later than 11.5.3, it could fail because the syntax that worked in 11.5.3 no longer works in 11.6.0 and later.
Workaround:
None.
569100 : Virtual server using NTLM profile results in benign TCL error
Component: TMOS
Symptoms:
TCL error in /var/log/ltm.
TCL error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP
Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.
Impact:
If you are using TMSH to configure virtual server and ntlm profile, validation/constraint is not performed/enforced.
Workaround:
There should be no impact to the system.
564246 : VPN cannot be used in some cases when IP filtering engine is enabled
Component: Access Policy Manager
Symptoms:
NA connects and disconnects within 30 seconds in some cases if IP filtering engine is enabled in NA configuration
Conditions:
-IP filtering engine is enabled in NA configuration
- Network Access virtual server connections are redirected to another internal virtual server in the BIG-IP configuration
Impact:
User cannot establish VPN
Workaround:
Do not redirect Virtual server connection or disable IP filtering engine.
There are a couple of other workarounds:
1. Have the same port number for both the virtual servers.
2. If the port numbers need to be different for the two virtual servers, insert a variable assignment agent that assigns the value of the client-facing port (443 in this case) to the variable session.server.network.port. Use the Custom Variable and Text selections of the agent.
example:
apm policy agent variable-assign /Common/na_act_variable_assign_ag {
    variables {
        {
            expression "return {443}"
            varname session.server.network.port
        }
    }
}
564105-1 : ArcSight gives error on specific transactions
Component: Application Security Manager
Symptoms:
The ArcSight remote logger shows error messages when trying to parse messages from ASM.
Conditions:
An ArcSight remote logger is configured, and a specific transaction is logged.
Impact:
Remote logging does not work for the affected transaction.
Workaround:
N/A
563689-1 : ZebOS configuration cannot be loaded via imish when service password-encryption is set
Component: Local Traffic Manager
Symptoms:
When "service password-encryption" is configured in ZebOS, encrypted passwords cannot be loaded through imish. imish will print "% Invalid input detected at '^' marker." and the password will not be loaded.
Conditions:
Dynamic routing is configured with "service password-encryption" in ZebOS config file or running config, run "imish -f <file>" or paste encrypted password into imish.
Impact:
ZebOS configuration will be incompletely loaded.
Workaround:
The config will be properly read if tmrouted is restarted. Restarting tmrouted will interrupt all dynamic routing.
The config can also be loaded without restarting tmrouted by configuring the cleartext passwords manually. They will be encrypted when the configuration is saved.
563165 : New Diameter session event triggers registered for by the PCRF should not be appended to existing registered event triggers in PEM.
Component: Policy Enforcement Manager
Symptoms:
PCRF may receive old event triggers it is not interested in.
Conditions:
PEM with a valid Gx interface receives more than one set of event triggers that the PCRF registers for.
Impact:
Increase in Diameter traffic.
562308-1 : FQDN pool members do not support manual-resume
Component: Local Traffic Manager
Symptoms:
FQDN pool members do not support manual-resume, but allow its configuration.
Conditions:
Attempting to use manual-resume for FQDN pool members.
Impact:
FQDN pool members do not honor manual-resume setting.
Workaround:
Do not configure manual-resume on FQDN pool members.
562267 : FQDN nodes do not support monitor alias destinations.
Component: Local Traffic Manager
Symptoms:
FQDN nodes do not support monitor alias destinations.
Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.
Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.
Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.
559080 : High Speed Logging to specific destinations stops from individual TMMs
Component: TMOS
Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows set the idle time to zero, but do not kill the flow.
Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.
Impact:
Logs are silently lost.
Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.
558850 : Client cannot connect to Windows 10 using ActiveX RDP client launched from the APM Webtop if "Allow connections only from computers running Remote Desktop with Network level Authentication" is disabled.
Component: Access Policy Manager
Symptoms:
Client cannot connect to Windows 10 using the ActiveX RDP client launched from the APM Webtop if "Allow connections only from computers running Remote Desktop with Network level Authentication" is disabled at the remote host.
The user is shown an error message: "The connections cannot proceed because authentication is not enabled and the remote computer requires that authentication be enabled to connect."
Conditions:
Remote server is Windows 10, "Allow connections only from computers running Remote Desktop with Network level Authentication" is not enabled on the server
Impact:
Client cannot connect to the remote server.
Workaround:
Several workarounds are available here:
1) Enable "Allow connections only from computers running Remote Desktop with Network level Authentication" on the remote server
2) Edit the registry on the remote host, or deploy the following setting as a GPO to your desktops:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SecurityLayer"=dword:00000001
"UserAuthentication"=dword:00000000
3) Using RDG may be considered as yet another possible workaround.
558763-2 : "Show All" option for large no. of security objects can cause poor performance in some browsers
Component: Advanced Firewall Manager
Symptoms:
Using "Show All" for showing a large number of security objects on GUI can be challenging for some browsers (especially IE)
Conditions:
Large number of security objects on GUI to display, use of particular browsers (especially IE)
Impact:
AFM Address List page and others may not render properly or responsively.
Workaround:
Use Chrome
557067 : Large compressed files can cause qkview to consume large amounts of memory.
Component: TMOS
Symptoms:
Large compressed files can cause qkview to consume large amounts of memory.
Conditions:
Less than 10% of system memory available or less than 96 KB of memory available. Large compressed files in qkview.
Impact:
Memory usage might be greater than 350200 kilobytes, which is the critical memory level. Might force other processes into swap. This can negatively impact performance.
Workaround:
None.
552444-3 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
Component: Access Policy Manager
Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable, and the session variable is received from LDAP/AD.
Conditions:
Drive mapping is received from LDAP/AD and contains double slash in the path, e.g. "\\server\path"
Impact:
Dynamic drive mapping may not function.
Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive mapping, assign a variable and collapse the extra backslashes added by APM:
homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]
551572 : Status LED blinking Amber on BIG-IP 10000-series appliance
Component: TMOS
Symptoms:
The LCD display may stop updating and the Status LED may begin blinking Amber on BIG-IP 10000-series appliances.
Conditions:
The Status LED will blink Amber if the LED/LCD module does not receive updates from the BIG-IP host for 3 minutes or longer. This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus become stalled.
Impact:
When this condition occurs, the front-panel LCD display will not display the current BIG-IP host status, and the Status LED will blink Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.
Workaround:
This condition can be cleared by pressing one of the buttons on the LCD display to navigate the LCD menus. The button-press event generates USB traffic which will trigger recovery from the USB stalled transfer condition.
550739-3 : TMSH mv virtual command will cause iRules on the virtual to be dis-associated
Component: TMOS
Symptoms:
After renaming a virtual server that has attached iRules, the resulting virtual server configuration in tmm no longer has the iRules attached. The configuration in mcpd does not match the running configuration in tmm.
Conditions:
Must use the 'mv' command on an ltm virtual with iRules.
Impact:
Configuration is not as expected.
Workaround:
After moving the virtual, remove the iRules on it and re-add them.
550547-1 : URL including a "token" query parameter fails and results in a connection reset
Component: Access Policy Manager
Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup]
It does not matter whether NTLM or Basic authentication is used.
This is triggered on sites that have "token" in the query parameters.
Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Workaround:
Workaround iRule:
when HTTP_REQUEST {
    # Temporarily rename the "token" query parameter so the per-request policy
    # does not mistake it for its own access token.
    if { [HTTP::query] contains "token" } {
        set fix 1
        HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}
when HTTP_REQUEST_SEND {
    # Restore the original parameter name before the request leaves for the server.
    if { [info exists fix] && $fix equals 1 } {
        clientside {
            HTTP::query [string map "aabbcc token" [HTTP::query]]
            unset fix
        }
    }
}
549927-1 : iRule validation does not check RULE_INIT/virtual are disallowed in proc calling
Component: Local Traffic Manager
Symptoms:
iRule validation does not check RULE_INIT/virtual are disallowed in proc calling
Conditions:
Under RULE_INIT event call a proc which has virtual command.
Impact:
Validation passes when it should fail.
Workaround:
Do not call virtual command inside proc.
547692-4 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Component: Access Policy Manager
Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, BIG-IP is not able to set the machine account password for the created machine account. However, there is also a bug on BIG-IP, which fails to report this failure back to the administrator.
Because the machine account itself is successfully created on the Active Directory side (without the correct password), and BIG-IP does not report the KPASSWD failure, the domain join operation appears to have worked perfectly.
However, since the password is never set on the Active Directory side, the machine account is effectively unusable: BIG-IP can never establish a working SCHANNEL with the Active Directory server because of the password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, because the machine account password cannot be set by the administrator directly, this situation obscures the fact that KPASSWD was failing: the AD server never receives the request and therefore never logs any failure, while BIG-IP fails to detect the KPASSWD failure, so from the administrator's point of view the domain join appears to have worked perfectly.
Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.
Impact:
The created machine account is effectively unusable due to the password mismatch, and BIG-IP is never able to establish a working SCHANNEL, so the NTLM authentication feature does not work.
Workaround:
Allow KPASSWD to reach ActiveDirectory server
546213 : Performance degradation when mapping a custom TACDB with large number of entries
Component: Performance
Symptoms:
When mapping a custom TACDB with a large number of entries (this was seen on a database containing more than 300K entries), a small performance degradation of throughput is seen for about 10 seconds.
Conditions:
Mapping a large custom TACDB.
Impact:
Throughput performance is impacted.
Workaround:
None.
544906-3 : Issues when using remote authentication when users have different partition access on different devices
Component: TMOS
Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.
For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].
Conditions:
Devices configured for remote authentication.
User A on device 1 with role on all-partitions.
User A on device 2 with role restricted to a single partition.
Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.
Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.
Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.
543208-2 : Upgrading v11.6.0 to v12.0.0 in a failover group might cause mcpd to become unresponsive.
Component: TMOS
Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:
01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..
Conditions:
-- The systems in the trust are running a pre-12.0.0 version of TMOS.
-- Only a subset of the systems in a device group have been upgraded to 12.0.0 or later.
-- A failover event occurs on traffic-group-1.
Impact:
mcpd may become unresponsive. Upgrade fails.
Workaround:
None.
542104 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
Component: Local Traffic Manager
Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
TCP monitors may fail because the server fails to respond to the initial TCP SYN.
TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.
Conditions:
A server with tcp_tw_recycle enabled.
A multi-blade BIG-IP chassis.
Impact:
Monitor failures or traffic disruption.
Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.
Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.
541842 : Sync-only device groups cannot be applied to iApp-generated configs
Component: TMOS
Symptoms:
Sync-only device groups cannot be applied to the /Common folder or any folder containing ties to /Common. iApps make reference to objects in /Common, often including the iApp template itself (e.g., /Common/f5.http). There is no issue with failover device-groups.
Conditions:
When sync-only device groups and iApps are used together.
Impact:
Sync cannot be set up.
Workaround:
Copy and reconfigure the iApp template to load in a folder other than /Common. If the iApp is tied to a CLI script, the script and all references to the script must also be moved to a non-Common folder.
541320-8 : Sync of tunnels might cause restore of deleted tunnels.
Component: TMOS
Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.
Conditions:
Viewing tunnels after a full load sync.
Impact:
This might result in a deleted tunnel being restored to the configuration.
Workaround:
None.
535717 : Password history is not enforced when root, Administrator, or User Manager changes another user's password
Component: TMOS
Symptoms:
When logged in as root, or as a user with Administrator or User Manager role, an attempt to change a user's password will succeed, even if the new password is in password history. (An ordinary user changing their own password will be prevented from making this change.)
Conditions:
password-memory field of auth password-policy set to nonzero value
Impact:
Privileged users might circumvent the password history restriction.
Workaround:
To mitigate this, you should only permit management access to BIG-IP systems over a secure network, and limit shell access to trusted users.
530466 : MultiConnect is incompatible with CORS policy
Component: WebAccelerator
Symptoms:
The issue happens when MultiConnect is enabled and a resource is reloaded by a user request. If the browser has CORS policy enforcement applied to the resource, the subsequent requests for the resource are forwarded to a subdomain and a CORS "Origin" header is inserted into the request. In response, the browser expects an "Access-Control-Allow-Origin" header with a value allowing the subdomain used as the host in the request.
AAM does not recognize the header and either ignores it or passes it to the OWS, which does not expect it.
Conditions:
An AAM policy with the MultiConnect option is configured and attached to a virtual server. The page uses resources for which a CORS policy is enforced in the client browser, for example, a font file referenced from CSS.
Impact:
The resource fails to load, which may result in incorrect rendering of the page.
Workaround:
1) Disable MultiConnect.
2) Create an iRule to properly process Origin header.
530138 : Crit tmm error messages due to race condition that occurs during RebootHost on 10000, 10050, 10055, 10200F, 10350N, 12050, and 12250 platforms.
Component: TMOS
Symptoms:
When the IOMMU is enabled, the system may report crit tmm error messages due to a race condition that might occur during start-up. Error messages appear in /var/log/ltm, similar to the following:
crit tmm[14967]: 01010025:2: Device error: hsb interface 0 coalesce timed out.
crit tmm[14967]: 01010025:2: Device error: hsb interface pde 0 access failed.
crit tmm[14967]: 01230017:2: Unable to attach to PCI device 03:00.01 for Interface 0.1.
...
crit tmm[14967]: 01010260:2: Hardware Error(Co-Processor): n3-crypto1 request queue stuck.
Conditions:
This may occur on startup as a result of a race condition between chmand and tmm with IOMMU enabled.
Impact:
System remains INOPERATIVE and reports crit tmm error messages.
Note: Although IOMMU is disabled by default, you can enable it using the BIOS utility, and newer platforms might enable it by default.
Workaround:
To recover from the INOPERATIVE state, disable IOMMU with the following command and restart the BIG-IP system:
tmsh modify sys db kernel.iommu value disable
528314 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh
Component: TMOS
Symptoms:
Using the CLI to generate new default certificate and key pairs for BIG-IP SSL profiles is not reflected in the GUI or in tmsh.
Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.
Impact:
After the renewal, the 'tmsh list sys file ssl-cert default.crt' command, or the general properties in the GUI SSL Cert List, still shows the old certificate. This is a cosmetic issue only. The system uses the new default.
Workaround:
Perform a force reload of mcpd by running the following commands:
touch /service/mcpd/forceload
tmsh restart sys service mcpd
527119-5 : Iframe document body could be null after iframe creation in rewritten document.
Component: Access Policy Manager
Symptoms:
End users report being unable to use certain page elements in Chrome (such as the Portal Access menu), and it appears that JavaScript has not properly initialized.
Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
iframe.contentDocument.write(html);
iframe.contentDocument.close();
<any operation with iframe.contentDocument.body>
One application known to contain such code and fail after APM rewriting is the TinyMCE editor.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
525555 : TMM could miss heart beats when opening IP Reputation database file resulting in SIGABRT by sod
Component: Access Policy Manager
Symptoms:
The IP Reputation database file is not loaded during initialization. It is loaded the first time it is needed. Sometimes the 'open' call on the database file and/or the subsequent 'mmap' call could take a very long time resulting in missed heartbeats from the tmm to sod.
Conditions:
Multiple open calls for IP Reputation database file.
Impact:
Results in sod sending SIGABRT to tmm.
Workaround:
None.
523985-1 : Certificate bundle summary information does not propagate to device group peers
Component: TMOS
Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.
Conditions:
A certificate file is created in a folder synced to a device group.
Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.
Workaround:
None.
523797-1 : Upgrade: file path failure for process name attribute in snmp.★
Component: TMOS
Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.
Conditions:
Upgrade from 10.x to 11.5.1 or later.
Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.
Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.
519612-2 : JavaScript challenge fails when coming within iframe with different domain than main page
Component: Advanced Firewall Manager
Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.
Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
c. Device-ID (fingerprint)
d. Web Scraping Bot Detection Challenge
e. Proactive Bot Defense (with/without "Block Suspicious Browsers")
Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.
Workaround:
It is possible to work around the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and a DoS profile was not previously used.
The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.
1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        # Extract the host part of the Referer header; when it differs from the
        # requested host, the request comes from a cross-domain iframe, so the
        # client-side challenge is not run here (it runs on the main page instead).
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/" } {
        BOTDEFENSE::cs_allowed true
    }
}
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.
517829 : BIG-IP system resets client without sending error report when certificate is revoked
Component: TMOS
Symptoms:
When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts.
Conditions:
BIG-IP system configured for OCSP authentication.
Impact:
Client connections are reset without sending SSL error alerts.
Workaround:
Use the following iRule for the OCSP authentication profile instead of the system-supplied iRule:
when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] == 0} {
        return
    }
    # Remember the negotiated protocol version; it is needed to build the alert record below.
    set ssl_version [SSL::cipher version]
    set tmm_auth_ssl_ocsp_done 0
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}
when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}
when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        array set tmm_auth_response_data [AUTH::response_data]
        if {$tmm_auth_status == 0} {
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        } elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} {
            # Hand-build a fatal TLS alert record (content type 0x15, level 2,
            # description 0x2C = certificate_revoked) for the negotiated version,
            # so the client is told why the connection is being closed.
            if { $ssl_version equals "TLSv1.2" } {
                set hex_version "0303"
            } elseif { $ssl_version equals "TLSv1.1" } {
                set hex_version "0302"
            } elseif { $ssl_version equals "TLSv1.0" } {
                set hex_version "0301"
            } else {
                reject
                return
            }
            set hex_response "15${hex_version}0002022C"
            set bin_response [binary format H* $hex_response]
            TCP::respond "$bin_response"
            TCP::close
        } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} {
            reject
        }
    }
}
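The hex string the iRule hands to TCP::respond is a hand-built TLS alert record. As an added example (not from the release note or from F5), this Python builds that record for each version the iRule maps and decodes it back, which is what a client-side capture of the closing connection would show:

```python
"""Build and decode the 7-byte TLS alert record sent by the OCSP workaround iRule."""
import struct

# TLS record-layer constants (RFC 5246, section 7.2): these are the bytes that the
# iRule's "15${hex_version}0002022C" string spells out.
CONTENT_TYPE_ALERT = 0x15          # ContentType alert(21)
ALERT_LENGTH = 2                   # an Alert body is exactly two bytes: level, description
ALERT_LEVEL_FATAL = 2
ALERT_CERTIFICATE_REVOKED = 0x2C   # AlertDescription certificate_revoked(44)

# Record-layer version bytes for each value [SSL::cipher version] can return in the iRule.
TLS_VERSIONS = {"TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}


def build_alert(ssl_version: str,
                level: int = ALERT_LEVEL_FATAL,
                description: int = ALERT_CERTIFICATE_REVOKED) -> bytes:
    """Return the TLS alert record the iRule writes with TCP::respond.

    Raises KeyError for a protocol version the iRule does not map, which is the
    case its "else { reject }" branch handles.
    """
    major, minor = TLS_VERSIONS[ssl_version]
    return struct.pack("!BBBHBB", CONTENT_TYPE_ALERT, major, minor,
                       ALERT_LENGTH, level, description)


def parse_alert(record: bytes) -> dict:
    """Decode a single TLS alert record into version, level and description names."""
    if len(record) != 5 + ALERT_LENGTH:
        raise ValueError(f"expected {5 + ALERT_LENGTH} bytes, got {len(record)}")
    ctype, major, minor, length, level, desc = struct.unpack("!BBBHBB", record)
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record: content type {ctype}")
    if length != ALERT_LENGTH:
        raise ValueError(f"bad alert length {length}")
    return {
        "version": VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})"),
        "level": ALERT_LEVELS.get(level, level),
        "description": ALERT_DESCRIPTIONS.get(desc, desc),
    }


if __name__ == "__main__":
    for version in TLS_VERSIONS:
        rec = build_alert(version)
        print(version, rec.hex(), parse_alert(rec))
```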
517756-5 : Existing connections can choose incorrect route when crossing non-strict route-domains
Component: Local Traffic Manager
Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.
Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.
Impact:
This might lead to traffic following a different path to the destination, and to traffic interruption. New connections will work properly; this only affects existing connections.
Workaround:
None.
517609-4 : GTM Monitor Needs Special Escape Character Treatment
Component: Global Traffic Manager (DNS)
Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.
Conditions:
Any running GTM monitor.
Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.
Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.
516280-3 : bigd process uses a large percentage of CPU
Component: Local Traffic Manager
Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.
Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.
Impact:
bigd process uses a large percentage of CPU.
Workaround:
None.
505037 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
Component: Local Traffic Manager
Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.
Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.
Impact:
Secondary in a restart loop.
Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.
499348-4 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This can occur when the system is spawning/reaping processes on a frequent basis (e.g., a large number of external monitors).
This can also occur if iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server, as this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis.
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue can be mitigated by reducing the frequency of changes in the statistics data structures, which depends on what is triggering them. For instance, reducing the frequency of configuration changes, or the use of 'SSL::profile' in iRules (if those are the trigger), or reducing the number/frequency of processes being spawned by the system (if that is the trigger).
Alternately, an administrator can switch statistics roll-up to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. This can be done by setting the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
495460 : Use different application ID after user application is deleted
Component: Traffic Classification Engine
Symptoms:
When a user creates a custom application and then deletes it, they cannot create another application with the previously used ID, even though the old application no longer exists.
Conditions:
Delete a user application, then create a new one with the same ID.
Impact:
Error in tmm log. Cannot create the application.
Workaround:
Use different ID when creating new applications.
486735 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of the per-TMM maximum connections, not the maximum connections of the virtual server as a whole.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
469366-4 : ConfigSync might fail with modified system-supplied profiles
Component: TMOS
Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.
Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.
Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'
Workaround:
One of the following:
1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.
469035-1 : A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault
Component: TMOS
Symptoms:
If the configuration includes encrypted items (for example, an LDAP bind password) that are empty strings, a SecureVault rekey operation fails.
Conditions:
Empty string as an encrypted configuration item. This might occur when using the tmsh command 'modify /sys crypto master-key', or during the introduction of a device into a Trust Domain.
Impact:
The rekey operation fails, and the system posts an error similar to the following: 01071029:5: master_decrypt failed during rekey. This might result in a ConfigSync failure.
Workaround:
Do not use empty strings as passwords. Alternately, remove the problematic configuration object (which may require changing system authentication to a different source), perform the rekey operation, and then recreate the configuration.
465901 : Large number of inlined URLs may cause a connection reset
Component: WebAccelerator
Symptoms:
Using AAM to inline a large number of JavaScripts in HTML code might result in resetting a connection and not serving the requested page to the client.
Conditions:
Provision AAM and have a policy with inlining enabled for a large number of configured JavaScripts used in a single HTML page. Send a request to this page.
Impact:
When conditions are met there is a chance that the connection will be reset and the content won't be served to the client.
Workaround:
Reducing the number of inlining-enabled JavaScripts might result in properly serving the page.
465854 : Page rendering is incorrect when both CSS inline and JavaScript reordering are enabled
Component: WebAccelerator
Symptoms:
When both CSS inline and JavaScript reordering are enabled, page rendering might be incorrect due to missing 'src' attribute in a script tag.
Conditions:
Have AAM provisioned and a policy with both CSS inline and JavaScript reordering enabled and attached to a virtual server. Have a page with both CSS and JavaScript resources associated requested via the virtual server.
Impact:
Web pages do not render correctly.
Workaround:
Disable either of the optimizations.
464437 : Quickly repeated external datagroup loads might cause TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM crashes while loading an external datagroup that has already been loaded.
Conditions:
External datagroup is already loaded, and is then re-loaded.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
To avoid this issue, wait a few seconds between load and reload the same external data group.
462034 : Change ip-address to ip-address-list in iControl REST because multiple IPs are supported in 11.6
Component: Policy Enforcement Manager
Symptoms:
Starting with the 11.6.0 release, multiple IP addresses are supported for PEM subscribers. The previous iControl REST functionality used ip-address to expose the address; this has changed to ip-address-list. As a result, the tm.pem.Subscriber ipAddress property is no longer supported in TMSH, which breaks iControl REST compatibility for scripts that still use it.
Conditions:
Using ip-address in iControl REST commands for pem subscribers.
Impact:
Scripts that configure pem subscriber ip-address will not work in 11.6.0 and later.
Workaround:
Change ip-address to ip-address-list.
454640-1 : mcpd instances on secondary blades might restart on boot
Component: Local Traffic Manager
Symptoms:
Secondary blades' mcpd instances might restart on boot.
Conditions:
This might occur intermittently on VIPRION bladed systems or VCMP guests. This might be the result of a race condition that occurs when /config is synced between the blades and when the mcpd process starts.
Impact:
The mcpd process restarts on secondary blades. The process eventually returns to normal, and the system finishes booting. The system posts messages similar to the following: 01071038:5: Secondaries couldn't load master key from the database. 01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present.
Workaround:
This issue has no workaround at this time.
449158 : Using an iRule nexthop to "vlan:mac address" does not forward the packet
Component: Local Traffic Manager
Symptoms:
iRule: nexthop to 'vlan:mac address' does not forward the packet.
Conditions:
HTTP request to a port 80 virtual server with a default pool and an iRule that specifies nexthop to a MAC address on the internal VLAN.
Impact:
Packet forwarding does not occur.
Workaround:
None.
441529 : Lifetime heuristic behavior changes between 10.x and 11.x
Component: WebAccelerator
Symptoms:
In version 10.x, the lifetime heuristic runs on auto-pilot: PVAC calculates a heuristic cache lifetime when 1) there are no OWS Cache-Control values, or 2) all honored OWS Cache-Control directives are absent. In v11.x, WebAccelerator (WA)/Application Acceleration Manager (AAM) use the heuristic cache lifetime in those two cases only when no WebAccelerator Cache Settings Maximum Age is configured.
Conditions:
This is observable when using WA/AAM and comparing lifetime heuristic behavior in versions 10.x and 11.x.
Impact:
The behavior differs.
Workaround:
None.
440431-12 : Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
Component: Local Traffic Manager
Symptoms:
Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
Conditions:
This issue occurs when the following condition is met:
A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command.
The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.
Impact:
The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank.
Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.
434517-18 : HTTP::retry doesn't work in an early server response
Component: Local Traffic Manager
Symptoms:
If an HTTP_RESPONSE event fires because the server sent an early response (i.e. a response before the entire request has been sent), HTTP::retry does not work correctly.
Conditions:
The client begins sending a request. The server responds before that request is completely sent. HTTP::retry is called in the HTTP_RESPONSE event.
Impact:
Typically, early server responses are error conditions.
Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.
431480 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
Component: Local Traffic Manager
Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.
Conditions:
The exact conditions that result in this error are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time, but the system recovers without any user action.
429213 : Some monitor types assigned to the same node IP:port in different Route Domains may collide and mark the object down.
Component: Local Traffic Manager
Symptoms:
A race condition may occur in which a monitor instance is killed abruptly if another copy of the same monitor attempts to check health of the same node IP:port in a different route domain. The killed monitor will then contribute to a monitoring timeout and potentially mark the node as down.
This issue occurs because the PID file created to prevent duplicate monitoring of the same pool member is not sufficiently unique to distinguish between route domains. For example, SIP monitor named "sip_london" applied to pool members 1.2.3.4%100 and 1.2.3.4%200 would share the same PID file:
/var/run/SIP__Common_sip_london.::ffff:1.2.3.40..5060.pid
Conditions:
For health monitor types which execute outside of the bigd process (see list below), a health monitor profile is assigned to monitor 2 different nodes which have the same IP:port in different route domains.
The affected monitor types include:
Diameter
IMAP
LDAP
NNTP
POP3
Radius
Radius Accounting
RPC
Scripted
SIP
SMB
SMTP
WAP
Impact:
Pool members may flap down/up.
Workaround:
To work around this, perform the following steps:
1. Create a duplicate copy of the monitor profile, and add the route domain to the name of the monitor profile. For example:
ltm monitor radius /Common/radius_seattle_rd43 {
defaults-from /Common/radius_seattle
}
2. For nodes or pool members in that route domain, replace the old monitor profile with the new duplicate monitor profile.
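The following script is an added example, not F5 code: it audits a list of pool members for the collision described above (an affected monitor type checking the same IP:port in more than one route domain) and emits the tmsh commands for the two workaround steps. The pool and monitor names in the sample are hypothetical, and the input tuples are constructed as they would be read from 'tmsh list ltm pool' output. The original monitor is kept for the lowest route domain and a defaults-from copy is created for each other one; members are re-pointed at the copy at member level, so adjust if your monitors are assigned at pool or node level.

```python
"""Audit for the route-domain monitor collision described in ID 429213.

Added example, not F5 code. Input is a constructed list of
(pool, member address, monitor name, monitor type) tuples as they would be
read from 'tmsh list ltm pool' output; pool and monitor names are hypothetical.
"""
import re
from collections import defaultdict

# Monitor types the release note lists as running outside bigd (affected).
AFFECTED_TYPES = {
    "diameter", "imap", "ldap", "nntp", "pop3", "radius", "radius-accounting",
    "rpc", "scripted", "sip", "smb", "smtp", "wap",
}

# IPv4 member address in tmsh form: ip[%route-domain]:port
MEMBER_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:%(?P<rd>\d+))?:(?P<port>\d+)$")


def parse_member(addr):
    """Split '1.2.3.4%100:5060' into ('1.2.3.4', 100, 5060); route domain defaults to 0."""
    m = MEMBER_RE.match(addr)
    if not m:
        raise ValueError(f"unrecognised member address: {addr}")
    return m.group("ip"), int(m.group("rd") or 0), int(m.group("port"))


def find_collisions(members):
    """Map (monitor, type, ip, port) -> sorted route domains for every affected
    monitor that checks the same ip:port in more than one route domain."""
    rds = defaultdict(set)
    for _pool, addr, mon_name, mon_type in members:
        if mon_type not in AFFECTED_TYPES:
            continue  # bigd-internal monitors do not share the PID file
        ip, rd, port = parse_member(addr)
        rds[(mon_name, mon_type, ip, port)].add(rd)
    return {key: sorted(v) for key, v in rds.items() if len(v) > 1}


def remediation(members):
    """tmsh commands for the workaround: keep the original monitor for the lowest
    route domain, create a defaults-from copy named <monitor>_rd<N> for each other
    route domain, and re-point those members at the copy."""
    creates, modifies = [], []
    for (mon_name, mon_type, ip, port), rds in sorted(find_collisions(members).items()):
        for rd in rds[1:]:
            new_name = f"{mon_name}_rd{rd}"
            creates.append(
                f"create ltm monitor {mon_type} {new_name} defaults-from {mon_name}")
            for pool, addr, m_name, _ in members:
                if m_name == mon_name and parse_member(addr) == (ip, rd, port):
                    modifies.append(
                        f"modify ltm pool {pool} members modify "
                        f"{{ {addr} {{ monitor {new_name} }} }}")
    return creates + modifies


# Constructed sample: the same IP:port behind two route domains, plus a control
# case (http runs inside bigd and is not affected).
SAMPLE = [
    ("/Common/sip_pool_rd100", "1.2.3.4%100:5060", "/Common/sip_london", "sip"),
    ("/Common/sip_pool_rd200", "1.2.3.4%200:5060", "/Common/sip_london", "sip"),
    ("/Common/radius_pool", "10.0.0.1:1812", "/Common/radius_seattle", "radius"),
    ("/Common/radius_pool_rd43", "10.0.0.1%43:1812", "/Common/radius_seattle", "radius"),
    ("/Common/web_rd100", "1.2.3.4%100:80", "/Common/http", "http"),
    ("/Common/web_rd200", "1.2.3.4%200:80", "/Common/http", "http"),
]

if __name__ == "__main__":
    for key, rds in find_collisions(SAMPLE).items():
        print("collision:", key, "route domains", rds)
    print("\n".join(remediation(SAMPLE)))
```

Run it against your own member list and feed the printed commands to tmsh (followed by 'save sys config'); only members in the renamed route domains change monitor, so the flapping stops without touching the other route domain.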
429013 : Log file permissions lock down
Component: TMOS
Symptoms:
Log file permissions for one specific log file were incorrectly set. This has been fixed to address an issue with the CCE-26812-8, CCE-26821-9 and CCE-27190-8 syslog-ng configuration/permissions checks.
Conditions:
Only Administrators can have advanced shell access, so they are the only users able to read the log files. The fix sets this file's permissions to match the rest of the log files.
Impact:
Very little impact.
Workaround:
none
424228 : Parking iRules in CLIENT_DATA on virtual without assigned pool may not return
Component: Local Traffic Manager
Symptoms:
If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped.
Conditions:
A virtual server is created and an iRule is assigned that parks, and the virtual server has no assigned default pool.
Impact:
Packets are dropped.
Workaround:
Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool.
422516-1 : Notification for required reboot when Credential Management Service is changed.
Component: Access Policy Manager
Symptoms:
The credential manager doesn't work without a reboot so the user is required to enter credentials again while logging in on APM.
Conditions:
Credential manager is updated.
Impact:
End users need to re-enter credentials
Workaround:
None.
420957 : Content cached compressed and uncompressed may invalidate separately
Component: WebAccelerator
Symptoms:
When static content is cached both compressed and uncompressed, they may not invalidate simultaneously.
Conditions:
This occurs when there is a mix of compressed and uncompressed requests for static content, combined with triggered or ESI invalidations of that content.
Impact:
This may result in their cache ages being different. This might result in extra revalidations after invalidations and unexpected cache lifetimes.
Workaround:
None.
420954 : invalidation may be delayed when compressed and uncompressed requests are present
Component: WebAccelerator
Symptoms:
invalidation may be delayed when compressed and uncompressed requests are present.
Conditions:
If content is cached only uncompressed before it is invalidated and after invalidation is requested only compressed, the invalidation may be delayed by several requests.
Impact:
Old content may be served several extra times.
Workaround:
Repeatedly request the contents until the invalidation happens.
419741-4 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
Component: Local Traffic Manager
Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.
Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.
Impact:
In rare situations, the TMM crashes.
Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
419345-1 : Changing Master Key on the standby might cause secondaries to restart processes
Component: TMOS
Symptoms:
Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes.
Conditions:
This occurs when you modify the master key on standby chassis.
Impact:
Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log.
Workaround:
Run the command bigstart restart on secondaries to return system functionality. In general, you should change master keys on the primary in the cluster.
410879 : WAM/AAM does not inline content that is not already cached or served from OWS with status 200 OK.
Component: WebAccelerator
Symptoms:
When configured to inline content, WAM/AAM does not inline content that is not already cached or served from OWS with status 200 OK.
Conditions:
When configured to inline content.
Impact:
WAM/AAM does not inline content.
Workaround:
None.
408093 : Cache::Header content-length Returns Zero when Response Status is 304
Component: Local Traffic Manager
Symptoms:
The Cache::Header content-length returns zero.
Conditions:
A 304 response.
Impact:
Inside an iRule, CACHE::header content-length is null on 304 responses, and CACHE::header exists content-length will be False.
Workaround:
The Content-Length header may not be present at all in a 304 response, and adding a non-zero Content-Length header to a 304 response is inappropriate.
Optionally, the X-Cntnt-Length header value can be used, if you want to get the length of the cached document from a 304 response.
In short, the CACHE::header commands give access to the response headers, not the cached headers.
401471 : Parameter Value Substitution in Assembly cannot handle '&' in a link within an HTML doc.
Component: WebAccelerator
Symptoms:
The Assembly parameter substitution option Query Parameter target does not recognize escaped XML entities. If the URL to be substituted has multiple query parameters, the parameters that follow an escaped '&' may not work as expected. For example, if the URL to be substituted has a pattern of field1=x&field2=y, substitution works for both fields. However, if the URL is field1=x&amp;field2=y, substitution works for the 'field1' parameter, but does not work for the 'field2' parameter.
Conditions:
Using '&' in a link within an HTML doc.
Impact:
Parameter Value Substitution does not work.
Workaround:
To work around this, include the escape sequence as part of the Query Parameter Name. In the example, a Query Parameter of 'field1=x&&field2' yields the expected substitution.
399622 : mcpd and datastor volumes on blades
Component: TMOS
Symptoms:
Mcpd validation will fail and cause daemons to restart if the datastor volume sizes on a cluster are not the same on all blades and the sum of the used web-acceleration profile cache sizes is higher than the datastor volume size on a secondary blade.
Conditions:
All of the following conditions must be met to cause this problem:
1) chassis with blades having different size hard drives (mixed blade types on a chassis)
2) AAM provisioned
3) having web-acceleration profiles configured with applications attached and large cache size values
4) virtual servers with web-acceleration profiles from above
5) sum of the different web-acceleration profiles' cache size values from above is greater than the datastor (AAM) volume on any secondary blade
Impact:
Mcpd and other daemons go into a restart loop on secondary blades, and managing the chassis becomes difficult.
Workaround:
Make sure the sum of the web-acceleration profile cache size values is smaller than the smallest datastor volume. Ideally, don't configure the profiles for the maximum cache size possible.
396167 : GETs for an unsatisfiable range on a compressed document results in full bypass on expiration.
Component: WebAccelerator
Symptoms:
If you cache a compressed document normally, and then switch to asking for a range beyond the end of the document, you get a 416 Requested Range Not Satisfiable response from WAM, but only while the cached content has a positive lifetime. As soon as the document expires and needs re-validation with the OWS, the response from WAM is a complete bypass, with no WAM related headers at all, resulting in partial content reflecting the full uncompressed content-range.
Conditions:
Cache a compressed document normally, and then switch to requesting a range beyond the end of the document.
Impact:
A 416 Requested Range Not Satisfiable response while the cached content is fresh; after the content expires, a full bypass of WAM with no WAM-related headers.
Workaround:
None.
387457 : Geolocation information cannot be modified in New Session log entry
Component: Access Policy Manager
Symptoms:
The user is attempting to overwrite the output of geo-location database before the new session log entry is created.
Conditions:
This is an enhancement, where a user is attempting to change values of geo-location information in the log entry. The overwriting of the values is being attempted so as to further assist in reporting.
Impact:
The geo-location information values in the log entry cannot be changed.
Workaround:
The geo-location information (ST/CC/C) are available through session variables. In access policy these session variables can be overwritten using 'variable assignment agent' and a new log entry can be created using 'log agent'. The reporting tool can make use of this 'new' log entry and parse/use the overwritten geo-location information.
384993 : A FastL4 virtual server does not always return from suspending commands.
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server does not always return from suspending commands.
Conditions:
This occurs when using a suspending iRule command in CLIENT_DATA in FastL4.
Impact:
If an 'after' command is executed, it does not return until the connection times out. This is most noticeable in a DNS configuration.
Workaround:
Do not include parking commands in CLIENT_DATA in FastL4.
382976 : Erroneously enabling image optimization on policy nodes matching HTML or CSS content causes that content to become uncacheable, and the system posts S10206 codes.
Component: WebAccelerator
Symptoms:
Erroneously enabling image optimization on policy nodes matching HTML or CSS content causes that content to become uncacheable, and the system posts S10206 codes.
Conditions:
This occurs when enabling image optimization on nodes that match content that can be parsed (for example, HTML or CSS content).
Impact:
Content is not cached and responses return S10206 codes.
Workaround:
None.
381258-7 : 'with' statement in web applications works wrong in some cases
Component: Access Policy Manager
Symptoms:
Web-application misbehavior (exception, wrong rendering, and so on).
Conditions:
If the JavaScript operator 'with' is used in web-application code and, after rewriting, 'F5_ScopeChain' is found within the 'with' statement in these contexts:
...F5_Inflate_xxxxx(F5_ScopeChain,...
...F5_Deflate_xxxxx(F5_ScopeChain,...
...F5_Invoke_xxxxx(F5_ScopeChain,...
then this issue may occur.
Impact:
Web-application functionality.
Workaround:
As a workaround, an iRule can be used for changing an 'interesting' variable name within the function's body. No general iRule exists. For each case, a custom iRule must be created as workaround.
378967-12 : Users are not synchronized if created in a partition
Component: TMOS
Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.
Conditions:
There are users whose active partitions are attached to a sync-only device group.
Impact:
This affects sync-only device groups only, not the failover device group.
Workaround:
None.
375477 : Four new settings 'IBR-to', 'IBR-within', 'MC-to', and 'MC-within' are added to replace 'IBR' and 'MC' settings at WAM policy assembly page.
Component: WebAccelerator
Symptoms:
Beginning with version 11.2.0, WAM parses CSS files and applies IBR/MC to links inside them. Four new settings 'IBR-to', 'IBR-within', 'MC-to', and 'MC-within' are added to replace the 'IBR' and 'MC' settings on the WAM policy assembly page.
Conditions:
Beginning with version 11.2.0.
Impact:
For custom policies that have 'IBR' and 'MC' enabled, 'IBR-to', 'IBR-within', 'MC-to', and 'MC-within' will be enabled too after migration to this release. In other words, WAM will IBR/MC CSS files for these policies.
Workaround:
If you prefer not to use this feature, you must disable the settings on corresponding policy nodes.
375434 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
Component: TMOS
Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.
Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.
Impact:
The HSB is non-functional and requires reinitialization. Reinitialization occurs when the BIG-IP system reboots, which is triggered automatically when this condition occurs.
Workaround:
None.
369961 : The space character in a path prefix is not evaluated correctly.
Component: WebAccelerator
Symptoms:
The space character in a path prefix is not evaluated correctly.
Conditions:
This occurs when there is a space character in a path prefix.
Impact:
The system does not evaluate the path prefix correctly.
Workaround:
To work around this, use the regular expression in a path segment match.
367226-3 : Outgoing RIP advertisements may have incorrect source port
Component: Local Traffic Manager
Symptoms:
TMM may change the source port of RIP packets sent by ripd to something other than 520. Neighbor routers will not accept these packets, and RIP routing will not work.
If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.
Conditions:
Multiple TMM instances, RIP routing configured.
Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.
366193 : Very Long URIs May Cause Delays
Component: Local Traffic Manager
Symptoms:
Very long URI strings may cause delays in processing.
Conditions:
When a URI exceeds an average size, the system may slow down as it attempts to handle an excessively long string.
Impact:
Some processing delays.
Workaround:
This can be mitigated in application design, but there is no solution for existing applications that use excessively long URIs.
364588 : Run show cmd from /Common to display pool in another partition
Component: Local Traffic Manager
Symptoms:
Running the show cmd from /Common to display pool in another partition does not show all of the information.
Conditions:
This occurs when you run the show command from /Common partition to display the details of a pool in another partition.
Impact:
The monitor instance line is missing.
Workaround:
To work around this, navigate to the partition first. Then the show command presents the expected results.
362275 : Error Message when Web Acceleration Profile is attached without an Application
Component: WebAccelerator
Symptoms:
Setting the Web Acceleration Profile to optimized-acceleration for a virtual server without enabling a WebAccelerator Application will result in an error message similar to the following:
cache memory assigned to Web Acceleration profiles (6144 MB) exceeds the maximum amount (697 MB) defined by Ramcache.MaxMemoryPercent (50) The optimized-acceleration profile is designed for use with the WebAccelerator module.
Conditions:
Web Acceleration Profile to optimized-acceleration for a virtual server without enabling a WebAccelerator Application.
Impact:
Error message. Possible unexpected functionality.
Workaround:
If you are not using the WebAccelerator module with your virtual server and wish to use standard cache, you should use the optimized-caching profile, or create a customized webacceleration profile that uses either the optimized-caching profile or basic webacceleration profile as the parent.
359491 : global-settings hostname change is not synced to peer when set locally using tmsh
Component: TMOS
Symptoms:
When a system's hostname is set by the user via the tmsh command 'modify sys global-settings hostname new-hostname.example.com', only the local copy of the self device is updated. Remote copies of the hostname are not updated accordingly. Thus, running the command 'list cm device name-of-device hostname' would show the hostname 'new-hostname.example.com' on the local machine and 'old-hostname.example.com' on other machines in the trust domain.
Conditions:
Update or set the hostname using tmsh. Login to another host in the trust domain and check the first hostname.
Impact:
Hostname returned for a remote host in a trust domain does not match the host name defined on that host locally if set using tmsh.
Workaround:
The 'cm device hostname' property of devices is cosmetic, so this is harmless. Modifying an object in the trust will cause it to sync. For example, tmsh modify cm device <name> description <description> will trigger a sync and update the hostname.
359062 : Query parameter matching application/x-www-form-urlencoded not functional
Component: WebAccelerator
Symptoms:
This version does not include query parameters in a POST body for any rules: matching, variation, proxy, or invalidation.
Conditions:
Query parameter matching application/x-www-form-urlencoded.
Impact:
Query parameter matching does not work.
Workaround:
None.
352957-2 : Route lookup after change in route table on established flow ignores pool members
Component: Local Traffic Manager
Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.
Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.
Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.
Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.
307037-2 : Dynamic Resources Are Assigned But Not Accessible
Component: Access Policy Manager
Symptoms:
Resources appear assigned in session record but are not accessible by the client.
Conditions:
This issue occurs if the resources are assigned via Variable Assign agent.
Impact:
Resources are unavailable to client.
Workaround:
In the VPE, add a branch with Resource Assign agent that will never reach. With the Resource Assign agent, assign all the resources that are referenced by Variable Assign agent.
291584 : Escaping backslash in external class/datagroup gets duplicated each time saving the class
Component: TMOS
Symptoms:
When backslash is used to escape quote in external data group, the backslash is duplicated when the data group is saved.
Conditions:
Backslash is used to escape quote.
Impact:
More backslash is inserted to the data group and eventually leads to config load error.
Workaround:
Delete the extra backslash.
248914 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
Component: Local Traffic Manager
Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.
Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.
Impact:
This may cause destination lookup failures on the layer 2 network.
Workaround:
Use transparent mode instead of translucent mode on the vlangroup.
227281 : TMM restarts with full-proxy HTTP virtual with ramcache, fallback, and deferred accept
Component: Local Traffic Manager
Symptoms:
When a full-proxy HTTP virtual server configured with ramcache, a fallback host, and deferred accept executes a reject command in a CLIENT_ACCEPTED event, TMM restarts.
Conditions:
This occurs when the virtual server is configured with all of the following elements:
- HTTP profile configured with Cache Setting and a fallback host.
- iRule that uses the CLIENT_ACCEPTED iRule event, along with a reject statement.
- The TCP profile Deferred Accept setting is enabled.
Impact:
If a virtual server that is configured with the previous settings receives a connection that triggers the reject iRule statement, the TMM process may restart and temporarily fail to process traffic.
Workaround:
To work around this, remove the fallback host statement in the HTTP profile that is used by the virtual server.
225492-2 : Ramcache might disallow valid cache configurations that are very near the limit.
Component: Local Traffic Manager
Symptoms:
Ramcache might disallow valid cache configurations that are very near the limit.
Conditions:
Configurations whose aggregate ramcache size exceeds the maximum value calculated by ramcache.
Impact:
The last cache will not be initialized, as it exceeds the max, per ramcache.
Workaround:
None.
222690-1 : The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.
Component: Local Traffic Manager
Symptoms:
The persist none iRule command disables persistence for the current connection. If cookie persistence is enabled for a virtual server referencing an iRule, and the LB::reselect command is called after the persist none iRule command, cookie persistence is not disabled for the connection.
Conditions:
For example, the following configuration illustrates the issue:
pool default_pool {
member 10.10.10.4:80 down session disable
}
pool fail_pool {
member 10.10.10.5:80
}
rule fail_rule {
when LB_FAILED {
persist none
LB::reselect pool fail_pool
}
}
virtual vs {
destination 10.10.10.6:80
ip protocol tcp
profile http tcp
persist cookie
pool default_pool
rule fail_rule
}
Impact:
In the example, the initial load balancing attempt to the default_pool pool will fail, since sessions are disabled for the pool member. The LB_FAILED iRule event will execute, which sets the persistence to none. In addition, the LB::reselect command will load balance the connection to the fail_pool pool. The connection to the pool member 10.10.10.5 will succeed, but the BIG-IP LTM will incorrectly place a persistence cookie in the response to the client.
Workaround:
You may be able to work around this issue by using the HTTP::cookie command in the HTTP_RESPONSE event to remove the BIG-IP cookie from the response before it is sent to the client.
For example, the following revised iRule removes the BIG-IP persistence cookie that would be set in the response when the fail_pool was selected:
rule fail_rule_no_cookie_for_you {
when LB_FAILED {
persist none
LB::reselect pool fail_pool
}
when HTTP_RESPONSE {
HTTP::cookie remove BIGipServerfail_pool
}
}
Note: The HTTP_RESPONSE event is triggered after the BIG-IP LTM has added the persistence cookie to the HTTP headers.
Note: The default persistence cookie name is derived from the name of the pool to which the request was sent. For more information about the BIG-IP persistence cookie, refer to SOL6917: Overview of BIG-IP persistence cookie encoding.
The workaround has the added benefit of preserving any persistence information for the original load balancing pool should it again become available. If you want to completely remove the persistence cookie from the client, you can use the HTTP::cookie command in the HTTP_RESPONSE event to set an expired version of the BIG-IP cookie in the response before it is sent to the client.
222338 : Use of Cache::Disable in iRule
Component: Local Traffic Manager
Symptoms:
Using CACHE::disable in an iRule can cause a 304 response to be returned to a non-conditional GET.
Conditions:
If a cached document has exceeded its lifetime, the BIG-IP system attempts to refresh it by issuing a conditional GET to the OWS.
Impact:
If an HTTP_RESPONSE iRule contains a CACHE::disable statement, the 304 response from the OWS is forwarded to the client. Because the client's request was not conditional, an illegal status code is returned for some requests.
Workaround:
Do not disable the cache on 304 responses.
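The following is an added example, not BIG-IP code, that models the revalidation path this issue describes: a minimal caching proxy refreshes a stale entry with its own conditional GET to the origin web server (OWS) and must then decide what the client, whose request carried no validator, is allowed to see. The two hook functions stand in for an HTTP_RESPONSE iRule that always calls CACHE::disable and for the workaround that leaves the cache enabled on a 304. All class names, headers, ETag values and bodies are constructed for the example.

```python
"""Added example (not F5 code): why an OWS 304 obtained during cache
revalidation must not be relayed to a client that sent an unconditional GET.
Names, headers and bodies are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

Headers = Dict[str, str]


@dataclass
class Response:
    status: int
    headers: Headers = field(default_factory=dict)
    body: bytes = b""


@dataclass
class CacheEntry:
    headers: Headers
    body: bytes
    age: int = 0        # seconds the entry has been in cache (constructed)
    max_age: int = 60   # freshness lifetime from the original response

    def is_fresh(self) -> bool:
        return self.age < self.max_age


@dataclass
class Origin:
    """Constructed stand-in for the origin web server."""
    etag: str
    body: bytes

    def fetch(self, req: Headers) -> Response:
        hdrs = {"ETag": self.etag, "Cache-Control": "max-age=60"}
        if req.get("If-None-Match") == self.etag:
            return Response(304, hdrs)          # validator still matches
        return Response(200, hdrs, self.body)


def always_disable(resp: Response) -> bool:
    """Models an HTTP_RESPONSE iRule that calls CACHE::disable unconditionally."""
    return True


def disable_unless_304(resp: Response) -> bool:
    """The workaround from the issue: never disable the cache on a 304."""
    return resp.status != 304


def serve(client_req: Headers, entry: Optional[CacheEntry], origin: Origin,
          disable_cache: Callable[[Response], bool]) -> Response:
    """Proxy decision: serve a fresh entry; otherwise revalidate with the OWS
    using the proxy's own validator, then decide what the client may see."""
    if entry is not None and entry.is_fresh():
        return Response(200, {**entry.headers, "Age": str(entry.age)}, entry.body)

    # The proxy's upstream request is conditional even when the client's is not.
    upstream_req = dict(client_req)
    if entry is not None and "ETag" in entry.headers:
        upstream_req["If-None-Match"] = entry.headers["ETag"]
    resp = origin.fetch(upstream_req)

    if disable_cache(resp):
        # Cache bypassed: the OWS response is relayed verbatim. For a 304 this
        # is the defect in the issue: the client sent no validator, so 304 is
        # an illegal status for its request.
        return resp

    if resp.status == 304 and entry is not None:
        # Revalidated: refresh the entry and answer from the cached body.
        entry.age = 0
        entry.headers.update(resp.headers)
        if client_req.get("If-None-Match") == entry.headers["ETag"]:
            return Response(304, {"ETag": entry.headers["ETag"]})  # client validator matched
        return Response(200, {**entry.headers, "Age": "0"}, entry.body)

    # Fresh 200 from the OWS (no entry, or the object changed): relay it.
    return resp
```

With always_disable, a stale entry and an unchanged origin produce a 304 to an unconditional client; with disable_unless_304 the same request gets a 200 built from the cached body, and a client that did send a matching If-None-Match still correctly gets a 304.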
222201 : Compression configuration changes may require clearing RAM cache
Component: WebAccelerator
Symptoms:
If you change the compression or deduplication options for the iSession profile on a BIG-IP system that is running both the WAN Optimization Module (WOM) and the WebAccelerator (WA) system/Application Acceleration Module (AAM), you must also clear the RAM cache from the command line.
Conditions:
This might occur intermittently when there is both WOM-optimized and non-WOM-optimized traffic, because RAM Cache cannot distinguish between the two modes (WOM/no WOM) while WA/AAM serves different responses for each.
Impact:
WA/AAM may not accelerate the HTTP traffic as expected.
Workaround:
To delete all HTTP cache entries for a specific Web Acceleration profile, use the following tmsh command syntax:
tmsh delete /ltm profile ramcache <profilename>
In the previous example, <profilename> is the name of the Web Acceleration profile whose cache entries you want to delete.
For example, to delete all the HTTP cache entries for the MyRamCache profile, you would type the following command:
tmsh delete /ltm profile ramcache MyRamCache
For versions earlier than 10.x, use the following syntax:
bigpipe profile http <profile_name> ramcache entry all delete
Note: Replace profile_name with the name of the HTTP profile whose RAM Cache entries should be displayed or deleted. Use the keyword all to manage entries for all profiles.
For example, to clear all RAM Cache entries for the http-lan-optimized-caching profile, you would type the following command:
bigpipe profile http http-lan-optimized-caching ramcache entry all delete
221995 : Cache Setting feature honors only Vary headers containing User-Agent or Accept-Encoding entries
Component: Local Traffic Manager
Symptoms:
The Cache Setting feature honors only Vary headers containing User-Agent or Accept-Encoding entries. RFC2616 specifies that the Vary header can include any HTTP header or even a list of headers that the origin web server (OWS) can use to provide guidance to proxy servers in the management of their local caches. However, the Cache Setting feature (referred to as RAM Cache in BIG-IP versions prior to 11.0.0) honors only User-Agent and Accept-Encoding as valid entries for the Vary header.
Conditions:
This occurs with Vary headers that include entries other than User-Agent or Accept-Encoding.
Impact:
The BIG-IP system ignores Vary entries other than User-Agent and Accept-Encoding.
Workaround:
None.
221993 : Ramcache does not honor Vary header field containing the asterisk character
Component: Local Traffic Manager
Symptoms:
The Cache Setting feature (referred to as RAM Cache in BIG-IP versions prior to 11.0.0) does not honor the Vary header field containing the asterisk character ( * ) in RFC-compliant fashion. RFC2616, section 13.6, states that a response containing a Vary header field value with an asterisk character is not cacheable. However, the BIG-IP system ignores the asterisk character and incorrectly stores responses with a Vary: * header in the Cache Setting feature.
Conditions:
This occurs when using a Vary header field containing the asterisk character.
Impact:
The system may inappropriately serve objects that should not be cached from the Cache Setting feature. A packet capture shows that when the initial response from the Cache Setting feature contains the Vary: * header, the second response for the same object contains the Age header, which indicates that the system served the object from the Cache Setting feature.
Workaround:
To work around this issue, you can create an iRule that prevents the BIG-IP system from caching responses whose Vary header contains an asterisk:
when HTTP_RESPONSE {
if { [HTTP::header exists "Vary"] && ([HTTP::header "Vary"] equals "*") } {
CACHE::disable
}
}
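To make the two Vary issues above (221995 and 221993) concrete, the following added example, which is not BIG-IP or F5 code, implements a small shared cache twice: once keyed on every field named in Vary with "Vary: *" treated as uncacheable, as RFC 2616 section 13.6 requires, and once limited to User-Agent and Accept-Encoding with the asterisk ignored, as the Cache Setting feature behaves. The demo then shows the two observable effects: a Vary: * object served from cache with an Age header, and a wrong language variant served when Vary names a header the limited cache does not honor. It goes a little beyond the page's iRule in that an asterisk anywhere in a comma-separated Vary list is treated as uncacheable, not only an exact "*" value. Class and function names, URLs and header values are constructed.

```python
"""Added example (not F5 code): RFC 2616 13.6 Vary handling, full versus
limited to User-Agent and Accept-Encoding. All data is constructed."""
from typing import Dict, Optional, Set, Tuple

Headers = Dict[str, str]
SelectingValues = Tuple[Tuple[str, str], ...]

# The only Vary fields the limited implementation keys on (from the issue).
LIMITED_VARY_FIELDS: Set[str] = {"user-agent", "accept-encoding"}


def parse_vary(value: Optional[str]) -> Optional[Set[str]]:
    """Lower-cased field names listed in Vary; None when '*' is present
    anywhere in the list (RFC 2616 13.6: such a response is not cacheable)."""
    if value is None:
        return set()
    names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return None if "*" in names else names


def selecting_values(req: Headers, vary: Set[str],
                     honored: Optional[Set[str]]) -> SelectingValues:
    """Request values of the selecting headers; a missing header selects ''.
    `honored` limits which Vary names take part (None means all of them)."""
    req_lc = {k.lower(): v for k, v in req.items()}
    names = sorted(n for n in vary if honored is None or n in honored)
    return tuple((n, req_lc.get(n, "")) for n in names)


class VaryCache:
    """Shared cache keyed on URL plus the Vary-selected request header values."""

    def __init__(self, rfc_compliant: bool) -> None:
        self.honored = None if rfc_compliant else LIMITED_VARY_FIELDS
        self.honor_asterisk = rfc_compliant
        self.vary_by_url: Dict[str, Set[str]] = {}
        self.store: Dict[Tuple[str, SelectingValues], Headers] = {}

    def put(self, url: str, req: Headers, resp: Headers) -> bool:
        """Store a response; returns False when it must not be cached."""
        vary = parse_vary(resp.get("Vary"))
        if vary is None:
            if self.honor_asterisk:
                return False
            vary = set()          # the defect: '*' silently ignored
        self.vary_by_url[url] = vary
        self.store[(url, selecting_values(req, vary, self.honored))] = resp
        return True

    def get(self, url: str, req: Headers) -> Optional[Headers]:
        """Return a cached response (with an Age header, as a capture would
        show) or None on a miss."""
        vary = self.vary_by_url.get(url)
        if vary is None:
            return None
        hit = self.store.get((url, selecting_values(req, vary, self.honored)))
        return None if hit is None else {**hit, "Age": "1"}


def demo() -> Dict[str, bool]:
    """Run both scenarios from the issues against both cache behaviours."""
    out: Dict[str, bool] = {}
    for name, cache in (("rfc", VaryCache(True)), ("limited", VaryCache(False))):
        # 1. A response carrying Vary: * must never be served from cache.
        cache.put("/account", {}, {"Vary": "*", "Content-Type": "text/html"})
        out[f"{name}_star_hit"] = cache.get("/account", {}) is not None

        # 2. Vary: Accept-Language must select the variant by language.
        en = {"Vary": "Accept-Language", "Content-Language": "en"}
        cache.put("/greeting", {"Accept-Language": "en"}, en)
        hit = cache.get("/greeting", {"Accept-Language": "de"})
        out[f"{name}_de_served_en"] = hit is not None and hit["Content-Language"] == "en"
    return out
```

Calling demo() returns False for rfc_star_hit and rfc_de_served_en but True for limited_star_hit and limited_de_served_en, which is exactly the mis-serving the two issues describe: the limited cache hands back the Vary: * object with an Age header on the second request, and returns the English variant to a German-language client.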
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/