Applies To: BIG-IP AAM, BIG-IP APM, BIG-IP Link Controller, BIG-IP Analytics, BIG-IP LTM, BIG-IP AFM, BIG-IP PEM, BIG-IP DNS, BIG-IP FPS, BIG-IP ASM (all version 13.0.1)
BIG-IP Release Information
Version: 13.0.1
Build: 3.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v13.0.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v13.0.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v13.0.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v13.0.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
--- | --- | --- | --- |
700556-3 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
699012-2 | CVE-2018-5502 | K43121447 | TMM may crash when processing SSL/TLS data |
684879-1 | CVE-2017-6164 | K02714910 | Malformed TLS1.2 records may result in TMM segmentation fault. |
673595-1 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
670405-5 | CVE-2017-1000366 | K20486351 | glibc vulnerability CVE-2017-1000366 |
668501-1 | CVE-2017-6151 | K07369970 | HTTP2 does not handle some URIs correctly |
662022-1 | CVE-2017-6138 | K34514540 | The URI normalization functionality within the TMM may mishandle some malformed URIs. |
660725 | CVE-2017-6135 | K43322910 | CVE-2017-6135: Linux kernel vulnerability |
653993-4 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file |
653879-1 | CVE-2017-6214 | K81211720 | CVE-2017-6214 |
651221-3 | CVE-2017-6133 | K25033460 | Parsing certain URIs may cause the TMM to produce a core file. |
650059-3 | CVE-2017-6129 | K20087443 | TMM may crash when processing VPN traffic |
649907-1 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137 |
649904-1 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136 |
644904-6 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 | K55129614 | tcpdump 4.9 |
644693-1 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fixes for multiple CVEs in openjdk-1.7.0 |
634779-5 | CVE-2017-6147 | K43945001 | In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file |
630446-5 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
701447-3 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
701445-2 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1) |
701359-5 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
694274-6 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
671638-2 | CVE-2018-5500 | K33211839 | TMM crash when load-balancing mptcp traffic |
659791-1 | CVE-2017-6136 | K81137982 | TFO and TLP could produce a core file under specific circumstances |
655059-4 | CVE-2017-6134 | K37404773 | TMM Crash |
653065 | CVE-2016-6136 | K90803619 | CVE-2016-6136: Linux kernel vulnerability |
651243-1 | CVE-2017-2636 | K18015201 | CVE-2017-2636: Linux kernel vulnerability |
645480-2 | CVE-2017-6139 | K45432295 | Unexpected APM response |
645101-1 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732 |
642659-1 | CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 | K34527393 | Multiple LibTIFF Vulnerabilities |
640766-1 | CVE-2016-10088 CVE-2016-9576 | K05513373 | CVE-2016-10088 CVE-2016-9576 |
617273-10 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
593139 | CVE-2014-9761 | K31211252 | glibc vulnerability CVE-2014-9761 |
673607-1 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
672667-5 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
656912-5 | CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 | K32262483 | Various NTP vulnerabilities |
578983 | CVE-2015-8778 | K51079478 | glibc: Integer overflow in hcreate and hcreate_r |
684033-2 | CVE-2017-9798 | K70084351 | CVE-2017-9798: Apache Vulnerability (OptionsBleed) |
655021-1 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
686389-2 | 3-Major | | APM does not honor per-farm HTML5 client disabling at the View Connection Server |
663521-3 | 3-Major | | Intermittent dropping of multicast packets on certain BIG-IP platforms |
652146-1 | 3-Major | K07269132 | Email agent does not send email if the remote server does not provide a 200 OK response to VRFY request. |
651772-4 | 3-Major | | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates |
643034-2 | 3-Major | | Turn off TCP Proxy ICMP forwarding by default |
632875-4 | 3-Major | | Non-Administrator TMSH users no longer allowed to run dig |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
707226-5 | 1-Blocking | | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations |
667148-2 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition |
665354-3 | 2-Critical | | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log |
664894-2 | 2-Critical | K11070206 | PEM sessions lost when new blade is inserted in chassis |
664549-3 | 2-Critical | K55105132 | TMM restart while processing rewrite filter |
660577-2 | 2-Critical | | openldap; prevent crash on rc==LDAP_SUCCESS && res==NULL |
651173 | 2-Critical | | Security hardening of qkview |
651084-1 | 2-Critical | K17330535 | 'tmsh show sys memory raw' command shows a slow build up of memory usage. |
448409-3 | 2-Critical | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiate a provisioning cycle |
703848-2 | 3-Major | | Possible memory leak when reusing statistics rows in tables |
689691-1 | 3-Major | | istats line length is limited to 4032 bytes |
688011-6 | 3-Major | | Dig utility does not apply best practices |
687353-2 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files |
675188-2 | 3-Major | | CVE-2017-9233: Expat vulnerability |
669818-1 | 3-Major | | Higher CPU usage for syslog-ng when a syslog server is down |
668048-2 | 3-Major | K02551403 | TMM memory leak when manually enabling/disabling pool member used as HSL destination |
667302-1 | 3-Major | | Cannot create CE policies when only APM is provisioned. |
664057-1 | 3-Major | | Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached |
664017-4 | 3-Major | | OCSP may reject valid responses |
663063-1 | 3-Major | | Disabling pool member used in busy HSL TCP destination can result in service disruption. |
662913-1 | 3-Major | K17213048 | GUI LTM Virtual Server page cannot open. Virtual Server cannot be created or updated. |
658636-3 | 3-Major | K51355172 | When creating LTM or DNS monitors through batch/transaction mode, newlines are improperly escaped. |
655649-1 | 3-Major | | BGP last update timer incorrectly resets to 0 |
648317-1 | 3-Major | | Upgrade to 13.0.0 on B2100/B2150 with IOMMU enabled prevents vCMP guests from starting★ |
647988-2 | 3-Major | K15331432 | HSL Balanced distribution to Two-member pool may not be balanced correctly. |
645179-1 | 3-Major | | Traffic group becomes active on more than one BIG-IP after a long uptime |
642982-1 | 3-Major | K23241518 | tmrouted may continually restart after upgrade, adding or renaming an interface★ |
635703-2 | 3-Major | K14508857 | Interface description may cause some interface level commands to be removed |
604547-4 | 3-Major | | Unix daemon configuration may be lost or not be updated upon reboot |
598724-2 | 3-Major | | Abandoned indefinite lifetime SessionDB entries on STANDBY devices. |
544906-4 | 3-Major | K07388310 | Issues when using remote authentication when users have different partition access on different devices |
543208-2 | 3-Major | | Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★ |
673165-1 | 4-Minor | | CVE-2017-7895: Linux Kernel Vulnerability |
660239-1 | 4-Minor | | When accessing the dashboard, invalid HTTP headers may be present |
644975-2 | 4-Minor | | /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost |
644799-2 | 4-Minor | K42882011 | TMM may crash when the BIG-IP system processes CGNAT traffic. |
613275-1 | 4-Minor | K62581339 | SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up |
514703-2 | 4-Minor | | gtm listener cannot be listed across partitions |
479471-2 | 4-Minor | K00342205 | CPU statistics reported by the tmstat command may spike or go negative |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
670011-1 | 1-Blocking | | SSL forward proxy does not create the server certchain when ignoring server certificates |
699298-1 | 2-Critical | K83285053 | 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV. |
692970-1 | 2-Critical | | Using UDP port 67 for purposes other than DHCP might cause TMM to crash |
687635-2 | 2-Critical | | Tmm becomes unresponsive and might restart |
686685 | 2-Critical | | LTM Policy internal compilation error |
686305-3 | 2-Critical | | TMM may crash while processing SSL forward proxy traffic |
677975 | 2-Critical | K59237122 | SSL may cause the TMM to core when forging a certificate due to race condition |
676028-1 | 2-Critical | K09689143 | SSL forward proxy bypass may fail to release memory used for ssl_hs instances |
674576-2 | 2-Critical | | Outage may occur with VIP-VIP configurations |
670096-1 | 2-Critical | | TMM may crash when a DHCP virtual server is used with an iRule involving SERVER_DATA event and TCL 'after' command. |
667259-1 | 2-Critical | K15364500 | Memory Leak in RAM Cache |
665924-2 | 2-Critical | K24847056 | The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios |
664461-1 | 2-Critical | K16804728 | Replacing HTTP payload can cause tmm restart |
661716 | 2-Critical | K05655212 | TMM core when session ticket and OCSP Stapling is enabled on the clientSSL profile★ |
655628-2 | 2-Critical | | TCP analytics does not release resources under specific sequence of packets |
655211-4 | 2-Critical | K25384206 | bigd crash (SIGSEGV) when running FQDN node monitors |
653495-1 | 2-Critical | K05411532 | Incorrect SNI hostname attached to serverside connections |
652973-3 | 2-Critical | | Coredump observed at system bootup time when many DHCP packets arrive |
648320-2 | 2-Critical | | Downloading via APM tunnels could experience performance downgrade. |
646604-1 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together |
621870-1 | 2-Critical | | Outage may occur with VIP-VIP configurations |
699346-4 | 3-Major | | NetHSM capacity reduces when handling errors |
695901-7 | 3-Major | | TMM may crash when processing ProxySSL data |
688009-6 | 3-Major | | Appliance Mode TMSH hardening |
687193 | 3-Major | | TMM may leak memory when processing SSL Forward Proxy traffic |
686065-3 | 3-Major | | RESOLV::lookup iRule command can trigger crash with slow resolver |
681710-3 | 3-Major | | Malformed HTTP/2 requests may cause TMM to crash |
680264-1 | 3-Major | K18653445 | HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags |
677666-1 | 3-Major | K60909141 | /var/tmstat/blades/scripts segment grows in size. |
677119-2 | 3-Major | | HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE |
673052-1 | 3-Major | | On i-Series platforms, HTTP/2 is limited to 10 streams |
670822-1 | 3-Major | | TMM may crash when processing SOCKS data |
669025-3 | 3-Major | K11425420 | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate |
668522-2 | 3-Major | | bigd might try to read from a file descriptor that is not ready for read |
666032-1 | 3-Major | K05145506 | Secure renegotiation is set while data is not available. |
663821-2 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic |
662881-1 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active. |
662663-1 | 3-Major | | Decryption failure on Nitrox platforms in vCMP mode |
662085-2 | 3-Major | | iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages |
659519-2 | 3-Major | K42400554 | Non-default header-table-size setting on HTTP2 profiles may cause issues |
658214-1 | 3-Major | K20228504 | TCP connections fail intermittently for mirrored fastl4 virtual server |
657858-3 | 3-Major | K85425460 | TMM can restart when VLAN keyed connections are disabled. |
657626-1 | 3-Major | | User with role 'Manager' cannot delete/publish LTM policy. |
655793-2 | 3-Major | K04178391 | SSL persistence parsing issues due to SSL / TCP boundary mismatch |
655432-6 | 3-Major | K85522235 | SSL renegotiation fails intermittently with AES-GCM cipher |
653511-3 | 3-Major | K45770397 | Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve |
652535-2 | 3-Major | K54443700 | HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented. |
651651-1 | 3-Major | K54604320 | bigd can crash when a DNS response does not match the expected value |
651135-2 | 3-Major | K41685444 | LTM Policy error when rule names contain slash (/) character★ |
650292-1 | 3-Major | | DNS transparent cache can return non-recursive results for recursive queries |
648954-1 | 3-Major | K01102467 | Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls |
646443-2 | 3-Major | | Ephemeral Node may be errantly created in bigd, causing crash |
644418-1 | 3-Major | | Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate |
643777-1 | 3-Major | K27629542 | LTM policies with more than one IP address in TCP address match may fail |
643041-1 | 3-Major | K64451315 | Less than optimal interaction between OneConnect and proxy MSS |
631862-5 | 3-Major | K32107573 | Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk |
628721-6 | 3-Major | | In rare conditions, DNS cache resolver outbound TCP connections fail to expire. |
599177-1 | 3-Major | | Regression in Route Domain and Partition GUI load times due to high CPU utilization in merged. |
680729-2 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
668802-2 | 4-Minor | K83392557 | GTM link graphs fail to display in the GUI |
667318-1 | 4-Minor | | BIG-IP DNS/GTM link graphs fail to display in the GUI. |
627764-1 | 4-Minor | | Prevent sending a 2nd RST for a TCP connection |
522302-1 | 4-Minor | | TCP Receive Window error messages are inconsistent on UI |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
588752-1 | 1-Blocking | | APM Login Performance may be degraded |
620903-2 | 2-Critical | | Decreased performance of ICMP attack mitigation. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
580537-2 | 2-Critical | | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data |
677526-1 | 3-Major | | Memory leak may occur during connflow failures. |
667469-2 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache |
665347-1 | 3-Major | K17060443 | GTM listener object cannot be created via tmsh while in non-Common partition |
663310-2 | 3-Major | K50871313 | named reports "file format mismatch" when upgrading to versions with BIND 9.9.x for text slave zone files★ |
654599-4 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed |
643813-1 | 3-Major | K32906881 | ZoneRunner does not properly process $ORIGIN directives |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
661699-1 | 2-Critical | | BD crash under specific conditions |
657925-1 | 2-Critical | K33646141 | Error when enabling ASM via iRule |
654873-1 | 2-Critical | | ASM Auto-Sync Device Group |
653292-1 | 2-Critical | | MySQL does not initialize correctly on first system start |
653014-2 | 2-Critical | | Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name |
652200-2 | 2-Critical | K81349220 | Failure to update ASM enforcer about account change. |
672695-2 | 3-Major | | Internal perl process listening on all interfaces when ASM enabled |
668181-1 | 3-Major | | Policy automatic learning mode changes to manual after failover |
667076-1 | 3-Major | K92494571 | WebSocket URLs over SSL don't match when differentiate HTTP/HTTPS is disabled |
666986-1 | 3-Major | K50320144 | Filter by Support ID is not working in Request Log |
666118-1 | 3-Major | K58571155 | High CPU usage from asm_config_server |
665494-1 | 3-Major | | Several factory policy templates have delayed blocking enabled |
664930-3 | 3-Major | | Policy automatic learning mode changes to manual after failover |
662281-1 | 3-Major | | Inconsistencies in Automatic sync ASM Device Group |
660327-1 | 3-Major | | Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded. |
660326-1 | 3-Major | K91072177 | Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.★ |
658062-1 | 3-Major | | 'Default' plain text profile is created upon import policy with Disallowed WebSocket URLs |
654996-2 | 3-Major | K50345236 | Closed connections remain in memory |
652781 | 3-Major | K19003278 | Learn from responses checkbox can appear checked and disabled in manual mode |
648639-2 | 3-Major | K92201230 | TS cookie name contains NULL or other raw byte |
647726-1 | 3-Major | | ASM REST: POST disallowed to /mgmt/tm/asm/policies/<ID>/server-technologies endpoint |
638857-1 | 4-Minor | | Challenging AJAX-qualified requests covers only GET and POST HTTP methods |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
653136-1 | 2-Critical | | transaction capturing sends binary data without escaping |
643411-1 | 2-Critical | K59119323 | High memory usage for avrd statistics |
665477-1 | 3-Major | | Analytics based on tmstat-tables might cause high CPU usage |
664725-1 | 3-Major | | AVR publishes tmstat statistics to internal store (SQL) when disable-all-internal-logging is set. |
659527-1 | 3-Major | K32271142 | Custom Predefined Reports are not displayed in ASM Analytics Schedules |
658996-1 | 3-Major | | Some externally published AVR data can be corrupted when HTTP Traffic external publisher is on |
658343-3 | 3-Major | K33043439 | AVR tcp-analytics: per-host RTT average may show incorrect values |
654915-1 | 3-Major | | Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address |
654275-1 | 3-Major | | Traffic Capturing is not reported to external log when "use-offbox" is set. |
639395-3 | 3-Major | K91614278 | AVR does not display 'Max read latency' units. |
629573 | 3-Major | | No drill-down filter for virtual-servers is mentioned on exported reports when using partition |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
647108-2 | 1-Blocking | | Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction |
702278-1 | 2-Critical | | Potential XSS security exposure on APM logon page. |
701944-3 | 2-Critical | | machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6 |
700724-1 | 2-Critical | | Client connection with large number of HTTP requests may cause tmm to restart |
697452 | 2-Critical | | Websso crashes because of bad argument in logging |
693739-2 | 2-Critical | K70644505 | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled |
692557-2 | 2-Critical | | When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted. |
689591-1 | 2-Critical | | When pingaccess SDK processes certain POST requests from the client, the TMM may restart |
682043-2 | 2-Critical | K41041660 | Chrome v60 and newer might incorrectly report F5 VPN and F5 EPI status |
679235-6 | 2-Critical | | Inspection Host NPAPI Plugin for Safari cannot be installed |
676904-1 | 2-Critical | | tmm may crash while printing VDI logging information |
675326-1 | 2-Critical | | TMM core with Modify Header with 'remove header' option |
671579-1 | 2-Critical | | Macro and macrocall creation issues when policy is in folder |
668849-2 | 2-Critical | | Upgrade failure for apm-log-setting objects★ |
667594-1 | 2-Critical | | Rewrite plugin could crash on rewriting of some URLs in POST data |
664758-1 | 2-Critical | | URLDB SIGFPE - 'urldb tcl result not overwritten' |
658462-1 | 2-Critical | K10251490 | Portal Access: tmm may crash if web application uses long cookie names and/or values |
652004-1 | 2-Critical | K45320415 | Show /apm access-info all-properties causes memory leaks in tmm |
651229-1 | 2-Critical | K14429395 | tmm may restart when SAML SLO is initiated by SP using redirect binding |
649234-1 | 2-Critical | | TMM crash from a possible memory corruption. |
639929-3 | 2-Critical | | Session variable replace with value containing these characters ' " & < > = may cause tmm crash |
631286-2 | 2-Critical | | URI cache entries should be replaced/expired for euie hash table |
570841-1 | 2-Critical | | Cannot create or edit a new document from SharePoint 2013 ribbon buttons via Portal Access |
704580-2 | 3-Major | | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
704535-3 | 3-Major | | Chrome v64.0.3282.119 changed the way it launches custom protocol handlers, causing F5 VPN and F5 EPI not to work properly on Windows |
703984-3 | 3-Major | | Machine Cert agent improperly matches hostname with CN and SAN |
703429-3 | 3-Major | | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services |
703081 | 3-Major | | Benign mc_delete_key notice message |
702490-3 | 3-Major | | Windows Credential Reuse feature may not work |
697636-1 | 3-Major | | ACCESS is not replacing headers while replacing POST body |
695953-2 | 3-Major | | Custom URL Filter object is missing after load sys config TMSH command |
694624-2 | 3-Major | | SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor |
693994-2 | 3-Major | K11043437 | F5 VPN or Edge Client may drop DTLS and use TLS if DTLS packet reordering happens |
692307-2 | 3-Major | | User with 'operator' role may not be able to view some session variables |
689826-1 | 3-Major | | Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese) |
689415 | 3-Major | | APM configuration snapshots missing due to APMD's failure to detect TMM state transition |
684937-2 | 3-Major | | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
684325-2 | 3-Major | | APMD Memory leak when applying a specific access profile |
683389-2 | 3-Major | | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file |
683297-1 | 3-Major | | Portal Access may use incorrect back-end for resources referenced by CSS |
683113-2 | 3-Major | | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users |
682500-3 | 3-Major | | VDI Profile and Storefront Portal Access resource do not work together |
682271-1 | 3-Major | | Portal Access may handle JavaScript getter/setter definitions incorrectly |
678976-1 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm. |
678851-2 | 3-Major | | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() |
678001-1 | 3-Major | K21519702 | Websso crash due to uninitialized member in websso context object while processing a log message |
677368-1 | 3-Major | | Websso crash due to uninitialized member in websso context object while processing a log message |
677058-1 | 3-Major | | Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables writes password in plain text |
675866-2 | 3-Major | | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO |
674593-2 | 3-Major | | APM configuration snapshot takes a long time to create |
674410-1 | 3-Major | K59281892 | AD auth failures due to invalid Kerberos tickets |
673860-1 | 3-Major | | App-service is not supported by import/export |
672818-1 | 3-Major | | When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established |
672040-1 | 3-Major | | Access Policy Causing Duplicate iRule Event Execution |
671883-1 | 3-Major | | [APM] Ping Access Agent does not correctly handle HTTP request with invalid version |
671880-1 | 3-Major | | [APM] Ping Access Agent's internal request processing state needs improvement |
671597-2 | 3-Major | | Import, export, copy and delete take too long on a 1000-entry policy |
671138-2 | 3-Major | | Firefox and Chrome users are asked to re-install the Windows "Endpoint Inspector Application" after upgrade from 13.0.0 |
670910-3 | 3-Major | | Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined |
670456-2 | 3-Major | | Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number |
669154-2 | 3-Major | | Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases. |
668623-6 | 3-Major | K85991425 | macOS Edge client fails to detect correct system language for regions other than USA |
668247-1 | 3-Major | | Machine Certificate Checker service may not be used when UAC is disabled on Windows machine |
667577-1 | 3-Major | | Access profile 'Restrict to Single Client IP' setting not enforced with DTLS tunnel |
666689-2 | 3-Major | | Occasional "profile not found" errors following activate access policy |
666233 | 3-Major | | Localdbmgr process cores |
665416-1 | 3-Major | | Old versions of APM configuration snapshots need to be reaped more aggressively if not used |
664507-4 | 3-Major | | When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration |
663510-1 | 3-Major | | F5 EPI or F5 VPN browser helper apps in some cases throw error and quit |
660868-1 | 3-Major | | Resets after adding URL Branching item |
659460-1 | 3-Major | | URL encoded Authorization code does not work with APM OAuth client |
658664-1 | 3-Major | | VPN connection drops when 'prohibit routing table change' is enabled |
655209-2 | 3-Major | | Automatically launched applications run with root permission on VPN establishment |
655146-1 | 3-Major | | APM Profile access stats are not updated correctly |
654513-1 | 3-Major | K11003951 | APM daemon crashes when the LDAP query agent returns empty in its search results. |
654485-1 | 3-Major | K85549136 | Portal Access: Same-origin AJAX request may fail if response contains non-wildcard Access-Control-Allow-Origin header |
654046-2 | 3-Major | | BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs. |
653771-1 | 3-Major | | tmm crash after per-request policy error |
652910-1 | 3-Major | | Native RDP published on webtop does not connect if allowed vlans specified explicitly |
651910-1 | 3-Major | | Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later |
649929-2 | 3-Major | | saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it |
647706-1 | 3-Major | | iOS RDP client fails to connect to RD Connection Broker via APM's Native RDP resource |
645684-3 | 3-Major | | Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting. |
642589-1 | 3-Major | | VPE endings/terminals incorrectly saved |
640521-2 | 3-Major | | EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices |
639283-1 | 3-Major | | Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate |
632646-3 | 3-Major | | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. |
616104-1 | 3-Major | | VMware View connections to pool hit matching BIG-IP virtuals |
612792-2 | 3-Major | | Support RDP redirection for connections launched from APM Webtop on iOS |
612118-1 | 3-Major | | Nexthop explicit proxy is not used for the very first connection to communicate with the backend. |
583272-3 | 3-Major | | "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth |
572567-1 | 3-Major | | Portal Access: JavaScript errors accessing MS SharePoint 2010 / 2013 / 2016 in Internet Explorer 11 |
699455-5 | 4-Minor | | SAML export does not follow best practices |
699451-5 | 4-Minor | | OAuth reports do not follow best practices |
673717-2 | 4-Minor | | VPE loading times can be very long |
667304-2 | 4-Minor | K68108551 | Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled |
667237-2 | 4-Minor | | Edge Client logs the routing and IP tables repeatedly |
629411-1 | 4-Minor | | OAuth Client/RS and Authorization Server don't work together on the same BIG-IP |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
640407-2 | 2-Critical | K41344483 | Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
--- | --- | --- | --- |
665888-1 | 2-Critical | | Upgrade from v12.1.1, v12.1.2, v12.1.3, or v13.0.0 fails when DoS application profile has heavy URLs configured |
664625-1 | 2-Critical | K08041607 | Connection resets on Virtual Server with APM Access Profile and ASM Security Policy |
652278-1 | 2-Critical | K81003383 | dwbld process may leak memory during extended uptime |
651001-2 | 2-Critical | | massive prints in tmm log: "could not find conf for profile crc" |
632388-1 | 3-Major | K34214852 | Sync all autodos history files from active to standby units every 5 mins |
519612-2 | 3-Major | | JavaScript challenge fails when coming within iframe with different domain than main page |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
696383-4 | 2-Critical | | PEM Diameter incomplete flow crashes when swept |
694717-2 | 2-Critical | | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. |
668252-3 | 2-Critical | K22784428 | TMM crash in PEM_DIAMETER component |
658261-3 | 2-Critical | | TMM core after HA during Gy reporting |
658148-4 | 2-Critical | K23150504 | TMM core after intra-chassis failover for some instances of subscriber creation |
657632-5 | 2-Critical | | Rarely, if a subscriber delete is performed following HA switchover, tmm may crash |
653285-2 | 2-Critical | | PEM rule deletion with HSL reporting may cause tmm coredump |
628311-4 | 2-Critical | K87863112 | Potential TMM crash due to duplicate installed PEM policies by the PCRF |
626851-4 | 2-Critical | K37665112 | Potential crash in a multi-blade chassis during CMP state changes. |
616008-2 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
696789-4 | 3-Major | | PEM Diameter incomplete flow crashes when Tcl resumed |
695968-2 | 3-Major | | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. |
684333-2 | 3-Major | | PEM session created by Gx may get deleted across HA multiple switchover with CLI command |
678820-3 | 3-Major | | Potential memory leak if PEM Diameter sessions are not created successfully. |
678714-1 | 3-Major | | After HA failover, subscriber data has stale session ID information |
660187-4 | 3-Major | | TMM core after intra-chassis failover for some instances of subscriber creation |
652052-2 | 3-Major | | PEM:sessions iRule made the order of parameters strict |
642068-3 | 3-Major | | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens |
638594-4 | 3-Major | | TMM crash when handling unknown Gx messages. |
634015-4 | 3-Major | | Potential TMM crash due to a PEM policy content triggered buffer overflow |
678822-1 | 4-Minor | | Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
663333-2 | 2-Critical | | TMM may core in PBA mode if LSN pool is under-provisioned or the utilization is high |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
676808-1 | 2-Critical | | FPS: tmm may crash on response with large payload from server |
669364-2 | 2-Critical | | TMM core when server responds fast with server responses such as 404. |
636371-1 | 2-Critical | | Upgrade from pre-v13.0.0 software might fail |
674909-1 | 3-Major | | Application CSS injection might break when connection is congested |
667872-2 | 3-Major | | WebSafe's 'Apply cookies to base domain' feature doesn't work for non-standard ports |
658315-1 | 3-Major | | WebSafe Login Validation may break response |
657502-1 | 3-Major | | JS error when leaving page opened for several minutes |
643889-1 | 3-Major | | Backwards compatibility of blacklist and whitelist words is broken |
643602-1 | 4-Minor | | 'Select All' checkbox selects items on hidden pages |
639750-2 | 4-Minor | | Username aliases are not supported |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
654696-1 | 2-Critical | | iCall script may log an error on execution |
Cumulative fixes from BIG-IP v13.0.0 Hotfix 3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
693211-2 | CVE-2017-6168 | K21905460 | CVE-2017-6168 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
664063 | 2-Critical | K03203976 | Azure displays failure for deployment of BIG-IP from a Resource Manager template |
Cumulative fixes from BIG-IP v13.0.0 Hotfix 2 that are included in this release
Functional Change Fixes
None
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
660170-2 | 4-Minor | K28505910 | tmm may crash at ~75% of VLAN failsafe timeout expiration |
Cumulative fixes from BIG-IP v13.0.0 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
652151 | CVE-2017-6131 | K61757346 | Azure VE: Initialization improvement |
658764 | CVE-2017-6135 | K43322910 | Linux kernel lasthop driver memory issue |
648867-1 | CVE-2017-6074 | K82508682 | Kernel vulnerability: CVE-2017-6074 |
648786-1 | CVE-2017-6169 | K31404801 | TMM crashes when categorizing long URLs |
643187-1 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
641445-2 | CVE-2017-6145 | K22317030 | iControl improvements |
641360-1 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
638556-1 | CVE-2016-10045 | K73926196 | PHP Vulnerability: CVE-2016-10045 |
636702-4 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
636700-1 | CVE-2016-9147 | K02138183 | BIND vulnerability CVE-2016-9147 |
636699-6 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
643554-2 | CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 | K37526132 K44512851 K43570545 | OpenSSL vulnerabilities - OpenSSL 1.0.2k library update |
641612-1 | CVE-2017-0302 | K87141725 | APM crash |
639729-1 | CVE-2017-0304 | K39428424 | Request validation failure in AFM UI Policy Editor |
637666-1 | CVE-2016-10033 | K74977440 | PHP Vulnerability: CVE-2016-10033 |
631688-8 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
627747 | CVE-2017-6142 | K20682450 | Improve cURL Usage |
615267 | CVE-2016-2183 | K13167034 | OpenSSL vulnerability CVE-2016-2183 |
606710-11 | CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 | K15479471 | Mozilla NSS vulnerability CVE-2016-2834 |
578076 | CVE-2016-0800 | K23196136 | OpenSSL vulnerability CVE-2016-0800 |
578017 | CVE-2016-0800 | K23196136 | CVE-2016-0800 : SSLV2 "DROWN" Vulnerability |
635933 | CVE-2004-0790 | K23440942 K13361021 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
615226 | CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300 | K13074505 | Libarchive vulnerabilities: CVE-2016-8687 and others |
600205-1 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
598002-9 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
624722 | CVE-2016-7117 CVE-2016-6828 | K51201255 | Linux kernel vulnerability CVE-2016-7117 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
649369-1 | 2-Critical | | DES, 3DES and HIGH cipher string includes/excludes wrong ciphers |
641724 | 2-Critical | | BIG-IP VE support for GCE |
644870 | 3-Major | | Improvements of protocol for sending data to AppIQ offbox via TCP |
638967-2 | 3-Major | | SSL Forward Proxy not to cache forged certificate if soft_vfyresult indicates an 'untrusted CA' or 'expired cert' |
633723-4 | 3-Major | | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot |
633391-2 | 3-Major | | GUI Error trying to modify IP Data-Group |
626594-3 | 3-Major | | No way to perform a soft server certificate verification |
641169 | 4-Minor | | Role permissions for actions on the iRules LX Workspace editor page |
618332-3 | 4-Minor | | No event triggered when the system receives a certificate message from the server. |
572272 | 4-Minor | | BIG-IP - Anonymous Certificate ID Enumeration |
501258-1 | 4-Minor | | Unable to modify 'gtm region region-members' via iControl REST |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
642058 | 1-Blocking | | CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances |
641390-2 | 1-Blocking | | Backslash removal in LTM monitors after upgrade |
636479 | 1-Blocking | | Hyper-V VE image fails to boot, stuck on "monpd: - Running monpd bigstart script." displayed on console at startup |
636016 | 1-Blocking | | VADC: when using an Intel XL710 SR-IOV NIC, a bigstart restart can re-order the interfaces and impact traffic |
648056-3 | 2-Critical | K16503454 | bcm56xxd core when configuring QinQ VLAN with vCMP provisioned. |
645805-2 | 2-Critical | | LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad Ethernet source MAC address |
641013-6 | 2-Critical | | GRE tunnel traffic pinned to one TMM |
634132 | 2-Critical | | VE: virtio high performance driver (Linux/KVM) |
634085-1 | 2-Critical | | IPsec tmm assert "ike_ctx tag" |
626861-1 | 2-Critical | K31220138 | Ensure unique IKEv2 sequence numbers |
615372 | 2-Critical | | Occasional TCP resets during connection initiation (RST cause is "No local listener") |
508113-2 | 2-Critical | | tmsh load sys config base merge file <filename> fails |
649617-1 | 3-Major | | qkview improvement for OVSDB management |
645219 | 3-Major | | Switching to native virtio driver |
644490-2 | 3-Major | | Finisar 100G LR4 values need to be revised in f5optics |
639774-1 | 3-Major | K30598276 | mysqld.err rollover log files are not collected by qkview |
639575-2 | 3-Major | K63042400 | Using libtar with files larger than 2 GB will create an unusable tarball |
639530 | 3-Major | | Kernel.el7.2: xhci: off-by-one error in TRB DMA address boundary check |
639049-1 | 3-Major | | Virtual Server creation ignores translate-address setting with wildcard destination |
638825-1 | 3-Major | | SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD |
638215 | 3-Major | | iHealth auto-upload script may get stuck in unusual circumstances |
637561-2 | 3-Major | | Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice |
637141-1 | 3-Major | | TMM core after deleting POLICY and executing command: show net ipsec ike-sa. |
635116-3 | 3-Major | K34100550 | Memory leak when using replicated remote high-speed logging. |
633879-2 | 3-Major | K52833014 | Fix IKEv1 md5 phase1 hash algorithm so config takes effect |
630610-1 | 3-Major | K43762031 | BFD session interface configuration may not be stored on unit state transition |
629085-2 | 3-Major | K55278069 | Any CSS content truncated at a quoted value leads to a segfault |
628164-4 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
624580 | 3-Major | K37147352 | BigDB.dat may become truncated |
620659-4 | 3-Major | | The BIG-IP system may unnecessarily run provisioning on successive reboots |
610307-4 | 3-Major | | Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber |
610122 | 3-Major | | Hotfix installation fails: can't create /service/snmpd/run★ |
609200-1 | 3-Major | | Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★ |
605792 | 3-Major | | Installing a new version changes the ownership of administrative users' files★ |
569100 | 3-Major | | Virtual server using NTLM profile results in benign Tcl error |
561596 | 3-Major | | Hotfixes can optionally update FPS engine file |
561592 | 3-Major | | Hotfixes can update FPS engine file |
559080 | 3-Major | | High Speed Logging to specific destinations stops from individual TMMs |
541320-8 | 3-Major | K50973424 | Sync of tunnels might cause restore of deleted tunnels. |
489499-2 | 3-Major | | chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd |
644805 | 4-Minor | | Kernel.el7.2: BIG-IP VIPRION B4450 - ACPI complaints about unpopulated CPU cores |
643404-1 | 4-Minor | K30014507 | 'tmsh system software status' does not display properly in a specific cc-mode situation★ |
639528 | 4-Minor | | Kernel.el7.2: Broadwell Home Agent devices have non-compliant BAR. |
636520-1 | 4-Minor | K88813435 | Detail missing from power supply 'Bad' status log messages |
633091 | 4-Minor | | AVR debug messages are printed to screen when saving/loading sys config |
632668-6 | 4-Minor | | When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds |
632069-2 | 4-Minor | | Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076 |
631572 | 4-Minor | | Cryptic error relating to the liveinstall.movelicense DB variable |
627554-1 | 4-Minor | | Partition of LTM policies is displayed in breadcrumb rather than properties table row |
624896-1 | 4-Minor | | GUI LTM Virtual Server Connection Limit and Connection Rate Limit |
623362-1 | 4-Minor | | Oversized pool member input |
617901-9 | 4-Minor | | GUI to handle file path manipulation to prevent GUI instability. |
614804-1 | 4-Minor | | libcurl vulnerabilities: CVE-2016-5420, CVE-2016-5421, CVE-2016-7141 |
598289 | 4-Minor | | TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port> |
598024-1 | 4-Minor | | FastL4 profile with immediate idle timeout is not honored for ePVA offloaded flows |
588414-1 | 4-Minor | | Displaying application components reports an error |
541550-2 | 4-Minor | | Defining more than 10 remote-role groups can result in authentication failure |
417720 | 4-Minor | | BIG-IP LTM Log Indicates Chassis Power Turned Off During Fan Speed Failures |
247527-1 | 4-Minor | K14890 | Mgmt interface cannot be disabled via tmsh |
642015-4 | 5-Cosmetic | | SSD Manufacturer "unavailable" |
636663 | 5-Cosmetic | | "monpd: - Running monpd bigstart script." displayed on console at startup |
619593-1 | 5-Cosmetic | | Provisioning page table cells overlap |
609995-1 | 5-Cosmetic | | Device Connectivity tabs not properly highlighted |
594228-1 | 5-Cosmetic | | Resetting mgmt interface statistics doesn't work on VE or vCMP |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
651476-1 | 2-Critical | | bigd may core on non-primary bigd when FQDN in use |
648715-3 | 2-Critical | | BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0 |
647962-1 | 2-Critical | | B2250: Interface is dropping traffic in passive mode |
644112 | 2-Critical | K56150996 | Permanent connections may be expired when endpoint becomes unreachable |
643396-1 | 2-Critical | K34553627 | Using FLOW_INIT iRule may lead to TMM memory leak or crash |
642400-3 | 2-Critical | | Path MTU discovery occasionally fails |
642090 | 2-Critical | | ILXFlow.lbSelect does not work inside 'requestStart' or 'requestComplete' events |
640352-1 | 2-Critical | K01000259 | Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet |
639764-1 | 2-Critical | | Crash when searching external data-groups with records that do not have values |
639744-3 | 2-Critical | K84228882 | Memory leak in STREAM::expression iRule |
639565 | 2-Critical | | Core when accessing MQTT::Type after drop |
639383 | 2-Critical | | ILX HTTP headerNames are not being properly treated as case insensitive |
637181-1 | 2-Critical | | VIP-on-VIP traffic may stall after routing updates |
626311-1 | 2-Critical | K75419237 | Potential failure of DHCP relay functionality due to incorrect route lookup. |
608304-2 | 2-Critical | K55292305 | TMM crash on memory corruption |
581746-6 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
654368-1 | 3-Major | | ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require |
651106-1 | 3-Major | | Memory leak on non-primary bigd with changing node IPs |
649571-2 | 3-Major | | Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello |
648990-1 | 3-Major | | Serverside SSL renegotiation does not occur after block cipher data limit is exceeded |
644041 | 3-Major | K51884304 | HTTP response-headers-permitted profile option removes listed headers |
640376-2 | 3-Major | | STPD leaks memory on 2000/4000/i2000/i4000 series |
638779 | 3-Major | | Help file for MQTT profile is missing. |
637094 | 3-Major | | The iRules LX streaming external data-group API may incorrectly not find a match. |
636613 | 3-Major | | GUI allows creating New client SSL profile in read-only partition |
636289-1 | 3-Major | | Fixed a memory issue while handling TCP::congestion iRule |
633564-1 | 3-Major | | Route unavailable when static route depends on another static route |
633333-1 | 3-Major | | During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent |
626386-2 | 3-Major | K28505256 | SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled |
622160 | 3-Major | | ICMPv6 packets can have the wrong source IP if an IPv6 VIP has IPv4 pool members |
620625-3 | 3-Major | K38094257 | Changes to the Connection.VlanKeyed DB key may not immediately apply |
618430-1 | 3-Major | | iRules LX data not included in qkview |
611691-6 | 3-Major | | Packet payload ignored when DSS option contains DATA_FIN |
607246-8 | 3-Major | | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires |
603609-1 | 3-Major | | Policy unable to match initial path segment when request-URI starts with "//" |
575642 | 3-Major | | rst_cause of "Internal error" |
572234-1 | 3-Major | | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. |
517756-5 | 3-Major | | Existing connections can choose incorrect route when crossing non-strict route-domains |
429213 | 3-Major | | Some monitor types assigned to the same node IP:port in different Route Domains may collide and mark the object down. |
419741-4 | 3-Major | | Rare crash with vip-targeting-vip and stale connections on VIPRION platforms |
367226-3 | 3-Major | | Outgoing RIP advertisements may have incorrect source port |
352957-2 | 3-Major | K03005026 | Route lookup after change in route table on established flow ignores pool members |
627695-1 | 4-Minor | | [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u" are not operational |
625892-1 | 4-Minor | | Nagle Algorithm Not Fully Enforced with TSO |
621379-1 | 4-Minor | | TCP Lossfilter not enforced after iRule changes TCP settings |
611161-4 | 4-Minor | K28540353 | VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default. |
610201-1 | 4-Minor | | Undefined behavior when calling HTTP::payload within HTTP_REQUEST_SEND iRule event |
570855-1 | 4-Minor | | DB variable log.csyncd.level cannot be set to certain values |
569814 | 4-Minor | K30240351 | iRule "nexthop IP_ADDR" rejected by validator |
552988-1 | 4-Minor | | Cannot enable MPTCP on some profiles in GUI. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
642330 | 3-Major | | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
636853-4 | 3-Major | | Under some conditions, a change in the order of GTM topology records does not take effect. |
636790-4 | 3-Major | | Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete. |
366695-9 | 3-Major | | Managers' create/modify/delete ability in TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and they receive a database error when the operation is performed |
582773 | 4-Minor | | DNS server for child zone can continue to resolve domain names after revoked from parent |
644817-1 | 5-Cosmetic | | Unexpected behaviour during DNS (GTM) server creation with wrong option in product field: "nullGeneral database error". |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
646511-2 | 2-Critical | | BD crashes repeatedly after interrupted roll-forward upgrade★ |
642119-1 | 2-Critical | | Websocket URLs can't be explicitly excluded per attack signature |
641083-1 | 2-Critical | | Policy Builder Persistence is not saved while config events are received |
640829-1 | 2-Critical | | bd crash scenario |
639500-1 | 2-Critical | | BD crash fix |
641547-1 | 3-Major | | Possible dead-lock on accept of multiple suggestions at once |
640824-2 | 3-Major | K20770267 | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
639767-1 | 3-Major | | Policy with Session Awareness Statuses may fail to export |
639630-1 | 3-Major | | Searching for signatures with overrides in the policy returns incorrect results |
638629-1 | 3-Major | | Bot can be classified as human |
638576-1 | 3-Major | | Modified ASM Cookie violation is off by default |
635754-2 | 3-Major | K65531575 | Wildcard URL pattern match works incorrectly in Traffic Learning |
635111-1 | 3-Major | | New Application Ready Templates Available |
633985-1 | 3-Major | | CS challenged URL is rejected on complex CPM/iRule configurations |
631715-2 | 3-Major | | ASM::disable does not disable client side challenges |
630390-1 | 3-Major | | Client Side challenges and device ID don't work on a virtual server that also has APM |
608245-1 | 3-Major | | Reporting missing parameter details when attack signature is matched against parameter value |
642874-2 | 4-Minor | K15329152 | Ready to be Enforced filter for Policy Signatures returns too many signatures |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
642613 | 2-Critical | | Improve loading time when landing in dashboard page |
639406 | 2-Critical | | On stress traffic wrong TPS reported to DoS |
635688 | 2-Critical | | backend<->GUI REST requests optimizations |
651627 | 3-Major | | IP addresses may appear "Aggregated" in "COMMON" section of dashboard but not Aggregated when applying module-specific filter |
649048 | 3-Major | | SSLI statistic and Traffic classification statistic lost after upgrade |
643332 | 3-Major | | DoS Health and Severity analysis charts |
643330 | 3-Major | | DoS Virtual Servers table has no health column and shows health/severity as numeric value |
643328 | 3-Major | | Activity Type filter is applied even when ASM is not used |
643327 | 3-Major | | DoS Visibility Attacks Graph tooltip does not provide sufficient information |
643326 | 3-Major | | Max Concurrent Server Connections will be hidden by default |
643325 | 3-Major | | Tooltips and help hints are inconsistent across the page |
642449 | 3-Major | | Standard deviation for Request Duration is calculated incorrectly |
642221-1 | 3-Major | | Incorrect entity is used when exporting TCP analytics from GUI |
642124 | 3-Major | | Mixed statistics between two intervals |
641963 | 3-Major | | Average CPU usage is calculated differently in DoS Visibility page |
639526 | 3-Major | | Configuring lots of Virtual IPs + stress traffic can cause avrd to crash |
638115-1 | 3-Major | | DoS Visibility page on a system under stress can cause GUI timeouts and disconnections |
637847 | 3-Major | | Removed "(conn/s)" text from Average Concurrent Connections graph |
636155 | 3-Major | | Countries table bottom rows are hidden |
635680-1 | 3-Major | | Link to DoS Visibility from a signature page starts with incorrect time-range |
629752 | 3-Major | | On DoS Visibility pages, metrics from unprovisioned modules are displayed in the widgets |
629017 | 3-Major | | Comparison Charts remain live only while staying on the page |
629013 | 3-Major | | Right pane display doesn't respect the pin-selected function when a filter has just been applied |
610485-1 | 3-Major | | Attacks chart has no time axis |
570926 | 3-Major | | Provide a way to configure where in payload the CSPM JS is injected. |
630712 | 4-Minor | | After provisioning change, Dimension Widgets on DoS Visibility pages are incorrect |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
645339-1 | 1-Blocking | | TMM may crash when processing APM data |
650450 | 2-Critical | K91200585 | After upgrade to v13.0.0, users may be met with a javascript error on the logon page or other APM pages |
645203-1 | 2-Critical | K72361514 | Configuration load fails after upgrade when a SAML SSO config object is put in a sync-only device group★ |
637308-1 | 2-Critical | K41542530 | apmd may crash when HTTP Auth agent is used in an Access Policy |
643547-2 | 3-Major | K43036745 | APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP |
642926-1 | 3-Major | | Increased MySQL Memory usage when APM is provisioned on lower-end systems. |
639288-1 | 3-Major | | OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately. |
638799-2 | 3-Major | | Per-request policy branch expression evaluation fails |
638780 | 3-Major | | Handle 302 redirects for VMware Horizon View HTML5 client |
636675 | 3-Major | | It is impossible to open MS Word document in MS SharePoint 2013 using Internet Explorer 11 or MS Edge via Portal Access. |
636044-2 | 3-Major | K68018520 | Large number of glob patterns affects custom category lookup performance |
632504-2 | 3-Major | K31277424 | APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list |
632499-2 | 3-Major | K70551821 | APM Policy Sync: Resources under webtop section are not sync'ed automatically |
629921-3 | 3-Major | | [SWG] NTLM 407-based front-end auth with passthrough 401-based NTLM back-end auth does not work. |
621976-5 | 3-Major | | OneDrive for Business thick client shows javascript errors when rendering APM logon page |
621974-5 | 3-Major | | Skype For Business thick client shows javascript errors when rendering APM logon page |
550547-1 | 3-Major | | URL including a "token" query results in a connection reset |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
603746 | 4-Minor | | DCDB security hardening |
603658 | 4-Minor | | AAM security hardening |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
649933-2 | 3-Major | | Fragmented RADIUS messages may be dropped |
642211-1 | 3-Major | | Warning logged when GENERICMESSAGE::message drop iRule command used |
620759-3 | 3-Major | | Persist timeout value gets truncated when added to the branch parameter. |
590091-4 | 3-Major | K79075081 | Single-line Via headers separated by a single comma result in the first character of the second header being stripped. |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
643752-1 | 2-Critical | | Specific configuration change sequence crashes TMM |
638838 | 2-Critical | | Dynamic Signatures are not copied to peers in a device group |
638495-1 | 2-Critical | | Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile |
596924-1 | 2-Critical | | Bot signatures are not reported in the PBD log when the PBD is turned off |
644855-1 | 3-Major | | iRules with commands which may suspend processing cannot be used with proactive bot defense |
642562 | 3-Major | | TMM may crash with a very high number of concurrent TCP connections |
638219 | 3-Major | | L4 BDoS incorrectly learns traffic after learning period in learn-only mode |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
641482-3 | 3-Major | | Subscriber remains in delete pending state until a CCR-T answer with a success result code is received |
640510-2 | 3-Major | | BWC policy category attachment may fail during a PEM policy update for a subscriber. |
640457-3 | 3-Major | | Session Creation failure after HA |
639486-1 | 3-Major | | TMM crash due to PEM usage reporting after a CMP state change. |
630611-3 | 3-Major | K84324392 | PEM module crash when subscriber not found |
563165 | 3-Major | | New Diameter session event triggers registered for by the PCRF should not be appended to existing registered event triggers in PEM. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
635126-2 | 3-Major | | Allow substitute value on fields sent by AJAX |
628337-2 | 3-Major | | Forcing a single injected tag configuration is restrictive |
637664-1 | 4-Minor | | Vector (multi-options) list values are not inherited if parent profile is changed. |
640854 | 5-Cosmetic | | Inject CSS link Tag "Customize" checkbox also checks Inject CSS link Position |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
642983-2 | 3-Major | K94534313 | Update to max message size limit does not always take effect |
629491-1 | 4-Minor | | REST token storage improvement |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
632060-2 | 3-Major | | restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★ |
Cumulative fix details for BIG-IP v13.0.1 that are included in this release
707226-5 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, to exploit this vulnerability an attacker must already be able to run arbitrary code on the system. Good access controls and keeping the system up to date with security fixes mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled, because a tenant is already code running on the shared host.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
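The following POSIX shell script is an added example, not F5 code and not part of this release note. It wraps the kernel.pti workaround above in the check the note's caveat calls for: it parses captured output of `tmsh list sys db kernel.pti` and `tmsh list sys provision vcmp` and refuses to recommend disabling the mitigation when vCMP is provisioned. The tmsh output shapes, the function names and the sample outputs are assumptions made for this example (confirm the formats on your own unit before relying on it); the only command taken from the note is the `tmsh modify sys db kernel.pti value disable` it recommends.

```shell
#!/bin/sh
# Added example, not F5 code: a guard around the kernel.pti workaround that
# refuses to disable the Meltdown/PTI mitigation on a vCMP host.
#
# ASSUMED output shapes (not stated in the release note; confirm on your unit):
#   tmsh list sys db kernel.pti    ->  sys db kernel.pti {
#                                          value "enable"
#                                      }
#   tmsh list sys provision vcmp   ->  sys provision vcmp {
#                                          level nominal
#                                      }
#                                      (or "sys provision vcmp { }" when none)

# pti_state OUTPUT: print the value field ("enable" or "disable") from captured
# `tmsh list sys db kernel.pti` output.
pti_state() {
    printf '%s\n' "$1" | awk '$1 == "value" { gsub(/"/, "", $2); print $2; exit }'
}

# vcmp_provisioned OUTPUT: succeed when captured `tmsh list sys provision vcmp`
# output shows any provisioning level other than none.
vcmp_provisioned() {
    printf '%s\n' "$1" | grep -Eq 'level[[:space:]]+(minimum|nominal|dedicated)'
}

# pti_decision DB_OUTPUT PROVISION_OUTPUT: print one of
#   keep-enabled-vcmp  tenants share this host; leave the mitigation on
#   already-disabled   kernel.pti is already "disable"
#   disable-ok         safe to run: tmsh modify sys db kernel.pti value disable
pti_decision() {
    if vcmp_provisioned "$2"; then
        echo keep-enabled-vcmp
    elif [ "$(pti_state "$1")" = disable ]; then
        echo already-disabled
    else
        echo disable-ok
    fi
}

# Constructed sample outputs so the script runs offline. On a real unit use
#   db_out=$(tmsh list sys db kernel.pti); prov_out=$(tmsh list sys provision vcmp)
SAMPLE_DB_ENABLED='sys db kernel.pti {
    value "enable"
}'
SAMPLE_DB_DISABLED='sys db kernel.pti {
    value "disable"
}'
SAMPLE_VCMP_ON='sys provision vcmp {
    level dedicated
}'
SAMPLE_VCMP_OFF='sys provision vcmp { }'

echo "vCMP host, PTI enabled: $(pti_decision "$SAMPLE_DB_ENABLED" "$SAMPLE_VCMP_ON")"
echo "no vCMP,   PTI enabled: $(pti_decision "$SAMPLE_DB_ENABLED" "$SAMPLE_VCMP_OFF")"
echo "no vCMP,   PTI off:     $(pti_decision "$SAMPLE_DB_DISABLED" "$SAMPLE_VCMP_OFF")"
```

The decision is printed rather than acted on, so the script can be run read-only first; only when it prints disable-ok should the `tmsh modify` command from the workaround be issued, and the vCMP check is deliberately the first thing evaluated so that a tenant-hosting unit never reaches that branch.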
704580-2 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
Component: Access Policy Manager
Symptoms:
Under certain conditions apmd service may restart when processing response from SAML IdP.
Conditions:
BIG-IP is configured as SAML SP. BIG-IP is processing SAML message from IdP
Impact:
Temporarily, users will not be able to authenticate against BIG-IP until the apmd service starts up again.
Workaround:
There is no workaround at this time.
Fix:
apmd service will no longer restart when processing messages from IdP.
704535-3 : Chrome v64.0.3282.119 changed way it launches custom protocol handlers causing F5 VPN and F5 EPI not to work properly on Windows
Component: Access Policy Manager
Symptoms:
Either of the following symptoms:
-- F5 VPN and F5 EPI do not start from Google Chrome 64+ browser.
-- Depending on the version of F5 VPN/F5 EPI, F5 VPN and F5 EPI do not update themselves or other components when launched from the F5 BIG-IP Webtop by a Chrome 64+ browser.
Conditions:
-- Microsoft Windows clients connecting using Google Chrome 64.0.3282.119 or later.
-- Launching from BIG-IP Webtop
Impact:
Either of the following outcomes:
-- Cannot establish VPN or pass Endpoint Inspection.
-- F5 Networks components are not updated properly.
Workaround:
You can use Firefox or Edge browser to launch F5 VPN/F5 EPI.
There is no workaround for Chrome.
Fix:
F5 VPN and F5 EPI now properly consume data processed by Chrome 64+.
Because earlier versions of F5 VPN or F5 EPI do not work properly with Chrome 64+ browsers, you must launch the applications out-of-band (by standalone installer), or by launching F5 VPN/F5 EPI from another browser (such as Firefox or Edge).
703984-3 : Machine Cert agent improperly matches hostname with CN and SAN
Component: Access Policy Manager
Symptoms:
The Machine Cert check improperly matches the hostname with CN and SAN. The option Match CN with FQDN should match the certificate's CN with the exact FQDN, but this option currently identifies the CN as a match with the FQDN even if only the initial characters of the FQDN match the CN.
Conditions:
Machine Cert agent configured with the 'match CN with FQDN' setting.
Impact:
Serious issue. Machine cert check passes for incorrect matches as well.
Workaround:
None.
703848-2 : Possible memory leak when reusing statistics rows in tables
Component: TMOS
Symptoms:
The handling of the pointers to memory in the statistics tables includes a path that zeros out a pointer to more memory that should be freed. This means the memory is not freed in that case.
Conditions:
This condition is usually hit only when the entire file is being deleted, in which case it does not matter that the list is not fully traversed.
Impact:
When slabs are being reused this bug may cause a memory leak.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to properly follow the list.
703429-3 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
Component: Access Policy Manager
Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.
Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.
Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.
Workaround:
None.
Fix:
System now provides valid data to Citrix Receiver for Android client.
703081 : Benign mc_delete_key notice message
Component: Access Policy Manager
Symptoms:
The /var/log/apm log contains a notice-level message similar to the following, where <RandomKey> is a random string:
notice localdbmgr[13537]: 01490000:5: mc_delete_key() [<RandomKey>] failed with error [12].
For example:
01490000:5: mc_delete_key() [b] failed with error [12].
Conditions:
-- APM provisioned.
-- Access policy is configured to create localdb dynamic user (i.e., uses LocalDB agent to create dynamic user).
Impact:
No specific action is required to cause the message to be written to the log. However, the message does not indicate an issue with the system, and does not impact functionality. The only impact is that the apm log file contains the messages. You can safely ignore these log messages.
Workaround:
None.
Fix:
Benign mc_delete_key notice message is no longer logged.
702490-3 : Windows Credential Reuse feature may not work
Component: Access Policy Manager
Symptoms:
The Windows Credential Reuse feature may not work, thus forcing a user to enter credentials in the EdgeClient login window (as well as at the Windows logon screen) instead of getting Single Sign-On.
The following log entries are observed in logterminal.txt when the issue occurs:
<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted
Conditions:
A specific combination of versions of F5 Credential Manager Service and EdgeClient is being used on a Windows operating system. The Reuse Credential option is enabled in the Connectivity Profile.
Impact:
A user has to type credentials in the EdgeClient login window instead of a seamless login with no credentials.
Workaround:
There is no workaround at this time.
Fix:
The issue causing the feature not to work has been fixed.
702278-1 : Potential XSS security exposure on APM logon page.
Component: Access Policy Manager
Symptoms:
Potential XSS security exposure on APM logon page.
Conditions:
-- An LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.
Impact:
Potential XSS security exposure.
Workaround:
1. Using the APM Advanced Customization UI, remove the setOrigUriLink(); call in logon.inc from the following JS function (the excerpt begins at line 369 of logon.inc):
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }
    setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
    setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
    // ===> REMOVE THIS ONE setOrigUriLink();
Fix:
Potential security exposure has been removed from APM logon page.
701944-3 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
Component: Access Policy Manager
Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.
Conditions:
- Machine certificate check configured with 'match issuer'.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.
Impact:
Machine certificate check does not pass because Edge client crashes.
Workaround:
None.
Fix:
Machine certificate check now completes successfully using the Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.
701447-3 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
701445-2 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
701359-5 : BIND vulnerability CVE-2017-3145
Solution Article: K08613310
700724-1 : Client connection with large number of HTTP requests may cause tmm to restart
Component: Access Policy Manager
Symptoms:
tmm may restart while processing a client request.
Conditions:
- PingAccess profile is configured on the virtual server.
- A client connection sends over 64k HTTP requests that result in BIG-IP connections to the PingAccess policy server.
Impact:
Traffic will be disrupted while TMM restarts.
Workaround:
Modify the HTTP profile used by the affected virtual server to set the "maximum requests per connection" limit to less than 64k, e.g. 63000 or less.
Fix:
Traffic will no longer be disrupted when a client sends over 64k uncached requests on the same TCP connection.
700556-3 : TMM may crash when processing WebSockets data
Solution Article: K11718033
699455-5 : SAML export does not follow best practices
Component: Access Policy Manager
Symptoms:
Export of SAML data does not follow current best practices
Conditions:
SAML data exported by administrator
Impact:
Administrative request processing does not follow current best practices
Workaround:
None.
Fix:
Update SAML export to follow current best practices
699451-5 : OAuth reports do not follow best practices
Component: Access Policy Manager
Symptoms:
The OAuth report does not follow current best practices
Conditions:
Authorized administrative user requests an OAuth report from the WebUI
Impact:
The OAuth report does not follow current best practices
Workaround:
None
Fix:
OAuth reports follow best practices
699346-4 : NetHSM capacity reduces when handling errors
Component: Local Traffic Manager
Symptoms:
Under certain conditions, NetHSM performance may be reduced while handling errors.
Conditions:
NetHSM enabled
Impact:
Reduced performance potentially leading to a failover event
Fix:
Process errors more efficiently when using NetHSM
699298-1 : 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
Solution Article: K83285053
Component: Local Traffic Manager
Symptoms:
TMM may crash when woodside congestion-control is in use.
Conditions:
When woodside congestion-control is in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Other congestion control algorithms can be used as a workaround.
Fix:
This fix handles a rare TMM crash when woodside congestion-control is in use.
699012-2 : TMM may crash when processing SSL/TLS data
Solution Article: K43121447
697636-1 : ACCESS is not replacing headers while replacing POST body
Component: Access Policy Manager
Symptoms:
If the first request for a session is a POST, APM will save the POST to replay after the policy completes. When the POST is restored after policy completion and released to the backend, the headers are the same as the most recent client request, not the original POST. In particular, the Content-Length header will not match the original POST.
Conditions:
First request for the session is a POST.
Impact:
Backend servers may complain of an incomplete HTTP POST due to a mismatching Content-Length header.
Workaround:
None.
Fix:
Now, the system takes all headers from the original POST, except the Authorization header that Kerberos RBA needs, which is taken from the most recent client request.
697452 : Websso crashes because of bad argument in logging
Component: Access Policy Manager
Symptoms:
Websso would crash because of a bad argument in logging.
Conditions:
Only when Kerberos SSO is configured.
Impact:
Websso would crash and so single sign on may fail.
Workaround:
The workaround is to not configure Kerberos SSO.
Fix:
This issue has been fixed.
696789-4 : PEM Diameter incomplete flow crashes when TCL resumed
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created (for example, it is suspended by an iRule) and the iRule is resumed because of a timeout, tmm crashes.
Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.
Impact:
The tmm will restart and all flows will reset.
Fix:
The PEM Diameter flow is now created in such a way as to prevent any crash when an iRule is resumed by timeout.
696383-4 : PEM Diameter incomplete flow crashes when swept
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.
Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.
Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The PEM Diameter flow is now created in such a way as to prevent any crash by the sweeper.
695968-2 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in a potential OOM scenario.
Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM
Impact:
Potential loss of service.
Workaround:
There is no workaround at this time.
Fix:
Freed Diameter messages appropriately.
695953-2 : Custom URL Filter object is missing after load sys config TMSH command
Component: Access Policy Manager
Symptoms:
The user will not be able to see the custom URL Filter object that was created through either TMSH or the GUI.
If the filter object is referenced in an Access Policy, the policy will fail to load during the "load sys config" command:
01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
The custom URL Filter object is missing after the user runs the "load sys config" command in TMSH. Note that SWG is not provisioned in this case.
Impact:
The access policy will fail to load if it references the URL Filter object. The user will not be able to use the URL Filter object in the policy.
Workaround:
(1) Provision SWG, and recreate the URL Filter; or
(2) Change bigip.conf to include the URL Filter object.
Fix:
The fix ensures that, during load sys config, the custom URL Filter is saved properly and is always visible and usable in the policy.
695901-7 : TMM may crash when processing ProxySSL data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing SSL/TLS data via ProxySSL.
Conditions:
ProxySSL enabled
Impact:
TMM crash leading to a failover event
Fix:
TMM processes SSL/TLS data via ProxySSL as expected
694717-2 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
Component: Policy Enforcement Manager
Symptoms:
TMM crashes
Conditions:
A PEM iRule command that results in an inter-TMM lookup on a long-lived flow, where the PEM iRule command is hit several times. For example, a long-lived flow with multiple HTTP transactions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.
694624-2 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
Component: Access Policy Manager
Symptoms:
APM Webtop's SSO-enabled Native RDP resources can't be accessed via hardware BIG-IP with the "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS and Android clients. Each launch attempt generates the following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac
Conditions:
A Native RDP resource with SSO enabled is used on hardware BIG-IP with the "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.
Impact:
RDP client can't launch requested resource (desktop/application).
Workaround:
Disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable
Fix:
SSO enabled Native RDP resources now can be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS and Android clients.
694274-6 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7
Solution Article: K23565223
693994-2 : F5 VPN or Edge Client may drop DTLS and use TLS if DTLS packet reordering happens
Solution Article: K11043437
Component: Access Policy Manager
Symptoms:
F5 VPN or Edge Client may drop DTLS and use TLS if DTLS packet reordering happens. Only Mac and Linux clients are affected.
Messages in svpn log indicate bad HTTP header, for example:
2017-10-18,20:20:37:764, 56666,2126506,svpn, 1, /UHTTPChannel.cpp, 414, UHTTPChannel::beginConnection(), EXCEPTION - Could not parse HTTP header.
Conditions:
-- F5 VPN or EdgeClient is used.
-- Linux or Mac clients.
Impact:
UDP packet reordering happens at a specific point of PPP negotiation. TLS is used instead of DTLS.
Workaround:
None.
Fix:
Previously, clients connecting via F5 VPN or Edge Client on Mac or Linux using DTLS might switch to TLS if DTLS packet reordering occurred. Now, Mac and Linux Edge Clients can handle UDP packet reordering and continue to use DTLS.
693739-2 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
Solution Article: K70644505
Component: Access Policy Manager
Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.
Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.
Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.
Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.
Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.
693211-2 : CVE-2017-6168
Solution Article: K21905460
692970-1 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash
Component: Local Traffic Manager
Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence, if UDP port 67 is used for another purpose, a wrong DHCP server flow could be selected when DHCP relay makes a server connection, and TMM can crash.
Conditions:
UDP port 67 is configured for a purpose other than DHCP relay.
Impact:
TMM restart causes traffic interruption or failover.
Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.
Fix:
TMM no longer crashes with DHCP flow validation.
692557-2 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
Component: Access Policy Manager
Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.
Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.
Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.
Workaround:
None.
692307-2 : User with 'operator' role may not be able to view some session variables
Component: Access Policy Manager
Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.
Conditions:
This occurs when there is a huge blob of data associated with the user whose session variables are being viewed. For example, Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.
Impact:
The user cannot view the session variables for those particular sessions. This data is available, however, by clicking on the Session ID.
Workaround:
Find this data by clicking on the session ID.
Fix:
User with 'operator' role can now view all expected session variables
689826-1 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
Component: Access Policy Manager
Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.
Conditions:
- Client proxy settings are provided in Network Access settings, or the client is configured with a proxy prior to establishing the VPN tunnel.
- Windows 10 is configured for a Unicode language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.
Impact:
Proxy settings are not applied on client side after VPN is established.
Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:
1. Set the custom variable name to the following value:
config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
Note: <network_access_resource_name> is the name of the network access resource.
2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.
3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.
Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.
689691-1 : istats line length is limited to 4032 bytes
Component: TMOS
Symptoms:
The user can create dynamic statistics using the istats command and the istats directive in iRules. The maximum length of a line (the sum of all columns) is 4032 bytes. If the user attempts to create an istat whose column sizes, when summed, exceed this value, errors are written to the ltm log and the statistic is not incremented or merged.
Conditions:
This error is encountered if an istat is created or modified such that the sum of the column widths is greater than 4032 bytes.
Impact:
The statistic is not maintained.
Workaround:
This is a system limit. An istat should not be created such that its record length exceeds the limit.
Fix:
Istats best practice is documented here:
https://docs.f5net.com/display/~dktaylor/iStats+Best+Practice
689591-1 : When pingaccess SDK processes certain POST requests from the client, the TMM may restart
Component: Access Policy Manager
Symptoms:
BIG-IP's tmm may restart when processing certain client POST requests whose body needs to be inspected by the PingAccess policy server.
Conditions:
- BIG-IP virtual server is configured as policy decision point with PingAccess policy server.
- User sends a POST request to BIG-IP.
- Policy configured on PingAccess server requires inspection of the body of the POST request sent by the user.
Impact:
Traffic will be temporarily disrupted while tmm restarts.
Fix:
TMM will no longer restart when processing client POST requests that need to be inspected by the PingAccess policy server.
689415 : APM configuration snapshots missing due to APMD's failure to detect TMM state transition
Component: Access Policy Manager
Symptoms:
Users fail to log in, with the following error message displayed on the logon page:
Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration.
In /var/log/apm, there are error messages indicating that configuration snapshots were found missing and that the attempt to recreate them failed:
-- err apmd[14462]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:430 function: resetTimeout - Config snapshot could not be found
-- notice apmd[14462]: 01490165:5: Access profile: /Common/my_access_profile initialized with configuration snapshot catalog: /.0/tmm.session.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-- notice apmd[14462]: 01490166:5: Current snapshot ID: 1506842644 retrieved from session db for access profile: /Common/my_access_profile
-- err apmd[14462]: 01490000:3: AccessPolicyProcessor/ProfileAccess.cpp func: "snapshotConfigVariables()" line: 358 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:298 function: snapshotConfigVariables - Config variable snapshot: Couldn't create catalog key (/.0/tmm.session.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx./Common/my_access_profile.1506842645)
Conditions:
1. APMD detects TMM restart
2. APMD then recreates configuration snapshots when TMM becomes ready.
3. TMM restarts and becomes ready again.
4. APMD checks TMM status again but concludes that TMM is still down.
Impact:
APM end users will not be able to log in.
Workaround:
Restart APMD to recover when the configuration snapshot is missing.
688011-6 : Dig utility does not apply best practices
Component: TMOS
Symptoms:
The dig utility does not apply current best practices when processing administrator requests from TMSH
Conditions:
Appliance mode
TMSH access
Impact:
Dig does not apply current best practices
Workaround:
None.
Fix:
Dig now applies current best practices
688009-6 : Appliance Mode TMSH hardening
Component: Local Traffic Manager
Symptoms:
TMSH does not follow current best practices when Appliance Mode is active
Conditions:
BIG-IP system is operating in Appliance mode
Authorized TMSH access
Impact:
TMSH does not follow current best practices
Fix:
TMSH updated to follow current best practices
687635-2 : Tmm becomes unresponsive and might restart
Component: Local Traffic Manager
Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.
Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.
Impact:
Tmm becomes unresponsive and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm now correctly shuts down the HTTPS connection.
687353-2 : Qkview truncates tmstat snapshot files
Solution Article: K35595105
Component: TMOS
Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.
Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).
Note: 5 MiB is the qkview utility's default maximum file size value.
Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.
Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0
687193 : TMM may leak memory when processing SSL Forward Proxy traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may leak memory when processing SSL Forward Proxy traffic.
Conditions:
SSL forward proxy enabled.
Impact:
Increasing memory consumption over time, potentially leading to a TMM crash and failover event.
Workaround:
None.
Fix:
TMM no longer leaks memory when processing SSL Forward Proxy traffic
686685 : LTM Policy internal compilation error
Component: Local Traffic Manager
Symptoms:
To enable maximum performance, LTM Policies undergo a compilation process, where they are transformed to a compact binary representation. An issue was discovered where the transformation is being done incorrectly under certain circumstances.
Conditions:
While not common, certain LTM Policy combinations will be transformed to binary representation where certain internal parameters are incorrect.
Impact:
The tmm process may experience an unexpected restart, or a policy action may not run as expected.
Workaround:
None.
Fix:
LTM Policies are correctly transformed to their high-performance, compact binary representations.
686389-2 : APM does not honor per-farm HTML5 client disabling at the View Connection Server
Component: Access Policy Manager
Symptoms:
The current logic for determining whether to offer the HTML5 client option works for Horizon 6.x (and earlier) but does not work for Horizon 7.x.
With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether the HTML5 client is enabled (absence of the <html-access-disabled/> tag). APM does not honor this flag, which would show the HTML5 client option to the APM end user only if it has been enabled for that resource.
Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.
Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.
Workaround:
There is no workaround at this time.
Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.
Behavior Change:
Before this fix, all RDS desktops and apps were available for the HTML5 client if it was installed on the VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.
686305-3 : TMM may crash while processing SSL forward proxy traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing SSL forward proxy traffic
Conditions:
SSL forward proxy enabled
Impact:
TMM crash leading to a failover event
Workaround:
None.
Fix:
TMM now correctly processes SSL forward proxy traffic
686065-3 : RESOLV::lookup iRule command can trigger crash with slow resolver
Component: Local Traffic Manager
Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.
Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousands of connections triggering resolution of the same name.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove RESOLV::lookup from the workflow if it is not required.
Fix:
The scenario now works as expected and no longer results in a crash.
684937-2 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Component: Access Policy Manager
Symptoms:
APM performance in handling HTTP requests drops gradually over time when Kerberos SSO is in use.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets, and the latency of HTTP request processing has been significantly improved.
684879-1 : Malformed TLS1.2 records may result in TMM segmentation fault.
Solution Article: K02714910
684333-2 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.
Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.
Impact:
PEM session created using Gx may get deleted.
Workaround:
Initiate failover using alternate commands, such as the following:
tmm big start restart.
684325-2 : APMD Memory leak when applying a specific access profile
Component: Access Policy Manager
Symptoms:
For an Access profile that has a CheckMachineCert agent, each time the profile is updated using 'Apply access policy', 12096 bytes of memory are leaked.
Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.
Impact:
APMD process stops after repeated application of the script.
Workaround:
None.
Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.
684033-2 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
Solution Article: K70084351
683389-2 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.
Conditions:
Attempt to create local SharedObject.
Impact:
Affected Flash applications are not working when accessed through Portal Access.
Workaround:
None.
Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.
683297-1 : Portal Access may use incorrect back-end for resources referenced by CSS
Component: Access Policy Manager
Symptoms:
If an HTML page references an external CSS file with a URL beginning with '//', host-less references inside that CSS file are handled incorrectly by Portal Access.
Conditions:
- HTML page at http://example.host/page.html:
<link rel=stylesheet href=//another.host/some/path/my.css>
- and this CSS contains a reference with an absolute path like this:
html { background-image: url(/misc/image/some.png); }
Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.
Impact:
Web application may not work correctly.
Workaround:
Use iRule to correct back-end host.
Fix:
Portal Access uses correct back-end host for references in CSS files included with scheme-less URL.
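The resolution rule behind this fix, as an added example that is not F5 code: a stylesheet referenced with a scheme-less '//host/path' URL lives on that host, so every host-less url(...) inside it must be resolved against the stylesheet's URL, not the page that included it. The CSS text, the url(...) scanner and the model of the pre-fix behaviour are constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample input mirroring the scenario in the release note.
PAGE_URL = "http://example.host/page.html"
CSS_HREF = "//another.host/some/path/my.css"   # scheme-less (network-path) reference
CSS_TEXT = """
html  { background-image: url(/misc/image/some.png); }
body  { background: url("img/bg.png") no-repeat; }
.logo { background: url('https://cdn.example/logo.svg'); }
"""

# Minimal url(...) scanner: optional quote, the reference, the matching quote.
URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""")


def resolve_stylesheet_url(page_url: str, href: str) -> str:
    """Resolve the <link href> against the page URL (RFC 3986 semantics).

    A '//host/path' href keeps the page's scheme but takes the new host, so the
    stylesheet lives on another.host even though the page is on example.host.
    """
    return urljoin(page_url, href)


def resolve_css_references(css_url: str, css_text: str) -> List[Tuple[str, str]]:
    """Return (raw_reference, resolved_url) pairs for every url(...) in css_text.

    Correct behaviour: each reference is resolved relative to the stylesheet's
    own URL, never the HTML page that included it, so '/misc/image/some.png'
    maps to http://another.host/misc/image/some.png.
    """
    return [(ref, urljoin(css_url, ref)) for _, ref in URL_RE.findall(css_text)]


def backend_host_for(page_url: str, href: str, css_ref: str) -> str:
    """Host the proxy must fetch css_ref from: the stylesheet's host, not the page's."""
    css_url = resolve_stylesheet_url(page_url, href)
    return urlsplit(urljoin(css_url, css_ref)).netloc


def buggy_backend_host_for(page_url: str, href: str, css_ref: str) -> str:
    """Constructed model of the pre-fix behaviour described in the release note.

    When the stylesheet was included with a scheme-less URL, host-less
    references were resolved against the page instead of the stylesheet,
    yielding the wrong back-end host.  An href with an explicit scheme was
    handled correctly.
    """
    if href.startswith("//"):
        return urlsplit(urljoin(page_url, css_ref)).netloc
    return backend_host_for(page_url, href, css_ref)
```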
683113-2 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.
Websso CPU usage is very high.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
682500-3 : VDI Profile and Storefront Portal Access resource do not work together
Component: Access Policy Manager
Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work because VDI returns HTTP status 404.
Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.
Impact:
Citrix Storefront portal access resource cannot be used to launch applications.
Workaround:
None.
Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.
682271-1 : Portal Access may handle JavaScript getter/setter definitions incorrectly
Component: Access Policy Manager
Symptoms:
In JavaScript, an object literal may contain getter/setter definitions for a property, for example:
var c = { get a() { return a; }, set a(v) { if (v) a = v; } };
The object 'c' has the property 'a' with explicit getter/setter functions.
If the name of such a property matches a name that Portal Access rewrites, Portal Access may generate incorrect JavaScript code.
Conditions:
- JavaScript code with literal object definition;
- Property with getter/setter definition in this object;
- Property name is one of rewritten names, like 'location' or 'onerror'.
Impact:
JavaScript code cannot be executed due to incorrect syntax after rewriting.
Workaround:
Use iRule to replace rewritten property names by original ones.
Fix:
Now Portal Access does not rewrite property names in getter/setter definitions for JavaScript objects.
682043-2 : Chrome v60 and newer might incorrectly report F5 VPN and F5 EPI status
Solution Article: K41041660
Component: Access Policy Manager
Symptoms:
Chrome v60 and newer might incorrectly report that F5 VPN and F5 EPI applications have not provided any status update to the browser. However, both applications are being launched and function properly.
Conditions:
Chrome v60 and newer on Microsoft Windows, Apple Macintosh, or Linux-based systems.
Impact:
F5 VPN: the webtop displays the following message:
Waiting for Network Access Application status.
VPN or Application Tunnels work properly, and the APM end user may safely close the message box.
F5 EPI: the webtop displays the following message:
Waiting for Endpoint Inspection status.
The latter message never goes away; however, F5 EPI applications are launched and function properly, and security checks are performed in the background. Unless the APM end user refreshes the browser screen, the Access Policy never moves forward, so the browser never refreshes the page.
Workaround:
Use another browser: Internet Explorer 11, Microsoft Edge, Mozilla Firefox, or Safari, as available.
If using F5 EPI, refreshing the page one minute after the check starts should advance the position in the Access Policy, allowing the APM end user to log in properly.
Fix:
Now Chrome v60 and newer properly gets F5 VPN and F5 EPI application updates from the BIG-IP system, so this issue no longer occurs.
681710-3 : Malformed HTTP/2 requests may cause TMM to crash
Component: Local Traffic Manager
Symptoms:
Malformed HTTP/2 requests can cause TMM to crash
Conditions:
Specially crafted request is sent through an HTTP/2 configured virtual server.
Impact:
TMM crash leading to a failover event
Workaround:
N/A
Fix:
HTTP/2 configured virtual server properly handles requests
680729-2 : DHCP Trace log incorrectly marked as an Error log.
Solution Article: K64307999
Component: Local Traffic Manager
Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.
Impact:
Possible clutter in the TMM logs.
Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical
Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
680264-1 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
Solution Article: K18653445
Component: Local Traffic Manager
Symptoms:
Intermittently, HTTP2 experiences protocol resets.
Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.
For example, the following returns the incorrect header length:
(0xFF BYTE1) next byte, http2_arbint_read.
Impact:
Unexpected loss of HTTP2 frames due to protocol resets.
Workaround:
No effective workaround.
Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.
679235-6 : Inspection Host NPAPI Plugin for Safari cannot be installed
Component: Access Policy Manager
Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra cannot be installed.
Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.
Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.
Workaround:
There is no workaround at this time.
Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.
678976-1 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
Solution Article: K24756214
Component: Access Policy Manager
Symptoms:
VDI debug logs print user credentials to /var/log/apm.
Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.
Impact:
User credentials are written to /var/log/apm.
Workaround:
Set VDI debug level to Notice.
Fix:
The system no longer prints user credentials to VDI debug logs.
678851-2 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
Component: Access Policy Manager
Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.
Attempting to call the incorrectly patched method causes the following exception:
java.lang.VerifyError: (...) Illegal type in constant pool
Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().
Impact:
Affected Java applets cannot be started through Portal Access.
Workaround:
None.
Fix:
Rewritten applets that call java.applet.AppletStub interface methods no longer cause a java.lang.VerifyError exception during execution.
678822-1 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed
Component: Policy Enforcement Manager
Symptoms:
If PEM subscribers are brought up with Diameter apps (Gx/Gy) configured and the PCRF is not reachable, either because there is no route or because no license is configured for those apps, the 'provision pending' session count is incremented and never rolls back to zero, even after the subscribers are cleaned up.
Conditions:
If the route to PCRF/OCS is missing or not reachable.
Impact:
Non-zero stats for provision pending sessions.
Workaround:
Disable the Gx/Gy profile if not required or configure the route.
Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.
678820-3 : Potential memory leak if PEM Diameter sessions are not created successfully.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in reduction in available memory.
Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.
Impact:
Loss of service
Workaround:
There is no workaround at this time.
Fix:
Diameter context is freed in case of a failed Diameter session creation.
678714-1 : After HA failover, subscriber data has stale session ID information
Component: Policy Enforcement Manager
Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session ID information.
Conditions:
-- HA failover.
-- PEM subscriber.
Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.
Workaround:
None.
Fix:
Subscriber local data is now populated with new, generated session ID information.
678001-1 : Websso crash due to uninitialized member in websso context object while processing a log message
Solution Article: K21519702
Component: Access Policy Manager
Symptoms:
Websso crashes occasionally on processing a log message on TMEVT_CLOSE event. This happens when a TMEVT_CLOSE event is received without receiving a request.
Conditions:
TMEVT_CLOSE event is received without receiving a request.
Impact:
Websso process crash.
Workaround:
None.
Fix:
The Websso process no longer crashes in the rare case where it tries to write a log message when no APM log setting is applied.
677975 : SSL may cause the TMM to core when forging a certificate due to race condition
Solution Article: K59237122
Component: Local Traffic Manager
Symptoms:
In an SSL-O environment, a race condition in SSL may cause TMM to core.
Conditions:
-- After server side completes the SSL handshake.
-- Client side SSL starts to forge a server certificate.
Impact:
Some contexts may be changed by the race condition. TMM might crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
677666-1 : /var/tmstat/blades/scripts segment grows in size.
Solution Article: K60909141
Component: Local Traffic Manager
Symptoms:
Over time the /var/tmstat/blade/scripts file size grows.
Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.
Impact:
The virtual size of the merged process grows linearly with the /var/tmstat/blades/scripts segment. This could lead to an out-of-memory condition.
Workaround:
No known workarounds.
Fix:
Condition corrected.
677526-1 : Memory leak may occur during connflow failures.
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leak may occur during connflow failures.
Conditions:
Connflow failures occur.
Impact:
TMM memory usage grows.
Workaround:
None.
Fix:
Fixed TMM memory leak
677368-1 : Websso crash due to uninitialized member in websso context object while processing a log message
Component: Access Policy Manager
Symptoms:
Websso crashes occasionally on processing a log message on TMEVT_CLOSE event. This happens when a TMEVT_CLOSE event is received without receiving a request.
Conditions:
TMEVT_CLOSE event is received without receiving a request.
Impact:
Websso process crash.
Workaround:
No workaround
Fix:
Websso core is fixed by removing the webssocontext object reference from the log message.
677119-2 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
Component: Local Traffic Manager
Symptoms:
When the parameters of an HTTP2 connection are negotiated, either side may advertise its limits in a SETTINGS frame. One of these parameters, SETTINGS_MAX_HEADER_LIST_SIZE, is the maximum size of header list the sender is willing to accept. BIG-IP incorrectly interchanged this parameter with another one, SETTINGS_HEADER_TABLE_SIZE, limiting the value of the former to 32,768.
Conditions:
HTTP2 is configured and the peer endpoint (a user agent using the HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.
Impact:
BIG-IP does not accept the value and terminates the connection with a GOAWAY frame giving PROTOCOL_ERROR as the reason.
Fix:
BIG-IP no longer generates an error in this case and allows the value of SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.
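To make the two identifiers concrete, here is an added example (not BIG-IP code) that builds and decodes an RFC 7540 SETTINGS frame and contrasts a validator that applies a 32,768 cap to SETTINGS_MAX_HEADER_LIST_SIZE, modelling the pre-fix behaviour, with one that only enforces the bounds the RFC actually defines. The cap constant and the frames are constructed for illustration.

```python
import struct
from typing import Dict, List, Tuple

# RFC 7540 section 6.5.2 settings identifiers.
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_ENABLE_PUSH = 0x2
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
SETTINGS_MAX_FRAME_SIZE = 0x5
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1

# Constructed stand-in for the 32,768 limit the release note describes.
LEGACY_CAP = 32768


def build_settings_frame(settings: List[Tuple[int, int]]) -> bytes:
    """Serialise a SETTINGS frame: 9-byte frame header followed by 6 bytes per setting."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    # length (24 bits), type (8), flags (8), reserved bit + stream id (32); SETTINGS uses stream 0.
    header = struct.pack("!I", len(payload))[1:] + bytes([FRAME_TYPE_SETTINGS, 0]) + struct.pack("!I", 0)
    return header + payload


def parse_settings_frame(frame: bytes) -> Dict[int, int]:
    """Decode a SETTINGS frame into {identifier: value}; raise ValueError on malformed input."""
    if len(frame) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != FRAME_TYPE_SETTINGS or stream_id != 0:
        raise ValueError("not a SETTINGS frame on stream 0")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6 != 0:
        raise ValueError("SETTINGS payload must be a whole number of 6-byte entries")
    if flags & FLAG_ACK and length != 0:
        raise ValueError("SETTINGS ACK must carry no payload")
    settings: Dict[int, int] = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        settings[ident] = value        # a later duplicate overrides an earlier one
    return settings


def validate_settings_buggy(settings: Dict[int, int]) -> bool:
    """Model of the pre-fix check: the advisory MAX_HEADER_LIST_SIZE value is tested
    against a cap meant for the header table, so a peer advertising a larger list
    size is rejected (False here stands for GOAWAY with PROTOCOL_ERROR)."""
    value = settings.get(SETTINGS_MAX_HEADER_LIST_SIZE)
    return value is None or value <= LEGACY_CAP


def validate_settings_fixed(settings: Dict[int, int]) -> bool:
    """Post-fix check: MAX_HEADER_LIST_SIZE is advisory and any 32-bit value is fine;
    only the settings RFC 7540 actually bounds are rejected."""
    push = settings.get(SETTINGS_ENABLE_PUSH)
    if push is not None and push not in (0, 1):
        return False
    window = settings.get(SETTINGS_INITIAL_WINDOW_SIZE)
    if window is not None and window > 2 ** 31 - 1:
        return False
    frame_size = settings.get(SETTINGS_MAX_FRAME_SIZE)
    if frame_size is not None and not (16384 <= frame_size <= 2 ** 24 - 1):
        return False
    return True
```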
677058-1 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
Component: Access Policy Manager
Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.
Conditions:
This occurs when following conditions are met:
- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.
Impact:
APM logs plain text password when debug logging is turned on for access policy.
Workaround:
None.
Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.
676904-1 : tmm may crash while printing VDI logging information
Component: Access Policy Manager
Symptoms:
tmm crashes and core dump is seen on /var/core/ directory.
Conditions:
VDI profile is attached to the virtual server.
Note: The crash might be more frequent if VDI debugging is enabled in Access profile log settings.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed the crash while using VDI profile attached to the virtual server.
676808-1 : FPS: tmm may crash on response with large payload from server
Component: Fraud Protection Services
Symptoms:
A request to an unprotected FPS URL may cause a tmm crash if the response payload is large and the URL was configured via live update.
Conditions:
1. Page is not protected.
2. Large response payload (e.g., 50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
FPS now checks for the fast-response situation and acts accordingly.
676028-1 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances
Solution Article: K09689143
Component: Local Traffic Manager
Symptoms:
TMM leaks memory used for ssl_hs instances when SSL forward proxy is used with bypass enabled.
Conditions:
The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.
Impact:
TMM will core after running out of memory, which impacts availability.
Workaround:
None.
Fix:
Resolved by preventing duplicate forward proxy lookup.
675866-2 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
Component: Access Policy Manager
Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.
Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.
Impact:
Cannot access the Kerberos-protected resources.
Workaround:
None.
Fix:
Tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.
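The ticket-selection rules stated in this fix, written out as an added example (not APM's implementation): a ticket with under 5 minutes left is never presented, a cached ticket is reused only while more than half the configured lifetime or at least 1 hour remains, and otherwise the caller must acquire a fresh ticket. The Ticket model and the sample cache are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

FIVE_MINUTES = 5 * 60
ONE_HOUR = 60 * 60


@dataclass(frozen=True)
class Ticket:
    """Minimal constructed model of a cached service ticket."""
    principal: str
    expires_at: int        # absolute time, in seconds


def remaining_lifetime(ticket: Ticket, now: int) -> int:
    return ticket.expires_at - now


def is_usable(ticket: Ticket, now: int, configured_lifetime: int) -> bool:
    """Apply the two rules from the fix.

    1. A ticket with less than 5 minutes left is never used; this is the window
       in which the KDC may already reject it, the failure the note describes.
    2. Otherwise a cached ticket is reused only while it still has more than
       half of the configured lifetime, or at least one hour, remaining.
    """
    remaining = remaining_lifetime(ticket, now)
    if remaining < FIVE_MINUTES:
        return False
    return remaining > configured_lifetime // 2 or remaining >= ONE_HOUR


def select_ticket(cache: List[Ticket], now: int, configured_lifetime: int) -> Optional[Ticket]:
    """Return the usable cached ticket with the most lifetime left, or None.

    None tells the caller to acquire a new ticket instead of presenting a
    nearly expired one and having SSO disabled on the resulting KDC rejection.
    """
    usable = [t for t in cache if is_usable(t, now, configured_lifetime)]
    if not usable:
        return None
    return max(usable, key=lambda t: remaining_lifetime(t, now))
```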
675326-1 : TMM core with Modify Header with 'remove header' option
Component: Access Policy Manager
Symptoms:
TMM core when Modify Header with 'remove header' option is used in policy before proxy select.
Conditions:
'Modify header' agent with 'remove header' option occurs before proxy select agent in per-request policy.
Impact:
TMM cores because HTTP data is not available at this point and the headers cannot be modified. Traffic disrupted while tmm restarts.
Workaround:
Do not configure the per-request policy in such a way that the Modify Header agent is used before the Proxy Select agent. This is an invalid setup.
Fix:
A conditional check has been added, and the following error will be logged instead of a TMM core if the invalid configuration is used for traffic: HTTP data unavailable due to SSL Bypass mode. HTTP Header Agent unable to modify header ([header name here]) with value ([header value here]). Error: (ERR_NOT_SUPPORTED).
675188-2 : CVE-2017-9233: Expat vulnerability
Component: TMOS
Symptoms:
An infinite-loop vulnerability caused by malformed XML in an external entity was found in the entityValueInitProcessor function, affecting Expat versions 2.2.0 and earlier.
Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.
Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the iControl interface.
Fix:
Update to expat v2.2.2
674909-1 : Application CSS injection might break when connection is congested
Component: Fraud Protection Services
Symptoms:
Large CSS files configured for phishing protection injection in FPS (not fictive websafe CSS files) may be truncated upon response to client.
Conditions:
Inject into Application CSS enabled in Anti-Fraud Profile » Advanced » Phishing Detection
Large CSS file such as bootstrap files configured for Application CSS Locations.
Network congestion engaging TMM flow control.
Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. May break application functionality.
Workaround:
1) Remove affected large files from Application CSS Locations.
or
2) Disable Inject into Application CSS entirely.
Fix:
FPS now handles the case where injecting to application css was interrupted by congestion.
674593-2 : APM configuration snapshot takes a long time to create
Component: Access Policy Manager
Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.
notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up
Conditions:
The issue happens if an access profile contains many resources; the resulting configuration snapshot then has even more configuration variables.
Impact:
TMM will run out of memory if the issue persists. Users will not be able to log in due to a 'profile not found' error similar to the following:
err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found
Workaround:
None.
Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.
674576-2 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.
Conditions:
VIP-VIP configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround at this time.
Fix:
TMM no longer produces a core with a 'no trailing data' assert.
674410-1 : AD auth failures due to invalid Kerberos tickets
Solution Article: K59281892
Component: Access Policy Manager
Symptoms:
Users cannot log in.
Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid or the backend AD server is not reachable for some reason.
Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.
Workaround:
None.
Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.
673860-1 : App-service is not supported by import/export
Component: Access Policy Manager
Symptoms:
If an Access Profile is created by an iApp and the configuration is grouped by the app-service mechanism (i.e., it can be locked or managed via the app-service field in various objects), import/export does not work.
Conditions:
Access Profile that is created by iApp with app-service-based grouping.
Impact:
No import/export support. Difficult to back up and restore these types of profiles.
Workaround:
None.
Fix:
There is no longer an import error in this instance.
673717-2 : VPE loading times can be very long
Component: Access Policy Manager
Symptoms:
When a configuration contains 2000-3000 Access Policy objects, Visual Policy Editor (VPE) loading operations can take tens of seconds.
Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.
Impact:
Policies with thousands of entries can take tens of seconds or more to load.
Workaround:
None.
Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.
673607-1 : Apache CVE-2017-3169
Solution Article: K83043359
673595-1 : Apache CVE-2017-3167
Solution Article: K34125394
673165-1 : CVE-2017-7895: Linux Kernel Vulnerability
Component: TMOS
Symptoms:
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
Conditions:
Unsupported NFS configuration
Impact:
None. NFS servers are not part of any default, standard or recommended configuration.
Fix:
Applied RHSA-2017:1723
673052-1 : On i-Series platforms, HTTP/2 is limited to 10 streams
Component: Local Traffic Manager
Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.
"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm
Conditions:
Using an i-Series platform where WAM is unlicensable.
Impact:
HTTP/2 performance may be less than desired
Fix:
It is possible to configure HTTP/2 with more than 10 streams on i-Series platforms.
672818-1 : When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
Component: Access Policy Manager
Symptoms:
When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established.
Conditions:
-- Install Traditional Chinese Windows.
-- Change the 'Region and Language' setting format to Simplified Chinese.
-- Edge Client or browser.
Impact:
Cannot establish VPN.
Workaround:
There is no workaround if the 'Region and language' format must be set to Simplified Chinese.
Fix:
VPN can now be established when 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows.
672695-2 : Internal perl process listening on all interfaces when ASM enabled
Component: Application Security Manager
Symptoms:
ASM configuration processes are available on unprotected network interfaces.
Conditions:
ASM provisioned
Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance.
Workaround:
None
Fix:
ASM-config Event Dispatcher now listens only on protected interfaces
672667-5 : CVE-2017-7679: Apache vulnerability
Solution Article: K75429050
672040-1 : Access Policy Causing Duplicate iRule Event Execution
Component: Access Policy Manager
Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.
Conditions:
This only occurs when using iRule in clientless-mode.
Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.
See below example:
when HTTP_REQUEST {
    HTTP::header insert {clientless-mode} 1
    # Initialise the counter on first use so expr does not fail on an unset variable.
    if { ![info exists myCount] } { set myCount 0 }
    set myCount [expr {$myCount + 1}]
    log local0. "Count is $myCount"
}
LTM logs:
-----------
Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2
When this iRule is used, you will see duplicate HTTP_REQUEST entries with an increasing count in the logs. If this count is used in further calculations, it gives an incorrect result.
Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.
671883-1 : [APM] Ping Access Agent does not correctly handle HTTP request with invalid version
Component: Access Policy Manager
Symptoms:
Ping Access Agent processes HTTP requests based on the assumption that the version in the request will be formatted as follows: HTTP/1.0, HTTP/1.1, etc. If the version is invalid and is specified without a slash, Ping Access Agent generates a core.
Conditions:
This occurs when both of the following conditions are met:
-- The HTTP request contains an invalid value for the HTTP version field.
-- That provided invalid value does not contain a slash (/) character.
Impact:
Ping Access Agent generates core, which might cause service outage.
Workaround:
* Write an iRule that uses HTTP request events to detect such invalid requests and to generate an error when encountered (e.g.: "ping_access_agent does not process requests with invalid HTTP version values").
* Attach the iRule to the virtual server.
With such an iRule attached to the virtual server, Ping Access Agent will continue to provide the requested service for valid requests.
Fix:
Ping Access Agent now properly handles requests with invalid HTTP version values.
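An added example (not Ping Access Agent's code) of the defensive parse that avoids this failure mode: the request-line version is fully validated against the RFC 7230 grammar before any part of it is used, so a version without a slash is reported as malformed instead of being indexed past the end, which is the pre-fix assumption modelled in the second function. The sample request lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# RFC 7230 section 2.6: HTTP-version = "HTTP" "/" DIGIT "." DIGIT
HTTP_VERSION_RE = re.compile(r"^HTTP/(\d)\.(\d)$")


class RequestLine(NamedTuple):
    method: str
    target: str
    major: int
    minor: int


def parse_request_line(line: str) -> Optional[RequestLine]:
    """Parse 'METHOD SP request-target SP HTTP-version'; return None for anything malformed.

    Rejecting at the parse step lets the caller answer with an error response,
    which is the same outcome the iRule workaround above produces.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    m = HTTP_VERSION_RE.match(version)
    if not m or not method or not target:
        return None
    return RequestLine(method, target, int(m.group(1)), int(m.group(2)))


def unsafe_version_split(version: str) -> List[str]:
    """Constructed model of the fragile pre-fix assumption: split on '/' and index
    into the result without checking how many pieces came back.  A version with
    no slash raises IndexError here, standing in for the agent's core."""
    return version.split("/")[1].split(".")


def invalid_version_requests(lines: List[str]) -> List[str]:
    """Return the request lines whose version field is malformed, the set the
    workaround iRule is meant to reject before they reach the agent."""
    return [line for line in lines if parse_request_line(line) is None]
```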
671880-1 : [APM] Ping Access Agent's internal request processing state needs improvement
Component: Access Policy Manager
Symptoms:
Ping Access Agent maintains the HTTP requests headers in a dictionary. While looking up an HTTP header, it accesses one extra element in the array.
Conditions:
The memory layout of the extra element in the dictionary has the same value as the HTTP header's name.
Impact:
ping_access_agent generates a core, which might cause a service outage.
Workaround:
None.
Fix:
APM Ping Access Agent's internal request processing state has been improved to be more robust.
671638-2 : TMM crash when load-balancing mptcp traffic
Solution Article: K33211839
671597-2 : Import, export, copy and delete is taking too long on 1000 entries policy
Component: Access Policy Manager
Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.
Conditions:
When an access policy has 1000+ entries.
Impact:
Import, export and copy are abandoned or fail due to out of memory condition.
Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.
Fix:
ng_export speed has been improved 5 times.
ng_import and ng_profile now work 50 times faster by avoiding denormalisation and through optimisation.
ng_export should still be used from the console.
671579-1 : Macro and macrocall creation issues when policy is in folder
Component: Access Policy Manager
Symptoms:
Attempting creation of macro or macrocall fails when the policy is located in a folder.
Conditions:
-- Access Profile or Per Rq Policy.
-- Location address is similar to the following:
/partition/foldername/policy
Impact:
Cannot freely use VPE to edit policies.
Workaround:
To work around this:
1. Export Access Profile or Per Rq Policy.
2. Import it to root (/partition/newpolicy) of the partition.
3. Keep it under the root.
Fix:
Issue is resolved. Macros and macrocalls can again be created for policies located in folders.
671138-2 : FireFox and Chrome users are asked to re-install windows "Endpoint Inspector Application" after upgrade from 13.0.0
Component: Access Policy Manager
Symptoms:
After upgrade from 13.0.0 to 13.1.0, or a later release, all APM end users running FireFox and Chrome browsers on Microsoft Windows are asked to re-install 'Endpoint Inspector Application'.
The following page appears:
'Browser is waiting for status from Endpoint Inspector Application.' 'Please confirm that this application is launched and is not waiting for your input. This application may be behind other windows on your desktop.'
The download link and installation instructions are provided behind the 'More Option' link.
Conditions:
Endpoint inspection configured in BIG-IP APM access policy.
Impact:
APM end users are prompted to install the endpoint inspector application.
Workaround:
No workaround. APM end users must follow instructions to install application.
Note: When 'Endpoint Inspector Application' is not installed, the instruction screen is clearly visible, as it is part of normal APM usage. However, when 'Endpoint Inspector Application' is installed, the instructions window is hidden behind the 'More Option' link, and the APM end users must click the link to view the instructions.
Fix:
Previously, APM end users running FireFox or Chrome browsers on Microsoft Windows were asked to re-install the Endpoint Inspector Application after upgrading. The issue is resolved for upgrades from 13.1.0 to newer releases.
Note: The specific upgrade path from 13.0.0 to 13.1.0 cannot be fixed, so the issue will still occur in that particular case.
670910-3 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
Component: Access Policy Manager
Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.
Conditions:
This might occur when using the following definition:
<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
    xmlns:s="library://ns.adobe.com/flex/spark"
    width="100%" height="100%"
    minWidth="256" minHeight="64"
    creationComplete="initApp()">
    <s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
        <s:TextInput id="f_output" text="..." width="100%" />
        <fx:Script><![CDATA[
            import flash.external.ExternalInterface;
            private function initApp():void {
                f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
            }
        ]]></fx:Script>
    </s:VGroup>
</s:Application>
Impact:
Flash application malfunction.
Workaround:
None.
Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.
670822-1 : TMM may crash when processing SOCKS data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash when processing SOCKS data
Conditions:
SOCKS profile enabled
Impact:
TMM crash leading to a failover event
Fix:
TMM now processes SOCKS data as expected
670456-2 : Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number
Component: Access Policy Manager
Symptoms:
The Flash AS3 mx.core::CrossDomainRSLItem() wrapper fails when called with a number of arguments other than 7.
Conditions:
Any Flash application that calls mx.core::CrossDomainRSLItem() with a number of arguments other than 7.
Impact:
Flash application malfunction.
Fix:
APM Portal Access ActionScript 3 Flash Patching has been improved to handle mx.core::CrossDomainRSLItem() in a more flexible way.
670405-5 : K20486351: glibc vulnerability CVE-2017-1000366:
Solution Article: K20486351
670096-1 : TMM may crash when a DHCP virtual server is used with an iRule involving the SERVER_DATA event and the Tcl 'after' command.
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system is configured with a DHCP virtual server with an iRule, the TMM may crash when a DHCP server sends back multiple identical offers for a single request to the BIG-IP system within a certain period of time.
Conditions:
When the following conditions are met:
- The BIG-IP system is configured with a virtual server with a DHCP profile and an iRule involving SERVER_DATA event and Tcl 'after' command.
- A DHCP server sends back multiple identical offers for a single request to the BIG-IP system within a certain period of time.
Impact:
The TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer crashes.
670011-1 : SSL forward proxy does not create the server certchain when ignoring server certificates
Component: Local Traffic Manager
Symptoms:
The forward proxy does not work correctly when server certificates are ignored: SSL forward proxy does not build the server certificate chain, so the client side cannot trust the forged server certificate, and the SSL handshake hangs and fails after the timeout.
Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.
Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.
Workaround:
None.
Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.
669818-1 : Higher CPU usage for syslog-ng when a syslog server is down
Component: TMOS
Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.
Conditions:
A remote log server is added but it is not available.
Impact:
Potentially higher than expected CPU usage.
Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.
669364-2 : TMM core when server responds fast with server responses such as 404.
Component: Fraud Protection Services
Symptoms:
TMM core when server responds fast with server responses such as 404.
Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS needs to take some action on the response.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles these conditions without a tmm crash.
669154-2 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
Component: Access Policy Manager
Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.
Conditions:
A new SSO SAML configuration contains one or more attribute values containing a session variable, followed by an empty value "", for example:
multi-values { "%{session.ad.last.attr.name}" "" }
Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.
Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.
Workaround:
Remove empty attribute values from configuration.
Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.
669025-3 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
Solution Article: K11425420
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs the forged certificate with a hash algorithm selected as the weakest algorithm used by the certificates in the server certificate chain, excluding the self-signed certificate.
Some intermediate CA certificates in the chain are themselves signed with SHA1. Such intermediate CAs are usually already present in the BIG-IP system's ca-bundle. When the BIG-IP system receives a chain that includes such an intermediate CA, it forges the certificate with SHA1, which some web clients reject.
Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.
Impact:
Clients cannot access the web server due to SSL handshake failure.
Workaround:
There is no workaround at this time.
Fix:
The fix excludes trusted CA certificates from hash algorithm selection, so a SHA1-signed intermediate that the system already trusts no longer forces the forged certificate to be signed with SHA1.
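Added example (not F5 code) of the hash-selection rule this entry describes, run over a constructed three-certificate chain: under the pre-fix rule the weakest hash among the non-self-signed chain certificates wins, so a SHA1-signed intermediate that is already in the proxy's ca-bundle drags the forged certificate down to SHA1; under the fixed rule that intermediate is excluded and the forged certificate gets SHA256. The certificates are stubs (placeholder tbsCertificate, real DER signatureAlgorithm, which is the only field the code reads), the trust store is modelled as a set of subject names, and the fallback used when no certificate remains to inspect is an assumption for this example, not documented BIG-IP behavior.

```python
"""Added example, not F5 code: which hash a forward proxy ends up using for a
forged certificate, under the pre-fix rule (weakest hash among chain certs that
are not self-signed) and the fixed rule (certs already in the proxy's trust
store excluded as well). Certificates are constructed stubs."""

# OIDs of common signature algorithms (RFC 3279, RFC 4055, RFC 5758).
SIG_OID_HASH = {
    "1.2.840.113549.1.1.5": "sha1",      # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",   # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",   # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",   # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",         # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",     # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",     # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",     # ecdsa-with-SHA512
}
HASH_RANK = {"sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}  # unknown -> 0


def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_hash(cert_der):
    """Hash named by the outer signatureAlgorithm of a DER Certificate
    (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    _, body, _ = _tlv(cert_der, 0)
    _, _, tbs_end = _tlv(cert_der, body)                # skip tbsCertificate
    tag, alg, _ = _tlv(cert_der, tbs_end)               # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_s, oid_e = _tlv(cert_der, alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return SIG_OID_HASH.get(_decode_oid(cert_der[oid_s:oid_e]), "unknown")


def forged_cert_hash(chain, trust_store):
    """chain: [(subject, issuer, der), ...] leaf first. trust_store: subjects
    the proxy already trusts (its ca-bundle). Returns (pre_fix, fixed)."""
    def weakest(certs):
        hashes = [signature_hash(der) for _, _, der in certs]
        # Assumption for this example only: nothing left to inspect -> sha256.
        return min(hashes, key=lambda h: HASH_RANK.get(h, 0)) if hashes else "sha256"

    not_self_signed = [c for c in chain if c[0] != c[1]]
    pre_fix = weakest(not_self_signed)
    fixed = weakest([c for c in not_self_signed if c[0] not in trust_store])
    return pre_fix, fixed


# --- constructed stub certificates -----------------------------------------
def _der(tag, payload):
    assert len(payload) < 128          # short-form length suffices for stubs
    return bytes([tag, len(payload)]) + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def stub_cert(sig_oid):
    """Cert-shaped DER with a placeholder tbsCertificate (constructed)."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


# Constructed chain: leaf signed with SHA-256, a cross-signed intermediate
# still carrying a SHA-1 signature, and a self-signed root.
SAMPLE_CHAIN = [
    ("www.example.test", "Example Intermediate G1", stub_cert("1.2.840.113549.1.1.11")),
    ("Example Intermediate G1", "Example Root CA", stub_cert("1.2.840.113549.1.1.5")),
    ("Example Root CA", "Example Root CA", stub_cert("1.2.840.113549.1.1.5")),
]
SAMPLE_TRUST_STORE = {"Example Root CA", "Example Intermediate G1"}

if __name__ == "__main__":
    print(forged_cert_hash(SAMPLE_CHAIN, SAMPLE_TRUST_STORE))  # ('sha1', 'sha256')
```

To run this against a live chain, replace the stubs with the DER of each certificate from 'openssl s_client -showcerts' and decide trust-store membership by matching the certificate itself rather than its subject name, which is a simplification used here.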
668849-2 : Upgrade failure for apm-log-setting objects★
Component: Access Policy Manager
Symptoms:
After upgrade to 13.1.0, the configuration will fail to load with error: 01070734:3: Configuration error: In apm log-config (/p1/f1/sso-log-setting-Critical) there can only be one instance of access log configuration
Unexpected Error: Loading configuration process failed.
Conditions:
Before the upgrade, the configuration contains sso form-basedv2 objects or saml sso config objects.
Impact:
mcpd fails to start.
Workaround:
Manually edit bigip.conf, remove all sso form-basedv2 objects and saml sso config objects, and then run 'tmsh load sys config'.
Fix:
The upgrade now succeeds.
668802-2 : GTM link graphs fail to display in the GUI
Solution Article: K83392557
Component: Local Traffic Manager
Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.
statsd reports an error in /var/log/ltm
err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found
Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.
Impact:
Unable to view BIG-IP DNS/GTM link graphs.
Workaround:
None.
Fix:
The GTM graphs are available as expected.
668623-6 : macOS Edge client fails to detect correct system language for regions other than USA
Solution Article: K85991425
Component: Access Policy Manager
Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.
Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).
Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.
Workaround:
Run one of the following commands in Terminal and re-launch the Edge client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
Fix:
Customization of the following items for Edge client now correctly reflect the region's language selection.
-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.
668522-2 : bigd might try to read from a file descriptor that is not ready for read
Component: Local Traffic Manager
Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.
Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).
Impact:
The bigd process might consume excessive CPU resources for various amounts of time.
Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.
Workaround:
None.
Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.
668501-1 : HTTP2 does not handle some URIs correctly
Solution Article: K07369970
668252-3 : TMM crash in PEM_DIAMETER component
Solution Article: K22784428
Component: Policy Enforcement Manager
Symptoms:
TMM crashes when the route to PCRF is lost.
Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).
Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.
Workaround:
Mitigation: Ensure that the interface or route carrying Diameter traffic is not manually brought down.
There is no workaround for externally triggered route loss.
Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.
668247-1 : Machine Certificate Checker service may not be used when UAC is disabled on windows machine
Component: Access Policy Manager
Symptoms:
The Machine Certificate Checker service may not be used when UAC is disabled on a Windows machine, causing Machine Cert Auth to either fail or take the 'Found' branch.
Conditions:
Machine Certificate Checker is installed.
Access Policy has Machine Cert Auth configured.
Windows machine has UAC disabled.
Impact:
Machine Cert Auth agent either fails or goes to 'Found' branch
Workaround:
Enable UAC, or use the elevation helper app (requires the user to be a local administrator).
Fix:
Previously, on Windows, the Machine Certificate Checker service was not used when UAC was disabled. Now, the service is used even when UAC is disabled.
668181-1 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
668048-2 : TMM memory leak when manually enabling/disabling pool member used as HSL destination
Solution Article: K02551403
Component: TMOS
Symptoms:
High Speed Logging fails to free an allocated cache memory resulting in memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.
Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed, or High Speed Logging pool members removed.
Impact:
Increase in mds_btree_nodes memory utilization.
Workaround:
There is no workaround at this time.
Fix:
High Speed Logging frees allocated memory correctly.
667872-2 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
Component: Fraud Protection Services
Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.
Conditions:
'Apply cookies to base domain' is enabled and
connection is over non-standard ports (not 80, 443, etc.).
Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.
Workaround:
Use only standard ports.
Fix:
FPS now correctly parses the base domain, including the port if present.
667594-1 : Rewrite plugin could crash on rewriting of some URLs in POST data
Component: Access Policy Manager
Symptoms:
Rewrite might crash on rewriting POST data with specific characters in the URL.
Conditions:
Rewrite of POST data with specific characters in the URL.
Impact:
Temporary outage of Portal Access services.
Workaround:
None.
Fix:
Fixed an issue that could cause the rewrite plugin to crash when patching links in a POST request body.
667577-1 : Access profile 'Restrict to Single Client IP' setting not enforced with DTLS tunnel
Component: Access Policy Manager
Symptoms:
After APM end users establish a session from one client IP address, if they roam and get a different client IP address, the DTLS tunnel can still be established, because the system does not enforce 'Restrict to Single Client IP' for it.
Conditions:
The client IP used to establish the session is different from the client IP used to establish DTLS tunnel and the 'Restrict to Single Client IP' setting is enabled.
Impact:
The DTLS tunnel is established, which allows the client to access internal network resources from a subnet that should be forbidden.
Workaround:
Disable usage of DTLS tunnel.
Fix:
The 'Restrict to Single Client IP' setting is enforced correctly for DTLS tunnel.
667469-2 : Higher than expected CPU usage when using DNS Cache
Solution Article: K35324588
Component: Global Traffic Manager (DNS)
Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.
Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.
Impact:
Higher than expected CPU usage.
Workaround:
No workaround at this time.
Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.
667318-1 : BIG-IP DNS/GTM link graphs fail to display in the GUI.
Component: Local Traffic Manager
Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.
statsd reports an error in /var/log/ltm
err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found
Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
Impact:
Unable to view BIG-IP DNS/GTM link graphs.
Workaround:
None.
Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.
667304-2 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
Solution Article: K68108551
Component: Access Policy Manager
Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.
Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.
Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.
Workaround:
None.
Fix:
'Save Password' checkbox is not shown unless the feature is enabled.
667302-1 : Cannot create CE policies when only APM is provisioned.
Component: TMOS
Symptoms:
Cannot create CE policies when only APM is provisioned because the Type selector is not displayed.
Conditions:
-- Provision and license APM only (no PEM or AFM).
-- Go to Local Traffic :: Policies : Policy List.
-- Create a policy and try to change type to CE Profile.
Impact:
Cannot create CE policies.
Workaround:
Use tmsh to create CE policies when only APM is provisioned.
Fix:
Users can now create CE policies when only APM is provisioned.
667259-1 : Memory Leak in RAM Cache
Solution Article: K15364500
Component: Local Traffic Manager
Symptoms:
A slow increase in the magnitude of the value in the tm_header bucket of the memory_usage_stat table.
Conditions:
This occurs during a refresh of a cached document.
Impact:
A memory leak whose rate depends on the lifetime of the documents in the cache and the number of documents that can be refreshed.
Workaround:
If the document cannot be refreshed, the memory leak won't occur.
A server configuration change or a response iRule that removes the Last-Modified, Expires, and Cache-Control headers will allow the BIG-IP system to cache documents and serve them from cache, but will not attempt to refresh them and thus avoid this leak.
This workaround results in retrieving the whole document from the server when it has expired.
Fix:
Memory Leak in RAM Cache has been fixed.
667237-2 : Edge Client logs the routing and IP tables repeatedly
Component: Access Policy Manager
Symptoms:
Edge Client logs the routing and IP tables repeatedly - in each reconnecting attempt.
Conditions:
Edge Client is in reconnecting state and gateway is reachable. However, APM server is not reachable/responding.
Impact:
It fills up the log file with information that is not useful.
Workaround:
There is no workaround at this time.
Fix:
When the Edge Client is in the reconnecting state and the APM server is not reachable/responding, it no longer logs the routing and IP tables on each reconnection attempt.
667148-2 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition
Solution Article: K02500042
Component: TMOS
Symptoms:
GTM configuration fails to load.
Conditions:
GTM config referencing non-/Common partition objects from /Common.
Impact:
GTM configuration fails to load, which may keep a system from becoming active.
Workaround:
No workaround.
Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.
667076-1 : WebSocket URLs over SSL don't match when differentiate HTTP/HTTPS is disabled
Solution Article: K92494571
Component: Application Security Manager
Symptoms:
A WebSocket URL is not detected as such in the switch-protocol request.
Conditions:
-- ASM policy with 'Differentiate between HTTP/WS and HTTPS/WSS URLs' disabled.
-- Explicit WebSocket URLs, '/wss' configured.
-- The ASM policy is attached to both a non-SSL virtual server and an SSL virtual server.
-- Requests arrive, one over the SSL connection and one over the non-SSL connection.
Impact:
Over the SSL connection the request URL is not detected as '/wss' but as the wildcard URL.
Over the non-SSL connection the request will be detected as '/wss' the WebSocket URL.
Workaround:
Enable 'Differentiate between HTTP/WS and HTTPS/WSS URLs'.
Fix:
A WebSocket URL is now detected as such in the switch-protocol request.
666986-1 : Filter by Support ID is not working in Request Log
Solution Article: K50320144
Component: Application Security Manager
Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.
Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.
Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.
Workaround:
You can try to filter by last 4 digits of Support ID. Although that does not replace filter by Support ID functionality, it might help.
Fix:
Filter by Support ID now works for any length other than 4 digits (a 4-digit value is treated as a search on the last 4 digits; a 4-digit Support ID is not a realistic occurrence).
666689-2 : Occasional "profile not found" errors following activate access policy
Component: Access Policy Manager
Symptoms:
Immediately following the applying of a modified access policy it is possible for some profiles to disappear.
It is transient and within a minute or two the profiles are available again.
Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot ids will clear the list of profiles and policies and then rebuild those lists. Authentication requests using profiles or policies not yet rebuilt returned the "profile not found" error.
Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.
Workaround:
Retry the authentication.
Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.
666233 : Localdbmgr process cores
Component: Access Policy Manager
Symptoms:
You see continuous "emerg logger: Re-starting localdbmgr" messages and localdbmgr continually cores.
Conditions:
When localdbmgr process tries to persist local user information to the MySQL Database.
Impact:
localdbmgr cores, APM local user database does not initialize.
Workaround:
None.
Fix:
localdbmgr no longer crashes when trying to persist local user information to the MySQL Database.
666118-1 : High CPU usage from asm_config_server
Solution Article: K58571155
Component: Application Security Manager
Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).
Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.
Impact:
ASM availability impacted.
Workaround:
- Switch to Manual policy builder.
- Set entity types learning to compact / selective / never.
Fix:
The policy builder no longer places unnecessary load on asm_config_server.
666032-1 : Secure renegotiation is set while data is not available.
Solution Article: K05145506
Component: Local Traffic Manager
Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.
Conditions:
This occurs when handling SSL secure renegotiation in certain connections.
Impact:
Crashes happen to certain SSL connections.
Workaround:
None.
Fix:
Setting secure renegotiation while data is not available no longer causes a crash in certain connections.
665924-2 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
Solution Article: K24847056
Component: Local Traffic Manager
Symptoms:
A TMM crash caused by a double-free of memory within the HTTP2 and SPDY filters. This crash could occur in other TMM sub-systems unrelated to HTTP2 or SPDY.
Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.
665888-1 : Upgrade from v12.1.1, v12.1.2, v12.1.3, or v13.0.0 fails when DoS application profile has heavy URLs configured
Component: Advanced Firewall Manager
Symptoms:
When heavy URLs are configured within a DoS application profile, an upgrade from v12.1.1, v12.1.2, v12.1.3, or v13.0.0 to a later version fails with an error: Cannot update_indexes/checkpoint DB object, class:dos_user_heavy_urls status:13 - EdbCfgObj.cpp, line 127
Conditions:
-- BIG-IP v12.1.1, v12.1.2, v12.1.3, or v13.0.0 installed.
-- Heavy URLs configured within DoS application profile.
-- Upgrading to later version.
Impact:
Upgrade fails.
Workaround:
Before upgrading from v12.1.1, v12.1.2, v12.1.3, or v13.0.0 to any later version, remove heavy URLs from all DoS profiles, and then re-add manually after successful upgrade.
Fix:
Upgrade now supports correct upgrading of DoS application heavy URLs.
665494-1 : Several factory policy templates have delayed blocking enabled
Component: Application Security Manager
Symptoms:
Several factory Application Ready policy templates have delayed blocking in Session Tracking enabled by default.
Conditions:
Create a new policy using a factory Application Ready policy template.
Impact:
Delayed blocking in Session Tracking is enabled by default.
Workaround:
Disable delayed blocking in Session Tracking.
Fix:
Factory Application Ready policy templates have delayed blocking in Session Tracking correctly disabled by default.
665477-1 : Analytics based on tmstat-tables might cause high CPU usage
Component: Application Visibility and Reporting
Symptoms:
High CPU usage on some configurations due to an inefficient joining process for AVR statistics based on tmstat tables.
Conditions:
Any of the tmstat-based analytics are available on the system.
Impact:
Might cause high CPU usage.
Workaround:
N/A
Fix:
Joining process for analytics based on tmstat tables was refactored to be more efficient.
665416-1 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used
Component: Access Policy Manager
Symptoms:
Currently, it takes 24 hrs for old versions of APM config snapshots that are not being used to time out and to release the memory. If access profiles are complex and are updated frequently within 24 hrs, memory resource is likely to be exhausted.
Conditions:
If access profiles are updated frequently within 24 hrs and each version of the configuration snapshot contains many variables.
Impact:
TMM may run out of memory and crash, causing service interruption.
Workaround:
None.
Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.
665354-3 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
Component: TMOS
Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.
Those two messages together indicate this known issue.
Conditions:
-- There are empty 10 Gb ports, or 10 Gb ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.
Impact:
The unit intermittently reboots.
Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.
If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.
Important: A device Return Materials Authorization (RMA) will not prevent this issue.
Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.
665347-1 : GTM listener object cannot be created via tmsh while in non-Common partition
Solution Article: K17060443
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.
Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2
Impact:
The listener will not be created. The system outputs an error similar to the following:
01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.
Workaround:
None.
Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.
664930-3 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
664894-2 : PEM sessions lost when new blade is inserted in chassis
Solution Article: K11070206
Component: TMOS
Symptoms:
Inserting a blade into a chassis where high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes entries created by the iRule table command as well as entries stored in the SessionDB by modules.
Conditions:
HA in use 'between clusters'.
Impact:
Data loss of some SessionDB entries.
Workaround:
To cleanly add a blade, change the HA setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'.
Fix:
PEM sessions are now retained when new blade is inserted in chassis when using 'between clusters'.
664758-1 : URLDB SIGFPE - 'urldb tcl result not overwritten'
Component: Access Policy Manager
Symptoms:
TMM cores with the following notice: Assertion 'urldb tcl result not overwritten' failed.
Conditions:
Use of CATEGORY::lookup iRule in a case where the system fails to resume normal traffic flow after setting the result.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Added a check to ensure that upon failure to resume normal traffic flow, the result is cleared and reset so that the core does not occur.
664725-1 : AVR publishes tmstat statistics to internal store (SQL) when disable-all-internal-logging is set.
Component: Application Visibility and Reporting
Symptoms:
AVR publishes tmstat statistics to the internal store (SQL) when disable-all-internal-logging is set.
When disable-all-internal-logging is set (in analytics global-settings) AVR shouldn't publish any statistics to the internal storage.
Conditions:
Disable-all-internal-logging is set in the analytics global-settings.
Impact:
Statistics are published to the database when they should not be.
Workaround:
There is no workaround at this time.
Fix:
After the fix, AVR doesn't publish any statistics to the database when disable-all-internal-logging is set.
664625-1 : Connection resets on Virtual Server with APM Access Profile and ASM Security Policy
Solution Article: K08041607
Component: Advanced Firewall Manager
Symptoms:
Connections to a Virtual Server will be reset and not handled by the system.
Conditions:
This happens on Virtual Servers which have an APM Access Profile and an ASM Security Policy assigned to it.
Impact:
As a result, APM and ASM end users cannot access the site.
Workaround:
To prevent the problem from happening:
Add a DoS profile with 'Application' enabled to the Virtual Server.
Fix:
Virtual Servers with APM Access Profile and ASM Security Policy no longer cause connection resets.
664549-3 : TMM restart while processing rewrite filter
Solution Article: K55105132
Component: TMOS
Symptoms:
TMM restart and failover occurs while processing rewrite filter.
Conditions:
-- Virtual server with rewrite-uri-translation profile.
-- Serverside attempts to get data from clientside when connection flow does not exist.
Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM restart and failover no longer occurs while processing rewrite filter.
664507-4 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
Component: Access Policy Manager
Symptoms:
IdP-connector automation removes the certificate reference when an update to the metadata file is detected and the metadata file contains multiple signing certificates.
Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.
Impact:
The certificate reference to the remotely published metadata is removed from the local configuration (saml-idp-connector object). As a result, assertions generated by the external IdP are not accepted until the proper certificate is configured on the saml-idp-connector object again.
Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.
Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.
664461-1 : Replacing HTTP payload can cause tmm restart
Solution Article: K16804728
Component: Local Traffic Manager
Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule can result in the tmm restarting.
Conditions:
Occurs when the server response is non-chunked and does not contain a Content-Length header, and an iRule adds a Content-Length header and performs an HTTP::payload replace command with a length shorter than the original body length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.
664063 : Azure displays failure for deployment of BIG-IP from a Resource Manager template
Solution Article: K03203976
Component: TMOS
Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.
Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.
Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.
Workaround:
None.
Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.
664057-1 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
Component: TMOS
Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.
Conditions:
Pre-12.0.0 configuration with a WideIP without any pools, but with an iRule.
Impact:
Some or all of a post-upgrade "GSLB-typed" wideip would be lost during the upgrade process.
Workaround:
Manually add missing WideIPs after upgrade.
Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.
664017-4 : OCSP may reject valid responses
Component: TMOS
Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:
OCSP response: got EOF
Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.
Impact:
Valid OCSP responses may be rejected.
Workaround:
None.
Fix:
These responses are now accepted.
663821-2 : SNAT Stats may not include port FTP traffic
Solution Article: K41344010
Component: Local Traffic Manager
Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).
Conditions:
-- SNAT is configured.
-- FTP connections traverse the SNAT.
Impact:
Stats are not incremented in tmsh or the GUI.
Workaround:
None.
Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.
663521-3 : Intermittent dropping of multicast packets on certain BIG-IP platforms
Component: TMOS
Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.
Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.
Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.
Impact:
Dropped multicast packets, possibly impacting multicast protocols.
Workaround:
None.
Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.
663510-1 : F5 EPI or F5 VPN browser helper apps in some cases throw error and quit
Component: Access Policy Manager
Symptoms:
F5 EPI or F5 VPN browser helper apps in some cases throw an error if they are not configured properly during installation. These apps will not start from the browser. In reality, the applications are starting, but they quit as soon as they are started because of the misconfiguration.
Conditions:
F5 EPI or F5 VPN browser helper apps
Impact:
The session from the browser will appear to be hung if endpoint inspection is configured, or Network Access will appear not to launch from the browser.
Fix:
F5 EPI and F5 VPN app now launch properly and are configured correctly during installation.
663333-2 : TMM may core in PBA mode if LSN pool is under-provisioned or the utilization is high
Component: Carrier-Grade NAT
Symptoms:
TMM may core while trying to allocate a new block.
Conditions:
If the LSN pool is under-provisioned or the utilization is high, TMM may need to send MPI messages to other TMMs to search for other blocks. The TMM may core if these operations time out.
Impact:
Traffic disrupted while tmm restarts.
663310-2 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
Solution Article: K50871313
Component: Global Traffic Manager (DNS)
Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.
Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.
Impact:
Zones cannot be loaded.
Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;
Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".
On upgrade, the config needs to be parsed looking for slave zones that do not specify the masterfile-format and set them to "text".
663063-1 : Disabling pool member used in busy HSL TCP destination can result in service disruption.
Component: TMOS
Symptoms:
Manually disabling an otherwise available pool member from a pool used as an HSL TCP destination can result in a tmm crash and service disruption.
This is more likely to occur when the HSL destination is using 'balanced' distribution.
Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.
Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.
Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.
Fix:
TMM crash no longer occurs when an HSL TCP pool member with a pending connection is manually disabled.
662913-1 : GUI LTM Virtual Server page cannot open. Virtual Server cannot be created or updated.
Solution Article: K17213048
Component: TMOS
Symptoms:
In the GUI when a user tries to create or edit a Virtual Server, the page is blank. There is an error that prevents the page from loading properly.
Conditions:
When provisioning BIG-IP with APM license.
Impact:
Users cannot access the Virtual Server page from the GUI.
Workaround:
User can create and edit the Virtual Server using TMSH command line tool.
Fix:
Resolved the error on the page that prevented it from loading.
662881-1 : L7 mirrored packets from standby to active might cause tmm core when it goes active.
Solution Article: K10443875
Component: Local Traffic Manager
Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.
Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
662663-1 : Decryption failure on Nitrox platforms in vCMP mode
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, Nitrox devices cannot correctly decrypt records from established SSL sessions.
Conditions:
-- Cavium Nitrox PX (VIPRION Blade 2100, 4200, and 4300).
-- vCMP active.
-- Small MTU.
Impact:
SSL connections are terminated unexpectedly.
Workaround:
Increase MSS (maximum segment size).
Fix:
SSL records are now decrypted as expected.
662281-1 : Inconsistencies in Automatic sync ASM Device Group
Component: Application Security Manager
Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.
This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices
Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.
Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices
Workaround:
Disable automatic sync on the device group, and periodically push changes manually.
Fix:
Calls are now correctly propagated across Automatic Sync Device Groups.
662085-2 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
Component: Local Traffic Manager
Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.
Conditions:
Installing large Node.js packages using the TMUI.
Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.
Workaround:
None.
Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.
Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.
662022-1 : The URI normalization functionality within the TMM may mishandle some malformed URIs.
Solution Article: K34514540
661716 : TMM core when session ticket and OCSP Stapling is enabled on the clientSSL profile★
Solution Article: K05655212
Component: Local Traffic Manager
Symptoms:
TMM core when session ticket and OCSP Stapling is enabled on the clientSSL profile.
Conditions:
-- ocsp-stapling enabled
-- session-ticket enabled
The client sends a valid session ticket along with status_request extension.
Impact:
tmm cores. Traffic disrupted while tmm restarts.
Workaround:
Disable session tickets for the clientssl profile.
661699-1 : BD crash under specific conditions
Component: Application Security Manager
Symptoms:
BD crash in a specific scenario.
Conditions:
1. Have iRule extracting signature IDs/Names.
2. Have more than five sigs matched on request.
3. Have more than two sigs matched on response.
Impact:
BD crash and traffic interruption.
Workaround:
Disable the ASM signature iRule.
Fix:
Fixed the scenario causing the crash.
660868-1 : Resets after adding URL Branching item
Component: Access Policy Manager
Symptoms:
Clients receiving resets, and these error logs in /var/log/apm:
Apr 25 14:23:12 ip-10-1-1-4 err tmm[12329]: 01870029:3: /Common/Allow_Access:Common:780e1b9f: [C] 10.1.10.9:57991 -> 10.1.10.102:443:ERR_NOT_FOUND: failed to find next policy item
Conditions:
A URL Branching item was added to the per-request policy. The item template for URL Branching contains single-quotes in the expression, which are considered invalid by the TCL interpreter.
Impact:
The invalid expression causes a non-recoverable failure in the control plane of TMM. Changing the expression has no effect.
Workaround:
Because of the non-recoverable failure caused by the invalid expression, there are only two workarounds:
1) Do not use the URL Branching template. Equivalent functionality is achieved by adding an empty item and using the expression builder. The templates in the expression builder are correct.
2) If a URL Branching template was already used, fix the expression by replacing all single-quotes with double-quotes. Then `bigstart restart tmm` to reset the affected part of the control plane.
Fix:
Now the URL Branching item in an APM Per-Request policy can successfully operate using templates.
660725 : CVE-2017-6135: Linux kernel vulnerability
Solution Article: K43322910
660577-2 : openldap; prevent crash on rc==LDAP_SUCCESS && res==NULL
Component: TMOS
Symptoms:
openldap library routine segfaults on certain condition.
Conditions:
RST in the middle of auth process.
Impact:
apmd crashes.
Fix:
This is a preventive fix for the issue.
660327-1 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
Component: Application Security Manager
Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.
In the case of a single logging profile with local-plus-remote ASM enabled on it, upon an upgrade, the logging profile is split into two profiles. One has the '_local' extension added to it. Another attempt to load the config of the pre-upgrade system will fail. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.
Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.
And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.
Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (Use roll-forward upgrade, or instead use clean install and afterwards load the saved config file).
Impact:
Config load fails. Upgrade fails.
Workaround:
Use one of the following workarounds:
1. Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all
(Note: Saving the UCS also saves the configuration.)
2. Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'
660326-1 : Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.★
Solution Article: K91072177
Component: Application Security Manager
Symptoms:
Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.
Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.
Impact:
Upgrade fails.
Note: Although this is an invalid configuration, upgrade should not fail.
Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers.
Note: The first workaround must be done before the upgrade. The second can be done before the upgrade, or by editing the config files and re-loading the config (first base, then all) using the following command:
tmsh -c 'load sys config partitions all base; load sys config partitions all'
660239-1 : When accessing the dashboard, invalid HTTP headers may be present
Component: TMOS
Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.
Conditions:
Access the dashboard via Statistics :: Dashboard.
Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.
You may see errors such as the following in the httpd error logs:
Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf
Workaround:
There is no workaround at this time.
Fix:
Eliminated invalid header data.
660187-4 : TMM core after intra-chassis failover for some instances of subscriber creation
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.
Conditions:
-- The chassis is loaded with many blades.
-- The high availability (HA) configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.
Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now verifies the validity of the AVPs before copying the attributes.
660170-2 : tmm may crash at ~75% of VLAN failsafe timeout expiration
Solution Article: K28505910
Component: Local Traffic Manager
Symptoms:
When VLAN failsafe is configured, and the VLAN failsafe timeout is 3/4 expired, tmm wants to generate ICMP traffic to evoke a network response. When this occurs, the system might experience a crash.
Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.
Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).
Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)
Workaround:
1. To allow the VLAN failsafe timer to be reset by any frame, run the following command with VLAN failsafe enabled:
tmsh modify sys db failover.vlanfailsafe.resettimeronanyframe value enable
This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.
2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.
Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.
Fix:
TMM is no longer exposed to a potential crash when it generates ICMP traffic to provoke a network response on an expiring VLAN failsafe timer, whether in an invalid configuration or on a completely quiet network, under the following configuration:
- VLAN failsafe is configured.
- 3/4 of the configured VLAN failsafe timeout has expired (e.g., 67.5 seconds of 90 seconds).
659791-1 : TFO and TLP could produce a core file under specific circumstances
Solution Article: K81137982
659527-1 : Custom Predefined Reports are not displayed in ASM Analytics Schedules
Solution Article: K32271142
Component: Application Visibility and Reporting
Symptoms:
When creating custom predefined filters, either via Requests page or via ASM Statistics, these custom reports are not displayed as part of the predefined reports list when creating/modifying an ASM Schedule.
Conditions:
Creating custom predefined filters, either via Requests page or via ASM Statistics.
Impact:
Reports created by the user cannot easily be used in the GUI to create a scheduled report.
Workaround:
N/A
Fix:
ASM Requests/Stats pages now use the correct internal field name to store the reference to the report, so it is accessible from all screens.
659519-2 : Non-default header-table-size setting on HTTP2 profiles may cause issues
Solution Article: K42400554
Component: Local Traffic Manager
Symptoms:
HTTP2 connection sent RST_STREAM due to protocol error in response to headers frame.
Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.
Impact:
Periodic HTTP2 connection failure to the virtual.
Workaround:
Restore the default header-table-size setting for the HTTP2 profile.
659460-1 : URL encoded Authorization code does not work with APM OAuth client
Component: Access Policy Manager
Symptoms:
When the Authorization Server (AS) generates an authorization code that includes URL special characters, the AS percent-encodes it so that it can be passed safely. APM does not process this properly: when the OAuth client uses the code to retrieve an access token, it unnecessarily re-encodes the already-encoded value, which causes the AS to reject the token request.
Conditions:
The AS generates an OAuth authorization code that contains URL-encoded characters.
Impact:
OAuth client fails to retrieve the token with the provided code.
Workaround:
Use an iRule to decode the authorization code either when APM receives it or when APM sends it out.
Fix:
URL encoded authorization code now works with APM OAuth client.
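The failure described in this item is a double-encoding mismatch: the AS decodes the token request's form body once, so a code that the client encoded twice still contains percent escapes and no longer equals the code the AS issued. The following is an added example, not F5 code or the APM implementation; the AS, the two client variants and the validator are constructed stand-ins, and RAW_CODE is a constructed value chosen to contain URL-special characters.

```python
# Added example, not F5 code: models the double-encoding failure described
# above. The AS, client and validator here are constructed stand-ins.
from urllib.parse import quote, unquote, urlencode, parse_qs

# Constructed authorization code containing characters that are special in
# URLs; a real AS chooses its own code alphabet.
RAW_CODE = "abc+def/ghi=jkl&mno"


def as_issue_code(raw_code: str) -> str:
    """AS side: percent-encode the code before placing it in the redirect URI,
    so the special characters survive transport intact."""
    return quote(raw_code, safe="")


def client_token_request_buggy(code_from_redirect: str) -> str:
    """Client as described in the symptoms: treats the already-encoded code as
    raw data and encodes it a second time when building the token request."""
    return urlencode({"grant_type": "authorization_code",
                      "code": code_from_redirect})


def client_token_request_fixed(code_from_redirect: str) -> str:
    """Corrected client: decode the value once when it arrives in the redirect,
    then encode it exactly once when it goes into the form body."""
    raw = unquote(code_from_redirect)
    return urlencode({"grant_type": "authorization_code", "code": raw})


def as_validate_token_request(form_body: str, expected_raw_code: str) -> bool:
    """AS side: decode the form body once (ordinary form handling) and compare
    the code with the one that was issued. A doubly-encoded code still contains
    '%' escapes after this single decode and therefore does not match."""
    params = parse_qs(form_body, strict_parsing=True)
    return params.get("code") == [expected_raw_code]


def demo(raw_code: str = RAW_CODE) -> dict:
    """Run both client variants against the same issued code."""
    issued = as_issue_code(raw_code)
    return {
        "issued": issued,
        "buggy_accepted": as_validate_token_request(
            client_token_request_buggy(issued), raw_code),
        "fixed_accepted": as_validate_token_request(
            client_token_request_fixed(issued), raw_code),
    }


if __name__ == "__main__":
    print(demo())
```

A code made only of unreserved characters is accepted by both variants, which is why the problem surfaces only with authorization servers whose code alphabet includes URL-special characters.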
658996-1 : Some externally published AVR data can be corrupted when HTTP Traffic external publisher is on
Component: Application Visibility and Reporting
Symptoms:
When publishing statistics to an external destination (HSL or TCP), some messages contain wrong data. This happens only when the HTTP traffic report is activated. The corrupted data can also be seen in debug output.
Conditions:
The HTTP traffic report is activated. To activate it via the GUI, go to "Set up : Local Traffic ›› Profiles : Analytics : HTTP Analytics", choose or create an analytics profile associated with a VS that passes traffic, and mark the "External" checkbox next to "Traffic Capturing Logging Type".
Impact:
Some AVR data reported by HSL or TCP protocol to an external destination are corrupted.
Workaround:
There is no workaround.
Fix:
The escaping and Base64 functions used in external message text processing are now thread-safe.
658764 : Linux kernel lasthop driver memory issue
Solution Article: K43322910
658664-1 : VPN connection drops when 'prohibit routing table change' is enabled
Component: Access Policy Manager
Symptoms:
When there is a brief network outage and 'prohibit routing table change' is enabled, VPN gets disconnected and no further attempts are made to re-establish the VPN connection.
Conditions:
-- A brief network outage occurs.
-- The 'prohibit routing table change' option is enabled.
Impact:
APM end users must click 'Connect' and re-authenticate in order to re-establish the VPN connection.
Workaround:
To re-establish the VPN connection, click 'Connect' and re-authenticate.
Fix:
Now the Windows Edge Client VPN connection stays active during a brief network outage, regardless of the state of the 'prohibit routing table changes' option.
658636-3 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
Solution Article: K51355172
Component: TMOS
Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct.
Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:
create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon
The system creates the following monitor:
gtm monitor http one_test_mon {
defaults-from http
destination *:*
interval 30
probe-timeout 5
recv 200
send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"
}
Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.
Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.
Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.
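Why the doubled escaping breaks the monitor: the send string is interpreted once when the probe is built, so a stored \r\n becomes CR LF, while a stored \\r\\n becomes a literal backslash followed by r, and the request never gets the CRLF CRLF terminator a server waits for. The following is an added example, not F5 code; the store and wire functions are constructed stand-ins for the tmsh storage paths and the monitor's string interpretation, and TYPED_SEND is the send string from the tmsh command shown above.

```python
# Added example, not F5 code: models the double-escaping shown above, where a
# send string typed as \r\n is stored as \\r\\n by the buggy transaction path.
# The store_* and to_wire functions are constructed stand-ins for tmsh and the
# monitor; they model only the escaping behaviour.

# The send string exactly as typed in the tmsh command above: backslash-r and
# backslash-n are two characters each here, not real CR/LF bytes.
TYPED_SEND = ("GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\n"
              "User-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n")


def escape_backslashes(s: str) -> str:
    """One layer of backslash escaping: every backslash is doubled."""
    return s.replace("\\", "\\\\")


def store_direct(typed: str) -> str:
    """Creating the monitor directly in tmsh: the typed escapes are stored once."""
    return typed


def store_via_transaction_buggy(typed: str) -> str:
    """Batch/transaction path before the fix: the already-escaped string is
    escaped a second time, so each backslash in the stored config is doubled."""
    return escape_backslashes(typed)


def to_wire(stored: str) -> bytes:
    """What the monitor sends: it interprets the backslash escapes in the stored
    send string once. A doubly-escaped sequence yields a literal backslash and
    the letter r instead of a carriage return."""
    return stored.encode("latin-1").decode("unicode_escape").encode("latin-1")


def is_well_formed_http_probe(wire: bytes) -> bool:
    """Check that the probe ends with the CRLF CRLF that terminates an HTTP
    request and carries no literal backslash-r; without the terminator the
    server never answers and the monitor marks the member down."""
    return wire.endswith(b"\r\n\r\n") and b"\\r" not in wire


if __name__ == "__main__":
    for name, store in (("direct", store_direct),
                        ("transaction (buggy)", store_via_transaction_buggy)):
        wire = to_wire(store(TYPED_SEND))
        print(f"{name}: stored={store(TYPED_SEND)[:22]!r} "
              f"well_formed={is_well_formed_http_probe(wire)}")
```

The same check is a quick way to audit existing monitors: run the stored send string through one round of escape interpretation and confirm the result is a complete request.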
658462-1 : Portal Access: tmm may crash if web application uses long cookie names and/or values
Solution Article: K10251490
Component: Access Policy Manager
Symptoms:
If JavaScript code sets a very long cookie value or uses a very long cookie name (longer than 450 bytes), tmm may crash while processing this cookie change.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP APM system is configured with a portal access profile.
-- A user establishes a portal access session using a Google Chrome or Microsoft Edge browser.
-- Content processed by the portal access includes a JavaScript-generated HTTP cookie in which the cookie name or cookie value exceed 450 bytes.
Impact:
tmm crashes. Traffic disrupted while tmm restarts. System failover.
Workaround:
Use an iRule to remove 'Origin' header from any request to '/private/fm/volatile.html'.
Note: This iRule has to enable events for internal requests using 'ACCESS::restrict_irule_events enable' command.
Fix:
TMM no longer crashes when an APM Portal Access web application uses long cookie values and/or names.
658343-3 : AVR tcp-analytics: per-host RTT average may show incorrect values
Solution Article: K33043439
Component: Application Visibility and Reporting
Symptoms:
When viewing Statistics :: Analytics :: TCP :: RTT and then selecting View By: "Remote Host IP Address" in the table below the graph, the values presented in the RTT Avg (ms) column may be incorrect (they can even be larger than the RTT Max column).
As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.
Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.
Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.
Workaround:
None.
Fix:
The rtt_count, rtt_max, rtt_avg, and rtt_sum metrics are now correct in the day, week, and month reports after day and week aggregation. The rtt_sum is now aggregated with the correct value when it exceeds the maximum integer value, as expected.
658315-1 : WebSafe Login Validation may break response
Component: Fraud Protection Services
Symptoms:
The response is dropped, and the client gets an Err_Connection_Closed error.
Conditions:
1. WebSafe and APM are both provisioned and enabled.
2. A request for a WebSafe-protected URL results in a successful Login Validation.
Impact:
The response is dropped and the application breaks.
Workaround:
Do not use WebSafe's Login Validation when a "connection terminating" filter (such as APM) is enabled.
Fix:
Fixed an issue with WebSafe Login Validation causing responses to be dropped.
658261-3 : TMM core after HA during GY reporting
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting.
Conditions:
-- Failover is triggered.
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.
Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.
Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.
Workaround:
None.
658214-1 : TCP connections fail intermittently for mirrored FastL4 virtual server
Solution Article: K20228504
Component: Local Traffic Manager
Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.
Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.
Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.
Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.
Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.
Fix:
In this release, mirrored FastL4 virtual servers now forward the SYN on the server-side after receiving the context-ack from the peer, as expected.
658148-4 : TMM core after intra-chassis failover for some instances of subscriber creation
Solution Article: K23150504
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.
Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.
Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.
658062-1 : 'Default' plain text profile is created upon import policy with Disallowed WebSocket URLs
Component: Application Security Manager
Symptoms:
A plain text profile named 'Default' is created upon import of a policy with Disallowed WebSocket URLs.
Conditions:
The user imports a policy with Disallowed WebSocket URLs.
Impact:
A plain text profile named 'Default' is created. It has no functional purpose.
Workaround:
Delete the plain text profile named 'Default' after import.
Fix:
No additional plain text profile is created upon import of policy with Disallowed WebSocket URLs.
657925-1 : Error when enabling ASM via iRule
Solution Article: K33646141
Component: Application Security Manager
Symptoms:
The following error occurs in the tmm log:
err tmm3[26234]: 01220001:3: TCL error: /Common/irule_switch <HTTP_REQUEST> - while executing "ASM::disable".
Conditions:
Enabling or disabling ASM using an iRule, for example, using an iRule similar to the following:
when HTTP_REQUEST {
ASM::disable
if { ([IP::local_addr] equals "1.1.1.1") } {
ASM::enable /Common/http_asm_policy
log local0. "1 access"
}
elseif { ([IP::local_addr] equals "1.1.1.2") } {
ASM::enable /Common/http_asm_policy_2
log local0. "2 access"
}
}
Impact:
Requests are dropped.
Workaround:
None.
Fix:
Better handling of enable/disable ASM policy via an iRule.
657858-3 : TMM can restart when VLAN keyed connections are disabled.
Solution Article: K85425460
Component: Local Traffic Manager
Symptoms:
TMM may restart intermittently when VLAN-keyed connections are disabled.
Conditions:
VLAN-keyed connections are disabled. Several types of traffic can cause this, including FTP traffic and multicast traffic.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
Disabling VLAN-keyed connections no longer causes TMM to restart.
657632-5 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash
Component: Policy Enforcement Manager
Symptoms:
If a subscriber delete is performed following a HA switchover, tmm may coredump. The probability of this scenario is rare, where a subscriber may have been freed during switchover and a subsequent forced delete command quickly follows.
Conditions:
-- A subscriber delete command followed by an HA switchover.
-- During the switchover, the subscriber was freed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now removes the subscriber index from the table if present in these cases.
657626-1 : User with role 'Manager' cannot delete/publish LTM policy.
Component: Local Traffic Manager
Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.
audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.
Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.
Impact:
Operation does not complete, and system posts error.
Workaround:
None.
657502-1 : JS error when leaving page opened for several minutes
Component: Fraud Protection Services
Symptoms:
Google Chrome delays JS execution when the tab is not active.
As a result, the anti-debug module acts as if someone is trying to debug the JS code.
Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.
Impact:
Errors appear in the console, and the JS logic executes incorrectly.
Workaround:
Detect that the tab is hidden and pause the anti-debug functionality.
Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.
656912-5 : Various NTP vulnerabilities
Solution Article: K32262483
655793-2 : SSL persistence parsing issues due to SSL / TCP boundary mismatch
Solution Article: K04178391
Component: Local Traffic Manager
Symptoms:
When the SSL client or server is set up to send SSL messages whose boundaries do not align with the underlying TCP segment boundaries, the parser fails when SSL persistence is enabled.
Any SSL record spanning multiple TCP segments (here the ServerHello, Certificate, and ServerHelloDone) triggers the issue, and the connection is reset with an SSID error RST cause.
The same failure occurs when a message exceeds the maximum configured size (default 32K).
Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).
Impact:
When parsing fails, the SSL client or server hangs and times out; SSL traffic is affected.
SSL parsing should succeed regardless of whether the SSL message boundaries match the TCP segment boundaries.
Workaround:
Disable SSL persistence.
Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.
655649-1 : BGP last update timer incorrectly resets to 0
Component: TMOS
Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.
Output from 'sh ip route':
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
[20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
[20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
[20/0] via 10.10.1.6, eno33554952, 00:00:00
Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.
Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.
Workaround:
None.
Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.
655628-2 : TCP analytics does not release resources under specific sequence of packets
Component: Local Traffic Manager
Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.
Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.
Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.
Workaround:
Turn off collecting TCP analytics data for the virtual server.
Fix:
TCP analytics now releases resources properly.
655432-6 : SSL renegotiation failed intermittently with AES-GCM cipher
Solution Article: K85522235
Component: Local Traffic Manager
Symptoms:
SSL renegotiation fails intermittently with an AES-GCM cipher because the IV is not updated when a ChangeCipherSpec message is received.
Conditions:
This failure is more likely to occur during mutual authentication.
Impact:
Some servers authenticate the client using renegotiation. This issue prevents their clients from connecting properly.
Workaround:
Disable AES-GCM ciphers.
Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.
655211-4 : bigd crash (SIGSEGV) when running FQDN node monitors
Solution Article: K25384206
Component: Local Traffic Manager
Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.
Conditions:
bigd is configured for FQDN node monitors.
Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.
Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.
Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.
655209-2 : Automatically launched applications run with root permission on VPN establishment
Component: Access Policy Manager
Symptoms:
Configured applications are launched with root permissions on VPN establishment.
Conditions:
A network access resource is configured to automatically launch an application on VPN establishment.
Impact:
The application is launched as root. If the application is interactive, the user may be able to obtain root privileges.
Workaround:
There is no workaround other than not enabling automatic application launch in the network access resource.
Fix:
The application now launches with the user's privileges.
655146-1 : APM Profile access stats are not updated correctly
Component: Access Policy Manager
Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:
err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)
Conditions:
-- A session is established and terminated.
-- The command 'tmsh show apm profile access' is run to view stats.
Impact:
APM profile access stats are not accurate.
Workaround:
None.
Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.
655059-4 : TMM Crash
Solution Article: K37404773
655021-1 : BIND vulnerability CVE-2017-3138
Solution Article: K23598445
654996-2 : Closed connections remains in memory
Solution Article: K50345236
Component: Application Security Manager
Symptoms:
Connections remain open after the client has closed them, which leaks tmm memory.
The following command shows connections for traffic that was already closed: tmsh show sys conn.
Conditions:
-- An iRule with the ASM_RESPONSE_VIOLATION event on the ASM-enabled virtual server.
-- A request carrying a 'Connection: close' header.
Impact:
Memory increases due to connections left open.
Incoming connections to the virtual server may fail, and the BIG-IP system sends a reset with the reset cause "TCP closed".
Workaround:
If possible, remove this event from the iRule and/or add a OneConnect profile to the virtual server.
654915-1 : Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address
Component: Application Visibility and Reporting
Symptoms:
For traffic capturing, if a pool member is assigned a special name (e.g., 'for internal activity'), the external AVR log will report the internal IP address instead of the pool member name.
Conditions:
1. Assign name to internal pool member.
2. Enable HTTP traffic capturing.
3. Allow AVR to collect HTTP statistics.
4. View pool member name in external AVR log.
Impact:
External log reports internal IP address instead of pool member name.
Workaround:
There is no workaround at this time.
Fix:
The external AVR log now reports the pool member name as expected.
654873-1 : ASM Auto-Sync Device Group
Component: Application Security Manager
Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.
Conditions:
A mix of the following operations in the GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.
Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.
Workaround:
Use manual sync groups for ASM sync.
Fix:
Communication for auto-sync groups repaired.
654696-1 : iCall script may log an error on execution
Component: iApp Technology
Symptoms:
An iCall script may log errors during execution while manipulating iStats. An example error is as follows: Failure in iCall script ${folder}/publish_stats while collecting application statistics.
The error messages are due to file locking on the stats segment when multiple threads from multiple invocations of iCall scripts access the same file.
Conditions:
Multiple iCall scripts access the same data segment.
Impact:
The script cannot record statistics for the interval during which it cannot access the data segment. Over time, the script daemon recovers and updates statistics. There is no impact on functionality.
Workaround:
None.
654599-4 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
Solution Article: K74132601
Component: Global Traffic Manager (DNS)
Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.
Conditions:
The configuration contains a large number (in the thousands) of GSLB virtual servers or wide IPs, so the action is not completed.
Impact:
The "Finished" button on that page does not save the changes made on that page.
Workaround:
Use TMSH.
Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.
654513-1 : APM daemon crashes when the LDAP query agent returns empty in its search results.
Solution Article: K11003951
Component: Access Policy Manager
Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.
Impact:
The APM daemon crashes, and RBA and WebSSO need to be restarted. This issue is very rarely encountered.
Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.
Note: Adding the extra LDAP Auth agent to the policy preserves its functionality and features; the policy then fails in the LDAP Auth agent instead of crashing in the LDAP Query agent.
Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.
654485-1 : Portal Access: Same-origin AJAX request may fail if response contains non-wildcard Access-Control-Allow-Origin header
Solution Article: K85549136
Component: Access Policy Manager
Symptoms:
A same-origin AJAX request fails via Portal Access if the back-end response includes an Access-Control-Allow-Origin header whose value is neither '*' nor the request origin.
Conditions:
- A same-origin AJAX request, for example:
GET /some/file.ext HTTP/1.1
Host: example.com
Origin: http://example.com
- A back-end response with an Access-Control-Allow-Origin header:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://another.com
Without Portal Access, such a response is valid and readable by the client web application (CORS does not apply to same-origin requests), provided there were no redirects. Via Portal Access, the response is rejected.
Impact:
Web application may not work correctly.
Workaround:
Use an iRule to remove the special query parameter 'F5_origin' from same-origin AJAX requests via Portal Access, which disables the CORS check emulation.
Fix:
Now same-origin AJAX requests are handled correctly in spite of Access-Control-Allow-Origin response header.
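The decision a browser makes for a request/response pair like the one in this item, written out as an added example; it is not code from the release note, from BIG-IP, or from Portal Access. It models the standard CORS rule: a same-origin response is always readable, whatever Access-Control-Allow-Origin says; a cross-origin response is readable only if the header is '*' (and the request carried no credentials) or is a byte-for-byte match of the request's Origin. The default-port stripping in origin_of and the literal word "credentials" as the fourth argument are this example's own conventions; IPv6 literals and redirects are not handled.

```shell
#!/bin/sh
# Added example; not from the release note and not BIG-IP or Portal Access
# code. Models the browser-side CORS decision that Portal Access emulates.

# origin_of URL -> serialized origin "scheme://host[:port]" (lowercase,
# default port dropped), i.e. what the browser sends in the Origin header.
origin_of() {
    scheme=$(printf '%s' "${1%%://*}" | tr 'A-Z' 'a-z')
    hostport=${1#*://}
    hostport=${hostport%%/*}
    hostport=${hostport%%\?*}
    hostport=$(printf '%s' "$hostport" | tr 'A-Z' 'a-z')
    case "$scheme:$hostport" in
        http:*:80)   hostport=${hostport%:80} ;;
        https:*:443) hostport=${hostport%:443} ;;
    esac
    printf '%s://%s\n' "$scheme" "$hostport"
}

# cors_readable ORIGIN URL ACAO [credentials]
#   ORIGIN      value of the request's Origin header
#   URL         the request URL
#   ACAO        value of the response's Access-Control-Allow-Origin ('' if absent)
#   credentials pass this literal word if the request carried credentials
# Exit status 0 if the page may read the response, 1 otherwise.
cors_readable() {
    if [ "$1" = "$(origin_of "$2")" ]; then
        return 0                            # same-origin: CORS does not apply
    fi
    case "$3" in
        '')  return 1 ;;                    # cross-origin without ACAO: blocked
        '*') [ "${4:-}" != credentials ] ;; # wildcard is not allowed with credentials
        *)   [ "$3" = "$1" ] ;;             # must equal the Origin byte for byte
    esac
}

# The case from this item: same-origin request, ACAO names a third site.
# A browser reads the response; the Portal Access emulation wrongly rejected it.
cors_readable "http://example.com" "http://example.com/some/file.ext" "http://another.com" \
    && echo "same-origin request: readable despite ACAO=http://another.com"
cors_readable "http://other.com" "http://example.com/some/file.ext" "http://another.com" \
    || echo "cross-origin request from http://other.com: blocked, as it should be"
```

The first branch of cors_readable is the one the Portal Access emulation was missing: the Access-Control-Allow-Origin value is only consulted once the request has been classified as cross-origin.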
654368-1 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
Component: Local Traffic Manager
Symptoms:
No error is reported when the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by a trusted CA, if the CRL issuer name matches the subject name of one of the certificates in the trusted CA bundle.
Conditions:
This occurs when associating CRLs with virtual servers.
Impact:
Error is not reported for invalid CRL.
Workaround:
The openssl command-line tool can be used to check whether the CRL is actually signed by a trusted CA before associating it with the profile.
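The check this workaround refers to, as an added example that is not taken from the release note or from BIG-IP. It builds two self-signed CAs that deliberately share one subject name, issues an empty CRL from each, and shows that 'openssl crl -CAfile' accepts only the CRL signed by the trusted key, while the issuer names of both CRLs are identical (the exact condition under which the profile reported nothing). It assumes an openssl binary (1.1.x or 3.x) on PATH; all keys, certificates and CRLs are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example; not from the release note and not BIG-IP code. Shows that
# 'openssl crl -CAfile' verifies the CRL signature, whereas comparing the
# issuer name alone cannot tell a genuine CRL from one signed under the same
# name by a different key. Assumes an 'openssl' binary (1.1.x or 3.x) on PATH.

# verify_crl CRL CA_BUNDLE -> exit 0 only if the CRL signature verifies against
# a certificate in the bundle. openssl reports "verify OK" / "verify failure"
# on stderr, hence the 2>&1.
verify_crl() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# crl_issuer CRL -> the issuer DN: the name-only comparison that is not enough.
crl_issuer() {
    openssl crl -in "$1" -noout -issuer
}

# make_ca PREFIX: self-signed CA (PREFIX.key, PREFIX.pem).
# Every CA built here deliberately carries the same subject name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example/CN=Trusted Root CA" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# make_crl PREFIX OUT: empty CRL signed by PREFIX's key, using the minimal
# 'openssl ca' database (index, crlnumber, config) that -gencrl needs.
make_crl() {
    : > "$1.index"
    echo 01 > "$1.crlnumber"
    cat > "$1.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $1.index
crlnumber = $1.crlnumber
default_md = sha256
default_crl_days = 7
EOF
    openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.pem" \
        -out "$2" >/dev/null 2>&1
}

# setup_demo -> prints a directory holding trusted.pem, good.crl (signed by the
# trusted CA) and bad.crl (signed by an impostor CA with the same subject).
setup_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/trusted" && make_ca "$d/impostor" &&
        make_crl "$d/trusted" "$d/good.crl" &&
        make_crl "$d/impostor" "$d/bad.crl" || return 1
    echo "$d"
}

# report CRL CA_BUNDLE: what an operator should look at before attaching a CRL.
report() {
    if verify_crl "$1" "$2"; then
        echo "$1: $(crl_issuer "$1") -> signature OK, safe to attach"
    else
        echo "$1: $(crl_issuer "$1") -> SIGNATURE FAILS, do not attach"
    fi
}

DEMO_DIR=$(setup_demo)
report "$DEMO_DIR/good.crl" "$DEMO_DIR/trusted.pem"
report "$DEMO_DIR/bad.crl"  "$DEMO_DIR/trusted.pem"
```

Against a real file, run verify_crl with the CRL and the CA bundle the profile trusts; a "verify failure" from openssl is precisely the case the profile did not report, and the matching issuer DN printed by crl_issuer shows why a name check alone is not a substitute.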
Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.
654275-1 : Traffic Capturing is not reported to external log when "use-offbox" is set.
Component: Application Visibility and Reporting
Symptoms:
When use-offbox is set in 'analytics global-settings', transaction capturing data is not sent to the external log.
Conditions:
1. use-offbox is set.
2. In the analytics profile, 'Traffic Capturing Logging Type' is set to 'internal'.
Impact:
Traffic capturing is not reported to the external log.
Workaround:
Set 'Traffic Capturing Logging Type' to 'external' in the analytics profile.
Fix:
When use-offbox is set, AVR now sends traffic capturing data to the external log.
654046-2 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
Component: Access Policy Manager
Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests using inclusive namespaces, a BIG-IP system used as a SAML IdP may fail to process those requests. The user's SSO fails, with the following errors in /var/log/tmm:
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication
Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.
Impact:
Users are unable to perform SAML SSO with certain external service providers.
Workaround:
None.
Fix:
BIG-IP APM as a SAML IdP can now process canonicalized authentication requests containing inclusive namespaces.
653993-4 : A specific sequence of packets to the HA listener may cause tmm to produce a core file
Solution Article: K12044607
653879-1 : CVE-2017-6214
Solution Article: K81211720
653771-1 : tmm crash after per-request policy error
Component: Access Policy Manager
Symptoms:
A TMM core occurs when a Reject ending in a per-request policy encounters an error.
Conditions:
The conditions that trigger this are unknown at this time; it was seen once on a per-request policy error.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM no longer cores when a Reject ending encounters an error in a per-request policy.
653511-3 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
Solution Article: K45770397
Component: Local Traffic Manager
Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.
Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".
Impact:
Service interruption due to intermittent connection failures.
Workaround:
None.
Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.
653495-1 : Incorrect SNI hostname attached to serverside connections
Solution Article: K05411532
Component: Local Traffic Manager
Symptoms:
SNI hostname submitted to a virtual server on the client side is sent to server side, even if there is a different hostname specified in the server SSL profile.
Conditions:
-- Client side ClientHello contains SNI.
Impact:
The client's SNI is forwarded to the server without being stripped or rewritten.
Workaround:
None.
Fix:
SNI hostname submitted to a virtual server on the client side is no longer sent to server side unless specifically requested (for example when forward proxy is enabled). When there is a different hostname specified in the server SSL profile the SNI is also rewritten to the specified hostname.
653292-1 : MySQL does not initialize correctly on first system start
Component: Application Security Manager
Symptoms:
MySQL is not yet set up and fails to initialize. The log shows:
Shutting down MySQL...... SUCCESS!
Conditions:
AVR or ASM is provisioned.
Impact:
AVR, loadmanager, and other services that depend on MySQL are down.
Workaround:
Running 'bigstart restart mysql' should resolve the issue.
Fix:
MySQL is now given enough time to initialize properly.
653285-2 : PEM rule deletion with HSL reporting may cause tmm coredump
Component: Policy Enforcement Manager
Symptoms:
tmm cores when a PEM policy rule with HSL reporting configured is deleted while passing active subscriber traffic.
Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.
Impact:
tmm coredump causes traffic disruption and restart of tmm.
Workaround:
None.
Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.
653136-1 : transaction capturing sends binary data without escaping
Component: Application Visibility and Reporting
Symptoms:
If the transaction body contains binary data and transaction capturing is on, AVR sends the binary data to the external log without escaping it.
Conditions:
1. Transaction capturing is on.
2. The transaction (request or response) contains binary data.
Impact:
AVR reports binary data without escaping it.
Workaround:
There is no workaround at this time.
Fix:
AVR now escapes binary data before sending it to the external log.
653065 : CVE-2016-6136: Linux kernel vulnerability
Solution Article: K90803619
653014-2 : Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name
Component: Application Security Manager
Symptoms:
Custom Blocking pages that contain an HTTP header with an underscore in its name are not handled correctly.
Conditions:
A custom Blocking page is defined that contains an HTTP header with an underscore in its name.
Impact:
Set Active fails.
Workaround:
Use hyphens instead of underscores in the header name.
Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.
652973-3 : Coredump observed at system bootup time when many DHCP packets arrive
Component: Local Traffic Manager
Symptoms:
During system bootup, a system coredump is observed when many DHCP packets arrive before the system is fully ready, and many flow entry creation failures are observed.
Conditions:
-- BIG-IP DHCP proxy is in forwarding mode.
-- DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address.
-- DHCP packets arrive during system bootup and before system is fully ready (i.e., some VLANs, interfaces and routes are not fully up).
Impact:
System crash and coredump.
Workaround:
Make sure system has come up completely before sending DHCP packets to the system.
Fix:
Coredump no longer occurs under these conditions.
652910-1 : Native RDP published on webtop does not connect if allowed vlans specified explicitly
Component: Access Policy Manager
Symptoms:
Native RDP hosts published on a webtop do not connect if allowed VLANs are specified explicitly on the virtual server. The RDP file downloads, but opening it produces an error from the RDP client such as "Your computer can't connect to the remote computer".
Conditions:
- Native RDP host type published in webtop mode.
- The RDP virtual server specifies the allowed VLANs explicitly.
- MSRDP NTLM configuration is not specified in the VDI profile.
Impact:
Cannot connect to the Native RDP host published on the webtop.
Workaround:
Use either of the following workarounds:
- Configure the virtual server with "All VLANs and Tunnels".
- Configure MSRDP NTLM auth in the VDI profile attached to the virtual server.
Fix:
Now Native Remote Desktop (RDP) resources can be delivered from APM virtual servers that have the "VLAN and Tunnel Traffic" set to a non-default value.
652781 : Learn from responses checkbox can appear checked and disabled in manual mode
Solution Article: K19003278
Component: Application Security Manager
Symptoms:
A security policy can get the 'Learn from responses' checkbox turned on in automatic mode. After moving to manual mode, the checkbox remains checked and it is not possible to uncheck it in manual mode.
Conditions:
This occurs when the following actions are performed, in this order:
1. Have a policy in automatic mode.
2. Check 'Learn from responses'.
3. Move the policy to manual mode.
Impact:
Cannot uncheck the 'Learn from responses' checkbox in manual mode.
Workaround:
Move to automatic, uncheck the checkbox, and move back to manual.
652535-2 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
Solution Article: K54443700
Component: Local Traffic Manager
Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.
Conditions:
An HTTP/2 profile is enabled on the virtual server. The frame header gets fragmented because of TCP segmentation.
Impact:
HTTP/2 stream is reset.
Workaround:
None.
Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.
652278-1 : dwbld process may leak memory during extended uptime
Solution Article: K81003383
Component: Advanced Firewall Manager
Symptoms:
The dwbld process may leak memory during extended uptime.
As a result of this issue, you may encounter one or more of the following symptoms:
-- A progressive increase in the amount of memory used by the dwbld process.
-- When configured as part of a high availability (HA) group, the device fails over due to memory exhaustion.
-- When configured as a standalone device, the device stops responding due to memory exhaustion.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your system is licensed and provisioned with the BIG-IP AFM or BIG-IP ASM modules.
-- The BIG-IP system uptime is extensive (many hours).
Impact:
dwbld gradually leaks memory even when idle. The system runs low on resident memory, which affects the performance of the rest of the system.
Workaround:
Periodically run the following command:
bigstart restart dwbld
Fix:
The dwbld memory leak was identified and fixed.
652200-2 : Failure to update ASM enforcer about account change.
Solution Article: K81349220
Component: Application Security Manager
Symptoms:
There is an error updating BD with the following information:
Errors:
------------
bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled
ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------
Conditions:
In a high availability environment (with manual failover and ASM), with a UCS load that contains policies with the same names.
Impact:
Traffic is blocked due to an Unknown HTTP selector error.
Workaround:
Use one of the following workarounds:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.
Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).
652151 : Azure VE: Initialization improvement
Solution Article: K61757346
652146-1 : Email agent does not send email if the remote server does not provide a 200 OK response to VRFY request.
Solution Article: K07269132
Component: Access Policy Manager
Symptoms:
Access Policy Email Agent does not send email if the remote server does not provide a 200 OK response to VRFY request.
Conditions:
The version of cURL included in 13.0.0 uses VRFY requests to confirm that recipients are valid before sending mail. Many servers consider VRFY a potential information leak and respond with '252 - Not verified', in which case the BIG-IP system does not send the message.
Impact:
The Access Policy Email Agent neither sends the mail message nor logs an error about mail not being sent.
Workaround:
None.
Fix:
The APM Email agent no longer attempts to verify recipient addresses and sends email to the requested addresses without verification. This is correct behavior.
Behavior Change:
The APM Email agent (v13.1.0 and later) will not verify recipient addresses before sending email messages. This is correct behavior.
652052-2 : PEM:sessions iRule made the order of parameters strict
Component: Policy Enforcement Manager
Symptoms:
In versions before 12.0, the order of parameters for the "PEM::SESSIONS" command was flexible. The new validation infrastructure in 12.0 made it strict, which breaks some existing iRules.
The system will report a validation error such as:
01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]
Conditions:
Some parameters, for example subscriber-id, come before the user-name parameter.
Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.
Workaround:
Change the order of the parameters.
652004-1 : Show /apm access-info all-properties causes memory leaks in tmm
Solution Article: K45320415
Component: Access Policy Manager
Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.
Conditions:
Using 'show /apm access-info all-properties'.
Impact:
Memory leaks in the tmm daemons. This affects all modules that use tmm.
Workaround:
The only workaround is not to use the MCP interface of the tmm daemon, or to restart the tmms periodically after using the interface multiple times.
Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.
651910-1 : Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
Component: Access Policy Manager
Symptoms:
You cannot change the 'Enable Access System Logs' and 'Enable URL Request Logs' properties via the GUI.
Conditions:
After upgrade from 12.x to 13.0.0 (where these new fields were added) or later.
Impact:
You cannot change 'Enable Access System Logs' and 'Enable URL Request Logs'.
Workaround:
Manually add the properties via tmsh. Substitute your affected log setting for abc in the following example:
modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}
Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.
651772-4 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, whether by a host daemon, by monitors, or from the command line, may use a MAC and IPv6 source address belonging to a different VLAN.
Conditions:
- Multiple VLANs with IPv6 addresses configured.
- Multiple routes to the same destination (equal or more specific routes, default routes, and so on) that cover the traffic destination.
- Route changes that shift traffic to the destination from one VLAN and gateway to another. This is typically observed with dynamic routing updates.
Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.
Workaround:
Continuous traffic to the IPv6 link-local nexthops avoids this issue.
This can be achieved with a script or an external monitor that pings the nexthop link-local address via the specific VLAN.
Fix:
IPv6 host traffic no longer uses an incorrect IPv6 and MAC address after route updates.
Behavior Change:
Introduces the sys db variable ipv6.host.router_probe_interval, which controls the sysctl net.ipv6.conf.default.router_probe_interval value. The default is 5 seconds.
651651-1 : bigd can crash when a DNS response does not match the expected value
Solution Article: K54604320
Component: Local Traffic Manager
Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.
Conditions:
Monitoring DNS server(s), or using FQDN.
Impact:
Potential bigd core and restart; this may cause an endless restart loop as long as a DNS monitor instance is configured.
Workaround:
No workaround at this time.
Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.
651627 : IP addresses may appear "Aggregated" in "COMMON" section of dashboard but not Aggregated when applying module-specific filter
Component: Application Visibility and Reporting
Symptoms:
Some IP addresses may appear as "Aggregated" in the "COMMON" section of the dashboard but not Aggregated when applying a module-specific filter.
This occurs because a lack of memory causes information to be aggregated in the "COMMON" section before it is aggregated in the module-specific DB.
Conditions:
A lot of diverse traffic (for some module) from many IP addresses, on a system with a small amount of memory allocated to AVR.
Impact:
The user sees a specific number (x) of IP addresses, marked "Aggregated", upon landing on the dashboard, but when selecting a module-specific filter, statistics show x+y IP addresses (that is, essentially not aggregated).
Workaround:
Provision more memory to AVR.
Fix:
With this fix, aggregation no longer happens in COMMON before it happens in the specific module, which is the correct behavior.
651476-1 : bigd may core on non-primary bigd when FQDN in use
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.
Conditions:
FQDN is in use.
Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.
Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.
Fix:
Known causes of the bug have been fixed.
651243-1 : CVE-2017-2636: Linux kernel vulnerability
Solution Article: K18015201
651229-1 : tmm may restart when SAML SLO is initiated by SP using redirect binding
Solution Article: K14429395
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is configured as a SAML SP, two bindings are supported for the SLO profile: HTTP-Redirect and HTTP-POST (the default). If the BIG-IP system initiates SP SLO using the HTTP-Redirect binding, tmm may restart.
Conditions:
-- Configure the BIG-IP system as SAML SP.
-- Configure HTTP-Redirect binding for SLO profile.
-- Initiate SLO on SAML SP.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Reconfigure the BIG-IP system to use HTTP-POST binding for SLO profile. Configuration should be changed on IDP connector objects.
Fix:
tmm no longer restarts when SAML SLO is initiated by SP using redirect binding.
651221-3 : Parsing certain URIs may cause the TMM to produce a core file.
Solution Article: K25033460
651173 : Security hardening of qkview
Component: TMOS
Symptoms:
qkview may collect sensitive information from BIG-IP system.
Conditions:
Collecting qkview.
Impact:
qkview may collect sensitive information.
Workaround:
None.
Fix:
qkview no longer collects sensitive information.
651135-2 : LTM Policy error when rule names contain slash (/) character★
Solution Article: K41685444
Component: Local Traffic Manager
Symptoms:
Beginning with v12.0.0, LTM Policy rule names are validated to allow only certain characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.
But because the slash character is used as a delimiter in the BIG-IP object path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name cause validation problems: the rule appears to the system to have additional path segments.
Conditions:
LTM Policy rule contains the slash (/) character.
Impact:
Either the configuration does not load, or it loads but the admin GUI does not show the policy rule.
Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.
For example, the following policy won't load because the rule name contains a slash (/) character:
ltm policy mypolicy {
    ...
    rules {
        /testperson/a {
            ...
        }
But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
ltm policy mypolicy {
    ...
    rules {
        _testperson_a {
            ...
        }
Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.
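The script below is an added illustration, not part of this release note and not F5's roll-forward code. It applies the same slash-to-underscore translation to LTM Policy rule names in a bigip.conf text before the file is loaded. It walks the brace structure so that only the names directly under "rules {" are rewritten; slashes that belong to values ("pool /Common/pool_a", "values { /a }") and the policy's own /Common/ path are left alone. The sample configuration is constructed for the example.

```python
"""Rename LTM Policy rule names containing a slash in a bigip.conf text,
mirroring the slash -> underscore translation applied by the roll-forward.
Added example, not F5 code; SAMPLE_BIGIP_CONF is constructed.
"""

SAMPLE_BIGIP_CONF = """\
ltm policy /Common/mypolicy {
    controls { forwarding }
    requires { http }
    rules {
        /testperson/a {
            actions {
                0 {
                    forward
                    select
                    pool /Common/pool_a
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { /a }
                }
            }
            ordinal 1
        }
        plain_rule {
            ordinal 2
        }
    }
    strategy /Common/first-match
}
"""


def rename_slash_rules(conf: str):
    """Return (rewritten_conf, renames) where renames is [(old, new), ...].

    A rule name is the token that opens a block while the enclosing blocks
    are exactly [ltm policy <name>, rules]. Only such tokens are rewritten,
    so slashes in pool paths, URI values and the policy's own path survive.
    """
    stack = []
    renames = []
    out = []
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.endswith("{") and not stripped.startswith("}"):
            name = stripped[:-1].strip()
            in_rules = (len(stack) == 2 and stack[0].startswith("ltm policy ")
                        and stack[1] == "rules")
            if in_rules and "/" in name:
                new_name = name.replace("/", "_")
                renames.append((name, new_name))
                indent = line[: len(line) - len(line.lstrip())]
                line = f"{indent}{new_name} {{"
                name = new_name
            stack.append(name)
        elif stripped == "}":
            if stack:
                stack.pop()
        # One-line blocks such as "controls { forwarding }" or "values { /a }"
        # open and close on the same line and do not change the stack.
        out.append(line)
    return "\n".join(out) + "\n", renames
```

Run rename_slash_rules over the contents of bigip.conf, review the returned renames list, and only then write the rewritten text back; a second pass over the output returns no renames, which is a cheap check that nothing was missed.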
651106-1 : memory leak on non-primary bigd with changing node IPs
Component: Local Traffic Manager
Symptoms:
On BIG-IP systems with multiple blades, or with multiple bigd processes running (bigd.1, bigd.2, etc.), if FQDN nodes are configured, all secondary bigd processes consume an unusually high amount of memory, and bigd may core when the FQDN node IP addresses change frequently.
Conditions:
FQDN nodes are configured, and the system as a whole has multiple bigd processes running, either across multiple blades or as multiple bigd instances on a single blade. As configuration changes to FQDN nodes cause IP addresses to change, memory consumption by bigd on the non-primary blades or instances may be unusually high.
Impact:
bigd memory leak; possible bigd crash.
Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.
651084-1 : 'tmsh show sys memory raw' command shows a slow build up of memory usage.
Solution Article: K17330535
Component: TMOS
Symptoms:
The istats_incr and istats_set commands do not release the memory used while processing them. TMM might eventually core.
Conditions:
-- Configure SSL Orchestrator.
-- Use istats_incr and istats_set commands.
Impact:
Heap memory usage goes up. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The istats_incr and istats_set commands now release the memory used while processing them, so TMM no longer cores.
651001-2 : massive prints in tmm log: "could not find conf for profile crc"
Component: Advanced Firewall Manager
Symptoms:
Large numbers of the following message appear in the tmm log while traffic is passing:
"could not find conf for profile crc"
Conditions:
1. A DoS profile is attached to the virtual server, and the DoS profile does not have DoS Application protection enabled.
2. An ASM policy is attached to the same virtual server with Web Scraping, Session Hijacking, Session Awareness with Device ID (DID) collection, or Brute Force with Device ID collection enabled.
Impact:
The volume of messages written to the tmm log can cause tmm to abort. Traffic is disrupted while tmm restarts.
Workaround:
Enable DoS Application protection in the DoS profile (even if it is configured to do nothing).
Fix:
The message is no longer logged.
650450 : After upgrade to v13.0.0, users may be met with a javascript error on the logon page or other APM pages
Solution Article: K91200585
Component: Access Policy Manager
Symptoms:
BIG-IP APM v13.0.0 has modified javascript to better handle more flexible session timeout parameters. This necessitated a modification in the timeout code in APM.
Unfortunately, that means that after upgrade, your users may receive a script error: 'APMSessionTimeout is undefined' when using the F5 Edge Client, or when using a browser that has the old code cached.
Conditions:
Upgrade to BIG-IP APM v13.0.0 with a login page or other Policy Item that presents a GUI to end users connecting using the F5 Edge Client or a browser with the previous version's timeout javascript code cached.
Impact:
Users receive confusing script errors in Edge Client or their web browser.
Workaround:
Use one of the following workarounds. Note: If possible, use the first one. Only perform the manual workaround if the first one is not possible.
-- Check the Knowledgebase Article (https://support.f5.com/csp/article/K91200585) to determine available fix versions, and then contact F5 Networks Technical Support to obtain any available Engineering Hotfix or version Hotfix to address this issue.
-- Perform this manual workaround:
First, locate the items such as Logon Page and add a '?13' after the include for session_check.js.
For example, the following steps:
1. Logon to the GUI as Admin.
2. Click Profiles/Policies :: Customization :: Advanced.
3. Navigate to your Access Policy.
4. Navigate to Access Policy, then to the page that has the issue, such as Logon Page.
Note: The page is "logon.inc" for a logon page.
5. Locate the following line:
<script language="JavaScript" src="/public/include/js/session_check.js" ></script>
6. Insert ?13 after session_check.js in the script line, for example:
<script language="JavaScript" src="/public/include/js/session_check.js?13" ></script>
7. Click Save Draft.
8. Click Save.
Note: Using the specific text "13" in "?13" isn't critical; it just must be some text.
Fix:
End users with Edge Client or other browser no longer receive javascript errors.
650292-1 : DNS transparent cache can return non-recursive results for recursive queries
Component: Local Traffic Manager
Symptoms:
If the answer to a non-recursive query is cached by the DNS transparent cache, subsequent recursive queries for the same name are served that non-recursive answer.
Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.
Impact:
Non-recursive responses are returned for recursive requests.
Workaround:
An iRule can be attached to the listener to disable the cache when the RD (recursion desired) bit is not set in the DNS request.
Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.
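The following is an added example, not BIG-IP or TMM code, that models the fixed behavior described above with an in-memory cache: each cached answer records whether it was obtained for a recursive query, a recursive (RD=1) query never gets served an answer that was obtained non-recursively, and the recursive answer then replaces the stale entry. Setting honor_rd=False reproduces the old behavior for comparison. The DNS query bytes and the resolver callback are constructed for the example.

```python
"""RD-aware transparent cache model. Added example, not BIG-IP code; the
query packets and the resolve() callback are constructed for illustration.
"""
import struct

RD_FLAG = 0x0100  # Recursion Desired bit in the DNS header flags word


def build_query(txid: int, qname: str, qtype: int = 1, rd: bool = True) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(pkt: bytes):
    """Return (txid, rd, qname, qtype) from a DNS query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, bool(flags & RD_FLAG), ".".join(labels).lower(), qtype


class TransparentCache:
    """Cache keyed on (qname, qtype). Each entry records whether the answer
    came from a recursive lookup. honor_rd=False is the pre-fix behavior."""

    def __init__(self, honor_rd: bool = True):
        self.honor_rd = honor_rd
        self._entries = {}

    def lookup(self, qname: str, qtype: int, rd: bool):
        entry = self._entries.get((qname.lower(), qtype))
        if entry is None:
            return None
        answer, recursive = entry
        if self.honor_rd and rd and not recursive:
            # Recursive query but the cached answer was obtained with RD=0:
            # ignore it so the query is forwarded to the server.
            return None
        return answer

    def store(self, qname: str, qtype: int, rd: bool, answer) -> None:
        # The newest answer wins, so a recursive answer replaces a stale
        # non-recursive entry for the same key.
        self._entries[(qname.lower(), qtype)] = (answer, rd)

    def serve(self, query: bytes, resolve):
        """Answer from cache when allowed, else call resolve(qname, qtype, rd)
        and cache the result. Returns (answer, from_cache)."""
        _, rd, qname, qtype = parse_question(query)
        cached = self.lookup(qname, qtype, rd)
        if cached is not None:
            return cached, True
        answer = resolve(qname, qtype, rd)
        self.store(qname, qtype, rd, answer)
        return answer, False
```

The resolve callback stands in for the upstream server; in the fixed model the second (recursive) query for a name first seen with RD=0 is a cache miss and reaches the server exactly once, after which it is served from cache.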
650059-3 : TMM may crash when processing VPN traffic
Solution Article: K20087443
649933-2 : Fragmented RADIUS messages may be dropped
Component: Service Provider
Symptoms:
Large RADIUS messages may be dropped when processed by iRules.
Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.
Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:
Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""
Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.
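As an added example (not BIG-IP or iRule code), the parser below reads RADIUS attribute-value pairs from packets up to the 4096-octet maximum that RFC 2865 allows, so a request of more than 2048 octets is perfectly well formed on the wire. It then extracts attribute 61 (NAS-Port-Type, an integer), the lookup that the failing RADIUS::avp 61 "integer" call above performs. The Access-Request packet is constructed inline, with a zero authenticator as a placeholder.

```python
"""RADIUS packet and AVP parser tolerant of full-size (4096 octet) packets.
Added example, not F5 code; the sample Access-Request is constructed.
"""
import struct

ACCESS_REQUEST = 1
PROXY_STATE = 33       # opaque attribute, may appear any number of times
NAS_PORT_TYPE = 61     # integer attribute; 15 = Ethernet
MAX_RADIUS_LEN = 4096  # RFC 2865 section 3


def build_avp(attr_type: int, value: bytes) -> bytes:
    if not 0 <= len(value) <= 253:
        raise ValueError("AVP value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_radius(code: int, identifier: int, authenticator: bytes, avps) -> bytes:
    body = b"".join(avps)
    length = 20 + len(body)
    if len(authenticator) != 16 or length > MAX_RADIUS_LEN:
        raise ValueError("bad authenticator or packet too long")
    return struct.pack("!BBH", code, identifier, length) + authenticator + body


def parse_radius(pkt: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    The header Length field is authoritative (octets beyond it are padding);
    an AVP Length below 2 or running past the packet is malformed.
    """
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > MAX_RADIUS_LEN or length > len(pkt):
        raise ValueError(f"invalid RADIUS Length {length}")
    authenticator = pkt[4:20]
    avps, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"malformed AVP {attr_type} at offset {pos}")
        avps.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, avps


def avp_integer(avps, attr_type: int):
    """Return the first occurrence of an integer attribute, or None."""
    for t, value in avps:
        if t == attr_type:
            if len(value) != 4:
                raise ValueError("integer attribute must be 4 octets")
            return struct.unpack("!I", value)[0]
    return None


def sample_large_request() -> bytes:
    """Constructed Access-Request of about 3 KB: twelve 253-octet Proxy-State
    attributes plus NAS-Port-Type = 15 (Ethernet). Authenticator is a zero
    placeholder; a real request carries 16 random octets."""
    avps = [build_avp(PROXY_STATE, b"x" * 253) for _ in range(12)]
    avps.append(build_avp(NAS_PORT_TYPE, struct.pack("!I", 15)))
    return build_radius(ACCESS_REQUEST, 7, bytes(16), avps)
```

A packet that exceeds 2048 octets is therefore not a protocol error, and a client or server that emits one is behaving within the RFC; the workaround above exists only because the affected iRule command could not handle it.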
649929-2 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
Component: Access Policy Manager
Symptoms:
Cannot delete saml_sp_connector from a transaction even when all related objects are specified.
Conditions:
Deleting a saml_sp_connector in a transaction together with its associated objects.
Impact:
Cannot delete saml_sp_connector and associated objects.
Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector
Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.
649907-1 : BIND vulnerability CVE-2017-3137
Solution Article: K30164784
649904-1 : BIND vulnerability CVE-2017-3136
Solution Article: K23598445
649617-1 : qkview improvement for OVSDB management
Component: TMOS
Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.
If the user wants the BIG-IP system to connect to an OVSDB-capable controller over an SSL connection, the user must configure a certificate and a certificate key using the TMSH command "sys management-ovsdb". If the user later runs qkview to collect system information, the configured certificate key is collected in the qkview.
Conditions:
The following conditions need to be met:
- BIG-IP has the SDN services license.
- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.
- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.
Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.
Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.
In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.
Fix:
The certificate key configured in "sys management-ovsdb cert-key-file" is no longer collected when running qkview.
649571-2 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not act when the server fails to respond to its renegotiation request.
Conditions:
The BIG-IP system acts as a TLS client, and the TLS server ignores the renegotiation request. Finite TLS session data or time limits are configured in the Server SSL profile on the BIG-IP system.
An example of such a TLS server is Apache/2.4.10 on Fedora Linux.
Impact:
Limits such as the data limit ("Renegotiate Size" in Server SSL) or time limit ("Renegotiate Period" in Server SSL) are not enforced, even when a finite "Handshake Timeout" is configured.
Workaround:
None.
Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.
649369-1 : DES, 3DES and HIGH cipher string includes/excludes wrong ciphers
Component: Local Traffic Manager
Symptoms:
When the cipher string contains "DES", 3DES ciphers are also included. The keyword "3DES" has no effect on which ciphers are included or excluded. HIGH included 3DES ciphers; 3DES is now classified as medium strength and is no longer part of HIGH.
Conditions:
Cipher string contains DES, 3DES and/or HIGH.
Impact:
Additional ciphers being offered to the client or ciphers not being omitted.
Behavior Change:
3DES ciphers moved from "high" to "medium".
649234-1 : TMM crash from a possible memory corruption.
Component: Access Policy Manager
Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.
Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.
649048 : SSLI statistic and Traffic classification statistic lost after upgrade
Component: Application Visibility and Reporting
Symptoms:
If you upgrade from 13.0.0 to 13.1.0 or later, SSLI and traffic classification statistics are lost.
Conditions:
This occurs when upgrading SSLI from version 13.0.0
Impact:
SSLI and traffic classification statistic will be lost.
Fix:
Fixed an issue with statistics being lost during upgrade.
648990-1 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
Component: Local Traffic Manager
Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:
info tmm[17859]: 01260034:6: Block cipher data limit exceeded.
Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.
Impact:
Server-side SSL renegotiation does not occur, and the log message is displayed.
648954-1 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
The error references an iRule that previously existed but has been deleted (or is being deleted as a result of the ConfigSync).
Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.
Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
648867-1 : Kernel vulnerability: CVE-2017-6074
Solution Article: K82508682
648786-1 : TMM crashes when categorizing long URLs
Solution Article: K31404801
648715-3 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
Component: Local Traffic Manager
Symptoms:
LACP, STP, and LLDP PDUs sent from the i2x00 or i4x00 platforms have a VLAN tag added when they should not.
Conditions:
Configure any of the three protocols (LLDP, STP, or LACP); the PDUs sent by the BIG-IP system incorrectly carry a VLAN tag with a tag ID of 0.
Impact:
Some third-party devices may reject the packet. This adversely affects operation of the affected protocol.
Workaround:
None.
Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.
648639-2 : TS cookie name contains NULL or other raw byte
Solution Article: K92201230
Component: Application Security Manager
Symptoms:
The TS cookie name may intermittently contain NULL.
Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).
Impact:
False positives triggered on modified domain cookies.
Workaround:
To resolve this, change the security policy name.
Fix:
Fixed an issue with the TS cookie name length.
648320-2 : Downloading via APM tunnels could experience performance downgrade.
Component: Local Traffic Manager
Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet is too large, it is fragmented at the IP layer, which causes a high number of packet drops and degrades performance.
Conditions:
When downloading using APM tunnels.
Impact:
High number of packet drops and inferior performance.
Workaround:
None.
Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.
648317-1 : Upgrade to 13.0.0 on B2100/B2150 with IOMMU enabled prevents vCMP guests from starting★
Component: TMOS
Symptoms:
vCMP guests fail to start on B2100 and B2150 blades when the user had enabled the input/output memory management unit (IOMMU) before upgrading.
Conditions:
* Run a pre-13.0.0 version of the software.
* Run on a VIPRION B2100/B2150 blade.
* Enable IOMMU before upgrading by setting the sys db variable kernel.iommu.
* Upgrade to 13.0.0.
* vCMP is provisioned.
Impact:
Cannot deploy vCMP guests.
Workaround:
Use the grub_open and grub_close commands to manually add "intel_iommu=on" to the kernel command line, as follows:
~$ grub_open
/var/run/grub.conf.mdfy.24145
~$ <edit the file above>
~$ grub_close
Fix:
Upgrade on VIPRION B2100/B2150 blades with IOMMU enabled no longer prevents vCMP guests from starting.
648056-3 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
Solution Article: K16503454
Component: TMOS
Symptoms:
bcm56xxd constantly crashes, device goes off-line.
Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.
Impact:
Device goes off-line.
Workaround:
None.
Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.
647988-2 : HSL Balanced distribution to Two-member pool may not be balanced correctly.
Solution Article: K15331432
Component: TMOS
Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.
Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-plane logging, for example (but not limited to) the iRule HSL::send command.
Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.
Workaround:
None.
Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.
647962-1 : B2250: Interface is dropping traffic in passive mode
Component: Local Traffic Manager
Symptoms:
Passive mode is a new mode of operation introduced in BIG-IP version 13.0.0. In this mode of operation, the BIG-IP system processes data offline to detect DoS attacks and/or to collect HTTP analytics data, etc.
The results reported by the BIG-IP system might not be accurate.
Conditions:
-- The device is operating in passive mode.
-- VIPRION 2250 blade.
Impact:
This will impact BIG-IP system's ability to operate in passive mode.
Workaround:
None.
Fix:
Passive mode is now fully supported on the B2250.
647726-1 : ASM REST: POST disallowed to /mgmt/tm/asm/policies/<ID>/server-technologies endpoint
Component: Application Security Manager
Symptoms:
POST was disallowed against the collection, but BIG-IQ needs this functionality to add the server technology with no side-effects.
Conditions:
BIG-IQ is used to manage a device, and a server technology is added to an ASM policy.
Impact:
BIG-IQ deployments that add a new server technology to a policy fail.
Workaround:
Non-BIG-IQ clients can and should use /mgmt/tm/asm/tasks/apply-server-technologies to add server technologies.
For BIG-IQ there is no workaround.
Fix:
Simple POST to /mgmt/tm/asm/policies/<ID>/server-technologies is now allowed.
647706-1 : iOS RDP client fails to connect to RD Connection Broker via APM's Native RDP resource
Component: Access Policy Manager
Symptoms:
iOS RDP client fails to connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.
When user launches Native RDP resource from APM Webtop, RDP client shows following error messages:
-- Can't connect to the Remote Desktop Gateway. Contact your network administrator for assistance. (Error code: 0x03000008).
-- Disconnected from server vpn.example.com with error code 0x00000003.
Conditions:
Using iOS client to connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.
Impact:
Connection from RD client to Terminal Server via BIG-IP APM fails.
Workaround:
iOS clients do not work in this case; connect from a non-iOS client device, such as Android.
Fix:
iOS RDP client now can connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.
647108-2 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
Component: Access Policy Manager
Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1
Conditions:
The saml-idp-connector is deleted before the associated SAML server within the same transaction.
Impact:
Cannot delete saml-idp-connector and associated server in that specific order.
Workaround:
Delete saml server first and then delete the saml connector.
Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.
646604-1 : Client connection may hang when NTLM and OneConnect profiles used together
Solution Article: K21005334
Component: Local Traffic Manager
Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang when the persisted connection to the DC is reused. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.
Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
646511-2 : BD crashes repeatedly after interrupted roll-forward upgrade★
Component: Application Security Manager
Symptoms:
If a roll-forward upgrade from version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.
Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.
Impact:
BD crashes repeatedly on subsequent attempts to start ASM.
Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:
tmsh modify sys db ucs.asm.traffic_data.save value disable
Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.
646443-2 : Ephemeral Node may be errantly created in bigd, causing crash
Component: Local Traffic Manager
Symptoms:
When FQDN Ephemeral Nodes are being used at the same time as static Node objects, and there is change in those objects, either via DNS resolver changes or manual changes to static nodes, there exists a chance where one may be misidentified as the other during an update, causing a crash in bigd.
Conditions:
FQDN Nodes and Static Nodes being used. Change in node settings or creation/deletion of nodes.
Impact:
Bigd crashes, causing interruption in monitoring.
Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.
Fix:
Fixed the case in which misidentification could occur; bigd no longer crashes.
645805-2 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
Component: TMOS
Symptoms:
LACP PDUs generated by the 'lacpd' on the i4x00 & i2x00 platforms contain the wrong Ethernet source MAC address.
Conditions:
LACP is configured on a trunk interface on i4x00 or i2x00 platforms.
Impact:
Some Cisco and Juniper switches discard these PDUs and send their own PDUs as if the BIG-IP system were not transmitting, with an all-zeros System ID in the 'Partner' section. This renders LACP inoperable, and nothing happens at all if the far end is configured as 'Passive'.
Fix:
Ensure that the correct source MAC address is inserted into the PDU.
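The following is an added example, not F5 code, that checks captured control-plane PDUs for the two defects described in 648715-3 and 645805-2: an 802.1Q tag with VID 0 (a priority tag) on an LACP, LLDP or STP PDU that must leave the interface untagged, and an implausible Ethernet source MAC address (all zeros or a group address) that a peer switch will discard. The frames and the interface MAC used below are constructed; in practice, feed it frames taken from a tcpdump capture of the trunk member interface and pass the interface's real MAC as expected_src.

```python
"""Classify LACP/LLDP/STP PDUs and flag VLAN tagging and bad source MACs.
Added example, not F5 code; frames and IFACE_MAC are constructed.
"""
import struct

ETH_8021Q = 0x8100
ETH_SLOW = 0x8809         # IEEE 802.3 Slow Protocols; LACP is subtype 1
ETH_LLDP = 0x88CC
STP_DST = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address
IFACE_MAC = bytes.fromhex("020000000001")  # constructed, locally administered


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_pdu(frame: bytes) -> dict:
    """Return proto ("LACP", "LLDP", "STP" or "other"), tag info and MACs."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header and payload")
    dst, src = frame[:6], frame[6:12]
    info = {"dst": mac_str(dst), "src": mac_str(src), "tagged": False, "vid": None}
    pos = 12
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    if ethertype == ETH_8021Q:
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        info["tagged"], info["vid"] = True, tci & 0x0FFF
        pos += 4
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    pos += 2
    payload = frame[pos:]
    if ethertype == ETH_SLOW and payload[:1] == b"\x01":
        info["proto"] = "LACP"
    elif ethertype == ETH_LLDP:
        info["proto"] = "LLDP"
    elif ethertype <= 0x05DC and dst == STP_DST and payload[:2] == b"\x42\x42":
        # 802.3 length field followed by LLC DSAP/SSAP 0x42: a spanning tree BPDU
        info["proto"] = "STP"
    else:
        info["proto"] = "other"
    return info


def check_pdu(frame: bytes, expected_src: bytes = None) -> list:
    """Return a list of problem descriptions; empty means the PDU looks right."""
    info = classify_pdu(frame)
    if info["proto"] == "other":
        return []
    problems = []
    if info["tagged"]:
        kind = "VID 0 (priority tag)" if info["vid"] == 0 else f"VID {info['vid']}"
        problems.append(f"{info['proto']} PDU carries an 802.1Q tag with {kind}; "
                        "control PDUs must be untagged")
    src = frame[6:12]
    if src == bytes(6) or src[0] & 0x01:
        problems.append(f"{info['proto']} PDU source MAC {info['src']} "
                        "is not a valid unicast address")
    elif expected_src is not None and src != expected_src:
        problems.append(f"{info['proto']} PDU source MAC {info['src']} does not "
                        f"match interface MAC {mac_str(expected_src)}")
    return problems


# Constructed frames, payloads zero-padded.
LACP_TAGGED_VID0 = (bytes.fromhex("0180c2000002") + IFACE_MAC
                    + struct.pack("!HH", ETH_8021Q, 0x0000) + struct.pack("!H", ETH_SLOW)
                    + b"\x01\x01" + bytes(106))
LLDP_UNTAGGED = (bytes.fromhex("0180c200000e") + IFACE_MAC
                 + struct.pack("!H", ETH_LLDP) + bytes(46))
STP_ZERO_SRC = (STP_DST + bytes(6) + struct.pack("!H", 0x0026)
                + b"\x42\x42\x03" + bytes(35))
```

Data frames (ethertype IPv4, for instance) are classified as "other" and produce no findings, so the check can be run over a whole capture rather than a pre-filtered one.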
645684-3 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
Component: Access Policy Manager
Symptoms:
Flash ActionScript 3 application components are loaded into an incorrect ApplicationDomain, which in some rare cases causes errors in the application.
Conditions:
This can occur when viewing Flash video while connected to APM.
Impact:
Flash applications might fail to render through Portal Access.
Workaround:
None
Fix:
Flash files accessed through Portal Access now load components into the correct ApplicationDomain. This improves compatibility with Flash applications.
645480-2 : Unexpected APM response
Solution Article: K45432295
645339-1 : TMM may crash when processing APM data
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing APM data.
Conditions:
APM is enabled.
Impact:
TMM crashes, leading to a failover event.
Fix:
TMM processes APM data as expected.
645219 : Switching to native virtio driver
Component: TMOS
Symptoms:
UNIC is the default driver for virtio devices.
Conditions:
BIG-IP system with a virtio device.
Impact:
The native virtio driver is not used by default, so its benefits, such as lower CPU utilization and higher throughput, are not available.
Workaround:
Native virtio can be used as follows:
1. Create /config/tmm_init.tcl if the file does not exist.
2. Append the following line in the file:
device driver vendor_dev 1af4:1000 virtio
3. bigstart restart tmm
4. Check if the driver in use is "virtio" after running the following command:
tmctl -dblade -i tmm/device_probed
Fix:
A DB variable has been provided with this fix to conveniently switch to native virtio driver.
To switch to native virtio driver, run the following commands:
1. tmsh modify sys db tmm.drivers.net.virtio value native
2. bigstart restart tmm
Use of the native virtio driver is recommended for the data plane interfaces when there is a separate management interface.
Note: Do not switch to native virtio driver when single nic configuration is provisioned (management is also used as dataplane).
645203-1 : Configuration load fails after upgrade when a SAML SSO config object is put in a sync-only device group★
Solution Article: K72361514
Component: Access Policy Manager
Symptoms:
Configuration load fails after upgrading BIG-IP from a previous version. The system posts an error similar to the following:
01070734:3: Configuration error: Invalid Devicegroup Reference. The sso_config_saml (/Common/Auth/<object>) requires apm_log_config (/Common/sso-log-setting-Notice) to be syncd to the same devices
Unexpected Error: Loading configuration process failed.
Conditions:
A SAML SSO config object or a Form-Based SSO config object is configured in a folder that belongs to a Sync-Only device group. When upgrading with this configuration, the configuration load fails.
Impact:
The configuration does not load.
Workaround:
1. Disassociate the folder from Sync-Only device group using the following commands:
tmsh modify sys folder <folder name> device-group none
tmsh save sys config
2. Upgrade and verify config loads.
3. Create log-setting in each folder.
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# cd <folder name>/
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common/<folder name>)(tmos)# create apm log-setting sso-log-setting-Notice { access add { general-log { log-level { access-control notice } publisher sys-sso-access-publisher } } }
Repeat this step for each log level: Alert, Critical, Debug, Emergency, Error, Informational, Notice, Warning, and use the appropriate log level accordingly.
4. Modify SSO log-settings to use log-setting created under the folder (<folder name>), according to their previous log level before upgrading. For example,
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify apm sso saml <folder name>/<sso object name> apm-log-config <folder name>/sso-log-setting-Notice
5. Associate the Sync-Only device group with the folder, as shown in the following example:
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify sys folder <folder name>/ device-group <DG name>
6. Verify config load.
Fix:
Configuration load now completes successfully after upgrade when a SAML SSO config object is put in a sync-only device group.
645179-1 : Traffic group becomes active on more than one BIG-IP after a long uptime
Component: TMOS
Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fix:
Traffic groups no longer become active on more than one BIG-IP system in a device group after a long uptime interval.
645101-1 : OpenSSL vulnerability CVE-2017-3732
Solution Article: K44512851
644975-2 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
Component: TMOS
Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.
Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.
Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.
Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.
2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.
3) Save the file and exit the text editor to install the root user's new crontab configuration.
4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.
5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.
6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.
7) If the previous command shows MAILTO=root still appears in some files, also modify those file so that MAILTO=root becomes MAILTO="".
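The following script is an added example, not F5 code, that automates the workaround steps above: it drops every MAILTO assignment, inserts a single MAILTO="" after any leading comment banner, and reports any file whose MAILTO still names a recipient (the same check as grep -i -r mailto /etc/cron*). The paths and file contents are constructed for the example; on a real system you would read and write the crontab files themselves.

```python
"""Normalize MAILTO in crontab-format files so cron never tries to mail job output.

Added example, not F5 code.  Automates the workaround: remove every MAILTO
assignment, put one MAILTO="" near the top, and report files where MAILTO
still names a recipient.  Paths and contents below are constructed samples.
"""
import re

MAILTO_RE = re.compile(r'^\s*MAILTO\s*=(.*)$', re.IGNORECASE)


def _recipient(line):
    """Return the MAILTO value with surrounding quotes removed, or None if not a MAILTO line."""
    m = MAILTO_RE.match(line)
    if not m:
        return None
    return m.group(1).strip().strip('"').strip("'")


def normalize_mailto(text):
    """Return the file text with exactly one MAILTO="" near the top.

    Every existing MAILTO line is removed; the empty assignment is inserted
    after leading comment or blank lines (e.g. the '# cron tab for root'
    banner) and before the first environment setting or job line.
    """
    lines = [l for l in text.splitlines() if not MAILTO_RE.match(l)]
    idx = 0
    while idx < len(lines) and (not lines[idx].strip() or lines[idx].lstrip().startswith("#")):
        idx += 1
    lines.insert(idx, 'MAILTO=""')
    return "\n".join(lines) + "\n"


def mail_enabled(files):
    """files: {path: text}. Return (path, line) pairs whose MAILTO names a recipient."""
    hits = []
    for path, text in files.items():
        for line in text.splitlines():
            if _recipient(line):
                hits.append((path, line.strip()))
    return hits


def fix_all(files):
    """Normalize every file and return the new {path: text} mapping."""
    return {path: normalize_mailto(text) for path, text in files.items()}


# Constructed sample files standing in for the root crontab, /etc/crontab and /etc/cron.d/0hourly.
SAMPLE_FILES = {
    "/var/spool/cron/root": '# cron tab for root\n0 * * * * /usr/bin/some_script\nMAILTO=""\n',
    "/etc/crontab": "SHELL=/bin/bash\nPATH=/sbin:/bin\nMAILTO=root\nHOME=/\n",
    "/etc/cron.d/0hourly": 'SHELL=/bin/bash\nMAILTO=""\n01 * * * * root run-parts /etc/cron.hourly\n',
}

if __name__ == "__main__":
    print("before:", mail_enabled(SAMPLE_FILES))
    fixed = fix_all(SAMPLE_FILES)
    print("after:", mail_enabled(fixed))
    print(fixed["/var/spool/cron/root"])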
Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.
644904-6 : tcpdump 4.9
Solution Article: K55129614
644870 : Improvements of protocol for sending data to AppIQ offbox via TCP
Component: Application Visibility and Reporting
Symptoms:
BIG-IP fails to handle these cases:
1. One AppIQ node is down, and so TCP connection need to be established to another node in AppIQ.
2. All nodes are down, no TCP connection can be established. The number of retries in this case need to be limited per snapshot, so resources are not consumed on the BIG-IP side if AppIQ system is down (current logic is a retry to open connection for every message, need to have few retries per snapshot).
Conditions:
BIG-IP is configured to send statistics to offbox via TCP protocol.
Impact:
1. Data are not sent when they can be sent (to another AppIQ node)
2. BIG-IP resources are consumed by multiple number of reties.
3. When TCP connections can't be established the systen doesn't free connection file descriptors, so at some point the avrd process goes out of file descriptors.
Fix:
1. Added an ability to configure multiple AppIQ IP addresses in external text file /etc/avr/ecm_ip_list.cfg
2. For every type of messages (tmstat, stst snapshots, etc.) BIG-IP makes only 2 attempts to reconnect to every IP provided. If it can't establish connection it doesn't try to send the messages of this type.
3. File descriptors are freed after every not successful connection attempt.
4. An upgrade mechanism for /etc/avr/ecm_ip_list.cfg is implemented.
Behavior Change:
1. Added an ability to configure multiple AppIQ IP addresses in external text file /etc/avr/ecm_ip_list.cfg
2. For every type of messages (tmstat, stst snapshots, etc.) BIG-IP makes only 2 attempts to reconnect to every IP provided. If it can't establish connection it doesn't try to send the messages of this type.
3. File descriptors are freed after every not successful connection attempt.
4. An upgrade mechanism for /etc/avr/ecm_ip_list.cfg is implemented.
644855-1 : irules with commands which may suspend processing cannot be used with proactive bot defense
Component: Advanced Firewall Manager
Symptoms:
A request is dropped.
Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual. (includes a command like the "after" commands")
For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962
Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.
Workaround:
N/A
Fix:
irules which suspends the execution won't cause a request drop when the proactive bot defense is assigned.
644817-1 : Unexpected behaviour during a DNS(GTM) server creation with wrong option in product field: nullGeneral database error.
Component: Global Traffic Manager (DNS)
Symptoms:
On a GSLB Server create page, in the Product dropdown, you are able to select a separator option which causes an error when pressing the Finished button.
Conditions:
This occurs when you pick the separator option "-----------" in the product dropdown.
Impact:
Null General Database error is thrown.
Workaround:
Avoid picking the separator option as GSLB Server product type.
Fix:
The separator option is now non-selectable.
644805 : Kernel.el7.2: BIG-IP VIPRION B4450 - ACPI complaints about unpopulated cpu cores
Component: TMOS
Symptoms:
Due to the way modern Intel Haswell CPU BIOSes are typically configured, the BIOS presents an ACPI table, which includes details for unpopulated CPU sockets and on each socket unpopulated CPU cores.
Note: This is not F5-platform-specific, as the same can be seen on many high-end servers.
For physical cpu socket#0 and socket#1, the actual number of CPUs is 24 per socket. The possible number of CPUs is 36 per socket. For unpopulated socket#2 and socket#3, the actual number of CPUs is 0. The symptom is dmesg output similar to the following:
[ 3.198255] ACPI: \_SB_.SCK0.CP18: failed to get CPU physical ID.
[ 3.198266] ACPI: \_SB_.SCK0.CP19: failed to get CPU physical ID.
[ 3.198276] ACPI: \_SB_.SCK0.CP1A: failed to get CPU physical ID.
[ 3.198286] ACPI: \_SB_.SCK0.CP1B: failed to get CPU physical ID.
[ 3.198296] ACPI: \_SB_.SCK0.CP1C: failed to get CPU physical ID.
[ 3.198306] ACPI: \_SB_.SCK0.CP1D: failed to get CPU physical ID.
[ 3.198316] ACPI: \_SB_.SCK0.CP1E: failed to get CPU physical ID.
[ 3.198326] ACPI: \_SB_.SCK0.CP1F: failed to get CPU physical ID.
[ 3.198336] ACPI: \_SB_.SCK0.CP20: failed to get CPU physical ID.
[ 3.198346] ACPI: \_SB_.SCK0.CP21: failed to get CPU physical ID.
[ 3.198356] ACPI: \_SB_.SCK0.CP22: failed to get CPU physical ID.
[ 3.198366] ACPI: \_SB_.SCK0.CP23: failed to get CPU physical ID.
...
The normal at-boot dmesg output should show 96 lines of output since the maximum populated would be 4 * 36 which is 144, but there are only 48 CPUs present.
Conditions:
Booting of BIG-IP 7.2 kernels on VIPRION B4450 blades will show this routinely at each boot.
Impact:
None. This is purely cosmetic output due to to how the BIOS is configured.
There is nothing functionally wrong; the messages are simply diagnostic output that appears in dmesg output. The messages can be safely ignored.
Workaround:
None.
Fix:
The system now silences the cosmetic 'failed to get CPU physical ID' messages for the Intel Haswell BIOS.
644799-2 : TMM may crash when the BIG-IP system processes CGNAT traffic.
Solution Article: K42882011
Component: TMOS
Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.
Conditions:
A TMM connflow related to CGNAT traffic is expired.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.
644693-1 : Fix for multiple CVE for openjdk-1.7.0
Solution Article: K15518610
644490-2 : Finisar 100G LR4 values need to be revised in f5optics
Component: TMOS
Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.
Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.
Impact:
Occasional packet loss at the 100G physical layer.
Workaround:
Use 100G SR4 optics modules on the link if possible.
Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.
For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).
644418-1 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.
Conditions:
This may occur when SSL Forward Proxy is in use.
Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.
Workaround:
None.
Fix:
In this release, the system excludes self-signed certificates in hash algorithm selection (which is correct behavior). This may prevent forged certificate from using SHA1 hash algorithm
644112 : Permanent connections may be expired when endpoint becomes unreachable
Solution Article: K56150996
Component: Local Traffic Manager
Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.
Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.
Impact:
Tunnel, or other affected connection, will not pass traffic.
Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.
Fix:
Routing updates can no longer lead to expired permanent connections.
644041 : HTTP response-headers-permitted profile option removes listed headers
Solution Article: K51884304
Component: Local Traffic Manager
Symptoms:
The HTTP response-headers-permitted option should remove headers, but not the ones listed. However, it currently will also remove the listed headers by mistake. This makes this profile option remove all HTTP headers, except for a hard-coded whitelist of headers.
Conditions:
The HTTP response-headers-permitted profile option is used.
Impact:
Extra headers will be removed from HTTP responses.
Workaround:
None.
Fix:
The HTTP response-headers-permitted profile option now works as designed again.
643889-1 : blacklist and whitelist words backwards compatibility is broken
Component: Fraud Protection Services
Symptoms:
Blacklist-words is deprecated since 13.0 and detected-malware should be used instead. However, the deprecated method below won't work:
tmsh modify security anti-fraud profile fps_profile malware { blacklist-words add { bword }}
tmsh modify security anti-fraud profile fps_profile add { /url { malware { whitelist-words add { bword }}}}
010719b7:3: URL whitelist words can only be selected from malware blacklist words in the Anti-Fraud profile '/Common/fps_profile'.
Conditions:
This will happen when using the deprecated method to configure blacklist-words list. It impacts also whitelist-words, since adding a word to the whitelist is possible only for words that exist in a blacklist.
Impact:
Config transaction will fail.
Workaround:
Use the new object for blacklist-words:
tmsh modify security anti-fraud profile fps_profile malware { detected-malware add { mal { blacklist-words add { bword } } } }
modify security anti-fraud profile fps_profile urls modify { /url { malware { whitelist-words add { bword } } } }
Fix:
FPS now supports the deprecated method for configuring blacklist-words.
643813-1 : ZoneRunner does not properly process $ORIGIN directives
Solution Article: K32906881
Component: Global Traffic Manager (DNS)
Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name and not $ORIGIN specified.
Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.
Impact:
Zones will not be imported correctly.
Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.
The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)
For example, given a zone file named example.com.file that contains the following information:
"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3
The command is as follows:
named-compilezone -s full -o example.com.file.full example.com example.com.file
The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1
Which is correct. This file can then be used to import into ZoneRunner.
643777-1 : LTM policies with more than one IP address in TCP address match may fail
Solution Article: K27629542
Component: Local Traffic Manager
Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.
Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.
Impact:
The action configured with the match may not be taken.
Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.
Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.
643752-1 : Specific configuration change sequence crashes TMM
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while making a configuration change.
Conditions:
1. insert ip "::" and "::/128" to ip list in dos profile.
2. remove it
3. insert it again.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fixed a configuration crash sequence scenario
643602-1 : 'Select All' checkbox selects items on hidden pages
Component: Fraud Protection Services
Symptoms:
In FPS GUI, clicking 'Select All' when the list contains more than 10 items, selects all items and not just the items on the current page, as expected.
Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:
On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.
Impact:
Unexpected behavior: items are deleted from pages that are not visible.
Workaround:
Check one or more items individually for deletion.
Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.
643554-2 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
Solution Article: K37526132 K44512851 K43570545
643547-2 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
Solution Article: K43036745
Component: Access Policy Manager
Symptoms:
Requests to /my.policy are not getting HTTP responses.
Log file '/var/log/apm' contains large number of error messages about failed XML data creation:
err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP APM system is configured with a large number of access policy agents.
-- You are performing an operation that requires the apmd process to start.
-- For example, your BIG-IP APM system is reloaded, you install a new image, or you manually restart the apmd process.
Impact:
APMD will not able to process any requests.
Workaround:
For some configurations and platforms, you can use the following steps to recover:
- Remove all unused access policies (if applicable).
- Restart apmd.
Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.
643411-1 : High memory usage for avrd statistics
Solution Article: K59119323
Component: Application Visibility and Reporting
Symptoms:
On B4450 blade, the avrd log receives constant error messages similar to the following in ltm.log/avrd.log:
err merged[40445]: 011b0900:3: TMSTAT error tmstat_create_scripts: Resource temporarily unavailable.
User timeout 5 is reached
failed subscribe to avr_blade:
Conditions:
Configuration includes:
1. DoS profile enabled for L7 and L3-4.
2. ASM policy is attached.
3. AVR profile with traffic capture is enabled, with remote logger profile.
4. Off-system processing is enabled.
Impact:
This causes an increase in tmstat memory usage.
Workaround:
There is no workaround at this time.
Fix:
Source of error message is fixed, avrd log no longer receives constant error messages.
643404-1 : 'tmsh system software status' does not display properly in a specific cc-mode situation★
Solution Article: K30014507
Component: TMOS
Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.
Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).
Impact:
It is difficult to ascertain why the software change cannot be made.
Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.
To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.
Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).
Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.
643396-1 : Using FLOW_INIT iRule may lead to TMM memory leak or crash
Solution Article: K34553627
Component: Local Traffic Manager
Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.
Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.
Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a memory leak in the FLOW_INIT iRule event.
643332 : DoS Health and Severity analysis charts
Component: Application Visibility and Reporting
Symptoms:
Severity of attacks and virtual server health over time is not available.
Conditions:
This occurs while looking at the DoS Analysis page.
Impact:
Unable to see certain key statistics.
Workaround:
N/A
Fix:
Both charts are now available on the DoS Analysis page.
643330 : DoS Virtual Servers table has no health column and shows health/severity as numeric value
Component: Application Visibility and Reporting
Symptoms:
Virtual servers table doesn't have a column for virtual server health.
In addition, the attacks table displays severity as a numeric value.
Conditions:
This can be seen when looking at the DoS Visibility page.
Impact:
Cannot determine virtual server health from the numerical values.
Workaround:
N/A
Fix:
Health is now displayed for virtual servers as a textual representation of the condition, and attacks' severity follows the same pattern.
643328 : Activity Type filter is applied even when ASM is not used
Component: Application Visibility and Reporting
Symptoms:
When opening DoS Dashboard pages, Activity Type is automatically being applied to hide internal BIG-IP traffic. However, this classification exists only for Application Security, but not AFM.
Conditions:
ASM is not provisioned.
Impact:
Meaningless filtering is being done.
Workaround:
No workaround at this time.
Fix:
When ASM is not provisioned, the irrelevant Activity Type filter is not applied.
643327 : DoS Visibility Attacks Graph tooltip does not provide sufficient information
Component: Application Visibility and Reporting
Symptoms:
Attacks Graph tooltip lacks relevant information.
Conditions:
This can be seen when looking at the Attacks Graph tooltip.
Impact:
Cannot determine the function of the DoS Visibility Attacks Graph.
Workaround:
N/A
Fix:
A detailed tooltip was added with details about the pointed attack.
643326 : Max Concurrent Server Connections will be hidden by default
Component: Application Visibility and Reporting
Symptoms:
All metrics are visible in the DoS Dashboard Virtual Servers table although they may take space and not all have the same importance.
Conditions:
This can be seen while looking at the DoS Dashboard page.
Impact:
Cannot specify which data-table columns are visible by default and which are hidden.
Workaround:
None.
Fix:
Table columns are now selectable. Max Concurrent Server Connections will be hidden by default.
643325 : Tooltips and help hints are inconsistent across the page
Component: Application Visibility and Reporting
Symptoms:
Help tooltips on the (i) icon are not consistent.
Conditions:
This can be seen when looking at the Dos Visibility page.
Impact:
Some widgets have the tooltip, others don't.
Workaround:
N/A
Fix:
More tooltips were added and text was revised.
643187-1 : BIND vulnerability CVE-2017-3135
Solution Article: K80533167
643041-1 : Less than optimal interaction between OneConnect and proxy MSS
Solution Article: K64451315
Component: Local Traffic Manager
Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.
Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.
Impact:
Decreased throughput, possible congestion due to small segments.
Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.
Fix:
This release provides improved interaction between OneConnect and proxy MSS.
643034-2 : Turn off TCP Proxy ICMP forwarding by default
Component: Local Traffic Manager
Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.
Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.
Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).
Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.
OR
Disable MTU caching on pool members.
Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.
Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.
For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).
642983-2 : Update to max message size limit doesn't work sometimes
Solution Article: K94534313
Component: Device Management
Symptoms:
There is a cap on all REST request/response message size. By default it is set to 32 MB, and you can modify it to higher limit using /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.
When this occurs, you will see 501 Bad Gateway error from Apache and error message link "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in restjavad log (/var/log/restjavad.0.log).
Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.
Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.
Workaround:
None.
Fix:
Messaging settings are applied on requests/responses, rather than on RestServer as forwarded outgoing requests/responses will not have server instance attached to request.
642982-1 : tmrouted may continually restart after upgrade, adding or renaming an interface★
Solution Article: K23241518
Component: TMOS
Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.
Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.
Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.
Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.
Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.
642926-1 : Increased MySQL Memory usage when APM is provisioned on lower-end systems.
Component: Access Policy Manager
Symptoms:
You may notice mysql process continuously consuming high amount of CPU and memory resources when APM is provisioned. This can be seen in the results of 'top' command where mysql will be continuously listed. The issue applies to BIG-IP with 32 GB or less system memory available.
Conditions:
When APM module is provisioned, if either of the following is true:
* logging configuration uses on-box publisher and log-level setting leads to high amount of logging data (e.g., DEBUG).
* LocalDB or OAuth Authorization server is configured with a DB instance and traffic is being processed.
Impact:
You may notice general performance issues on BIG-IP systems with system memory 32 GB or lower when MySQL usage is high.
Workaround:
1) Remove following 2 lines from file '/var/lib/mysql/cnf/apm.cnf' --
innodb_buffer_pool_size = 1G
sort_buffer_size = 256M
and save file before exiting.
2) Restart MySQL service using -- 'bigstart restart mysql'
Fix:
MySQL configuration when APM is provisioned now works as expected on lower-memory BIG-IP systems.
642874-2 : Ready to be Enforced filter for Policy Signatures returns too many signatures
Solution Article: K15329152
Component: Application Security Manager
Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.
Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.
Impact:
Incorrect results are shown as a result of the filter.
Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.
Fix:
The "Ready to be Enforced" filter works correctly.
642659-1 : Multiple LibTIFF Vulnerabilities
Solution Article: K34527393
642613 : Improve loading time when landing in dashboard page
Component: Application Visibility and Reporting
Symptoms:
When data contains a very large number of different IP addresses, it can result in a long loading time for the dashboard page.
Conditions:
When opening Dashboard/Analysis page when DB contains a lot of data.
Impact:
Slow loading of the page.
Workaround:
None.
Fix:
This release provides improved loading time when opening Dashboard/Analysis page with a very large number of different IP addresses.
642589-1 : VPE endings/terminals incorrectly saved
Component: Access Policy Manager
Symptoms:
When a single transaction is used to create and move a terminal/ending, the move is not saved. When using macros, this can result in the terminal creation failing.
Scenario 1: Click 'Edit Endings', click 'Add Ending', use the arrows to move the new ending, and click Save. Now open the 'Edit Endings' page again, the new ending is back at the top.
Scenario 2: For a macro that is NOT currently being used, the same steps as scenario 1 apply for editing terminals. If you add a terminal and move it in the same transaction, the move is not saved.
Scenario 3: For a macro that is being used, follow the same steps of creating a terminal and moving it within the same transaction. The save will fail with an error message that looks like this:
Unable to execute transaction because of: 01071203:3: Caption (Out) of the rule in macrocall (/Common/alan-test_mac_empty) must be identical to the caption (Terminal 1) of terminalout.
Conditions:
Incorrect ordering occurs when the terminal/ending creation and move are done in the same transaction.
MCPD error only occurs when these steps are done to a macro that is currently being used in the policy.
Impact:
Usability
Workaround:
Create the terminal/ending in one transaction. Then reopen the dialogue to move the terminal/ending.
Fix:
Fixed a calculation error in determining the ordering number for new terminals/endings.
642562 : TMM may crash with a very high number of concurrent TCP connections
Component: Advanced Firewall Manager
Symptoms:
TMM may crash with a very high number of concurrent connections (e.g., 30 million).
Conditions:
This happens if BIG-IP has a lot of concurrent connections and encounters HSB ring drops. At that time if ICMP monitors are configured, then LTM will QoS promote those ICMP monitor flows and if those are for the same endpoints, then tmm might crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes with a very high number of concurrent TCP connections.
642449 : Standard deviation for Request Duration is calculated incorrectly
Component: Application Visibility and Reporting
Symptoms:
In the HSL report, the Standard deviation for Request Duration is incorrect.
Conditions:
There are requests sent with delay reported in AVR reports.
Impact:
Wrong data in AVR reports. Standard deviation should be not 0 (zero), but it is reported as 0.
Workaround:
None.
Fix:
Fixed an issue with standard deviaiton calculation.
642400-3 : Path MTU discovery occasionally fails
Component: Local Traffic Manager
Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.
Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.
Impact:
The connection may stall as large TCP segments are continually retransmitted.
Workaround:
Configure the MSS in the TCP profile to match the lowest MSS. Use or disable Path MTU discovery with the tm.pathmtudiscovery database key.
Fix:
Path MTU discovery functions correctly with the TCP profile.
642330 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: Global Traffic Manager (DNS)
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs now load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade; for example, a string such as
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of 'list gtm monitor' and bigip.conf match, and reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.
642221-1 : Incorrect entity is used when exporting TCP analytics from GUI
Component: Application Visibility and Reporting
Symptoms:
When exporting statistics from the TCP Analytics page, the resulting data is for the default "view by" entity rather than the one that is actually selected.
Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.
Impact:
Incorrect data is being exported.
Workaround:
Use tmsh.
Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.
642211-1 : Warning logged when GENERICMESSAGE::message drop iRule command used
Component: Service Provider
Symptoms:
When submitting an iRule script that uses the GENERICMESSAGE::message drop iRule command, a warning message is returned.
Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.
Impact:
A warning message is returned.
Workaround:
N/A
Fix:
iRule validation was improved to allow GENERICMESSAGE::message drop commands.
642124 : mixed statistics between two intervals
Component: Application Visibility and Reporting
Symptoms:
AVR has two collection intervals for data: one every 10 seconds for real-time display and one every 5 minutes (or another configured value) for general statistics.
The 5-minute statistics are accumulated from the 30 intervals of 10 seconds.
Sometimes the last 10-second interval is missing from the 5-minute accumulation and is entered into the next 5-minute interval, resulting in an inaccurate accumulation for the 5-minute interval.
Conditions:
This happens when the 10-second interval takes too long to write itself.
Impact:
Inaccurate accumulation of the 5 min interval statistics.
Workaround:
No workaround; some statistics leak into the next interval.
Fix:
The statistics for every 5-minute interval are now displayed correctly (no leak between adjacent intervals).
642119-1 : Websocket URLs can't be explicitly excluded per attack signature
Component: Application Security Manager
Symptoms:
A signature matches on a websocket URL even though it is defined as an excluded signature on that URL.
Conditions:
A websocket URL has a signature defined as excluded on this URL.
Impact:
A false positive signature match.
Workaround:
Disable the signature at the policy level when applicable.
Fix:
Signatures can now be excluded on the websocket URLs.
642090 : ILXFlow.lbSelect does not work inside 'requestStart' or 'requestComplete' events
Component: Local Traffic Manager
Symptoms:
ILXFlow.lbSelect does not work inside the 'requestStart' or 'requestComplete' events.
Conditions:
Writing an ILX plugin that uses ILXFlow.lbSelect in the 'requestStart' or 'requestComplete' events.
Impact:
Load balancing selection fails. The plugin script fails.
Workaround:
None.
Fix:
ILXFlow.lbSelect can now be called in the 'requestStart' and 'requestComplete' events.
642068-3 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
Component: Policy Enforcement Manager
Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.
Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.
Impact:
PEM sessions remain in the marked-for-delete state.
Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.
Note: The value must be greater than 0 (zero).
Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.
642058 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
Component: TMOS
Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.
The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic
The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic
The interface will report in tmsh as down:
tmsh show net interface 5.0
--------------------------------------------------------
Net::Interface
Name  Status  Bits  Bits  Pkts  Pkts  Drops  Errs  Media
              In    Out   In    Out
--------------------------------------------------------
5.0   down    0     0     0     0     0      0     none
Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.
Impact:
The CBL-0138-01 will not work.
Workaround:
None.
Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.
642015-4 : SSD Manufacturer "unavailable"
Component: TMOS
Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable".
Conditions:
BIG-IP system with SSD installed.
Impact:
No functional impact, cosmetic only.
Workaround:
No workaround, but the issue is only cosmetic and does not indicate a problem with the system.
Fix:
SSD Manufacturer now displays "Samsung" as expected.
641963 : Average CPU usage is calculated differently in DOS Visibility page
Component: Application Visibility and Reporting
Symptoms:
On systems with HT Split, the average CPU usage shown on the DOS Visibility page was calculated as the average of all available CPUs. On other screens, it is calculated as the average of the maximum of data plane and control plane CPUs. This causes an inconsistency in the displayed data.
Conditions:
HT Split is enabled on the system (tmsh list sys db scheduler.splitplanes.ltm returns "True").
Impact:
Inconsistent CPU usage values are displayed on the DOS Visibility page and other screens.
Fix:
On systems with HT Split, average CPU usage is now calculated only for data plane CPUs. The GUI title is changed accordingly.
641724 : BIG-IP VE support for GCE
Component: TMOS
Symptoms:
There is no support for Google Compute Engine (GCE) in BIG-IP Virtual Edition (VE).
Conditions:
Trying to use GCE with BIG-IP VE.
Impact:
No support for GCE.
Workaround:
None.
Fix:
The BIG-IP Virtual Edition (VE) now supports Google Cloud infrastructure using BYOL licenses. F5's Good, Better and Best license bundles are supported up to 5 Gbps. This release supports single NIC configurations only.
Behavior Change:
The BIG-IP Virtual Edition (VE) now supports Google Cloud infrastructure using BYOL licenses. F5's Good, Better and Best license bundles are supported.
641612-1 : APM crash
Solution Article: K87141725
641547-1 : Possible dead-lock on accept of multiple suggestions at once
Component: Application Security Manager
Symptoms:
When accepting multiple suggestions at once, it is possible that the action fails.
Conditions:
Accepting multiple suggestions for the same entities.
Impact:
The action fails.
Workaround:
Accepting suggestions one by one always works.
Fix:
The multiple-accept mechanism was improved to prevent possible deadlocks.
641482-3 : Subscriber remains in delete pending state until a CCR-T ack with a success Result-Code is received
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP subscriber session remains in the delete pending (stale) state if the acknowledgement received from Gx or Gy for the CCR-T request carries a Result-Code marked as failure.
Conditions:
The stale session occurs during subscriber termination when a CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS Result-Code AVP.
Impact:
The subscriber session on the BIG-IP system stays in the delete pending (stale) state.
Workaround:
A tmm restart cleans up all the stale sessions.
Fix:
The session is now cleaned up when a CCR-T acknowledgement is received, irrespective of the Result-Code AVP.
641445-2 : iControl improvements
Solution Article: K22317030
641390-2 : Backslash removal in LTM monitors after upgrade
Component: TMOS
Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.
Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.
Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.
For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.
ltm monitor https /Common/my_https {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
defaults-from /Common/https
destination *:*
interval 5
ip-dscp 0
recv "Test string"
recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
send Test
time-until-up 0
timeout 16
username test\\\"me
}
Impact:
The monitor fails to load.
Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.
Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.
641360-1 : SOCKS proxy protocol error
Solution Article: K30201296
641169 : Role permissions for actions on the iRules LX Workspace editor page
Component: Local Traffic Manager
Symptoms:
Mutable actions (delete, save, etc.) are available to roles with lower privileges than Manager.
Conditions:
Logging in with a role with lower privileges than Manager allows access to mutable actions.
Impact:
The iRules LX filesystem can be modified by a non-privileged user.
Workaround:
None.
Fix:
The system now correctly enforces roles on the iRules LX Workspace editor page.
Behavior Change:
The system now enforces roles on the iRules LX Workspace editor page, so that users cannot add, delete, or save edits unless they have a role of Manager or higher.
641083-1 : Policy Builder Persistence is not saved while config events are received
Component: Application Security Manager
Symptoms:
Policy Builder Persistence is not saved while config events are received.
Conditions:
This occurs when there are many changes made to the policy.
Impact:
Statistics are lost after pabnagd restarts.
Workaround:
None.
Fix:
Persistence is now saved every 24 hours.
641013-6 : GRE tunnel traffic pinned to one TMM
Component: TMOS
Symptoms:
GRE tunnel traffic can all be sent to one TMM if the BIG-IP system does not proxy the GRE tunnel and uses a forwarding virtual server to handle the GRE tunnel traffic.
Conditions:
A forwarding virtual server is used to handle GRE tunnel traffic.
Impact:
GRE tunnel traffic can overwhelm the single TMM and cause performance degradation.
Workaround:
None.
Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.
640854 : Inject CSS link Tag "Customize" checkbox also checks Inject CSS link Position
Component: Fraud Protection Services
Symptoms:
Checking or unchecking "Customize" for the "Tag" input field also checks or unchecks "Customize" for the "Position" option.
Conditions:
-- Provision and license FPS.
-- Add new profile.
Impact:
Inject CSS link Position may not inherit values from parent profile.
Workaround:
None.
Fix:
"Customize" for Inject CSS link Position is no longer checked automatically when "Customize" for Inject CSS link Tag is checked.
640829-1 : bd crash scenario
Component: Application Security Manager
Symptoms:
The bd process crashes, causing a switch-over and some traffic outage.
Conditions:
A specific cross-domain configuration exists and a specific traffic scenario occurs.
Impact:
The bd process crashes, causing a switch-over and some traffic outage.
Workaround:
None.
Fix:
Fixed a bd crash scenario.
640824-2 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
Solution Article: K20770267
Component: Application Security Manager
Symptoms:
Upon first start after upgrade, the following error messages appear in the asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted
info perl[21860]: 01310053:6: ASM starting
-------------------------
Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.
Impact:
Upgrade fails.
Workaround:
Upgrade by saving a UCS, performing a clean install, and then loading the UCS.
In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error so that the UCS loads correctly.
There are two options for disabling the upgrade of the Request Log when upgrading by means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never
2) Do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------
Fix:
Roll-forward upgrade including traffic data now works correctly.
640766-1 : CVE-2016-10088 CVE-2016-9576
Solution Article: K05513373
640521-2 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
Component: Access Policy Manager
Symptoms:
When connecting to a public network that has a Captive Portal using the jQuery library for mobile devices, EdgeClient does not render the login page for that Captive Portal.
Conditions:
Using a public network with a Captive Portal that uses the jQuery library for mobile devices.
Impact:
EdgeClient cannot establish a VPN connection.
Workaround:
Use a browser to authenticate to the Captive Portal. For locked clients, there is no suitable workaround.
Fix:
Edge Client can now successfully interact with a greater number of Wi-Fi captive portals.
640510-2 : BWC policy category attachment may fail during a PEM policy update for a subscriber.
Component: Policy Enforcement Manager
Symptoms:
The correct BWC category is not applied, resulting in incorrect BWC handling of subscriber traffic.
Conditions:
PEM policies for a subscriber are modified such that the BWC policy stays the same while the BWC category changes.
Impact:
Use cases dependent on BWC can be impacted.
Fix:
Code changes were made so that BWC policy and category changes through PEM are handled correctly.
640457-3 : Session Creation failure after HA
Component: Policy Enforcement Manager
Symptoms:
Under some HA scenarios, the subscriber session is lost. If such a deleted session is added again (with the same subscriber-id), the addition attempt fails.
Conditions:
Intra-chassis HA is configured. One of the blades goes down and comes back up very rapidly, and some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.
Impact:
A set of subscribers lost during HA is never added back.
Workaround:
No workaround.
640407-2 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
Solution Article: K41344483
Component: Service Provider
Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.
Conditions:
Using an iRule command that gets or sets state in an MRF protocol filter or MR proxy during the CLIENT_CLOSED iRule event may core. This is because the CLIENT_CLOSED event is raised after all state has been freed for the current connection.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use iRule commands to get or set state during the CLIENT_CLOSED iRule event.
640376-2 : STPD leaks memory on 2000/4000/i2000/i4000 series
Component: Local Traffic Manager
Symptoms:
The STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs grows in physical memory usage indefinitely as long as its role in the tree results in sending BPDU packets. Memory usage grows faster with each interface that is sending BPDUs.
Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with the Linux top command, for example:
top -b -n 1 | grep stpd
The 5th and 6th columns, 'VIRT' and 'RES', slowly increase over time, indicating the memory leak.
Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.
Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured so that the affected platforms do not generate BPDUs. This can be done by choosing a root such that the affected platforms have their interfaces in blocking mode or, if possible, in passthrough mode.
Fix:
The BPDU processing code was fixed to release the memory allocated for each BPDU packet created and sent.
640352-1 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
Solution Article: K01000259
Component: Local Traffic Manager
Symptoms:
Connflow entry memory is leaked when the BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between the DHCP client and the BIG-IP system sets the giaddr field to itself, after the created connflows age out in a particular order.
Conditions:
1) The BIG-IP DHCP proxy is configured in forwarding mode.
2) A DHCP relay agent between the DHCP client and the BIG-IP system sets the giaddr field in the DHCP renewal packet to itself (this has been observed on Cisco devices), so that the DHCP renewal packet is sent to the relay agent by the DHCP servers.
3) The connflow created to the giaddr (relay agent) ages out before the connflows created to the DHCP clients.
Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.
Workaround:
None.
Fix:
The reference count for giaddr connflows is now decremented when the client-side connflow is removed, preventing the memory leak.
639929-3 : Session variable replace with value containing these characters ' " & < > = may cause tmm crash
Component: Access Policy Manager
Symptoms:
TMM crashes when a session variable is replaced with a value containing any of these characters: ' " & < > =
Conditions:
A session variable is replaced with a value containing any of these characters: ' " & < > =
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid session variable values containing ' " & < > = if possible. Otherwise, there is no workaround.
Fix:
The session variable overwrite operation with a value containing special characters now works correctly.
639774-1 : mysqld.err rollover log files are not collected by qkview
Solution Article: K30598276
Component: TMOS
Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview, without the truncation rules normally used for log files. Also, mysqld.err.1, mysqld.err.2.gz, etc., are not collected at all.
Conditions:
This occurs when generating a qkview.
Impact:
You cannot see the other mysqld.err rollover files in the qkview, and since the single mysqld.err file might be huge (larger than 2 GB), the qkview output will be unusable.
Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.
Fix:
With this fix, the file /usr/lib/mysql/mysqld.err and its associated rollover files (up through .7.gz) are collected by qkview. The truncation/transformation rules used for log files also apply (use -s <size> to modify the default behavior), meaning that files larger than 5 MB (by default) are truncated, and there is a maximum limit of 75 MB for any given log file (using -s0).
639767-1 : Policy with Session Awareness Statuses may fail to export
Component: Application Security Manager
Symptoms:
ASM policy with many Session Awareness Statuses may fail to export.
Conditions:
There are many Session Awareness Statuses configured for the policy.
Impact:
ASM policy export will fail.
Workaround:
Remove all Session Awareness Statuses before export.
Fix:
ASM policy export only includes Session Awareness Statuses set to "Block All", and completes reliably.
639764-1 : Crash when searching external data-groups with records that do not have values
Component: Local Traffic Manager
Symptoms:
The TMM may crash when searching through an external data-group that has at least one record with an empty value.
Conditions:
For example, this occurs if a data-group is defined as follows, where the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",
A search in the data-group above with the -value or -element option, where at least one of the result records has no value, will most likely result in a TMM crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure that every record in the external data-groups has a value.
Fix:
Searching values in an external data-group where the result contains at least one record with an empty value no longer results in a TMM crash. A -value search yields an empty string for records that do not have a value.
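The following Python model is an added illustration, not code from the release note or from F5: it parses records in the syntax quoted above and performs longest-prefix and all-matches lookups, returning an empty string for a matching record that has no value (the fixed behavior) instead of dereferencing a missing value. The record parser, the lookup helper names, and the option strings are this example's own constructions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the record syntax quoted above; the 10.40.0.0/13
# record deliberately has a key but no value (the pre-fix crash trigger).
SAMPLE_RECORDS = """
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",
"""

Record = Tuple[ipaddress.IPv4Network, Optional[str]]


def parse_network_records(text: str) -> List[Record]:
    """Parse lines of the form 'network <cidr> [:= "<value>"],'.

    Returns (network, value) pairs; value is None for a record that has
    a key but no ':= "..."' part.
    """
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",").strip()
        if not line:
            continue
        if not line.startswith("network "):
            raise ValueError(f"unsupported record: {line!r}")
        body = line[len("network "):]
        value: Optional[str] = None
        if ":=" in body:
            cidr, value = (part.strip() for part in body.split(":=", 1))
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop the enclosing quotes
        else:
            cidr = body.strip()
        records.append((ipaddress.ip_network(cidr, strict=False), value))
    return records


def _matches(records: List[Record], address: str) -> List[Record]:
    """All records whose network contains the address, in definition order."""
    addr = ipaddress.ip_address(address)
    return [(net, val) for net, val in records if addr in net]


def lookup(records: List[Record], address: str, option: str = "value"):
    """Longest-prefix lookup modelled on a -value / -element style search.

    Before the fix, a matching record with no value was dereferenced and
    TMM crashed; the fixed behaviour modelled here returns '' for "value"
    and (key, '') for "element". Returns None when nothing matches.
    """
    candidates = _matches(records, address)
    if not candidates:
        return None
    net, value = max(candidates, key=lambda rec: rec[0].prefixlen)
    value = "" if value is None else value
    if option == "value":
        return value
    if option == "element":
        return (str(net), value)
    raise ValueError(f"unknown option: {option!r}")


def lookup_all(records: List[Record], address: str) -> List[Tuple[str, str]]:
    """Every matching (key, value) pair: the case the release note describes
    as 'at least one of the result records has no value'. Missing values
    become '' rather than a crash.
    """
    return [(str(net), "" if val is None else val)
            for net, val in _matches(records, address)]


# Parsed once so the lookups below (and a caller) can reuse it.
PARSED = parse_network_records(SAMPLE_RECORDS)

if __name__ == "__main__":
    print(repr(lookup(PARSED, "10.40.1.1")))        # '' (record has no value)
    print(lookup(PARSED, "10.10.5.5", "element"))   # ('10.10.0.0/17', 'network 10.10.0.0/17')
    print(lookup_all(PARSED, "10.40.1.1"))          # both the /9 and the valueless /13 match
```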
639750-2 : username aliases are not supported
Component: Fraud Protection Services
Symptoms:
It is a common practice to use aliases for usernames. For example, an app might allow users to log in with either their ID, cell number, or nickname.
WebSafe does not support username aliases.
Conditions:
This is encountered when your application uses username aliases.
Impact:
You are unable to use username aliases in your applications.
Workaround:
None.
Fix:
A new ANTIFRAUD iRule command is provided for setting the username (replacing the username alias with the "real" username).
639744-3 : Memory leak in STREAM::expression iRule
Solution Article: K84228882
Component: Local Traffic Manager
Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.
Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.
Impact:
This causes a memory leak in tmm.
Workaround:
None.
Fix:
This release fixes a memory leak in STREAM::expression iRule.
639729-1 : Request validation failure in AFM UI Policy Editor
Solution Article: K39428424
639630-1 : Searching for signatures with overrides in the policy returns incorrect results
Component: Application Security Manager
Symptoms:
1) When searching for Policy Attack Signatures with Overrides "On URLs" or "On HTTP headers", all signatures are shown, regardless of whether they have overrides.
2) When searching for Policy Attack Signatures with Overrides "On XML profiles"/"On JSON profiles"/"On GWT profiles"/"On Plain Text profiles", no signatures are shown, regardless of whether they have overrides.
Conditions:
Signature specific overrides are applied on URLs, Headers, or Content Profiles.
Impact:
No easy way to search for which signatures have overrides defined.
Workaround:
None.
Fix:
Searching for signatures with overrides now works correctly.
639575-2 : Using libtar with files larger than 2 GB will create an unusable tarball
Solution Article: K63042400
Component: TMOS
Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar; if any of the files collected is larger than 2 GB, the output tar file cannot be read by /bin/tar.
Conditions:
A file collected via libtar (e.g., by qkview or another program dynamically linked with /usr/lib/libtar-1.2.11) is larger than 2 GB.
Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.
Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be zero-length. Alternatively, the offending file larger than 2 GB must be removed from the system prior to running qkview or any other program that uses libtar.
Fix:
With the fix to the third-party libtar software, programs using libtar no longer create an unusable tarball when handling files larger than 2 GB.
639565 : Core when accessing MQTT::Type after drop
Component: Local Traffic Manager
Symptoms:
Core when accessing NULL MQTT::Type after drop.
Conditions:
iRule configured with NULL MQTT::Type and a MQTT::drop.
Impact:
tmm cores. Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
The system now logs a Tcl error when accessing a NULL MQTT::Type after drop, and performs the drop as expected.
639530 : Kernel.el7.2: xhci: off by one error in TRB DMA address boundary check
Component: TMOS
Symptoms:
Due to an off-by-one error in the xHCI driver, BIG-IP platforms with xHCI controllers may show the following dmesg output when booting:
[ 164.552195] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
[ 164.552200] xhci_hcd 0000:00:14.0: Looking for event-dma 00000000fffe6000 trb-start 00000000fffe7fe0 trb-end 00000000fffe8000 seg-start 00000000fffe7000 seg-end 00000000fffe7ff0
Conditions:
Any of the following BIG-IP platforms that have xHCI controllers, when the system is booting normally:
- BIG-IP 5000/7000
- BIG-IP i2800/i4800
- HRC-i2800
- BIG-IP VIPRION 4450
Impact:
It is not clear what the impact is if nothing is connected to the USB 3.0 ports, which are not accessible except on the BIG-IP VIPRION 4450.
Workaround:
None.
Fix:
Red Hat integrated the fix for the off-by-one error from upstream kernel.org as part of the RHEL 7.3 GA release, which is included in the BIG-IP 7.2 kernels in this release.
639528 : Kernel.el7.2: Broadwell Home Agent devices have non-compliant BAR.
Component: TMOS
Symptoms:
Broadwell-EP CPUs have UNCORE devices known as the "Broadwell Home Agent" devices.
For both single-socket and dual-socket platforms, this is pci 0000:ff:12.*.
These devices have non-compliant BARs, and when systems with Broadwell-EP CPUs boot, the early kernel boot messages in dmesg include output similar to the following:
[ 2.345303] pci 0000:ff:12.0: BAR 2: failed to assign [mem size 0x00000040]
[ 2.345306] pci 0000:ff:12.0: BAR 4: failed to assign [mem size 0x00000040]
[ 2.345309] pci 0000:ff:12.0: BAR 1: failed to assign [mem size 0x00000010]
[ 2.345312] pci 0000:ff:12.0: BAR 3: failed to assign [mem size 0x00000010]
[ 2.345315] pci 0000:ff:12.0: BAR 5: failed to assign [mem size 0x00000010]
Not related, but also seen, is the following:
[ 20.123776] mei_me 0000:00:16.0: initialization failed.
This is due to the BIOS configuration not permitting access to the ME (Management Engine). The kernel module for the ME should therefore not be loaded.
Conditions:
Affects the following platforms:
- BIG-IP i10600/i10800
- BIG-IP i7600/i7800
- BIG-IP i5600/i5800
- BIG-IP i4600/i4800
- BIG-IP i2600/i2800
- HRC-i2800
- HRC-i5800
- HRC-i10800
Impact:
None. This is cosmetic and should not be cause for alarm.
The Broadwell-EP Home Agent devices are not used by BIG-IP software, and appear only as part of the UNCORE devices associated with each physical socket.
Workaround:
None needed: this is cosmetic.
Fix:
This release includes RHEL 7.3 kernels as the BIG-IP 7.2 kernels. The RHEL 7.3 kernels add PCI handling for the Broadwell-EP Home Agent devices, which tells the kernel not to attempt to probe or configure the PCI BARs for such devices.
Also, this release disables loading the MEI driver, which prevents the mei_me message from being posted.
639526 : Configuring lots of Virtual IPs + stress traffic can cause avrd to crash
Component: Application Visibility and Reporting
Symptoms:
avrd crashes.
Conditions:
Many virtual IPs are configured and stress traffic is applied.
Impact:
avrd restarts.
Workaround:
No workaround.
Fix:
avrd no longer crashes under stress traffic with large numbers of virtual IPs.
639500-1 : BD crash fix
Component: Application Security Manager
Symptoms:
A crash of the bd daemon.
Conditions:
Specific configuration and traffic.
Impact:
Traffic resets and/or failover.
Workaround:
N/A
Fix:
BD crash scenario was fixed.
639486-1 : TMM crash due to PEM usage reporting after a CMP state change.
Component: Policy Enforcement Manager
Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.
Conditions:
A CMP state change due to a card reboot, disable, enable, insert, or remove occurs while or right before a PEM usage reporting action.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The error condition is now handled gracefully instead of asserting.
639406 : On stress traffic, wrong TPS reported to DOS
Component: Application Visibility and Reporting
Symptoms:
Under stress traffic, AVR reports a higher TPS to ASM than the actual value.
Conditions:
ASM is in use.
Impact:
ASM may wrongly declare an attack.
Fix:
The actual TPS is now reported to ASM.
639395-3 : AVR does not display 'Max read latency' units.
Solution Article: K91614278
Component: Application Visibility and Reporting
Symptoms:
AVR does not display units for 'Max Read Latency'.
Conditions:
AVR, ASM, DoS, or AFM are provisioned.
Impact:
No units are displayed.
Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.
Fix:
Added units (microsecond) to AVR report.
639383 : ILX HTTP headerNames are not being properly treated as case insensitive
Component: Local Traffic Manager
Symptoms:
ILX HTTP headerNames are treated as case-sensitive. They should be treated as case-insensitive.
Conditions:
Using an ILX plugin with a virtual server that has an HTTP profile.
Impact:
The ILX plugin must be written to be aware of case when handling HTTP headerNames.
Workaround:
None.
Fix:
headerNames are now handled as case-insensitive.
639288-1 : OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately.
Component: Access Policy Manager
Symptoms:
OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately. The Access Profiles list shows duplicate OAuth profile names.
Conditions:
An OAuth profile is associated with multiple Access Profiles.
Impact:
Selecting an Access Profile (i.e., clicking its link) on the OAuth Profiles list does not show the expected Access Profile properties page.
Workaround:
Switch to the Access Profiles list page and select the profile directly.
Fix:
The GUI now correctly displays the Access Profiles associated with the OAuth profile on the OAuth Profiles list page.
639283-1 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Conditions:
* The Virtual Server has an untrusted certificate.
* Custom Dialer or Windows logon integration is used on the client machine to establish a secure VPN.
Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.
Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.
Workaround:
- Install a trusted certificate on the Virtual Server, or whitelist the untrusted certificate on the client machine.
or
- Use Edge Client to establish the secure VPN connection.
Fix:
The Custom Dialer/Windows Logon Integration feature now shows a certificate warning when the client does not trust the certificate. The logon proceeds only if the user accepts the certificate.
639049-1 : Virtual Server creation ignores translate-address setting with wild card destination
Component: TMOS
Symptoms:
The translate-address attribute is ignored during virtual server creation when the destination is all zeroes and no netmask is specified.
Conditions:
Creating virtual server with wild card destination, no net mask, and translate-address set to enabled.
Impact:
translate-address can only end up disabled during creation, whatever value is supplied.
Workaround:
Either set translate-address after creation, or specify net mask for virtual server creation.
Fix:
The translate-address flag is now honored when set during virtual server creation.
638967-2 : SSL Forward Proxy not to cache forged certificate if soft_vfyresult indicating an 'untrusted CA' or 'expired cert'
Component: Local Traffic Manager
Symptoms:
The system caches a forged certificate when Forward Proxy (FWDP) server-side soft_vfyresult shows an untrusted CA or an expired cert. There is no method of overriding that behavior.
Conditions:
Using FWDP.
Server-side soft_vfyresult shows an untrusted CA or an expired cert.
Impact:
No method to override the caching behavior.
Workaround:
None.
Fix:
In this release, you can configure SSL forward proxy not to cache the forged certificate on the client side. This applies when the sys db variable tmm.ssl.servercert_softval is enabled for server-side SSL and the back-end server certificate's soft verify_result shows an 'untrusted CA' or 'expired certificate'.
Behavior Change:
SSL forward proxy can now be configured not to cache the forged certificate for a back-end server whose certificate soft verify_result is 'untrusted CA' or 'expired certificate' (sys db variable tmm.ssl.servercert_softval).
638857-1 : Challenging AJAX-qualified requests cover only GET and POST HTTP methods
Component: Application Security Manager
Symptoms:
When the Single Page Application flag is enabled within the DoS Application profile and an AJAX request is sent using an HTTP method other than GET or POST (e.g., PATCH, PUT, DELETE), Proactive Bot Defense does not display the CAPTCHA pop-up.
Conditions:
-- ASM provisioned.
-- DoS Application profile assigned to a virtual server.
-- Proactive Bot Defense enabled.
-- Single Page Application flag enabled within DoS Application profile.
-- HTTP method is not GET or POST.
Impact:
CAPTCHA or challenge does not work.
Workaround:
Disable Proactive Bot Defense or the Single Page Application flag.
Fix:
Single Page Application (SpearHead) AJAX hook has been updated to support non-GET/POST HTTP methods.
638838 : Dynamic Signatures are not copied to peers in a device group
Component: Advanced Firewall Manager
Symptoms:
During a failover event, a newly active BIG-IP will generate its own Dynamic Signatures rather than use a copy of the previous Active unit's signatures.
Conditions:
HA configuration with Dynamic Signatures enabled.
Impact:
During failover events, there will be a lag of a few seconds while the Dynamic Signatures are generated and collated.
Workaround:
1. Verify whether the device-group is set to none using the following command:
tmsh list sys folder dos-common
2. If it is, associate dos-common with the device group dos-global-dg using the following command:
tmsh modify sys folder dos-common/ device-group dos-global-dg
3. Save the configuration using the following command:
tmsh save sys config
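The three steps above can be scripted so the check runs unattended across a fleet before a failover is relied upon. The following is an added example written for this page, not F5 tooling: it parses the brace-delimited output of tmsh list (the sample output is constructed and its property names are an assumption; only device-group matters) and prints the workaround commands when the folder is not in a device group.

```python
"""Check whether the dos-common folder is attached to a device group, the
condition behind the ID 638838 workaround, and print the remediation commands.
Example code written for this page, not F5 tooling. The sample output below is
constructed; the exact properties printed by 'tmsh list sys folder dos-common'
are an assumption, only 'device-group' matters here."""
import subprocess

# Constructed sample of the tmsh output seen on an affected unit.
SAMPLE_LIST_OUTPUT = """\
sys folder dos-common {
    device-group none
    traffic-group none
}
"""


def parse_tmsh_list(text):
    """Parse brace-delimited 'tmsh list' output into nested dicts.

    'name {' opens a block, '}' closes it, and every other line is
    'key [value]'. Single-line sub-blocks ('members { a b }') are kept as
    raw strings, which is enough for the checks below."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            parts = line.split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) > 1 else None
    return root


def dos_common_device_group(list_output):
    """Return the device-group value of the dos-common folder ('none' when unset)."""
    folder = parse_tmsh_list(list_output).get("sys folder dos-common", {})
    return folder.get("device-group") or "none"


def remediation_commands(list_output, device_group="dos-global-dg"):
    """The commands from the workaround (as given on the page), or [] if no action is needed."""
    if dos_common_device_group(list_output) != "none":
        return []
    return [
        "tmsh modify sys folder dos-common/ device-group %s" % device_group,
        "tmsh save sys config",
    ]


def check_live_system(execute=False):
    """Run on a BIG-IP: inspect the folder and optionally apply the workaround."""
    out = subprocess.check_output(
        ["tmsh", "list", "sys", "folder", "dos-common"], universal_newlines=True)
    cmds = remediation_commands(out)
    for cmd in cmds:
        print(cmd)
        if execute:
            subprocess.check_call(cmd.split())
    return cmds


if __name__ == "__main__":
    print(remediation_commands(SAMPLE_LIST_OUTPUT))
```

check_live_system() only prints the commands unless execute=True, so it can be run read-only on the standby unit first.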
Fix:
The system now explicitly adds folder and device group association, so the issue no longer occurs.
638825-1 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
Component: TMOS
Symptoms:
The value returned for the sysInterfaceMediaActiveSpeed OID is 80 for an interface of type 100000SR4-FD instead of 100000.
Conditions:
This always occurs for this type of interface.
Impact:
The SNMP get returns the wrong value for this interface. The value is correct in tmsh 'show net interface'.
Workaround:
Use tmsh to obtain the value by running the following command: tmsh show net interface. Note: There is no workaround within SNMP.
638799-2 : Per-request policy branch expression evaluation fails
Component: Access Policy Manager
Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:
info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)
Conditions:
Per-request policy branch expression evaluation fails when non-Access (non-APM) iRule events are attached to the virtual server.
Evaluation is not triggered for some requests when, on the same connection, the virtual server first receives a request for an internal Access whitelisted URL and then a request for a back-end resource URI.
Impact:
Per-request policy branch expression evaluation fails. When Access receives a request for a whitelisted URL, the system disables all iRule events except the following:
#define ACCESS_ALLOWED_IRULE_EVENTS ( \
((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))
Workaround:
None.
Fix:
Per-request policy branch expression evaluation now completes successfully when non-Access (non-APM) iRule events are attached to the virtual server.
638780 : Handle 302 redirects for VMware Horizon View HTML5 client
Component: Access Policy Manager
Symptoms:
Starting with v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions and supports a 302 redirect from the old URI for backward compatibility.
Conditions:
APM webtop with a VMware View resource assigned.
The HTML5 client installed on the back end is version 4.4 or later.
Impact:
Without this fix, VMware HTML5 clients v4.4 or later do not work properly through APM.
Workaround:
For versions 11.6.x and 12.x:
===============================
priority 2
when HTTP_REQUEST {
    # Remember the APM VDI forwarder prefix of this request
    # ("/f5vdifwd/vmview/<36-char id>/"). The first variable receives the
    # whole match, so vmview_html5_prefix keeps the trailing slash here.
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                # Strip any scheme/host from Location and move the
                # redirect back under the forwarder prefix.
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    # Here the capture group is stored instead, so vmview_html5_prefix has
    # no trailing slash and the "/portal/" path is kept below it.
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
Fix:
302 redirects for the VMware View HTML5 client are now handled properly.
638779 : Help file for MQTT profile is missing.
Component: Local Traffic Manager
Symptoms:
Help file for MQTT profile is missing.
Conditions:
Viewing the MQTT profile man page.
Impact:
The MQTT profile man page contains no information.
Workaround:
None.
Fix:
There is now man-page help for MQTT profile.
638629-1 : Bot can be classified as human
Component: Application Security Manager
Symptoms:
A bot is classified as human in a rare case.
Conditions:
Web scraping detection is turned on, and the Client Side Human User Interaction (CSHUI) check is applied to the client.
Impact:
Bot traffic gets classified as human by ASM.
Workaround:
N/a
Fix:
Fixed the CSHUI algorithm to have better bot detection.
638594-4 : TMM crash when handling unknown Gx messages.
Component: Policy Enforcement Manager
Symptoms:
TMM crash resulting in potential loss of service.
Conditions:
PCRF sends unsupported Gx messages to PEM.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Added support for identifying unknown message types and handling them gracefully.
638576-1 : Modified ASM Cookie violation is off by default
Component: Application Security Manager
Symptoms:
Modified ASM Cookie violation is not active by default when creating a new policy.
Conditions:
This occurs when creating a new policy.
Impact:
The Modified ASM Cookie Violation isn't enabled.
Workaround:
Manually enable the Modified ASM Cookie Violation.
Fix:
The Modified ASM Cookie violation is now enabled by default in new policies.
638556-1 : PHP Vulnerability: CVE-2016-10045
Solution Article: K73926196
638495-1 : Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile
Component: Advanced Firewall Manager
Symptoms:
Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile.
Conditions:
DNS and SIP DoS profiles have enabled all vectors that have auto-thresholds support.
Impact:
No auto-threshold detection for SIP OTHER DOS, SIP PRACK method DOS, DNS IXFR query DOS, DNS OTHER DOS.
Workaround:
None.
Fix:
Auto-thresholds now work for all expected vectors on per-VS DNS/SIP DoS profile.
638219 : L4 BDoS incorrectly learns traffic after learning period in learn-only mode
Component: Advanced Firewall Manager
Symptoms:
L4 BDoS incorrectly learns traffic after learning period in learn-only mode.
Conditions:
-- L4 BDoS.
-- Learn-only mode.
-- Expired learning period.
Impact:
Traffic that has already been learned is learned again.
Workaround:
None.
Fix:
The delayed threshold is now propagated (at least once) after the traffic stops, and the delayed threshold is then reset so that traffic is learned as expected.
638215 : iHealth auto-upload script may get stuck in unusual circumstances
Component: TMOS
Symptoms:
If iHealth auto-upload is correctly configured and an upload in progress is aborted (for example, by a power loss), the saved state causes future invocations of the iHealth script to fail with the message "ihealth is already executing (2). Exiting."
Conditions:
Auto-upload to iHealth is correctly configured, and an upload in progress is aborted by a power loss. After the BIG-IP restarts, the iHealth script no longer works.
Impact:
The iHealth script is not usable, and the System :: Support page cannot be used to create a qkview.
Workaround:
Reset the stored request status by running the following command:
guishell -c "update diags_ihealth_request set ihealth_status=0"
638115-1 : DoS Visibility page on a system under stress can cause GUI timeouts and disconnections
Component: Application Visibility and Reporting
Symptoms:
On a system with a lot of AVR-related data for DoS attacks, loading the data needed for the DoS Visibility pages can take a while. The GUI queries the back end for all the required data simultaneously, which can cause the web server to handle too many open connections and results in high CPU usage.
Conditions:
Large amounts of data for DoS Attacks
Impact:
Instability in GUI usage. Performance degradation. Potential disconnections.
Workaround:
None.
Fix:
Optimizations were done both on the back-end/database side and on the GUI side. GUI will now throttle its queries to the server.
637847 : Removed "(conn/s)" text from Average Concurrent Connections graph
Component: Application Visibility and Reporting
Symptoms:
The unit of connections/sec is incorrect for the Average Concurrent Connections graph.
Conditions:
This is seen when looking at the Average Concurrent Connections graph.
Impact:
Potentially confusing information. The value is actually a general number of concurrent connections.
Workaround:
None.
Fix:
Removed "(conn/s)" text from Average Concurrent Connections graph.
637666-1 : PHP Vulnerability: CVE-2016-10033
Solution Article: K74977440
637664-1 : Vector (multi-options) lists values are not inherited if parent profile is changed.
Component: Fraud Protection Services
Symptoms:
Vector (multi-options) lists values, (like "Application CSS Locations" or "Allow URLs from these external domains") are not inherited if parent profile is changed.
Conditions:
Provision and license FPS.
Create 2 or more Anti-Fraud profiles.
Impact:
Can cause a mismatched configuration.
Workaround:
Manually fill in the appropriate values, or use tmsh or the REST API to edit them.
Fix:
Vectors now inherit values from parent profile.
637561-2 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
Component: TMOS
Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.
Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys config gtm-only
Impact:
Wildcard wideips are not returning wildcard requests correctly.
Workaround:
Force a reload of the mcpd database using the following commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd
Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.
637308-1 : apmd may crash when HTTP Auth agent is used in an Access Policy
Solution Article: K41542530
Component: Access Policy Manager
Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.
Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.
The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.
Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.
Workaround:
Use basic auth, or do not use HTTP Auth.
Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.
637181-1 : VIP-on-VIP traffic may stall after routing updates
Component: Local Traffic Manager
Symptoms:
After a routing update, traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.
Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.
Impact:
Existing connections to the outer VIP may stall.
Workaround:
None.
Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.
637141-1 : TMM core after deleting POLICY and executing command: show net ipsec ike-sa.
Component: TMOS
Symptoms:
TMM core after deleting POLICY and executing the following command: show net ipsec ike-sa.
Conditions:
-- IKEv1 configured and tunnel established.
-- Traffic is running.
-- IKEv1 peer reconfigured with proxy support as disabled.
Impact:
TMM cores after some hours, or immediately after running the command: show net ipsec ike-sa. Traffic disrupted while tmm restarts.
Workaround:
Do not delete a policy while an IPsec connection is active.
Fix:
TMM no longer cores after deleting POLICY and executing the following command: show net ipsec ike-sa.
637094 : The iRules LX streaming external data-group API may incorrectly not find a match.
Component: Local Traffic Manager
Symptoms:
The iRules LX streaming data-group API for external data-groups may incorrectly not find a match when the following commands are used:
- searchStartsWith (case insensitive search only)
- matchEndsWith/searchEndsWith (any search types).
- matchContains/searchContains (any search types).
The following commands are not affected:
- matchEquals/searchEquals.
- matchStartsWith.
Conditions:
There are no conditions for the failure. Using the specified commands will most likely fail. Note: If the data-group is relatively small in size (e.g., approximately 10 records), it is possible that the issue will not happen.
Impact:
The specified commands will incorrectly not find a match when there is one.
Workaround:
None.
Fix:
The iRules LX streaming external data-group API now correctly finds a match when the following commands are used:
- searchStartsWith (case insensitive search only).
- matchEndsWith/searchEndsWith (any search types).
- matchContains/searchContains (any search types).
636853-4 : Under some conditions, a change in the order of GTM topology records does not take effect.
Component: Global Traffic Manager (DNS)
Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.
Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.
Impact:
In certain configurations, the topology load balancing decision may not be made correctly.
Workaround:
Reload the GTM configuration or add/delete a topology record.
Fix:
Changes in the order of topology records now take effect immediately.
636790-4 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
Component: Global Traffic Manager (DNS)
Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.
Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.
Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.
Workaround:
None.
Fix:
The GUI now properly hides or disables the action buttons if a user does not have proper permissions to perform the action.
636702-4 : BIND vulnerability CVE-2016-9444
Solution Article: K40181790
636700-1 : BIND vulnerability CVE-2016-9147
Solution Article: K02138183
636699-6 : BIND vulnerability CVE-2016-9131
Solution Article: K86272821
636675 : It is impossible to open MS Word document in MS SharePoint 2013 using Internet Explorer 11 or MS Edge via Portal Access.
Component: Access Policy Manager
Symptoms:
It is impossible to open an MS Word document in MS SharePoint 2013 using Internet Explorer 11 or MS Edge via Portal Access; the browser shows an error message.
Conditions:
- MS SharePoint 2013 accessed via Portal Access session;
- Internet Explorer 11 or MS Edge;
- MS Word installed locally;
- MS Word document in SharePoint library.
Impact:
User cannot edit/browse MS Word documents from SharePoint library in local MS Word application.
Workaround:
None.
Fix:
Now MS Word documents in SharePoint 2013 library can be opened in local MS Word application via Portal Access.
636663 : "monpd: - Running monpd bigstart script." displayed on console at startup
Component: TMOS
Symptoms:
The following message seen on the console "monpd: - Running monpd bigstart script." when starting BIG-IP.
Conditions:
AVR, SWG, APM, AFM, PEM or ASM is provisioned.
Impact:
Unnecessary message is seen on the console, it can be safely ignored.
Fix:
Message removed.
636613 : GUI allows creating New client SSL profile in read-only partition
Component: Local Traffic Manager
Symptoms:
The Client SSL profile Ciphers Group/String option is not grayed out in a partition where editing is not allowed. This leaves the "Create New Cipher Group [+]" button clickable, which leads to the create client SSL profile page.
Conditions:
In a read-only partition, the New Cipher Group (+) button is clicked on any Client SSL profile properties page, and the new client SSL profile creation page is displayed.
Impact:
The GUI shows an edit/create option while the user is in read-only mode.
Workaround:
None needed: the GUI only displays the create client SSL profile page, and saving fails.
Fix:
The Ciphers Group/String option is now grayed out in the client SSL profile page, and the [+] button is grayed out when Cipher Group is selected.
636520-1 : Detail missing from power supply 'Bad' status log messages
Solution Article: K88813435
Component: TMOS
Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad
Conditions:
This occurs when the system posts an internal hardware sensor alert.
Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.
Workaround:
If power supply errors continue to be logged:
1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }
2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.
3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }
4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.
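Before handing the logs to F5, it helps to reduce the debug-level chmand lines to a per-supply summary. The following is an added example written for this page, not F5 tooling; the log lines are constructed from the messages quoted above, and the meaning of the status, pin and action fields is not documented here, so the script only extracts and tabulates them.

```python
"""Summarise chmand power-supply alerts from /var/log/ltm after raising
log.libhal.level to Debug, as in the ID 636520-1 workaround. Example code
written for this page, not F5 tooling. The log lines below are constructed
from the messages quoted in the workaround; the meaning of the status, pin
and action values is not documented here, so they are only extracted."""
import re
from collections import defaultdict

# Constructed sample: one default-level 'Bad' alarm and two debug-level alerts.
SAMPLE_LTM_LOG = """\
Jan  1 10:00:01 bigip1 crit chmand[1234]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad
Jan  1 10:00:05 bigip1 debug chmand[1234]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
Jan  1 10:00:05 bigip1 debug chmand[1234]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
Jan  1 10:00:06 bigip1 debug chmand[1234]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.
"""

ALERT_RE = re.compile(
    r"chmand\[\d+\]: 012a[0-9a-f]{4}:\d: Power Supply (?P<psu>\d+) alert "
    r"objid:(?P<objid>0x[0-9a-f]+) local:(?P<local>\d+) status:(?P<status>0x[0-9a-f]+) "
    r"pin:(?P<pin>0x[0-9a-f]+) action:(?P<action>0x[0-9a-f]+)")
BAD_RE = re.compile(
    r"chmand\[\d+\]: 012a0013:\d: .*Power Supply (?P<psu>\d+) GPIO status\((?P<part>[^)]+)\): Bad")


def parse_psu_events(log_text):
    """Return one dict per power-supply line; hex fields are converted to int."""
    events = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append({"kind": "alert", "psu": int(m.group("psu")),
                           "objid": int(m.group("objid"), 16),
                           "status": int(m.group("status"), 16),
                           "pin": int(m.group("pin"), 16),
                           "action": int(m.group("action"), 16)})
            continue
        m = BAD_RE.search(line)
        if m:
            events.append({"kind": "bad", "psu": int(m.group("psu")), "part": m.group("part")})
    return events


def summarise(events):
    """Per supply: count of 'Bad' alarms and the ordered (status, pin, action) tuples."""
    summary = defaultdict(lambda: {"bad_alarms": 0, "alerts": []})
    for e in events:
        if e["kind"] == "bad":
            summary[e["psu"]]["bad_alarms"] += 1
        else:
            summary[e["psu"]]["alerts"].append((e["status"], e["pin"], e["action"]))
    return dict(summary)


def summarise_file(path="/var/log/ltm"):
    """Convenience wrapper for use on the BIG-IP itself."""
    with open(path) as fh:
        return summarise(parse_psu_events(fh.read()))


if __name__ == "__main__":
    for psu, info in sorted(summarise(parse_psu_events(SAMPLE_LTM_LOG)).items()):
        print("Power Supply %d: %d Bad alarm(s), alerts %s"
              % (psu, info["bad_alarms"], info["alerts"]))
```

The summary is meant to accompany the qkview, not replace it: a repeating status/pin/action sequence on one supply versus all supplies at once is the kind of pattern that helps distinguish a failed unit from an external power problem, but the interpretation of the values is F5's.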
Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.
636479 : Hyper-V VE image fails to boot, stuck on "monpd: - Running monpd bigstart script." displayed on console at startup
Component: TMOS
Symptoms:
The following message seen on the console "monpd: - Running monpd bigstart script." when starting BIG-IP. When booting in Hyper-V, this causes the VE to fail to fully boot.
Conditions:
AVR, SWG, APM, AFM, PEM or ASM is provisioned.
Impact:
The BIG-IP VE fails to fully boot in Hyper-V.
Fix:
Message removed.
636371-1 : Upgrade from pre-v13.0.0 software might fail
Component: Fraud Protection Services
Symptoms:
A new malware object was introduced in version 13.0.0. This object replaces some of the functionalities that were previously configured on the FPS profile itself.
If you upgrade from a pre-13.0.0 software version, the operation might fail if the 'general' malware object already exists.
Conditions:
This occurs when the following conditions are met:
-- Profile-level blacklist-words or whitelist-words lists from the previous version are not empty.
-- The general malware appears in the antifraud.domainavailabilityurls db variable.
-- Upgrade from pre-v13.0.0 software.
Impact:
Upgrade will fail.
Workaround:
None.
Fix:
FPS now checks to determine whether the 'general' object already exists and modifies it instead of creating it.
636289-1 : Fixed a memory issue while handling TCP::congestion iRule
Component: Local Traffic Manager
Symptoms:
Increased memory usage in tmm.
Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.
Impact:
The memory allocated for congestion control is not freed.
Workaround:
If highspeed congestion control is needed only under some conditions, select highspeed congestion control in the TCP profile and use the iRule to switch to another congestion control algorithm when the condition no longer holds. With this workaround, once congestion control has been changed away from highspeed, it cannot be switched back to highspeed.
Fix:
Improved memory utilization while using TCP::congestion iRule.
636155 : Countries table bottom rows are hidden
Component: Application Visibility and Reporting
Symptoms:
When "Ignored filters" message appears for the Countries widget on DoS Visibility screen, scrolling to the bottom of the list is impossible since the bottom-most rows are hidden.
Conditions:
This can be seen on the DoS Visibility screen when scrolling to the bottom of the list.
Impact:
The country at the end of the table is not visible.
Workaround:
Change the sorting from Descending to Ascending to view the list in reverse.
Fix:
All rows are now displayed regardless of what else is on the page.
636044-2 : Large number of glob patterns affects custom category lookup performance
Solution Article: K68018520
Component: Access Policy Manager
Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.
Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.
Impact:
Slow response times to HTTP requests.
Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.
Fix:
Glob pattern matching has been extended to be context sensitive. If a pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If a match can be satisfied with prefix matching, the pattern is processed with a prefix comparison rather than as a glob. Multiple glob patterns are also combined into a single, more efficient match pattern. Custom category lookup is optimized when the custom category patterns use the context-sensitive form.
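To make the new matching rules concrete, the following added example (written for this page; it is not F5's implementation, and the character classes allowed for the scheme and hostname globs are assumptions) compiles URL patterns the way the fix describes: a glob just before "://" is limited to scheme characters, a glob just after it is limited to hostname characters, single-trailing-star patterns become prefix comparisons, and the remaining globs are merged into one alternation. The context_sensitive=False path shows plain glob behaviour for comparison.

```python
"""Context-sensitive URL glob matching as described in the fix for ID 636044-2.
Example code written for this page; it is not F5's implementation, and the
character classes used for the scheme and hostname contexts are assumptions."""
import re

SCHEME_CHARS = r"[A-Za-z0-9+.\-]*"  # assumed: glob immediately before "://"
HOST_CHARS = r"[^/?#]*"             # assumed: glob immediately after "://"


def _glob_to_regex(part, star_before_sep=False, star_after_sep=False):
    """Translate one glob fragment into a regex fragment.

    star_before_sep: a trailing '*' is immediately before '://' (scheme context)
    star_after_sep:  a leading '*' is immediately after '://' (hostname context)
    Every other '*' is unrestricted and '?' matches any single character."""
    out = []
    last = len(part) - 1
    for i, ch in enumerate(part):
        if ch == "*":
            if star_after_sep and i == 0:
                out.append(HOST_CHARS)
            elif star_before_sep and i == last:
                out.append(SCHEME_CHARS)
            else:
                out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def glob_regex(pattern, context_sensitive=True):
    """Anchored regex for a whole pattern; context_sensitive=False is plain globbing."""
    if context_sensitive and "://" in pattern:
        scheme, rest = pattern.split("://", 1)
        body = (_glob_to_regex(scheme, star_before_sep=True) + "://"
                + _glob_to_regex(rest, star_after_sep=True))
    else:
        body = _glob_to_regex(pattern)
    return "^" + body + "$"


def is_prefix_pattern(pattern):
    """A literal followed by a single trailing '*' needs no glob engine at all."""
    return pattern.endswith("*") and pattern.count("*") == 1 and "?" not in pattern


class CustomCategory:
    """One custom category: prefix patterns are checked with startswith and the
    remaining globs are merged into a single alternation regex."""

    def __init__(self, patterns, context_sensitive=True):
        self.prefixes = tuple(p[:-1] for p in patterns if is_prefix_pattern(p))
        globs = [glob_regex(p, context_sensitive)
                 for p in patterns if not is_prefix_pattern(p)]
        self.regex = re.compile("|".join("(?:%s)" % g for g in globs)) if globs else None

    def match(self, url):
        if self.prefixes and url.startswith(self.prefixes):
            return True
        return bool(self.regex and self.regex.match(url))


if __name__ == "__main__":
    patterns = ["*://*.example.com/*", "https://intranet.example.com/*"]
    new, old = CustomCategory(patterns), CustomCategory(patterns, context_sensitive=False)
    for url in ["https://www.example.com/index.html",
                "https://intranet.example.com/wiki",
                "https://attacker.test/?r=.example.com/"]:
        print(url, "context-sensitive:", new.match(url), "plain glob:", old.match(url))
```

The third sample URL shows why the context matters beyond speed: with plain globbing, *://*.example.com/* also matches https://attacker.test/?r=.example.com/ because the second star can run across the path and query, while the hostname-restricted star stops at the first "/". The difference only appears for patterns that rely on a glob around "://", so such custom category patterns are worth re-checking against their intended hosts after upgrading.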
636016 : VADC: when using an Intel XL710 SR-IOV nic a bigstart restart can re-order the interfaces and impact traffic
Component: TMOS
Symptoms:
After a bigstart restart, traffic no longer flows because interface ordering can change.
Conditions:
A Virtual Edition configuration with more than one XL710 SR-IOV interface.
Impact:
The VLANs will be assigned to the wrong interfaces, network traffic is blocked.
Workaround:
If no VLANs exist, or the configuration was not saved before the bigstart restart, nothing can be done except assigning the correct VLAN to the desired interface (1.X) after the restart. The MAC address of each interface can be used to identify the desired interface.
If a configuration with VLANs was saved before the bigstart restart, run the following commands:
-- bigstart stop (brings the data plane ethX devices down)
-- f5-swap-eth -s (reassigns the interfaces)
-- bigstart start (restarts the system)
Alternatively, reboot the guest.
635933 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
Solution Article: K23440942 K13361021
635754-2 : Wildcard URL pattern match works incorrectly in Traffic Learning
Solution Article: K65531575
Component: Application Security Manager
Symptoms:
In a policy with URL learning mode set to ALWAYS, wildcard URL matching for "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" prevents you from adding other wildcard destinations using policy builder.
Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.
Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.
Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).
Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.
"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using the "Up" button.
Fix:
Wildcard URL pattern match now works as expected in Traffic Learning
635703-2 : Interface description may cause some interface level commands to be removed
Solution Article: K14508857
Component: TMOS
Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.
Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.
Impact:
Interface level commands after the description will not appear in the imish running config and will not be loaded/functional.
Workaround:
To prevent this issue, do not use interface-level descriptions.
If the issue has already occurred, and the configuration is not loading, you can manually correct it using the following procedure:
1. Stop tmrouted using the following command: bigstart stop tmrouted
2. Edit the ZebOS.conf from the corresponding route-domain file manually and remove the interface-level 'description' and 'no shutdown' commands.
3. Restart tmrouted using the following command: bigstart restart tmrouted.
Note: Performing the workaround procedure will temporarily disrupt dynamic routing, so care and adequate planning must be taken into consideration.
Fix:
Routing protocol interface commands are no longer lost with the addition of interface descriptions.
635688 : backend<->GUI rest requests optimizations
Component: Application Visibility and Reporting
Symptoms:
The BIG-IP GUI times out, or you are logged out periodically.
Conditions:
This can occur during normal use of the AVR GUI and is due to potential communication issues between the GUI and the BIG-IP via the REST API.
Impact:
You see a time-out window, pages not fully displayed.
Fix:
Fixed some GUI timeout issues when fetching data from the BIG-IP
635680-1 : Link to DoS Visibility from a signature page starts with incorrect time-range
Component: Application Visibility and Reporting
Symptoms:
The link to DoS Visibility from a signature page starts with an incorrect time range.
Conditions:
This can occur on the Security :: DoS Protection : Behavioral Signatures page.
Impact:
Data is displayed for the Last Hour, even though the signature might be older.
Workaround:
Change the time range manually.
Fix:
The correct time range is now loaded.
635126-2 : Allow substitute value on fields sent by AJAX
Component: Fraud Protection Services
Symptoms:
"Full AJAX encryption" was incompatible with substitute value.
Conditions:
Substitute value is required on AJAX forms.
Impact:
Substitute value could not be enabled.
Workaround:
None.
Fix:
Substitute value and AJAX encryption can now be enabled together.
635116-3 : Memory leak when using replicated remote high-speed logging.
Solution Article: K34100550
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool, TMM may leak memory.
Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one pool member, and one of them becomes unavailable.
Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.
Workaround:
Do not use replication in the HSL destination configuration.
Fix:
TMM no longer leaks memory when using a replicated HSL setup.
635111-1 : New Application Ready Templates Available
Component: Application Security Manager
Symptoms:
Application Ready Templates for Drupal, Joomla, and Wordpress were missing from the 13.0.0 release.
Conditions:
None.
Impact:
Predefined templates for Drupal, Joomla, and Wordpress were missing.
Workaround:
Templates could be downloaded from https://devcentral.f5.com/d/new-asm-templates
Fix:
Application Ready Templates for Drupal, Joomla, and Wordpress are now available in policy creation.
634779-5 : In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file
Solution Article: K43945001
634132 : VE: virtio high performance driver (Linux/KVM)
Component: TMOS
Symptoms:
By default, the UNIC driver is used for virtio devices on Linux/KVM hypervisors, and at higher network speeds, the soft IRQ interrupt load competes with tmm. This can be observed under load with the "top" linux command showing ksoftirqd soft IRQ load.
Conditions:
Version 13.0.0 default behavior on Linux/KVM hypervisor with virtio nic(s) presented to the guest.
Note: To determine which driver is in use for each NIC, use the following command: tmctl -d blade tmm/device_probed.
Impact:
Potential performance issues (CPU utilization, throughput, connections/second).
Workaround:
None.
Fix:
For higher performance with virtio nics (relevant on Linux/KVM hypervisors), a new sys db variable supports switching to a TMM native driver.
634085-1 : IPsec tmm assert "ike_ctx tag"
Component: TMOS
Symptoms:
The tmm asserts with the message "ike_ctx tag."
Conditions:
This appears to happen only on VE with IKEv2 and IPv4; the probable cause is timing-related corruption.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The "ike_ctx tag" assert was replaced with an OOPS and the system logs the error and continues.
634015-4 : Potential TMM crash due to a PEM policy content triggered buffer overflow
Component: Policy Enforcement Manager
Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.
Conditions:
PEM configured with a large number of policy rules that exceeds the maximum supported PEM resources.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Buffer allocation checks have been added; they produce an error log entry instead of a buffer overflow.
633985-1 : CS challenged URL is rejected on complex CPM/irule configurations
Component: Application Security Manager
Symptoms:
A request is rejected.
Conditions:
A CS challenge is in progress.
There is a complex CPM configuration or an iRule.
Impact:
The request is rejected.
Workaround:
N/A
Fix:
The request is no longer rejected in complex CPM configurations.
633879-2 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect
Solution Article: K52833014
Component: TMOS
Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.
Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.
Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.
Workaround:
You may be able to select md5, save, and then restart; this sets up the daemon from a config file instead of via incremental config parsing. So while it does not work right after being changed in the UI, the md5 option may work after a restart.
Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.
633723-4 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
Component: Local Traffic Manager
Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.
Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.
Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.
See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.
Workaround:
None.
Fix:
The system now automatically runs nitrox data collection when 'request queue stuck' errors occur.
Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.
If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.
633564-1 : Route unavailable when static route depends on another static route
Component: Local Traffic Manager
Symptoms:
Static route on the BIG-IP becomes unavailable after TMM restart, even though it's configured, and shows up in "list net route".
Conditions:
This occurs after restart, when a static route exists that depends on another static route. For example, a gateway route depends on an interface route.
Impact:
The route is unavailable for use; traffic that depends on the route is dropped if there are no alternate routes.
Workaround:
Remove the broken static route and re-add it.
Fix:
Route inter-dependencies no longer cause static routes to be unavailable after restart.
633391-2 : GUI Error trying to modify IP Data-Group
Component: TMOS
Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.
Conditions:
Modify the value field in an Address Records row (string or integer) and click Update.
Impact:
An "Error parsing IP address" message appears at the top of the page. You cannot modify internal data groups using the GUI. You can delete and re-create the entry, but cannot modify it.
Workaround:
Use tmsh to modify the record field of the data groups.
Fix:
You can now modify the IPv6&IPv4 value within an existing data group.
Behavior Change:
Users can now modify and update data groups.
633333-1 : During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
Component: Local Traffic Manager
Symptoms:
During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and an MPTCP connection is established.
Impact:
The serverside connection is reset before all data has been sent, causing the tail end of the data stream to not be proxied.
Workaround:
There is no workaround.
Fix:
Fixed sequence of events on connection closure.
633091 : Avr debug messages are printed to screen when saving/loading sys config
Component: TMOS
Symptoms:
Avr debug messages are printed to screen
Conditions:
When running:
tmsh save sys ucs someUcs
or
tmsh load sys ucs someUcs
Impact:
You see debug messages; these can be ignored.
Workaround:
No workaround
Fix:
Run tmsh save/load sys ucs someUcs
and verify avr messages are not printed.
Example of debug message:
11:24:42 Running cs_save_pre_script on Mon Dec 12 11:24:42 PST 2016
632875-4 : Non-Administrator TMSH users no longer allowed to run dig
Component: Global Traffic Manager (DNS)
Symptoms:
TMSH users without the Administrator role are allowed to run dig, which may allow access to files in the local filesystem.
Conditions:
Execute dig via TMSH
Impact:
File access restrictions for TMSH users without the Administrator role are not properly enforced when executing the dig command.
Fix:
TMSH users who do not have the Administrator role can no longer run the dig utility through TMSH.
Behavior Change:
The dig command can no longer be run through TMSH by non-admin users.
632668-6 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
Component: TMOS
Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.
Conditions:
System is using statically configured BFD sessions. System is forced offline.
Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.
Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.
632646-3 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
Component: Access Policy Manager
Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.
Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.
Impact:
OAM login with an invalid ObSSOCookie results in an error page. However, the expected behavior is that the user is redirected to the login page if login with the ObSSOCookie fails.
Workaround:
No Workaround
Fix:
On authentication with an ObSSOCookie, the system now uses the getStatus() API call to check the ObSSOCookie status and redirects to the IDP if the status is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix, the user is redirected to the IDP when logging in with a cookie that was deleted manually from the OAM server.
632504-2 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
Solution Article: K31277424
Component: Access Policy Manager
Symptoms:
Non-LSO resources such as webtop, even when they are assigned via a normal resource assign agent, are listed under dynamic resources as opposed to static ones.
Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".
Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.
Workaround:
If it is a static resource, do not select it as dynamic resource.
Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.
632499-2 : APM Policy Sync: Resources under webtop section are not sync'ed automatically
Solution Article: K70551821
Component: Access Policy Manager
Symptoms:
Resources placed under a webtop section, such as a webtop link or portal access, must be included as dynamic resources or else sync fails.
Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-created portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.
Impact:
Sync will fail and some configured resources will not be available on the other devices.
Workaround:
Include those resources as dynamic resources in Policy Sync advanced settings.
Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.
632388-1 : Sync all autodos history files from active to standby units every 5 mins
Solution Article: K34214852
Component: Advanced Firewall Manager
Symptoms:
In a high availability (HA) environment, MCP usage increases to 100% every 5 minutes on active devices and 65% on standby devices, which can negatively impact GUI performance. This occurs because the autodosd daemon individually syncs each autodos history file every 5 minutes. (The autodosd daemon is a control plane process which supports the BIG-IP AFM DoS Auto Threshold feature.)
Conditions:
-- AFM provisioned.
-- HA configured.
Impact:
Performance of the BIG-IP system can temporarily be impacted.
Workaround:
None.
Fix:
The system now uses one sync transaction to sync all autodos history files together from active to standby devices every five minutes, so the performance impact is avoided.
632069-2 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
Component: TMOS
Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.
Conditions:
VE platform
Authenticated user with advanced shell access
Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.
Fix:
Update the sudo package to improve security.
632060-2 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header
Component: iApp Technology
Symptoms:
When upgrading to the 12.1.1, 12.1.2, or 13.0 releases, executing a command similar to
curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:
"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",
Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0
Impact:
If your device has an iApps LX application, that application will not synchronize to the standby device. So if a failover occurs, the iApps LX application will seem to disappear, and traffic will not pass through the application.
Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.
Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iApps LX application.
1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s).
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage
Fix:
Upgrade to 13.1 or a 13.0.x hotfix.
631862-5 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
Solution Article: K32107573
Component: Local Traffic Manager
Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.
Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).
Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.
Workaround:
Use the following iRule for broken URLs:
when HTTP_RESPONSE {
    if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
        HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
    }
}
The condition may be changed to narrow the iRule to specific URLs.
HTTP::respond may be modified to include other important headers and serve the proper status code.
Fix:
When OWS serves Transfer-Encoding: chunked with a zero-size chunk, BIG-IP properly handles the response and sends the END_STREAM flag, finalizing the response.
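The zero-size-chunk case above, as an added illustration in Python (not BIG-IP or F5 code): a small chunked-body decoder that reports the terminal chunk even when it is the only chunk, and a mapping onto HTTP/2 frames that shows why END_STREAM must ride on the HEADERS frame when there is no body. The defect/fixed switch and the frame tuples are assumptions made for the illustration, not the product's internals.

```python
"""Added example (not BIG-IP or F5 code): decode an HTTP/1.1 chunked body and
show why a zero-size terminal chunk must still finalize the HTTP/2 stream."""
from typing import List, Tuple

Frame = Tuple[str, bytes, bool]  # (frame type, payload, END_STREAM flag)


def decode_chunked(data: bytes) -> Tuple[bytes, bool, bytes]:
    """Decode a Transfer-Encoding: chunked body from the bytes seen so far.

    Returns (body, finalized, remainder):
      body       payload of all complete data chunks
      finalized  True once the zero-size chunk and its closing CRLF were seen
      remainder  unconsumed bytes (an incomplete chunk) to resume with later
    """
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:                       # chunk-size line not complete yet
            return bytes(body), False, data[pos:]
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError as exc:
            raise ValueError(f"malformed chunk size {size_field!r}") from exc
        if size == 0:
            # Terminal chunk: optional trailer lines, then an empty line.
            # This is the edge case from the release note: it may be the ONLY
            # chunk, so the caller must learn 'finalized' although body is empty.
            p = eol + 2
            while True:
                e = data.find(b"\r\n", p)
                if e < 0:                 # still waiting for the final CRLF
                    return bytes(body), False, data[pos:]
                if e == p:                # empty line: message is complete
                    return bytes(body), True, data[e + 2:]
                p = e + 2                 # skip one trailer header line
        start, end = eol + 2, eol + 2 + size
        if len(data) < end + 2:           # chunk data not fully received
            return bytes(body), False, data[pos:]
        if data[end:end + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body += data[start:end]
        pos = end + 2


def h2_response_frames(body: bytes, finalized: bool, fixed: bool = True) -> List[Frame]:
    """Map a decoded response onto the HTTP/2 frames a proxy would emit.

    fixed=False models the reported defect (an assumption for illustration):
    END_STREAM was only ever set on a DATA frame, so a body that decoded to
    zero bytes produced no DATA frame and therefore no END_STREAM.
    fixed=True puts END_STREAM on the HEADERS frame when there is no payload.
    """
    end_on_headers = fixed and finalized and not body
    frames: List[Frame] = [("HEADERS", b"", end_on_headers)]
    if body:
        frames.append(("DATA", body, finalized))
    return frames


def stream_finalized(frames: List[Frame]) -> bool:
    """True if any emitted frame carried END_STREAM."""
    return any(end for _, _, end in frames)


def proxy_chunked_response(raw: bytes, fixed: bool = True) -> List[Frame]:
    """Decode a chunked origin body and produce the client-side HTTP/2 frames."""
    body, finalized, _ = decode_chunked(raw)
    return h2_response_frames(body, finalized, fixed)


if __name__ == "__main__":
    # Constructed sample: a redirect whose chunked body is only the terminator.
    empty_redirect_body = b"0\r\n\r\n"
    for mode in (False, True):
        frames = proxy_chunked_response(empty_redirect_body, fixed=mode)
        print("fixed" if mode else "defect", frames, "finalized:", stream_finalized(frames))
```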
631715-2 : ASM::disable does not disable client side challenges
Component: Application Security Manager
Symptoms:
ASM::disable command was run but a challenge was still sent.
Conditions:
An iRule with ASM::disable is in place, and a CS or DID challenge is configured.
Impact:
An unexpected JS challenge arrives.
Workaround:
N/A
Fix:
Challenges are no longer sent when the ASM::disable command runs.
631688-8 : Multiple NTP vulnerabilities
Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302
631572 : Cryptic error relating to the liveinstall.movelicense DB variable
Component: TMOS
Symptoms:
Unable to install, with an error containing, "Could not access license source".
Conditions:
liveinstall.movelicense needs to be disabled (with the config saved).
lind may need to be restarted (or the system rebooted after the change).
A new slot (nonexistent volume) needs to be chosen for the new installation.
Impact:
Installation fails when this DB variable is set.
Workaround:
Enable liveinstall.movelicense (or reset-to-default).
Save the configuration.
bigstart restart lind.
Either the aborted installation will resume, or a new one will succeed.
Fix:
A more helpful message is now provided:
failed (--nomovelicense specified, but target volume (1) does not exist.)
631286-2 : URI cache entries should be replaced /expired for euie hash table
Component: Access Policy Manager
Symptoms:
Tmctl stats for "access_uri_info" gradually grow and can lead to TMM memory exhaustion.
Conditions:
APM or SWG use case.
Impact:
TMM memory exhaustion.
Workaround:
Restart tmm.
Fix:
A limit on how many entries are stored in the URI cache is implemented. The default is 2048 entries; the following DB variable controls the maximum:
access.max.euie_uri.cache.entries
The DB variable allows a range of 2048 - 8192.
630712 : After provisioning change, Dimension Widgets on DoS Visibility pages are incorrect
Component: Application Visibility and Reporting
Symptoms:
The Dimension Widgets list is defined upon first access to a DoS page during a browsing session. This means that if provisioning changes during that session, the widgets that are displayed may be incorrect.
When un-provisioning modules it is not a problem since every widget goes through a licensing/provisioning validation before being added to the page.
However, if adding a new module to provisioning, new widgets will not be added until the window/tab is closed and a new browsing session starts, or until "Reset Layout" is performed.
Conditions:
Change of provisioning modules during browsing session
Impact:
List of dimension widgets is not up to date with current provisioning
Workaround:
Workaround 1: closing and opening the window or tab.
Workaround 2: choosing "Reset Layout" option from the cog menu.
Fix:
List of widgets is now determined by what's actually provisioned.
630611-3 : PEM module crash when subscriber not found
Solution Article: K84324392
Component: Policy Enforcement Manager
Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.
Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.
Impact:
PEM/TMM SIGSEGV.
Workaround:
None.
Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.
630610-1 : BFD session interface configuration may not be stored on unit state transition
Solution Article: K43762031
Component: TMOS
Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.
Conditions:
State transitions from online to offline.
Impact:
BFD configuration will be missing from the ZebOS running config, and no BFD sessions will be established.
Workaround:
Re-add statements manually.
Fix:
BFD session interface configuration is now stored on unit state transition.
630446-5 : Expat vulnerability CVE-2016-0718
Solution Article: K52320548
630390-1 : Client Side challenges and device ID do not work on a virtual server that also has APM
Component: Application Security Manager
Symptoms:
Client side challenges do not work when APM is enabled in clientless mode.
Conditions:
APM is on the same virtual server as ASM.
APM is running in clientless mode.
Impact:
Device ID-related features do not work correctly.
Workaround:
N/A
Fix:
Challenges are now sent when APM is in the chain.
629921-3 : [SWG] NTLM 407-based front end auth and passthrough 401-based NTLM backend auth does not work.
Component: Access Policy Manager
Symptoms:
With an SWG client-side NTLM auth configuration, while NTLM auth is being performed for the backend, the ECA plugin traps the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, sinks the request, and generates a 407 to the client to perform proxy authentication.
Conditions:
Set up SWG for auth with NTLM credentials.
Access a proxied resource that also requires NTLM auth.
Impact:
Backend server access is restricted.
Workaround:
None
Fix:
Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.
629752 : On DoS Visibility pages, metrics from unprovisioned modules are displayed in the widgets
Component: Application Visibility and Reporting
Symptoms:
When either ASM or AFM is not provisioned, Dimension Widgets still show metrics that belong to that module.
Conditions:
Have either ASM or AFM provisioned, but not both.
Impact:
Metrics that are not applicable to the given system are displayed.
Workaround:
N/A
Fix:
Only metrics belonging to provisioned modules will be presented to the user.
629573 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition
Component: Application Visibility and Reporting
Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.
Conditions:
When using virtual servers and ASM policies under a non-'Common' partition, exported reports do not display the selected drill-down filters.
Impact:
Exported reports will be displayed without the filters.
Workaround:
None.
Fix:
Exported reports now take partitions into consideration, so the drill-down filters appear as expected.
629491-1 : REST token storage improvement
Component: Device Management
Symptoms:
Under some conditions, it is possible to exceed the capacity of the REST token storage subsystem.
Conditions:
REST interface in heavy use by authenticated users.
Impact:
Unable to generate additional REST tokens.
Fix:
Improved handling of REST tokens under high usage conditions.
629411-1 : OAuth Client/RS and Authorization Server don't work together on the same BIG-IP
Component: Access Policy Manager
Symptoms:
OAuth Client/RS and Authorization Server don't work together on the same BIG-IP system. These two features cannot be configured on the same BIG-IP system, and have to be configured on separate BIG-IP systems.
Beginning with version 13.0.0, APM supports OAuth Client and RS functionality as one feature. APM also supports AS (an F5-specific implementation) as another feature. These two features are dependent on each other in that OAuth Client/RS communicate with AS for authorization decisions.
Conditions:
When APM OAuth client/RS and AS are configured on the same BIG-IP system.
Impact:
APM OAuth Client/RS and AS cannot communicate with each other when configured on the same BIG-IP system.
Workaround:
Configure OAuth Client/RS on one BIG-IP system and AS on another BIG-IP system.
Fix:
Now OAuth Resource Server (RS), Authorization Server (AS), and Client role can be used simultaneously in the same BIG-IP.
629085-2 : Any CSS content truncated at a quoted value leads to a segfault
Solution Article: K55278069
Component: TMOS
Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.
Example:
...
.c1 {background-image: url('some
Conditions:
CSS ends without closing quote in value.
Example:
...
.c1 {background-image: url('some
Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.
Workaround:
Use a particular iRule.
Fix:
CSS content truncated at a quoted value no longer leads to a segfault.
629017 : Comparison Charts persist only while staying on the page
Component: Application Visibility and Reporting
Symptoms:
Comparison Charts are not persisted and if the page is reloaded or navigated away from in any other way, the charts will be lost.
Conditions:
Refreshing the page while looking at comparison charts.
Impact:
Settings are not preserved; you must reconfigure them to see the comparison.
Workaround:
None.
Fix:
All chart configuration, including comparison charts, is now persisted during the navigation session (as long as the browser tab is open), even if the page is reloaded or navigated away from.
629013 : Right pane display does not respect the Pin Selected function when a filter has just been applied
Component: Application Visibility and Reporting
Symptoms:
When a filter is applied while the Pin Selected function is enabled, the function does not work. If it is disabled and enabled again, everything works and the filtered entities are pinned.
Conditions:
N/A
Impact:
N/A
Workaround:
Disable and re-enable the Pin Selected option.
Fix:
When changing filters from outside of the widget, the widget will update the position of its selected entities.
628721-6 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
Component: Local Traffic Manager
Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.
Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.
Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.
Workaround:
Restarting tmm will clear the leaked connections.
Fix:
The connections are now properly cleaned up if they are unsuccessfully created.
628337-2 : Forcing a single injected tag configuration is restrictive
Component: Fraud Protection Services
Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.
Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.
Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.
Workaround:
Configure injected tags in a way that can be applied to all URLs protected in a profile. If that is not possible due to the HTML structure of some URLs, the HTML must be modified.
Fix:
Injected tags configuration has been moved to the URL level.
628311-4 : Potential TMM crash due to duplicate installed PEM policies by the PCRF
Solution Article: K87863112
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.
Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.
Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.
628164-4 : OSPF with multiple processes may incorrectly redistribute routes
Solution Article: K20766432
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute different route types, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.
OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.
627764-1 : Prevent sending a 2nd RST for a TCP connection
Component: Local Traffic Manager
Symptoms:
After a specific sequence of packets that results in a RST being sent, the TCP connection was kept alive and sent another RST when the connection expired.
Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.
Impact:
Two RST segments are sent to the client instead of one. In addition, the TCP connection was kept alive until the sweeper cleaned it up.
Workaround:
There is no workaround at this time.
Fix:
TCP now sends a single RST for this specific sequence of packets.
627747 : Improve cURL Usage
Solution Article: K20682450
627695-1 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u" are not operational
Component: Local Traffic Manager
Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.
Conditions:
Issue happens when running safenet-sync.sh -u.
Impact:
No impact.
Workaround:
None.
Fix:
In this release, there is no Yes or No option for the SafeNet uninstall command 'safenet-sync.sh -u'.
627554-1 : Partition of LTM policies is displayed in breadcrumb rather than properties table row
Component: TMOS
Symptoms:
There is no 'Partition/Path' row on LTM policies properties page. Instead the partition is displayed in the breadcrumb at the top of the page.
Conditions:
This is encountered when selecting an LTM policy.
Impact:
Partition/Path not displayed.
Workaround:
None.
Fix:
The partition was removed from the properties page breadcrumb and added as a 'Partition/Path' row to match the behavior of other LTM properties pages.
626861-1 : Ensure unique IKEv2 sequence numbers
Solution Article: K31220138
Component: TMOS
Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.
Conditions:
When a sufficiently large number of tunnels are in use (e.g., numbering in the thousands), the odds of generating a duplicate sequence number are relatively high, given the number of random bits used to generate the number. More tunnels make it more likely to occur.
Impact:
A sequence number collision might confuse an old SA and probably prevents negotiation of a new SA from ever completing. In addition, the system might crash if an old SA is updated in a state where an update is not expected.
Workaround:
None.
Fix:
Now BIG-IP uses more random bits in generated sequence numbers, and it always checks whether a new sequence number is currently in use anywhere else before proceeding. Thus collisions cannot be generated in sequence number allocation. New numbers should always be guaranteed unique now.
626851-4 : Potential crash in a multi-blade chassis during CMP state changes.
Solution Article: K37665112
Component: Policy Enforcement Manager
Symptoms:
CMP state change can result in a blade crash.
Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.
Impact:
Blade crash resulting in potential loss of service.
Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.
Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.
626594-3 : No way to perform a soft server certificate verification
Component: Local Traffic Manager
Symptoms:
There is no way to perform a soft server certificate verification.
Conditions:
Server-side SSL forward proxy when 'server certificate' is set to 'require' and both 'untrusted CA response control' and 'expired certificate response control' are set to 'ignore'.
Impact:
No way to perform a soft server certificate verification and continue the handshake as though the verification is OK, even if it is not OK.
Workaround:
None.
Fix:
There is a new sys db variable: tmm.ssl.servercert_softval with default value 'disabled'.
When this sys db variable is 'enabled', calling SSL::verify_result returns a soft verify_result value.
Typical use case:
It is used in the server-side SSL forward proxy when 'server certificate' is set to 'require' and both 'untrusted CA response control' and 'expired certificate response control' are set to 'ignore', but you would still like to perform a soft server certificate verification.
Behavior Change:
There is a new sys db variable: tmm.ssl.servercert_softval with default value 'disabled'.
When this sys db variable is 'enabled', calling SSL::verify_result returns a soft verify_result value.
Typical use case:
It is used in the server-side SSL forward proxy when 'server certificate' is set to 'require' and both 'untrusted CA response control' and 'expired certificate response control' are set to 'ignore', but you would still like to perform a soft server certificate verification.
626386-2 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
Solution Article: K28505256
Component: Local Traffic Manager
Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.
Conditions:
When SSL persistence is enabled and a large-sized client certificate is sent by the SSL client to the BIG-IP device.
Impact:
Client connection hangs during the handshake. No impact to any other module.
Workaround:
Disable SSL persistence.
Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.
626311-1 : Potential failure of DHCP relay functionality due to incorrect route lookup.
Solution Article: K75419237
Component: Local Traffic Manager
Symptoms:
DHCP requests from client to server may not make it through.
Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.
Impact:
Clients might not get an IP address from the DHCP server.
Workaround:
None.
Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.
625892-1 : Nagle Algorithm Not Fully Enforced with TSO
Component: Local Traffic Manager
Symptoms:
Sub-MSS packets are more numerous than Nagle's algorithm would imply.
Conditions:
TCP Segmentation Offload is enabled.
Impact:
Sub-MSS packets increase overhead and client power consumption.
Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
Fix:
Deliver Integer Multiples of MSS to the TSO hardware when Nagle's algorithm applies.
624896-1 : GUI LTM Virtual Server Connection Limit and Connection Rate Limit
Component: TMOS
Symptoms:
Depending on the Virtual Server Type selection the Connection Limit and Connection Rate Limit may or may not be supported.
When changing the Virtual Server Type the GUI sometimes displays or hides the Connection Limit and/or Connection Rate Limit inconsistently.
Conditions:
When switching between Types, the Connection Limit and Connection Rate Limit may or may not be displayed or hidden correctly for the selected type.
Impact:
When updating the Virtual Server, if a value is persisted when it is not supported, the user will get an error. Or if a value is supported, but not visible, you cannot set the value through the GUI.
Workaround:
For values that are saved when they are not supported and the user gets an error, the user can set the value to 0. If the Connection Limit or Connection Rate Limit is not displayed in the GUI, the user can use tmsh to set the value.
Fix:
Ensure GUI is displaying and hiding Connection Limit and Connection Rate Limit correctly for each Virtual Server Type.
624722 : Linux kernel vulnerability CVE-2016-7117
Solution Article: K51201255
624580 : BigDB.dat may become truncated
Solution Article: K37147352
Component: TMOS
Symptoms:
BigDB.dat may become truncated.
Conditions:
The conditions under which this occurs are not well understood.
Impact:
Tomcat and possibly mcpd may restart due to having incorrectly generated configuration.
Workaround:
None.
Fix:
A truncated BigDB.dat no longer causes Tomcat or mcpd to restart.
623362-1 : Oversized pool member input
Component: TMOS
Symptoms:
In the System :: High Availability : Fail-safe : Gateway property page in the GUI, you are allowed to enter a pool member count higher than the maximum of 65535.
Conditions:
This occurs when entering a minimum pool member count. The limit is 0-65535 but the GUI allows you to enter a higher number.
Impact:
If you enter a higher number, a validation error will occur: "Value out of range. Correct Range: 0 - 65535"
Fix:
The pool member input is now 5 characters long.
622160 : ICMPv6 packets can have the wrong source IP if an IPv6 VIP has IPv4 pool members
Component: Local Traffic Manager
Symptoms:
ICMPv6 packets have the source IP of the IPv4-mapped IPv6 self IP address instead of the IPv6 self IP address configured on the unit.
Conditions:
An IPv6 forwarding VIP with no translation references IPv4 pool members, and the PMTU to the next hop is less than the packet size sent by the server.
Impact:
ICMPv6 packets are sent with the wrong source IP addresses.
621976-5 : OneDrive for Business thick client shows javascript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the JavaScript errors eventually leads to successful authentication and a working OneDrive for Business app.
Workaround:
Click through the JavaScript error dialogs.
Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.
621974-5 : Skype For Business thick client shows javascript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the JavaScript errors eventually leads to successful authentication and a working Skype For Business app.
Workaround:
Click through the JavaScript error dialogs.
Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.
621870-1 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.
Conditions:
VIP-VIP configuration
Impact:
System outage
Workaround:
None.
621379-1 : TCP Lossfilter not enforced after iRule changes TCP settings
Component: Local Traffic Manager
Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.
Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.
An iRule changes any of the above settings except loss-filter.
Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.
Workaround:
Change any of the conditions above.
Fix:
Properly handle loss-filter state when switching TCP stacks.
620903-2 : Decreased performance of ICMP attack mitigation.
Component: Performance
Symptoms:
Decreased performance of ICMP attack mitigation.
Conditions:
A BIG-IP system is under attack, for example an ICMP flood attack.
Impact:
Decreased performance of ICMP attack mitigation.
Workaround:
None.
Fix:
Increased performance of ICMP attack mitigation.
620759-3 : Persist timeout value gets truncated when added to the branch parameter.
Component: Service Provider
Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.
Conditions:
If the persist timeout value is higher than 65535, the value gets truncated.
Impact:
An incorrect persist timeout takes effect for the call, different from the value set in the configuration.
Workaround:
None.
Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.
620659-4 : The BIG-IP system may unnecessarily run provisioning on successive reboots
Component: TMOS
Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'
During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'
Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example, a new configuration load).
Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.
The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
<13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB
The /var/log/tmm logfile on the vCMP guest will contain:
<13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
<13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
<13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **
Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.
Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.
620625-3 : Changes to the Connection.VlanKeyed DB key may not immediately apply
Solution Article: K38094257
Component: Local Traffic Manager
Symptoms:
Changes to the Connection.VlanKeyed DB key may not immediately apply to all TMMs
Conditions:
The Connection.VlanKeyed DB key is changed
Impact:
Asymmetrically routed connections may fail with Connection.VlanKeyed disabled
Workaround:
Restarting TMM resolves the issue. Because this interrupts traffic, it should be performed during a maintenance window. To do so, run one of the following commands:
-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm
Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.
619593-1 : Provisioning page table cells overlap
Component: TMOS
Symptoms:
Cells in the provisioning page table overlap when they contain long strings.
Conditions:
Cells in the provisioning page table contain long strings.
Impact:
The cells will overlap.
Workaround:
None.
Fix:
Cells in the provisioning page table no longer overlap when they contain long strings.
618430-1 : iRules LX data not included in qkview
Component: Local Traffic Manager
Symptoms:
Qkview does not contain any of the iRuleLX information.
Conditions:
N/A
Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.
Fix:
The following ILX information was added to the qkview:
TMSH commands:
list ilx workspace all-properties
list ilx plugin all-properties
list ilx global-settings (13.0.0+)
list ltm profile ilx all-properties (13.0.0+)
show ilx plugin all
show ltm profile ilx all (13.0.0+)
The files in the following folders:
/var/ilx - master copies of workspaces
/var/sdm - running files of the plugins
/var/log/ilx - ILX specific logs
618332-3 : No event triggered when the system receives a certificate message from the server.
Component: Local Traffic Manager
Symptoms:
There is no event triggered when the system receives a certificate message from the server.
Conditions:
System receives a certificate message from the server.
Impact:
No event triggered.
Workaround:
None.
Fix:
A new event SERVERSSL_SERVERCERT is raised after the server certificate is received and verified on the server side.
Behavior Change:
A new event SERVERSSL_SERVERCERT is raised after the server certificate is received and verified.
617901-9 : GUI to handle file path manipulation to prevent GUI instability.
Component: TMOS
Symptoms:
The request file path may be incorrectly processed.
Conditions:
An authenticated administrative user makes a GUI request.
Impact:
The GUI becomes unstable because it cannot process the request.
Fix:
The GUI now redirects the user to a No Access page instead of attempting to process the request.
617273-10 : Expat XML library vulnerability CVE-2016-5300
Solution Article: K70938105
616104-1 : VMware View connections to pool hit matching BIG-IP virtuals
Component: Access Policy Manager
Symptoms:
When a VMware View resource is configured to use a pool as a destination, for all the connections to this pool, except the very first one, a matching virtual lookup is performed.
This doesn't align with the typical BIG-IP behavior on pool connections that should go directly to the chosen pool member and not hit matching virtual servers.
Conditions:
If a VMware View resource is configured to connect to a pool and there is a virtual server matching some or all the IP/port values of pool members, connections to those members will go through the matching virtual server, except for the very first one.
Impact:
If a matching virtual is not intended to pass the traffic through (e.g., a 'reject-all' virtual), those connections routed to this virtual server will fail.
Workaround:
None.
Fix:
All connections to VMware View pool members now go directly to the pool member without hitting matching BIG-IP virtual servers.
616008-2 : TMM core may be seen when using an HSL format script for HSL reporting in PEM
Solution Article: K23164003
Component: Policy Enforcement Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.
Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.
615372 : Occasional TCP resets during connection initiation (RST cause is "No local listener")
Component: TMOS
Symptoms:
Occasionally, the BIG-IP will send a TCP RST in response to an initial SYN with the reset cause "No local listener". This does not affect subsequent connections from the client, so they are likely to succeed.
The reset cause for a packet can be logged by setting the DB variable TM.rstcause.log to enable. The reset cause can be sent in the RST packet by setting the DB variable TM.rstcause.pkt to enable.
Conditions:
A virtual server is configured to use TCP and a client initiates a connection.
Impact:
The attempted connection is reset. Subsequent attempts are likely to succeed.
Workaround:
None.
Fix:
The icr_eventd daemon was updated to use TCP connections more efficiently.
615267 : OpenSSL vulnerability CVE-2016-2183
Solution Article: K13167034
615226 : Libarchive vulnerabilities: CVE-2016-8687 and others
Solution Article: K13074505
614804-1 : libcurl vulnerabilities: CVE-2016-5420, CVE-2016-5421, CVE-2016-7141
Component: TMOS
Symptoms:
Under certain conditions, processes using libcurl may reuse existing TCP connections that should be isolated.
Conditions:
Custom programs installed on BIG-IP and using libcurl may be affected.
Impact:
Libcurl is present on BIG-IP systems but is not used in a vulnerable way by any standard processes.
Fix:
Update libcurl to a non-vulnerable version.
613275-1 : SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
Solution Article: K62581339
Component: TMOS
Symptoms:
The values returned during an SNMP get/MIB walk are incorrect for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
The values should match those displayed by 'tmsh list net interface media-max' and 'tmsh list net interface media-active' respectively, which are correct.
Conditions:
-- Performing an SNMP get or MIB walk.
-- Viewing values for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
Impact:
The system reports inaccurate information for these objects.
Workaround:
To get the correct results, use the following commands:
tmsh list net interface media-max
tmsh list net interface media-active
Fix:
SNMP get/MIB walk now return correct information for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
612792-2 : Support RDP redirection for connections launched from APM Webtop on iOS
Component: Access Policy Manager
Symptoms:
Launching Native RDP resource from APM Webtop might fail on iOS.
Conditions:
1. Native RDP resource is launched from APM Webtop on iOS.
2. The RDP connection is redirected from one RDP server to another. This typically happens in RDP farm (multiple RDP servers) deployments.
Impact:
Native RDP resource can't be launched.
Workaround:
iOS RDP client version 8.1.35 allows a workaround with the following "Variable Assign" agent in the Access Policy:
Custom Variable:
session.client.platform
Custom Expression:
set client_os [mcget {session.client.platform}];
return [expr {$client_os == "iOS" ? "Android" : $client_os}];
Fix:
RDP redirection is now supported for connections launched from APM Webtop on iOS. Launching RDP resources from APM Webtop now requires at least version 8.1.35 of iOS RDP client.
612118-1 : Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
Component: Access Policy Manager
Symptoms:
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.
Conditions:
SWG per-request policy with proxy select agent.
Impact:
The BIG-IP system directly communicates with the backend to fetch server certificates.
Workaround:
None.
Fix:
The next-hop proxy is now used for all connections that use the proxy-select agent, even for fetching the backend certificate. In earlier versions the default route was used to fetch the certificate.
In transparent mode for HTTPS traffic, the proxy-select agent is able to use the host and port information gathered from the backend certificate, because the per-request policy can run before the certificate-fetching process. Therefore, the per-request policy is no longer required to have a category lookup agent before the proxy-select agent.
611691-6 : Packet payload ignored when DSS option contains DATA_FIN
Component: Local Traffic Manager
Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.
Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.
Impact:
The last packet of data is not received.
Workaround:
Disable MPTCP.
Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.
611161-4 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Solution Article: K28540353
Component: Local Traffic Manager
Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs and the generated ARP requests are not being answered, VLAN failsafe resorts to ICMP.
Impact:
There are very rare situations in which failsafe triggers when it should not have.
Workaround:
None.
Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.
610485-1 : Attacks chart has no time axis
Component: Application Visibility and Reporting
Symptoms:
Attacks chart has no time axis.
Conditions:
Viewing the Attacks chart in AVR.
Impact:
There is no grid. Difficult to determine time values.
Workaround:
None.
Fix:
The standard AVR chart time axis has been added.
610307-4 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
Component: TMOS
Symptoms:
This error message may be generated once or twice at shutdown:
01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.
Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.
Impact:
None. This can be ignored.
Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.
Fix:
This error message could have been generated once or twice at shutdown:
01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.
It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.
610201-1 : Undefined behavior when calling HTTP::payload within HTTP_REQUEST_SEND iRule event
Component: Local Traffic Manager
Symptoms:
The invocation of HTTP::payload iRule API within the HTTP_REQUEST_SEND iRule event may lead to undefined behavior, such as retrieval of invalid HTTP data, or system crash.
Conditions:
The problem manifests itself exclusively with iRules attached to HTTP virtual servers, where the iRules are using the HTTP::payload API invocation within the HTTP_REQUEST_SEND server-side event.
Impact:
Corrupted HTTP data or system crash may result from the invocation of the HTTP::payload API within the HTTP_REQUEST_SEND iRule event.
Workaround:
The HTTP::payload API should not be invoked within the HTTP_REQUEST_SEND iRule event. According to the underlying API documentation, the valid HTTP events should be limited to CACHE_REQUEST, CACHE_RESPONSE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA.
Fix:
The HTTP::payload API should not be invoked within the HTTP_REQUEST_SEND iRule event. According to the underlying API documentation, the valid HTTP events should be limited to CACHE_REQUEST, CACHE_RESPONSE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA.
610122 : Hotfix installation fails: can't create /service/snmpd/run★
Component: TMOS
Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.
Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.
Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.
Workaround:
- Install the hotfix directly to a new slot that has not been booted into before, using a command similar to the following:
tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4
609995-1 : Device Connectivity tabs not properly highlighted
Component: TMOS
Symptoms:
The Failover Network and Mirroring tabs in Device Connectivity aren't properly highlighted.
Conditions:
Clicking on "System :: High Availability :: Device Connectivity :: Failover Network" menu option and the "System :: High Availability :: Device Connectivity :: Mirroring" menu option.
Impact:
Displays the "Device Management :: Devices :: [device name]" page but doesn't highlight the tab. Highlighting works for ConfigSync tab only. "Failover Network and Mirroring" should be highlighted as well.
Workaround:
None.
Fix:
The Failover Network and Mirroring tabs in Device Connectivity are now highlighted as expected.
609200-1 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★
Component: TMOS
Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.
Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt to install a hotfix to the installation target.
Impact:
Cannot install hotfix.
Workaround:
Delete the target location, and perform the hotfix installation again.
Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.
608304-2 : TMM crash on memory corruption
Solution Article: K55292305
Component: Local Traffic Manager
Symptoms:
In rare cases tmm might crash on memory corruption.
Conditions:
It is not known what sequence of events triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes on memory corruption in rare cases.
608245-1 : Reporting missing parameter details when attack signature is matched against parameter value
Component: Application Security Manager
Symptoms:
A parameter is shown without parameter details, or with garbled parameter details, in the local logging GUI.
Conditions:
An attack signature was detected in a parameter value.
Impact:
Bad reporting.
Workaround:
N/A
607246-8 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
Component: Local Traffic Manager
Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile.
Conditions:
Encrypted cookie persistence with fallback, where the fallback persistence has a reasonably short timer such that a request containing a valid cookie is handled after the fallback entry has expired.
Impact:
Persistence fails after fallback expired.
Workaround:
Change cookie-encryption to 'preferred', which allows persistence on either an encrypted or a decrypted cookie.
606710-11 : Mozilla NSS vulnerability CVE-2016-2834
Solution Article: K15479471
605792 : Installing a new version changes the ownership of administrative users' files★
Component: TMOS
Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.
Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.
Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.
Workaround:
Run the following command, substituting a different filename as needed:
chown 0 /home/theuser/.ssh/authorized_keys
Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but it no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer prevented from using stored public keys in authorized_keys.
604547-4 : Unix daemon configuration may be lost or not be updated upon reboot
Component: TMOS
Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.
A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.
Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.
Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.
For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.
Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.
For example:
tmsh modify sys db log.clusterd.level value "Informational"
This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).
For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.
Fix:
Configuration data/changes that occur early in the BIG-IP boot process are propagated successfully to non-TMOS daemons by the confpp script.
603746 : DCDB security hardening
Component: WebAccelerator
Symptoms:
The DCDB utility, as used in AAM processing, does not use current secure coding practices.
Conditions:
AAM active
Impact:
DCDB usage does not follow current secure coding practices.
Fix:
Update DCDB use to meet current secure coding standards.
603658 : AAM security hardening
Component: WebAccelerator
Symptoms:
The wamd process, as used in AAM processing of images and PDFs, does not use current secure coding practices.
Conditions:
AAM active
Image and/or PDF optimization enabled by policy
Impact:
wamd does not follow current secure coding practices.
Fix:
Update wamd to meet current secure coding standards.
603609-1 : Policy unable to match initial path segment when request-URI starts with "//"
Component: Local Traffic Manager
Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".
Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".
Impact:
The policy does not match in this case.
Workaround:
The policy could be modified to scan the full URI instead of just the path element; however, care should be taken to correctly handle potential matches with absolute URIs or in the query string.
600205-1 : OpenSSL Vulnerability: CVE-2016-2178
Solution Article: K53084033
599177-1 : Regression in Route Domain and Partition GUI load times due to high CPU utilization in merged.
Component: Local Traffic Manager
Symptoms:
With large configuration load, the time it takes to load the configuration might take minutes.
Conditions:
Loading Route Domain and Partition pages in the TMUI.
Impact:
Long loading times.
Merged uses a lot of CPU cycles. Using the tmctl command 'tmctl -f /var/tmstat/istats' shows that the .icomplete and .irequest tables have a large number of rows, so merged spends a lot of time merging these rows.
Workaround:
Restart mcpd using the following command: bigstart restart mcpd.
Warning! Restarting mcpd causes the system to reinitialize all processes, which affects traffic. This workaround should be used with caution.
Fix:
mcpd and merged now provide improved handling of loading large pages so performance issues when loading Route Domain and Partition pages in the TMUI no longer occur.
598724-2 : Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
Component: TMOS
Symptoms:
Memory hold/leak in SessionDB due to poor HA connection. Active device cannot tell the Standby device that an entry has been deleted because of poor HA connection. These entries accumulate on the Standby device, consuming extra memory which is not released.
Conditions:
A poor or insufficient HA connection exists, one that is not capable of handling the required HA traffic between devices.
Impact:
Eventual out-of-memory errors on standby device.
Workaround:
The mitigation steps in ID 555465 apply to this as well:
You can mitigate by temporarily disabling HA:
- Disable session mirroring: tmsh modify sys db statemirror.mirrorsessions value disable
- Wait a minute for HA connections to stabilize
- Sync the config changes
- Reboot the standby
- Re-enable session mirroring: tmsh modify sys db statemirror.mirrorsessions value enable
Fix:
On the Next Active ("Standby") device, SessionDB will remove all Subkey entries that the Next Active did not receive HA (re)mirror messages for during the HA sync that occurs after an HA (re)connect; the Next Active not receiving a (re)mirror for an entry generally indicates that the entry no longer exists on the Active.
598289 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
Component: TMOS
Symptoms:
In TMSH, when trying to add a pool member that has a name in the format <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.
Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members that have names in the format of <ipv4>:<number>:<service port>
Impact:
TMSH fails to load the system configuration file.
Workaround:
None.
Fix:
TMSH now allows pool members to have names in the format <ipv4>:<number>:<service port>, so valid pool members pass TMSH checks without error.
598024-1 : FastL4 profile with immediate idle timeout is not honored for ePVA offloaded flows
Component: TMOS
Symptoms:
On ePVA platforms, if a FastL4 profile is configured with an immediate idle timeout and the flow was offloaded while still embryonic, the server still acts as if the flow has not timed out and continues to send packets to the client.
Conditions:
Flows that pass through a virtual server with an "idle-timeout immediate" setting may not behave as expected.
Impact:
Some flows that should have timed out and should no longer exist are still alive.
Workaround:
Set "pva-acceleration" to "none" for the FastL4 profile.
Fix:
All flows that go through a virtual server configured with a FastL4 profile whose idle-timeout is set to immediate now time out immediately, as expected.
598002-9 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
596924-1 : Bot signatures are not reported in the PBD log when the PBD is turned off
Component: Advanced Firewall Manager
Symptoms:
Bot signatures are matched but not reported.
Conditions:
Proactive bot defense (PBD) is turned off. Bot signatures are turned on.
Impact:
Missing logs on bot signatures.
Workaround:
N/A
Fix:
Matched bot signatures are now reported.
594228-1 : Resetting mgmt interface statistics doesn't work on VE or VCMP
Component: TMOS
Symptoms:
$ tmsh reset-stats net interface mgmt
Doesn't reset mgmt interface statistics.
Conditions:
Only on VE or VCMP
Impact:
You cannot reset the management interface statistics, but this has no impact elsewhere in the system.
Fix:
This command
$ tmsh reset-stats net interface mgmt
resets mgmt interface statistics properly.
593139 : glibc vulnerability CVE-2014-9761
Solution Article: K31211252
590091-4 : Single-line Via headers separated by a single comma result in the first character of the second header being stripped.
Solution Article: K79075081
Component: Service Provider
Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').
Conditions:
Multiple Via headers on single-line separated by a single comma (',').
Impact:
The leading character of the second Via header is stripped, e.g., 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.
Workaround:
None.
Fix:
Removing the first Via header no longer strips the leading character from the second Via when headers are separated by a comma (',').
588752-1 : APM Login Performance may be degraded
Component: Performance
Symptoms:
A high number of logins per second can cause increased latency. The actual login rate that can cause the increased latency depends on the Access Policy configuration and network characteristics. In a typical configuration and network setup, you should not observe noticeable latency if logins per second is less than a few hundred.
Conditions:
Very high rate of login requests. More noticeable if the login-per-second rate is more than several hundred.
Impact:
End users will experience slower login or login failure.
Workaround:
None.
588414-1 : Displaying application components reports an error
Component: TMOS
Symptoms:
Displaying an iApp which contains an iRule from an iLX workspace reports an error.
Conditions:
Displaying an iApp which contains an iRule from an iLX workspace.
Impact:
The components page reports an error.
Workaround:
Use tmsh.
Fix:
Displaying application components no longer reports an error.
583272-3 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
Component: Access Policy Manager
Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.
A packet capture shows the root cause: APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy
Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.
Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.
Impact:
Client is unable to authenticate.
Workaround:
None.
Fix:
Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.
582773 : DNS server for child zone can continue to resolve domain names after revoked from parent
Component: Global Traffic Manager (DNS)
Symptoms:
See CVE-2012-1192. A domain name in a child server may continue to be resolved by the child server even after the parent server revokes the NS record for the child server.
Conditions:
A steady series of DNS queries for a domain name in the child. The TTL for the domain name A record is shorter than the TTL for the NS record for the child name server. The NS record is removed from the parent server.
Impact:
The revoked child server will still be used by a client after it is revoked.
Workaround:
Restart the TMM to clear out the cache.
Fix:
Do not update the NS record TTL to the value returned from the child server.
581746-6 : MPTCP or SSL traffic handling may cause a BIG-IP outage
Solution Article: K42175594
Component: Local Traffic Manager
Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.
Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.
Impact:
A system outage may occur.
Workaround:
None.
Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.
580537-2 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
Component: Global Traffic Manager (DNS)
Symptoms:
The geoip_update_data script will not install a City2 GeoIP data.
Conditions:
Attempting to install the City2 GeoIP data.
Impact:
The City2 GeoIP data must be installed manually.
Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:
rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat
Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.
578983 : glibc: Integer overflow in hcreate and hcreate_r
Solution Article: K51079478
578076 : OpenSSL vulnerability CVE-2016-0800
Solution Article: K23196136
578017 : CVE-2016-0800 : SSLV2 "DROWN" Vulnerability
Solution Article: K23196136
575642 : rst_cause of "Internal error"
Component: Local Traffic Manager
Symptoms:
The rst_cause may be logged as "Internal Error". rst_cause of "Internal error" does not give a narrow reason for the reset. It means that one of the other reset causes was not matched but the exact issue cannot be determined from this generic error.
Conditions:
Heavy/normal production network usage.
Impact:
System problem diagnosis is more difficult.
Workaround:
N/A
572567-1 : Portal Access: JavaScript errors accessing MS SharePoint 2010 / 2013 / 2016 in Internet Explorer 11
Component: Access Policy Manager
Symptoms:
Microsoft Internet Explorer version 11 (IE11) shows numerous JavaScript errors in the debug console when opening SharePoint pages with document lists via Portal Access. As a result, part of the SharePoint functionality is unavailable (document submenus, for instance). The system posts the following message:
Export to database failed. To export a list, you must have a Microsoft SharePoint Foundation-compatible application.
Conditions:
- Using Portal Access in IE11.
- Accessing SharePoint 2010 / 2013 / 2016.
- Opening document library page in SharePoint.
Impact:
SharePoint application may not work correctly.
Workaround:
None, although you can successfully access the library directly using IE11.
Fix:
Now SharePoint pages with shared document lists can be opened correctly via Portal Access.
572272 : BIG-IP - Anonymous Certificate ID Enumeration
Component: TMOS
Symptoms:
Invalid requests to the BIG-IP mgmt API verify may reveal the specific cause of the failure to unauthenticated clients.
Conditions:
--
Impact:
Possible disclosure of the em_server_ip field of valid client certificates. This does not reveal the certificate needed for authentication.
Workaround:
--
Fix:
Error responses no longer indicate the specific cause. The cause is still logged in the Apache logs for administrator review.
Behavior Change:
When communication first starts between BIG-IQ and BIG-IP, if communication fails the transmitted response no longer indicates the specific cause. Detailed error information is still logged in the apache logs.
572234-1 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
Component: Local Traffic Manager
Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.
Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.
The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.
The return route is a pool route.
The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.
Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.
Workaround:
Increase the lasthop module's TCP idle timeout.
echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp
Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.
570926 : Provide a way to configure where in payload the CSPM JS is injected.
Component: Application Visibility and Reporting
Symptoms:
This is an enhancement that allows you to choose where in the document the CSPM script will be injected.
Conditions:
You are using an application that cannot read the document if something appears after the closing html tag.
Impact:
Today we append the CSPM payload (for client latency measurements) at the end of the HTML document (after the html tag).
This works in browsers but it's not compliant to the HTML standard and may break some applications that rely on this standard (not browsers).
Workaround:
Un-checking "Page Load Time" in analytics profile.
Fix:
Verify that script was injected to the chosen location in the returned document.
570855-1 : DB variable log.csyncd.level cannot be set to certain values
Component: Local Traffic Manager
Symptoms:
The DB variable log.csyncd.level lists some values for tab completion, but validation prevents you from setting them. The error message looks like this:
01070911:3: The requested enumerated (alert) is invalid (critical, error, warning, notice, informational, debug) for loglevel in daemon_csyncd (/Common/daemon_csyncd)
Conditions:
You are trying to use the DB variable log.csyncd.level to increase the amount of information logged by csyncd. csyncd is a system service that on chassis mirrors certain portions of the filesystem between blades, and on all BIG-IP devices runs certain commands after detecting filesystem changes.
Impact:
You cannot set the log level to certain values.
Workaround:
If you want more debugging information, set the log level to 'debug', which is still accepted.
Fix:
The DB variable log.csyncd.level lists some values for tab completion, but validation formerly prevented you from setting them. This has now been resolved; all advertised values will now be accepted.
570841-1 : Cannot create or edit a new document from SharePoint 2013 ribbon buttons via Portal Access
Component: Access Policy Manager
Symptoms:
Cannot create or modify a new document from SharePoint 2013 ribbon buttons via Portal Access.
Conditions:
-- Attempting to create or edit a new document.
-- Using SharePoint 2013 ribbon buttons via Portal Access.
Impact:
Cannot create or modify SharePoint 2013 documents via Portal Access. Document cannot be opened, edited, or saved to the server.
Workaround:
None.
Fix:
Can now create and modify a new document from SharePoint 2013 ribbon buttons via Portal Access from Mac.
569814 : iRule "nexthop IP_ADDR" rejected by validator
Solution Article: K30240351
Component: Local Traffic Manager
Symptoms:
The nexthop command allows an administrator to specify a forwarding address in an iRule. The form that takes an IP address may be rejected by the validator with an error message of the form:
01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]
Conditions:
This occurs when the nexthop command contains only the IP address, for example:
when HTTP_REQUEST {
    nexthop 10.0.0.1
}
Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.
Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:
when HTTP_REQUEST {
    nexthop internal 10.0.0.1
}
Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.
569100 : Virtual server using NTLM profile results in benign Tcl error
Component: TMOS
Symptoms:
Tcl error in /var/log/ltm.
Tcl error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP
Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.
Impact:
If you are using TMSH to configure virtual server and NTLM profile, validation/constraint is not performed/enforced.
Workaround:
This is a benign, cosmetic error. There should be no functional impact to the system.
Fix:
Fixed the unexpected error message encountered and added validation when creating a virtual server with an NTLM profile.
563165 : New Diameter session event triggers registered for by the PCRF should not be appended to existing registered event triggers in PEM.
Component: Policy Enforcement Manager
Symptoms:
PCRF may receive old event triggers it is not interested in.
Conditions:
PEM with a valid Gx interface should receive more than one set of event triggers that the PCRF needs to register for.
Impact:
Increase in Diameter traffic.
Fix:
Discard previously registered event triggers while registering a new set.
561596 : Hotfixes can optionally update FPS engine file
Component: TMOS
Symptoms:
Previously, to receive a full solution that required changes on the FPS BIG-IP side and FPS client-side, both a hotfix and a live update were required.
Conditions:
FPS hotfix
Impact:
No ability to opt in/out of engine and signature changes from the hotfix
Workaround:
N/A
Fix:
Two new DB variables enable or disable taking updates from the hotfix:
datasync.update_engine_from_factory
datasync.update_signatures_from_factory
561592 : Hotfixes can update FPS engine file
Component: TMOS
Symptoms:
Previously, to receive a full solution that required changes on the FPS BIG-IP side and FPS client-side, both a hotfix and a live update were required.
Conditions:
FPS hotfix
Impact:
You have to install both the hotfix and the engine update
Workaround:
Install live update separately
Fix:
Hotfix can now update the FPS javascript engine
559080 : High Speed Logging to specific destinations stops from individual TMMs
Component: TMOS
Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows set the idle time to zero, but do not kill the flow.
Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.
Impact:
Logs are silently lost.
Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.
Fix:
The system now resets the expire timer when it initiates the close. If the server fails to reset or complete the close, the flow is aborted on the next expiration event.
552988-1 : Cannot enable MPTCP on some profiles in GUI.
Component: Local Traffic Manager
Symptoms:
Version 12.1 Cannot enable MPTCP on some profiles in GUI. Get error message: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.
Conditions:
Version 12.1 Enabling MPTCP on some profiles in GUI.
Impact:
Version 12.1 Cannot enable MPTCP.
Workaround:
Use tmsh to enable MPTCP on some profiles.
Fix:
Eliminate validation: it is reasonable to have MPTCP function until entering syncookie mode.
550547-1 : URL including a "token" query parameter fails and results in a connection reset
Component: Access Policy Manager
Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup].
It does not matter whether NTLM or basic auth is used.
This is triggered on sites that have "token" in the query parameters.
Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Workaround:
Workaround iRule:
when HTTP_REQUEST {
    # Hide the literal "token" from the per-request policy on the way in.
    if { [HTTP::query] contains "token" } {
        set fix 1
        HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}
when HTTP_REQUEST_SEND {
    # Restore the original query string before the request reaches the server.
    if { [info exists fix] && $fix equals 1 } {
        clientside {
            HTTP::query [string map "aabbcc token" [HTTP::query]]
            unset fix
        }
    }
}
Fix:
A customization namespace for the subsession state prefix, with the default value "000fffff", has been added; it is controlled via the db variable "tmm.access.subsessionstateprefix" and is placed before the state/token query parameter. Validation now checks for the prefix value before triggering the serialize/deserialize code, which avoids the RST.
If a UCS is being restored and used for a Hotfix, the newly added DB variable may not be present in the /config/Bigdb.dat file. The following information needs to be added to /config/Bigdb.dat, followed by a "bigstart restart", to ensure proper working.
#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32
544906-4 : Issues when using remote authentication when users have different partition access on different devices
Solution Article: K07388310
Component: TMOS
Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.
For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].
Conditions:
Devices configured for remote authentication.
User A on device 1 with role on all-partitions.
User A on device 2 with role restricted to a single partition.
Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.
Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.
Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.
Fix:
User authentication completes successfully for operations on multiple devices on which a single user has different partition access configured.
543208-2 : Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
Component: TMOS
Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:
01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..
Conditions:
This occurs when the following sets of conditions are met:
Condition set 1
===============
-- Your BIG-IP high availability (HA) device group members are running BIG-IP 11.6.0 or 11.6.1.
-- You upgrade a peer HA device to BIG-IP 12.x or later.
-- After you upgrade that peer, a failover event occurs.
Condition set 2
===============
-- Your BIG-IP HA device group members are running BIG-IP 12.0.0, 12.1.0, 12.1.1, or 12.1.2.
-- You upgrade a peer HA device to BIG-IP 13.x or later.
-- After you upgrade that peer, a failover event occurs.
Note: This might be most evident with APM configurations.
Impact:
mcpd on the devices running the affected versions may become unresponsive. Upgrade fails. This is fundamentally the result of device group members running different software versions.
Workaround:
None.
Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.
541550-2 : Defining more than 10 remote-role groups can result in authentication failure
Component: TMOS
Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:
notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false
Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.
Impact:
User cannot authenticate.
Workaround:
None.
541320-8 : Sync of tunnels might cause restore of deleted tunnels.
Solution Article: K50973424
Component: TMOS
Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.
Conditions:
Viewing tunnels after a full load sync.
Impact:
This might result in a deleted tunnel being restored to the configuration.
Workaround:
None.
Fix:
Sync of tunnels no longer causes restore of deleted tunnels.
522302-1 : TCP Receive Window error messages are inconsistent on UI
Component: Local Traffic Manager
Symptoms:
Different invalid inputs for Receive Window resulted in inconsistent error messages in TMUI.
Conditions:
Input invalid options (e.g., -1 and 0) for TCP Receive Window in TMUI.
Impact:
The user is presented with two different input ranges, whereas for both invalid options a single correct input range should have been shown.
Workaround:
There is no workaround at this time.
Fix:
TMUI for TCP Receive Window is fixed for invalid inputs.
519612-2 : JavaScript challenge fails when coming within iframe with different domain than main page
Component: Advanced Firewall Manager
Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.
Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
c. Device-ID (fingerprint)
d. Web Scraping Bot Detection Challenge
e. Proactive Bot Defense (with/without "Block Suspicious Browsers")
Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.
Workaround:
It is possible to work around the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and a DoS profile was not previously used.
The following steps must be done for the Virtual Server handling the iframe, as well as for the one handling the main page.
1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        # Extract the host part of the Referer header.
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        # Skip the client-side challenge for requests referred from another domain.
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
when HTTP_REQUEST {
    # Force the challenge to run on the main page URL.
    if { [HTTP::uri] eq "/" } {
        BOTDEFENSE::cs_allowed true
    }
}
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.
Fix:
JavaScript challenges no longer fail when coming within an iframe on a different domain than the main page.
517756-5 : Existing connections can choose incorrect route when crossing non-strict route-domains
Component: Local Traffic Manager
Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.
Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.
Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.
Workaround:
None.
Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.
514703-2 : gtm listener cannot be listed across partitions
Component: TMOS
Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.
Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.
For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.
Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.
Workaround:
Change to the partition where the listener exists before performing any operations on it.
Fix:
The system can now reference GTM listeners across partitions.
508113-2 : tmsh load sys config base merge file <filename> fails
Component: TMOS
Symptoms:
Save sys config file.
(tmos)# save sys config file demo.scf no-passphrase
Saving running configuration...
/var/local/scf/demo.scf
/var/local/scf/demo.scf.tar
Try to load the base configuration within this file.
(tmos)# load sys config base merge file demo.scf
Loading configuration...
/var/local/scf/demo.scf
Syntax Error:(/var/local/scf/demo.scf at line: 6) "apm" unexpected argument
The error comes from a system-generated configuration object, not one created by the user:
apm report default-report {
report-name sessionReports/sessionSummary
user /Common/admin
}
In short, the load fails on configuration components that belong to unprovisioned modules and features.
Conditions:
Running the command: load sys config base merge file <filename> when the system contains unprovisioned modules and features.
Impact:
tmsh load sys config base merge file <filename> fails.
Workaround:
None.
Fix:
The provisioning checks were modified to let this command succeed.
501258-1 : Unable to modify 'gtm region region-members' via iControl REST
Component: TMOS
Symptoms:
Unable to modify 'gtm region region-members' via iControl REST. The system posts error 400 Invalid region type messages.
Conditions:
Attempt to modify gtm region region-members via iControl REST.
Impact:
Unable to use iControl REST to configure this portion of the GTM/DNS configuration.
Workaround:
Use tmsh to modify GTM Regions.
Fix:
You can once again modify GTM Regions via iControl REST.
Behavior Change:
Escaping has changed to more closely match the tmsh command.
v11.x
"regionMembers":[{"name": "state\ \"US/New Mexico\""}]
v13.x
"regionMembers":[{"name": "state\ US/New Mexico"}]
489499-2 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
Component: TMOS
Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not be seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase "failed to register for LOP at <address>".
Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.
Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.
Workaround:
Re-start lopd:
# bigstart restart lopd
Fix:
Modified chmand to recognize the case where unsolicited alert registration with lopd has already occurred so that it no longer treats it as an error.
479471-2 : CPU statistics reported by the tmstat command may spike or go negative
Solution Article: K00342205
Component: TMOS
Symptoms:
On bladed systems, the results from the 'tmstat' and 'tmstat cpu' commands may spike high or go negative due to an issue with how per-blade statistics are collected.
Conditions:
Error in the timing of statistics collection such that display is incorrect.
Impact:
Incorrect display of CPU statistics.
Workaround:
There is no workaround.
Fix:
The CPU statistics display has been fixed.
448409-3 : 'load sys config verify' commands cause loss of sync configuration and initiate a provisioning cycle
Solution Article: K15491
Component: TMOS
Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' cause loss of sync configuration and initiate a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid without having it take effect.
Conditions:
This affects the ConfigSync communication channel if configured.
Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.
Workaround:
You can avoid this issue by using the 'merge' option of the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the following command: tmsh load sys config partitions all.
Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.
429213 : Some monitor types assigned to the same node IP:port in different Route Domains may collide and mark the object down.
Component: Local Traffic Manager
Symptoms:
A race condition may occur in which a monitor instance is killed abruptly if another copy of the same monitor attempts to check health of the same node IP:port in a different route domain. The killed monitor will then contribute to a monitoring timeout and potentially mark the node as down.
This issue occurs because the PID file created to prevent duplicate monitoring of the same pool member is not sufficiently unique to distinguish between route domains. For example, a SIP monitor named "sip_london" applied to pool members 1.2.3.4%100 and 1.2.3.4%200 would share the same PID file:
/var/run/SIP__Common_sip_london.::ffff:1.2.3.40..5060.pid
Conditions:
For health monitor types that execute outside the bigd process (see the list below), a health monitor profile is assigned to monitor two different nodes that have the same IP:port in different route domains.
The affected monitor types include:
Diameter
IMAP
LDAP
NNTP
POP3
Radius
Radius Accounting
RPC
Scripted
SIP
SMB
SMTP
WAP
Impact:
Pool members may flap down/up.
Workaround:
To work around this, perform the following steps:
1. Create a duplicate copy of the monitor profile, and add the route domain to the name of the monitor profile. For example:
ltm monitor radius /Common/radius_seattle_rd43 {
default-from /Common/radius_seattle
}
2. For nodes or pool members in that route domain, replace the old monitor profile with the new duplicate monitor profile.
419741-4 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
Component: Local Traffic Manager
Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.
Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.
Impact:
In rare situations, the TMM crashes.
Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
417720 : BIG-IP LTM Log Indicates Chassis Power Turned Off During Fan Speed Failures
Component: TMOS
Symptoms:
If a power supply fan unit becomes jammed or experiences a failure that prevents the minimum RPM threshold from being met, the LTM log will erroneously indicate that the power supply has been turned off. For example:
localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(73-610-125): Bad
localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power supply #2 fan-1: Bad
localhost warning chmand[8482]: 012a0018:4: Chassis power module 2 turned off.
Conditions:
Any kind of power supply fan failure that prevents the unit from achieving the minimum RPM specification.
Impact:
Misleading log message.
Workaround:
None.
367226-3 : Outgoing RIP advertisements may have incorrect source port
Component: Local Traffic Manager
Symptoms:
TMM may change the source port of RIP packets sent by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.
If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.
Conditions:
Multiple TMM instances, RIP routing configured.
Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.
Fix:
TMM no longer modifies the source port of RIP traffic.
366695-9 : TMSH incorrectly allows Managers to create/modify/delete GTM datacenters, links, servers, prober-pools, and topology objects, and the operation fails with a database error
Component: Global Traffic Manager (DNS)
Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.
Conditions:
A user with the "Manager" role attempts to create/modify/delete GTM datacenter, link, server, prober-pool, or topology objects.
Impact:
An error message is thrown.
Workaround:
The error thrown is correct, but users should not be able to get this far in tmsh.
Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.
352957-2 : Route lookup after change in route table on established flow ignores pool members
Solution Article: K03005026
Component: Local Traffic Manager
Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.
Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.
Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.
Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.
Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.
247527-1 : Mgmt interface cannot be disabled via tmsh
Solution Article: K14890
Component: TMOS
Symptoms:
Issuing a tmsh command to disable the management interface of a blade or appliance appears to succeed, but the management interface is not actually disabled.
Conditions:
This problem occurs on the following hardware platforms:
BIG-IP 1500, 3400, 3410, 6400, 6800, 8400, and 8800 appliances.
This problem does not occur on the following hardware platforms:
BIG-IP 1600, 3600, 3900, 6900, 8900-series and 11000-series appliances.
Impact:
After using the tmsh utility to set the mgmt interface to a disabled state, the tmsh utility will show the mgmt interface as disabled. However, the mgmt interface still responds to network traffic, including ping and ssh.
Workaround:
There are three possible ways to work around this issue:
1) Unplug the management interface if it is not intended to be used.
2) Bring down the switch interface to which the management port connects.
3) Disable the management interface using the information below.
Important: This workaround might cause unintended consequences. Only use this option as a last resort, as disabling the management interface may remove the ability for the Linux host to communicate with several of the BIG-IP subsystems. As a result of this loss of communication, certain BIG-IP features may not function as expected or at all.
For platforms that expose a 'mgmt' interface via ifconfig, run the command: ifconfig mgmt down. To bring the 'mgmt' interface back up, run the command ifconfig mgmt up.
For platforms that do not expose a 'mgmt' interface via ifconfig, run the command: ifconfig eth0 down. To bring 'eth0' interface back up, run the command ifconfig eth0 up.
Known Issues in BIG-IP v13.0.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
655500-2 | 1-Blocking | | Rekey SSH sessions after one hour |
708968-3 | 2-Critical | | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address |
708054-2 | 2-Critical | | Web Acceleration: TMM may crash on very large HTML files with conditional comments |
707831 | 2-Critical | | Improper blade insertion can cause kernel panic |
706087-2 | 2-Critical | | Entry for SSL key replaced by config-sync causes tmsh load config to fail |
697424-2 | 2-Critical | | iControl-REST crashes on /example for firewall address-lists |
696732-2 | 2-Critical | K54431534 | tmm may crash in a compression provider |
696113-2 | 2-Critical | | Extra IPsec reference added per crypto operation overflows connflow refcount |
696072 | 2-Critical | | Fix a race condition in ixlv driver which was causing a tmm panic |
693996-4 | 2-Critical | | MCPD sync errors and restart after multiple modifications to file object in chassis |
693246 | 2-Critical | | SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time. |
691589-1 | 2-Critical | | When using LDAP client auth, tamd may become stuck |
690091 | 2-Critical | | mod_timer list corruption followed by BUG_ON() in timer-based function, cascade() |
689577-2 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs |
689002-2 | 2-Critical | | Stack overflow when JSON is deeply nested |
688148-2 | 2-Critical | | IKEv1 racoon daemon SEGV during phase-two SA list iteration |
685458-6 | 2-Critical | | merged fails merging a table when a table row has incomplete keys defined. |
681081 | 2-Critical | K48366429 | Running tmsh show commands may cause mcpd memory leak |
677937-2 | 2-Critical | K41517253 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets |
673484-2 | 2-Critical | K85405312 | IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO |
671314-3 | 2-Critical | K37093335 | BIG-IP system cores when sending SIP SCTP traffic |
671008 | 2-Critical | | Kernel panic in netlink_compare in Red Hat Enterprise Linux 7.2 |
667405-1 | 2-Critical | K61251939 | Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM. |
667404-3 | 2-Critical | K77576404 | Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts |
667114-3 | 2-Critical | K32622880 | TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth. |
666165-1 | 2-Critical | | iApp - f5.forward_proxy + checksum - config error upgrading from v12 to v13★ |
665656-2 | 2-Critical | | BWC with iSession may memory leak |
665362-3 | 2-Critical | | MCPD might crash if the AOM restarts |
663366-4 | 2-Critical | | SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms. |
658410-1 | 2-Critical | | icrd_child core when calling PUT on ltm/data-group/internal/ |
657459 | 2-Critical | K51358480 | Setting MGMT GUI Port to 443 on Single Nic not honored on reboot. |
655357-3 | 2-Critical | K06245820 | Corrupted L2 FDB entries on B4450 blades might result in dropped traffic |
653453-2 | 2-Critical | | ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs. |
653376-1 | 2-Critical | | bgpd may crash on receiving a BGP update with >= 32 extended communities |
649866-2 | 2-Critical | | fsck should not run during first boot on public clouds |
645770 | 2-Critical | | MAC address must be configured on virtual function |
638997-1 | 2-Critical | | Reboot required after disk size modification in a running BIG-IP VE instance. |
624635-1 | 2-Critical | | BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012 |
583306 | 2-Critical | | Using management port as config sync address might allow its deletion. |
581851 | 2-Critical | K16234725 | mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade |
580697-1 | 2-Critical | | VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch. |
419345-1 | 2-Critical | | Changing Master Key on the standby might cause secondaries to restart processes |
709936-4 | 3-Major | | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. |
709471 | 3-Major | | Azure: A failure to load mcpd configuration during the startup triggers "load sys config default" after an hour, if the config load failure is not corrected. |
707391-3 | 3-Major | | BGP may keep announcing routes after disabling route health injection |
704449-3 | 3-Major | | Orphaned tmsh processes might eventually lead to an out-of-memory condition |
704336-2 | 3-Major | | Updating 3rd party device cert not copied correctly to trusted certificate store |
704282-1 | 3-Major | | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy |
703298-1 | 3-Major | | Licensing and phonehome_upload are not using the sync'd key/certificate |
703090 | 3-Major | | With many iApps configured, scriptd may fail to start |
702520-1 | 3-Major | | Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address. |
701387-3 | 3-Major | | qkview will not collect files greater than 2 GB |
700897-2 | 3-Major | | sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG |
700827-1 | 3-Major | | B2250 blades may lose efficiency when source ports form an arithmetic sequence. |
700426-5 | 3-Major | K58033284 | Switching partitions while viewing objects in GUI can result in empty list |
700250-2 | 3-Major | | qkviews for secondary blade appear to be corrupt |
698947-3 | 3-Major | | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. |
698933-2 | 3-Major | | Setting metric-type via ospf redistribute command may not work correctly |
698429-2 | 3-Major | | Misleading log error message: Store Read invalid store addr 0x3800, len 10 |
698084-2 | 3-Major | K03776801 | IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs |
698013-2 | 3-Major | | TACACS+ system auth and file descriptors leak |
696731-2 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
695873 | 3-Major | | Entry for ssl key removed from tmsh causes tmsh load config to fail |
694740-2 | 3-Major | | BIG-IP reboot during a TMM core results in an incomplete core dump |
694696-4 | 3-Major | | On multiblade Viprion, creating a new traffic-group causes the device to go Offline |
694547-1 | 3-Major | | TMSH save sys config creates unneeded generate_config processes. |
694490 | 3-Major | | vCloud Director images not available★ |
693884-2 | 3-Major | | ospfd core on secondary blade during network instability |
693563-2 | 3-Major | | No warning when LDAP is configured with SSL but with a client certificate with no matching key★ |
692753-2 | 3-Major | | shutting down trap not sent when shutdown -r or shutdown -h issued from shell |
692189-2 | 3-Major | | errdefsd fails to generate a core file on request. |
692179-2 | 3-Major | | Potential high memory usage from errdefsd. |
691749-2 | 3-Major | | Delete sys connection operations cannot be part of TMSH transactions |
691497-1 | 3-Major | | tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions |
690890-2 | 3-Major | | Running sod manually can cause issues/failover |
689567-2 | 3-Major | | Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned |
689375-2 | 3-Major | | Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled |
688406-2 | 3-Major | K14513346 | HA-Group Score showing 0 |
687659 | 3-Major | | A SAML IdP connector causes a sync failure when created |
687617-2 | 3-Major | | DHCP request-options when set to "none" are reset to defaults when loading the config. |
687534-2 | 3-Major | | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page |
686926-1 | 3-Major | | IPsec: responder N(cookie) in SA_INIT response handled incorrectly |
686816-2 | 3-Major | | Link from iApps Components page to Policy Rules invalid |
686124-2 | 3-Major | | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs |
686029-3 | 3-Major | K00026204 | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces |
684649 | 3-Major | | Inconsistent DAGv2 state between B4400 blades after upgrade★ |
684391-2 | 3-Major | | Existing IPsec tunnels reload. tmipsecd creates a core file. |
684218-2 | 3-Major | | vADC 'live-install' Downgrade from v13.1.0 is not possible |
683767-2 | 3-Major | | Users are not able to complete the sync using GUI |
683131-2 | 3-Major | | Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★ |
682213-2 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon |
681782-5 | 3-Major | K30665653 | Unicast IP address can be configured in a failover multicast configuration |
680838-1 | 3-Major | | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator |
679901 | 3-Major | | iControl-REST timeout value is not configurable. |
679347-1 | 3-Major | | ECP does not work for PFS in IKEv2 child SAs |
678925-2 | 3-Major | | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. |
678488-2 | 3-Major | | BGP default-originate not announced to peers if several are peering over different VLANs |
678456-1 | 3-Major | | ZebOS BGP peer-group configuration not fixed up on upgrade★ |
678380-1 | 3-Major | | Deleting an IKEv1 peer in current use could SEGV on race conditions. |
677928-1 | 3-Major | | A wrong source MAC address may be used in the outgoing IPsec encapsulated packets. |
676897-2 | 3-Major | | IPsec keeps failing to reconnect |
676442-1 | 3-Major | K37113440 | Changes to RADIUS remote authentication may not fully sync |
676092-2 | 3-Major | | IPsec keeps failing to reconnect |
675718-2 | 3-Major | | IPsec keeps failing to reconnect |
675236-1 | 3-Major | K03293523 | 'Require consistent IP address' does not apply to some management GUI menu items |
674328-2 | 3-Major | | Multicast UDP from BIG-IP may have incorrect checksums |
674320-1 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration getting saved on the peer systems |
674288-1 | 3-Major | K62223225 | FQDN nodes - monitor attribute doesn't reliably show in GUI |
673952-2 | 3-Major | | 1NIC VE in HA device-group shows 'Changes Pending' after reboot |
672988-1 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync |
671553-1 | 3-Major | | iCall scripts may make statistics request before the system is ready |
671447-1 | 3-Major | | ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form |
671372-1 | 3-Major | K01930721 | When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified. |
671261-1 | 3-Major | K32306231 | MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo |
671236-1 | 3-Major | K27343382 | BGP local-as command may not work when applied to peer-group |
671082-2 | 3-Major | | snmpd constantly restarting |
670197-2 | 3-Major | | IPsec: ASSERT 'BIG-IP_conn tag' failed |
669462-3 | 3-Major | | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition |
667278-2 | 3-Major | | DSC connections between BIG-IP units may fail to establish |
667082-1 | 3-Major | K21090061 | Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail. |
666884-1 | 3-Major | K27056204 | cpcfg cannot copy a configuration on a chassis platform★ |
666117-5 | 3-Major | | Network failover without a management address causes active-active after unit1 reboot |
665725-1 | 3-Major | K10773217 | Second block device image install fails to install |
664829-2 | 3-Major | | BIG-IP sometimes performs unnecessary reboot on first boot |
664737-1 | 3-Major | | Do not reboot on ctrl-alt-del |
663492-1 | 3-Major | | Reconfigured istat may stop being recomputed |
662331-2 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
660833-1 | 3-Major | | merged repeatedly cores due to unused istats-trigger object |
660532-1 | 3-Major | K21050223 | Cannot specify the event parameter for redirects on the policy rule screen. |
657834-1 | 3-Major | K45005512 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
657727-1 | 3-Major | K39694060 | Running tcpdump from TMSH cannot capture the local "tmm" interface |
655671-2 | 3-Major | | Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced |
655506 | 3-Major | | Guest configurations with mergeable buffers disabled are not supported. |
655005-2 | 3-Major | K23355841 | "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync |
654011-1 | 3-Major | K33210520 | Pool member's health monitors set to Member Specific does not display the active monitors |
653888-1 | 3-Major | | BGP advertisement-interval attribute ignored in peer group configuration |
653772-3 | 3-Major | | fastL4 fails to evict flows from the ePVA |
652968-3 | 3-Major | K88825548 | IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys |
652877-4 | 3-Major | | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades |
652671-5 | 3-Major | K31326690 | Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. |
652502-1 | 3-Major | | snmpd returns 'No Such Object available' for ltm OIDs |
652484-3 | 3-Major | | tmsh show net f5optics shows information for only 1 chassis slot in a cluster |
651253 | 3-Major | | tmipsecd down after provisioning modules |
651155-2 | 3-Major | | HSB continually logs 'loopback ring 0 tx not active' |
651136-1 | 3-Major | K36893451 | ReqLog profile on FTP virtual server with default profile can result in service disruption. |
650002-2 | 3-Major | | tzdata bug fix and enhancement update |
648873-4 | 3-Major | K93513131 | Traffic-group failover-objects cannot be retrieved via iControl REST |
648621-4 | 3-Major | | SCTP: Multihome connections may not expire |
648544-6 | 3-Major | K75510491 | HSB transmitter failure may occur when global COS queues enabled |
647944-1 | 3-Major | | MCP may crash when making specific changes to a FIX profile attached to more than one virtual server |
647834-5 | 3-Major | | Failover DB variables do not correctly implement 'reset-to-default' |
647151-2 | 3-Major | | CPU overtemp condition threshold is 75C |
646890-2 | 3-Major | K12068427 | IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512 |
646804-1 | 3-Major | | call to tmctl in diskmonitor for the tmstat vmcp_stat table results in error: tmctl: vcmp_stat: No such table. |
645206-2 | 3-Major | K23105004 | Missing cipher suites in outgoing LDAP TLS ClientHello★ |
644979-1 | 3-Major | | Errors not logged from hourly 1k key generation cron job |
644184-3 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
643799-4 | 3-Major | | Deleting a partition may cause a sync validation error |
643459-4 | 3-Major | K81809012 | Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy |
642923-1 | 3-Major | K01951295 | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system |
642422-1 | 3-Major | | BFD may not remove dependent static routes when peer sends BFD Admin-Down |
642314-1 | 3-Major | K24276198 | CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★ |
641450-4 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
641001-2 | 3-Major | | BWC: dynamic policy category sees lower bandwidth than expected in Congested policies |
639619-1 | 3-Major | | UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).★ |
639505-2 | 3-Major | | BGP may not send all configured aggregate routes |
638091 | 3-Major | | Config sync after changing named pool members can cause mcpd on secondary blades to restart |
637979-2 | 3-Major | | IPsec over isession not working |
637827 | 3-Major | | VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0 |
633824-1 | 3-Major | K39319200 | Cannot add pool members containing a colon in the node name |
633413-2 | 3-Major | | IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI |
631316-3 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
631172-1 | 3-Major | | GUI user logged off when idle for 30 minutes, even when longer timeout is set |
629915 | 3-Major | | Cannot login with Firefox and IE after toggling between wireless and wired networks. |
627760-4 | 3-Major | | gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card |
626589-5 | 3-Major | K73230273 | iControl-SOAP prints beyond log buffer |
624692-4 | 3-Major | | Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying |
624626-4 | 3-Major | | Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility |
622619-6 | 3-Major | | BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD |
621314-4 | 3-Major | K55358710 | SCTP virtual server with mirroring may cause excessive memory use on standby device |
620954-4 | 3-Major | | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable |
619873-1 | 3-Major | | Secure Vault: Key cleanup for 5000- and 7000-series platforms★ |
616021-6 | 3-Major | K93089152 | Name Validation missing for some GTM objects |
612086 | 3-Major | K32857340 | Virtual server CPU stats can be above 100% |
611724-1 | 3-Major | | LTM v11.5.4 HF1 iApp folders removed on partition load |
609967-1 | 3-Major | K55424912 | qkview missing some HugePage memory data |
605840-6 | 3-Major | | HSB receive failure lockup due to unreceived loopback packets |
598650-5 | 3-Major | | apache-ssl-cert objects do not support certificate bundles |
596020-4 | 3-Major | | Devices in a device-group may report out-of-sync after one of the devices is rebooted |
593845-2 | 3-Major | K24093205 | VE interface limit |
589856-3 | 3-Major | | iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients |
588929-3 | 3-Major | | SCTP emits 'address conflict detected' log messages during failover |
588794-3 | 3-Major | | Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements |
588771-3 | 3-Major | | SCTP needs traffic-group validation for server-side client alternate addresses |
587821 | 3-Major | K91818030 | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
586938-5 | 3-Major | K57360106 | Standby device will respond to the ARP of the SCTP multihoming alternate address |
585043-1 | 3-Major | | Question mark prevents TMSH from loading configuration file |
579760 | 3-Major | K55703840 | HSL::send may fail to resume after log server pool member goes down/up |
575372-4 | 3-Major | | BIG-IQ Discovery may fail due to an invalid passphrase. |
571333-7 | 3-Major | K36155089 | fastL4 TCP handshake timeout not honored for offloaded flows |
567490-1 | 3-Major | | db.proxy.__iter__ value is overwritten if it's manually set |
563905-3 | 3-Major | K62975642 | vCMP guest fails to go Active after the host system is rebooted |
550739-3 | 3-Major | | TMSH mv virtual command will cause iRules on the virtual to be dis-associated |
535717 | 3-Major | | Password history is not enforced when root, Administrator, or User Manager changes another user's password |
528314 | 3-Major | K16816 | Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh |
528295-11 | 3-Major | K40735404 | Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later. |
523985-1 | 3-Major | | Certificate bundle summary information does not propagate to device group peers |
523797-1 | 3-Major | | Upgrade: file path failure for process name attribute in snmp.★ |
517829 | 3-Major | K16803 | BIG-IP system resets client without sending error report when certificate is revoked |
516167-1 | 3-Major | K21382264 | TMSH listing with wildcards prevents the child object from being displayed |
499348-6 | 3-Major | | System statistics may fail to update, or report negative deltas due to delayed stats merging |
469366-4 | 3-Major | K16237 | ConfigSync might fail with modified system-supplied profiles |
469035-1 | 3-Major | K16559 | A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault |
468505-1 | 3-Major | K16177 | TMSH crypto commands do not work with the TMSH batch mode |
464650-5 | 3-Major | | Failure of mcpd with invalid authentication context. |
455066-3 | 3-Major | | Read-only account can save system config |
428498 | 3-Major | | TCP stalls in tagged vlan-group with unic |
378967-12 | 3-Major | | Users are not synchronized if created in a partition |
375434 | 3-Major | | HSB lockup might occur when TMM tries unsuccessfully to reset HSB. |
224665-1 | 3-Major | K12711 | Proxy Exclusion List setting is not aware of administrative partitions |
707631-1 | 4-Minor | | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI |
697766-2 | 4-Minor | K12431303 | Cisco IOS XR ISIS routers may report 'Authentication TLV not found' |
691491-4 | 4-Minor | K13841403 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces |
689491 | 4-Minor | | cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled |
689211-1 | 4-Minor | | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } |
687368-2 | 4-Minor | K64414880 | The Configuration utility may calculate and display an incorrect HA Group Score |
687343-2 | 4-Minor | | Running 'load sys config merge verify' will add new users to the PostGres database |
686111-2 | 4-Minor | K89363245 | Searching and Resetting Audit Logs not working as expected |
685582-6 | 4-Minor | | Incorrect output of b64 unit key hash by command f5mku -f |
685475-2 | 4-Minor | K93145012 | Unexpected error when applying hotfix |
683029-5 | 4-Minor | Sync of virtual address and self IP traffic groups only happens in one direction | |
680856-1 | 4-Minor | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector | |
679135-1 | 4-Minor | IKEv1 and IKEv2 cannot share common local address in tunnels | |
678662-1 | 4-Minor | K14222230 | In the GUI System :: High Availability : HA Groups edit page, pools created outside the Common partition cannot be modified |
678388-2 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times |
675368-1 | 4-Minor | Unable to reorder rules when one of the rule names contain % or / | |
674992-1 | 4-Minor | AAM traffic report's time period doesn't always apply | |
674145-2 | 4-Minor | chmand error log message missing data | |
669255-1 | 4-Minor | K20100613 | An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms |
668964-1 | 4-Minor | K81873940 | 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group |
663911-1 | 4-Minor | When running out of memory, MCP can report an incorrect allocation size | |
663580-2 | 4-Minor | K31981624 | logrotate does not automatically run when /var/log reaches 90% usage |
662372-2 | 4-Minor | K41250179 | Uploading a new device certificate file via the GUI might not update the device certificate |
660760-2 | 4-Minor | K75105750 | DNS graphs fail to display in the GUI |
658298-2 | 4-Minor | SMB monitor marks node down when file not specified | |
655085-1 | 4-Minor | While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors | |
652056-1 | 4-Minor | K42295253 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config in tmsh from top level namespace or at module level |
652048-1 | 4-Minor | K14526459 | TMSH save sys config contains [api-status-warning] that do not correspond to any configuration instances |
651413-1 | 4-Minor | tmsh list ltm node does not return an error when node does not exist | |
650019-1 | 4-Minor | The commented-out sample functions in audit_forwarder.tcl are incorrect | |
647812-4 | 4-Minor | /tmp/wccp.log file grows unbounded | |
644723-2 | 4-Minor | cm56xxd logs link 'DOWN' message when an interface is admin DISABLED | |
643768-1 | 4-Minor | Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.★ | |
640863-1 | 4-Minor | K29231946 | Disabling partition selector in DNS Resolver's Forward Zones |
638960-1 | 4-Minor | A subset of the BIG-IP default profiles can be incorrectly deleted | |
638893-2 | 4-Minor | Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command | |
636823-4 | 4-Minor | Node name and node address | |
636031-1 | 4-Minor | K23313837 | GUI LTM Monitor Configuration String adding CR for type Oracle |
633181-2 | 4-Minor | A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section | |
625428-2 | 4-Minor | SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit | |
624909-1 | 4-Minor | Static route create validation is less stringent than static route delete validation | |
623536-7 | 4-Minor | SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent | |
606799-5 | 4-Minor | K16703796 | GUI total number of records not correctly initialized with search string on several pages. |
605891 | 4-Minor | Enable ASM option disappears from L7 policy actions | |
602074-1 | 4-Minor | K46583034 | Management.KeyCertificate.get_certificate_validator() doesn't throw not-found exception when a given certificate doesn't exist. |
598437-2 | 4-Minor | SNMP process monitoring is incorrect for tmm and bigd | |
591732-1 | 4-Minor | Local password policy not enforced when auth source is set to a remote type. | |
590415-2 | 4-Minor | Partition can be removed when remote role info entries refer to it | |
584504-3 | 4-Minor | K36912228 | Allowing non-English characters on login screen |
583930-1 | 4-Minor | VE supports only 2 NUMA domains | |
583084-4 | 4-Minor | K15101680 | iControl produces 404 error while creating records successfully |
582595-4 | 4-Minor | K52029952 | default-node-monitor is reset to none for HA configuration. |
571727-2 | 4-Minor | K52707821 | 'force-full-load-push' is not tab expandable |
565603 | 4-Minor | Large number of static arp entries on a BIG-IP system | |
530927-7 | 4-Minor | Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed | |
530530-5 | 4-Minor | tmsh sys log filter is displays in UTC time | |
527720-6 | 4-Minor | Rare 'No LopCmd reply match found' error in getLopReg | |
520877-2 | 4-Minor | Alerts sent by the lcdwarn utility are not shown in tmsh | |
679431-2 | 5-Cosmetic | In routing module the 'sh ipv6 interface <interface> brief' command may not show header | |
659141-1 | 5-Cosmetic | K11435321 | Support tcpdump file has qkview extension |
651826-1 | 5-Cosmetic | SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly | |
617578 | 5-Cosmetic | Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware | |
602390-3 | 5-Cosmetic | K87506901 | Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI. |
542347-3 | 5-Cosmetic | Denied message in audit log on first time boot | |
396273-1 | 5-Cosmetic | Error message in dmesg and kern.log: vpd r/w failed |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
707244-2 | 2-Critical | | iRule commands clientside and serverside may crash tmm |
705611-3 | 2-Critical | | The TMM may crash under load when configuration changes occur while the HTTP/2 profile is used |
704435-2 | 2-Critical | | Client connection may hang when NTLM and OneConnect profiles are used together |
703914-3 | 2-Critical | | TMM SIGSEGV crash in poolmbr_conn_dec. |
701202-2 | 2-Critical | | SSL memory corruption |
700393-1 | 2-Critical | | Under certain circumstances a stale http2 stream can cause a tmm crash |
695117-2 | 2-Critical | K30081842 | bigd cores and sends corrupted MCP messages with many FQDN nodes |
694656-2 | 2-Critical | | Routing changes may cause TMM to restart |
687205-1 | 2-Critical | | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart |
686228-2 | 2-Critical | | TMM may crash in some circumstances with VLAN failsafe |
682682-2 | 2-Critical | | tmm asserts on a virtual server-to-virtual server connection |
681175-2 | 2-Critical | K32153360 | TMM may crash during routing updates |
676721-1 | 2-Critical | K33325265 | Missing check for NULL condition causes tmm crash. |
674004-2 | 2-Critical | K34448924 | tmm may crash after deleting a pool member that is in traffic |
673664-2 | 2-Critical | | TMM crashes when sys db Crypto.HwAcceleration is disabled.★ |
671714-1 | 2-Critical | | Empty persistence cookie name inserted from policy can cause TMM to crash |
670814-1 | 2-Critical | | Wrong SELinux label breaks nethsm DNSSEC keys |
670804-3 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP |
670238 | 2-Critical | K26297385 | TMM may crash due to wrong flow assigned to fragmented IPv4 packet |
667648-1 | 2-Critical | K20210720 | TMM can crash when it exits while still processing traffic |
665732-3 | 2-Critical | K45001711 | FastHTTP may crash when receiving a fragmented IP packet |
659899-3 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes |
658989-1 | 2-Critical | | Memory leak when connection terminates in iRule process |
657713-1 | 2-Critical | K05052273 | Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. |
656898-1 | 2-Critical | | "oops" "bad transition" messages occur |
650317-2 | 2-Critical | | The TMM on the next-active panics with message: "Missing oneconnect HA context" |
649171-3 | 2-Critical | | tmm core in iRule with unreachable remote address |
648245-1 | 2-Critical | K29101604 | When using a route TMM may use a smaller MTU |
648037-1 | 2-Critical | | LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash |
646643-1 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash. |
643210-3 | 2-Critical | K45444280 | Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM |
639039-5 | 2-Critical | K33754014 | Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons |
634369-1 | 2-Critical | | Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes |
629178-2 | 2-Critical | K42206046 | Incorrect initial size of connection flow-control window |
619071-5 | 2-Critical | | OneConnect with verified accept issues |
618463-4 | 2-Critical | | Artificially low route MTU can cause SIGSEGV core from monitor traffic |
615303-3 | 2-Critical | K47381511 | bigd crash with Tcl monitors |
614702-3 | 2-Critical | K24172560 | Race condition when using SSL Orchestrator can cause TMM to core |
513310-2 | 2-Critical | | TMM might core when a profile is changed. |
452283-1 | 2-Critical | | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows |
710564-2 | 3-Major | | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask != 0 |
709963-3 | 3-Major | | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. |
707691-3 | 3-Major | | BIG-IP handles some pathmtu messages incorrectly |
707540-3 | 3-Major | K74714343 | bigd core due to memory leak, especially with FQDN nodes |
706505-4 | 3-Major | | iRule table lookup command may crash tmm when used in FLOW_INIT |
705794-5 | 3-Major | | Under certain circumstances a stale http2 stream can cause a tmm crash |
704073-2 | 3-Major | | Repeated "bad transition" OOPS logging may appear in /var/log/ltm and /var/log/tmm |
703580-2 | 3-Major | | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. |
702450-3 | 3-Major | | The validation error message generated by deleting certain object types referenced by a policy action is incorrect |
702439-2 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
701690-2 | 3-Major | K53819652 | Fragmented ICMP forwarded with incorrect ICMP checksum |
701147-1 | 3-Major | K36563645 | ProxySSL does not work properly with Extended Master Secret and OCSP |
701033 | 3-Major | | Tcl actions not run if conditions have overlapping IP ranges |
698943 | 3-Major | | Incorrect serverside throughput stats observed when PVA is disabled on virtual server |
698916-2 | 3-Major | | TMM crash with HTTP/2 under specific condition |
698379-1 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
698211-2 | 3-Major | K35504512 | DNS Express response to non-existent record is NOERROR instead of NXDOMAIN. |
698000-2 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
696755-1 | 3-Major | | HTTP/2 may truncate a response body when served from cache |
695925-2 | 3-Major | | tmm crash when showing connections for a CMP-disabled virtual server |
695707-4 | 3-Major | | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection |
695109-2 | 3-Major | | Changes to fallback persistence profiles attached to a virtual server are not effective |
694697-2 | 3-Major | K62065305 | clusterd logs heartbeat check messages at log level info |
693910-3 | 3-Major | | Traffic interruption for MAC addresses learned on interfaces that enter blocked STP state (2000/4000/i2800/i4800 series) |
693582-2 | 3-Major | | Monitor node log not rotated for ICMP monitor types |
693244-1 | 3-Major | | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned |
691806-2 | 3-Major | | RFC 793 behavior when receiving FIN/ACK in SYN-RECEIVED state |
691785-2 | 3-Major | | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes |
690778-2 | 3-Major | K53531153 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule |
690699-1 | 3-Major | | Fragmented SSL handshake messages cause Proxy SSL handshake to fail |
690042-2 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation |
689449-2 | 3-Major | | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured |
689361-2 | 3-Major | | Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor) |
689089-2 | 3-Major | | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot |
688744-2 | 3-Major | K11793920 | LTM Policy does not correctly handle multiple datagroups |
688629-2 | 3-Major | | Deleting a data-group in use by an iRule does not trigger a validation error |
688571-1 | 3-Major | | Untrusted cert might be accepted by server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile. |
688570-4 | 3-Major | | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes |
688553-2 | 3-Major | | SASP GWM monitor may not mark member UP as expected |
687807-2 | 3-Major | | The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception |
687044-1 | 3-Major | | tcp-half-open monitors might mark a node up in error |
686972-3 | 3-Major | | Changing APM log settings resets the SSL session cache. |
686563-2 | 3-Major | | WMI monitor on invalid node never transitions to DOWN |
686547-2 | 3-Major | | WMI monitor sends logging data for credentials when no credentials are specified |
686307-2 | 3-Major | | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later |
686101-2 | 3-Major | K73346501 | Creating a pool with a new node always assigns the partition of the pool to that node. |
685615-3 | 3-Major | K24447043 | Incorrect source MAC for TCP Reset with vlangroup for host traffic |
685519-2 | 3-Major | | Mirrored connections ignore the handshake timeout |
685110-2 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. |
683706-2 | 3-Major | | Pool member status remains 'checking' when manually forced down at creation |
683697-2 | 3-Major | K00647240 | SASP monitor may use the same UID for multiple HA device group members |
683061-3 | 3-Major | | Rapid creation/update/deletion of the same external datagroup may cause core |
682104-2 | 3-Major | | HTTP PSM leaks memory when looking up evasion descriptions |
681757-2 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
681673-3 | 3-Major | | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results |
680145-1 | 3-Major | K82484604 | HA mirroring for flows without autolasthop causes a crash on the standby |
680074-1 | 3-Major | | TMM crashes when serverssl cannot provide a certificate to the backend server. |
679687 | 3-Major | | LTM Policy applied to a large number of virtual servers causes mcpd restart |
678872-1 | 3-Major | | Inconsistent behavior for virtual-address and selfip on the same ip-address |
678450-2 | 3-Major | | No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve. |
678337-1 | 3-Major | K00463452 | Route Advertisement setting for virtual-address disabled after upgrade from pre-13.0.0 versions★ |
677525-1 | 3-Major | K06831814 | Translucent VLAN group may use unexpected source MAC address |
677400-2 | 3-Major | K82502883 | pimd daemon may exit on failover |
676828-1 | 3-Major | K09012436 | Host IPv6 traffic is generated even when ipv6.enabled is false |
676355-1 | 3-Major | | DTLS retransmission does not comply with RFC in certain resumed SSL sessions |
675367-1 | 3-Major | K95393925 | The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication |
673951-1 | 3-Major | K56466330 | Memory leak when using HTTP2 profile |
673399-2 | 3-Major | | HTTP request dropped after a 401 exchange when a WebSockets profile is attached to virtual server. |
673075 | 3-Major | | Reduced issues for monitors configured with FQDN |
672963 | 3-Major | | MSSQL monitor fails when monitored DB requires charset |
672312-1 | 3-Major | | IP ToS may not be forwarded to serverside with syncookie activated |
672008-2 | 3-Major | K22122208 | NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds |
671999-1 | 3-Major | | Re-extract the Thales software every time the installation script is run |
671112-1 | 3-Major | | Internal IP datagroups not matching against some IPv6 network addresses |
670816-4 | 3-Major | K44519487 | HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters |
670520-4 | 3-Major | | FastL4 not sending keepalive at proper interval when other side gets response |
670258-1 | 3-Major | | Multicast pings not forwarded by TMM |
670245-1 | 3-Major | | IP forwarding virtual server drops packets with TTL of 1 in TTL preserve mode |
668521-3 | 3-Major | | Bigd might stall while waiting for an external monitor process to exit |
668459-1 | 3-Major | | Asymmetric transparent nexthop traffic only updates ingress interface |
668196-1 | 3-Major | | Connection limit continues to be enforced with least-connections and pool member flap; member remains down |
668041-1 | 3-Major | K27535157 | Config load fails when an iRule comment ends with a backslash in a config where there is also a policy. |
667560-2 | 3-Major | K69205908 | FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed |
666616-1 | 3-Major | K82565029 | Some HTTP iRule commands should always return results as Tcl lists, but do not. |
666595-1 | 3-Major | | Monitor node log fd leak by bigd instances not actively monitoring node |
665652-1 | 3-Major | K41193475 | Multicast traffic not forwarded to members of VLAN group |
663326-1 | 3-Major | | Thales HSM: "fipskey.nethsm --export" fails to make stub keys |
663181-1 | 3-Major | | VDI plugin-initiated connections may select inappropriate SNAT address |
662911-3 | 3-Major | K93119070 | SASP monitor uses same UID for all vCMP guests in a chassis or appliance |
662816-1 | 3-Major | K61902543 | Monitor node log fd leak for certain monitor types |
661881-1 | 3-Major | K00030614 | Memory and performance issues when using certain ASN.1 decoding formats in iRules |
657883-1 | 3-Major | K34442339 | tmm cache resolver should not cache response with TTL=0 |
655767-4 | 3-Major | | MCPD does not prevent deleting an iRule that contains in-use procedures |
655724-4 | 3-Major | K15695 | MSRDP persistence does not work across route domains. |
654981-1 | 3-Major | | Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if that rule has no action |
654086-2 | 3-Major | K18323013 | Incorrect handling of HTTP2 data frames larger than minimal frame size |
653976-3 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames |
653930-1 | 3-Major | K69713140 | Monitor with description containing backslash may fail to load. |
653228-3 | 3-Major | K34312110 | SNAT does not work properly on FTP VIP2VIP |
653137-3 | 3-Major | K24159492 | Virtual flaps when FQDN node and pool configured with autopopulate |
652370 | 3-Major | | The persist cookie insert iRule command may leak memory |
651901-3 | 3-Major | | Removed unnecessary ASSERTs in MPTCP code |
651713 | 3-Major | | Passive mode and untagged frames |
651681-3 | 3-Major | K49562354 | Orphaned bigd instances may exist (within multi-process bigd) |
651541-1 | 3-Major | K83955631 | Changes to the HTTP profile do not trigger validation for virtual servers using that profile |
647071-1 | 3-Major | | Stats for SNATs do not work when configured in a non-zero route domain |
645635-1 | 3-Major | | sFlow may use 0.0.0.0 as Agent Address in 2-core vCMP guests |
645220-1 | 3-Major | | bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs |
645197-4 | 3-Major | | Monitors receiving unique HTTP "success" response codes may stop monitoring after status change |
645058-4 | 3-Major | | Modifying SSL profiles in GUI may fail when key is protected by passphrase |
645036 | 3-Major | K85772089 | Removing pool from virtual server does not update its status |
644873-3 | 3-Major | K97237310 | ssldump can fail to decrypt captures with certain TCP segmenting |
643860-5 | 3-Major | | Attempt to read or write the file /dev/vnic can cause TMM to restart, and TMM may not start up properly |
642786-1 | 3-Major | K01833444 | TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'. |
641512-5 | 3-Major | K51064420 | DNSSEC key generation fails with lots of invalid SSL traffic |
641491-1 | 3-Major | K37551222 | TMM core while running iRule LB::status pool poolname member ip port |
640565-2 | 3-Major | K11564859 | Incorrect packet size sent to clone pool member |
640395-2 | 3-Major | | When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly |
640369-1 | 3-Major | | TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the VLAN |
638715-1 | 3-Major | K77010072 | Multiple Diameter monitors to same server ip/port may race on PID file |
637613-4 | 3-Major | K24133500 | Cluster blade being disabled immediately returns to enabled/green |
636149-1 | 3-Major | | Multiple monitor response codes to single monitor probe failure |
633464-3 | 3-Major | | Content-Length header is not passed on to the client when HTTP/2 profile is attached to virtual. |
633110-3 | 3-Major | K09293022 | Literal tab character in monitor send/receive string causes config load failure, unknown property |
624044-2 | 3-Major | K42806722 | LTM Monitor custom recv/send/recv-disable parameters that have a backslash at the end may fail to load★ |
623084-5 | 3-Major | | mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★ |
620556-2 | 3-Major | | Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule |
619844-3 | 3-Major | | Packet leak if reject command is used in FLOW_INIT rule |
602708-3 | 3-Major | K84837413 | Traffic may not pass through CoS by default |
601727 | 3-Major | | Some FQDN nodes are not correctly created |
599567-2 | 3-Major | | APM assumes snat automap, does not use snat pool |
598707-2 | 3-Major | | Path MTU does not work in self-IP flows |
594751-2 | 3-Major | K90535529 | LLDP VLAN information not transmitted to neighbors when interfaces are added to a trunk after the trunk has already been assigned to a VLAN |
586621 | 3-Major | K36008344 | SQL monitors 'count' config value does not work as expected. |
582331 | 3-Major | | Maximum connections is not accurate when TMM load is uneven |
579252 | 3-Major | | Traffic can be directed to a less specific virtual during virtual modification |
570281 | 3-Major | | Cannot modify 'ip-address' attribute of static ARP / NDP entries |
563689-1 | 3-Major | | ZebOS configuration cannot be loaded via imish when service password-encryption is set |
562267 | 3-Major | | FQDN nodes do not support monitor alias destinations. |
549927-1 | 3-Major | | iRule validation does not check that RULE_INIT/virtual are disallowed in proc calling |
516280-3 | 3-Major | | bigd process uses a large percentage of CPU |
505037 | 3-Major | K01993279 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
495443-8 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
486735 | 3-Major | | Maximum connections is not accurate when TMM load is uneven |
463097-2 | 3-Major | K09247330 | Clock advanced messages with large amount of data maintained in DNS Express zones |
454640-1 | 3-Major | | mcpd instances on secondary blades might restart on boot |
449158 | 3-Major | | Using an iRule nexthop to "vlan:mac address" does not forward the packet |
251162-2 | 3-Major | | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name |
248914-3 | 3-Major | K00612197 | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
225492-2 | 3-Major | | Ramcache might disallow valid cache configurations that are very near the limit. |
222690-1 | 3-Major | K10281 | The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command. |
711230 | 4-Minor | | FQDN template nodes resolving to the same IP address cannot be used in multiple non-Common partitions |
708249-3 | 4-Minor | | nitrox_diag generates qkviews with 5 MB max file limit |
699426-2 | 4-Minor | | RRD CPU files are not updated when statsd has no prior knowledge of blades joining a cluster. |
699076-2 | 4-Minor | | URI::path iRule command warns when end and start values are equal |
694491 | 4-Minor | | Errant log message appears as an error |
692095-2 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member |
688557-2 | 4-Minor | | tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' |
677270-1 | 4-Minor | K76116244 | Trailing comments in iRules are removed from the config when entered/loaded in TMSH |
675911-2 | 4-Minor | K13272442 | Dashboard CPU history file may contain incorrect values |
664596 | 4-Minor | | One LTM policy causes a different policy to not execute |
653746-1 | 4-Minor | K83324551 | Unable to display detailed CPU graphs if the number of CPUs is too large |
652577-1 | 4-Minor | | Changes to MAC Masquerading may cause the Standby unit to not reach the floating self IP address |
651005-4 | 4-Minor | | FTP data connection may use incorrect auto-lasthop settings. |
646495-1 | 4-Minor | | BIG-IP may send oversized TCP segments on traffic it originates |
645729-2 | 4-Minor | | SSL connection is not mirrored if SSL session cache is cleared and resume is attempted |
641273-2 | 4-Minor | | port-fwd-mode mode configuration object value |
636348-2 | 4-Minor | | BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset. |
628016-1 | 4-Minor | | MP_JOIN always fails if MPTCP never receives payload data |
618884-5 | 4-Minor | | Behavior when using VLAN-Group and STP |
618595 | 4-Minor | K88501407 | Duplicate SQL monitors updating pool member status incorrectly |
603380-7 | 4-Minor | | Very large number of log messages in /var/log/ltm with ICMP unreachable packets. |
599048-5 | 4-Minor | | BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option |
594064-4 | 4-Minor | | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
592503 | 4-Minor | | TMM 'timer' device does not report 'busy' for non-priority timers. |
571622 | 4-Minor | | "Exceeding pool member limit" error with FQDN pool members and non-LTM license |
558893-4 | 4-Minor | | TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/port |
539026-4 | 4-Minor | | Stats refinements for reporting Unhandled Query Actions :: Drops |
523814-1 | 4-Minor | | When an iRule or Web-Acceleration profile demotes an HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections |
477992-4 | 4-Minor | K07450534 | Instance-specific monitor logging fails for pool members created in iApps |
477786 | 4-Minor | | Inconsistent behavior sending RST on self IP with Port Lockdown None |
462043-3 | 4-Minor | | DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms |
222409-7 | 4-Minor | K9952 | The HTTP::path iRule command may return more information than expected |
699262 | 5-Cosmetic | | FQDN pool member status remains in 'checking' state after full config sync |
572111-1 | 5-Cosmetic | | Rate shaper drop policy sometimes shows a value of zero, which is equivalent to the default value |
462658 | 5-Cosmetic | | FQDN Nodes: mcp validation check error msg verb tense: "Modify of ephemeral nodes not permitted" |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
634022-1 | 3-Major | | Active Directory authentication with Step-Up-Auth has degraded performance. |
600458-1 | 3-Major | | TCP resets occurring under high load |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
710424-4 | 2-Critical | | Possible SIGSEGV in GTMD when GTM persistence is enabled. |
699135-3 | 2-Critical | | tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip |
692941-2 | 2-Critical | | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD |
691287-2 | 2-Critical | | tmm crashes on iRule with pool command after string command |
682335-2 | 2-Critical | | TMM can establish multiple connections to the same gtmd |
678861-2 | 2-Critical | K00426059 | DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★ |
672504-4 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time. |
667028-3 | 2-Critical | | DNS Express does not run on i11000 platforms with htsplit disabled. |
649564-1 | 2-Critical | | Crash related to GTM monitors with long RECV strings |
642039-1 | 2-Critical | | TMM core when persist is enabled for wideip with certain iRule commands triggered. |
704198-2 | 3-Major | | GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance |
700527-2 | 3-Major | | cmp-hash change can hang iRule DNS lookup |
699339-2 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades |
696808-2 | 3-Major | K35353213 | Disabling a single pool member removes all GTM persistence records |
691498-2 | 3-Major | | Connection failure during iRule DNS lookup can crash TMM |
690166-2 | 3-Major | | ZoneRunner creates a new stub zone when creating a SRV WIP with more subdomains |
688335-4 | 3-Major | K00502202 | big3d may restart in a loop on secondary blades of a chassis system |
687128-2 | 3-Major | | gtm::host iRule validation for ipv4 and ipv6 addresses |
680850-3 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. |
680069-2 | 3-Major | | zxfrd core during transfer while network failure and DNS server removed from DNS zone config |
679316-4 | 3-Major | | iQuery connections reset during SSL key renegotiation |
679149-5 | 3-Major | | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] |
675539-2 | 3-Major | | Inter-system communications targeted at a Management IP address might not work in some cases. |
672491-1 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server |
671326-1 | 3-Major | K81052338 | DNS Cache debug logging might cause tmm to crash. |
663073-3 | 3-Major | | GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list. |
659912-2 | 3-Major | | GSLB Pool Member Manage page display issues and error message |
656807-1 | 3-Major | | iRule DNS::ttl does not allow 0 (zero) |
655807-1 | 3-Major | K40341291 | With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score |
653775-4 | 3-Major | K05397641 | Ampersand (&) in GTM synchronization group name causes synchronization failure. |
651875-1 | 3-Major | | GSLB Server properties page should show the iQuery section when type is BIG-IP System |
648286-1 | 3-Major | | GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button. |
645615-1 | 3-Major | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
644447-1 | 3-Major | | sync_zones script increasingly consumes memory when there is network connectivity failure |
640903-2 | 3-Major | | Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen |
615222-2 | 3-Major | | GTM configuration fails to load when it has gslb pool with members containing more than one ":"★ |
517609-4 | 3-Major | K77005041 | GTM Monitor Needs Special Escape Character Treatment |
693007-2 | 4-Minor | | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC |
688266-4 | 4-Minor | | big3d and big3d_install use different logic to determine which version of big3d is newer |
674754-1 | 4-Minor | | ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact |
669262-1 | 4-Minor | K91122850 | [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record |
666258-1 | 4-Minor | | GTM/DNS manual resume pool member not saved to config when disabled |
665117-1 | 4-Minor | K33318158 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping |
659969-4 | 4-Minor | | tmsh command for gtm-application disabled contexts does not work with none and replace-all-with |
648806-2 | 4-Minor | | Invalid "with the first highest ratio counter" logging for pool member ratio load balance |
644220-4 | 4-Minor | K37049259 | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
699720-2 | 2-Critical | | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all |
691670-4 | 2-Critical | K02515009 | Rare BD crash in a specific scenario |
681109-1 | 2-Critical | K46212485 | BD crash in a specific scenario |
679603-1 | 2-Critical | K15460886 | bd core upon request, when profile has sensitive element configured. |
678462-3 | 2-Critical | | after chassis failover: asmlogd CPU 100% on secondary |
678228-2 | 2-Critical | K27568142 | Repeated Errors in ASM Sync |
672301-1 | 2-Critical | | ASM crashes when using a logout object configuration in ASM policy |
665992-1 | 2-Critical | | Live Update via Proxy No Longer Works |
701792-1 | 3-Major | | JS Injection into cached HTML response causes TCP RST on the fictive URLs |
701327-3 | 3-Major | | failed configuration deletion may cause unwanted bd exit |
700726-3 | 3-Major | | Search engine list was updated |
699868-1 | 3-Major | | Filter by custom period is not working properly in some cases |
698919-2 | 3-Major | | Anti virus false positive detection on long XML uploads |
697303-2 | 3-Major | | BD crash |
696265-4 | 3-Major | | BD crash |
696073-1 | 3-Major | | BD core on a specific scenario |
694934-2 | 3-Major | | bd crashes on a very specific and rare scenario |
694922-6 | 3-Major | | ASM Auto-Sync Device Group Does Not Sync |
689982-2 | 3-Major | | FTP Protocol Security breaks FTP connection |
686517-1 | 3-Major | | Changes to a parent policy that has no active children are not synced to the secondary chassis slots. |
686470-2 | 3-Major | | Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load. |
685164-2 | 3-Major | K34646484 | In partitions with default route domain != 0 request log is not showing requests |
683508-2 | 3-Major | | WebSockets: umu memory leak of binary frames when remote logger is configured |
683241-2 | 3-Major | | Improve CSRF token handling |
679384-2 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures. |
676416-1 | 3-Major | | BD restart when switching FTP profiles |
676223-3 | 3-Major | | Internal parameter in order not to sign allowed cookies |
674527-2 | 3-Major | | TCL error in ltm log when server closes connection while ASM irules are running |
674494-2 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic |
673311-1 | 3-Major | | When 'Web Scraping Configuration' has 'Bot Detection' set to 'Alarm', the type=7 JavaScript challenge is sent. |
672828-1 | 3-Major | | Different ASM logging profiles can have cross-impact on response logging decision |
670501-6 | 3-Major | K85074430 | ASM policies are either not (fully) created or not (fully) deleted on the HA peer device |
664714 | 3-Major | | Client-side challenge is changing POST parameter value under some circumstances |
657531-1 | 3-Major | K02310615 | High memory usage when using the ICAP server |
654925-3 | 3-Major | K25952033 | Memory Leak in ASM Sync Listener Process |
653017-3 | 3-Major | | Bot signatures cannot be created after upgrade with DoS profile in non-Common partition |
650070-1 | 3-Major | K23041827 | iRule that uses ASM violation details may cause the system to reset the request |
649513-1 | 3-Major | | IP Intelligence: Policy diff doesn't work for categories |
646800-1 | 3-Major | | A part of the request is not sent to ICAP server in a specific case |
644725-2 | 3-Major | K01914292 | Configuration changes while removing ASM from the virtual server may cause graceful ASM restart |
694073-2 | 4-Minor | | All signature update details are shown in 'View update history from previous BIG-IP versions' popup |
688833-4 | 4-Minor | | Inconsistent XFF field in ASM log depending on violation category |
685743-4 | 4-Minor | | When changing internal parameter 'request_buffer_size', violations in large requests might not be reported |
675232-4 | 4-Minor | | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
688813 | 2-Critical | K23345645 | Some ASM tables can massively grow in size. |
703196-4 | 3-Major | | Reports for AVR are missing data |
700322-1 | 3-Major | | Upgrade may fail on a multi blade system when there are scheduled reports in configuration★ |
700035-4 | 3-Major | | /var/log/avr/monpd.disk.provision is not rotated |
683177-1 | 3-Major | | Can't drilldown or filter by 'Client Countries' |
665425-2 | 3-Major | K24182390 | AVR Max metrics shows wrong values |
649177-1 | 3-Major | K54018808 | Testing for connection to SMTP Server always returns "OK" |
648242-1 | 3-Major | | Administrator users unable to access all partitions via TMSH for AVR reports |
636104 | 3-Major | | If pool member is defined with port 0, member may not be visible on the HTTP dimension pane. |
574160-8 | 3-Major | | Publishing DNS statistics if only Global Traffic and AVR are provisioned |
685787 | 4-Minor | | SMTP Profile: "Use Authentication" cannot be disabled using the GUI |
649873 | 4-Minor | | DoS Visibility charts don't display information for dropped messages |
633217 | 4-Minor | | Countries in new DoS visibility tables will appear "N/A" after upgrade★ |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
679221-3 | 1-Blocking | | APMD may generate core file or appears locked up after APM configuration changed |
618420-1 | 1-Blocking | | IE browser fails to establish VPN and throws error "Failed to initialize local Tunnel Server" sporadically |
708005-2 | 2-Critical | | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources |
700522-2 | 2-Critical | | APMD restarts when worker threads are stuck |
690116-2 | 2-Critical | | websso might crash when logging set to debug |
666454-3 | 2-Critical | K05520115 | Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update |
663377 | 2-Critical | | apmd logs stop being sent to all logging destinations intermittently |
660826 | 2-Critical | | BIG-IQ Deployment fails with customization-templates |
660711-2 | 2-Critical | K05265457 | MCPd might crash when a user tries to import an access policy |
644750 | 2-Critical | | 'epsec' tool fails in older version after use in newer version. |
710407-1 | 3-Major | | F5 VPN and EPI apps quit on Linux distributions with Qt version 5.10.1 or higher |
710044-2 | 3-Major | | Portal Access: same-origin AJAX request may fail in some case. |
704587-1 | 3-Major | | Authentication with UTF-8 chars in password fails for ActiveSync users |
704524-3 | 3-Major | | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries |
703275 | 3-Major | | German Webtop help window is empty |
702487-2 | 3-Major | | AD/LDAP admins with spaces in names are not supported |
700783-5 | 3-Major | | Machine certificate check does not check against all FQDN hostnames |
688046-1 | 3-Major | | Change condition and expression for Protocol Lookup agent expression builder |
687937-2 | 3-Major | | RDP URIs generated by APM Webtop are not properly encoded |
687213-2 | 3-Major | | When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED |
684399-3 | 3-Major | | Connectivity profiles UI shows (Not Licensed) when LTM base is presented |
682751-6 | 3-Major | | Kerberos keytab file content may be visible. |
679735-2 | 3-Major | | Multidomain SSO infinite redirects from session ID parameters |
679074-1 | 3-Major | K04024241 | VPN tunnel cannot be established if allow local DNS is enabled and only one DNS is specified on client |
678427-3 | 3-Major | K03138339 | Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice |
676854-2 | 3-Major | | CRL Authentication agent will hang waiting on unresponsive authentication server. |
676690-2 | 3-Major | | Windows Edge Client sometimes crashes when user signs out from Windows |
675775-1 | 3-Major | | TMM crashes inside dynamic ACL building session db callback |
675597-1 | 3-Major | | APM may prematurely close client-side RD Gateway connections on server-side disconnect |
675399-1 | 3-Major | | Network Access does not work when empty variables are assigned for WINS and DNS |
671234-1 | 3-Major | | HTTP Authentication agent will hang waiting on unresponsive authentication server. |
671149-2 | 3-Major | | Captive portal login page is not rendered until it is refreshed |
670583-1 | 3-Major | | EdgeClient does not failover when primary APM server goes down |
669510-1 | 3-Major | | When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled. |
669153-1 | 3-Major | | On demand cert authentication does not work with Linux CLI client |
669021-1 | 3-Major | | Application Tunnel fails to start with the following message: Failed, Couldn't open proxy server. |
668503-1 | 3-Major | | Edge Client fails to reconnect to virtual server after disabling Network Adapter |
668129-2 | 3-Major | | BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers. |
667763-1 | 3-Major | K24852255 | APM Network Tunnel not connecting when Virtual Server has Application DoS profile |
667599-1 | 3-Major | | Edge client reevaluates access policy upon system wake up from sleep |
667167-1 | 3-Major | | Indirect invocation for History object methods fails using Portal Access |
666783-1 | 3-Major | K11974816 | svpn goes into a reconnect loop when another adapter is connected after VPN is connected. |
666058-1 | 3-Major | K86091857 | XenApp 6.5 published icons are not displayed on APM Webtop |
665611-1 | 3-Major | K36337390 | Cannot create a Citrix or VMware View resource from Admin UI in a non-Common partition with a non-default route domain using pool as a destination |
663506-2 | 3-Major | K30533350 | apmd crash during ldap cache initialization |
660654 | 3-Major | | 'epsec refresh' works incorrectly if install package is deleted |
659371-1 | 3-Major | | apmd crashes executing iRule policy evaluate |
658852-6 | 3-Major | | Empty User-Agent in iSessions requests from APM client on Windows |
658278-2 | 3-Major | | Network Access configuration with Layered-VS does not work with Edge Client |
654508-1 | 3-Major | | SharePoint MS-OFBA browser window displays Javascript errors |
653324-2 | 3-Major | K87979026 | On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly |
651947-1 | 3-Major | | Token validate response session variables created with no prefix might collide with other session variables. |
649613-2 | 3-Major | | Multiple UDP/TCP packets packed into one DTLS Record |
648060-1 | 3-Major | K85067418 | EdgeClient locked mode exclusion list admin UI doesn't allow underscore character |
640924-2 | 3-Major | | On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly |
634576-2 | 3-Major | K48181045 | TMM core in per-request policy |
632958-1 | 3-Major | | APM MIB gauges not reset on standby device |
625165-1 | 3-Major | | Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers. |
621158-4 | 3-Major | | f5vpn does not close upon closing session |
620529-1 | 3-Major | | Changes to routing table are not prohibited even when access to local networks is disallowed in Network Access configuration |
582606 | 3-Major | | IPv6 downloads stall when NA IPv4&IPv6 is used. |
552444-3 | 3-Major | | Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD |
547692-4 | 3-Major | | Firewall-blocked KPASSWD service does not cause domain join operation to fail |
527119-5 | 3-Major | | Iframe document body could be null after iframe creation in rewritten document. |
447565-8 | 3-Major | | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
435419-2 | 3-Major | K10402225 | Install of partial EPSEC file causes mcpd to crash, followed by multiple cores. |
417819-3 | 3-Major | K69046914 | APM - when Edge Clients, some JS contents are different causing warning |
381258-7 | 3-Major | | 'with' statement in web applications works wrong in some cases |
307037-2 | 3-Major | | Dynamic Resources Are Assigned But Not Accessible |
686718-2 | 4-Minor | | VPN tunnel adapter stays up in some cases |
671627-2 | 4-Minor | K06424790 | HTTP responses without body may contain chunked body with empty payload being processed by Portal Access. |
670083-1 | 4-Minor | | APMD debug messages about the file descriptor queue are not correct. |
666497-1 | 4-Minor | | Some of the Korean translations in Windows Edge Client were incorrect |
636866-2 | 4-Minor | | OAuth Client/RS secret issue with export/import |
610436-2 | 4-Minor | K13222132 | DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10. |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
701977-2 | 3-Major | | Non-URL encoded links to CSS files are not stripped from the response during concatenation |
440572-1 | 4-Minor | | Empty X-WA-Surrogate header in WAM symmetric deployment |
Wan Optimization Manager Issues
ID Number | Severity | Solution Article(s) | Description |
673463-1 | 2-Critical | K68275280 | SDD v3 symmetric deduplication may start performing poorly after a failover event |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
703515-4 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key |
698338-3 | 2-Critical | | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection |
689343-1 | 2-Critical | | Diameter persistence entries with bi-directional flag created with 10 sec timeout |
685708-2 | 2-Critical | | Routing via iRule to a host without providing a transport from a transport-config created connection cores |
669739-2 | 2-Critical | | Potential core when using MRF SIP with SCTP |
664535-2 | 2-Critical | | Diameter failure: load balancing fails when all pool members use same IP Address |
662844-2 | 2-Critical | K87735013 | TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x. |
659173-2 | 2-Critical | K76352741 | Diameter Message Length Limit Changed from 1024 to 4096 Bytes |
643785-1 | 2-Critical | | diadb crashes if it cannot find pool name |
639236-4 | 2-Critical | K66947004 | Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute |
709383-3 | 3-Major | | DIAMETER::persist reset non-functional |
703821 | 3-Major | | Enable DIAMETER::persist reset in MR_EGRESS events |
700571-3 | 3-Major | | SIP MR profile, setting incorrect branch param for CANCEL to INVITE |
699431-4 | 3-Major | | Possible memory leak in MRF under low memory |
696049-2 | 3-Major | K55660303 | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running |
692310-1 | 3-Major | | ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body |
691048-2 | 3-Major | K34553736 | Support DIAMETER Experimental-Result AVP response |
688942-4 | 3-Major | K82601533 | ICAP: Chunk parser performs poorly with very large chunk |
679114-3 | 3-Major | K92585400 | Persistence record expires early if an error is returned for a BYE command |
676131-1 | 3-Major | | MRF Diameter: persistence entry not created if message routed via iRule command |
674747-3 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
673814-5 | 3-Major | K37822302 | Custom bidirectional persistence entries are not updated to the session timeout |
669978-2 | 3-Major | | SIP monitor - Via header's branch parameter collision. |
656811-7 | 3-Major | | Memory usage with MBLB SIP ingress buffer on standby |
651886-2 | 3-Major | | Certain FIX messages are dropped |
647158-4 | 3-Major | K76581555 | Internal virtual server inherits CMP hash mode from parent virtual server |
644565-2 | 3-Major | | MRF Message metadata lost when routing message to a connection on a different TMM |
634078-3 | 3-Major | | MRF: Routing using a virtual with SNAT set to none may select a source port of zero |
625098-7 | 3-Major | | SCTP::local_port iRule not supported in MRF events |
624155-3 | 3-Major | | MRF Per-Client mode connections unable to return responses if used by another client connection |
618222-1 | 3-Major | | Loop detection implementation logic violates branch parameter compliance with RFC3261 |
651640-2 | 4-Minor | | queue full dropped messages incorrectly counted as responses |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
456376-6 | 1-Blocking | K53153545 | BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32 |
685820-2 | 2-Critical | | Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not |
679440-1 | 2-Critical | K14120433 | MCPD Cores with SIGABRT |
677473-2 | 2-Critical | | MCPD core is generated on multiple add/remove of Mgmt-Rules |
674903-1 | 2-Critical | | TMM halts and restarts in response to certain requests. |
671052-1 | 2-Critical | K50324413 | AFM NAT security RST the traffic with (FW NAT) dst_trans failed |
666221-1 | 2-Critical | | tmm may crash from DoSL7 |
664708-1 | 2-Critical | | TMM memory leak when DoS profile is attached to VS |
663122 | 2-Critical | | tmm might crash if auto-threshold is enabled for AFM DoS TCP Psh Flood vector |
655470-4 | 2-Critical | K79924625 | IP Intelligence logging publisher removal can cause tmm crash |
644822-1 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
632731 | 2-Critical | | specific external logging configuration can cause TMM service restart |
693780-2 | 3-Major | | Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices |
693663-2 | 3-Major | | Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode |
684369-1 | 3-Major | K35423171 | AFM ACL Rule Policy applied on Standby device |
666112-2 | 3-Major | | TMM 'DoS Layer 7' memory leak during config load |
663946-3 | 3-Major | K92111062 | VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments |
663770 | 3-Major | K04025134 | AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server |
663748-1 | 3-Major | | tmm might crash if AFM DoS address-list whitelist is present in sPVA HW platforms |
657708-1 | 3-Major | K50308190 | Packet Tester is still available in the GUI when AFM is not provisioned |
651961-1 | 3-Major | | AVR is not called for DNS packets when AFM is not provisioned. |
651169-2 | 3-Major | | The Dashboard does not show an alert when a power supply is unplugged |
639859 | 3-Major | | The CPU utilization of MCP can be high on standby box with autodos enabled |
632723-2 | 3-Major | K05079458 | tmm core with remote logging pool in non-zero route domain |
701555-2 | 4-Minor | | DNS Security Logs report Drop action for unhandled rejected DNS queries |
688841 | 4-Minor | | Configuration validation does not catch enabling DoS Application Security Behavioral DoS from Local Traffic Policy rule |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
699531-2 | 2-Critical | | Potential TMM crash due to incorrect number of attributes in a PEM iRule command |
696294-2 | 2-Critical | | TMM core may be seen when using Application reporting with flow filter in PEM |
650422-3 | 2-Critical | | TMM core after a switchover involving GY quota reporting |
709670-1 | 3-Major | | iRule triggered from RADIUS occasionally fails to create subscribers. |
697718-2 | 3-Major | | Increase PEM HSL reporting buffer size to 4K. |
694319-2 | 3-Major | | CCA without a request type AVP cannot be tracked in PEM. |
694318-2 | 3-Major | | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. |
675928-3 | 3-Major | | Periodic content insertion could add too many inserts to multiple flows if http request is outstanding |
674686-3 | 3-Major | | Periodic content insertion of new flows fails, if an outstanding flow is a long flow |
673683-3 | 3-Major | | Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener |
673678-3 | 3-Major | | Periodic content insertion fails, if http request/response get interleaved by second subscriber http request |
673472-3 | 3-Major | | After classification rule is updated, first periodic Insert content action fails for existing subscriber |
667700-2 | 3-Major | | Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed |
659567-2 | 3-Major | K94685557 | iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions |
648802-2 | 3-Major | | Required custom AVPs are not included in an RAA when reporting an error. |
635257-3 | 3-Major | K41151808 | Inconsistencies in Gx usage record creation. |
635233-4 | 3-Major | | Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages |
624231-3 | 3-Major | | No flow control when using content-insertion with compression |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
663531-2 | 2-Critical | | TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel |
691338-1 | 3-Major | | Using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes |
663974-1 | 3-Major | | TMM crash when using LSN inbound connections |
667295-2 | 4-Minor | K51601122 | 'RTSP::header exists' iRule command always returns True |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
666553 | 2-Critical | | KeyLogger fails to work properly with jQuery 1.11.1 |
648650 | 2-Critical | | Upgrade from 11.6.1 to 13.0.0 fails when two parameters in URL added to anti-fraud profile get 'identify-as-username enabled'.★ |
705559-2 | 3-Major | | FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request |
692123-1 | 3-Major | | GET parameter is grayed out if MobileSafe is not licensed |
682671-2 | 3-Major | | The username is updated in the alert dashboard even if login validation fails. |
674297-2 | 3-Major | | Custom headers are removed on cross-origin requests |
667892-3 | 4-Minor | | FPS: BLFN inheritance won't take effect until GUI refresh |
Anomaly Detection Services Issues
ID Number | Severity | Solution Article(s) | Description |
617324-1 | 3-Major | | Service health calculation creates unjustified CPU utilization |
653573-2 | 4-Minor | | ADMd not cleaning up child rsync processes |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
694485-1 | 2-Critical | | Configuration sync does not sync iControl LX or iApp LX objects |
650115 | 2-Critical | | iApp LX app does not sync to standby in a HA pair |
667775-1 | 3-Major | | The lastRestoreLog field is missing from the tm/shared/sys/backup REST endpoint |
667661-3 | 3-Major | K69015104 | Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath' |
688177 | 4-Minor | | Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade |
619397-2 | 4-Minor | K04055706 | LCD shows error screen on boot or after license expires |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
666505-1 | 2-Critical | | Gossip between Viprion blades |
665778-2 | 2-Critical | K34503519 | Non-admin BIG-IP users can now view/re-deploy iApps through TMUI. |
Known Issue details for BIG-IP v13.0.x
711230 : FQDN template nodes resolving to same IP address cannot be used in multiple non-Common partitions
Component: Local Traffic Manager
Symptoms:
If an FQDN template node is created in a partition other than Common, and a second FQDN template node that resolves to the same IP address is then created in a different partition, adding the second node to a pool in that second partition fails.
An error message will be logged similar to the following:
err mcpd[...]: 01020036:3: The requested Pool Member (/part1/pool_1 /part2/node2-192.168.172.246 80) was not found.
Conditions:
-- Creating FQDN template node in a partition other than Common.
-- Creating another FQDN template node in different partition.
-- Each node resolves to same IP address.
Impact:
Cannot add FQDN node to pool.
Workaround:
Create the first FQDN template node in the Common partition.
Then, when FQDN template nodes are created on a different partition, they use the ephemeral node in Common.
710564-2 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
Component: Local Traffic Manager
Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.
Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.
Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.
Workaround:
There is no workaround at this time.
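The condition that triggers this issue is a response whose EDNS0 Client Subnet option carries a non-zero scope prefix length. The following is an added example, not F5's code, that decodes the ECS option (RFC 7871 wire format: option code 8, family, source prefix length, scope prefix length, truncated address) out of the RDATA of an OPT record, so a response captured from a back-end DNS server can be checked for a scope other than 0 before it reaches the LTM DNS profile. The sample RDATA is constructed inline with the helper at the bottom.

```python
"""Decode the EDNS0 Client Subnet (ECS) option from OPT RDATA.

Added example (not F5 code). Wire format per RFC 7871 section 6; the
sample option data built by build_ecs_option() is constructed for the test.
"""
import struct
import ipaddress

ECS_OPTION_CODE = 8  # EDNS option code for Client Subnet (RFC 7871)


def parse_opt_rdata(rdata: bytes) -> list:
    """Split the RDATA of an OPT record into (option-code, option-data) pairs."""
    options = []
    i = 0
    while i + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        i += 4
        if i + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options.append((code, rdata[i:i + length]))
        i += length
    if i != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return options


def parse_ecs(option_data: bytes) -> dict:
    """Decode one ECS option body into family, source/scope prefix and address."""
    if len(option_data) < 4:
        raise ValueError("ECS option too short")
    family, source, scope = struct.unpack("!HBB", option_data[:4])
    addr_bytes = option_data[4:]
    if family == 1:
        width = 4      # IPv4
    elif family == 2:
        width = 16     # IPv6
    else:
        raise ValueError(f"unknown ECS address family {family}")
    # The address is truncated to ceil(source/8) bytes on the wire; pad it
    # back out with zeros so it can be rendered as a normal address.
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("ECS address length does not match source prefix")
    padded = addr_bytes + b"\x00" * (width - len(addr_bytes))
    return {
        "family": family,
        "source": source,
        "scope": scope,
        "address": str(ipaddress.ip_address(padded)),
    }


def ecs_scope(rdata: bytes):
    """Return the ECS scope prefix length found in OPT RDATA, or None if absent."""
    for code, data in parse_opt_rdata(rdata):
        if code == ECS_OPTION_CODE:
            return parse_ecs(data)["scope"]
    return None


def build_ecs_option(family: int, source: int, scope: int, address: str) -> bytes:
    """Construct an ECS option (only used here to build sample RDATA)."""
    raw = ipaddress.ip_address(address).packed[: (source + 7) // 8]
    body = struct.pack("!HBB", family, source, scope) + raw
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


if __name__ == "__main__":
    # Constructed sample: a response scoped to 203.0.113.0/24 (scope 24 != 0),
    # which is exactly the case this issue says LTM drops.
    sample = build_ecs_option(1, 24, 24, "203.0.113.0")
    print("ECS scope in sample response:", ecs_scope(sample))
```

A scope of 0 means the answer is not tailored to the client subnet; any other value is what this issue describes LTM discarding, so a quick check of the back-end's responses with `ecs_scope()` tells you whether a given resolver will trigger it.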
710424-4 : Possible SIGSEGV in GTMD when GTM persistence is enabled.
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.
Conditions:
GTM persistence is enabled.
Impact:
GTMD may occasionally restart.
Workaround:
Disable GTM persistence.
710407-1 : F5 VPN and EPI apps quit on Linux distributions with Qt version 5.10.1 or higher
Component: Access Policy Manager
Symptoms:
F5 VPN and EPI apps quit on Linux distributions with Qt version 5.10.1 or higher.
Conditions:
-- Linux distributions with Qt version 5.10.0 or higher.
-- F5 VPN and F5 EPI application.
Impact:
F5 VPN and F5 EPI apps quit.
Workaround:
Install Qt version 5.9.0 or lower, and make it the default installation.
710044-2 : Portal Access: same-origin AJAX request may fail in some case.
Component: Access Policy Manager
Symptoms:
If the base URL of the current HTML page contains an explicit default port number, a same-origin AJAX request from that page may fail through Portal Access.
Conditions:
- HTML page with explicit default port in base URL, for example:
<base href='https://some.com:443/path/'>
- Same-origin AJAX request from this page, for example:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'some.file');
Impact:
Web application may not work correctly.
Workaround:
An iRule can remove the default port number from the encoded back-end host in Portal Access requests, for example:
when RULE_INIT {
    # hex-encoded string for 'https://some.com'
    set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
    # '3a343433' is the hex-encoded form of ':443'; the trailing '$' is the
    # literal character Portal Access places after the encoded host
    set ::pattern "/f5-w-${::encoded_backend}3a343433\$"
    # index range of the eight hex characters for ':443' within the path
    set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
    set ::remove_start [ expr { $::remove_end - 7 } ]
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "$::pattern" } {
        # strip ':443' from the encoded host, leaving the rest of the path intact
        set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
        HTTP::path "$path"
    }
}
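To check the index arithmetic of the iRule workaround offline, here is an added example in Python (not F5's code and not an iRule) that reproduces the same rewrite: it builds the `/f5-w-<hex>` prefix for a back-end origin and strips the hex-encoded default port from a Portal Access path. It generalises the iRule slightly by deriving the port from the scheme (`:443` for https, `:80` for http) instead of hard-coding `3a343433`. The layout of the encoded path (`/f5-w-`, hex of the origin, then `$` and the original path) is taken from the release-note example; the sample paths are constructed.

```python
"""Reproduce the Portal Access default-port stripping logic in Python.

Added example, not F5 code. Assumes the encoded-path layout shown in the
release note: '/f5-w-' + hex(origin) + '$' ... + original path.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def encode_backend(text: str) -> str:
    """Hex-encode a string the way the iRule's ::encoded_backend is built."""
    return text.encode("ascii").hex()


def portal_prefix(origin: str) -> str:
    """The '/f5-w-<hex>' prefix for an origin such as 'https://some.com'."""
    return "/f5-w-" + encode_backend(origin)


def strip_default_port(path: str, origin: str) -> str:
    """Remove the explicit default port from the encoded host in a Portal Access path.

    Returns the path unchanged when it does not carry the origin with its
    default port (including paths with a non-default port such as :8443).
    """
    scheme = urlsplit(origin).scheme
    port = DEFAULT_PORTS.get(scheme)
    if port is None:
        return path
    base = portal_prefix(origin)
    port_hex = encode_backend(f":{port}")
    # Same shape as the iRule pattern: prefix, hex port, then the literal '$'.
    pattern = base + port_hex + "$"
    if not path.startswith(pattern):
        return path
    # Mirror the iRule: drop exactly the hex characters for ':<port>'.
    start = len(base)
    end = start + len(port_hex)
    return path[:start] + path[end:]


if __name__ == "__main__":
    # Constructed sample path for https://some.com:443/some.file
    sample = portal_prefix("https://some.com") + "3a343433$$/some.file"
    print(strip_default_port(sample, "https://some.com"))
```

Because `startswith` is a literal prefix test, the `$` is matched as a character, exactly as `starts_with` treats it in the iRule; only a path whose encoded host is immediately followed by the hex of `:443` (or `:80` for http) is rewritten.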
709963-3 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.
709936-4 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Component: TMOS
Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).
Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).
Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.
Workaround:
None.
709670-1 : iRule triggered from RADIUS occasionally fails to create subscribers.
Component: Policy Enforcement Manager
Symptoms:
The subscriber cannot be added with the same IP address even after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
709471 : Azure: A failure to load mcpd configuration during the startup triggers "load sys config default" after an hour, if the config load failure is not corrected.
Component: TMOS
Symptoms:
- A "load sys config default" is reported in /var/log/ltm that was not initiated manually by the user. This can break password-based SSH connectivity, because the default config load wipes out the MCPD configuration.
Conditions:
- BIG-IP is running in Azure.
- A misconfiguration in the MCPD on-disk config in /config/*.conf files that causes "load sys config" to fail during startup.
- The broken configuration stays that way for more than an hour. If the "load sys config" failure isn't corrected for an hour, the azure-init vadc startup script loads the default config to correct the problem, thus wiping out user configuration.
Impact:
User could lose the BIG-IP configuration.
Workaround:
- If the user has access to the BIG-IP system, they should try to fix the "load sys config" failure manually by modifying the mcpd configuration in /config/*.conf files. This prevents the eventual "load sys config default".
- If the user does not have access to the BIG-IP system, there is no workaround for this issue.
709383-3 : DIAMETER::persist reset non-functional
Component: Service Provider
Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.
Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.
Impact:
not provided by ENE
Workaround:
none
708968-3 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.
Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
Impact:
- The route entry is not created in TMM; packets addressed to such a destination might not be delivered at all, or might not be delivered using the most efficient route.
- The connection between TMM and tmrouted is restarted, which is a small performance overhead.
Workaround:
- If possible, pass an IPv4 address or an IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on the other routers.
708249-3 : nitrox_diag generates qkviews with 5mb max file limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a qkview, the -s0 flag is not used, so there is a 5 MB file size limit in the generated qkview.
Conditions:
Run the nitrox_diag command without any flags (default settings).
Impact:
qkviews generated by nitrox_diag might not have all necessary information.
Workaround:
After running nitrox_diag, run qkview -s0 to generate a full qkview.
708054-2 : Web Acceleration: TMM may crash on very large HTML files with conditional comments
Component: TMOS
Symptoms:
In some cases the Web Acceleration feature does not handle a large HTML file containing improper conditional comments. TMM may crash processing such files if a Web Acceleration profile is attached to the virtual server.
Conditions:
- HTML file with conditional comments inside:
<!--[if condition...]> ... <![endif]-->
- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.
Impact:
TMM crash interrupts all active sessions.
Workaround:
There is no workaround at this time.
708005-2 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
Component: Access Policy Manager
Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.
Conditions:
This occurs when the following conditions are met:
-- APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.
Impact:
End user cannot launch VMware View resources with View HTML5 client.
Workaround:
-- If you are already running Horizon 7.4, use native View clients instead.
-- If you have not upgraded to Horizon 7.4, stay on older Horizon releases until a workaround/fix is implemented for this issue.
707831 : Improper blade insertion can cause kernel panic
Component: TMOS
Symptoms:
An improperly inserted blade might cause a kernel panic due to unstable power and signals.
Conditions:
Improper blade insertion.
Impact:
Kernel panic or many other kinds of problems.
Workaround:
Reinsert the blade.
Note: It is not possible to fix or handle unstable hardware signals caused by insecure contacts in the socket.
707691-3 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
707631-1 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
Component: TMOS
Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.
Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.
Impact:
Loss of TCP profile SYN Challenge Handling configuration settings.
Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead. The SYN Challenge Handling GUI settings map to tmsh values as follows:
GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled
GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled
GUI Setting: Disable Challenges
TMSH:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled
707540-3 : bigd core due to memory leak, especially with FQDN nodes
Solution Article: K74714343
Component: Local Traffic Manager
Symptoms:
The bigd daemon may core due to excessive memory consumption caused by a slow memory leak that occurs when creating or updating an LTM node or pool member.
This memory leak occurs much more quickly when using FQDN nodes/pool members with the 'autopopulate' feature enabled.
Conditions:
The bigd memory leak occurs slowly with non-FQDN nodes/pool members, but much more quickly when using FQDN nodes/pool members with the 'autopopulate' feature enabled.
An additional leak occurs each time an FQDN name is resolved for an FQDN node or pool member. The rate of the leak in this case is determined by the number of FQDN nodes/pool members configured with the 'autopopulate' feature enabled, and the FQDN name resolution interval (determined by the 'interval' setting of the 'fqdn' configuration for the FQDN node).
Impact:
The bigd daemon may core due to excessive memory consumption.
Workaround:
It is possible to work around this issue by one of the following methods:
1. Configure a longer 'interval' value in the 'fqdn' configuration for configured FQDN nodes.
2. Configure FQDN nodes/pool members without the 'autopopulate' setting enabled.
3. Restart the bigd daemon before memory consumption becomes excessive. (Note that this may interrupt traffic to configured pool members.)
707391-3 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after the virtual address is disabled or route announcement on the virtual address is disabled.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.
Workaround:
Restart the dynamic routing process.
707244-2 : iRule command clientside and serverside may crash tmm
Component: Local Traffic Manager
Symptoms:
Using the clientside and serverside commands in iRules may crash tmm.
Conditions:
Using HTTP commands such as HTTP::password inside nested clientside and serverside scripts.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this point.
706505-4 : iRule table lookup command may crash tmm when used in FLOW_INIT
Component: Local Traffic Manager
Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.
Conditions:
iRule table lookup command is used in FLOW_INIT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use table lookup in the events after the flow is constructed.
706087-2 : Entry for SSL key replaced by config-sync causes tmsh load config to fail
Component: TMOS
Symptoms:
After config-sync, the secondary unit's key file does not match the passphrase stored for the key. This is a generic problem where config-sync is not synchronizing any differing file-objects on the secondary unit that happen to have the same cache_path as the primary.
Conditions:
If the cache_path of the encrypted key happens to be the same on the HA-pair, but the keys are different and have different passphrases.
Impact:
The secondary unit will fail to load the config during boot-up, so it will be offline. Other file-objects that had the same cache_path but were different files do not sync. The latter may not be noticed, since nothing fails on the secondary unit.
Workaround:
Prior to config-sync, check whether the cache_path of the encrypted key is the same on both systems while the sha1sums are different. If this is the case, remove the key on one of the systems, re-install the key, and make sure the cache_path name is different.
705794-5 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
An HTTP2 stream is overlooked when cleaning up an HTTP2 flow.
Conditions:
The only known condition is that closing_stream is not empty. The exact entrance conditions are not clear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
705611-3 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
Component: Local Traffic Manager
Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.
Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.
Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
705559-2 : FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
Component: Fraud Protection Services
Symptoms:
A false positive "no strong integrity param" is sent when none of the configured data-integrity parameters are present in the request.
Conditions:
1. a protected URL has at least one parameter configured with data-integrity check enabled
2. enhanced data manipulation is enabled
3. a request without any of the data-integrity parameters is sent to the protected URL
Impact:
A false positive "no strong integrity param" alert is sent.
Workaround:
There is no workaround at this time.
704587-1 : Authentication with UTF-8 chars in password fails for ActiveSync users
Component: Access Policy Manager
Symptoms:
ActiveSync end users cannot login to the server.
Conditions:
-- ActiveSync end users.
-- UTF-8 characters in the password.
Impact:
ActiveSync service will be unavailable.
Workaround:
Put a Variable Assign agent after the Logon Page with the following assignment (check the Secure checkbox):
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass
704524-3 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, the DNS server truncates UDP responses larger than 512 bytes, causing the DNS request to be re-sent over a TCP connection. This results in unnecessary round trips to resolve DNS SRV queries.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.
Workaround:
There is no workaround at this time.
704449-3 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
    /bin/ps -o pid,ppid,comm -C tmsh
      PID  PPID COMMAND
     8255     1 tmsh
If this issue occurs often enough, it can cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
704435-2 : Client connection may hang when NTLM and OneConnect profiles used together
Component: Local Traffic Manager
Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.
Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.
704336-2 : Updating 3rd party device cert not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
704282-1 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
Component: TMOS
Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.
Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.
For this to happen, the fair share rate of the instance of the dynamic policy has to be less than 32 times the average packet size of the instance of the policy.
For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
F5 does not recommend running the BWC under 64Kbps.
Either decrease the number of subscribers or increase the max-rate of dynamic policy.
704198-2 : GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd;
Secondary blade restarting in a loop.
Conditions:
Modify monitor for gtm objects using tmsh with replace-all-with.
Impact:
There is a leaked/extra monitor instance;
Restarting secondary slot will result in a restart loop.
Workaround:
Restart services, but this might change primary slot:
# bigstart restart
704073-2 : Repeated "bad transition" OOPS logging may appear in /var/log/ltm and /var/log/tmm
Component: Local Traffic Manager
Symptoms:
"bad transition" OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.
Conditions:
No definitive user-discernable conditions. Use of SSL functionality may cause this form of logging.
Impact:
Log pollution and potential for performance degradation.
Workaround:
The logging can be suppressed via 'tmsh modify sys db tmm.oops value silent'
703914-3 : TMM SIGSEGV crash in poolmbr_conn_dec.
Component: Local Traffic Manager
Symptoms:
TMM cores in poolmbr_conn_dec function.
Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.
Impact:
TMM core, traffic interruption, possible failover.
Workaround:
Do not use LB::reselect, or disable request queueing on the pool associated with the VS.
703821 : Enable DIAMETER::persist reset in MR_EGRESS events
Component: Service Provider
Symptoms:
"DIAMETER::persist reset" is prohibited in MR_EGRESS by .jet rules.
TCL error: /Common/persist-irule <MR_EGRESS> - invalid command name "}" while executing "}
Conditions:
Load balancing Diameter service.
Configure iRule for bi-directional persistence.
Impact:
Unable to maintain desired persistence in fail over.
Workaround:
There is no workaround at this time.
703580-2 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
Component: Local Traffic Manager
Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)
Conditions:
-- Using the following platforms:
+ VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.
Impact:
TLS1.1 handshake fails on the guest.
Workaround:
Use the same software version on the vCMP host and vCMP guests.
703515-4 : MRF SIP LB - Message corruption when using custom persistence key
Solution Article: K44933323
Component: Service Provider
Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.
Conditions:
Custom persistence key is not a multiple of 3 bytes
Impact:
The SIP request message may be corrupted when the via header is inserted.
Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.
703298-1 : Licensing and phonehome_upload are not using the sync'd key/certificate
Component: TMOS
Symptoms:
After config-sync, the secondary unit's key passphrase does not decrypt the cached key file.
Conditions:
The original file for f5_api_com.key is used instead of the cached file.
Impact:
phonehome_upload will fail on the secondary unit because the passphrase doesn't match the key file.
Workaround:
After sync, copy the file /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_xxxx over to /config/ssl/ssl.key/f5_api_com.key using the following commands:
# cd /config/filestore/files_d/Common_d/certificate_key_d
# cp -a :Common:f5_api_com.key_xxxx /config/ssl/ssl.key/f5_api_com.key
Once the /config/ssl/ssl.key file is in sync, then loading the config with either cached or un-cached file will work fine.
703275 : German Webtop help window is empty
Component: Access Policy Manager
Symptoms:
APM end user configured to use the German language sees empty Webtop help window.
Conditions:
-- APM end user configured to use the German language.
-- Webtop has been reached and help button clicked.
Impact:
Help window is empty. Cannot read help.
Workaround:
The following workarounds are available.
For each existing Webtop, perform these steps:
1. Go to the [Text] tab of Customization.
2. Go to Webtop : name : Full Webtop : Help.
3. Replace all double quotation marks (") with single quotation marks (').
4. Save/Apply.
For new Webtops, edit default_webtop.xml to use single quotation marks for language "de". For example, using the vi editor, follow these steps:
1. Type vi and press return.
2. Open /var/sam/www/php_include/webtop/renderer/customization/webtop/default_webtop.xml.
3. For language "de" inside <help_webtop_text>, replace all double quotation marks (") with single quotation marks (').
Now all new groups have ' by default.
703196-4 : Reports for AVR are missing data
Component: Application Visibility and Reporting
Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.
Conditions:
Using AVR statistics.
Impact:
Expected AVR statistics may be missing.
Workaround:
Run the following shell command on BIG-IP:
sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql
703090 : With many iApps configured, scriptd may fail to start
Component: TMOS
Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:
"script has exceeded its time to live, terminating the script"
Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.
Impact:
The error message will show up, and some instances of the script will not run.
Workaround:
Restarting scriptd will resolve the issue.
702520-1 : Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
Component: TMOS
Symptoms:
BIG-IP fails to reattach floating addresses to local interfaces during failover, when two or more objects are configured with the same IP address in a given traffic group.
Failover fails with the following error in /var/log/ltm: err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): <IP address> <the same IP address> on interface <eni address>.
Conditions:
-- AZ AWS failover.
-- The same IP address is used for two or more objects (virtual addresses, self IPs, NATs, SNAT translations).
Note: Having two virtual servers with the same IP address (but different ports) does not cause the problem. Also, there is no conflict when using the same IP address for different traffic groups.
Impact:
Failover will fail; some or all IP addresses will not be transferred to the active BIG-IP system.
Workaround:
The only workaround is to change the configuration to use unique IP addresses for conflicting objects.
702487-2 : AD/LDAP admins with spaces in names are not supported
Component: Access Policy Manager
Symptoms:
If an admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.
Note: Names containing spaces are not supported on BIG-IP systems.
Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.
Impact:
VPE, import/export/copy/delete do not work.
Workaround:
There is no workaround other than to not use admin names containing spaces.
702450-3 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion at the error message.
Workaround:
There is no workaround at this time.
702439-2 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Solution Article: K04964898
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
701977-2 : Non-URL encoded links to CSS files are not stripped from the response during concatenation
Component: WebAccelerator
Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.
Conditions:
White space in the URLs.
Impact:
As above.
Workaround:
No workaround at this time.
701792-1 : JS Injection into cached HTML response causes TCP RST on the fictive URLs
Component: Application Security Manager
Symptoms:
TCP RST being sent when a browser requests a fictive URL that starts with either of the following strings:
-- /TSPD/xxx...xxx?type=x
-- /TSbd/xxx...xxx?type=x.
Conditions:
This occurs in either of the following scenarios:
-- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal.
-- DoS profile with Single Page Application enabled is attached to a virtual server.
Impact:
CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.
Workaround:
Use an iRule to disable caching for HTML pages where a fictive URL is injected.
701690-2 : Fragmented ICMP forwarded with incorrect icmp checksum
Solution Article: K53819652
Component: Local Traffic Manager
Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.
Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or a SNAT/NAT only configuration, receives a fragmented ICMP packet that is expected to be passed through the virtual server (or SNAT or NAT).
Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.
Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.
701555-2 : DNS Security Logs report Drop action for unhandled rejected DNS queries
Component: Advanced Firewall Manager
Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.
Conditions:
DNS profile set unhandled-query-action reject.
Impact:
Incorrect event log. This is an incorrectly logged event and does not indicate an issue with the system.
Workaround:
None.
701387-3 : qkview will not collect files greater than 2 GB
Component: TMOS
Symptoms:
Due to a limitation of the file compression library employed by qkview, it cannot collect files greater than 2 GB in size. qkview aborts when encountering such a file and does not produce a resulting qkview file.
Conditions:
A file greater than 2 GB exists in a directory that qkview normally collects.
Impact:
No qkview diagnostics file is created.
Workaround:
Remove the file greater than 2 GB in size.
701327-3 : failed configuration deletion may cause unwanted bd exit
Component: Application Security Manager
Symptoms:
Immediately after the deletion of a configuration fails, bd exits.
Conditions:
When deleting a configuration fails.
Impact:
Unwanted bd restart.
Workaround:
None.
701202-2 : SSL memory corruption
Component: Local Traffic Manager
Symptoms:
In some instances random memory can be corrupted.
Conditions:
SSL is configured (either client-ssl or server-ssl) and the crypto operations are offloaded - Cavium Card, Intel Card, FIPS box, etc.
Impact:
Random memory can be overwritten yielding unpredictable results.
Workaround:
None
701147-1 : ProxySSL does not work properly with Extended Master Secret and OCSP
Solution Article: K36563645
Component: Local Traffic Manager
Symptoms:
SSL handshake fails if the BIG-IP system is operating in ProxySSL mode, while client and server negotiate to use the Extended Master Secret and OCSP features together.
Conditions:
1. Virtual server is configured to work in ProxySSL mode.
2. Client and server negotiate the SSL handshake with the Extended Master Secret.
3. Client and Server negotiate to use the OCSP.
Impact:
ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.
Workaround:
None.
701033 : Tcl actions not run if conditions have overlapping IP ranges
Component: Local Traffic Manager
Symptoms:
Overlapping CIDR subnets in a rule's conditions cause an unexpected result.
Conditions:
-- LTM policy with more than one IP-address-based condition.
-- The IP address ranges overlap.
-- An associated action that invokes a Tcl command.
Impact:
Tcl action is not run.
Workaround:
None.
700897-2 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
Component: TMOS
Symptoms:
sod consumes an excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.
Conditions:
When the number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.
Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.
Workaround:
There is no workaround at this time.
700827-1 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. It can be observed for example by running "tmsh show sys tmm-traffic".
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
700783-5 : Machine certificate check does not check against all FQDN hostnames
Component: Access Policy Manager
Symptoms:
macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. Machine certificate check does not check against all FQDN hostnames. This causes failure in certain scenarios.
Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.
Impact:
Machine cert check might fail.
Workaround:
No workaround at this time.
700726-3 : Search engine list was updated
Component: Application Security Manager
Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily.
Conditions:
Site accessed by search engines.
Impact:
Traffic from search engines is blocked unnecessarily.
Workaround:
Manually add search engines.
700571-3 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE
Component: Service Provider
Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.
Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL
Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.
Workaround:
None.
700527-2 : cmp-hash change can hang iRule DNS lookup
Component: Global Traffic Manager (DNS)
Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.
Conditions:
An iRule must be in the middle of a call to RESOLV::lookup when a vlan cmp-hash configuration is changed.
Impact:
The iRule call can hang repeatedly.
Workaround:
Restart the TMM. This will interrupt client traffic.
700522-2 : APMD restarts when worker threads are stuck
Component: Access Policy Manager
Symptoms:
APMD restarts and logs a message about all threads being stuck.
Conditions:
A race condition allows the busy thread count to remain higher than the actual value. If it reaches the maximum thread count, APMD will restart.
Impact:
APMD can restart unexpectedly.
Workaround:
There is no workaround.
700426-5 : Switching partitions while viewing objects in GUI can result in empty list
Solution Article: K58033284
Component: TMOS
Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.
Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.
For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.
Impact:
The list of pools is empty despite the fact that there are pools available.
Workaround:
Return to the first page of objects before switching to any other partition.
700393-1 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
Tmm may crash due to a stale/stalled HTTP2 stream.
Conditions:
http2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
700322-1 : Upgrade may fail on a multi blade system when there are scheduled reports in configuration★
Component: Application Visibility and Reporting
Symptoms:
Upgrade to a newer version or hotfix fails. The secondary slot always fails the upgrade with the following error in /var/log/liveinstall.log:
error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/fbSBcyXrsz.ucs
info: >++++ result:
info: Saving active configuration...
info: Thrift: Tue Dec 19 10:53:45 2017 TSocket::open() connect() <Host: localhost Port: 9090>Connection refused
info: Error during config save.
info: Unexpected Error: UCS saving process failed.
Conditions:
1) System has two or more slots (multi-blade)
2) There are scheduled reports in configuration.
Impact:
Upgrade fails.
Workaround:
1) Save configuration for scheduled reports aside.
2) Remove all scheduled reports from configuration.
3) Perform upgrade.
4) Add scheduled reports back to configuration.
700250-2 : qkviews for secondary blade appear to be corrupt
Component: TMOS
Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.
Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.
Impact:
The system posts the following messages:
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.
Workaround:
None.
700035-4 : /var/log/avr/monpd.disk.provision not rotate
Component: Application Visibility and Reporting
Symptoms:
The log file may fill up the /var partition.
Conditions:
There is no special condition for this issue; if the log grows large, it does not rotate.
Impact:
The log file may fill up the /var partition.
Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision
699868-1 : Filter by custom period is not working properly in some cases
Component: Application Security Manager
Symptoms:
When a custom time period is defined in the filter on the Requests (Event Correlation, Brute Force) page, the filter does not work correctly and the wrong dates are filtered.
Conditions:
Server and client machines use different time zones.
Impact:
The user cannot filter effectively by custom time period.
Workaround:
Shift the time period to compensate for the time zone difference between the server and the client machine.
699720-2 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
Component: Application Security Manager
Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.
Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.
Impact:
ASM crash; system goes offline.
Workaround:
Use either of the following workarounds:
-- Remove remote logger.
-- Have response logging for illegal requests only.
699531-2 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
699431-4 : Possible memory leak in MRF under low memory
Component: Service Provider
Symptoms:
MRF may leak a session db record when a memory allocation failure occurs while adding a connection to an internal table. In this case, the table entry is not cleaned up when the connection closes.
Conditions:
A memory allocation failure occurs while MRF is adding a connection to an internal table.
Impact:
The table entry will remain until the box resets.
Workaround:
There is no workaround at this time.
699426-2 : RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.
Component: Local Traffic Manager
Symptoms:
If a blade already known to statsd goes down, statsd continues to update the blade's /var/rrd/bladeXcpu file.
If a new blade joins and is announced to statsd, statsd stops updating all /var/rrd/bladeXcpu files, especially if it did not have prior knowledge of the blade.
Conditions:
If statsd is restarted after the blade is disabled, or goes down, and after that the blade rejoins the cluster, the /var/rrd/bladeXcpu files stop updating (where X is the blade number).
Impact:
Data of those files is not updated. This impacts the graphs generated from these files.
Workaround:
Execute the command "bigstart restart statsd" after the new blade has joined the cluster.
699339-2 : Geolocation upgrade files fail to replicate to secondary blades
Solution Article: K24634702
Component: Global Traffic Manager (DNS)
Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.
Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.
Impact:
Geoip database is not updated to match primary blade.
Workaround:
Use either of the following workarounds:
-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.
-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.
To edit /etc/csyncd.conf:
Merge the following two terms:
monitor dir /shared/GeoIP {...}
monitor dir /shared/GeoIP/v2 {...}
into one term, as follows:
monitor dir /shared/GeoIP {
queue geoip
pull pri2sec
recurse yes
defer no
lnksync yes
md5 no
post "/usr/local/bin/geoip_reload_data"
}
699262 : FQDN pool member status remains in 'checking' state after full config sync
Component: Local Traffic Manager
Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.
Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:
tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }
Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.
Workaround:
Restart bigd on the affected peer after the config sync.
699135-3 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.
Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create an iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.
Impact:
tmm cores.
Workaround:
Do not use the host command for wideips of a type other than A/AAAA.
699076-2 : URI::path iRules command warns end and start values equal
Component: Local Traffic Manager
Symptoms:
The URI::path iRules command issues a warning when the end and start values are equal.
Conditions:
The end and start values are equal.
Impact:
Warning message shows in console.
Workaround:
Ignore the warning.
698947-3 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
Component: TMOS
Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.
Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.
Impact:
The decapsulated packets may be dropped in the BIG-IP system.
698943 : Incorrect serverside throughput stats observed when PVA disabled on virtual server
Component: Local Traffic Manager
Symptoms:
Serverside throughput stats may be doubled when ingress and egress flows are split across two TMMs.
Conditions:
- Ingress and egress flows are split across different TMMs.
- PVA is disabled on a virtual server.
Impact:
The BIG-IP system reports inconsistent traffic.
Workaround:
Enable PVA on the virtual server.
698933-2 : Setting metric-type via ospf redistribute command may not work correctly
Component: TMOS
Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.
Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"
Impact:
Metric type is not changed.
Workaround:
Change metric-type using a route-map applied to the redistribute command.
698919-2 : Anti virus false positive detection on long XML uploads
Component: Application Security Manager
Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.
Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.
Impact:
Violation is detected where no violation has occurred (false positive violation).
Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.
Note: This workaround will affect the amount of logged data from ASM.
698916-2 : TMM crash with HTTP/2 under specific condition
Component: Local Traffic Manager
Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connection.
Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.
698429-2 : Misleading log error message: Store Read invalid store addr 0x3800, len 10
Component: TMOS
Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.
Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.
Impact:
None. These messages do not indicate an actual problem with the system.
698379-1 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR
Solution Article: K61238215
Component: Local Traffic Manager
Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.
Conditions:
HTTP2 virtual server configured.
Impact:
Uploads for the HTTP2 virtual server might fail intermittently.
Workaround:
None.
698338-3 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
Component: Service Provider
Symptoms:
The system may core.
Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.
Impact:
The system cores and will restart.
Workaround:
None.
698211-2 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
Solution Article: K35504512
Component: Local Traffic Manager
Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.
Conditions:
Delete a wildcard resource record to the related DNS express zone.
Impact:
DNS returns the incorrect response.
Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.
698084-2 : IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
Solution Article: K03776801
Component: TMOS
Symptoms:
Some groups of messages logged by tmipsecd are missing the errdefs annotation that identifies IPsec as the module. Messages reported when tunnels go up and down, or problems with listeners, go only to ltm logs, with no visibility to bigiq logs.
Conditions:
Missing the IPsec module subset ID.
Impact:
Missing IPsec messages in the bigiq logs.
Workaround:
No workaround at this time.
698013-2 : TACACS+ system auth and file descriptors leak
Component: TMOS
Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.
This might eventually lead to lack of HTTP-based access to the BIG-IP system.
Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include the Web UI, iControl, and iControl REST.
-- Repeated automated access using iControl is the fastest route.
Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.
698000-2 : Connections may stop passing traffic after a route update
Solution Article: K04473510
Component: Local Traffic Manager
Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.
Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.
Impact:
Connections may fail after routing updates. New connections will not be affected.
Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.
697766-2 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
Solution Article: K12431303
Component: TMOS
Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen
isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.
Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than version 11.6.1.
In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:
router isis isisrouter
is-type level-2-only
authentication mode md5
authentication key-chain keychain-isis
lsp-refresh-interval 5
max-lsp-lifetime 65535
net 49.8002.00c1.0000.0000.f523.00
Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.
Workaround:
None.
697718-2 : Increase PEM HSL reporting buffer size to 4K.
Component: Policy Enforcement Manager
Symptoms:
Before this fix, the PEM HSL reporting buffer size is limited to 512 bytes.
Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.
Impact:
Part of PEM HSL flow reporting information will be lost.
697424-2 : iControl-REST crashes on /example for firewall address-lists
Component: TMOS
Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.
Conditions:
Making a call to /example on firewall address-list.
Impact:
The icrd_child process crashes.
Workaround:
There is no workaround other than not calling /example on firewall address-lists.
697303-2 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
696808-2 : Disabling a single pool member removes all GTM persistence records
Solution Article: K35353213
Component: Global Traffic Manager (DNS)
Symptoms:
Disabling a single pool member removes all GTM persistence records.
Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.
Impact:
All GTM persistence records are accidentally cleared.
Workaround:
Set drain-persistent-requests yes.
696755-1 : HTTP/2 may truncate a response body when served from cache
Component: Local Traffic Manager
Symptoms:
BIG-IP provides a client side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached in BIG-IP with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag causing the client to ignore the rest of the response body.
Conditions:
The BIG-IP system has a virtual server where HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some clients' browsers do not retry a resource causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the body to be displayed:
when HTTP_RESPONSE_RELEASE {
set con_len [string trim [HTTP::header value Content-Length]]
HTTP::header remove Content-Length
HTTP::header insert Content-Length "$con_len"
}
696732-2 : tmm may crash in a compression provider
Solution Article: K54431534
Component: TMOS
Symptoms:
TMM may crash with the following panic message in the log files:
panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.
Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.
Impact:
TMM crashes; traffic is disrupted while tmm restarts.
Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:
tmsh modify sys db compression.strategy value softwareonly
696731-2 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Solution Article: K94062594
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administratively disabling an interface on the BIG-IP system.
Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
696294-2 : TMM core may be seen when using Application reporting with flow filter in PEM
Component: Policy Enforcement Manager
Symptoms:
TMM core with flow filter when the Application reporting action is enabled.
Conditions:
Application reporting is enabled along with a flow filter.
Impact:
TMM restarts, causing service interruption.
696265-4 : BD crash
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
696113-2 : Extra IPsec reference added per crypto operation overflows connflow refcount
Component: TMOS
Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.
Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.
Impact:
Unexpected tmm failover after refcount overflow.
Workaround:
There is no workaround at this time.
696073-1 : BD core on a specific scenario
Component: Application Security Manager
Symptoms:
bd process crashes, and core file created in the /shared/core/ directory.
Conditions:
Specific request and response characteristics that relate to CSP headers sent by the server.
Impact:
Failover in high availability units.
Workaround:
Disable CSP headers handling in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm
696072 : Fix a race condition in ixlv driver which was causing a tmm panic
Component: TMOS
Symptoms:
TMM panic with "extract succeeded" error message.
Conditions:
The ixlv driver is in use and the number of TMMs is more than 4.
Impact:
TMM restarts.
Workaround:
Reduce the TMM count to 4 or fewer.
696049-2 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Solution Article: K55660303
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
695925-2 : tmm crash when showing connections for a CMP disabled virtual server
Component: Local Traffic Manager
Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.
Conditions:
This occurs when all of the following conditions are met:
-- There is a CMP-disabled virtual server.
-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).
-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').
Impact:
tmm crashes and restarts impacting traffic.
Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.
Avoid using 'tmsh show sys connection'.
695873 : Entry for ssl key removed from tmsh causes tmsh load config to fail
Component: TMOS
Symptoms:
As part of phonehome, the licensing process uses an encrypted key which keeps its passphrase securely in tmsh.
Conditions:
If the tmsh entry is deleted, the key can no longer be used, issuing a new registration key fails to create a new key, and bigip.conf no longer loads.
Impact:
The bigip.conf will not load without having to edit out the key and certificate entries. Also, phonehome will not work since there is no passphrase for the encrypted key.
Workaround:
Edit out the section for f5_api_com.key in /config/bigip.conf and run tmsh load sys config. Then remove the key: rm -f /config/ssl/ssl.key/f5_api_com.key and reinstall the license registration key.
695707-4 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
Component: Local Traffic Manager
Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.
Conditions:
Close an MPTCP connection.
Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.
Workaround:
There is no workaround at this time.
695117-2 : bigd cores and sends corrupted MCP messages with many FQDN nodes
Solution Article: K30081842
Component: Local Traffic Manager
Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.
Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.
FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.
Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:
... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...
Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.
Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.
695109-2 : Changes to fallback persistence profiles attached to a Virtual server are not effective
Component: Local Traffic Manager
Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.
Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.
Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.
Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.
694934-2 : bd crashes on a very specific and rare scenario
Component: Application Security Manager
Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.
Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.
Impact:
bd crashes.
Workaround:
None.
694922-6 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device
Impact:
ASM configuration is not correctly synchronized between devices
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
694740-2 : BIG-IP reboot during a TMM core results in an incomplete core dump
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, the HSB panics and generates a core file for post-analysis. The HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.
694697-2 : clusterd logs heartbeat check messages at log level info
Solution Article: K62065305
Component: Local Traffic Manager
Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.
-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)
Conditions:
log.clusterd.level set to info.
Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.
Workaround:
Set log.clusterd.level to notice.
694696-4 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline
Component: TMOS
Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.
Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.
Impact:
Traffic to all other traffic-groups is disrupted for several seconds.
Workaround:
There is no workaround at this time.
694656-2 : Routing changes may cause TMM to restart
Component: Local Traffic Manager
Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).
Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.
-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.
-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).
Impact:
TMM restarts, resulting in a failover and/or traffic outage.
Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.
If dynamic routing is in use, there is no workaround.
694547-1 : TMSH save sys config creates unneeded generate_config processes.
Component: TMOS
Symptoms:
When saving a configuration through TMSH or iControl REST, a process called generate_config is created.
Conditions:
Run tmsh save sys config, or the same command through iControl REST.
Impact:
One generate_config process will be generated per save operation. If config save occurs often, these extraneous processes can slowly fill up the process table.
Workaround:
There is no real workaround other than saving the configuration infrequently enough that these extraneous processes do not fill the process table.
If the process table is full, restart tmsh, scriptd, or restjavad to clear out the unneeded processes.
694491 : Errant log message appears as an error
Component: Local Traffic Manager
Symptoms:
A log message similar to the following appears in /var/log/ltm:
err mcpd[]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (31624).
Conditions:
No specific conditions trigger this message. You might see this message when you inspect the LTM log after booting.
Impact:
There is no negative impact to the system. You can safely ignore this message.
Workaround:
No need for a workaround. The message can be ignored or filtered.
694490 : vCloud Director images not available★
Component: TMOS
Symptoms:
There is no dedicated vCloud Director BIG-IP image of v13.0.0 HF3 to use for install/upgrade operations.
Conditions:
-- Installing BIG-IP v13.0.0 HF3.
-- Upgrading to BIG-IP v13.0.0 HF3 from a prior release.
Impact:
Cannot use previously available method of installing/upgrading using a dedicated vCloud Director image.
Note: Separate vCloud Director images are not available for BIG-IP v13.0.0 HF3. However, you can upgrade using the hotfix ISO or install using the general OVA images.
Workaround:
Upgrade a prior release using the hotfix ISO, or install using OVA for other VMware environments.
694485-1 : Configuration sync does not sync iControl LX or iApp LX objects
Component: Device Management
Symptoms:
Configuration sync operations do not sync iControl LX or iApp LX objects. On DDoS Hybrid Defender (DHD) appliances, protected objects are essentially iApp LX blocks, and sometimes the system does not sync them to the high availability (HA) peer.
Conditions:
This issue occurs when there are dtca.key and dtca.crt files under the /config/ssl/ssl.key/ and /config/ssl/ssl.crt/ directories that do not match the same files on a peer device.
Impact:
iControl LX or iApp LX objects do not sync to HA peer. The Config Sync indicator on the BIG-IP system will say 'in sync'.
Workaround:
One possible workaround is to manually discover the other BIG-IP devices in the REST device group by providing their credentials, using a curl command similar to the following. Note that the password is passed on the command line, so it is recorded in the shell history and is visible in process listings while the command runs:
curl -X POST -d '{"address":"other_BIG-IP_mgmt_ip", "userName": "admin", "password":"admin_pw"}' http://localhost:8100/shared/resolver/device-groups/tm-shared-all-big-ips/devices
694319-2 : CCA without a request type AVP cannot be tracked in PEM.
Component: Policy Enforcement Manager
Symptoms:
Not all CCA messages can be tracked, which may cause diagnostic issues.
Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP
Impact:
May hamper effective diagnostics.
Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.
694318-2 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
Component: Policy Enforcement Manager
Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.
Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.
Impact:
Subscriber sessions are stuck in the delete-pending state, resulting in a potential increase in memory consumption over time.
Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.
694073-2 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup
Component: Application Security Manager
Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.
Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).
Impact:
Low and incorrect visibility of signature update details.
Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.
693996-4 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
693910-3 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
Component: Local Traffic Manager
Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they were learned transitions to an STP blocked state. This is because the FDB entries are not flushed on these interfaces after they change to a blocked state. Traffic destined to these MAC addresses is dropped until their associated FDB entries age out.
Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.
Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.
Workaround:
None.
693884-2 : ospfd core on secondary blade during network instability
Component: TMOS
Symptoms:
ospfd cores on a secondary blade while the network is unstable.
Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.
Impact:
The dynamic routing process ospfd cores on a secondary blade.
Workaround:
None.
693780-2 : Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
Component: Advanced Firewall Manager
Symptoms:
When a request arrives from UC Browser running on iOS without the TSPD_101 cookie (the proactive bot defense cookie), the BIG-IP system responds with a CAPTCHA challenge.
Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.
Impact:
UC browser end-user presented with captcha challenge.
Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
value "60"
}
693663-2 : Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
Component: Advanced Firewall Manager
Symptoms:
When a request arrives from Firefox running on iOS in desktop mode without the TSPD_101 cookie (the proactive bot defense cookie), the BIG-IP system responds with a CAPTCHA challenge.
Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.
Impact:
Firefox (iOS desktop mode only) end-user presented with captcha challenge.
Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
value "60"
}
693582-2 : Monitor node log not rotated for icmp monitor types
Component: Local Traffic Manager
Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.
Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
Impact:
Depending on the affected BIG-IP version in use, effects may include:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.
Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).
If symptom #1 (from Impact section above) occurs, Monitor Logging can be re-enabled after log rotation has occurred.
To address symptom #2 or #3 (from Impact section above), Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors
693563-2 : No warning when LDAP is configured with SSL but with a client certificate with no matching key★
Component: TMOS
Symptoms:
When LDAP auth is configured with SSL:
- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.
Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.
Impact:
LDAP auth fails. There is no warning that the auth failed.
Workaround:
Configure a key that matches the specified client certificate.
693246 : SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.
Component: TMOS
Symptoms:
This seems to happen very infrequently. Symptoms vary from a simple TMM restart up to a blade reset. LTM log will show a sod message complaining about TMM heartbeats, followed later by SIGABRT messages from TMM.
Conditions:
TMM has not reported its heartbeat for a long enough period of time. The specific circumstances are unknown, but the issue has been seen with moderate-to-heavy system loads.
Impact:
Interruptions in data path processing. The interruption can be short for a simple TMM restart, longer for a full blade restart. Though these events altogether are rare, when they happen, it appears the simple TMM restart is more common than the blade restart.
Workaround:
None.
693244-1 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
Component: Local Traffic Manager
Symptoms:
The BIG-IP system silently drops the server-side TCP flow when it receives a client-side RST while the server-side flow is still in the SYN-SENT state.
Conditions:
The BIG-IP system receives a client-side RST while the client-side TCP flow is in the ESTABLISHED state and the server-side TCP flow is in the SYN-SENT state. The server-side flow is silently dropped, and no RST is sent to the pool member.
Impact:
Because the pool member never receives a RST, it remains in the SYN-RECEIVED state, retransmitting its SYN-ACK until the retransmission limit is reached, and eventually times out and returns to the LISTEN state.
693007-2 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
Component: Global Traffic Manager (DNS)
Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.
Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.
Impact:
The impact is likely minimal: at most a single timeout for pending TLD queries when they happen to round-robin onto the old address, probably not more often than the hint's TTL (more than a month), and even then only once the old IP address actually stops responding.
Workaround:
Manually update the root hints in all affected profiles (the hardwired ones cannot be edited).
692941-2 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
Component: Global Traffic Manager (DNS)
Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.
Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.
Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.
Workaround:
None.
692753-2 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell
Component: TMOS
Symptoms:
The shutting-down trap is not sent when 'shutdown -r' or 'shutdown -h' is issued from the shell.
Conditions:
When a user accesses the Linux shell and issues 'shutdown -h' or 'shutdown -r', the BIG-IP system does not send the shutting-down trap.
Impact:
None.
Since this is a user-triggered command, the user is aware of the shutdown event, so the lack of a trap is not critical.
Workaround:
None
692310-1 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body
Component: Service Provider
Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.
Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).
Impact:
The HTTP server or client to which the modified request or response is destined, receives invalid HTTP and might behave in an unexpected manner.
Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'. Note that Tcl does not treat single quotes as string delimiters, so the header name must be written bare or in double quotes; otherwise the existence check never matches and a duplicate Content-Length header can be inserted.
For example, with a modified request:
when ADAPT_REQUEST_HEADERS {
    # Only bodiless GET requests are handled here; extend the method test as needed.
    if { ([HTTP::method] eq "GET") and (not [HTTP::header exists "Content-Length"]) } {
        HTTP::header insert Content-Length 0
    }
}
Use the same check in an ADAPT_RESPONSE_HEADERS event for a response.
692189-2 : errdefsd fails to generate a core file on request.
Component: TMOS
Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.
Conditions:
Forcing errdefsd to core for diagnostic purposes.
Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.
Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd
692179-2 : Potential high memory usage from errdefsd.
Component: TMOS
Symptoms:
errdefsd memory usage grows with each config-sync or config update.
Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.
Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.
Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.
692123-1 : GET parameter is grayed out if MobileSafe is not licensed
Component: Fraud Protection Services
Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.
Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.
Impact:
In FPS Parameter's list, the GET method is always grayed out.
Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.
692095-2 : bigd logs monitor status unknown for FQDN Node/Pool Member
Solution Article: K65311501
Component: Local Traffic Manager
Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]
Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.
Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.
Workaround:
None.
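The following is an added example, not F5 code, of the triage a practitioner can run over /var/log/ltm lines in the formats quoted above: it parses the 01060141 (node) and 01060145 (pool member) bigd status-change messages and flags 'unknown' as ambiguous when the object is an FQDN template node, since under ID 692095 that word may stand for 'checking' or 'no address'. The log lines, PIDs, object names, addresses and durations are constructed to match the quoted formats; the set of FQDN template nodes is assumed to come from the configuration (for example from 'tmsh list ltm node') and is passed in by the caller.

```python
import re

# Message IDs from the release note: 01060141 = node status change,
# 01060145 = pool member status change. Regexes follow the quoted formats.
NODE_RE = re.compile(
    r"bigd\[(?P<pid>\d+)\]: 01060141:5: Node (?P<node>\S+) monitor status "
    r"(?P<status>\w+) \[ (?P<ip>\S+): (?P<ip_status>\w+) \] "
    r"\[ was (?P<prev>\w+) for (?P<dur>[^\]]+?) \]")
MEMBER_RE = re.compile(
    r"bigd\[(?P<pid>\d+)\]: 01060145:5: Pool (?P<pool>\S+) member (?P<node>\S+) "
    r"monitor status (?P<status>\w+)\. \[ \] \[ was (?P<prev>\w+) for (?P<dur>[^\]]+?) \]")

# Constructed sample lines (not real logs): an FQDN template node and its pool
# member reported as 'unknown', a static node going down, and an unrelated line.
SAMPLE_LOG = [
    "Jan  5 10:00:01 bigip1 notice bigd[4321]: 01060141:5: Node /Common/app.example.com "
    "monitor status unknown [ 10.1.1.20: unknown ] [ was up for 0hrs:12mins:30sec ]",
    "Jan  5 10:00:03 bigip1 notice bigd[4321]: 01060145:5: Pool /Common/app_pool member "
    "/Common/app.example.com monitor status unknown. [ ] [ was unchecked for 0hrs:0mins:2sec ]",
    "Jan  5 10:00:09 bigip1 notice bigd[4321]: 01060141:5: Node /Common/web1 "
    "monitor status down [ 10.1.1.10: down ] [ was up for 3hrs:4mins:5sec ]",
    "Jan  5 10:00:10 bigip1 info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 "
    "(Last heartbeat 0 seconds ago)",
]

def parse_bigd_status(line):
    """Return a dict for a bigd status-change line, or None for any other line."""
    m = NODE_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "node"
        return rec
    m = MEMBER_RE.search(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="member", ip=None, ip_status=None)
        return rec
    return None

def triage(lines, fqdn_template_nodes):
    """Classify status-change lines. For FQDN template nodes an 'unknown'
    current or previous status is flagged as ambiguous (it may really be
    'checking' or 'no address'); for other objects the status is taken as-is."""
    findings = []
    for line in lines:
        rec = parse_bigd_status(line)
        if rec is None:
            continue
        rec["ambiguous"] = (rec["node"] in fqdn_template_nodes
                            and "unknown" in (rec["status"], rec["prev"]))
        findings.append(rec)
    return findings

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, {"/Common/app.example.com"}):
        print(rec["kind"], rec["node"], rec["status"], "ambiguous" if rec["ambiguous"] else "")
```

Ambiguous entries are the ones to cross-check against 'tmsh show ltm node' (or the pool member view) rather than treating the logged 'unknown' as a monitor failure.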
691806-2 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
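As an added illustration (not BIG-IP code) of what RFC 793 expects here: its "SEGMENT ARRIVES" processing for SYN-RECEIVED checks the ACK first, moves the connection to ESTABLISHED when the ACK is acceptable, and only then processes the FIN, which takes the connection to CLOSE-WAIT; the segment is not reset. The model below implements that order of checks next to the behaviour ID 691806 describes, with sequence numbers, window handling and timers reduced to what this case needs; the initial sequence numbers are arbitrary.

```python
from dataclasses import dataclass, field

@dataclass
class Tcb:
    """Transmission control block reduced to the fields the SYN-RECEIVED checks use."""
    state: str = "SYN-RECEIVED"
    snd_una: int = 1000       # our ISS: the SYN we sent is still unacknowledged
    snd_nxt: int = 1001       # next sequence number we will send
    rcv_nxt: int = 5001       # peer's ISS + 1: next sequence number we expect
    sent: list = field(default_factory=list)   # control segments emitted by us

@dataclass(frozen=True)
class Segment:
    flags: frozenset
    seq: int
    ack: int = 0

def rfc793_syn_received(tcb: Tcb, seg: Segment) -> str:
    """Process one inbound segment in SYN-RECEIVED in the order of checks given in
    RFC 793 section 3.9 and return the resulting state."""
    if tcb.state != "SYN-RECEIVED":
        raise ValueError("only the SYN-RECEIVED state is modelled")
    # First check: sequence number. Only an in-order segment is accepted here
    # (no receive window); an out-of-order non-RST segment is answered with an ACK.
    if seg.seq != tcb.rcv_nxt:
        if "RST" not in seg.flags:
            tcb.sent.append("ACK")
        return tcb.state
    # Second check: RST. Passive open case: the connection returns to CLOSED.
    if "RST" in seg.flags:
        tcb.state = "CLOSED"
        return tcb.state
    # Fourth check: a SYN in the window is an error; send a RST and close.
    if "SYN" in seg.flags:
        tcb.sent.append("RST")
        tcb.state = "CLOSED"
        return tcb.state
    # Fifth check: ACK. No ACK: drop the segment. Unacceptable ACK: send a RST.
    if "ACK" not in seg.flags:
        return tcb.state
    if not (tcb.snd_una <= seg.ack <= tcb.snd_nxt):
        tcb.sent.append("RST")
        return tcb.state
    tcb.snd_una = seg.ack
    tcb.state = "ESTABLISHED"    # "enter ESTABLISHED state and continue processing"
    # Eighth check: FIN, now handled with ESTABLISHED semantics: ack it, CLOSE-WAIT.
    if "FIN" in seg.flags:
        tcb.rcv_nxt += 1         # the FIN occupies one sequence number
        tcb.sent.append("ACK")
        tcb.state = "CLOSE-WAIT"
    return tcb.state

def bigip_691806_syn_received(tcb: Tcb, seg: Segment) -> str:
    """The behaviour the release note describes: a FIN/ACK arriving in
    SYN-RECEIVED is answered with a RST (modelled here as ending in CLOSED)
    instead of completing the handshake. Other segments follow RFC 793."""
    if tcb.state == "SYN-RECEIVED" and {"FIN", "ACK"} <= seg.flags:
        tcb.sent.append("RST")
        tcb.state = "CLOSED"
        return tcb.state
    return rfc793_syn_received(tcb, seg)

# The segment in question: the peer's ACK of our SYN carrying its FIN.
FIN_ACK = Segment(flags=frozenset({"FIN", "ACK"}), seq=5001, ack=1001)

if __name__ == "__main__":
    print("RFC 793:  ", rfc793_syn_received(Tcb(), FIN_ACK))        # CLOSE-WAIT
    print("ID 691806:", bigip_691806_syn_received(Tcb(), FIN_ACK))  # CLOSED
```

The practical consequence for a client that opens a connection and immediately half-closes it (for example, a request followed by a FIN before the handshake completes) is a RST from the BIG-IP system rather than a normal close.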
691785-2 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
Component: Local Traffic Manager
Symptoms:
The bcm570x driver will cause TMM to core with the log message:
panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.
Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.
Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
691749-2 : Delete sys connection operations cannot be part of TMSH transactions
Component: TMOS
Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.
Conditions:
Include delete sys connection operations in TMSH transactions.
Impact:
TMSH freezes up and transactions do not complete.
Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.
691670-4 : Rare BD crash in a specific scenario
Solution Article: K02515009
Component: Application Security Manager
Symptoms:
bd crashes, or signature ID 200023003 is falsely reported.
Conditions:
JSON/XML/parameter traffic (should not happen with the enforce-value signature).
Impact:
Failover and traffic disruption in the crash case; a false-positive violation or blocking in the other case.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
691589-1 : When using LDAP client auth, tamd may become stuck
Component: TMOS
Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.
Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.
Impact:
Authentication to the virtual server fails until tamd is restarted.
Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd
691498-2 : Connection failure during iRule DNS lookup can crash TMM
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes in the DNS response cache periodic sweep.
Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.
Impact:
The TMM cores and automatically restarts, Traffic disrupted while tmm restarts.
Workaround:
No known workaround.
691497-1 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
Component: TMOS
Symptoms:
Running 'tmsh save sys ucs <file>' fails with a message about a missing patch file in /config/.diffVersions. That directory holds configuration change-diffs saved as patch files every time tmsh saves the configuration; it is used for diagnostic purposes only.
Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' gets run at the same time, causing a patch file to be deleted that the ucs-save feature now expected to exist.
Impact:
The ucs-save feature complains about the missing patch file and exits.
Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.
691491-4 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Solution Article: K13841403
Component: TMOS
Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.
Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.
Workaround:
Use OID sysInterfaceMediaActiveSpeed.
691338-1 : Using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes
Component: Carrier-Grade NAT
Symptoms:
When redirecting the traffic by using iRule 'virtual <virtual_server>' on a PBA or DNAT LSN pool associated virtual server, the system resets the connection and logs errors similar to the following:
err tmm2[19158]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/session1_pool) mode PBA on interface _loopback
err tmm2[19158]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/dnat_pool) mode DNAT on interface _loopback
This occurs because using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes.
Conditions:
-- LSN pool is configured in either PBA or DNAT mode.
-- An iRule redirects traffic to a different virtual server.
Impact:
Connections fail using this iRule.
Workaround:
To work around this issue, configure the lsn-pools with NAPT mode.
691287-2 : tmm crashes on iRule with pool command after string command
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes when a pool command immediately follows a string command in an iRule, for example:
when DNS_REQUEST {
    pool [string tolower "Test.com"]
}
Conditions:
A GTM iRule in which a pool command immediately follows a string command, as in the example above.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use a pool command immediately after a string command in an iRule.
691048-2 : Support DIAMETER Experimental-Result AVP response
Solution Article: K34553736
Component: Service Provider
Symptoms:
When the Diameter server returns an answer message that carries an Experimental-Result AVP but no Result-Code AVP, the server-side flow is aborted.
Conditions:
A Diameter answer message contains an Experimental-Result AVP but no Result-Code AVP.
Impact:
The server side flow is aborted.
Workaround:
Use an iRule to insert a Result-Code AVP in all Diameter answer messages.
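As an added example (not F5 code) of the protocol point behind this issue: in RFC 6733 an answer's outcome may be carried either by Result-Code (AVP 268) or by the grouped Experimental-Result AVP (297), which wraps a Vendor-Id (266) and an Experimental-Result-Code (298). The code below encodes and parses AVPs, derives the outcome from whichever form is present, and mirrors the shape of the iRule workaround by appending a Result-Code when only Experimental-Result is present. The sample answer (vendor 10415, experimental code 5001) is constructed, and the mapping from experimental code to Result-Code in ensure_result_code is an illustration choice, not an F5 rule.

```python
import struct

# AVP codes and result values from RFC 6733 (IETF AVPs carry no Vendor-Id header field)
RESULT_CODE = 268
VENDOR_ID = 266
EXPERIMENTAL_RESULT = 297            # Grouped: Vendor-Id + Experimental-Result-Code
EXPERIMENTAL_RESULT_CODE = 298
DIAMETER_SUCCESS = 2001
DIAMETER_UNABLE_TO_COMPLY = 5012
AVP_FLAG_VENDOR = 0x80
AVP_FLAG_MANDATORY = 0x40

def unsigned32(value):
    return struct.pack("!I", value)

def encode_avp(code, data, flags=AVP_FLAG_MANDATORY, vendor_id=None):
    """Encode one AVP: 32-bit code, 8-bit flags, 24-bit length (header plus data,
    excluding padding), optional Vendor-Id, then data padded to a 4-byte boundary."""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
    header_len = 12 if vendor_id is not None else 8
    length = header_len + len(data)
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += unsigned32(vendor_id)
    return out + data + b"\x00" * ((-len(data)) % 4)

def parse_avps(buf):
    """Return [(code, vendor_id, data), ...] for the AVPs in buf. Grouped AVP data
    is returned raw so the caller can parse it with this same function."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < header_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_FLAG_VENDOR else None
        avps.append((code, vendor_id, bytes(buf[off + header_len:off + length])))
        off += length + ((-length) % 4)      # skip the padding
    return avps

def answer_result(avp_payload):
    """Outcome of an answer: Result-Code if present, otherwise the Experimental-Result
    pair, otherwise None (an element that only looks at Result-Code sees this case)."""
    avps = parse_avps(avp_payload)
    for code, vendor_id, data in avps:
        if code == RESULT_CODE and vendor_id is None:
            return {"source": "Result-Code", "code": struct.unpack("!I", data)[0]}
    for code, vendor_id, data in avps:
        if code == EXPERIMENTAL_RESULT and vendor_id is None:
            inner = {c: d for c, v, d in parse_avps(data) if v is None}
            if VENDOR_ID in inner and EXPERIMENTAL_RESULT_CODE in inner:
                return {"source": "Experimental-Result",
                        "vendor": struct.unpack("!I", inner[VENDOR_ID])[0],
                        "code": struct.unpack("!I", inner[EXPERIMENTAL_RESULT_CODE])[0]}
    return None

def ensure_result_code(avp_payload):
    """Append a Result-Code AVP when the answer carries only Experimental-Result.
    Mapping (illustration choice): 2xxx experimental codes -> DIAMETER_SUCCESS,
    anything else -> DIAMETER_UNABLE_TO_COMPLY. Answers with Result-Code are unchanged."""
    result = answer_result(avp_payload)
    if result is None or result["source"] == "Result-Code":
        return avp_payload
    mapped = DIAMETER_SUCCESS if 2000 <= result["code"] < 3000 else DIAMETER_UNABLE_TO_COMPLY
    return avp_payload + encode_avp(RESULT_CODE, unsigned32(mapped))

def sample_experimental_answer():
    """Constructed answer payload: Experimental-Result with vendor 10415 and a
    made-up 5xxx experimental code, and no Result-Code AVP."""
    grouped = (encode_avp(VENDOR_ID, unsigned32(10415))
               + encode_avp(EXPERIMENTAL_RESULT_CODE, unsigned32(5001)))
    return encode_avp(EXPERIMENTAL_RESULT, grouped)

if __name__ == "__main__":
    answer = sample_experimental_answer()
    print(answer_result(answer))                       # Experimental-Result, vendor 10415, code 5001
    print(answer_result(ensure_result_code(answer)))   # Result-Code 5012
```

The mapping in ensure_result_code is the part to think about before copying the idea into a real iRule: a proxy that synthesises Result-Code must not turn a vendor-specific failure into DIAMETER_SUCCESS, so map only codes whose class is known and leave the Experimental-Result AVP in place for the client.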
690890-2 : Running sod manually can cause issues/failover
Component: TMOS
Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.
Conditions:
Accidentally or intentionally executing the command 'sod'.
Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.
Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.
690778-2 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
Solution Article: K53531153
Component: Local Traffic Manager
Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.
Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.
Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.
Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.
690699-1 : Fragmented SSL handshake messages cause Proxy SSL handshake to fail
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system uses Proxy-SSL mode, and the virtual server receives a fragmented SSL handshake message, SSL handshake might fail.
Conditions:
1. BIG-IP (VIP) uses Proxy-SSL mode.
2. The BIG-IP system receives a fragmented SSL handshake message (this is especially common when the certificate message is larger than 16 KB, which requires it to be fragmented).
Impact:
If the system receives a fragmented SSL handshake message, the SSL handshake is rejected.
Workaround:
The only workaround is to trim down the list of acceptable client CAs advertised in the CertificateRequest message (specifically, use client certificate chains that are smaller than 16 KB).
690166-2 : ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains
Component: Global Traffic Manager (DNS)
Symptoms:
Creating an SRV wide IP results in stub zone creation even when matching zones already exist.
Conditions:
Creating an SRV wide IP with three more layers than the existing zone.
Impact:
Unnecessary stub zones are created.
690116-2 : websso might crash when logging set to debug
Component: Access Policy Manager
Symptoms:
If the authentication type is HTTP headers and the log level is set to debug, an incorrect parameter gets printed, and if it happens to be NULL the websso daemon crashes.
Conditions:
-- Authentication type is HTTP headers.
-- Log level is debug for websso (the single-sign-on (SSO) functionality for Web access through the BIG-IP APM system).
Impact:
websso might crash.
Workaround:
Set log level to Informational.
Note: The data logged specifically for debug level is targeted toward developers, and is rarely useful in a production environment.
690091 : mod_timer list corruption followed by BUG_ON() in timer-based function, cascade()
Component: TMOS
Symptoms:
The kernel detects an inconsistency in timer data structures and panics, with a silent reboot shortly afterward.
Conditions:
No specific conditions are required to encounter this issue. This is a timing-related race condition.
Impact:
Silent reboot. On a VIPRION platform, loss of the cluster management IP address.
Workaround:
None.
690042-2 : Potential Tcl leak during iRule suspend operation
Solution Article: K43412307
Component: Local Traffic Manager
Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.
Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.
Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.
Workaround:
None.
689982-2 : FTP Protocol Security breaks FTP connection
Component: Application Security Manager
Symptoms:
FTP Protocol Security breaks FTP connection.
Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.
Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.
Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.
1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.
689577-2 : ospf6d may crash when processing specific LSAs
Solution Article: K45800333
Component: TMOS
Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.
Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.
Impact:
OSPFv3 routing is interrupted while the daemon restarts and the protocol re-converges.
Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.
689567-2 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
Component: TMOS
Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.
Conditions:
You have an iSeries platform with no AAM license.
Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.
Workaround:
No workaround at this time.
689491 : cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
Component: TMOS
Symptoms:
CPU usage stats are incorrect, and the system looks idle when it is actually busy.
Conditions:
vCMP guests with 1 core, or with htsplit disabled.
Impact:
CPU stats are incorrect, which might make it difficult to troubleshoot problems.
689449-2 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
Component: Local Traffic Manager
Symptoms:
In some circumstances the system may experience unconstrained TMM memory growth when a virtual server is configured with spdy/http2 and an http profile with fallback-host.
Conditions:
- VIP configured with spdy/http2 and http with fallback-host.
Impact:
TMM may eventually enter aggressive sweeper mode, in which this memory is released. In the process it is possible that some legitimate connections will be killed.
Workaround:
No workaround at this time.
689375-2 : Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
Component: TMOS
Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.
Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.
Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.
Workaround:
Modify the same setting with the tmsh modify client-ssl/server-ssl profile command, as follows:
tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled
tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled
689361-2 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
Component: Local Traffic Manager
Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.
Conditions:
Two pool members are monitored; one of them references a node that does not respond to ICMP requests; a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device to which the node does respond to ICMP requests.
Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.
Workaround:
Ensure that the network configuration is such that a monitored node responds to ICMP requests from both (or neither) of the paired devices. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.
689343-1 : Diameter persistence entries with bi-directional flag created with 10 sec timeout
Component: Service Provider
Symptoms:
Diameter persistence entries have a timeout value of less than 10 seconds, although the configured persistence timeout is 120 seconds.
Conditions:
When a Diameter custom persistence iRule with the bi-directional flag ("DIAMETER::persist key 1") is used.
Impact:
The persist timeout is less than 10 seconds, so subsequent requests are dispatched to another pool member.
Workaround:
Do not use a bi-directional persistence iRule. Use the AVP persistence type with session-id as the persist key.
689211-1 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
Component: TMOS
Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support, then IKEv1 does not work after the version is changed back to { v1 }. Note: This is not a recommended action.
Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.
Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.
Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.
Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
bigstart restart
689089-2 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
Component: Local Traffic Manager
Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.
Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:
"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"
Where "N" is the number of physical slots in the chassis (2, 4, or 8).
Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.
Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.
689002-2 : Stack overflow when JSON is deeply nested
Component: TMOS
Symptoms:
When the JSON payload returned from iControl REST is very large and deeply nested, destroying the JSON object could trigger a stack overflow due to deep recursion. This crashes icrd_child.
Conditions:
Deeply nested JSON returned from iControl-REST.
Impact:
icrd_child process coredumps.
Workaround:
None.
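The failure mode in this entry (recursion that grows with the nesting depth of attacker-controlled JSON) and the usual defensive response (bound the depth before handing the document to a recursive routine) are illustrated below. This is an added, stand-alone example and not BIG-IP or icrd_child code; the 100,000-level payload and the 64-level policy limit are constructed for the demonstration.

```python
import json

# Constructed sample inputs (not captured from any system).
DEEP_NESTING = 100_000
DEEP_PAYLOAD = "[" * DEEP_NESTING + "]" * DEEP_NESTING   # legal JSON, hostile depth
SHALLOW_PAYLOAD = '{"items": [[1, 2], {"a": [3]}]}'

MAX_DEPTH = 64  # assumed policy limit for this example; tune to real payloads


def naive_parse_fails(text):
    """Parse with the standard recursive decoder and report whether it blew the
    recursion limit. Python raises RecursionError instead of crashing; a C
    program doing the same recursion would overflow its stack, as in this bug."""
    try:
        json.loads(text)
        return False
    except RecursionError:
        return True


def scan_depth(text, limit):
    """Iterative pre-parse scan: track bracket depth, ignoring brackets inside
    string literals. Returns the maximum depth, or None as soon as the depth
    exceeds `limit`, so hostile input is rejected before any recursion happens."""
    depth = 0
    max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                return None
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def safe_loads(text, limit=MAX_DEPTH):
    """Reject over-nested documents up front, then parse normally."""
    if scan_depth(text, limit) is None:
        raise ValueError("JSON nesting exceeds limit of %d" % limit)
    return json.loads(text)


if __name__ == "__main__":
    print("naive decoder hit recursion limit:", naive_parse_fails(DEEP_PAYLOAD))
    print("shallow payload depth:", scan_depth(SHALLOW_PAYLOAD, MAX_DEPTH))
    try:
        safe_loads(DEEP_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The scan is linear in the input size and uses constant stack, so it is safe to run on untrusted input of any size; the same bound should also apply to the teardown path, since freeing a nested structure recursively is what triggered the crash described in this entry.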
688942-4 : ICAP: Chunk parser performs poorly with very large chunk
Solution Article: K82601533
Component: Service Provider
Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.
Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).
Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.
Workaround:
If possible, configure the ICAP server to chunk the response payload into multiple normal-sized chunks (up to a few tens of KB).
688841 : Configuration validation does not catch enabling DoS Application Security Behavioral DoS from Local Traffic Policy rule
Component: Advanced Firewall Manager
Symptoms:
You can create a DoS profile that enables Application Security Behavioral Detection and Mitigation and invoke that DoS profile from a Local Traffic Policy rule via the Enable L7DoS Action. However, the Application Security Behavioral Detection and Mitigation setting will be ignored. Only the default DoS profile attached directly to the Virtual Server can successfully enable Application Security Behavioral Detection and Mitigation.
Conditions:
-- DoS policy that enables Application Security Behavioral Detection and Mitigation.
-- Local Traffic policy rule that invokes that DoS policy.
Impact:
The system silently ignores attempts to enable DoS Application Security Behavioral Detection and Mitigation.
Workaround:
Enable DoS Application Security Behavioral Detection and Mitigation in a DoS profile attached directly to the Virtual Server.
Note: Although you can invoke any number of other DoS profiles via Local Traffic policy rules, they cannot successfully enable DoS Application Security Behavioral Detection and Mitigation.
688833-4 : Inconsistent XFF field in ASM log depending on violation category
Component: Application Security Manager
Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.
Conditions:
Viewing the XFF results in ASM log.
Impact:
This might cause problems with the syslog filters configured on the remote loggers.
Workaround:
Configure the client's rules to match both 'xff ip' and 'xff_ip'.
688813 : Some ASM tables can massively grow in size.
Solution Article: K23345645
Component: Application Visibility and Reporting
Symptoms:
/var/lib/mysql mount point gets full.
Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).
Impact:
While other dimensions are collapsed correctly, the Device ID field is not collapsed, causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.
Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.
688744-2 : LTM Policy does not correctly handle multiple datagroups
Solution Article: K11793920
Component: Local Traffic Manager
Symptoms:
A policy is in use whose conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.
Conditions:
LTM Policy where the conditions reference two or more datagroups.
Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.
Workaround:
The only mitigation is to refactor the policy so that it does not use more than one datagroup-based condition.
688629-2 : Deleting data-group in use by iRule does not trigger validation error
Component: Local Traffic Manager
Symptoms:
iRule aborts due to failed commands, causing connflow aborts.
Conditions:
-- Delete a data group.
-- An iRule on a virtual server uses that data-group.
Impact:
An in-use data-group can be deleted without error. The iRule aborts, leading to connflow aborts.
Workaround:
Don't delete data-groups in use by an iRule.
688571-1 : Untrusted cert might be accepted by the server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
Component: Local Traffic Manager
Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop', and the system receives a certificate from the backend server that is not trusted by the BIG-IP system, the expected behavior is that the system ends the connection.
However, the current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with the backend server.
Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.
-- 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
-- The corresponding server-ssl is configured at the virtual server.
Impact:
The virtual server might communicate with a backend server that sends an untrusted certificate to the BIG-IP system. The untrusted cert can still be accepted by the virtual server's server-ssl profile even though 'untrusted-cert-response-control drop' is configured in it.
Workaround:
None.
688570-4 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
Component: Local Traffic Manager
Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.
Conditions:
An MPTCP connection is closed.
Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.
Workaround:
There is no workaround at this time.
688557-2 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
Component: Local Traffic Manager
Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.
Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.
Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.
Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
688553-2 : SASP GWM monitor may not mark member UP as expected
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
688406-2 : HA-Group Score showing 0
Solution Article: K14513346
Component: TMOS
Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.
Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.
Impact:
The total score is not calculated. An incorrect score value is displayed.
Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.
688335-4 : big3d may restart in a loop on secondary blades of a chassis system
Solution Article: K00502202
Component: Global Traffic Manager (DNS)
Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; big3d continues to run stably there.
Conditions:
The following conditions are required to encounter this issue:
-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.
Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.
However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.
Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d
To prevent this issue from happening, you can run big3d_install with the SSH installation method by using the following command:
big3d_install -use_ssh <target IP>
688266-4 : big3d and big3d_install use different logic to determine which version of big3d is newer
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.
This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.
Conditions:
A user runs the big3d_install utility.
Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.
If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.
Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.
If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.
688177 : Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade
Component: Device Management
Symptoms:
Following a BIG-IP software upgrade (for example, from version 11.5.4 to version 11.6.1), local users with Administrator role may be changed to Guest role.
Conditions:
The BIG-IP configuration includes one or more local accounts with Administrator role (other than the 'admin' user).
Please note that this issue does not occur on every upgrade, but has roughly a 10% probability of occurring.
Impact:
Administrator users other than 'admin' have no access after the upgrade.
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.
Workaround:
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.
688148-2 : IKEv1 racoon daemon SEGV during phase-two SA list iteration
Component: TMOS
Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.
Conditions:
Deleting phase-two SAs, either manually or in response to notifications.
Impact:
IKEv1 tunnel outage until the racoon daemon restarts.
Workaround:
None.
688046-1 : Change condition and expression for Protocol Lookup agent expression builder
Component: Access Policy Manager
Symptoms:
Protocol lookup agent shows the incorrect condition and expression in the expression builder when included in the per-request policy.
Conditions:
This occurs when the protocol lookup agent is used in the expression builder for branching.
Impact:
Cannot follow successful branch in per-request policy.
Workaround:
To work around this issue:
1. Include Protocol lookup agent in the expression builder.
2. Click the 'change' link right next to the existing expression.
3. Go to the Advanced tab and change the expression to one of the following (depending on whether you are using HTTPS or HTTP):
-- expr { [mcget {perflow.protocol_lookup.result}] == "https" }
-- expr { [mcget {perflow.protocol_lookup.result}] == "http" }
4. Click Finished.
687937-2 : RDP URIs generated by APM Webtop are not properly encoded
Component: Access Policy Manager
Symptoms:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are not properly encoded. As a result, the RDP client might misinterpret the URI when an RDP parameter contains the ampersand (&) symbol.
Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.
One of the RDP parameters contains a symbol that should be URI-encoded, e.g., '&'.
Impact:
The RDP client misinterprets the URI, which may result in a failure to open the RDP resource.
Workaround:
None.
687807-2 : The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception
Component: Local Traffic Manager
Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the web GUI gets an exception on the page System ›› Device Certificates : Device Certificate ›› Device Certificate.
A message, "An error has occurred while trying to process your request." appears.
Conditions:
The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/
Impact:
The web GUI gets an exception on the page System ›› Device Certificates : Device Certificate ›› Device Certificate.
A message, "An error has occurred while trying to process your request." appears.
Workaround:
Rename the CSR file suffix from ".crt.csr" to ".csr".
687659 : A SAML IdP connector causes a sync failure when created
Component: TMOS
Symptoms:
A SAML IdP connector causes a sync failure when created.
Conditions:
SAML IdP connector contains an embedded certificate.
Impact:
Sync fails.
Workaround:
Force a full load sync immediately after creating the connector.
687617-2 : DHCP request-options when set to "none" are reset to defaults when loading the config.
Component: TMOS
Symptoms:
A config load resets the request-option setting in "tmsh sys management-dhcp" to its default value when it is set to "none" in the configuration.
Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".
Impact:
User configuration is reverted as a side-effect of config load.
Workaround:
The request-option setting specifies the minimal set of configuration that the DHCP server must provide as part of the lease. Setting it to "none" defeats the purpose of DHCP. It is better to set it to a minimal value such as "routers, subnet-mask" in order to retain management connectivity.
687534-2 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
Component: TMOS
Symptoms:
- Create a pool with a name containing two dots (that is, the string '..').
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- A No Access error prevents you from adding a member to the pool.
Conditions:
This issue occurs when a pool name contains the string '..'.
Impact:
Cannot add a Member to the pool using the GUI.
Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
tmsh modify ltm pool <pool name> members add { <member info> }
687368-2 : The Configuration utility may calculate and display an incorrect HA Group Score
Solution Article: K64414880
Component: TMOS
Symptoms:
The Configuration utility may calculate and display a high availability (HA) Group Score of 0, while in reality the correct HA Group Score is greater than 0.
Conditions:
This issue occurs when a particular HA Group object (for example, a Pool) has no available members, and the 'Minimum Member Count' option is not used (this is the default).
Impact:
This issue is cosmetic, as it is limited to what the Configuration utility calculates and displays to the user. Internally, the system uses the correct HA Group Score to determine the role of the unit. However, it is possible for a BIG-IP Administrator to be misled by this issue and take a wrong or unnecessary corrective action because of it.
Workaround:
You can use the TMSH utility from the command line to display the correct HA Group Score.
687343-2 : Running 'load sys config merge verify' will add new users to the PostGres database
Component: TMOS
Symptoms:
Running 'load sys config merge verify' will add new users to the PostGres database. The system posts an error similar to the following:
010719a2:3: PostgreSQL database error: ERROR: duplicate key value violates unique constraint "auth_user_pkey"
DETAIL: Key (name)=(admin1) already exists.
Conditions:
Issue occurs only under the following conditions:
-- 'load config merge verify' of configurations including user definition.
-- Attempt to create user with same name using 'load config merge', 'create user', or GUI options.
Impact:
It is not possible to use the verify argument when using 'load sys config merge' with configurations containing user definitions.
The 'verify' argument to 'load sys config' does not prevent or roll back side effects.
Workaround:
Manually remove the user data from the PostgreSQL database; from a bash prompt (each SQL statement must end with a semicolon for psql to execute it; 'admin1' is the affected user name from the error message):
psql -U postgres
\c tmdb
DELETE FROM auth_user WHERE name='admin1';
DROP OWNED BY admin1;
DROP ROLE admin1;
DROP SCHEMA admin1 CASCADE;
\q
687213-2 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
Component: Access Policy Manager
Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry establishing the VPN tunnel.
Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.
Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.
Workaround:
None.
687205-1 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
Component: Local Traffic Manager
Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.
Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.
Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.
Workaround:
None.
687128-2 : gtm::host iRule validation for ipv4 and ipv6 addresses
Component: Global Traffic Manager (DNS)
Symptoms:
The gtm::host iRule does not validate that the given host matches the type of the wide IP it is attached to.
Conditions:
An AAAA-type wide IP with an IPv4 gtm::host iRule, or an A-type wide IP with an IPv6 gtm::host iRule.
Impact:
Incorrect host information is returned.
Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.
687044-1 : tcp-half-open monitors might mark a node up in error
Component: Local Traffic Manager
Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.
Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.
Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.
Workaround:
You can use any of the following workarounds:
-- Configure bigd to run in single process mode by running the following command:
tmsh modify sys db bigd.numprocs value 1
-- Use a tcp monitor in place of the tcp-half-open monitor.
-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.
686972-3 : The change of APM log settings will reset the SSL session cache.
Component: Local Traffic Manager
Symptoms:
If you change the configuration of APM log settings, the SSL session cache might be reset. Subsequent resumption of SSL sessions may then fail after such a change, so full SSL handshakes occur more frequently.
Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.
Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.
Workaround:
Follow this procedure:
1. Change the access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply the access policy.
686926-1 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly
Component: TMOS
Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.
Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.
Impact:
The SA negotiation fails when a responder includes N(cookie) in an SA_INIT response, because the second response appears to have an out-of-order message ID: the BIG-IP system believes the first message_id of zero was already handled earlier.
Workaround:
None.
686816-2 : Link from iApps Components page to Policy Rules invalid
Component: TMOS
Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.
Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.
Impact:
Cannot navigate to the policy rule directly from the Components page.
Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.
686718-2 : VPN tunnel adapter stays up in some cases
Component: Access Policy Manager
Symptoms:
In some cases, the VPN tunnel adapter created by the VPN client stays up even when the tunnel is disconnected.
Conditions:
Application launch on VPN establishment is configured on APM, and the launched application is not closed.
Impact:
Cosmetic. No functional impact. A subsequent launch of the VPN will create a new tunnel adapter.
Workaround:
Close the launched application.
686563-2 : WMI monitor on invalid node never transitions to DOWN
Component: Local Traffic Manager
Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes time out or monitor responses indicate an error. However, a WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).
Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.
Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.
Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.
686547-2 : WMI monitor sends logging data for credentials when no credentials specified
Component: Local Traffic Manager
Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.
Conditions:
A WMI monitor is configured without including the required username/password credentials.
Impact:
The monitored object will be marked 'down'.
Workaround:
Configure the WMI monitor to include the username/password credentials.
686517-1 : Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
Component: Application Security Manager
Symptoms:
Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
Conditions:
-- ASM provisioned.
-- Having a parent policy that has no active children.
Impact:
On a chassis failover, the new Primary slot will have an outdated version of the parent policy.
Workaround:
None.
686470-2 : Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load.
Component: Application Security Manager
Symptoms:
AJAX requests are not sent, JavaScript errors, AJAX-based web-app malfunctions.
Conditions:
1a. Single page application enabled either via a DoS application profile or in an ASM policy.
1b. AJAX Response Page enabled via ASM policy.
2. Web application client-side code uses jQuery or any other AJAX client-side framework.
Impact:
AJAX requests might not be sent, and the overall website's client-side functionality related to the AJAX requests might not work as expected.
Workaround:
Disable Single Page Application support.
686307-2 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
Component: Local Traffic Manager
Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.
Note: Without LTM policies in the configuration, monitors upgrade without problem.
Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.
Impact:
Monitors may not work after upgrade.
Workaround:
No workaround at this time.
686228-2 : TMM may crash in some circumstances with VLAN failsafe
Component: Local Traffic Manager
Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic-generating mechanisms.
Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.
Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.
Workaround:
Relax the timer to the default VLAN failsafe timer setting.
686124-2 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
Component: TMOS
Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.
Conditions:
Events causing deletion of phase one IKE SAs.
Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.
Workaround:
None.
686111-2 : Searching and Resetting Audit Logs not working as expected
Solution Article: K89363245
Component: TMOS
Symptoms:
Clicking the Search and Reset buttons on Audit Logs might post the following error message: An error has occurred while trying to process your request.
Conditions:
Clicking the 'Search' or 'Reset' button on Audit Logs.
Impact:
Cannot search Audit Logs.
Workaround:
Use tmsh or bash.
686101-2 : Creating a pool with a new node always assigns the partition of the pool to that node.
Solution Article: K73346501
Component: Local Traffic Manager
Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }
Conditions:
Creating a node while creating a pool in a partition different from the node.
Impact:
The node is displayed in the wrong partition.
Workaround:
Create a node separately and then add it to the pool.
686029-3 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
Solution Article: K00026204
Component: TMOS
Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.
Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.
Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.
Workaround:
None.
685820-2 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
Component: Advanced Firewall Manager
Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.
In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM was also licensed/provisioned, existing active connections were always silently dropped after HA-failover.
Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.
Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.
Workaround:
None.
685787 : SMTP Profile: "Use Authentication" cannot be disabled using the GUI
Component: Application Visibility and Reporting
Symptoms:
Once the "Use Authentication" option has been enabled in an SMTP profile, disabling this option using the GUI does not successfully disable this setting.
Conditions:
N/A
Impact:
N/A
Workaround:
Disable the "Use Authentication" option using tmsh by running the following command:
modify sys smtp-server <profile-name> authentication-disabled
685743-4 : When the internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported
Component: Application Security Manager
Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.
Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.
Impact:
Requests might be blocked, and no reason is reported.
Workaround:
Reset internal 'request_buffer_size' to default.
685708-2 : Routing via iRule to a host without providing a transport from a transport-config created connection cores
Component: Service Provider
Symptoms:
Using the MR::message route command without specifying a transport to use (virtual or config) causes tmm to core if the connection receiving the request was created using a transport-config.
Conditions:
-- The connection receiving the request was created using a transport-config.
-- An MR::message route command is issued without specifying a transport to use (virtual or config).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.
685615-3 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Solution Article: K24447043
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
685582-6 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
685519-2 : Mirrored connections ignore the handshake timeout
Component: Local Traffic Manager
Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.
Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.
Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.
Workaround:
None.
685475-2 : Unexpected error when applying hotfix
Solution Article: K93145012
Component: TMOS
Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIGIP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.
Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.
For example, to apply 'Hotfix-BIGIP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image, 'BIGIP-11.6.1.0.0.317.iso'.
Impact:
Cannot apply hotfix until the full base image is present.
Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation process again.
685458-6 : merged fails merging a table when a table row has incomplete keys defined.
Component: TMOS
Symptoms:
There is a timing issue in merged where it fails to process a table row with incomplete keys defined.
Conditions:
There are no specific conditions required beyond merged running, which is true on every BIG-IP system, and the BIG-IP system processing a table row with incomplete keys defined.
Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.
Impact:
There is a gap of a few seconds in available statistics while the core file is being created and merged restarts.
Workaround:
None.
685164-2 : In partitions with default route domain != 0 request log is not showing requests
Solution Article: K34646484
Component: Application Security Manager
Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.
Conditions:
Select a partition whose default route domain is not 0 (zero).
Impact:
No requests in request log.
Workaround:
As a partial workaround, you can use [All], but it's read only.
685110-2 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
Solution Article: K05430133
Component: Local Traffic Manager
Symptoms:
1. FQDN nodes/pools fail to populate with members.
2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:
err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.
Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.
Impact:
Unable to use FQDN nodes/pool members with a non-LTM license.
Workaround:
None.
684649 : Inconsistent DAGv2 state between B4400 blades after upgrade★
Component: TMOS
Symptoms:
B4400 blades in the VIPRION chassis might encounter inconsistent DAGv2 state after upgrading from v12.1.x to v13.0.0 or v13.1.0. You might see messages similar to the following continuously logged in /var/log/tmm on the Standby unit:
notice CDP: Selected DAG state from primary PG 0 for CMP state 03 with clock 6765
Conditions:
Upgrading VIPRION B4400 blades from v12.1.x to v13.0.0 or v13.1.0.
Impact:
There is no traffic impact on the Active BIG-IP system, but the issue causes the Standby BIG-IP system to constantly update its DAGv2 table.
Workaround:
Reboot one of the B4400 blades in the Active BIG-IP system.
684399-3 : Connectivity profiles UI shows (Not Licensed) when LTM base is present
Component: Access Policy Manager
Symptoms:
In APM, the connectivity profile UI shows (Not Licensed) when an LTM base license is present.
Conditions:
LTM and APM are provisioned.
Impact:
UI shows FEC profile as not licensed. But user can still choose FEC profile.
Workaround:
Ignore the not licensed warning.
684391-2 : Existing IPsec tunnels reload. tmipsecd creates a core file.
Component: TMOS
Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.
Conditions:
Although the issue has not been reliably reproduced, the one observed instance occurred under the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.
Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.
Workaround:
None.
684369-1 : AFM ACL Rule Policy applied on Standby device
Solution Article: K35423171
Component: Advanced Firewall Manager
Symptoms:
In an Active/Standby setup, with a Virtual Server configured to Mirror Connection State, the Standby device is aware of the state of connections. Apart from maintaining the state of connections, the Standby device need not apply ACL policy to the mirrored connections.
But in a specific case where an ACL Policy happens to have a Rule with Schedules attached, the Standby applies policy on mirrored connections, which also generates ACL rule hit logs.
Conditions:
1) Active/Standby device setup.
2) Virtual Server with Connection Mirroring enabled.
3) ACL Policy with a Rule having a Schedule attached, and during periods of transition when a Schedule may cause a Rule to be enforced or expired.
Impact:
Does not impact handling of traffic.
Generation of ACL Rule hit logs from Standby is unexpected, and is not desirable.
Workaround:
Objective:
- Disable the sweeper applying ACL policy on the Standby device.
- The sys DB tunable must be disabled only on the Standby device. Because sys db settings are auto-synced to the Active device as well, you must use the following procedure.
Steps to Apply Sys DB setting only on Standby device:
1. Turn off auto-sync for the device-group.
2. Apply settings just before Rule Schedule expiry on Standby device.
3. Wait until the Rule Schedule change takes effect.
4. Revert the settings to normal, and enable auto-sync again.
TMSH Command Sequence:
root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
# list sys db tm.sweeper.flow.acl value
sys db tm.sweeper.flow.acl {
value "enable" <<<< Set this to 'disable'
}
root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
# modify cm device-group <device-group-for-failover> auto-sync disabled
root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
# modify sys db tm.sweeper.flow.acl value disable
root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
# list sys db tm.sweeper.flow.acl value
sys db tm.sweeper.flow.acl {
value "disable"
}
On Active, it's still 'enable':
root@(BIG-IP-secondary)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
# list sys db tm.sweeper.flow.acl value
sys db tm.sweeper.flow.acl {
value "enable"
}
Enable auto-sync again:
root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
# modify cm device-group <device-group-for-failover> auto-sync enabled
You might have to issue the following run command if the device is reported as 'requiring sync'.
root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
# run cm config-sync to-group <device-group-for-failover>
684218-2 : vADC 'live-install' Downgrade from v13.1.0 is not possible
Component: TMOS
Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.
Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:
image2disk --format=volumes --nosaveconfig 11.5.4
Impact:
The request is not allowed. No changes are made.
Workaround:
Deploy a new 11.5.4 software image via the hypervisor environment.
683767-2 : Users are not able to complete the sync using GUI
Component: TMOS
Symptoms:
A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1)
The above is expected as unit B is unable to validate the config for unit A. Incremental sync adds and removes configuration on unit A, hence the error.
Conditions:
1. Units A and B are in HA with manual incremental sync; unit B is active.
2. On unit B, add a pool with a member whose IP address matches the self IP of unit A, then delete it:
3. create ltm pool p1 members add { 1.1.2.1:80 }
4. delete ltm pool p1
5. Try config-sync (using the GUI). You will end up with a Sync Failed message:
A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1)
Impact:
Users are not able to complete the sync using GUI
Workaround:
Use tmsh to force a full sync.
683706-2 : Pool member status remains 'checking' when manually forced down at creation
Component: Local Traffic Manager
Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.
Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.
Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http
Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.
Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.
683697-2 : SASP monitor may use the same UID for multiple HA device group members
Solution Article: K00647240
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.
The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.
Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.
It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).
Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.
Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration, https://support.f5.com/csp/article/K13030) allows recovery from this condition.
It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.
683508-2 : WebSockets: umu memory leak of binary frames when remote logger is configured
Component: Application Security Manager
Symptoms:
ASM out of memory error messages in /var/log/asm.
Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.
Impact:
ASM out of memory, memory leak.
Workaround:
Remove ASM remote logging profile from a virtual server.
683241-2 : Improve CSRF token handling
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
683177-1 : Can't drilldown or filter by 'Client Countries'
Component: Application Visibility and Reporting
Symptoms:
When drilling down or filtering by 'Client Countries' (Security :: Reporting : Application : Charts) there is an error in the GUI.
Conditions:
-- ASM is provisioned.
-- Attempt to drill down or filter by 'Client Countries'.
Impact:
Internal Error is displayed in the GUI.
Workaround:
1. Edit file: /etc/avr/monpd/monp_asm_entities.cfg.
2. Delete line 171: (dim_authz_filter=vip_crc).
3. Issue the command: bigstart restart monpd.
683131-2 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★
Component: TMOS
Symptoms:
BIG-IP software installations will fail and report a status of:
waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)
Conditions:
- Perform software installation in a vCMP guest when the guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- The hypervisor has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645).
- The guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645).
Impact:
Software installation fails, and will not complete/continue.
Workaround:
Delete the base software image from either the hypervisor's or the guest's file system.
683061-3 : Rapid creation/update/deletion of the same external datagroup may cause core
Component: Local Traffic Manager
Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.
Conditions:
Using an external datagroup, rapidly creating, updating, and then deleting it.
Impact:
TMM fails.
Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.
683029-5 : Sync of virtual address and self IP traffic groups only happens in one direction
Component: TMOS
Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.
Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)
Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.
Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.
682751-6 : Kerberos keytab file content may be visible.
Component: Access Policy Manager
Symptoms:
Kerberos keytab file content may be visible.
Conditions:
Import a Kerberos keytab file.
From the command line, check the file permissions. It is readable.
Impact:
The keytab is similar to a private key file and should not be readable.
Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.
682682-2 : tmm asserts on a virtual server-to-virtual server connection
Component: Local Traffic Manager
Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.
Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.
Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.
682671-2 : The username is updated in the alert dashboard even if login validation fails.
Component: Fraud Protection Services
Symptoms:
The username is updated in the alert dashboard even if login validation fails.
Conditions:
This occurs when the following conditions are met:
-- 'trigger iRule' is enabled on the FPS profile.
-- ANTIFRAUD::username <user> command is used in the ANTIFRAUD_LOGIN Tcl event.
-- 'login validation' is enabled on the FPS profile.
Impact:
The new username will be updated in previous alerts in the alert dashboard.
Workaround:
Use the ANTIFRAUD::username <user> command only if ANTIFRAUD::result is SUCCESS.
Note: Reports to the risk engine will not contain the new username.
682335-2 : TMM can establish multiple connections to the same gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.
Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
682213-2 : TLS v1.2 support in IP reputation daemon
Solution Article: K31623549
Component: TMOS
Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.
Conditions:
This occurs when using IP reputation.
Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.
Workaround:
None.
682104-2 : HTTP PSM leaks memory when looking up evasion descriptions
Component: Local Traffic Manager
Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.
Conditions:
When PSM looks up evasion descriptions.
Impact:
Memory is leaked on each lookup and might eventually exhaust TMM memory.
Workaround:
None.
681782-5 : Unicast IP address can be configured in a failover multicast configuration
Solution Article: K30665653
Component: TMOS
Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.
Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.
Impact:
Failover multicast configuration does not work.
Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.
681757-2 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
Solution Article: K32521651
Component: Local Traffic Manager
Symptoms:
When this issue occurs, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.
The system records an error message similar to the following in the ltm log file:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.
Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.
Impact:
Configuration fails to load on upgrade.
Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.
681673-3 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
Component: Local Traffic Manager
Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC address.
Conditions:
This occurs when an FDB record is added with the following tmsh command and the mac-address is a multicast address:
fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.
Impact:
There is not enough information to map the outgoing MAC address to a multicast group, so a default entry with no ports mapped is added. As a result, the frame does not go out the interface indicated in the tmsh command, and no warning is provided.
Workaround:
None.
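The following shell script is added here as an example; it is not part of the BIG-IP release or F5's own tooling. It checks the address class before the commands from 681782-5 and 681673-3 are issued, since the system itself accepts a unicast failover multicast address and a multicast FDB MAC without complaint. The VLAN, interface, device name and addresses are constructed for the example, and the cm device attribute names (multicast-interface, multicast-ip, multicast-port) are assumed to match tmsh; verify them with 'tmsh help cm device' before use.

```shell
#!/bin/sh
# Added example, not F5 code: refuse the two invalid inputs that the BIG-IP
# accepts silently (681782-5: unicast IP as failover multicast address;
# 681673-3: multicast MAC in an FDB record) before handing them to tmsh.
# Nothing here talks to tmsh; the functions print the command to run.

# 0 if the MAC is multicast (I/G bit, the low bit of the first octet, set),
# 1 if unicast, 2 if the argument is not a colon-separated 48-bit MAC.
is_multicast_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        ??:??:??:??:??:??) ;;
        *) return 2 ;;
    esac
    case "$mac" in
        *[!0-9a-f:]*) return 2 ;;
    esac
    first=${mac%%:*}
    [ ${#first} -eq 2 ] || return 2
    [ $(( 0x$first & 1 )) -eq 1 ]
}

# 0 if the dotted quad is multicast (224.0.0.0/4), 1 if not, 2 if malformed.
is_multicast_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 2
    for o in "$@"; do
        case "$o" in
            ''|????*) return 2 ;;
        esac
        [ "$o" -le 255 ] || return 2
    done
    [ "$1" -ge 224 ] && [ "$1" -le 239 ]
}

# fdb_add_cmd <vlan> <mac> <slot/port>: print the tmsh command for a unicast MAC only.
fdb_add_cmd() {
    is_multicast_mac "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "refusing: $2 is a multicast MAC; the FDB record would map no ports" >&2; return 1 ;;
        2) echo "refusing: $2 is not a MAC address" >&2; return 2 ;;
    esac
    echo "tmsh modify net fdb vlan $1 records add { $2 { interface $3 } }"
}

# failover_multicast_cmd <device> <group-ip> <interface> <port>: multicast groups only.
failover_multicast_cmd() {
    is_multicast_ipv4 "$2" && rc=0 || rc=$?
    case $rc in
        1) echo "refusing: $2 is unicast; failover multicast needs an address in 224.0.0.0/4" >&2; return 1 ;;
        2) echo "refusing: $2 is not an IPv4 address" >&2; return 2 ;;
    esac
    echo "tmsh modify cm device $1 multicast-interface $3 multicast-ip $2 multicast-port $4"
}

# Constructed sample inputs; run with --demo to see one accepted and one refused call of each.
if [ "${1:-}" = "--demo" ]; then
    fdb_add_cmd external 00:50:56:aa:bb:cc 1/1.1
    fdb_add_cmd external 01:00:5e:00:00:fb 1/1.1 || true
    failover_multicast_cmd bigip1.example.test 224.0.0.245 eth0 62960
    failover_multicast_cmd bigip1.example.test 10.1.1.245 eth0 62960 || true
fi
```

The MAC test is the I/G bit rather than a prefix list, so it also catches broadcast and the IPv6 33:33 range; the IPv4 test is the first-octet range, which is all that distinguishes 224.0.0.0/4.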
681175-2 : TMM may crash during routing updates
Solution Article: K32153360
Component: Local Traffic Manager
Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.
Conditions:
-- Dynamic routing.
-- ECMP routes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.
681109-1 : BD crash in a specific scenario
Solution Article: K46212485
Component: Application Security Manager
Symptoms:
BD crash occurs.
Conditions:
A specific, non-default configuration with specific traffic.
The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.
For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
Content-Type :: *xml* :: form-data
This configuration is likely to result in a very long list of false-positive attack signatures. Because the resulting violation message is so large, the regular expression violation that is also likely to occur on the same payload cannot be appended to the already full message, which causes the crash.
Impact:
Failover, traffic disturbance.
Workaround:
To prevent this, configure the header-based-content-profile property on URLs correctly for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.
A correctly configured header-based-content-profile property on URLs appears as follows:
In URL Properties, the Header-Based Content Profiles section of the wildcard URL by default applies value and content signatures. Here, you can associate a Content-Type <type-value> with a <parser-type>. By default, the correct definitions are as follows:
Content-Type :: *form* :: Form Data
Content-Type :: *json* :: JSON
Content-Type :: *xml* :: XML
681081 : Running tmsh show commands may cause mcpd memory leak
Solution Article: K48366429
Component: TMOS
Symptoms:
mcpd memory utilization increases.
Conditions:
Periodically running tmsh show commands.
Impact:
mcpd leaks memory, which might ultimately cause mcpd to restart.
Workaround:
None.
680856-1 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
Component: TMOS
Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):
info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy
Conditions:
A new IPsec tunnel is configured over REST.
Impact:
The newly configured IPsec tunnel does not start.
Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.
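The second workaround above, done over iControl REST, as an added example that is not part of the release or of F5's tooling. It assumes that the REST collections /mgmt/tm/net/ipsec/ipsec-policy and /mgmt/tm/net/ipsec/traffic-selector mirror the tmsh 'net ipsec' objects and that partitioned names are written ~Partition~name in the URL; the host and object names are constructed.

```shell
#!/bin/sh
# Added example, not F5 code: the workaround for 680856-1 done over iControl
# REST. After creating the tunnel objects, PATCH the description of both the
# ipsec-policy and the traffic-selector so the system relates them again.
# Assumptions: /mgmt/tm/net/ipsec/ipsec-policy and
# /mgmt/tm/net/ipsec/traffic-selector mirror the tmsh 'net ipsec' objects,
# and partitioned names are written ~Partition~name in the URL.

BIGIP_USER=${BIGIP_USER:-admin}   # curl prompts for the password; do not embed it

# Full path to its REST form: /Common/x -> ~Common~x; a bare name is taken as /Common.
rest_name() {
    case "$1" in
        /*)  n=${1#/} ;;
        */*) n=$1 ;;
        *)   n="Common/$1" ;;
    esac
    printf '~%s' "$n" | sed 's#/#~#g'
}

# ipsec_rest_url <host> <collection> <name>
ipsec_rest_url() {
    printf 'https://%s/mgmt/tm/net/ipsec/%s/%s' "$1" "$2" "$(rest_name "$3")"
}

# touch_description <host> <collection> <name> <stamp>
# Replace -k with --cacert <device-ca.pem> outside a lab.
touch_description() {
    curl -sS -k -u "$BIGIP_USER" -H 'Content-Type: application/json' \
        -X PATCH "$(ipsec_rest_url "$1" "$2" "$3")" \
        -d "{\"description\":\"relinked $4\"}"
    echo
}

# relink_ipsec <host> <policy> <traffic-selector>: touching only one of the
# two leaves the selector without a policy, which is the failure described.
relink_ipsec() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    touch_description "$1" ipsec-policy "$2" "$stamp" &&
    touch_description "$1" traffic-selector "$3" "$stamp"
}

if [ $# -eq 3 ]; then
    relink_ipsec "$1" "$2" "$3"   # e.g. ./relink.sh 192.0.2.10 /Common/Peer_policy /Common/Peer_selector
fi
```

After the two PATCH calls, confirm in ipsec.log that the 'selector index ... does not have corresponding policy' message stops and that the tunnel negotiates.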
680850-3 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
Solution Article: K48342409
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.
Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug
Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.
Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.
680838-1 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
Component: TMOS
Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.
A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.
Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
680145-1 : HA mirroring for flows without autolasthop causes a crash on the standby
Solution Article: K82484604
Component: Local Traffic Manager
Symptoms:
There is a tmm crash on a standby unit in a high availability (HA) configuration when fastL4 mirroring is configured and autolasthop is disabled.
Conditions:
FastL4 mirroring for flows without a lasthop, i.e. disabled autolasthop on the virtual server.
Impact:
tmm restarts on a standby device. No traffic is disrupted while tmm restarts on a standby device.
Workaround:
Enable autolasthop.
680074-1 : TMM crashes when serverssl cannot provide certificate to backend server.
Component: Local Traffic Manager
Symptoms:
TMM halts and restarts when server SSL cannot provide a certificate to the backend server.
Conditions:
-- The backend server is configured to require a client certificate to complete the SSL Handshake.
-- The server SSL profile is not configured with a client certificate.
Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.
Workaround:
No workaround at this time.
680069-2 : zxfrd cores during a transfer when the network fails and the DNS server is removed from the DNS zone config
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd cores and restarts.
Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.
Impact:
zxfrd cores.
Workaround:
None.
679901 : iControl-REST timeout value is not configurable.
Component: TMOS
Symptoms:
Updating a large (75 KB or more records) data-group results in errors. This occurs because the communication between icrd_child and restjavad times out, and consequently the system raises errors. The timeout is set to approximately 60 seconds.
Conditions:
Using iControl REST to update a data-group that contains 75 KB or more records.
Impact:
The operation times out and there is no way to configure the iControl REST timeout value.
Workaround:
None.
679735-2 : Multidomain SSO infinite redirects from session ID parameters
Component: Access Policy Manager
Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.
In a packet capture, the policy will complete on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server will not be able to find the session, and will redirect back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.
Conditions:
Application with a URL parameter named 'sid', 'sess', or 'S' while using multidomain SSO.
Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.
Workaround:
None.
679687 : LTM Policy applied to large number of virtual servers causes mcpd restart
Component: Local Traffic Manager
Symptoms:
When a large policy (on the order of several dozen rules), is applied to a large number of virtual servers (on the order of hundreds), the mcpd process compiles the policy to an optimized, intermediate form for each virtual server. The compilation occurs in the mcpd process, and because it becomes so busy/non-responsive, a watchdog process intervenes and restarts the mcpd process.
Conditions:
-- Relatively large policy (~30 or more rules) applied to large number of virtual servers (~100 or more).
-- Creating a draft of the policy that is currently applied to those virtual servers, when a similarly attached policy is published.
Impact:
The mcpd process becomes unresponsive and is reset by a watchdog process.
Workaround:
Two possible workarounds:
-- Make copies of the policy and apply a different copy of policy to different subsets of virtual servers.
-- Implement the policy using iRules.
679603-1 : bd core upon request, when profile has sensitive element configured.
Solution Article: K15460886
Component: Application Security Manager
Symptoms:
bd crash, system goes offline.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- JSON profile configured with a sensitive element.
Impact:
System goes offline/fails over.
Workaround:
Remove sensitive elements from the json profile in the ASM policy.
679440-1 : MCPD Cores with SIGABRT
Solution Article: K14120433
Component: Advanced Firewall Manager
Symptoms:
MCPD cores with SIGABRT.
Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.
Impact:
MCPD core.
Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable
679431-2 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header
Component: TMOS
Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.
Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.
Impact:
The header is not shown.
Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief
679384-2 : The policy builder is not getting updates about the newly added signatures.
Solution Article: K85153939
Component: Application Security Manager
Symptoms:
The policy builder is not getting updates about the newly added signatures.
Conditions:
When ASU is installed or user-defined signatures are added/updated.
Impact:
No learning suggestions for some of the newly added signatures.
Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
killall -s SIGHUP pabnagd
-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).
679347-1 : ECP does not work for PFS in IKEv2 child SAs
Component: TMOS
Symptoms:
The original racoon2 code has no support for Diffie-Hellman generate or compute operations using elliptic curve groups for perfect forward secrecy (PFS).
Additionally, the original interfaces are synchronous, but the only ECP support available uses an asynchronous, callback-based API, so ECP cannot simply be added.
Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to an ECP group: ecp256, ecp384, or ecp521.
Note: The first child SA is negotiated successfully.
Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.
Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.
679316-4 : iQuery connections reset during SSL key renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
When iQuery data is sent during SSL key renegotiation.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Workaround:
None.
679221-3 : APMD may generate core file or appears locked up after APM configuration changed
Component: Access Policy Manager
Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.
Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.
Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.
Workaround:
None.
679149-5 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash or LB::server returns unexpected result.
Conditions:
The GTM iRule command LB::server is executed before a load-balancing decision is made, or the decision does not select a real pool member.
Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.
Workaround:
None.
679135-1 : IKEv1 and IKEv2 cannot share common local address in tunnels
Component: TMOS
Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.
Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.
Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.
Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.
Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.
Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.
679114-3 : Persistence record expires early if an error is returned for a BYE command
Solution Article: K92585400
Component: Service Provider
Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.
Conditions:
An error is returned for any SIP command.
Impact:
The persistence record will expire early when the call has not been ended.
Workaround:
None.
679074-1 : VPN tunnel cannot be established if allow local DNS is enabled and only one DNS is specified on client
Solution Article: K04024241
Component: Access Policy Manager
Symptoms:
VPN tunnel cannot be established if 'allow local DNS' is enabled and only one DNS is specified on client on macOS High Sierra.
Conditions:
-- VPN tunnel.
-- macOS High Sierra.
-- Only one DNS configured (either manually or by DHCP) on client machine.
-- Allow local DNS server configured in access policy.
Impact:
VPN tunnel cannot be established.
Workaround:
Use either of the following workarounds:
-- Configure two DNS servers.
-- Disallow local DNS servers.
678925-2 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
Component: TMOS
Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.
Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.
Then, a connection using the tunnel may cause a TMM crash.
Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.
Impact:
The TMM crashes and traffic is disrupted.
Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.
678872-1 : Inconsistent behavior for virtual-address and selfip on the same ip-address
Component: Local Traffic Manager
Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.
Conditions:
-- Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.
Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.
Workaround:
No workaround.
678861-2 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
Solution Article: K00426059
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade fails with a message similar to the following.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.
Conditions:
The system previously ran with a Link Controller license and has DNS:: commands in an iRule proc.
Impact:
Upgrade fails.
Workaround:
Remove DNS:: commands from procs before upgrade.
Or use AFM instead of iRules.
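Both 678861-2 and 681757-2 above are configuration patterns that only surface as a failed config load after the upgrade, so they are worth finding beforehand. The following script is an added example, not F5 tooling: a heuristic lint over bigip.conf for an LTM policy forward action whose target is of type member, and for DNS:: commands inside an iRule proc. The sample configuration is constructed, the exact layout of the member parameter in bigip.conf is assumed, and brace depth is counted per line (braces inside Tcl strings or comments will confuse it), so treat hits as candidates to review.

```shell
#!/bin/sh
# Added example, not F5 code: a heuristic pre-upgrade lint for two bigip.conf
# patterns reported as breaking configuration load, 681757-2 (an LTM policy
# forward action that selects a target of type member) and 678861-2 (DNS::
# commands inside an iRule proc). Brace depth is counted per line and ignores
# braces inside Tcl strings or comments, so hits are candidates to review.

# lint_bigip_conf <file>: one line per finding, "<file>:<line>: <message>".
lint_bigip_conf() {
    awk '
    function delta(s,  o, c) { o = gsub(/[{]/, "{", s); c = gsub(/[}]/, "}", s); return o - c }
    /^ltm policy / { stanza = "policy"; depth = 0; mode = "" }
    /^ltm rule /   { stanza = "rule";   depth = 0; mode = "" }
    stanza == "policy" && depth > 0 && /[[:space:]]member([[:space:]]|$)/ {
        printf "%s:%d: ltm policy forward target of type member; change to node before upgrading\n", FILENAME, FNR
    }
    # Inside an iRule the body is raw Tcl: top-level proc/when lines sit at depth 1.
    stanza == "rule" && depth == 1 && /^[[:space:]]*proc[[:space:]]/ { mode = "proc" }
    stanza == "rule" && depth == 1 && /^[[:space:]]*when[[:space:]]/ { mode = "when" }
    stanza == "rule" && mode == "proc" && /DNS::/ {
        printf "%s:%d: DNS:: command inside an iRule proc; remove it from the proc before upgrading\n", FILENAME, FNR
    }
    { depth += delta($0); if (stanza != "" && depth <= 0) { stanza = ""; mode = "" } }
    ' "$1"
}

# Constructed sample: one bad policy, one rule with DNS:: in a proc, one clean rule.
sample_conf() {
    cat <<'EOF'
ltm policy /Common/Policy {
    controls { forwarding }
    requires { http }
    rules {
        Policy-Rule {
            actions {
                0 {
                    forward
                    select
                    member /Common/10.1.1.1:80
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
ltm rule /Common/dns_helper {
proc qname {} {
    return [DNS::question name]
}
when DNS_REQUEST {
    log local0. "query for [DNS::question name] via [call qname]"
}
}
ltm rule /Common/clean {
when DNS_REQUEST {
    log local0. "query for [DNS::question name]"
}
}
EOF
}

# demo_lint: run the lint over the constructed sample (expects two findings).
demo_lint() {
    tmp=$(mktemp) || return 1
    sample_conf > "$tmp"
    lint_bigip_conf "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    --demo) demo_lint ;;
    ?*)     lint_bigip_conf "$1" ;;   # e.g. ./lint.sh /config/bigip.conf
esac
```

Run it against /config/bigip.conf and each /config/partitions/*/bigip.conf from the saved configuration before the upgrade, then apply the workarounds given for the two issues.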
678662-1 : In the GUI System :: High Availability : HA Groups edit page, pools created outside the Common partition cannot be modified
Solution Article: K14222230
Component: TMOS
Symptoms:
In the HA Groups GUI edit page, only Pools created in the Common partition can be modified or deleted.
Conditions:
-- High Availability : HA Groups edit page.
-- Pools created outside the Common partition.
Impact:
Devices must be paired to access HA Group configuration.
Workaround:
Use TMSH to modify or delete any non-Common pools attached to an HA Group.
678488-2 : BGP default-originate not announced to peers if several are peering over different VLANs
Component: TMOS
Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.
Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.
Impact:
Only some of the peered neighbors get the default route.
Workaround:
Add the following to the BGP configuration:
network 0.0.0.0/0
678462-3 : after chassis failover: asmlogd CPU 100% on secondary
Component: Application Security Manager
Symptoms:
After a failover in a chassis, with no traffic running through the chassis:
- asmlogd CPU 0% on the primary slot (which was secondary before the failover).
- asmlogd CPU 100% on the secondary slot (which was primary before the failover).
Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.
Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.
Workaround:
There is no workaround at this time.
678456-1 : ZebOS BGP peer-group configuration not fixed up on upgrade★
Component: TMOS
Symptoms:
ZebOS BGP configuration fails to load after upgrade to 13.0.0.
Conditions:
The configuration specifies a neighbor peer-group inside an address-family clause.
Impact:
The ZebOS configuration fails to load after upgrade.
Workaround:
Modify the ZebOS configuration to put the neighbor peer-group clause outside of the address-family clause.
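As an added illustration of this workaround and of the one for 678488-2 above (not a fragment from the release or from F5 documentation), here is a constructed ZebOS BGP stanza in the form that triggers both issues, followed by the corrected form. The AS numbers, router ID, peer addresses and peer-group name are invented; the file is /config/zebos/rd0/ZebOS.conf for route domain 0.

```text
! Before: peer-group binding inside address-family (fails to load after
! upgrade, 678456-1); default-originate on peers reached over different
! VLANs, which only some of them receive (678488-2).
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor UPLINKS peer-group
 neighbor UPLINKS remote-as 65001
 !
 address-family ipv4 unicast
  neighbor 10.0.1.2 peer-group UPLINKS
  neighbor 10.0.2.2 peer-group UPLINKS
  neighbor UPLINKS default-originate
  neighbor UPLINKS activate
 exit-address-family

! After: peer-group bindings moved out of the address-family clause, and the
! default route announced with an explicit network statement.
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor UPLINKS peer-group
 neighbor UPLINKS remote-as 65001
 neighbor 10.0.1.2 peer-group UPLINKS
 neighbor 10.0.2.2 peer-group UPLINKS
 network 0.0.0.0/0
 !
 address-family ipv4 unicast
  neighbor UPLINKS default-originate
  neighbor UPLINKS activate
 exit-address-family
```

As with any BGP network statement, 0.0.0.0/0 is only advertised if a matching route (static or learned) exists in the routing table; check with 'show ip bgp' from imish after the change.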
678450-2 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
Component: Local Traffic Manager
Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.
Conditions:
-- Connect to client and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Change the type of virtual server vs_web on the LTM and repeat.
When the virtual server type is Standard, 'F5RST port in use' is sent. When the type is Performance (Layer 4), it is not.
Impact:
Connection hangs. The port-in-use counter does not increase in the output of the following command:
tmsh show /net rst-cause
Workaround:
None.
678427-3 : Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice
Solution Article: K03138339
Component: Access Policy Manager
Symptoms:
Safari 11 displays confirmation dialogs to launch F5 EPI or F5 VPN app twice. Although functionality is not affected, the user experience might be confusing.
Conditions:
-- Safari 11, F5 EPI, or F5 VPN app installed.
-- Endpoint check or VPN configured in access policy.
Impact:
None. The extra dialog box does not affect system functionality.
Workaround:
None.
678388-2 : IKEv1 racoon daemon is not restarted when killed multiple times
Solution Article: K00050055
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.
Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.
Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.
Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd
678380-1 : Deleting an IKEv1 peer in current use could SEGV on race conditions.
Component: TMOS
Symptoms:
Deleting or updating an IKEv1 peer can intermittently cause the IKEv1 racoon daemon to crash with SIGSEGV under some race conditions.
Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.
Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.
Workaround:
None.
678337-1 : Route Advertisement setting for virtual-address disabled after upgrade from pre-13.0.0 versions★
Solution Article: K00463452
Component: Local Traffic Manager
Symptoms:
When Route Advertisement setting for virtual-address is enabled in a pre-13.0.0 configuration, it becomes disabled after upgrading.
Conditions:
-- Upgrading configuration containing an enabled Route Advertisement virtual-address setting.
-- Upgrading from a pre-13.0.0 version to 13.0.0 or later.
Impact:
The virtual-address route-advertisement setting will be incorrect after upgrading.
Workaround:
In TMSH, after an upgrade to 13.0.0, run the following command:
modify /ltm virtual-address /<partition>/<ip address> route-advertisement selective
678228-2 : Repeated Errors in ASM Sync
Solution Article: K27568142
Component: Application Security Manager
Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.
Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group
Impact:
Any future attempts at building a sync file will continue to fail.
Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.
677937-2 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
Solution Article: K41517253
Component: TMOS
Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.
Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).
Impact:
No connectivity between the client and the server.
Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)
677928-1 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
Component: TMOS
Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.
Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.
Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.
677525-1 : Translucent VLAN group may use unexpected source MAC address
Solution Article: K06831814
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally administered (U/L) bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
677473-2 : MCPD core is generated on multiple add/remove of Mgmt-Rules
Component: Advanced Firewall Manager
Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.
Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).
Impact:
The BIG-IP system might become unusable for a few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic is disrupted while tmm restarts.
Workaround:
None.
677400-2 : pimd daemon may exit on failover
Solution Article: K82502883
Component: Local Traffic Manager
Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.
Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.
Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.
Workaround:
No workaround required.
677270-1 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH
Solution Article: K76116244
Component: Local Traffic Manager
Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.
Conditions:
-- Merging an iRule in a config file in TMSH or entering the iRule manually in TMSH.
-- iRule comments are outside of any event stanza.
Impact:
Trailing comments in iRules are lost.
Workaround:
Use one or both of the following workarounds:
-- Make sure comments are inside of an event stanza.
-- Enter the iRule using the web GUI.
676897-2 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) no longer exists on a remote IPsec peer, the BIG-IP system might receive an INVALID-SPI notification but not delete its own copy of the SA. The IPsec tunnel might not be renegotiated until the stale SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
676854-2 : CRL Authentication agent will hang waiting on unresponsive authentication server.
Component: Access Policy Manager
Symptoms:
Some authentication requests never complete. APMD responsiveness degrades over time and eventually restarts.
Conditions:
The CRL Authentication server must be alive enough to accept connections but busy enough to drop requests without closing connections.
Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.
Workaround:
Restarting the CRL Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the CRL backend can detect the issue and allow recovery before the need for APMD to restart.
676828-1 : Host IPv6 traffic is generated even when ipv6.enabled is false
Solution Article: K09012436
Component: Local Traffic Manager
Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.
Conditions:
sys db ipv6.enabled is false.
Impact:
Extraneous IPv6 traffic from the BIG-IP system.
Workaround:
None.
676721-1 : Missing check for NULL condition causes tmm crash.
Solution Article: K33325265
Component: Local Traffic Manager
Symptoms:
Missing check for NULL condition causes tmm crash.
Conditions:
One possible route involves load balancing failure, but there may be other paths leading to this crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
676690-2 : Windows Edge Client sometimes crashes when user signs out from Windows
Component: Access Policy Manager
Symptoms:
In rare cases, the Windows Edge Client may crash when the user signs out from Windows.
Conditions:
The user signs out from Windows or restarts Windows while Edge Client is running and a VPN is established.
Impact:
No functional impact. The user sees an error message box that blocks the sign-out process; when the user closes the message box, sign-out continues.
676442-1 : Changes to RADIUS remote authentication may not fully sync
Solution Article: K37113440
Component: TMOS
Symptoms:
With multiple devices in a sync group, changes to remote authentication (for example, changes made using a command such as: tmsh modify auth radius system-auth servers replace-all-with { AAA_a AAA_b }) are effective on the device where the change was made.
Although the changes are synced to the tmsh config on the other devices in the group, they are not effective on those devices. This can be observed by checking that the changes do not appear in /config/bigip/auth/pam.d/system-auth and /config/bigip/auth/pam.d/radius/system-auth.conf.
Conditions:
Devices in a sync group that will sync system-auth config.
Impact:
Changes to RADIUS authentication will not be effective throughout the device group.
Workaround:
After syncing RADIUS changes, run the following command on all devices:
tmsh save sys config && tmsh load sys config
676416-1 : BD restart when switching FTP profiles
Component: Application Security Manager
Symptoms:
Switching a virtual server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.
Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.
Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.
Workaround:
There is no workaround at this time.
676355-1 : DTLS retransmission does not comply with RFC in certain resumed SSL session
Component: Local Traffic Manager
Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost on the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.
Conditions:
-- On the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.
Impact:
When the DTLS FINISHED message is lost on the Cavium SSL offloading platform, the CCS and FINISHED messages are not retransmitted.
Workaround:
None.
676223-3 : Internal parameter in order not to sign allowed cookies
Component: Application Security Manager
Symptoms:
ASM TS cookies may get big (up to 4k).
Conditions:
Policy building is turned on (manual or automatic), and there are allowed cookies.
Impact:
This increases web site throughput.
Workaround:
N/A
676131-1 : MRF Diameter: persistence entry not created if message routed via iRule command
Component: Service Provider
Symptoms:
MRF Diameter route table implementation does not add a persistence entry if the message is routed via an iRule.
Conditions:
-- MRF Diameter configured.
-- Message is routed via an iRule.
Impact:
A Diameter persistence entry will not be created. Since MRF Diameter persistence may be bidirectional, the missing persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.
Workaround:
Use an iRule to route messages directed towards the original client.
676092-2 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
675928-3 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
Component: Policy Enforcement Manager
Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently if the requests from those flows are outstanding.
Conditions:
The HTTP request from the subscriber is outstanding when the new flow is triggered.
Impact:
The PEM insert content pem_action will be enabled on multiple flows until the first response is received.
675911-2 : Dashboard CPU history file may contain incorrect values
Solution Article: K13272442
Component: Local Traffic Manager
Symptoms:
Values such as 33%, 66%, and 99% may appear in the CSV file exported from the dashboard utility.
Conditions:
htsplit is enabled.
Impact:
CPU history in exported CSV file does not match actual CPU usage.
Workaround:
You can obtain CPU history through various other means.
One way is to use the sar utility:
In 12.x and 13.x:
sar -f /var/log/sa6/sa
or for older data
sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
In 11.x:
sar -f /var/log/sa/sa
or for older data
sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
675775-1 : TMM crashes inside dynamic ACL building session db callback
Component: Access Policy Manager
Symptoms:
A race condition between a PPP tunnel close and a session expiry occurring on different TMMs at almost the same time may cause a TMM restart in the dynamic ACL building session db callback.
Conditions:
A PPP tunnel close and a session expiry occur on different TMMs at almost the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
675718-2 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
675597-1 : APM may prematurely close client-side RD Gateway connections on server-side disconnect
Component: Access Policy Manager
Symptoms:
APM may prematurely close client-side RD Gateway connections on server-side disconnect. In this case, the APM log contains a 'CallOutput on empty outputSink' error message.
In rare cases, this might prevent the RDP client from following RDP redirection (between RDP hosts in an RDP farm), so the client cannot connect via APM.
Conditions:
The RDP server closes the connection before the client does.
Impact:
Rarely, this might prevent the RDP client from following RDP redirection (between RDP hosts in an RDP farm), so the client cannot connect via APM.
Workaround:
None.
675539-2 : Inter-system communications targeted at a Management IP address might not work in some cases.
Component: Global Traffic Manager (DNS)
Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.
Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.
This occurs because the big3d daemon acts as a proxy, listening on the Management IP address, and sends proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).
This is not an issue if either of the following is true:
-- The source of the connection is the Management IP address, because the connection is clear text (not SSL encrypted, and thus does not use SNI).
-- The destination of the connection is a Self IP address, because TMM (via an iRule) will handle the connection.
Impact:
Device sync operations do not work.
Workaround:
Do not use the Management IP address for between-device communications.
675399-1 : Network Access does not work when empty variables are assigned for WINS and DNS
Component: Access Policy Manager
Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.
Conditions:
The administrator configures empty values for WINS or DNS in the Variable Assign agent in the VPE.
Impact:
The system does not parse the XML tags correctly. Users may not be able to establish a VPN tunnel.
Workaround:
Do not leave the DNS or WINS values empty in the Variable Assign agent.
675368-1 : Unable to reorder rules when one of the rule names contains % or /
Component: TMOS
Symptoms:
Unable to reorder rules when one of the rule names contains % or /.
Conditions:
One of the rule names contains % or /.
Impact:
The rules cannot be reordered.
Workaround:
Rename the rules to make sure they do not contain % or /.
675367-1 : The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication
Solution Article: K95393925
Component: Local Traffic Manager
Symptoms:
The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication.
Conditions:
An IMAP or POP3 monitor is configured, and the server returns GSSAPI as an available authentication mechanism.
Impact:
The monitor fails and marks the server down, even when it might be available.
Workaround:
If possible, use one of the following workarounds:
-- Turn off GSSAPI authentication on the mail server.
-- Use an alternate monitor type.
675236-1 : 'Require consistent IP address' does not apply to some management GUI menu items
Solution Article: K03293523
Component: TMOS
Symptoms:
The configuration setting 'System :: Preferences :: Require A Consistent Inbound IP For the Entire Web Session' ('sys http auth-pam-validate-ip' in tmsh) does not apply to some menu items, and acts as if the setting is enabled (that a consistent IP address is required) regardless of the BIG-IP configuration.
Conditions:
BIG-IP administrator accesses the configuration utility from more than one source IP address, using the same session cookie.
Impact:
The 'sys http auth-pam-validate-ip' setting is ineffective on some menu items. These include ASM, AVR, and APM menu items.
Workaround:
Ensure the source IP address used when accessing the configuration utility does not change mid-session. This could happen if your management session is being load balanced across multiple HTTP proxies, for example.
675232-4 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
Component: Application Security Manager
Symptoms:
Errors encountered:
In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.
Impact:
The policy is created but the modify action cannot find the policy.
Workaround:
iApps are built to work with ASM Policy Templates.
A new ASM Policy Template can be created from the desired ASM Policy.
That can be done via the GUI and, starting from v13.0, via REST as well.
Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------
674992-1 : AAM traffic report's time period doesn't always apply
Component: TMOS
Symptoms:
AAM traffic report's time period doesn't always apply.
Conditions:
Select a time period on the AAM traffic report page other than last hour.
Impact:
The table and graph still display last hour data.
674903-1 : TMM halts and restarts in response to certain requests.
Component: Advanced Firewall Manager
Symptoms:
TMM halts and restarts under certain conditions relating to Device ID or Fingerprinting.
Conditions:
Security policy or DoS Profile that uses Device ID or Fingerprinting.
Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.
Workaround:
Changing the Device ID matching mode to 'simple' will prevent this crash from happening. To do so, run the following command:
tmsh modify sys db did.match_mode value simple
674754-1 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the email address in ZoneRunner and using a '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently, and the new email address is not stored.
Note: The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.
Conditions:
-- The zone already exists in ZoneRunner.
-- You try to update it with a new email address.
Impact:
Confusion as to why the GUI is ignoring the new email address that was entered.
Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.
674747-3 : sipdb cannot delete custom bidirectional persistence entries.
Solution Article: K30837366
Component: Service Provider
Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.
Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.
Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.
Workaround:
None.
674686-3 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow
Component: Policy Enforcement Manager
Symptoms:
If an outstanding flow with the periodic insert content pem_action is very long, it prevents new flows matching the same rule from adding the insert content pem_action, even for a new periodic interval.
Conditions:
The outstanding flow with the insert content pem_action spans multiple periodic intervals.
Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.
Workaround:
Long flows and short flows need to have separate rules configured.
674527-2 : TCL error in ltm log when server closes connection while ASM iRules are running
Component: Application Security Manager
Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"
Conditions:
1. ASM iRules are attached.
2. One request has already been passed to the web server.
3. Server closes connection.
Impact:
Error in ltm log.
674494-2 : BD memory leak on specific configuration and specific traffic
Solution Article: K77993010
Component: Application Security Manager
Symptoms:
RSS memory of the bd process grows.
Conditions:
-- Remote logger is configured.
-- An IP address has ignore logging configured.
-- Traffic is coming from the IP address whose logging is ignored.
Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.
Workaround:
None.
674328-2 : Multicast UDP from BIG-IP may have incorrect checksums
Component: TMOS
Symptoms:
BIG-IP may transmit UDP datagrams with a bad checksum.
Conditions:
Outgoing link-local multicast UDP traffic from the Linux host, such as RIP.
Impact:
Packets may be dropped by adjacent devices.
Workaround:
Disable checksum offloading on the virtual NIC for affected VLANs, e.g., "ethtool --offload vlan1274 rx on tx off".
674320-1 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems
Solution Article: K11357182
Component: TMOS
Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:
notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59
Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)
Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).
Impact:
Configuration on peer systems in a device group does not get saved after a sync.
Workaround:
Manually save the configuration on peer systems after a sync.
674297-2 : Custom headers are removed on cross-origin requests
Component: Fraud Protection Services
Symptoms:
Custom headers are removed on cross-origin requests.
Conditions:
A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.
Impact:
The request will be blocked, FPS functionality breaks.
Workaround:
For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used:
when HTTP_REQUEST {
    # Remember that this connection carried a CORS preflight for the protected host.
    # The variable is connection-scoped, so it stays set for later responses on the same connection.
    if {[HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>"} {
        set modify_allowed_headers 1
    }
}
when HTTP_RESPONSE {
    # Add the FPS custom header to the allowed list only when the server already sent one.
    if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1"} {
        if { [HTTP::header exists "Access-Control-Allow-Headers"] } {
            set hdr [HTTP::header value "Access-Control-Allow-Headers"]
            append hdr ", <HEADER NAME>"
            HTTP::header replace Access-Control-Allow-Headers $hdr
        }
    }
}
674288-1 : FQDN nodes - monitor attribute doesn't reliably show in GUI
Solution Article: K62223225
Component: TMOS
Symptoms:
When creating more than one node with FQDN configured with monitors, monitors are not displayed in the GUI properly.
Conditions:
Create more than one node with FQDN configured.
Impact:
The previously created FQDN node does not display monitors in the GUI. However, the subsequently created FQDN node does display the correct monitors.
Workaround:
Use tmsh to view monitors for Nodes with FQDN configured.
674145-2 : chmand error log message missing data
Component: TMOS
Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.
Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP
The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.
Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.
Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.
674004-2 : tmm may crash after deleting a pool member that is processing traffic
Solution Article: K34448924
Component: Local Traffic Manager
Symptoms:
tmm may crash after a pool member that is processing traffic is deleted.
Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- Connpool is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
673952-2 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot
Component: TMOS
Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:
notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all
Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.
Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.
Workaround:
None.
673951-1 : Memory leak when using HTTP2 profile
Solution Article: K56466330
Component: Local Traffic Manager
Symptoms:
Memory continues to grow despite a reduced volume of traffic. A large number of spdy_frame and xdata objects are allocated.
Conditions:
Virtual server configured with HTTP2 profile.
Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.
Workaround:
None.
673814-5 : Custom bidirectional persistence entries are not updated to the session timeout
Solution Article: K37822302
Component: Service Provider
Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.
Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.
Impact:
The persistence entry will time out prematurely.
Workaround:
Set the transaction timeout to the session timeout value.
673683-3 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
A subscriber action list has Insert content added, and the pem and classification profiles are detached and re-attached to the listener; periodic insertion may then fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.
Impact:
The periodic insert content action fails to insert the content.
Workaround:
Delete and recreate the subscriber for which the insert content action is no longer working.
673678-3 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
A subscriber action list has Insert content added, and the request/response for that HTTP transaction gets interleaved by another subscriber's request. This happens when more than one subscriber is using the same policy rule.
Impact:
The periodic insert content action fails to insert the content.
Workaround:
Delete and recreate the subscriber for which the insert content action is no longer working.
673664-2 : TMM crashes when sys db Crypto.HwAcceleration is disabled.★
Component: Local Traffic Manager
Symptoms:
TMM crashes when sys db Crypto.HwAcceleration is disabled.
Conditions:
This occurs when sys db Crypto.HwAcceleration is disabled.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
Enable crypto hardware acceleration using the following command:
tmsh modify sys db crypto.hwacceleration value enable
673484-2 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
Solution Article: K85405312
Component: TMOS
Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.
Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.
Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.
Workaround:
Use IKEv1.
673472-3 : After classification rule is updated, first periodic Insert content action fails for existing subscriber
Component: Policy Enforcement Manager
Symptoms:
Immediately after the classification rule associated with a static subscriber is updated, if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content actions proceed as expected.
Conditions:
Update of the classification rule associated with the subscribers.
Impact:
The first periodic Insert content action immediately following the update of the classification rule fails.
Workaround:
Run the following command after updating the classification rule with the insert content action; this fixes the issue:
bigstart restart tmm
673463-1 : SDD v3 symmetric deduplication may start performing poorly after a failover event
Solution Article: K68275280
Component: Wan Optimization Manager
Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.
Conditions:
This issue occurs when all of the following conditions are met:
1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.
Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.
Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.
673399-2 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
Component: Local Traffic Manager
Symptoms:
The client sends a GET request with switching protocols, and the server responds with a 401. The subsequent GET request from the client is dropped.
Conditions:
HTTP and WebSocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating an upgrade to WebSockets, and the server responds with a 401. The subsequent GET request from the client is dropped.
Impact:
Connection is reset.
Workaround:
Disable Websockets profile on the virtual server.
673311-1 : When 'Web Scraping Configuration' has 'Bot Detection' set to 'Alarm', the type=7 JavaScript challenge is sent.
Component: Application Security Manager
Symptoms:
The JavaScript challenge type=7 is sent when it should not be.
The challenge should be sent only when 'Bot Detection' is set to 'Alarm and Block' or when 'Fingerprint Usage' or 'Persistent Client Identification' is enabled in 'Web Scraping Configuration'.
Conditions:
-- ASM Policy.
-- 'Bot Detection' set to 'Alarm' in 'Web Scraping Configuration'.
Impact:
After 10 requests to a qualified URL, the JavaScript challenge type=7 is sent back.
Workaround:
None.
673075 : Reduced Issues for Monitors configured with FQDN
Component: Local Traffic Manager
Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors in environments with volatile/unstable DNS servers, or when the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experience a delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated by some network configurations.
Conditions:
Monitors are configured using FQDN, and one or more environment conditions exist, such as unstable DNS servers (i.e., 'flapping' DNS), or a network configuration that causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.
Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.
Workaround:
In some cases, the network configuration can be changed to avoid these edge cases, such as ensuring stable DNS servers with only periodic rollovers to backup DNS servers, and ensuring that ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.
672988-1 : MCP memory leak when performing incremental ConfigSync
Solution Article: K03433341
Component: TMOS
Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be observed by using the tmctl utility to watch the umem_alloc_80 cache over time.
This leak occurs on the device that is sending the configuration.
Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.
Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.
Workaround:
None.
672963 : MSSQL monitor fails when monitored DB requires charset
Component: Local Traffic Manager
Symptoms:
The MSSQL monitor fails against a database that uses a non-native charset.
Conditions:
The MSSQL monitor is configured to monitor a DB that uses a non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
None.
672828-1 : Different ASM logging profiles can have cross-impact on response logging decision
Component: Application Security Manager
Symptoms:
When both a local ASM logging profile and a remote ASM logging profile are attached to the same virtual server, response logging may not match the configuration of the remote logging profile.
Conditions:
-- Have both ASM local logging profile and ASM remote logging profile attached to the same virtual server.
-- Have response logging turned on for the remote profile, but disabled on the local.
Impact:
Response is not logged for the remote profile although it is turned on in config.
Workaround:
Enable response logging for local profile.
672504-4 : Deleting zones from large databases can take excessive amounts of time.
Solution Article: K52325625
Component: Global Traffic Manager (DNS)
Symptoms:
When deleting a zone or a large number of Resource Records, zxfrd can run at 100% CPU for long periods of time.
Conditions:
With a significantly sized database, deletes might be very time-intensive.
Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests.
Workaround:
None.
672491-1 : net resolver uses internal IP as source if matching wildcard forwarding virtual server
Solution Article: K10990182
Component: Global Traffic Manager (DNS)
Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.
Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.
Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.
Impact:
Failed DNS queries as a result of incorrect source IP address.
Workaround:
None.
672312-1 : IP ToS may not be forwarded to serverside with syncookie activated
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
672301-1 : ASM crashes when using a logout object configuration in ASM policy
Component: Application Security Manager
Symptoms:
The bd daemon crashes and writes a core file in the /shared/core directory.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.
Impact:
System goes offline for a few seconds, failover occurs.
Workaround:
Remove logout object configuration from ASM policy.
672008-2 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
Solution Article: K22122208
Component: Local Traffic Manager
Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when the clock rolls over to exactly 1,000,000 microseconds. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.
Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00
Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.
Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.
Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.
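Collector-side detection and repair of the malformed timestamp described above, written as an added example (not F5 code): it validates the TIMESTAMP field of RFC 5424 messages, flags the embedded NUL, and reconstructs the intended value by carrying the 1,000,000 microseconds into the seconds field. The sample messages are constructed here; the hostname and process fields are placeholders.

```python
import re
from datetime import datetime, timedelta

# RFC 5424 TIMESTAMP: FULL-DATE "T" PARTIAL-TIME TIME-OFFSET, with an optional
# fraction of one to six digits. Anything else (including a NUL byte) is invalid.
RFC5424_TS = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,6}))?(?P<tz>Z|[+-]\d{2}:\d{2})$"
)

# Shape of the defect: six fraction digits followed by a NUL byte. A microsecond
# value of 1,000,000 formats as seven digits, and the seventh was cut off by the
# six-byte field, leaving "100000" plus the terminator.
ROLLOVER_TS = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"\.(?P<frac>\d{6})\x00(?P<tz>Z|[+-]\d{2}:\d{2})$"
)


def check_timestamp(ts):
    """Return (ok, reason) for one TIMESTAMP field."""
    if "\x00" in ts:
        return False, "NUL byte inside timestamp"
    if not RFC5424_TS.match(ts):
        return False, "not an RFC 5424 TIMESTAMP"
    return True, ""


def repair_timestamp(ts):
    """Rebuild the intended timestamp for the rollover defect, or None if the
    value does not match that exact pattern (other corruption is not guessed)."""
    m = ROLLOVER_TS.match(ts)
    if not m or m.group("frac") != "100000":
        return None
    # The truncated fraction was 1,000,000 us, i.e. exactly one more second with
    # a zero fraction. timedelta also carries the rollover across a day boundary.
    fixed = datetime.strptime(m.group("base"), "%Y-%m-%dT%H:%M:%S") + timedelta(seconds=1)
    return fixed.strftime("%Y-%m-%dT%H:%M:%S") + ".000000" + m.group("tz")


def triage(messages):
    """Validate the TIMESTAMP of each RFC 5424 message (<PRI>VERSION SP TIMESTAMP SP ...)
    and return one record per message with the repaired message where possible."""
    results = []
    for msg in messages:
        parts = msg.split(" ", 2)
        ts = parts[1] if len(parts) > 1 else ""
        ok, reason = check_timestamp(ts)
        repaired = None if ok else repair_timestamp(ts)
        results.append({
            "timestamp": ts,
            "ok": ok,
            "reason": reason,
            "repaired": repaired,
            "message": msg.replace(ts, repaired, 1) if repaired else msg,
        })
    return results


# Constructed sample messages: one well-formed, two showing the rollover defect
# (the second of them at a day boundary). Hostname and process are placeholders.
SAMPLE_MESSAGES = [
    "<134>1 2003-08-24T05:14:15.000000-07:00 bigip-example tmm 1234 - - normal message",
    "<134>1 2003-08-24T05:14:14.100000\x00-07:00 bigip-example tmm 1234 - - rollover message",
    "<134>1 2003-08-24T23:59:59.100000\x00-07:00 bigip-example tmm 1234 - - day-boundary rollover",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_MESSAGES):
        status = "ok" if rec["ok"] else f"BAD ({rec['reason']}) -> {rec['repaired']}"
        print(f"{rec['timestamp']!r}: {status}")
```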
671999-1 : Re-extract the Thales software every time the installation script is run
Component: Local Traffic Manager
Symptoms:
If Thales has already been installed on the BIG-IP system, installing a new version does not overwrite the existing installed version.
Conditions:
/shared/nfast exists on the BIG-IP system before installing the Thales client software.
Impact:
The old version of the software will be used in the installation operation, instead of the expected new version of the software.
Workaround:
You can use either or both of the following workarounds before running the installation script:
-- Run the uninstallation script.
-- Delete the /shared/nfast folder.
671714-1 : Empty persistence cookie name inserted from policy can cause TMM to crash
Component: Local Traffic Manager
Symptoms:
Empty persistence cookie name inserted from policy can cause TMM to restart.
Conditions:
Empty persistence cookie name is used in a policy definition.
A connection is made that uses the policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a non-empty persistence cookie name in the policy definition.
671627-2 : HTTP responses without a body may contain a chunked body with an empty payload when processed by Portal Access.
Solution Article: K06424790
Component: Access Policy Manager
Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include a body. Portal Access adds a 'Transfer-Encoding: chunked' header and may add a chunked body with an empty payload to such responses.
Conditions:
HTTP response without a body processed by Portal Access.
Impact:
Most browsers ignore the invalid 'Transfer-Encoding' header and/or body for responses that must not include a body at all. However, some traffic validators may refuse to pass invalid responses.
Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.
671553-1 : iCall scripts may make statistics request before the system is ready
Component: TMOS
Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.
Conditions:
Early during startup.
Impact:
The Tcl script may generate an error and stop working.
Workaround:
Use Tcl's 'catch' command to detect and handle the error.
671447-1 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
Component: TMOS
Symptoms:
When using a BIG-IP system configured in an IS-IS network, adjacencies may fail to form with other vendors' devices.
Conditions:
-- BIG-IP configured to participate as a peer in an IS-IS network.
-- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-byte SystemID.)
Impact:
IS-IS adjacencies may not form.
Workaround:
None.
671372-1 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Solution Article: K01930721
Component: TMOS
Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.
Impact:
The pool will be created but the members will not be modified.
Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.
671326-1 : DNS Cache debug logging might cause tmm to crash.
Solution Article: K81052338
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache debug logging might cause tmm to crash.
Conditions:
This occurs when the following conditions are met:
-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.
671314-3 : BIG-IP system cores when sending SIP SCTP traffic
Solution Article: K37093335
Component: TMOS
Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.
Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.
Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.
Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.
671261-1 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
Solution Article: K32306231
Component: TMOS
Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.
Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.
Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.
Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.
671236-1 : BGP local-as command may not work when applied to peer-group
Solution Article: K27343382
Component: TMOS
Symptoms:
Using the BGP level command neighbor <peer-group> local-as <AS> might fail to apply on peers in the peer group.
Conditions:
Applying the BGP local-as command to a peer group.
For instance:
neighbor <peer-group> local-as <AS>.
Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.
Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.
671234-1 : HTTP Authentication agent will hang waiting on unresponsive authentication server.
Component: Access Policy Manager
Symptoms:
Some authentication requests never complete.
APMD responsiveness degrades over time and APMD eventually restarts.
Conditions:
The HTTP Authentication server must be alive enough to accept HTTP connections but busy enough to drop requests without closing connections.
Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.
Workaround:
Restarting the HTTP Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the HTTP backend can detect the issue and allow recovery before the need for APMD to restart.
671149-2 : Captive portal login page is not rendered until it is refreshed
Component: Access Policy Manager
Symptoms:
Sometimes Edge Client shows an error page for captive portal-redirected URLs.
Conditions:
Some captive portal pages use cloud-based authentication and network management. Such captive portals rely on several HTTP redirects and/or HTML (auto-refresh). Sometimes Edge Client fails to download the page/content from the redirected URL. In such scenarios, a full browser re-attempts and successfully downloads and displays the page, but Edge Client does not re-attempt and shows an error page.
Impact:
For the locked client, an APM end user has no access to the internet until captive portal authentication is performed and the Network Access (VPN) tunnel is created.
Workaround:
None.
671112-1 : Internal IP Datagroups not matching against some IPv6 network addresses
Component: Local Traffic Manager
Symptoms:
The iRule class match command always returns 'not found' when trying to match an IP address against an internal datagroup for certain prefix lengths.
Conditions:
Using internal IP datagroup with IPv6 network addresses.
Impact:
iRule functions improperly.
Workaround:
None.
671082-2 : snmpd constantly restarting
Component: TMOS
Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.
Conditions:
snmpd takes too long processing a request for the ifTable because a large number of VLANs or VLAN groups are configured.
Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.
Workaround:
None.
671052-1 : AFM NAT security resets traffic with '(FW NAT) dst_trans failed'
Solution Article: K50324413
Component: Advanced Firewall Manager
Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.
Conditions:
This issue may be seen with Source/Destination translation.
Impact:
Destination translation failure. In most of the cases, TMM restart resolves the issue. Traffic disrupted while tmm restarts.
Workaround:
None.
671008 : Kernel panic in netlink_compare in Red Hat Enterprise Linux 7.2
Component: TMOS
Symptoms:
This is a known issue for RHEL7.2 kernels newer than 3.10.0-327.22.2.el7. BIG-IP 13.0.0 kernels are based on 3.10.0-327.36.3.el7, which is the last public update to the 7.2 kernel series prior to the release of RHEL 7.3.
Conditions:
It appears this panic is exacerbated by netlink paths being taken by the crond process, which is doing a sendto() over a netlink socket.
Impact:
The kernel panics.
Workaround:
None.
670816-4 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
Solution Article: K44519487
Component: Local Traffic Manager
Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.
Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.
Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.
Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.
670814-1 : Wrong SE Linux label breaks nethsm DNSSEC keys
Component: Local Traffic Manager
Symptoms:
In /var/log/ltm:
(_Common_thales_key) create failed, retry attempt 1 [nfgk_new: Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied mv: cannot stat `/shared/tmp/_Common_thales_key': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_req': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_selfcert': No such file or directory str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=1024 embedsavefile="_Common_thales_key" plainname="_Common_thales_key" digest=sha256] rfs-sync: error from NFastApp_Connect `(null)': Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied No updates. Update done. Create key pair done. ].
or the output of the following command:
ausearch -m AVC,SELINUX_ERR -ts recent
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.574:24190): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffd059e2720 a2=6e a3=7ffd059e2470 items=0 ppid=3310 pid=3311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="generatekey" exe="/shared/nfast/tcl/bin/generatekey" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.574:24190): avc: denied { write } for pid=3311 comm="generatekey" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.600:24191): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd9dbc33a0 a2=6e a3=7ffd9dbc30f0 items=0 ppid=3313 pid=3316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rfs-sync" exe="/shared/nfast/bin/rfs-sync" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.600:24191): avc: denied { write } for pid=3316 comm="rfs-sync" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
Conditions:
Trying to use a Thales netHSM for DNSSEC.
Impact:
Cannot create DNSSEC keys protected by a Thales netHSM.
Workaround:
chcon -R --reference=/var/run/rd0.sock /shared/nfast/sockets/
NB: You should also apply the workaround for BZ671337. If this bug exists, it is almost certain that bug exists as well.
670804-3 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
Solution Article: K03163260
Component: Local Traffic Manager
Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.
Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept when used with OneConnect on a virtual server.
670583-1 : EdgeClient does not failover when primary APM server goes down
Component: Access Policy Manager
Symptoms:
EdgeClient does not re-establish the VPN when the primary APM server goes down.
Conditions:
Primary APM server goes down while VPN is connected.
Impact:
No VPN connectivity.
Workaround:
Disconnect and reconnect.
670520-4 : FastL4 not sending keepalive at proper interval when other side gets response
Component: Local Traffic Manager
Symptoms:
FastL4 does not send a keepalive at the proper interval when the other side receives a response. With FastL4, when a response to an LTM-initiated keepalive is received from a device on one side, it is forwarded to the other side.
This causes a keepalive not to be sent on that other side. The keepalive interval is 20 seconds. If the LTM is scheduled to send a keepalive to the server, but receives a keepalive response on the client side before it sends the server-side keepalive, the client-side keepalive response is forwarded, but the actual keepalive is not sent to the server.
Conditions:
FastL4 and keepalive.
Impact:
Potential for failure, because in FastL4 the timeout timer is not updated unless a response is returned. Since the LTM does not send the keepalive, there will be no response for that interval.
Workaround:
None.
670501-6 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
Solution Article: K85074430
Component: Application Security Manager
Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device.
Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.
Impact:
Policies are either not created/deleted, or not fully created/deleted.
Note: Fully created and fully deleted meaning that the following commands agree with each other:
# tmsh list asm policy one-line all-properties
# tmsh list asm policy one-line
Workaround:
Issue a forced full sync from the originating device to the device group.
670258-1 : Multicast pings not forwarded by TMM
Component: Local Traffic Manager
Symptoms:
When multicast routing is configured, ICMP or ICMP6 pings are not forwarded by TMM even though UDP and other protocol traffic to the same group addresses works.
Conditions:
Multicast routing configured, VIP configured to forward ICMP traffic.
Impact:
Multicast group addresses cannot be reached with ICMP or ICMP6 echo requests.
Workaround:
n/a
670245-1 : IP forwarding virtual server drops packets with TTL of 1 in TTL preserve mode
Component: Local Traffic Manager
Symptoms:
FastL4/IP forwarding virtual server configured to preserve TTL on forwarding, drops ingress packets with a TTL of 1.
Conditions:
- FastL4 IP forwarding virtual server with an ip-ttl-mode configured to 'preserve'.
- Packets with TTL of 1.
Impact:
Packets are dropped.
Workaround:
Change TTL mode on the FastL4 profile.
670238 : TMM may crash due to wrong flow assigned to fragmented IPv4 packet
Solution Article: K26297385
Component: Local Traffic Manager
Symptoms:
TMM may crash due to wrong flow assigned to fragmented IPv4 packet.
Conditions:
This occurs when either of the following conditions occur:
-- The connection is re-accepted.
-- The FLOW_INIT iRule event is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
670197-2 : IPsec: ASSERT 'BIG-IP_conn tag' failed
Component: TMOS
Symptoms:
When using IPsec, tmm asserts with 'BIG-IP_conn tag' failed.
Conditions:
The conditions under which this assert occurs when using IPsec are unknown.
Impact:
The tmm restarts and all connections are reset. Traffic disrupted while tmm restarts.
Workaround:
None.
670083-1 : APMD debug messages about the file descriptor queue are not correct.
Component: Access Policy Manager
Symptoms:
When the file descriptor queue is logged, only the first entry is correct. The remainder are copies of the first entry.
Conditions:
You must run "kill -USR2 <pid of APMD>" on the command line on the BIG-IP to log the file descriptor queue.
Impact:
No functional or performance impact.
Workaround:
No workaround at this time.
669978-2 : SIP monitor - Via header's branch parameter collision.
Component: Service Provider
Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server's internal logic gets confused by the request coming from LB2 because it uses the same branch parameter as the request coming from LB1.
Conditions:
The SIP branch hash string is short enough that, when a sufficient number of SIP monitor messages are sent, branch collisions become possible.
Impact:
This causes the backend server to erroneously send a response message to LB1 instead of LB2.
Workaround:
None.
669739-2 : Potential core when using MRF SIP with SCTP
Component: Service Provider
Symptoms:
The system may core when using SCTP with MRF SIP if the outgoing connection receives more messages than it can process.
Conditions:
-- SCTP with MRF SIP configured.
-- Outgoing connection receives more messages than it can process.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
669510-1 : When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
Component: Access Policy Manager
Symptoms:
When the network changes after the VPN is established, the network access tunnel is closed when the network access configuration has the 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
Conditions:
- 'Allow local DNS servers' option is enabled in Network Access configuration.
- 'Prohibit routing table changes during Network Access connection' option is enabled in Network Access configuration.
- Network changes after VPN is established.
Impact:
- Network access tunnel is dropped due to routing table changes.
Workaround:
User needs to connect to VPN again.
669462-3 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
Component: TMOS
Symptoms:
Unable to use pool members from /Common/ when outside of /Common/.
Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool
Impact:
Unable to use pool members from /Common/ when outside of /Common/.
Workaround:
No workaround at this time.
669262-1 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
Solution Article: K91122850
Component: Global Traffic Manager (DNS)
Symptoms:
When a reverse zone is created in ZoneRunner with a name that does not end exactly in .arpa but in another case variation such as .ARPA, the zone is not treated as a reverse zone.
PTR is not available from the 'Type' dropbox menu when creating new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.
Conditions:
Creating a reverse zone in ZoneRunner whose name does not end exactly in .arpa but in another case variation such as .ARPA.
Impact:
Cannot create PTR resource record for the created reverse zones.
Workaround:
Create reverse zones with names ending exactly in .arpa.
669255-1 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
Solution Article: K20100613
Component: TMOS
Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:
- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.
Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:
- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade
Impact:
The BIG-IP system operates at a suboptimal performance level.
Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.
669153-1 : On demand cert authentication does not work with Linux CLI client
Component: Access Policy Manager
Symptoms:
If access policy is configured with on demand certificate authentication, Linux CLI client continually creates new sessions on APM until sessions are exhausted.
Conditions:
All of the following conditions must be true:
1) Linux CLI client is used.
2) On demand certificate authentication is configured.
Impact:
Client fails to establish connection. On APM, multiple sessions are created.
Workaround:
Use the F5 helper apps client to launch the VPN.
669021-1 : Application Tunnel fails to start with the following message: Failed, Couldn't open proxy server.
Component: Access Policy Manager
Symptoms:
Application Tunnel fails to start, with the following message: Failed, Couldn't open proxy server.
Also, logterminal.txt might contain multiple entries similar to the following:
2017-05-28,10:44:11:080, 2724,2500,HOST, 48, , 1801, CHostCtrl::OnTimer(), TUNNEL_SERVER_READY_CHECK - TunnelServer is ready
2017-05-28,10:44:11:095, 2724,2500,HOST, 48, , 1801, CHostCtrl::OnTimer(), TUNNEL_SERVER_READY_CHECK - TunnelServer is ready
2017-05-28,10:44:11:111, 2724,2500,HOST, 48, , 1801, CHostCtrl::OnTimer(), TUNNEL_SERVER_READY_CHECK - TunnelServer is ready
Conditions:
Conditions are undefined. If a thread running in F5 components gets blocked by something such as Anti-Virus, WM_TIMER events might cause the Microsoft Windows message queue to overfill, resulting in unexpected behavior.
Note: This is an intermittent issue. Such instances of congestion happen when a thread, typically the main thread, is blocked by some long-standing (blocking) operation and does not happen in general use.
Impact:
Application Tunnel does not start.
Workaround:
None.
668964-1 : 'bgp neighbor <peer IP> update-source <IP>' command may apply change to all peers in peer-group
Solution Article: K81873940
Component: TMOS
Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.
Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.
Impact:
Changes may apply to all peers in the group.
Workaround:
Depending on the network setup, it may be possible to work around the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.
668521-3 : Bigd might stall while waiting for an external monitor process to exit
Component: Local Traffic Manager
Symptoms:
The bigd process restarts due to a heartbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.
Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)
High system load makes this more likely to occur.
Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.
Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.
668503-1 : Edge Client fails to reconnect to virtual server after disabling Network Adapter
Component: Access Policy Manager
Symptoms:
1. Connect to an APM Virtual Server.
2. Disable Network Adapter.
3. Enable the Network Adapter.
Edge Client fails to reconnect.
Conditions:
Network Adapter is disabled and re-enabled.
Impact:
Edge Client does not re-establish VPN when Network Adapter is re-enabled.
Workaround:
Disconnect and Connect Edge Client.
668459-1 : Asymmetric transparent nexthop traffic only updates ingress interface
Component: Local Traffic Manager
Symptoms:
When transparent nexthop traffic from server to client uses a different VLAN group than client-to-server traffic, the server-to-client traffic is sent out the VLAN group that handles the client-to-server traffic. The destination MAC address on the server-to-client traffic is preserved even though the VLAN group is not.
Conditions:
-- Transparent nexthop virtual server configured.
-- VLAN-keyed connections disabled.
-- Asymmetric traffic between two VLAN groups.
Impact:
Return traffic may be transmitted on a VLAN group with a destination MAC that does not match any host on that group.
Workaround:
None.
668196-1 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down
Component: Local Traffic Manager
Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.
Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).
Impact:
Pool member remains marked down.
Workaround:
This condition is very rare but if it occurs you can try removing the pool member or node and re-adding it.
668129-2 : BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
Component: Access Policy Manager
Symptoms:
Certain SAML implementations support configuring multiple signing certificates to be used for signing SAML messages. In these deployments, different signing certificates can be used when certificate rotation takes place. Until now, BIG-IP as SP only supported a single signing certificate from external IdPs.
When certificate rotation happens on the external IdP, the BIG-IP signature verification certificates have to be updated.
Conditions:
External IdP advertises multiple signing certificates in SAML metadata.
Impact:
When external IdP starts using new signing certificate previously advertised in metadata, authentication on BIG-IP as SAML SP will fail until administrator adjusts configuration to specify new signature validation certificate on appropriate SAML IdP connector object.
Workaround:
Signing certificates on BIG-IP as SAML SP can be reconfigured manually.
668041-1 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
Solution Article: K27535157
Component: Local Traffic Manager
Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.
Conditions:
An iRule contains a commented line that ends with a backslash, and the config also contains a policy, for example, an iRule similar to the first example, and a policy similar to the second:
ltm rule /Common/log_info {
when HTTP_RESPONSE {
#log local0. "Original Location header value: [HTTP::header value Location],\
updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}
...
ltm policy /Common/Test_Policy {
controls { forwarding }
requires { http tcp }
rules {
TestPol_Rule1 {
actions {
0 {
forward
select
node 10.2.10.20
}
}
conditions {
0 {
tcp
address
matches
values { 10.1.10.20 }
}
}
}
}
strategy /Common/first-match
}
Impact:
Config load fails.
Workaround:
You can use any of the following workarounds:
-- Delete the comment line.
-- Merge the multiple lines into a single line.
-- Make each line a separate comment.
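A pre-load check for this condition, written as an added example (not F5 code): it scans a bigip.conf text for comment lines inside 'ltm rule' blocks that end with a Tcl line continuation (an odd number of trailing backslashes, which makes the next line part of the comment) and rewrites them using the 'separate comments' workaround. The sample configuration is constructed after the rule/policy pair quoted above; brace counting is a heuristic that ignores braces on comment lines only.

```python
import re

TRAILING_BACKSLASHES = re.compile(r"\\+$")


def ends_with_continuation(line):
    """True if the line ends with an odd number of backslashes, i.e. a Tcl
    backslash-newline that joins the next line onto this one."""
    m = TRAILING_BACKSLASHES.search(line.rstrip())
    return bool(m) and len(m.group(0)) % 2 == 1


def check_irule_comments(conf):
    """Return (hits, fixed). hits lists 1-based line numbers of comment lines
    inside 'ltm rule' blocks that are backslash-continued; fixed is the text
    with every continuation turned into its own comment line."""
    hits, fixed = [], []
    in_rule, depth, continuing = False, 0, False
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        if not in_rule and stripped.startswith("ltm rule "):
            in_rule, depth = True, 0
        if not in_rule:
            fixed.append(line)
            continue
        if continuing:
            # In Tcl this line is still part of the previous comment; emit it as
            # a comment of its own, keeping indentation and dropping a further
            # continuation backslash if the chain goes on.
            indent = line[: len(line) - len(line.lstrip())]
            more = ends_with_continuation(stripped)
            body = stripped[:-1] if more else stripped
            fixed.append(f"{indent}# {body}")
            continuing = more
            continue
        if stripped.startswith("#"):
            if ends_with_continuation(stripped):
                hits.append(lineno)
                continuing = True
                line = line.rstrip()[:-1]  # remove the continuation backslash
            fixed.append(line)
            continue  # braces inside comments do not affect block depth
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            in_rule = False
        fixed.append(line)
    return hits, "\n".join(fixed) + ("\n" if conf.endswith("\n") else "")


# Constructed sample modelled on the release note's example; the policy body is
# abbreviated because only its presence matters for the failure.
SAMPLE_CONF = """\
ltm rule /Common/log_info {
    when HTTP_RESPONSE {
        #log local0. "Original Location header value: [HTTP::header value Location],\\
        updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
    }
}
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    strategy /Common/first-match
}
"""

if __name__ == "__main__":
    hits, fixed = check_irule_comments(SAMPLE_CONF)
    print("backslash-continued comment lines:", hits)
    print(fixed)
```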
667892-3 : FPS: BLFN inheritance won't take effect until GUI refresh
Component: Fraud Protection Services
Symptoms:
1. Create an fps profile with an "Additional function to be run before JavaScript load" (BLFN) configured.
2. Clone this profile.
3. In the cloned profile, choose another profile to inherit defaults from (one with no BLFN).
4. Save configuration.
Conditions:
- Current profile has a BLFN configured.
- New parent profile has no BLFN.
Impact:
The original BLFN is still configured on the profile (should have inherited the empty BLFN from parent profile).
Workaround:
1. Use tmsh.
2. Refresh before save.
667775-1 : The lastRestoreLog field is missing from the tm/shared/sys/backup REST endpoint
Component: Device Management
Symptoms:
After a successful restore of a UCS backup via the REST API tm/shared/sys/backup, queries against that endpoint will return the expected results except for the lastRestoreLog field.
Conditions:
UCS restore triggered via the tm/shared/sys/backup REST endpoint on a BIG-IP version 13.0.X.
Impact:
The last UCS Restore log is not available for review.
Workaround:
None.
667763-1 : APM Network Tunnel not connecting when Virtual Server has Application DoS profile
Solution Article: K24852255
Component: Access Policy Manager
Symptoms:
APM Network Tunnel is not connecting when Virtual Server has Application DoS profile assigned to it.
Conditions:
This happens when the Virtual Server has both 'Network Access' and a DoS profile with 'Application' enabled.
Impact:
APM end users cannot connect to the Network Tunnel.
Workaround:
None.
667700-2 : Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed
Component: Policy Enforcement Manager
Symptoms:
The PEM rule page only displays Webroot categories for the classification filter; Websense categories are not displayed, so users cannot create a PEM rule with Websense classification filters from the Web UI.
Conditions:
Creating a PEM rule with a classification filter from the Web UI.
Impact:
None. User can update the configuration from TMSH.
Workaround:
Use TMSH to add a Websense classification filter to a PEM rule.
667661-3 : Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'
Solution Article: K69015104
Component: Device Management
Symptoms:
Adding a secondary HA device to an Access Group fails with the error 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'.
Conditions:
Fails when adding an HA device to an Access Group.
Impact:
Device cannot be added to Access Group.
Workaround:
None.
667648-1 : TMM can crash when it exits while still processing traffic
Solution Article: K20210720
Component: Local Traffic Manager
Symptoms:
Unexpected TMM crash during shutdown.
Conditions:
This is a randomly occurring, potentially timing-related issue that might be related to other operations also occurring during shutdown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
667599-1 : Edge client reevaluates access policy upon system wake up from sleep
Component: Access Policy Manager
Symptoms:
The macOS Edge client starts to re-evaluate the access policy when the system wakes from sleep, before the access policy has expired for any reason. The Edge client should reuse the existing session, but instead it requests authentication again.
Conditions:
macOS Edge client; the MacBook is put to sleep and woken up before the session expires.
Impact:
Usability: a new request for authentication is shown.
667560-2 : FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
Solution Article: K69205908
Component: Local Traffic Manager
Symptoms:
A pool member configured through an FQDN node and which has multiple associated monitors may become unknown (blue) after a monitor rule change to one of its associated monitors. The expected behavior is that the node should remain 'green' if monitoring is successful with the new rule, but the node may become unknown (blue) until bigd is restarted.
Conditions:
A pool member is configured through an FQDN node, and has multiple associated monitors, and a monitor rule change is made to one of the associated monitors.
Impact:
The pool member status correctly reflects whether monitoring is successful (green) or the pool member is unknown (blue), but the changed monitor rule may not take effect until bigd is restarted.
Workaround:
When making changes to a monitor rule associated with a pool member configured through FQDN, verify the node remains monitored (green or checking), or restart bigd. Alternatively, change monitor rules within the configuration file, and reload the configuration.
667405-1 : Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
Solution Article: K61251939
Component: TMOS
Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.
Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.
Impact:
Memory leak in the TMM.
Workaround:
None.
667404-3 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
Solution Article: K77576404
Component: TMOS
Symptoms:
If fragmented IP packets match an IPsec policy and are then forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key belonging to another connflow, including internal MCP flows. When that happens, and IPsec tunnels those flows, internal MCP heartbeats later miss and cause tmm restarts.
Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.
Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.
667295-2 : 'RTSP::header exists' iRule command always returns True
Solution Article: K51601122
Component: Carrier-Grade NAT
Symptoms:
Using the 'RTSP::header exists' command in an iRule returns true even if the header is not present.
Conditions:
Using the 'RTSP::header exists' command in an iRule, e.g., [RTSP::header exists "Transmitting"].
Impact:
Returns 1 (TRUE) even if the header is not present. Should return 2 (ERR_NOT_FOUND) on failure.
Workaround:
None.
667278-2 : DSC connections between BIG-IP units may fail to establish
Component: TMOS
Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:
-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).
While the unit at the other end of the connection will log messages similar to the following example:
-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed
Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).
Impact:
Config-Sync and device discovery operations will fail between affected units.
Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).
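Two checks for this issue, added here as an example (not F5 code): the first confirms that the two config-sync self-IPs share a subnet, the simpler arrangement the workaround recommends; the second parses the mcpd 01071af4 denial message quoted above so that monitoring can report which peer and which VLANs are involved. The prefix lengths on the self-IPs and the sample log lines are constructed for the example; the release note gives only the two addresses.

```python
"""Checks for the DSC/CMI connection failure above (added example, not F5 code).

Assumes self-IPs are given as 'address/prefix' (as shown by 'tmsh list net self')
and that the mcpd denial line uses the exact wording quoted in the release note.
"""
import ipaddress
import re

DENIAL_RE = re.compile(
    r"01071af4:3: Inbound CMI connection from IP \((?P<peer>[^)]+)\) denied "
    r"because it came from VLAN \((?P<actual>[^)]+)\), "
    r"not from expected VLAN \((?P<expected>[^)]+)\)"
)

# Constructed sample log, modelled on the messages quoted in the release note;
# the timestamps and hostname are made up.
SAMPLE_LOG = """\
May 31 20:58:03 bigip-a err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).
May 31 20:58:04 bigip-a notice mcpd[7912]: 0107143c:5: Connection to CMI peer 192.168.100.1 has been removed
"""


def same_subnet(self_ip_a, self_ip_b):
    """True when both config-sync self-IPs fall in the same network."""
    return (ipaddress.ip_interface(self_ip_a).network
            == ipaddress.ip_interface(self_ip_b).network)


def parse_cmi_denials(log_text):
    """Extract peer address and actual/expected VLAN from each 01071af4 line."""
    return [m.groupdict() for m in DENIAL_RE.finditer(log_text)]


def assess(self_ip_a, self_ip_b, log_text):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if not same_subnet(self_ip_a, self_ip_b):
        findings.append(
            "config-sync self-IPs %s and %s are not in the same subnet; "
            "peer traffic may arrive via a gateway pool or ECMP route on an "
            "unexpected VLAN" % (self_ip_a, self_ip_b))
    for d in parse_cmi_denials(log_text):
        findings.append(
            "CMI connection from %(peer)s arrived on VLAN %(actual)s, "
            "expected %(expected)s" % d)
    return findings


if __name__ == "__main__":
    # Prefix lengths are assumed; the release note only gives the two addresses.
    for line in assess("192.168.100.1/24", "192.168.200.1/24", SAMPLE_LOG):
        print(line)
```

Feed it the config-sync self-IPs of both units and a copy of /var/log/ltm from the unit that logs the denial; a subnet mismatch together with a 01071af4 finding is the signature of this issue.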
667167-1 : Indirect invocation for History object methods fails using Portal Access
Component: Access Policy Manager
Symptoms:
The web application does not function as expected, because the rewrite rule does not rewrite the links.
Conditions:
Web application code contains an indirect reference to History object methods. For example:
hps = history.pushState;
hps.call(history,{},"test","/test-history-pushState-ok.html")
Impact:
Web-application does not function as expected.
Workaround:
Use a custom iRule.
667114-3 : TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
Solution Article: K32622880
Component: TMOS
Symptoms:
TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
Conditions:
-- BWC policy applied.
-- TCP traffic passes through the IP forwarding or L2 forwarding virtual server.
Impact:
Lower throughput than expected.
Workaround:
When using BWC, use a proxy virtual server instead of IP forwarding or L2 forwarding virtual servers.
667082-1 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
Solution Article: K21090061
Component: TMOS
Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.
Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.
Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.
Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.
667028-3 : DNS Express does not run on i11000 platforms with htsplit disabled.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.
Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.
Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.
Workaround:
Enable htsplit using the following command:
modify sys db scheduler.splitplanes.ltm value true
666884-1 : cpcfg cannot copy a configuration on a chassis platform★
Solution Article: K27056204
Component: TMOS
Symptoms:
cpcfg fails with errors similar to:
info: Getting configuration from HD1.3
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
error: status 256 returned by command: F5_INSTALL_MODE=install F5_INSTALL_SESSION_TYPE=hotfix chroot /mnt/tm_install/23102.e3MAZU /usr/local/bin/im -force /var/local/ucs/config.ucs
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /shared: Not enough free space
info: 6144 bytes required
info: 0 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.
Conditions:
Only on a chassis platform running 13.0.x.
Impact:
You cannot use cpcfg on a chassis platform.
Workaround:
Save a UCS from the source volume, reboot to the destination volume, then load that UCS file.
666783-1 : svpn goes into a reconnect loop when another adapter is connected after VPN is connected.
Solution Article: K11974816
Component: Access Policy Manager
Symptoms:
If you connect to VPN, and a previously disconnected network adapter (WiFi/ethernet) gets connected, then svpn goes into a reconnect loop due to routing table conflicts.
Conditions:
- Split tunnel configuration.
- 'Prohibit routing table changes during Network Access' is enabled.
- VPN is connected and a previously disconnected network adapter (WiFi/ethernet) gets connected.
Impact:
Reconnecting loop until you manually click Disconnect.
Workaround:
Disable the 'Prohibit routing table changes' option in Network Access.
666616-1 : Some HTTP iRule commands should always return results as Tcl lists, but do not.
Solution Article: K82565029
Component: Local Traffic Manager
Symptoms:
The HTTP iRule commands behave differently if they return only a single result. They will return a Tcl string rather than a Tcl list containing a string.
Conditions:
One or more of the following HTTP iRule commands are used, and the conditions exist such that a single result is returned:
HTTP::cookie names
HTTP::cookie attribute names
HTTP::header names
HTTP::header values
Impact:
A string is returned rather than a list. This may affect Tcl code that expects the result to be a list, leading to incorrect behavior.
Workaround:
If the result is not a list, this can be detected in a Tcl script, and the result handled as a special case.
666595-1 : Monitor node log fd leak by bigd instances not actively monitoring node
Component: Local Traffic Manager
Symptoms:
Each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis opens a file descriptor for each node or pool member that has monitor logging enabled. However, only one instance of bigd is actively monitoring each individual node, and actively logging health monitor events to the node log. When LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool, or pool member configuration.
Note: This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool or pool member configuration.
Conditions:
This may occur when the following conditions are met:
1. An LTM health monitor is assigned to an LTM node, pool or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool or pool member configuration while logging is still enabled ('monitor' value set to 'none').
Impact:
When this problem occurs, the instance of bigd that is actively monitoring a particular node will close its file descriptor to that node's log file (under /var/log/monitors), but other instances of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis will leak their file descriptor to the node log.
File descriptors that are opened by the bigd daemon and not closed will count against bigd's internal file descriptor limit. This may result in file descriptor exhaustion and failure of LTM health monitoring.
Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.
666553 : KeyLogger fails to work properly with jQuery 1.11.1
Component: Fraud Protection Services
Symptoms:
'Invalid calling object' error message in the console.
Conditions:
- Edge Browser.
- jQuery 1.11.1.
- KeyLogger is enabled.
- The end user moves the cursor to a protected password field.
Impact:
'Invalid calling object' error message in the console.
Workaround:
Disable KeyLogger in GUI.
666505-1 : Gossip between Viprion blades
Component: iApp Technology
Symptoms:
Gossip does not appear to run between Viprion blades in a device service cluster.
Conditions:
Two BIG-IP systems running the latest build, configured with device service clustering and an HA group.
Impact:
Enabling Gossip on the non-primary Viprion blade interferes with communication between the primary and the remote peer.
Workaround:
Do not enable Gossip on the non-primary Viprion blade.
666497-1 : Some of the Korean translations in Windows Edge Client were incorrect
Component: Access Policy Manager
Symptoms:
Some of the Korean translations in Microsoft Windows Edge Client's main windows are incorrect.
Conditions:
User uses Edge Client application on Windows.
Impact:
Confusion due to inaccurate translation.
Workaround:
None.
666454-3 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
Solution Article: K05520115
Component: Access Policy Manager
Symptoms:
Edge client running on a MacBook Pro 2016 with a Touch Bar cannot connect to VPN in a full tunneling configuration with the 'Prohibit routing table modification' option selected.
Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.
Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on a MacBook Pro that has the iBridge interface (e.g., one with the Touch Bar).
2) VPN is configured in a full tunneling configuration.
3) Mac OS X version is v10.12.5.
Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.
Impact:
VPN connection will fail.
Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.
666258-1 : GTM/DNS manual resume pool member not saved to config when disabled
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member that was disabled by manual-resume becomes available again after a reboot.
Conditions:
A GTM pool is configured with manual-resume enabled, and its pool member was at some point unavailable.
Impact:
A pool member that should remain disabled unexpectedly becomes available.
Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only
666221-1 : tmm may crash from DoSL7
Component: Advanced Firewall Manager
Symptoms:
tmm crash.
Conditions:
A virtual server configured with the following:
a compression profile, an HTTP profile with DoSL7 and a DoSL7 iRule, and RAM Cache.
Impact:
SIGSEGV. Traffic disrupted while tmm restarts.
Workaround:
None.
666165-1 : iApp - f5.forward_proxy + checksum - config error upgrading from v12 to v13★
Component: TMOS
Symptoms:
The v13.0.0 CLI script f5.app_utils was released without a signature, causing signed iApps that refer to it to fail with an error similar to the following: 01070734:3: Configuration error: When updating status on AppTemplate ... signature verification of in
Unexpected Error: Validating configuration process failed.
Conditions:
1. Must be upgrading to 13.0.0.
2. Must have imported or created an iApp template that has a dependency (i.e., tmsh::include).
3. Must have applied a checksum or signature to the imported template.
Note: Deploying the iApp is not required. Config load will fail even if the iApp template is not used.
Impact:
Upgrade to v13.0.0 fails to load config.
Workaround:
Remove signatures and checksums from iApps that have script dependencies prior to upgrade.
666117-5 : Network failover without a management address causes active-active after unit1 reboot
Component: TMOS
Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.
Conditions:
Device Service Cluster with only self-ips configured for the failover network.
Impact:
Unexpected failover may cause traffic interruption.
Workaround:
Configuring multiple redundant network failover paths, including the management network, will reduce the possibility of this problem.
666112-2 : TMM 'DoS Layer 7' memory leak during config load
Component: Advanced Firewall Manager
Symptoms:
Degraded performance; potential eventual out-of-memory.
Note: The 'DoS Layer 7' allocations increase by 'TMM count * number of domains' after each config load.
Tip: You can watch the 'DoS Layer 7' allocations increase from a shell on the BIG-IP system using the following command:
# watch -n1 -- 'tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat | grep -E "^name|---|^DoS Layer 7 "'
Conditions:
-- Provision ASM.
-- Make sure the built-in 'security dos bot-signature' objects are present in the config.
-- Load the config from another shell using the following command:
tmsh load sys config
Impact:
Degraded performance; potential eventual out-of-memory.
Workaround:
None.
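To turn the tmctl tip above into an automated check, here is an added example (not F5 code) that parses snapshots of the 'DoS Layer 7' row from tmctl memory_usage_stat output, reports the growth in current allocations between two snapshots, compares it with the 'TMM count * number of domains' figure given above, and flags a sequence of snapshots that grows after every config load. The tmctl output is constructed to match the column layout selected by the command in the tip (name, allocated, max_allocated, cur_allocs); the numbers are made up.

```python
"""Detect 'DoS Layer 7' allocation growth across config loads (added example, not F5 code).

Assumes the column order produced by
  tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat
i.e. a row name (which may contain spaces) followed by three integer columns.
"""
import re

ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<allocated>\d+)\s+(?P<max_allocated>\d+)\s+(?P<cur_allocs>\d+)\s*$"
)

# Constructed snapshots: before and after one 'tmsh load sys config'.
SNAPSHOT_BEFORE = """\
name                 allocated  max_allocated  cur_allocs
-------------------- ---------- -------------- ----------
DoS Layer 7             1048576        1048576        320
"""
SNAPSHOT_AFTER = """\
name                 allocated  max_allocated  cur_allocs
-------------------- ---------- -------------- ----------
DoS Layer 7             1310720        1310720        400
"""


def parse_memory_usage_stat(text):
    """Return {row name: {'allocated', 'max_allocated', 'cur_allocs'} as ints}."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header and the dashed separator line do not match
            d = m.groupdict()
            name = d.pop("name").strip()
            rows[name] = {k: int(v) for k, v in d.items()}
    return rows


def alloc_growth(before_text, after_text, row="DoS Layer 7"):
    """Growth in current allocations for one row between two snapshots."""
    before = parse_memory_usage_stat(before_text)[row]
    after = parse_memory_usage_stat(after_text)[row]
    return after["cur_allocs"] - before["cur_allocs"]


def leak_matches_config_load(before_text, after_text, tmm_count, domain_count):
    """True when the growth equals the per-load leak the release note describes."""
    return alloc_growth(before_text, after_text) == tmm_count * domain_count


def grows_every_load(snapshots, row="DoS Layer 7"):
    """True when cur_allocs rises at every step of a sequence of snapshots
    taken after successive config loads, which is the leak signature."""
    counts = [parse_memory_usage_stat(s)[row]["cur_allocs"] for s in snapshots]
    return all(b > a for a, b in zip(counts, counts[1:]))


if __name__ == "__main__":
    # 8 TMMs and 10 domains are assumed values for the illustration.
    print("growth:", alloc_growth(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print("matches 8 TMMs * 10 domains:",
          leak_matches_config_load(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, 8, 10))
    print("grows every load:", grows_every_load([SNAPSHOT_BEFORE, SNAPSHOT_AFTER]))
```

Capture the tmctl output before and after each 'tmsh load sys config' and pass the captures in order; steady growth that matches the TMM and domain counts confirms this issue rather than ordinary allocation churn.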
666058-1 : XenApp 6.5 published icons are not displayed on APM Webtop
Solution Article: K86091857
Component: Access Policy Manager
Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.
VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size"
Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some third-party applications carry more icon bitmap information than expected.
Impact:
Icons are not displayed on the APM Webtop
Workaround:
None.
665992-1 : Live Update via Proxy No Longer Works
Component: Application Security Manager
Symptoms:
BIG-IP devices that need to use a proxy server to communicate with callhome.f5.com no longer receive, or check for, automatic updates.
Conditions:
The BIG-IP device is behind a network firewall and outbound communication must be through a proxy.
Impact:
The BIG-IP will not be able to contact the callhome server to check for, or receive, updates.
Workaround:
Updates can be downloaded manually from the F5 Downloads server and installed directly on the BIG-IP.
665778-2 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
Solution Article: K34503519
Component: iApp Technology
Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'
Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.
Impact:
Cannot view/re-deploy iApps.
Workaround:
Use TMSH to view/re-deploy iApps.
There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.
Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.
-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.
-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.
665732-3 : FastHTTP may crash when receiving a fragmented IP packet
Solution Article: K45001711
Component: Local Traffic Manager
Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.
Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.
Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.
665725-1 : Second block device image install fails to install
Solution Article: K10773217
Component: TMOS
Symptoms:
'tmsh install sys software block-device-image' fails in a vCMP guest after a previous, successful installation.
Conditions:
vCMP guest install using the command 'tmsh install sys software block-device-image' executed a second time in succession.
Impact:
After one block device install succeeds, subsequent installations will fail before rebooting.
Workaround:
Restart lind on all blades of the vCMP guest using the following command:
clsh bigstart restart lind
665656-2 : BWC with iSession may memory leak
Component: TMOS
Symptoms:
A memory leak may occur when BWC is configured with iSession.
Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.
Impact:
A memory leak.
Workaround:
None.
665652-1 : Multicast traffic not forwarded to members of VLAN group
Solution Article: K41193475
Component: Local Traffic Manager
Symptoms:
Multicast traffic traversing through the BIG-IP system through a VLAN that is member of a VLAN group does not get forwarded to other members of the VLAN group.
Conditions:
Multicast traffic ingress from a VLAN in a VLAN group.
Impact:
Traffic is not forwarded to the other members of the VLAN group.
Workaround:
None.
665611-1 : Cannot create a Citrix or VMware View resource from Admin UI in a non-Common partition with a non-default route domain using pool as a destination
Solution Article: K36337390
Component: Access Policy Manager
Symptoms:
Administrator cannot create a Citrix or VMware View resource from Admin UI in a non-Common partition with a non-default route domain using pool as a destination. The system posts a message similar to the following:
01070734:3: Configuration error: apm resource remote-desktop: /subpart/sec-vdi-desktop :only one destination type is supported.
Conditions:
1) Non-default partition used (i.e., not the /Common partition).
2) This non-default partition uses a non-zero route domain.
3) A pool created in this partition.
Impact:
VDI resources (Citrix/VMware View) cannot be created using Admin UI in a non-default partition with a non-zero default route domain.
Workaround:
Use TMSH to create such a resource, using a set of commands similar to the following:
In the /Common partition, run the following command:
cd /subpart/
In subpart, run a command similar to the following:
create apm resource remote-desktop vmware-view test_res_subpart pool /subpart/pool_subpart_partition
665425-2 : AVR Max metrics shows wrong values
Solution Article: K24182390
Component: Application Visibility and Reporting
Symptoms:
In the AVR HTTP Page, metrics Max TPS and Max Throughput display incorrect values.
Conditions:
The root cause is a 32-bit overflow, so the incorrect values are displayed only when there are high volumes of traffic.
Impact:
Displayed metrics do not correctly show activity.
Workaround:
There is no workaround at this time.
665362-3 : MCPD might crash if the AOM restarts
Component: TMOS
Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.
Conditions:
This can occur while AOM is restarting.
Impact:
System goes offline for a few minutes.
Workaround:
None.
665117-1 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
Solution Article: K33318158
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Server status flapping from red-green-red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Check Transparent for these monitors.
664829-2 : BIG-IP sometimes performs unnecessary reboot on first boot
Component: TMOS
Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of the disk has changed, re-size the partition table, and cause a reboot to occur. This is likely to occur only on VE guests.
Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.
Note: A specific software version in a specific cloud environment either always exhibits this or never does.
Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.
Workaround:
None.
664737-1 : Do not reboot on ctrl-alt-del
Component: TMOS
Symptoms:
BIG-IP reboots on ctrl-alt-del keys
Conditions:
VE with ctrl-alt-del keys in the video console.
Impact:
BIG-IP reboots.
664714 : Client-side challenge is changing POST parameter value under some circumstances
Component: Application Security Manager
Symptoms:
A parameter arrives at the server with a different value than the client sent. This happens while a brute-force-attack challenge, a web-scraping challenge, or a web-scraping session client-side mitigation is in progress.
Conditions:
-- POST request with URL-decoded parameters.
-- A parameter is escaped.
-- A client-side challenge is returned for this request.
Impact:
The wrong parameter arrives to the application. In response, the application may stop working or have other errors.
Workaround:
N/A
664708-1 : TMM memory leak when DoS profile is attached to VS
Component: Advanced Firewall Manager
Symptoms:
TMM memory leak when DoS profile is attached to VS
Conditions:
1. A DoS profile is attached to the virtual server.
2. Traffic from a search engine arrives at this virtual server.
3. A DNS resolver is configured.
Impact:
TMM memory use increases over time.
Workaround:
There is no workaround at this time.
664596 : One LTM policy causes a different policy to not execute
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, the presence of one LTM policy will preclude another LTM policy from running.
Conditions:
Two policies are present on a virtual server; a policy with a condition evaluated at HTTP_RESPONSE time prevents a policy that unconditionally acts at HTTP_REQUEST time from running.
Impact:
Expected LTM policy does not run.
Workaround:
None.
664535-2 : Diameter failure: load balancing fails when all pool members use same IP Address
Component: Service Provider
Symptoms:
Case 1: Run 2 servers with the same IP but different ports. Send 10 requests from 1 client.
Result: All 10 requests from the client are delivered to 1 server. The result is the same when use-local-connection is disabled.
Case 2: Run 2 servers with the same IP but different ports, but this time use the MR::message route iRule command to route messages between hosts. Send 10 requests from 1 client.
Result: All 10 requests from the client are delivered to 1 server.
Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.
Impact:
All the requests from the same client are delivered to 1 server only.
Workaround:
Use a different IP address for each pool member, or send the client requests from different IP addresses.
663974-1 : TMM crash when using LSN inbound connections
Component: Carrier-Grade NAT
Symptoms:
TMM might crash when using an LSN pool with inbound connections.
Conditions:
LSN inbound connections configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
663946-3 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Solution Article: K92111062
Component: Advanced Firewall Manager
Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
Note: For AFM hardware DoS protection, the host and vCMP guest must be the same version. To prevent this issue, disable hardware DoS checking on the vCMP guest by setting sys db dos.forceswdos to 'true'.
663911-1 : When running out of memory, MCP can report an incorrect allocation size
Component: TMOS
Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:
Failed to allocate memory for size 260 at clone_message:952.
The memory size indicated in the message may be incorrect.
Conditions:
MCP runs out of memory while attempting an allocation.
Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.
Workaround:
None.
663770 : AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server
Solution Article: K04025134
Component: Advanced Firewall Manager
Symptoms:
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server.
This is a regression from 12.1.x behavior.
Conditions:
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.
Impact:
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.
Workaround:
There is no workaround at this time.
663748-1 : tmm might crash if AFM DoS address-list whitelist is present in sPVA HW platforms
Component: Advanced Firewall Manager
Symptoms:
At bootup, there is a possibility of tmm crashing while coming up when the configuration contains an AFM address-list whitelist on an sPVA hardware platform.
Conditions:
Configuration contains AFM address-list whitelist on an sPVA HW platform, and the race condition happens in which tmm and mcpd start interacting before the hardware HSB is ready.
Impact:
tmm will crash and restart. Traffic disrupted while tmm restarts.
Workaround:
Remove the AFM address-list whitelist, and then configure it once the system is up.
663580-2 : logrotate does not automatically run when /var/log reaches 90% usage
Solution Article: K31981624
Component: TMOS
Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.
Conditions:
/var/log has less than 10% free space.
Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.
Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a description of the expected behavior.
Workaround:
None.
663531-2 : TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel
Component: Carrier-Grade NAT
Symptoms:
TMM crashes when PPTP finds a matching non-PPTP-GRE flow when checking for an existing tunnel.
Conditions:
PPTP ALG and CGNAT are configured on a BIG-IP system, and a non-PPTP GRE flow matches the lookup for an existing PPTP-GRE tunnel.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Possible mitigation: do not use a forwarding virtual server for non-PPTP GRE traffic.
663506-2 : apmd crash during ldap cache initialization
Solution Article: K30533350
Component: Access Policy Manager
Symptoms:
apmd crashes.
Conditions:
- LDAP module is in use in an access policy.
- APM end-users are logging in while an administrator modifies the AAA LDAP Server or LDAP Agent.
- The cache update takes a while (too many groups in the domain and/or a slow network).
Impact:
The BIG-IP system cannot process user logon requests until apmd is restarted and the LDAP cache is updated.
Workaround:
As a best practice, update the policy or AAA LDAP Server when the BIG-IP system is not under load, then perform one logon manually. apmd updates its caches on the first APM end-user logon; once the caches are updated, subsequent logons are much faster and should not cause problems.
663492-1 : Reconfigured istat may stop being recomputed
Component: TMOS
Symptoms:
When an istat is configured and used, it is possible to remove and then re-add the istat such that it does not get properly updated after it is re-added.
Conditions:
When an istat is removed and re-added.
Impact:
The istat does not get properly updated; for example, a counter won't increment.
Workaround:
If a removed istat needs to be re-added, give it a new name.
663377 : apmd logs stop being sent to all logging destinations intermittently
Component: Access Policy Manager
Symptoms:
In rare occasions, apmd logs could stop being sent to all logging destinations intermittently.
Conditions:
The conditions for this issue are unknown. Possible conditions include various configuration changes to apmd, or a large number of concurrent sessions.
Impact:
User cannot see any session-related apmd logs, from any destinations including local syslog, local-db, remote syslog.
Workaround:
1. Try reconfiguring APM logging: change the association between the log setting and the access profile, then change it back.
2. As a last resort, restart apmd.
663366-4 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
Component: TMOS
Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.
Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.
Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.
Workaround:
None.
663326-1 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys
Component: Local Traffic Manager
Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.
Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.
Impact:
Even though the key has been stored in the HSM, the BIG-IP system is still unable to use it, because the stub key that must be configured on the BIG-IP system is missing.
Workaround:
This can be worked around by directly using the Thales command, for example:
[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] >
663181-1 : VDI plugin-initiated connections may select inappropriate SNAT address
Component: Local Traffic Manager
Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.
Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.
Impact:
Return traffic from destination may not be able to return to the BIG-IP system, thus breaking the VDI functionality.
Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.
663122 : tmm might crash if auto-threshold is enabled for AFM DoS TCP Psh Flood vector
Component: Advanced Firewall Manager
Symptoms:
tmm might crash when auto-threshold is enabled for AFM DoS TCP Psh Flood vector.
Conditions:
-- AFM DoS is licensed and provisioned.
-- Configure the TCP Psh Flood vector for auto-threshold.
Impact:
tmm might crash and service will not be available. Traffic disrupted while tmm restarts.
Workaround:
Do not enable auto-threshold for TCP Psh Flood vector.
663073-3 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
Component: Global Traffic Manager (DNS)
Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.
If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.
Impact:
Available pool members might be potentially lost from the combo box until a page reload.
Note: The pool members are not gone from the system; they are still present, just not displayed.
Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.
662911-3 : SASP monitor uses same UID for all vCMP guests in a chassis or appliance
Solution Article: K93119070
Component: Local Traffic Manager
Symptoms:
The SASP GWM monitor generates the LB UID from the chassis serial number of the platform on which BIG-IP is running. All vCMP guests running on the platform attempt to use the same UID.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only one vCMP guest running on each BIG-IP appliance or VIPRION chassis is able to successfully use the SASP monitor.
- The SASP monitor running on the first vCMP guest can successfully connect to the SASP GWM.
- Subsequent SASP monitor instances running on other vCMP guests will fail to connect to the SASP GWM.
Conditions:
This occurs when multiple vCMP guests are running on a single BIG-IP appliance or VIPRION chassis, each using a SASP monitor connecting to the same SASP GWM to monitor pool member availability.
Impact:
The SASP monitor is unable to monitor pool member availability on more than one vCMP guest running on a single BIG-IP appliance or VIPRION chassis.
Workaround:
None.
662844-2 : TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
Solution Article: K87735013
Component: Service Provider
Symptoms:
Mirroring for Diameter MRF was not implemented in v12.x.x. However, there is an option that allows the user to enable it. When enabled, tmm crashes.
Conditions:
-- Connection mirroring is enabled for Diameter MRF virtual server's router profile.
-- Using v12.x.x.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Note: Mirroring for Diameter MRF was implemented in v13.0.0. The presence of the option to enable the unimplemented functionality is erroneous.
Workaround:
Do not enable Diameter MRF router profile's connection mirroring setting for v12.x.x.
662816-1 : Monitor node log fd leak for certain monitor types
Solution Article: K61902543
Component: Local Traffic Manager
Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.
Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').
Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.
This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.
The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open
Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.
File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.
Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.
662372-2 : Uploading a new device certificate file via the GUI might not update the device certificate
Solution Article: K41250179
Component: TMOS
Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.
Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.
Impact:
The device certificate is not updated and no error is shown.
Workaround:
Use the 'Paste Text' option to import the certificate.
662331-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
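A helper for the workaround above, added here and not part of the F5 release notes: it scans log lines for INVALID-SPI notifications, deduplicates the SPIs, and emits the corresponding tmsh delete commands so that the stale SAs can be removed in one pass. The log lines are constructed, and the 'spi=' field and message wording are assumptions about the log format; check them against /var/log/ltm on your own system before relying on the regular expression.

```python
import re
from typing import Iterable, List

# Constructed sample log lines (not captured from a real system). The daemon
# names, wording and the "spi=" field are assumptions about the log format.
SAMPLE_LOG = """\
Jan 10 12:00:01 bigip1 notice racoon[2231]: ERROR: ISAKMP INVALID-SPI notify received from 203.0.113.5 for spi=0x0c1d2e3f
Jan 10 12:00:02 bigip1 notice racoon[2231]: ERROR: ISAKMP INVALID-SPI notify received from 203.0.113.5 for spi=0x0c1d2e3f
Jan 10 12:00:05 bigip1 info tmm[1122]: ipsec: SA 0x0a0b0c0d established with 203.0.113.5
Jan 10 12:00:09 bigip1 notice racoon[2231]: ERROR: ISAKMP INVALID-SPI notify received from 198.51.100.7 for spi=0xdeadbeef
"""

# Only lines that carry an INVALID-SPI notification and an spi=0x... field match;
# the "SA established" line above is deliberately ignored.
INVALID_SPI_RE = re.compile(r"INVALID[-_ ]SPI.*?\bspi=(0x[0-9a-fA-F]{1,8})", re.IGNORECASE)


def invalid_spis(lines: Iterable[str]) -> List[str]:
    """Return the distinct SPIs reported as invalid, in first-seen order."""
    seen = set()
    found: List[str] = []
    for line in lines:
        match = INVALID_SPI_RE.search(line)
        if not match:
            continue
        spi = match.group(1).lower()
        if spi not in seen:
            seen.add(spi)
            found.append(spi)
    return found


def tmsh_delete_commands(spis: Iterable[str]) -> List[str]:
    """Build the tmsh command from the workaround for each invalid SPI."""
    return [f"delete /net ipsec ipsec-sa spi {spi}" for spi in spis]


if __name__ == "__main__":
    # In production, read /var/log/ltm instead of the constructed sample.
    for command in tmsh_delete_commands(invalid_spis(SAMPLE_LOG.splitlines())):
        print(command)
```

Review the generated commands before running them in tmsh: an SPI that a peer reports as invalid is the one to remove, and deleting an SA that is still valid would itself cause a tunnel outage until renegotiation.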
661881-1 : Memory and performance issues when using certain ASN.1 decoding formats in iRules
Solution Article: K00030614
Component: Local Traffic Manager
Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.
Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.
Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.
Workaround:
None.
Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.
660833-1 : merged repeatedly cores due to unused istats-trigger object
Component: TMOS
Symptoms:
The merged process continuously cores.
Conditions:
An istats-trigger is configured with elements that are not defined. All of the elements referenced in the key of the istats-trigger definition must be defined before the trigger is created.
Impact:
merged restarts.
Workaround:
None.
660826 : BIG-IQ Deployment fails with customization-templates
Component: Access Policy Manager
Symptoms:
A BIG-IQ deployment that issues multiple commands in one transaction to modify a customization group fails.
Conditions:
Simulation by tmsh for what's done in BIG-IQ:
1) Add a log-on agent in your policy.
2) Edit the log-on agent customization (Advanced Customization: both logon.inc and view.inc).
This should create two customization templates.
3) Make a backup of the customization template files in a folder such as /tmp. For example, to copy logon.inc and view.inc for the logon agent in the sjc-access policy (sjc-access_act_logon_page_ag), the following cp commands work:
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc
4) tmsh
5) create /cli transaction
6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }
7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }
8) submit /cli transaction
Impact:
The BIG-IQ operation fails in scenarios that change a customization group.
Workaround:
There is no workaround.
660760-2 : DNS graphs fail to display in the GUI
Solution Article: K75105750
Component: TMOS
Symptoms:
Can no longer view the DNS graphs in the GUI after upgrading from an earlier release. The system reports the following error in the GUI when visiting GUI Statistic :: Performance :: DNS: Error trying to access the database.
Conditions:
This occurs when the BIG-IP system is licensed for the GTM module (mod_gtm) instead of the DNS module (mod_dnsgtm). This might occur in the case where the system is upgraded from an earlier release such as v10.2.4 (where the module was GTM) to a later release such as v12.1.1 (where the module is DNS).
Impact:
Accessing the DNS graphs in the GUI fails.
Workaround:
None.
660711-2 : MCPd might crash when a user tries to import an access policy
Solution Article: K05265457
Component: Access Policy Manager
Symptoms:
MCPd restarts while importing an access policy; other daemons might also restart because of the MCPd restart.
Conditions:
This occurs when an access policy uses the same agent more than once. Importing that access policy causes MCPd to crash.
This can happen when you modify the configuration file of an exported access policy directly instead of managing the policy through the GUI/VPE.
Impact:
MCPd and some other daemons restart. GUI unresponsive for a while.
Workaround:
Only use the GUI/VPE to manage access policies.
You should not modify the config file for an exported access policy.
660654 : 'epsec refresh' works incorrectly if install package is deleted
Component: Access Policy Manager
Symptoms:
If the install EPSEC package is deleted before running the 'epsec refresh' command, the existing EPSEC version is refreshed instead of the new version.
Conditions:
-- Upload and install EPSEC package with a later version than is on the system.
-- Delete the install package.
-- Run the command: epsec refresh.
Impact:
The existing system package is reinstalled (essentially, a rollback to the previous version).
Workaround:
Leave the install package on the system until after you run the epsec refresh command.
660532-1 : Cannot specify the event parameter for redirects on the policy rule screen.
Solution Article: K21050223
Component: TMOS
Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.
System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.
Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.
Impact:
Cannot specify the event parameter.
Workaround:
None.
659969-4 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
Component: Global Traffic Manager (DNS)
Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.
Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.
Impact:
Command does not complete successfully. This is an internal validation issue.
Workaround:
None.
659912-2 : GSLB Pool Member Manage page display issues and error message
Component: Global Traffic Manager (DNS)
Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.
Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.
Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.
Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.
Impact:
Degraded usability.
Workaround:
Use TMSH to add a static-target and to edit pool members.
659899-3 : Rare, intermittent system instability observed in dynamic load-balancing modes
Solution Article: K10589537
Component: Local Traffic Manager
Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.
Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.
Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
659567-2 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
Solution Article: K94685557
Component: Policy Enforcement Manager
Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.
Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.
Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.
Workaround:
None.
659371-1 : apmd crashes executing iRule policy evaluate
Component: Access Policy Manager
Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.
Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.
Impact:
apmd crashes and restarts, preventing end users from logging in.
Workaround:
None.
659173-2 : Diameter Message Length Limit Changed from 1024 to 4096 Bytes
Solution Article: K76352741
Component: Service Provider
Symptoms:
Diameter messages longer than 1024 bytes might cause core dumps.
Conditions:
Using Diameter messages longer than 1024 bytes.
Impact:
Diameter MRF virtual servers are affected: tmm might produce a core file and restart.
Workaround:
Make sure messages are no longer than 1024 bytes.
659141-1 : Support tcpdump file has qkview extension
Solution Article: K11435321
Component: TMOS
Symptoms:
The Support tcpdump file has a qkview extension.
Conditions:
On the Support page, generate a tcpdump file.
Impact:
The tcpdump file has a qkview extension. There is no functional issue with the system; only the file extension is incorrect.
Workaround:
None.
658989-1 : Memory leak when connection terminates in iRule process
Component: Local Traffic Manager
Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.
Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.
Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid suspend/park commands in iRule processing.
658852-6 : Empty User-Agent in iSessions requests from APM client on Windows
Component: Access Policy Manager
Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC compliant and causes some firewalls to block the connection. This might result in failure to establish a VPN tunnel.
Conditions:
'/isession' requests from APM client on Windows.
Impact:
Failure to establish a VPN tunnel.
Workaround:
None.
658410-1 : icrd_child core when calling PUT on ltm/data-group/internal/
Component: TMOS
Symptoms:
icrd_child cores when a PUT is issued against ltm/data-group/internal/ during high traffic. This does not occur during low-traffic intervals.
Conditions:
Calling PUT on ltm/data-group/internal/ when traffic volume is high.
Impact:
icrd_child core.
Workaround:
None.
658298-2 : SMB monitor marks node down when file not specified
Component: TMOS
Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.
Conditions:
Pool member monitored with smb monitor.
Impact:
Service impact due to node being marked down.
Workaround:
Configure the monitor to fetch a file (authenticated).
658278-2 : Network Access configuration with Layered-VS does not work with Edge Client
Component: Access Policy Manager
Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.
Conditions:
Network Access is configured as follows:
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.
Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.
Workaround:
None.
657883-1 : tmm cache resolver should not cache response with TTL=0
Solution Article: K34442339
Component: Local Traffic Manager
Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.
Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.
Impact:
tmm cache resolver caches responses with TTL=0.
Workaround:
None.
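The caching behavior the entry above describes, as an added illustration that is not F5 code: a minimal positive-answer cache that refuses to store answers with TTL=0 (RFC 1035 states that such records may only be used for the transaction in progress and must not be cached) and expires entries on read, returning the remaining TTL the way a real cache resolver counts it down. The class and function names, the explicit 'now' argument used as the clock, and the sample answers are assumptions made for the example.

```python
from typing import Dict, Optional, Tuple


class ResolverCache:
    """Minimal positive-answer cache keyed on (owner name, record type).

    put() returns False instead of storing a TTL=0 answer, which is the
    behavior the defect above says the tmm cache resolver lacks.
    """

    def __init__(self) -> None:
        # key -> (rdata, absolute expiry time)
        self._entries: Dict[Tuple[str, str], Tuple[str, float]] = {}

    @staticmethod
    def _key(name: str, rtype: str) -> Tuple[str, str]:
        # DNS names are case-insensitive; strip a trailing dot so
        # "www.example.com." and "www.example.com" share one entry.
        return (name.lower().rstrip("."), rtype.upper())

    def put(self, name: str, rtype: str, rdata: str, ttl: int, now: float) -> bool:
        """Store an answer; refuse TTL<=0 and report whether it was cached."""
        if ttl <= 0:
            return False  # RFC 1035 3.2.1: a zero TTL means "do not cache"
        self._entries[self._key(name, rtype)] = (rdata, now + ttl)
        return True

    def get(self, name: str, rtype: str, now: float) -> Optional[Tuple[str, int]]:
        """Return (rdata, remaining TTL) or None if absent or expired."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires = hit
        if now >= expires:
            del self._entries[key]  # lazy expiry on read
            return None
        return rdata, int(expires - now)


if __name__ == "__main__":
    cache = ResolverCache()
    # Constructed sample answers; 192.0.2.0/24 is documentation address space.
    print(cache.put("www.example.com", "A", "192.0.2.10", 0, now=1000.0))   # False
    print(cache.get("www.example.com", "A", now=1000.0))                     # None
    print(cache.put("www.example.com", "A", "192.0.2.10", 30, now=1000.0))  # True
    print(cache.get("www.example.com", "A", now=1010.0))                     # ('192.0.2.10', 20)
    print(cache.get("www.example.com", "A", now=1030.0))                     # None
```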
657834-1 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
Solution Article: K45005512
Component: TMOS
Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.
Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
Note: The greater the number of routes flapping, the more likely to see the condition.
Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.
However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.
Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.
657727-1 : Running tcpdump from TMSH cannot capture the local "tmm" interface
Solution Article: K39694060
Component: TMOS
Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device
This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.
Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.
Impact:
Cannot run tcpdump on the 'tmm' internal interface.
Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.
657713-1 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
Solution Article: K05052273
Component: Local Traffic Manager
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:
notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- The gateway pool is configured with Action On Service Down = Reject.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- A connection is rejected by the gateway pool.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
Set service-down-action to none or reselect.
657708-1 : Packet Tester is still available in the GUI when AFM is not provisioned
Solution Article: K50308190
Component: Advanced Firewall Manager
Symptoms:
The Packet Tester is an AFM-only tool, but is available in the GUI when AFM is not provisioned.
Conditions:
BIG-IP system with AFM not licensed.
Impact:
The packet tester is available to use when it should not be.
Workaround:
None.
657531-1 : High memory usage when using the ICAP server
Solution Article: K02310615
Component: Application Security Manager
Symptoms:
High UMU memory when using the ICAP server.
Conditions:
-- ICAP is in use.
-- There are long requests (requests longer than 128 KB) that should get to the ICAP server.
Impact:
UMU memory goes up.
Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the size for the long requests buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).
657459 : Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.
Solution Article: K51358480
Component: TMOS
Symptoms:
Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.
Conditions:
Setting MGMT GUI Port to 443 on Single Nic.
Impact:
The 443 value is not saved after reboot.
Workaround:
Reconfigure port after each reboot using the following command: modify sys httpd ssl-port 443.
656898-1 : "oops" "bad transition" messages occur
Component: Local Traffic Manager
Symptoms:
The /var/log/ltm log shows many "oops" "bad transition" messages.
Conditions:
These messages occur due to internal invariant violations on full proxy TCP virtual servers. Ramcache or SSL on these virtual servers are likely causes. There may be yet unknown causes.
Impact:
Connections encountering these errors are aborted.
Workaround:
The excess logging may be stopped by setting the DB variable tmm.oops to "silent". These errors won't be reported but connections will still be aborted.
656811-7 : Memory usage with MBLB SIP ingress buffer on standby
Component: Service Provider
Symptoms:
Memory usage increases to high levels when the ingress-max profile setting is set to a large value.
Conditions:
Incoming SIP messages are mirrored to standby, then the flow is aborted on active.
Impact:
Degraded performance. With the built-in MBLB profile, allocations rise to 50 and stay there until the client stops sending (for example, the test client's 'while' loop is killed) and the flow is allowed to expire. With a non-default MBLB profile, allocations rise as high as the ingress-max setting.
Workaround:
- Make sure there is at least one available pool member.
- Use the default MBLB profile, or at least set ingress-max close to the default (50).
656807-1 : iRule DNS::ttl does not allow 0 (zero)
Component: Global Traffic Manager (DNS)
Symptoms:
DNS::rr cannot set ttl to 0. The system returns the following message: error: [internal error "unexpected return code"][DNS::ttl $rr 0].
Conditions:
-- Using iRule DNS::ttl.
-- Trying to set ttl to 0.
Impact:
DNS::rr cannot set ttl to 0, the resolver cache can't be disabled, and the system returns an error: error: [internal error "unexpected return code"][DNS::ttl $rr 0]
Workaround:
None.
655807-1 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
Solution Article: K40341291
Component: Global Traffic Manager (DNS)
Symptoms:
When QoS load balancing is selected, the packet rate score dominates the overall QoS score.
Conditions:
QoS load balance.
Impact:
The load balancing decision is determined mostly by packet rate.
Workaround:
None.
655767-4 : MCPD does not prevent deleting an iRule that contains in-use procedures
Component: Local Traffic Manager
Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.
MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:
01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).
However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.
Conditions:
Must be using iRules that call into other iRules.
Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.
Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.
655724-4 : MSRDP persistence does not work across route domains.
Solution Article: K15695
Component: Local Traffic Manager
Symptoms:
MSRDP persistence doesn't work with non-default route domains.
Conditions:
Configure a virtual server with an MSRDP persistence profile and a pool using a non-default route domain.
Impact:
MSRDP persistence does not work.
Workaround:
Implement MSRDP persistence using iRules.
655671-2 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
Component: TMOS
Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.
Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.
Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.
Workaround:
None. Typically, the issue resolves itself.
655506 : Guest configurations with mergeable buffers disabled are not supported.
Component: TMOS
Symptoms:
Guest configurations with mergeable buffers disabled are not supported.
Conditions:
Guest configuration explicitly disables mergeable buffers:
<host mrg_rxbuf='off'/>.
Impact:
tmm core. Traffic disrupted while tmm restarts. When mergeable buffers are disabled, the 13.0.0 virtio driver crashes and the 13.1.0 driver stops processing, i.e., it does not attach to the device.
Workaround:
Do not disable mergeable buffers.
655500-2 : Rekey SSH sessions after one hour
Component: TMOS
Symptoms:
Common Criteria requires that SSH sessions be rekeyed at least every hour.
Conditions:
SSH connections to or from the BIG-IP system.
Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.
Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'
Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.
655470-4 : IP Intelligence logging publisher removal can cause tmm crash
Solution Article: K79924625
Component: Advanced Firewall Manager
Symptoms:
TMM restarts immediately after the global ip-intelligence logging publisher is removed.
Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }
Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.
Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.
Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.
655357-3 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
Solution Article: K06245820
Component: TMOS
Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.
This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.
Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.
Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.
Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.
To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.
655085-1 : While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
Component: TMOS
Symptoms:
Message of the form
"notice sod[nnnn]: 010c006e:5: All devices in traffic group traffic-group-1(1 of 2) should have a HA group."
is logged on peer devices when a Viprion chassis is being rebooted.
Conditions:
Multiple Viprion chassis are configured in a sync-failover device group, using HA Group scores.
Impact:
Log message indicates a configuration error that does not exist.
Workaround:
If these messages occur during a peer reboot, they should be ignored.
655005-2 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
Solution Article: K23355841
Component: TMOS
Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.
Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.
Impact:
Peers in a Device Group will get out of sync.
Workaround:
Use a full sync instead.
654981-1 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
Component: Local Traffic Manager
Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.
Conditions:
This happens when the first matched rule has no action (i.e. is set to ignore).
Impact:
This may cause Local Traffic Policies to execute an unintended action.
Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.
654925-3 : Memory Leak in ASM Sync Listener Process
Solution Article: K25952033
Component: Application Security Manager
Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).
Conditions:
-- asm-sync is enabled on an auto-sync Device Group.
-- Errors occur during attempts to sync, either due to a full disk or in response to one or more of the following operations in the GUI or REST API:
+ Creating/importing/deleting policies.
+ Accepting many suggestions at once.
+ Adjusting Policy Building Settings.
Impact:
RAM consumption increases, leading to swap usage, until the device reaches a panic state.
Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl
654508-1 : SharePoint MS-OFBA browser window displays Javascript errors
Component: Access Policy Manager
Symptoms:
SharePoint MS-OFBA browser window displays JavaScript errors during authentication.
Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.
Impact:
JavaScript errors are shown in the MS-OFBA browser window.
Workaround:
None.
654086-2 : Incorrect handling of HTTP2 data frames larger than minimal frame size
Solution Article: K18323013
Component: Local Traffic Manager
Symptoms:
HTTP2 can vary frame size between 16K bytes (included) and 16 Mbytes (not included).
When a client sends a data frame spanning more than one TCP segment, the BIG-IP system incorrectly decrements the frame size twice from the receive window.
If the proxy flow control is disabled, this just creates an additional window update frame. If the proxy is in flow control, this causes a flow control error.
Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a data frame larger than 16384 bytes, violating the RFC.
Impact:
HTTP2 resets the stream with FLOW_CONTROL_ERROR.
Workaround:
None.
654011-1 : Pool member's health monitors set to Member Specific do not display the active monitors
Solution Article: K33210520
Component: TMOS
Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.
Conditions:
Have a pool member with Health Monitors set to Member Specific.
Impact:
The specified active monitors will be saved but won't be displayed as active.
Workaround:
Use tmsh to view a pool member's active monitors.
653976-3 : SSL handshake fails if server certificate contains multiple CommonNames
Solution Article: K00610259
Component: Local Traffic Manager
Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.
Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain a subjAltName extension (or, if it does, the same names are not included in the subjAltName's dNSName list).
Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.
Workaround:
For forward proxy bypass, configure IP address bypass instead of hostname bypass, since the IP address bypass check happens before the SSL handshake.
The second option is to update the external server's certificate to include the list of CommonNames in the subjAltName extension as dNSName entries.
653930-1 : Monitor with description containing backslash may fail to load.
Solution Article: K69713140
Component: Local Traffic Manager
Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.
Conditions:
Monitor with description containing backslash.
Impact:
Configuration changes without human intervention. Potential load failure.
Workaround:
Don't use backslashes in monitor descriptions.
653888-1 : BGP advertisement-interval attribute ignored in peer group configuration
Component: TMOS
Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.
Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value.
Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.
Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.
653775-4 : Ampersand (&) in GTM synchronization group name causes synchronization failure.
Solution Article: K05397641
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.
Conditions:
A GTM synchronization group name with an ampersand (&) in the name.
Impact:
GTM sync groups do not synchronize.
Workaround:
Remove ampersand from sync group name.
653772-3 : fastL4 fails to evict flows from the ePVA
Component: TMOS
Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.
Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.
Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.
Workaround:
Disable HW acceleration.
653746-1 : Unable to display detailed CPU graphs if the number of CPUs is too large
Solution Article: K83324551
Component: Local Traffic Manager
Symptoms:
The detailed CPU graph cannot be displayed. Go to Statistics :: Performance and click 'View Detail Graph' under System CPU usage. The graph does not display, and the system posts the message: Error trying to access the database.
Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.
Impact:
Administrator is unable to view the detail CPU graphs.
Workaround:
None.
653573-2 : ADMd not cleaning up child rsync processes
Component: Anomaly Detection Services
Symptoms:
The ADMd daemon on the device spins up rsync processes and does not clean them up properly, leaving many zombie processes.
Conditions:
An rsync child process ends via exit (in the case of some trouble).
Impact:
No technical impact, but there are many zombie processes.
Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.
653453-2 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
Component: TMOS
Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by an L2 defect in the Broadcom Trident2+ switch that the B4450 blade uses.
Conditions:
The switch learned a corrupted L2 FDB entry on the internal HiGig trunk.
Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.
Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.
653376-1 : bgpd may crash on receiving a BGP update with >= 32 extended communities
Component: TMOS
Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities
Conditions:
A configured BGP peer sends a route update including an attribute containing 32 or more extended communities.
Impact:
bgpd may crash, causing the BGP peering to reset.
Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.
653324-2 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
Solution Article: K87979026
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.
Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.
653228-3 : SNAT does not work properly on FTP VIP2VIP
Solution Article: K34312110
Component: Local Traffic Manager
Symptoms:
SNAT does not work properly on FTP VIP2VIP.
Conditions:
-- FTP traffic is passed VIP2VIP to a second virtual server.
-- SNAT is configured on second virtual server.
Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.
Workaround:
Do not configure SNAT on second virtual server.
653137-3 : Virtual flaps when FQDN node and pool configured with autopopulate
Solution Article: K24159492
Component: Local Traffic Manager
Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.
Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.
Impact:
The virtual server becomes unavailable, and later switches to unchecked.
Workaround:
None.
653017-3 : Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
Component: Application Security Manager
Symptoms:
Bot signatures cannot be created after roll-forward upgrade of configuration with only a DoS profile in non-Common partition.
Conditions:
A DoS profile in a non-Common partition has Proactive Bot Defense enabled.
Impact:
Bot signatures are not created.
Workaround:
Delete DoS Profile before upgrade, and re-create after upgrade is successful.
Alternatively, another DoS Profile can be created in /Common, even if unused.
652968-3 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
Solution Article: K88825548
Component: TMOS
Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 fails to send a KE payload when PFS (perfect forward secrecy) is used in the configuration.
Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.
Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.
Impact:
PFS settings apply only to first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third party IPsec peer, negotiation will fail if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels will not fail.
Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.
652877-4 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
Component: TMOS
Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors such as:
slot2/localhost err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
slot2/localhost err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.
In versions prior to v11.6.0, the error will say "Can't save/checkpoint DB object," rather than "Can't update_indexes/checkpoint DB object".
Conditions:
Multi-bladed VIPRION system, where the "if-index" value for VLANs differs between blades (as checked via "tmsh list net vlan all if-index" on each blade).
Impact:
MCPD restart on all secondary blades results in partial service outage.
Workaround:
Only reactivate the license on a system that is standby/offline.
652671-5 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
Solution Article: K31326690
Component: TMOS
Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.
Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.
Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.
Workaround:
None.
652577-1 : Changes to MAC Masquerading may cause the Standby unit to be unable to reach the floating Self-IP address
Component: Local Traffic Manager
Symptoms:
Changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.
Conditions:
- HA pair.
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group.
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby.
Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.
Workaround:
Reboot or restart TMM.
652502-1 : snmpd returns 'No Such Object available' for ltm OIDs
Component: TMOS
Symptoms:
When the BIG-IP starts with an expired license, snmp queries for ltm related OIDs return 'No Such Object available on this agent at this OID'.
Even if you re-activate the license or install a new one, snmpd is not notified of the change in license and still returns 'No Such Object available on this agent at this OID' until the snmpd process is restarted.
Conditions:
The BIG-IP starts with an expired license which is reactivated later.
Impact:
snmp queries to the ltm OIDs like ltmRst and ltmVirtual will not return any data.
Workaround:
A restart of snmpd (bigstart restart snmpd) after the license is re-activated or a new one is installed resolves the issue.
652484-3 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster
Component: TMOS
Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.
Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.
Impact:
The f5optics version is not displayed for all of the blades.
652370 : The persist cookie insert iRule command may leak memory
Component: Local Traffic Manager
Symptoms:
In some situations, the persist cookie insert iRule command may leak memory.
Conditions:
The persist cookie insert iRule command is used.
Impact:
Eventually, the TMM will run out of memory due to the leak.
652056-1 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config in tmsh from top level namespace or at module level
Solution Article: K42295253
Component: TMOS
Symptoms:
tmsh list at the top namespace or at module level or mode level generates unexpected [api-status-warning] messages.
(tmos)# list << top namespace
(tmos)# list ltm << ltm module
(tmos)# list ltm profile << profile mode
Each of the three illustrative examples generates unexpected [api-status-warning] messages at stderr and /var/log/ltm.
The warnings are expected only at component level.
The following example uses fastl4 as the component:
(tmos)# list ltm profile fastl4 myfast
[api-status-warning] ltm/profile/fastl4, properties : deprecated : software-syn-cookie <<— warning message; as expected
ltm profile fastl4 myfast {
app-service none
software-syn-cookie enabled
}
Conditions:
This occurs when typing "y" when being prompted to list all items:
(tmos)# list
Display all 155 items? (y/n) y
[api-status-warning] ltm/profile/fastl4, properties : deprecated : software-syn-cookie <<< unexpected warnings
These are displayed for several commands that give API warnings.
Impact:
Excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands. These are spurious and can be ignored.
Workaround:
None.
652048-1 : TMSH save sys config contains [api-status-warning] that do not correspond to any configuration instances
Solution Article: K14526459
Component: TMOS
Symptoms:
There are multiple [api-status-warning] logs in /var/log/ltm present. Of these warnings the following do not correspond to existing configuration objects:
warning tmsh[1598]: 01420013:4: [api-status-warning] ltm/classification/url-cat-policy is deprecated.
warning tmsh[1598]: 01420013:4: [api-status-warning] sys/crypto/ca-bundle-manager is early_access.
Logs were generated based on the type, even though there are no instances of that type present. For example: the sys/crypto/ca-bundle-manager type is early-access, but there is no instance of this type; still the warning is generated. This is unexpected behavior. The warning for ltm/classification/url-cat-policy is similarly unexpected.
These [api-status-warning] messages should be created only for types that have been instantiated.
Conditions:
Issue a tmsh save sys config command. Look at the logs in /var/log/ltm corresponding to this operation.
Impact:
Excessive [api-status-warning] log messages in the /var/log/ltm file. The warnings can be ignored.
Workaround:
None.
651961-1 : AVR is not called for DNS packets when AFM is not provisioned.
Component: Advanced Firewall Manager
Symptoms:
AVR DNS analytics are not available when the avr-dnsstat-sample-rate setting on the DNS profile is set to a non-zero value and AFM is not provisioned.
When this occurs, the system presents error messages.
-- In the GUI, Statistics :: Analytics :: DNS returns a message similar to the following: There is no data to display either due to the lack of relevant traffic, or due to the settings of the filter.
-- In tmsh, the command and return message appear as follows:
# tmsh show analytics dns report view-by domain-name
----------------------
Analytics query result
----------------------
No data available
Conditions:
This issue occurs when all of the following conditions in either scenario are met:
Scenario A
===========
-- AFM is not provisioned.
-- There is a virtual server configured with DNS and Analytics profiles.
-- The virtual server processes traffic.
Scenario B
===========
-- AFM is provisioned.
-- The DNS profile option 'enable-dns-firewall' is not set to 'yes' (DNS :: Delivery : Profiles : DNS :: Properties : <profile name> in the GUI).
-- A DoS profile (security dos profile) is associated with the virtual server.
Impact:
No DNS analytics data available. Cannot see AVR data for DNS resolutions.
Workaround:
None.
651947-1 : Token validate response session variables created with no prefix might collide with other session variables.
Component: Access Policy Manager
Symptoms:
Token validate responses create session variables without any sub-prefix, which may result in collisions with other session variables.
Conditions:
Executing policy containing 'introspect' session variables such as 'authresult' and 'errMsg'.
Impact:
May collide with other session variables. If they collide with token introspect responses, one or the other will be overwritten, depending on the order in which the variables are executed.
Workaround:
None.
651901-3 : Removed unnecessary ASSERTs in MPTCP code
Component: Local Traffic Manager
Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.
Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.
Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
651886-2 : Certain FIX messages are dropped
Component: Service Provider
Symptoms:
When a FIX message is received with a length, checksum, or message type field containing leading zeros, the message may be dropped.
Conditions:
This bug affects all FIX messages having a length (tag 9), checksum (tag 10) or message type (tag 35) field that contains at least one leading zero. Certain third-party FIX protocol implementations are known to insert leading zeros in these fields.
Impact:
FIX messages from these products cannot be processed by the FIX profile in BIG-IP.
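As an added example (not F5 code), a small Python check that parses a FIX message and reports which of the three fields named above carries a leading zero, so a practitioner can identify which feeds an affected BIG-IP would drop. The sample messages are constructed, and "leading zero" is assumed here to mean a value longer than one character that starts with '0'.

```python
"""Flag FIX messages that an affected BIG-IP FIX profile may drop: those whose
BodyLength (tag 9), CheckSum (tag 10) or MsgType (tag 35) value carries a
leading zero. Added example, not F5 code."""
from __future__ import annotations

SOH = "\x01"  # standard FIX field delimiter
WATCHED_TAGS = {"9": "BodyLength", "10": "CheckSum", "35": "MsgType"}


def parse_fix(message: str, delimiter: str = SOH) -> list[tuple[str, str]]:
    """Split a FIX message into (tag, value) pairs, preserving order and
    repeated tags. Raises ValueError on a field without '=' or a non-numeric tag."""
    pairs: list[tuple[str, str]] = []
    for field in message.strip(delimiter).split(delimiter):
        if not field:
            continue
        tag, sep, value = field.partition("=")
        if not sep or not tag.isdigit():
            raise ValueError(f"malformed FIX field: {field!r}")
        pairs.append((tag, value))
    return pairs


def has_leading_zero(value: str) -> bool:
    """Assumption used in this example: a value 'has a leading zero' when it is
    longer than one character and starts with '0'. MsgType '0' (Heartbeat) is
    the value zero, not a padded value, so it does not count; '0065' and '063' do."""
    return len(value) > 1 and value[0] == "0"


def affected_fields(message: str, delimiter: str = SOH) -> list[str]:
    """Return the names of watched fields whose value has a leading zero.
    An empty list means the message is not affected by this issue."""
    return [
        WATCHED_TAGS[tag]
        for tag, value in parse_fix(message, delimiter)
        if tag in WATCHED_TAGS and has_leading_zero(value)
    ]


# Constructed sample messages using '|' in place of SOH for readability.
# BodyLength and CheckSum are zero-padded; SeqNum (34) is too, but is not a watched tag.
PADDED_ORDER = "8=FIX.4.2|9=0065|35=D|49=BUY|56=SELL|34=0012|52=20170101-00:00:00|10=063|"
# Same order with no padding in the watched fields; MsgType '0' is a heartbeat.
CLEAN_HEARTBEAT = "8=FIX.4.2|9=65|35=0|49=BUY|56=SELL|34=12|10=163|"

if __name__ == "__main__":
    for name, msg in (("padded", PADDED_ORDER), ("clean", CLEAN_HEARTBEAT)):
        print(name, "->", affected_fields(msg, delimiter="|") or "not affected")
```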
651875-1 : GSLB Server properties page should show the iQuery section when type is BIG-IP System
Component: Global Traffic Manager (DNS)
Symptoms:
The iQuery section does not display on the GSLB Server properties page in the Web GUI.
Conditions:
There must be a GSLB Server created and configured to be of type BIG-IP System.
Impact:
The iQuery section does not display when it should on the properties page in the Web GUI.
Workaround:
The iQuery settings can be changed via TMSH.
651826-1 : SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly
Component: TMOS
Symptoms:
When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".
For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d
When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C
Conditions:
IKEv2 IPsec SAs are established or attempting to be established.
Impact:
Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.
Workaround:
Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.
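The rearrangement described in the workaround, as an added Python example that is not part of the release note: it reverses the byte order of an SPI as rendered by an affected BIG-IP and checks the result against the peer's view, swapping local and remote because the BIG-IP's local SPI is the peer's remote SPI. The sample values are the ones quoted above; the function and class names are this example's own.

```python
"""Correct the byte order of IKEv2 SPIs rendered by an affected BIG-IP and
compare them with the SPIs reported by the IPsec peer. Added example, not F5 code."""
from dataclasses import dataclass

SPI_BYTES = 8  # IKEv2 SPIs are 64 bits wide


def _clean_hex(value: str) -> str:
    """Strip whitespace and an optional 0x prefix; return upper-case hex digits."""
    digits = value.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != SPI_BYTES * 2 or not all(c in "0123456789abcdef" for c in digits):
        raise ValueError(f"expected {SPI_BYTES * 2} hex digits, got {value!r}")
    return digits.upper()


def normalize_spi(displayed: str) -> str:
    """Reverse the byte order of a BIG-IP-rendered SPI.

    'displayed' is the value as printed by 'tmsh show net ipsec ike-sa
    all-properties' on an affected version, e.g. '0x3c4742cab016098c'.
    Returns the SPI as the peer renders it: '8C0916B0CA42473C'.
    """
    raw = bytes.fromhex(_clean_hex(displayed))
    return raw[::-1].hex().upper()


@dataclass(frozen=True)
class SaSpis:
    """Local and remote SPI of one IKE SA as shown on one device."""
    local: str
    remote: str


def same_sa(bigip: SaSpis, peer: SaSpis) -> bool:
    """True when the BIG-IP's displayed SA and the peer's SA are the same SA.

    Byte order is corrected on the BIG-IP side, and the roles are swapped:
    the BIG-IP's local SPI must equal the peer's remote SPI and vice versa.
    """
    return (normalize_spi(bigip.local) == _clean_hex(peer.remote)
            and normalize_spi(bigip.remote) == _clean_hex(peer.local))


# Values quoted in the release note: BIG-IP rendering and the peer's view.
BIGIP_VIEW = SaSpis(local="0x3c4742cab016098c", remote="0x959f0a013581e25d")
PEER_VIEW = SaSpis(local="5DE28135010A9F95", remote="8C0916B0CA42473C")

if __name__ == "__main__":
    print("local  ->", normalize_spi(BIGIP_VIEW.local))
    print("remote ->", normalize_spi(BIGIP_VIEW.remote))
    print("same SA:", same_sa(BIGIP_VIEW, PEER_VIEW))
```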
651713 : Passive mode and untagged frames
Component: Local Traffic Manager
Symptoms:
When a port is configured in passive mode, the system requires a VLAN to be configured in order to handle untagged frames.
Conditions:
-- Port is operating in passive mode.
-- Handling untagged frames.
Impact:
Must define a VLAN to process untagged data received on port operating in Passive mode. Might impact system performance.
Workaround:
Use the following procedure:
1. Create a VLAN.
2. Assign passive mode port as an untagged member of the VLAN.
651681-3 : Orphaned bigd instances may exist (within multi-process bigd)
Solution Article: K49562354
Component: Local Traffic Manager
Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may exist, such as an orphaned 'bigd.1' alongside the active 'bigd.1'.
Conditions:
-- The db variable Bigd.NumProcs is set to 2 or higher.
-- System monitors with long timeouts (such as ~183 seconds or longer), might also be relevant.
When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.
Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.
Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.
Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.
Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.
651640-2 : queue full dropped messages incorrectly counted as responses
Component: Service Provider
Symptoms:
A negative number of active response messages is reported in the sipsession profile stats.
Conditions:
If a request message is dropped because the SIP filter's ingress message queue is full, the wrong statistic is incremented.
Impact:
Counting the dropped request messages as response messages causes the count of accepted response messages to be calculated incorrectly, producing a negative value.
651541-1 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile
Solution Article: K83955631
Component: Local Traffic Manager
Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.
Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.
Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.
Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.
651413-1 : tmsh list ltm node does not return an error when node does not exist
Component: TMOS
Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.
Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.
Impact:
The command produces no output or error message. There is no indication of why there is no output, nor a description of the possible error condition.
Workaround:
None.
651253 : tmipsecd down after provisioning modules
Component: TMOS
Symptoms:
After provisioning a set of modules, tmipsecd may not be running.
Conditions:
After provisioning a set of modules.
Impact:
IPsec would not be operational.
Workaround:
Restart tmipsecd by running the following command: bigstart start tmipsecd.
651169-2 : The Dashboard does not show an alert when a power supply is unplugged
Component: Advanced Firewall Manager
Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.
Conditions:
One of the power supplies is unplugged.
Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.
Workaround:
None.
651155-2 : HSB continually logs 'loopback ring 0 tx not active'
Component: TMOS
Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.
Conditions:
Unknown.
Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.
Workaround:
None.
651136-1 : ReqLog profile on FTP virtual server with default profile can result in service disruption.
Solution Article: K36893451
Component: TMOS
Symptoms:
When FTP's control channel and data channel arrive on different TMMs, the ReqLog profile may fail to identify the data channel's listener.
Conditions:
A virtual server with the default (inheriting) FTP profile and a ReqLog profile.
Impact:
Service disruption, fail-over event.
Workaround:
Create a non-inheriting FTP profile for the FTP virtual server that has the ReqLog profile.
651005-4 : FTP data connection may use incorrect auto-lasthop settings.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, the FTP data connection may fail to use the auto-lasthop setting configured on the virtual server and instead use the value configured at the VLAN level.
Conditions:
With either of the following configurations, the FTP data connection fails to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'
(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'
With either of the following configurations, the FTP data connection improperly uses auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'
(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'
Impact:
FTP data connection may fail to be established.
Workaround:
Use routing instead of auto-lasthop.
Alternatively, enable auto-lasthop at the VLAN level.
650422-3 : TMM core after a switchover involving GY quota reporting
Component: Policy Enforcement Manager
Symptoms:
A crash in the code path for asynchronous subscriber lookup causes a TMM core dump.
Conditions:
This core occurs in an intra-chassis HA configuration when GY is configured and an HA switchover is forced.
Impact:
An initial coredump (or HA switchover) forces multiple core dumps. Traffic disrupted while tmm restarts.
650317-2 : The TMM on the next-active panics with message: "Missing oneconnect HA context"
Component: Local Traffic Manager
Symptoms:
The next-active TMM panics with the message "Missing oneconnect HA context" on a virtual server that does not have one-connect on the active.
Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.
Impact:
Connections on the active are not mirrored while the next-active restarts.
Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.
650115 : iApp LX app does not sync to standby in a HA pair
Component: Device Management
Symptoms:
Take two BIG-IP systems. Install an iApp LX package individually on each device. Then join the devices as an Active/Standby Device Services Clustering pair. The iApps created with that package may not be synced from the Active to the Standby. You will see this error in restjavad.0.log:
[WARNING] Failed to post to http://localhost:8100/shared/iapp/global-installed-packages: java.lang.IllegalArgumentException: Duplicate item. Key already exists
Conditions:
An iApp LX package was installed on two devices *before* those devices were joined into a Device Group.
Impact:
The standby device is missing critical iApp data.
Workaround:
To avoid this situation, join devices in a Device Group before installing packages. If the situation has already occurred, run these two commands on the standby device to synchronize it:
1. restcurl /shared/iapp/global-installed-packages -X DELETE
2. restcurl /shared/gossip -d '{"copyStateFrom":"1.2.3.4"}'
For the IP address in command 2, use the Management address of the active device.
650070-1 : iRule that uses ASM violation details may cause the system to reset the request
Solution Article: K23041827
Component: Application Security Manager
Symptoms:
When an iRule attempts to use the violation details such as attackSignature or MaliciousFingerprint, in some cases a legal request will be reset.
Conditions:
-- An ASM iRule that uses violation details is attached to the virtual server.
-- The request contains the violation.
Impact:
A legal request is reset.
Workaround:
None.
650019-1 : The commented-out sample functions in audit_forwarder.tcl are incorrect
Component: TMOS
Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.
Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.
Impact:
The Transform function may not work if the examples are followed.
Workaround:
Use the default Transform function as a starting point instead of one of the examples.
650002-2 : tzdata bug fix and enhancement update
Component: TMOS
Symptoms:
There have been changes to timezone data that impact tzdata packages:
* Mongolia no longer observes Daylight Saving Time (DST).
* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.
Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.
Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).
Workaround:
None.
649873 : DoS Visibility charts don't display information for dropped messages
Component: Application Visibility and Reporting
Symptoms:
Collected information for dropped messages does not appear in the Security >> Reporting: DoS screens, and is not returned for REST-API queries.
Conditions:
When querying information about dropped messages, the returned value is '0', even when there were dropped messages.
Impact:
Dropped messages are not correctly reflected in the GUI and in the returned value for REST-API queries.
Workaround:
There is no workaround at this time.
649866-2 : fsck should not run during first boot on public clouds
Component: TMOS
Symptoms:
Although it is not needed, a filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice a year, booting up runs a more comprehensive fsck operation.
Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).
Impact:
Potentially unacceptably long boot times.
Workaround:
None.
649613-2 : Multiple UDP/TCP packets packed into one DTLS Record
Component: Access Policy Manager
Symptoms:
The system converts server-provided packets into PPP buffers, and these PPP packets are packed into DTLS records. Currently the DTLS record limit is about 14 KB, so the system can pack multiple PPP packets into one DTLS record.
However, creating larger DTLS records can cause IP fragmentation on the server side. In a lossy environment, losing one IP fragment causes the complete DTLS record to be lost, resulting in poor performance.
Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.
Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.
Workaround:
None.
649564-1 : Crash related to GTM monitors with long RECV strings
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.
Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.
Impact:
Core dump. Traffic might be disrupted while gtmd restarts.
Workaround:
None.
649513-1 : IP Intelligence: Policy diff doesn't work for categories
Component: Application Security Manager
Symptoms:
There is no validation for the existence of fields in a nested struct.
Conditions:
-- Create two policies.
-- Create a difference in nested structs.
Impact:
Comparing policies with nested structs does not work as expected.
649177-1 : Testing for connection to SMTP Server always returns "OK"
Solution Article: K54018808
Component: Application Visibility and Reporting
Symptoms:
When you click the "Test Connection" button in the SMTP GUI configuration, it always gives a green "OK" response, even if there is no network connectivity or the DNS response is NXDOMAIN.
Conditions:
This is encountered when testing the SMTP connection using the GUI.
Impact:
Validation of SMTP server availability is incorrect.
Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):
# echo "ssmtp test mail" | mail -vs "Test email" user@example.com
649171-3 : tmm core in iRule with unreachable remote address
Component: Local Traffic Manager
Symptoms:
Calling TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a non-reachable remote_addr causes tmm to core.
Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Create a faux route for the destination address.
648873-4 : Traffic-group failover-objects cannot be retrieved via iControl REST
Solution Article: K93513131
Component: TMOS
Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].
(The ... represents the data that was presented as a list property.)
Conditions:
Using iControl REST to get failover-objects associated with floating traffic-groups.
Impact:
No access to the list of failover-objects associated with a specific floating traffic-group via the iControl REST interface.
Workaround:
Use a different user interface (tmsh or GUI).
648806-2 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance
Component: Global Traffic Manager (DNS)
Symptoms:
An invalid value for "with the first highest ratio counter" is logged for the wide IP load balancing decision.
Conditions:
Logging is enabled for wide IP load balancing decisions.
Impact:
An invalid value is logged for "with the first highest ratio counter".
648802-2 : Required custom AVPs are not included in an RAA when reporting an error.
Component: Policy Enforcement Manager
Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).
Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.
Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.
Workaround:
There is no workaround at this time.
648650 : Upgrade from 11.6.1 to 13.0.0 fails when two parameters in URL added to anti-fraud profile get 'identify-as-username enabled'.★
Component: Fraud Protection Services
Symptoms:
Upgrade from 11.6.1 to 13.0.0 fails when two parameters in URL added to anti-fraud profile get 'identify-as-username enabled'.
The system posts the following messages in /var/log/ltm:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed.
-- 010719b4:3: URL can have only a single parameter identified as username in the Anti-Fraud profile '/Common/antifraud'. Unexpected Error: Loading configuration process failed.
Conditions:
Adding two parameters with 'identify-as-username enabled' using the GUI.
Impact:
Upgrade fails. Configuration fails to load.
Workaround:
Before upgrade, check that every ANTIFRAUD URL has no more than one parameter with "identify as username" enabled.
To do so, delete a parameter or disable "identify as username".
648621-4 : SCTP: Multihome connections may not expire
Component: TMOS
Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.
Conditions:
Multi-homing connections have been forcibly deleted using a tmsh command.
Impact:
The multi-homing connections do not expire.
Workaround:
Do not manually delete multi-homing connections.
648544-6 : HSB transmitter failure may occur when global COS queues enabled
Solution Article: K75510491
Component: TMOS
Symptoms:
An HSB transmitter failure may occur if global COS queues are enabled. The HSB transmitter failure is logged in the TMM log files.
Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.
Impact:
If this issue occurs, the BIG-IP system reboots.
Workaround:
Do not use global COS queues.
648286-1 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
Component: Global Traffic Manager (DNS)
Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.
Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.
Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.
Loss of functionality from earlier releases.
Workaround:
Manually select each entry to add to the member list.
648245-1 : When using a route TMM may use a smaller MTU
Solution Article: K29101604
Component: Local Traffic Manager
Symptoms:
TMM uses a smaller MTU when connecting to a device via a configured route.
Conditions:
- An MTU larger than 1500 bytes is configured on the VLAN.
- A static or dynamically learned route to a destination with no specific MTU defined.
Impact:
Effective MTU when using the route will be limited to 1500 bytes. This includes derived MSS in TCP connections.
Workaround:
Specify the required MTU on routes.
648242-1 : Administrator users unable to access all partition via TMSH for AVR reports
Component: Application Visibility and Reporting
Symptoms:
Using TMSH for AVR reports can fail if the report contains partition-based entities, even for an administrator user (who should have permissions to all partitions).
Conditions:
Using TMSH to query partition-based stats as an administrator user.
Impact:
AVR reports via TMSH fail when using partition-based entities.
Workaround:
None.
648060-1 : EdgeClient locked mode exclusion list admin UI doesn't allow underscore character
Solution Article: K85067418
Component: Access Policy Manager
Symptoms:
The EdgeClient locked mode exclusion list admin UI does not allow the underscore character.
Conditions:
An administrator is trying to configure EdgeClient locked mode exclusion list with hostname containing underscore character ('_').
Impact:
Hostnames containing an underscore are not allowed in the list, so you cannot whitelist them.
Workaround:
The exclusion list for locked mode can also be configured using the local registry on the client machine, and the registry configuration allows underscore characters.
For example, to add my_domain.com to the exclusion list, create a registry key (a key, not a value) under
HKLM\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess\AlwaysConnected\Exclusions, e.g. HKLM\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess\AlwaysConnected\Exclusions\my_domain.com\
648037-1 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.
Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is no monitor on the pool, tmm will crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure a monitor for the pool.
647944-1 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
Component: TMOS
Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.
Conditions:
A FIX profile is in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:
- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.
Impact:
Traffic disrupted while mcpd restarts.
647834-5 : Failover DB variables do not correctly implement 'reset-to-default'
Component: TMOS
Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.
Conditions:
This is known to affect at least the following failover-related DB variables:
log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary
Impact:
The configuration change does not take effect.
Workaround:
Explicitly set the DB variable to the desired value.
647812-4 : /tmp/wccp.log file grows unbounded
Component: TMOS
Symptoms:
WCCP uses /tmp/wccp.log as output for diagnostic information, independent of log level or db key. This file can grow unbounded if no WCCP packets are ever sent. If packets are sent, the file is cleaned up automatically.
Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.
Impact:
/tmp/wccp.log grows unbounded, filling up the disk.
647158-4 : Internal virtual server inherits CMP hash mode from parent virtual server
Solution Article: K76581555
Component: Service Provider
Symptoms:
An internal virtual server might behave in unexpected ways, such as aborting a client connection before connecting to the server.
Conditions:
-- A virtual server with a request-adapt or response-adapt profile and a VLAN with 'cmp-hash' mode 'src-ip'.
-- An internal virtual server without a VLAN or 'cmp-hash' setting.
Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.
Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.
647151-2 : CPU overtemp condition threshold is 75C
Component: TMOS
Symptoms:
A CPU overtemp condition is logged when a B4450 CPU reaches 75C.
Conditions:
CPU temperature is only 75C and ambient temperature in the blade is in the normal range.
Impact:
Since the temperature threshold is set too low, the warning does not indicate an actual problem.
Workaround:
None.
647071-1 : Stats for SNATs do not work when configured in a non-zero route domain
Component: Local Traffic Manager
Symptoms:
When a SNAT is created in a route domain other than 0, the command 'tmsh show ltm snat' does not report any statistics.
Conditions:
This occurs on all SNATs in a route domain other than 0.
Impact:
No statistics are reported for the SNATs.
Workaround:
None.
646890-2 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
Solution Article: K12068427
Component: TMOS
Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.
Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take effect without a racoon restart.
Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.
Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.
646804-1 : call to tmctl in diskmonitor for the tmstat vmcp_stat table results in error: tmctl: vcmp_stat: No such table.
Component: TMOS
Symptoms:
diskmonitor added monitoring functionality for VM disks. As a result, there is a call to tmctl in diskmonitor for the tmstat vmcp_stat table.
However, this call is also made on non-vCMP systems, which results in an error: tmctl: vcmp_stat: No such table.
Conditions:
Run diskmonitor on a non-vCMP system.
Impact:
The system posts the following error: tmctl: vcmp_stat: No such table. There is no functional issue when receiving this message on non-vCMP systems, so you can disregard the message.
Workaround:
None.
646800-1 : A part of the request is not sent to ICAP server in a specific case
Component: Application Security Manager
Symptoms:
The portion of the request that is not sent is not checked for viruses.
Conditions:
ICAP is configured.
Impact:
There might be a false negative on the anti-virus check.
Workaround:
N/A
646643-1 : HA standby virtual server with non-default lasthop settings may crash.
Solution Article: K43005132
Component: Local Traffic Manager
Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.
Conditions:
-- An HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or auto-lasthop disabled).
-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).
Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.
Workaround:
None.
646495-1 : BIG-IP may send oversized TCP segments on traffic it originates
Component: Local Traffic Manager
Symptoms:
The Linux host on the BIG-IP system may send TCP segments larger than the TCP MSS advertised by a remote host.
Conditions:
-- The received TCP MSS (plus protocol overhead) is smaller than the configured MTU of the interface.
-- The Linux host is sending large TCP segments, such as SNMP getbulk replies.
Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.
Workaround:
Disable segmentation offload for the nvic.
645770 : MAC address must be configured on virtual function
Component: TMOS
Symptoms:
There may be a system outage if the virtual function device is not provided a MAC address from the hypervisor.
Conditions:
-- Virtual Edition.
-- A Fortville virtual function device is not provided a MAC address by the hypervisor.
Impact:
System outage.
Workaround:
Ensure that a MAC address is configured for each virtual function.
645729-2 : SSL connection is not mirrored if ssl session cache is cleared and resume attempted
Component: Local Traffic Manager
Symptoms:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.
Conditions:
A previous ssl session is attempting to resume the connection after the ssl session cache has been cleared.
Impact:
Connection is established but is not mirrored.
Workaround:
This can be avoided by disabling the SSL session cache.
645635-1 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
Component: Local Traffic Manager
Symptoms:
VCMP clusters without configured slot-specific management-ip addresses will report 0.0.0.0 for: sFlow (Agent Address), High Speed Logging (in certain log messages), and IPFIX (domain ID).
When creating VCMP guests, the cluster's floating IP address is configured on the host using a command of the form: 'tmsh modify vcmp guest guest0 management-ip 10.1.2.3/24'; however, this will leave the slot-specific management IP address unconfigured. In this case, the affected services (sFlow, HSL, and IPFIX) will report 0.0.0.0 as their management IP address.
Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow and/or HSL and/or IPFIX configured.
Impact:
sflow, HSL, and IPFIX may incorrectly use 0.0.0.0 when identifying the BIG-IP system by management IP address. For sFlow, this is the default Agent Address. For HSL, certain log messages which identify the origin BIG-IP system by its management IP address will use this default value. For IPFIX, the domain ID will use this default value.
Workaround:
Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a VCMP guest which runs on a single slot, use a command similar to the following:
tmsh modify sys cluster default members { 1 { address 10.1.2.3 } }
645615-1 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Solution Article: K70543226
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
Workaround:
None.
645220-1 : bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
Component: Local Traffic Manager
Symptoms:
When mcpd debug logging is enabled, mcp messages sent to or received from the bigd daemon are logged with a username of "(user %-P)" or "(user %-S)" instead of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".
Conditions:
mcpd debug messages with the "(user %-P)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and multiple instances of bigd are running.
mcpd debug messages with the "(user %-S)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and a single instance of bigd is running.
Impact:
Confusion about which daemon is referenced in mcpd debug logs with username "(user %-S)" or "(user %-P)".
645206-2 : Missing cipher suites in outgoing LDAP TLS ClientHello★
Solution Article: K23105004
Component: TMOS
Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.
Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.
Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.
Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.
645197-4 : Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
Component: Local Traffic Manager
Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) accumulate these responses in the monitor history. Upon a monitor status change (such as to "fail"), this history is sent from 'bigd' to 'mcpd' to indicate the monitor's new status, plus historical context. This history may grow too large if no monitor status change is detected for an extended time (such as days or weeks) while unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from "success" to "fail"), notification from 'bigd' to 'mcpd' fails due to this too-large history, so the monitor remains in its previous state (i.e., "success"). 'bigd' properly records the monitor status and continues to monitor, but 'mcpd' was not notified of that status change (due to the message-send failure caused by the oversized history).
This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating "success"), as 'bigd' will elide/merge the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (for example, by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history will continue to grow for that monitor until a status-change is detected.
Conditions:
Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp; and success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from "success" to "fail").
Impact:
The monitor will remain in the "success" state, as the status-change will be "lost" ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.
Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes; thus, receiving the same return-code will elide/merge with previously accumulated values in the monitor history.
645058-4 : Modifying SSL profiles in GUI may fail when key is protected by passphrase
Component: Local Traffic Manager
Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:
01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.
This can occur even when the passphrase already in the SSL profile is correct.
Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:
tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }
Impact:
User cannot update client SSL profile via the GUI.
Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.
645036 : Removing pool from virtual server does not update its status
Solution Article: K85772089
Component: Local Traffic Manager
Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.
Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.
Impact:
The virtual server will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.
Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.
Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.
644979-1 : Errors not logged from hourly 1k key generation cron job
Component: TMOS
Symptoms:
Errors from the hourly 1024-bit (1k) ephemeral key generation cron job are not logged as intended.
Conditions:
This occurs during hourly generation of ephemeral keys.
Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.
Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.
644873-3 : ssldump can fail to decrypt captures with certain TCP segmenting
Solution Article: K97237310
Component: Local Traffic Manager
Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.
The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data
Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.
Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.
Workaround:
None.
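The condition above (a TLS record header that straddles two TCP segments) is what a per-segment parser gets wrong: the trailing bytes of one segment look like a "Short record" and the leading bytes of the next are misread as an unknown content type. The following is an added illustration, not ssldump's own code: a minimal TLS record reassembler that buffers across segments, beside a deliberately naive per-segment parser that reproduces the failure mode on a constructed two-record stream.

```python
import struct

TLS_CONTENT_TYPES = {20: 'change_cipher_spec', 21: 'alert',
                     22: 'handshake', 23: 'application_data'}
RECORD_HEADER_LEN = 5  # content type (1) + version (2) + length (2)


class TlsRecordReassembler:
    """Accumulate one direction of a TCP stream and yield whole TLS records,
    even when the 5-byte record header itself spans TCP segments."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment):
        """Add one TCP segment payload; return the list of records completed by it."""
        self.buf.extend(segment)
        records = []
        while True:
            if len(self.buf) < RECORD_HEADER_LEN:
                break  # partial header: keep it and wait for the next segment
            ctype, version, length = struct.unpack('!BHH', self.buf[:RECORD_HEADER_LEN])
            if ctype not in TLS_CONTENT_TYPES:
                raise ValueError(f'Unknown SSL content type {ctype}')
            if len(self.buf) < RECORD_HEADER_LEN + length:
                break  # partial body: wait for more data
            body = bytes(self.buf[RECORD_HEADER_LEN:RECORD_HEADER_LEN + length])
            del self.buf[:RECORD_HEADER_LEN + length]
            records.append((TLS_CONTENT_TYPES[ctype], version, body))
        return records


def reassemble_all(segments):
    """Convenience wrapper: feed every segment and return all records in order."""
    r = TlsRecordReassembler()
    out = []
    for seg in segments:
        out.extend(r.feed(seg))
    return out


def parse_segment_alone(segment):
    """Mimic a parser that forgets partial data at segment boundaries.
    Returns the sequence of diagnostics such a parser would emit for one segment."""
    out = []
    pos = 0
    while pos < len(segment):
        if len(segment) - pos < RECORD_HEADER_LEN:
            out.append('Short record')
            break
        ctype, version, length = struct.unpack('!BHH', segment[pos:pos + RECORD_HEADER_LEN])
        if ctype not in TLS_CONTENT_TYPES:
            out.append(f'Unknown SSL content type {ctype}')
            break
        if len(segment) - pos - RECORD_HEADER_LEN < length:
            out.append('Short record')
            break
        out.append(TLS_CONTENT_TYPES[ctype])
        pos += RECORD_HEADER_LEN + length
    return out


def _record(ctype, body, version=0x0303):
    return struct.pack('!BHH', ctype, version, len(body)) + body


# Constructed sample stream (not a real capture): a 21-byte handshake record
# followed by a 32-byte application_data record, cut into TCP segments so that
# the second record's header is split after its first two bytes.
STREAM = _record(22, b'\x01hello-handshake') + _record(23, b'encrypted-application-bytes')
SEGMENTS = [STREAM[:23], STREAM[23:30], STREAM[30:]]

if __name__ == '__main__':
    for seg in SEGMENTS:
        print('per-segment parser:', parse_segment_alone(seg))
    for name, version, body in reassemble_all(SEGMENTS):
        print(f'reassembled: {name} v{version:#06x} len={len(body)}')
```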
644822-1 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
Solution Article: K19245372
Component: Advanced Firewall Manager
Symptoms:
If AFM is provisioned, a FastL4 virtual server with the loose-init option enabled drops all RST packets that do not relate to any existing flows.
This behavior does not match the BIG-IP behavior when AFM is not provisioned.
Conditions:
-- AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.
Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option is enabled.
Workaround:
No workaround.
644750 : 'epsec' tool fails in older version after use in newer version.
Component: Access Policy Manager
Symptoms:
Update to v13.0.0 removes EPSEC backward compatibility with BIG-IP systems running software versions earlier than 13.0.0.
Conditions:
Use 'System :: Software Management : Antivirus Check Updates' facilities in v13.0.0, boot back to 11.6.x or 11.5.x, and then run an EPSEC command such as the following: epsec -v version
Impact:
Errors are reported; EPSEC commands are not functional.
Workaround:
Try the EPSEC commands again after removing all environment locks on the shared RPM database using the following command:
rm /shared/lib/rpm__*.db
644725-2 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
Solution Article: K01914292
Component: Application Security Manager
Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.
Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.
Impact:
ASM restarts. The system goes offline. A failover may happen.
Workaround:
Ensure that there is some time between setting a configuration and removing ASM from the VIP.
644723-2 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
Component: TMOS
Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:
Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN
Conditions:
This is logged when disabling an interface.
Impact:
The log message says the interface is DOWN; it should say DISABLED.
644565-2 : MRF Message metadata lost when routing message to a connection on a different TMM
Component: Service Provider
Symptoms:
The system might choose to create a new outgoing connection when there is an available existing connection that could be used.
Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.
Impact:
Messages should still be delivered correctly, because the metadata is lost only after routing. There might be an impact if routing is retried and the ignore-peer-port setting has been lost; this might cause a new connection to be created even though an available existing connection exists.
Workaround:
None.
644447-1 : sync_zones script increasingly consumes memory when there is network connectivity failure
Component: Global Traffic Manager (DNS)
Symptoms:
sync_zones memory usage increases exponentially during a network disruption.
Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.
Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.
Workaround:
None.
644220-4 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
Solution Article: K37049259
Component: Global Traffic Manager (DNS)
Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.
Conditions:
This happens under certain configurations of Self IPs / GTM Servers / GTM Links / LTM Virtual Servers.
Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.
Workaround:
None.
644184-3 : ZebOS daemons hang while AgentX SNMP daemon is waiting.
Solution Article: K36427438
Component: TMOS
Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.
Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive, which could be caused by several issues, such as snmpd calling an external script that takes several moments to return, or mcpd being slow to respond to snmpd queries.
Impact:
Dynamic routing may be halted for as long as the AgentX daemon is busy.
Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.
643860-5 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
Component: Local Traffic Manager
Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:
-- In /var/log/tmm:
notice MCP connection expired early in startup; retrying.
-- In /var/log/ltm:
mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.
Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.
Impact:
The TMM processes will restart and fail to come up properly.
Workaround:
To recover, reboot the system.
Note: Do not perform file open operations on /dev/vnic. There is no need to.
643799-4 : Deleting a partition may cause a sync validation error
Component: TMOS
Symptoms:
Deleting a partition may cause the sync to peers to fail.
For example, on BIG-IP1:
tmsh delete auth partition P1
tmsh show cm sync-status
Sync Summary
Status Sync Failed
Summary A validation error occurred while syncing to a remote device
Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)
Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.
Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.
Impact:
The sync of this change may fail on peers.
Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.
643785-1 : diadb crashes if it cannot find pool name
Component: Service Provider
Symptoms:
diadb utility crashes if it cannot find pool name.
Conditions:
-- diadb utility is running.
-- Pool name is not available in the Diameter persistence record.
Impact:
diadb utility crashes.
Workaround:
None.
643768-1 : Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.★
Component: TMOS
Symptoms:
If there are invalid entries in the SNMP allowed-address field, or in the SNMP communities source field, upgrade to v13.0.0 fails to load the configuration on validation of the input, with this error signature:
01070911:3: The requested host (<host-ip-address>) is invalid for allow in snmpd (/Common/snmpd),
Unexpected Error: Loading configuration process failed.
Conditions:
This can happen when upgrading from a release older than 13.0.0, and there is an invalid entry in the SNMP allowed-address field or communities source field, such as:
sys snmp {
    allowed-address { 1.0.0.0/2.0.0.0 "1.1.1.1 2.2.2.2" 3.3.3.3,4.4.4.4 }
    communities {
        /Common/test {
            community-name test
            source 1.0.0.0/foo
        }
    }
}
Impact:
Upgrade to 13.0.0 fails if the configuration contains these invalid values, due to input validation that was added in this version.
Workaround:
Remove the invalid entries from these two fields before upgrading to 13.0.0.
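A pre-upgrade check for this item, added here as an example rather than an F5 tool: it scans a 'sys snmp' stanza (as saved in bigip.conf) and reports allowed-address entries and community source values that are not a single IP address or network, which is what the 13.0.0 validation rejects. The sample stanza is constructed from the invalid values shown above plus a few valid ones; accepting hostnames is not attempted, and that restriction is an assumption of this lint.

```python
import ipaddress
import re
import shlex

# Constructed sample: the invalid entries from this issue, mixed with valid ones
# (not taken from a real device).
SAMPLE_SNMP_CONFIG = '''
sys snmp {
    allowed-address { 127.0.0.0/8 10.1.2.0/255.255.255.0 1.0.0.0/2.0.0.0 "1.1.1.1 2.2.2.2" 3.3.3.3,4.4.4.4 }
    communities {
        /Common/test {
            community-name test
            source 1.0.0.0/foo
        }
        /Common/ok {
            community-name ok
            source 192.0.2.0/24
        }
    }
}
'''


def classify_entry(entry):
    """Return (ok, reason). Accepts one IPv4/IPv6 address, addr/prefixlen or
    addr/dotted-netmask (strict=False tolerates host bits set). Assumption:
    hostnames are not accepted by this check."""
    if ' ' in entry or ',' in entry:
        return False, 'multiple addresses in one entry'
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return False, str(exc)
    return True, ''


def lint_snmp_config(text):
    """Return a list of (field, value, reason) for entries that would fail validation."""
    findings = []
    m = re.search(r'allowed-address\s*\{([^}]*)\}', text)
    if m:
        # shlex keeps a quoted "1.1.1.1 2.2.2.2" as ONE entry, which is how
        # the configuration stores it and why it is invalid.
        for entry in shlex.split(m.group(1)):
            ok, reason = classify_entry(entry)
            if not ok:
                findings.append(('allowed-address', entry, reason))
    in_communities, current = False, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('communities'):
            in_communities = True
        elif in_communities and s.endswith('{'):
            current = s.split()[0]            # e.g. /Common/test
        elif in_communities and s.startswith('source '):
            value = s.split(None, 1)[1]
            ok, reason = classify_entry(value)
            if not ok:
                findings.append((f'communities {current} source', value, reason))
    return findings


if __name__ == '__main__':
    for field, value, reason in lint_snmp_config(SAMPLE_SNMP_CONFIG):
        print(f'{field}: {value!r} -> {reason}')
```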
643459-4 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
Solution Article: K81809012
Component: TMOS
Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to login to the Configuration Utility.
Workaround:
Configure the Reverse Proxy to place the IP address of the BIG-IP in the Referer header.
643210-3 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
Solution Article: K45444280
Component: Local Traffic Manager
Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the deletion of any netHSM keys on the SafeNet HSM.
Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.
Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.
Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.
642923-1 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
Solution Article: K01951295
Component: TMOS
Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.
Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.
There are a number of ways that this issue may manifest.
For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).
*Note: Depending on the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a rough estimate of the number of filestore objects that might cause this issue to occur.
Impact:
mcpd restarts, which causes a system to go offline and restart services.
Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:
modify sys daemon-ha mcpd heartbeat disable
Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.
Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.
To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.
642786-1 : TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.
Solution Article: K01833444
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may drop tunneled traffic destined for it, even though the corresponding tunnel is created correctly.
Conditions:
The local-address of a tunnel resides in a non-default route-domain and the sys db variable 'connection.vlankeyed' is set to 'disable'. Note that the default setting of that sys db variable is 'enable'.
Impact:
The BIG-IP system may drop tunneled traffic.
Workaround:
None.
642422-1 : BFD may not remove dependent static routes when peer sends BFD Admin-Down
Component: TMOS
Symptoms:
As a result of a known issue, the BFD feature used in a dynamic routing configuration may not remove static routes that are configured to be dependent on the liveness of the BFD peer.
Conditions:
- BFD configured and up.
- Static route configured and dependent on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.
Impact:
The static route may not be removed when the peer sets the BFD session to admin-down, and traffic may still be routed over it.
642314-1 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
Solution Article: K24276198
Component: TMOS
Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.
Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.
Impact:
gtm config load failure after upgrade.
Workaround:
Remove trailing dots or set "Domain Validation" to "none".
642039-1 : TMM core when persist is enabled for wideip with certain iRule commands triggered.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV.
Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable persist on wideip.
Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.
641512-5 : DNSSEC key generations fail with lots of invalid SSL traffic
Solution Article: K51064420
Component: Local Traffic Manager
Symptoms:
DNSSEC keys can roll over periodically. This rollover fails, leaving no keys to sign DNSSEC responses (no RRSIG records), when the BIG-IP is handling a lot of SSL traffic with invalid certificates.
The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.
Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include, but are not limited to, a lot of SSL traffic with invalid certificates).
Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.
Workaround:
Restart the TMM after the new key generation is created.
641491-1 : TMM core while running iRule LB::status pool poolname member ip port
Solution Article: K37551222
Component: Local Traffic Manager
Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.
Example iRule syntax:
gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the format 'ip:port' or a virtual server name instead of 'ip port'. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}
2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}
641450-4 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
641273-2 : port-fwd-mode mode configuration object value
Component: Local Traffic Manager
Symptoms:
The port-fwd-mode object value of an interface object is not reset to the default value on loading a UCS.
Conditions:
Saved configuration / UCS must have port-fwd-mode in default (l3) state, and the current configuration must have port-fwd-mode set to "passive" mode.
Impact:
port-fwd-mode will continue to stay in the non-default state of "passive".
Workaround:
Reconfigure the port-fwd-mode to the right value and save the configuration.
641001-2 : BWC: dynamic policy category sees lower bandwidth than expected in Congested policies
Component: TMOS
Symptoms:
When a BWC dynamic policy is configured with a category whose rate is lower than max-user-rate, and the system is congested, the system might experience lower bandwidth than expected and is not able to fill the pipe.
Conditions:
BWC dynamic policy configured with category.
The number of sessions created is greater than max-rate/max-user-rate, utilizing all the policies.
For example: max-rate=10mbps, max user rate=5mbps, cat rate=3mbps.
Impact:
Lower bandwidth is seen.
Workaround:
Configure categories at the same rate as that of max-user-rate.
640924-2 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12), the LED icons on the Edge client's main UI buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.
Conditions:
macOS Sierra (10.12.x) and Edge client application.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
N/A
640903-2 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
Component: Global Traffic Manager (DNS)
Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.
Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.
Impact:
Extremely long page load time.
Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.
640863-1 : Disabling partition selector in DNS Resolver's Forward Zones
Solution Article: K29231946
Component: TMOS
Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.
Conditions:
Having Forward Zones in DNS Resolvers inside different partitions.
Impact:
Changing the partition in the Forward Zones page may error out.
Workaround:
Change the partition in the DNS Resolver List or use tmsh.
640565-2 : Incorrect packet size sent to clone pool member
Solution Article: K11564859
Component: Local Traffic Manager
Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.
Conditions:
Clone pool is configured on a virtual server.
Impact:
Clone pool members may get traffic exceeding the link MTU.
Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
640395-2 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
Component: Local Traffic Manager
Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.
Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.
Impact:
If you are not actually using the spanning feature, there is no impact.
If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.
Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.
Alternatively, you can manually set the spanning property on the virtual addresses as desired (after the upgrade).
640369-1 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.
Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan
TMM may respond directly using the auto-lasthop feature and not via the route lookup.
Impact:
Traffic may not follow the expected path.
639859 : The CPU utilization of MCP can be high on standby box with autodos enabled
Component: Advanced Firewall Manager
Symptoms:
In an active-standby HA setup, with autodos enabled, the CPU utilization of MCP on standby box is high in high stress scenario. For example, the CPU utilization of the standby can be at 80% with 100 virtuals configured.
Conditions:
1. AFM Autodos enabled
2. Large number of virtuals configured
Impact:
Increased CPU utilization by MCP on the standby box.
639619-1 : UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).★
Component: TMOS
Symptoms:
UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).
Conditions:
-- 11.6.0 UCS.
-- AFM configured.
-- Running on VE.
-- DWBL configured.
Impact:
Cannot load UCS or upgrade to 13.0.0.
Workaround:
None.
639505-2 : BGP may not send all configured aggregate routes
Component: TMOS
Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.
Conditions:
- BGP established sessions.
- BGP configuration contains several aggregate routes, one or more being a supernet of others.
Impact:
The aggregate with the shorter prefix (the least specific one) may not be sent to the BGP peer.
639236-4 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
Solution Article: K66947004
Component: Service Provider
Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header with an expires value set to 0 that is not the last attribute.
Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.
Impact:
REGISTER is rejected with a '400 Bad request' error message
Workaround:
None.
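For reference, the parameter order in a Contact header carries no meaning, so a parser has to accept expires=0 wherever it appears. The following is an added example (not the BIG-IP parser's code): a small Contact header parser that handles the name-addr form shown above, multiple comma-separated bindings, and reports which bindings a REGISTER asks to remove (expires=0). The sample header values are constructed; the one from the issue text is used as the first test input.

```python
import re

# Matches: optional display name (quoted or bare) + <uri> + trailing parameters.
_NAME_ADDR = re.compile(r'^(?:"([^"]*)"|([^<]*?))\s*<([^>]+)>(.*)$')


def split_top_level(value, sep):
    """Split on sep, ignoring separators inside <...> or "..." (e.g. commas in a URI)."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == '<':
            depth += 1
        elif not quoted and ch == '>':
            depth -= 1
        if ch == sep and depth == 0 and not quoted:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def parse_contact_entry(entry):
    """Parse one contact binding into {'display_name', 'uri', 'params'}.
    'expires' is converted to int and 'q' to float; a parameter may sit anywhere."""
    entry = entry.strip()
    if entry == '*':
        return {'display_name': '', 'uri': '*', 'params': {}}
    m = _NAME_ADDR.match(entry)
    if m:
        display = m.group(1) if m.group(1) is not None else m.group(2).strip()
        uri, rest = m.group(3), m.group(4)
    else:
        # addr-spec form without angle brackets: the first ';' ends the URI
        uri, _, tail = entry.partition(';')
        display, rest = '', (';' + tail if tail else '')
    params = {}
    for p in split_top_level(rest, ';'):
        name, _, val = p.partition('=')
        params[name.strip().lower()] = val.strip().strip('"') if val else None
    if 'expires' in params:
        if params['expires'] is None or not params['expires'].isdigit():
            raise ValueError(f'bad expires value in Contact: {entry!r}')
        params['expires'] = int(params['expires'])
    if 'q' in params:
        params['q'] = float(params['q'])
    return {'display_name': display, 'uri': uri, 'params': params}


def parse_contact(header_value):
    """Parse a full Contact header value (one or more comma-separated bindings)."""
    return [parse_contact_entry(e) for e in split_top_level(header_value, ',')]


def bindings_to_remove(contacts):
    """URIs whose binding a REGISTER asks to delete (expires=0), in any parameter position."""
    return [c['uri'] for c in contacts if c['params'].get('expires') == 0]


if __name__ == '__main__':
    # Constructed sample values: the header from the issue text and a two-binding header.
    for value in ('<sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1',
                  '"Alice" <sip:alice@192.0.2.10>;q=0.7, <sip:alice@192.0.2.11>;expires=0'):
        contacts = parse_contact(value)
        print(contacts, '-> remove:', bindings_to_remove(contacts))
```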
639039-5 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
Solution Article: K33754014
Component: Local Traffic Manager
Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.
Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.
Impact:
Dynamic routing information is lost and must be relearned.
Workaround:
When using dynamic routing, only change the host name during a maintenance window.
638997-1 : Reboot required after disk size modification in a running BIG-IP VE instance.
Component: TMOS
Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.
- A reboot is required after any such modification of the disk size for the changes to take effect. In previous versions, the reboot happened automatically; on an affected BIG-IP VE it does not.
- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.
Conditions:
Modifying disk size in a running BIG-IP VE instance.
Impact:
Changes in the disk size do not take effect until the BIG-IP system is rebooted.
Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.
638960-1 : A subset of the BIG-IP default profiles can be incorrectly deleted
Component: TMOS
Symptoms:
On the BIG-IP system, default profiles should not be deletable. However, the system incorrectly allows a subset of them to be deleted. Known affected profiles include all default persistence and http profiles.
Conditions:
The issue occurs when someone attempts to delete a susceptible profile via TMSH, iControl SOAP or iControl REST. The issue does not occur when using the WebUI (where susceptible profiles are not selectable for deletion).
Impact:
If a default profile is missing from the configuration, several issues may arise. For instance, the configuration may fail to load or save, and the WebUI may fail to display certain screens.
638893-2 : Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
Component: TMOS
Symptoms:
Error message references solution number instead of Knowledgebase number:
err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.
Conditions:
Incorrectly configure net interface media, e.g.,
modify net interface 1.0 media 100TX-FD
Impact:
Posted message references SOL14556. The Ask F5 site now uses K numbers instead of SOL numbers. At some point, the previously used SOL numbers might no longer redirect, and the information originally in that article would be lost.
Workaround:
View knowledgebase article K14556: Copper 1 Gbps modules configured with media other than the 'auto' setting may not function, https://support.f5.com/csp/article/K14556.
638715-1 : Multiple Diameter monitors to same server ip/port may race on PID file
Solution Article: K77010072
Component: Local Traffic Manager
Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.
Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.
Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.
Workaround:
A possible workaround is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so that a simultaneous probe collision fails one monitor only once, and it succeeds upon retry (three monitor failures are required for a virtual server to be marked down).
638091 : Config sync after changing named pool members can cause mcpd on secondary blades to restart
Component: TMOS
Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:
01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>
Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create
Impact:
Secondary blades do not process traffic as they restart
Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).
To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.
1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.
637979-2 : IPsec over isession not working
Component: TMOS
Symptoms:
User cannot send IPsec encrypted application data traffic through a secured iSession connection, just by configuring symmetric optimization to use IPsec for IP encapsulation.
Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.
Impact:
User is unable to send encrypted traffic using IPsec over the tunnel without additional configuration required for a typical IPSec setup.
Workaround:
Configuration needed for a typical IPsec setup should be made explicitly.
isession encapsulation should be set to "none", and proper IKE-peer, IPsec policy, and traffic selectors should be configured to capture isession traffic between the isession endpoints.
BIG-IP1 GUI:
[Local Endpoint]
Acceleration->Symmetric Optimization : Local Endpoint->Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None
[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints >New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>
[IKE peer]
Network->IPsec : IKE Peers->New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>
[IPsec policy]
Network->IPsec : IPsec Policies->New IPsec Policy…
Name:<isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>
[Traffic selector]
Network ->IPsec : Traffic Selectors ->New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>
BIG-IP2 GUI: Analogous--just swap the local and remote endpoint addresses where they appear above
637827 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
Component: TMOS
Symptoms:
The configuration fails to load with the following message:
01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.
Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.
Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.
Workaround:
Remove the STP interface member 1.0 and reload.
637613-4 : Cluster blade being disabled immediately returns to enabled/green
Solution Article: K24133500
Component: Local Traffic Manager
Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.
Conditions:
This can occur intermittently under these conditions:
- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.
Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.
Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.
636866-2 : OAuth Client/RS secret issue with export/import
Component: Access Policy Manager
Symptoms:
When an access profile with an OAuth Client/RS agent is configured, the OAuth server object has a client secret and/or resource server secret configured.
When such an access profile is exported and then imported, the client secret or resource server secret may not be imported properly.
Conditions:
In the OAuth client/RS use case, when an access profile is configured with an OAuth Client or Scope agent.
Impact:
The APM OAuth client or Scope Agent may not run properly and end up in the fallback branch.
Workaround:
After importing the access profile, the OAuth server object needs to be modified with the proper client secret or resource server secret.
636823-4 : Node name and node address
Component: TMOS
Symptoms:
If you create a node with a name that is an IP address, but the IP address is different from the name, an error can occur when adding the node to a pool.
Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1.
Impact:
When you attempt to add the node to a pool, an error will occur:
Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1
Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.
636348-2 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
Component: Local Traffic Manager
Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example:
01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.
Conditions:
This issue occurs when all the following conditions are met:
- You have multiple BIG-IP systems in a High Availability (HA) configuration.
- You have configured System Gateway Failsafe.
- You reset device trust.
- You attempt to reload the configuration or reboot the device before recreating the device trust.
Impact:
Configuration may fail to load
Workaround:
Remove Gateway Failsafe before resetting device trust
636149-1 : Multiple monitor response codes to single monitor probe failure
Component: Local Traffic Manager
Symptoms:
A probe failure for a monitor (such as HTTP) is logged to '/var/log/ltm' when the probed resource is unavailable. In some cases, when the probe fails with an 'Unable to connect' error, multiple log entries are written, and only the *last* entry is the error that triggered the logging. The other entries are stale: they repeat errors from earlier probes that were already logged.
This is caused by an error in which the 'Could not connect' event appends to a previously stored error message rather than overwriting it.
Conditions:
A monitor probe (such as over HTTP) results in an 'Unable to connect' failure, and that specific monitor previously reported an error (which is now appended).
Impact:
No system behavior is affected, but multiple log entries are written. Only the *final* 'Could not connect' or 'Unable to connect' entry is relevant; the entries immediately above it are stale and not relevant, as they repeat a previous issue that was already logged.
Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' entry, and ignore any entries for that specific monitor that appear immediately above the 'Could not connect' line.
636104 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
Component: Application Visibility and Reporting
Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.
Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.
Impact:
Not seeing the pool member under the HTTP "pool" dimension.
Workaround:
You can define a temporary pool member with the port that is being used (e.g., 80) and delete it afterwards.
Once the member has been defined, it is written to the database and shown from that point on.
This is only a partial workaround, since it must be done for every port used by the traffic.
636031-1 : GUI LTM Monitor Configuration String adding CR for type Oracle
Solution Article: K23313837
Component: TMOS
Symptoms:
If the value entered in the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.
Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.
Impact:
The /config/bigip.conf file contains CR characters in the file.
Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.
635257-3 : Inconsistencies in Gx usage record creation.
Solution Article: K41151808
Component: Policy Enforcement Manager
Symptoms:
Duplicate usage records may be created or expected usage records may be missing.
Conditions:
A subscriber session is associated with the following policies:
1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.
2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.
Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.
Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.
To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.
635233-4 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
Component: Policy Enforcement Manager
Symptoms:
CCR-u or CCR-t sent in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164, etc., even if the AVPs are marked mandatory.
Conditions:
This occurs when the BIG-IP system sends a CCR-u or CCR-t when the specified policy received from PCRF does not exist.
Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164.
Workaround:
None.
634576-2 : TMM core in per-request policy
Solution Article: K48181045
Component: Access Policy Manager
Symptoms:
TMM might core when a per-request policy reaches a reject ending and the server-side flow is not available.
Conditions:
APM or SWG per-request policy with reject ending.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
634369-1 : Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes
Component: Local Traffic Manager
Symptoms:
Bigd crash (SIGABRT) while running iControl REST scripts against monitor configurations with FQDN nodes.
Conditions:
-- Bigd configured with FQDN nodes.
-- iControl REST calls are used to interact with system.
Impact:
Bigd crashes and restarts. Monitoring correctly resumes after the restart period.
Workaround:
None.
634078-3 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero
Component: Service Provider
Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.
Conditions:
This occurs when a message routing SIP profile is in use.
Impact:
Source port is set to 0.
Workaround:
None.
634022-1 : Active Directory authentication with Step-Up-Auth has degraded performance.
Component: Performance
Symptoms:
When using Active Directory to perform Step-Up-Authentication with APM, the number of authentications per second that APM can sustain is lower than what could be achieved with earlier releases. This is observed only on certain high end appliance platforms.
Conditions:
All the following must be true:
- APM is provisioned and configured to provide authentication services via the per-request access policy.
- Active Directory is used as the authentication method.
- A relatively high rate of authentication exists.
- One of the following BIG-IP appliances is in use:
i108xx
i78xx
10xxx
Impact:
Performance in terms of authentications per second is degraded.
Workaround:
None.
633824-1 : Cannot add pool members containing a colon in the node name
Solution Article: K39319200
Component: TMOS
Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g. 10.1.20.10:80), adding the node will fail and you will get an error similar to the following:
0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).
Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon.
Impact:
You are unable to add the node to the pool and will get a validation error.
Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.
633464-3 : Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
Component: Local Traffic Manager
Symptoms:
Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
Conditions:
HTTP/2 profile is attached to the virtual. Content-length header is sent by the server.
Impact:
If a client application requires the content length for HTTP/2, the application does not function as expected.
Workaround:
None.
633413-2 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
Component: TMOS
Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).
Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.
Impact:
The error reports an unrelated IPv4 address.
Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.
633217 : Countries in new DoS visibility tables will appear "N/A" after upgrade★
Component: Application Visibility and Reporting
Symptoms:
After upgrade, countries in new DoS visibility tables will appear "N/A" on dashboard page and on the dimension pane on the right. But if you select an HTTP filter, you can sometimes see the countries on the right.
Conditions:
This occurs after upgrading to version 13.0.0 or later.
Impact:
Countries appear as "N/A" in the DoS visibility page.
Workaround:
No workaround.
633181-2 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
Component: TMOS
Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.
Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR
Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well tolerated but may be incompatible with some CAs.
Workaround:
Use openssl from the bash command line to generate CSRs.
Solution article K14534 contains the appropriate procedure.
633110-3 : Literal tab character in monitor send/receive string causes config load failure, unknown property
Solution Article: K09293022
Component: Local Traffic Manager
Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contain tabs, but the tabs are not escaped when the string is saved to the configuration. This causes the configuration load to fail with this error signature:
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property
Conditions:
This can occur if you copy a monitor send or receive string that contains a tab and paste it into the send/recv string field in tmsh or the GUI.
Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.
Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.
632958-1 : APM MIB gauges not reset on standby device
Component: Access Policy Manager
Symptoms:
The following MIB gauges are not reset after the device transitions from active to standby:
F5-BIG-IP-APM-MIB::apmAccessStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmAccessStatCurrentEndedSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentPendingSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentCompletedSessions
Conditions:
After a failover occurs.
Impact:
Since these gauges represent current session counts, an administrator may not be able to identify the active device by looking at them.
632731 : specific external logging configuration can cause TMM service restart
Component: Advanced Firewall Manager
Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.
Conditions:
The problem is seen when all the following conditions match:
1. External Logging server configured for ACL rule match.
2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).
3. The forwarded logging destination connection causes a crash in TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use one of the following workarounds:
-- Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the Forwarding Virtual.
632723-2 : tmm core with remote logging pool in non-zero route domain
Solution Article: K05079458
Component: Advanced Firewall Manager
Symptoms:
tmm cores every minute with a security log profile set to send log messages to pool members in a different route domain.
Conditions:
Remote logging pool configured, and the pool members are in a non-zero route domain that is different than that of the forwarding virtual.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the logging pool members are in the zero route domain.
631316-3 : Unable to load config with client-SSL profile error★
Solution Article: K62532020
Component: TMOS
Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'
Conditions:
This occurs when both of the following conditions are met:
-- The system is loading config.
-- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:
cert-key-chain {
cert /Common/default.crt <==== default cert
chain /Common/chainCA.crt <==== non-empty
key /Common/default.key <==== default key
rsa {
cert /Common/default.crt <==== default cert
chain /Common/chainCA.crt <==== non-empty
key /Common/default.key <==== default key
}
}
Impact:
Configuration can not be loaded.
Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.
Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:
cert-key-chain {
cert /Common/kc.crt <==== changed to non-default
chain /Common/chainCA.crt
key /Common/kc.key <==== changed to non-default
rsa {
cert /Common/kc.crt <==== changed to non-default
chain /Common/chainCA.crt
key /Common/kc.key <==== changed to non-default
}
}
4. Save your changes, and then run the following command:
tmsh load sys conf
631172-1 : GUI user logged off when idle for 30 minutes, even when longer timeout is set
Component: TMOS
Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.
Conditions:
User logged in to gui and idle for 20-30 minutes
Impact:
User is logged out of the GUI.
Workaround:
None.
629915 : Cannot login with Firefox and IE after toggling between wireless and wired networks.
Component: TMOS
Symptoms:
Cannot log into BIG-IP's Web GUI on Firefox and Microsoft Internet Explorer (IE) for the first 3-5 attempts after toggling the host computer's network between wireless and wired connections.
Conditions:
Using Firefox or IE browsers.
Toggling between a wired and wireless network connections.
Impact:
BIG-IP shows a "login failed" page in the Web UI. The user cannot log in with correct credentials for 3-5 attempts. Note: The number of attempts may be timing-dependent.
Workaround:
Use any of the following options:
-- Use a Chrome browser.
-- Do not toggle between different networks for internet access (i.e., wired and wireless).
-- Keep trying to log on (i.e., try more than five times, or for a few minutes after toggling between networks).
-- Restart the browser.
-- Clear cookies.
629178-2 : Incorrect initial size of connection flow-control window
Solution Article: K42206046
Component: Local Traffic Manager
Symptoms:
When a client establishes an HTTP/2 connection, both endpoints can later update the connection flow-control window, but its initial size must be 65,535. BIG-IP erroneously sets it immediately to the configured value instead. The resulting discrepancy in window-size accounting can cause the client's requests to be cancelled.
Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).
Impact:
BIG-IP sends the peer a WINDOW_UPDATE frame for the connection once a certain threshold is reached. This does not happen when receive-window is set above 79 (Kilobytes). If a client then sends a large request (e.g., a POST with a large amount of data), the stream is reset with an HTTP/2 RST_STREAM frame, cancelling the request.
Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).
628016-1 : MP_JOIN always fails if MPTCP never receives payload data
Component: Local Traffic Manager
Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.
Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.
Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.
Workaround:
There is no workaround at this time.
627760-4 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
Component: TMOS
Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.
Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.
Impact:
No DNSSEC key of that name is present on FIPS card.
Workaround:
None.
626589-5 : iControl-SOAP prints beyond log buffer
Solution Article: K73230273
Component: TMOS
Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.
Conditions:
Logging for iControl SOAP is turned on with trace level.
Impact:
iControl-SOAP can write garbage log entries to /var/log/ltm and can potentially become unstable by reading beyond a buffer.
Workaround:
Do not enable trace-level logging (it is off by default).
625428-2 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
Component: TMOS
Symptoms:
The F5 BIG-IP local mib has the wrong value definitions for
F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
allowed(0),disallowed(1)
instead of
disabled(0),enabled(1)
Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.
Impact:
Information mismatch
625165-1 : Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.
Component: Access Policy Manager
Symptoms:
Routes to local DNS servers that were added because of the 'Allow local DNS' option in the Network Access configuration are not removed when the network changes after the VPN is established.
Conditions:
- 'Allow local DNS' option is selected in Network Access config.
- BIG-IP administrator changes the network configuration after VPN is connected.
Impact:
If the BIG-IP administrator changes the network after a VPN is connected, and if DNS servers have changed, then routes to old DNS servers (which may or may not be reachable) will be left in the routing table.
Workaround:
None.
625098-7 : SCTP::local_port iRule not supported in MRF events
Component: Service Provider
Symptoms:
SCTP::local_port iRule not supported in MRF events
Conditions:
MRF events such as MR_INGRESS, MR_EGRESS, and MR_FAILED are used.
Impact:
SCTP::local_port won't work under MR events.
624909-1 : Static route create validation is less stringent than static route delete validation
Component: TMOS
Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.
Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.
Impact:
Unable to delete certain self-IPs.
Workaround:
In order to delete the self-IPs you can either:
1) Delete the static route, or
2) Create a self-IP on the same interface that uses the same IP protocol as the static route.
624692-4 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
Component: TMOS
Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.
Conditions:
Certificate with multi-byte encoded strings.
Impact:
Unable to view certificate list page or view certificate information via iControl/REST.
624635-1 : BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012
Component: TMOS
Symptoms:
BIG-IP doesn't support more than 4 NICs.
As a result of this issue, you may encounter the following symptoms:
- BIG-IP boot time is increased.
- No more than 4 NICs are attached to TMM.
- In the /var/log/boot.log file, you observe messages similar to the following examples:
+ info plymouthd: udev still not settled. Waiting.udevd[367]: worker [380] unexpectedly returned with status 0x0100
+ info plymouthd: udevd[367]: worker [380] failed while handling '/devices/LNXSYSTM:00/device:00/PNP0A03:00/device:08/VMBUS:01/vmbus_11'
+ info plymouthd: udevd[367]: worker [373] unexpectedly returned with status 0x0100
RHEL 7.2 (or newer) guests are similarly affected, so this issue is not unique to BIG-IP 7.2 kernels.
The issue is not reproduced on Hyper-V on Windows Server 2012 R2.
Conditions:
This issue occurs when all of the following conditions are met:
- Your hypervisor version is Hyper-V on Windows Server 2012.
- You have more than 4 NICs attached to BIG-IP.
Impact:
BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012.
Workaround:
None.
624626-4 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
Component: TMOS
Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:
01020036:3: The requested Certificate File (/Common/example.crt) was not found
Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.
Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.
Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys, with commands similar to the following example:
tmsh delete sys crypto cert example
tmsh delete sys crypto key example
624231-3 : No flow control when using content-insertion with compression
Component: Policy Enforcement Manager
Symptoms:
Packets can get queued in PEM and cause a performance impact.
In some cases it can cause memory corruption.
Conditions:
This issue can happen when there are many connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.
Impact:
Performance impact to flows and possible system crash.
Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.
624155-3 : MRF Per-Client mode connections unable to return responses if used by another client connection
Component: Service Provider
Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (responses or requests) received from the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).
Conditions:
The connection from the client closes and the client connects again.
Impact:
Messages from the new client connection are routed using the previously created outgoing connection, but messages received from the server are forwarded to the original client connection, which is closed. These messages fail to be delivered.
Workaround:
None.
624044-2 : LTM monitor custom recv/send/recv-disable parameters that end with a backslash may fail to load★
Solution Article: K42806722
Component: Local Traffic Manager
Symptoms:
If LTM monitor configuration parameters have custom strings that end with backslash, the saved configuration will fail to load.
Conditions:
Any of the "recv", "send", or "recv-disable" parameters ends with a backslash, and the configuration is saved.
Impact:
The new configuration fails upon reload.
Workaround:
Do not end custom strings with backslashes.
623536-7 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
Component: TMOS
Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, the SNMP traps that should notify of RSTs sent because maintenance mode is on are not sent.
Conditions:
-- Reset cause logging and maintenance mode are enabled.
-- An SNMP trap destination is configured and routable.
Impact:
SNMP traps are not sent.
Workaround:
Adding a custom trap to /config/user_alert.conf, with the parentheses and slashes escaped, works around the issue:
alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}
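Before relying on a custom alert, it is worth proving that its pattern fires on a real reset-cause line. The following check is an added example, not part of the release note or of alertd: it runs the escaped pattern from the stanza above, and the same pattern with the backslashes removed, against a constructed log line. The line follows the "RST sent from <src> to <dst>, [<flow-id>] <reason>" shape (an assumption about the exact format), and grep -E stands in for alertd's matcher, which treats an unescaped "(" the same way, as a group rather than a literal parenthesis.

```shell
# Added example: validate an alert regex against a sample reset-cause line.
# Constructed log line (not captured from a unit); the reason text is the one the
# user_alert.conf stanza is meant to match.
SAMPLE_LINE='RST sent from 10.0.0.10:80 to 10.0.0.20:51234, [0x1a2b3c:9] Maintenance mode (all VIP/SNAT/Proxy connections disabled)'

# The pattern as written in the stanza above, and the same pattern without escapes.
ESCAPED='RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)'
UNESCAPED='RST sent from (.*) Maintenance mode (all VIP/SNAT/Proxy connections disabled)'

# Exit 0 when $2 matches the extended regex $1, 1 otherwise. stderr is silenced because
# newer GNU grep warns about the "\/" escape while still matching it as a literal "/".
matches() { printf '%s\n' "$2" | grep -Eq -- "$1" 2>/dev/null; }

# Report the outcome as a word so scripts (and the check below) can compare it.
check_pattern() { if matches "$1" "$SAMPLE_LINE"; then echo match; else echo nomatch; fi; }
escaped_result()   { check_pattern "$ESCAPED"; }
unescaped_result() { check_pattern "$UNESCAPED"; }

# In the unescaped form "(all VIP/SNAT/Proxy connections disabled)" is a capture group,
# so the regex only matches a line that has the reason WITHOUT parentheses, which the
# logged message never is: the trap silently never fires.
```

The unescaped pattern returns "nomatch" for the constructed line while the escaped one returns "match", which is the failure mode the symptom describes: the alert definition looks plausible but never triggers.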
623084-5 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★
Component: Local Traffic Manager
Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration has a DHCP virtual server configured using any profile that is not /Common/udp.
The following message appears in /var/log/ltm:
01070095:3: Virtual server /Common/dhcp_relay-p-rd101 lists incompatible profiles.
This is because the profile in this case is /Common/fastL4 and is not 'converted' to a DHCP profile.
Conditions:
-- A pre-11.6.0 configuration.
-- DHCP-type virtual server configured with a profile other than /Common/udp.
-- Upgrade to 11.6.0 or later.
Impact:
mcpd fails to load the configuration. The BIG-IP system will not be operational until the configuration is changed and loaded.
Workaround:
Before the upgrade, change the profile to /Common/udp.
If you have already upgraded, manually edit the bigip.conf file to change the profile to /Common/udp, then load the configuration using the following command: tmsh load /sys config
622619-6 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
Component: TMOS
Symptoms:
mcpd CPU utilization is high, rendering it unresponsive.
Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.
Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.
Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.
621314-4 : SCTP virtual server with mirroring may cause excessive memory use on standby device
Solution Article: K55358710
Component: TMOS
Symptoms:
If an SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.
Conditions:
SCTP virtual server has mirroring enabled.
Impact:
TMMs have high memory usage on the standby device.
Workaround:
Disable mirroring on the SCTP virtual server.
621158-4 : f5vpn does not close upon closing session
Component: Access Policy Manager
Symptoms:
f5vpn does not close upon closing session.
Conditions:
-- Network Access is started and connected to the BIG-IP system using a browser.
-- The 'Logout' button on the webtop is clicked.
Impact:
The session closes. The Network Access window does not close, but instead remains in the disconnected state.
Workaround:
None.
620954-4 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
Component: TMOS
Symptoms:
Contention for the /var/log/pam/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example: open a connection using basic authentication, perform a query (for example, get node list, get virtual address list, or set pool min active members), then close the connection. If this is done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent authentication failure results in users not being able to log in.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.
620556-2 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
Component: Local Traffic Manager
Symptoms:
Fragmented packets may be transmitted to the clone pool members of a virtual server that is also forwarding its traffic to another virtual server.
Conditions:
One virtual server is configured to forward traffic to another one using an iRule, for example:
when CLIENT_ACCEPTED {
virtual another_virtual
}
This forwarding virtual server also has a clone pool configured.
Impact:
Fragmented packets are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.
620529-1 : Changes to routing table are not prohibited even when access to local networks is disallowed in Network Access configuration
Component: Access Policy Manager
Symptoms:
When administrator disallows access to local networks in Network Access configuration, "Prohibit routing table changes during Network Access connection" is not enabled automatically.
Conditions:
Administrator disallows access to local networks in Network Access configuration.
Impact:
End user may gain access to local networks after VPN is established by either:
1) Modifying routing table
OR
2) Roaming to a different network.
Workaround:
In network access configuration, make sure that "Prohibit routing table changes during Network Access connection" is checked if "Allow local subnet" option is unchecked.
619873-1 : Secure Vault: Key cleanup for 5000- and 7000-series platforms★
Component: TMOS
Symptoms:
An outdated, unused unit key is left on 5000- and 7000-series platforms after upgrade from an older version to v13.0.0.
Conditions:
-- Running on 5000- and 7000-series platforms.
-- Upgrading from a version earlier than v13.0.0 to v13.0.0.
-- Installing v13.0.0 hotfixes
Impact:
1) Unit key on disk is preferred over unit key in hardware.
2) Potential config load failures when upgrading from pre-v13.0.0 to v13.0.0, or installing v13.0.0 hotfixes on these devices.
Workaround:
NOTE: Impacts only 5000- and 7000-series platforms.
On or before upgrade to v13.0.0 or its associated hotfixes, perform the following procedure:
1) Set master key to a known value:
tmsh modify sys crypto master-key prompt-for-password
2) Save config:
tmsh save sys config
3) Remove the old unit key:
rm /config/bigip/kstore/.unitkey
4) Load config:
tmsh load sys config
5) Save config:
tmsh save sys config
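The five steps above only help if they run in order and stop when one of them fails (a failed load after the unit key has been removed is not a state to continue from). The script below is an added example, not F5's own tooling: it runs the workaround as written, stopping at the first failing step, and defaults to a dry-run that only prints the commands. It assumes tmsh is on PATH and the unit-key path quoted in the workaround; it does not detect the platform, so confirm the unit is a 5000- or 7000-series appliance before running it with DRY_RUN=0.

```shell
# Added example: the unit-key cleanup procedure as an ordered, fail-fast script.
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands only; 0 = execute them
UNITKEY=/config/bigip/kstore/.unitkey       # path from the workaround

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1-5 from the workaround. Step 1 prompts interactively for the new master key;
# record that value in your password vault before continuing. The && chain stops at the
# first step that returns non-zero, so a failed load never gets followed by a save.
secure_vault_cleanup() {
    run tmsh modify sys crypto master-key prompt-for-password &&
    run tmsh save sys config &&
    run rm "$UNITKEY" &&
    run tmsh load sys config &&
    run tmsh save sys config
}

# Guard for real runs: if the on-disk unit key is already absent there is nothing to
# clean up, and running the procedure would only re-key the device.
secure_vault_cleanup_guarded() {
    if [ "$DRY_RUN" != 1 ] && [ ! -f "$UNITKEY" ]; then
        echo "no $UNITKEY on this unit; nothing to clean up" >&2
        return 2
    fi
    secure_vault_cleanup
}
```

Run it once with the default DRY_RUN=1 to review the five commands, then with DRY_RUN=0 on the console. Because step 1 changes the master key, remember that devices in a device group must share the same master key for config sync of encrypted fields to work; set the same key on the peers before the next sync.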
619844-3 : Packet leak if reject command is used in FLOW_INIT rule
Component: Local Traffic Manager
Symptoms:
TMM memory usage (packets) increases steadily over time.
Conditions:
The 'reject' command is used in a FLOW_INIT iRule.
Impact:
Packet leak over time will consume TMM memory.
Workaround:
Do not use the reject command in a FLOW_INIT iRule.
619397-2 : LCD shows error screen on boot or after license expires
Solution Article: K04055706
Component: Device Management
Symptoms:
The LCD on BIG-IP iSeries appliances may display an error screen.
Conditions:
This occurs if the appliance has just finished booting, or if the license has just expired.
Impact:
This may cause an unexpected error and subsequent navigation back to the LCD splash page.
Workaround:
Wait one minute and try to navigate the LCD screens again. If the system has already been licensed and is in the 'Active' state, subsequent attempts should work.
619071-5 : OneConnect with verified accept issues
Component: Local Traffic Manager
Symptoms:
System may experience an outage.
Conditions:
-- Verified Accept is enabled in the TCP profile.
-- Hardware SYN cookies are enabled.
-- A OneConnect profile is attached to the virtual server.
-- The SYN cookie threshold is crossed.
Impact:
System outage.
Workaround:
Disable Verified Accept when OneConnect is used on a virtual server.
618884-5 : Behavior when using VLAN-Group and STP
Component: Local Traffic Manager
Symptoms:
ICMP response traffic may not be seen when using ping within the same VLAN while STP mode is configured.
Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.
Note: This issue is specific to soft-switched platforms.
Impact:
May not see ICMP response traffic.
Workaround:
None.
618595 : Duplicate SQL monitors updating pool member status incorrectly
Solution Article: K88501407
Component: Local Traffic Manager
Symptoms:
If you have two identical SQL monitors, this can cause pool members to be incorrectly marked down.
Conditions:
This occurs if you have more than one identical SQL monitor for a pool.
Impact:
Pool members may be incorrectly marked down.
Workaround:
Ensure you only have one SQL monitor associated with a pool.
618463-4 : An artificially low route MTU can cause a SIGSEGV core from monitor traffic
Component: Local Traffic Manager
Symptoms:
When a monitor instance targets an address reachable via a route with an artificially low MTU, tmm can crash repeatedly.
Conditions:
A monitor instance targets an address reachable via a route with an artificially low route MTU.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure the correct MTU on the route.
618420-1 : IE browser fails to establish VPN and throws error "Failed to initialize local Tunnel Server" sporadically
Component: Access Policy Manager
Symptoms:
IE browser fails to establish VPN with error "Failed to initialize local Tunnel Server" sporadically because of a race condition in the code.
Conditions:
-- Internet Explorer.
-- Network Access with a DTLS connection.
-- Tunnel server.
Impact:
The VPN cannot be established from IE 100% of the time.
618222-1 : Loop detection implementation logic violates branch parameter compliance with RFC 3261
Component: Service Provider
Symptoms:
Branch parameter compliance with RFC 3261 dictates that the ACK for a non-2xx response has the same branch ID as the INVITE whose response it acknowledges.
However, on the BIG-IP system, if loop detection is enabled, the branch parameter value differs.
Conditions:
This occurs when loop detection flag is enabled in the sipsession object.
Impact:
The branch parameter values of the INVITE and of the ACK for a non-2xx response differ even though they are part of the same transaction. This violates RFC 3261.
Workaround:
Disable the loop detection flag in the sipsession object.
617578 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware
Component: TMOS
Symptoms:
On a BIG-IP system provisioned with LTM only, the RADIUS profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and the Configuration utility.
Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.
Impact:
On a device that does not have PEM licensed:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
app-service none
defaults-from radiusLB
}
However, viewing the profile in the Configuration utility (Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware) shows the following Settings, with the state of the Custom checkbox for each:
Persist Attribute: disabled
Subscriber Discovery: enabled
Client Spec: disabled
Protocol Profile (_sys_radius_proto_imsi): enabled
On a device that does not have PEM licensed, the Protocol Profile should be set to None but shows as enabled.
617324-1 : Service health calculation creates unjustified CPU utilization
Component: Anomaly Detection Services
Symptoms:
When ASM is provisioned, service health is calculated and published to all virtual servers with a security profile, even if stress-based detection is not configured.
Conditions:
AFM is provisioned and hundreds of virtual servers are configured with a security profile.
Impact:
High CPU utilization
Workaround:
None.
616021-6 : Name Validation missing for some GTM objects
Solution Article: K93089152
Component: TMOS
Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.
The following GTM objects are susceptible to this control character issue:
gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool
Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.
Note: This has been reproduced only with the ^M character within quotation marks, as shown in the following example:
create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only
Impact:
Causes the config to fail to load.
Workaround:
Remove control characters prior to creating GTM objects.
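Because the failure only shows up at load time, the useful check is one that runs before the load. The following is an added example, not part of the release note: it scans a GTM configuration file for lines carrying control characters, renders them visibly, and strips carriage returns (the ^M case reproduced above) as the cleanup. The sample file is constructed in a temporary directory; on a unit the check would be pointed at /config/bigip_gtm.conf (assumed path of the saved GTM configuration).

```shell
# Added example: pre-load scan for control characters in GTM object names.

# Print "<line>:<text>" for every line containing a control character other than TAB/LF,
# with the character rendered visibly (e.g. ^M) by cat -v. $1 = config file.
find_ctrl_lines() {
    ctrl=$(printf '\001-\010\013-\037\177')     # bytes 0x01-0x08, 0x0b-0x1f, 0x7f
    LC_ALL=C grep -n "[$ctrl]" "$1" | LC_ALL=C cat -v
}

# Number of offending lines; 0 means the file is safe to load as far as this check goes.
count_ctrl_lines() { find_ctrl_lines "$1" | awk 'END { print NR }'; }

# Cleanup for the reproduced case: drop carriage returns. $1 = input file, $2 = output file.
strip_cr() { tr -d '\r' < "$1" > "$2"; }

# Constructed sample: a datacenter whose name embeds ^M, and a server that references it,
# which is exactly the referencing pattern that makes the load fail.
make_sample() {
    dir=$(mktemp -d)
    f="$dir/bigip_gtm.conf"
    printf 'gtm datacenter /Common/dc1 { }\n' > "$f"
    printf 'gtm datacenter "/Common/start\rend" { }\n' >> "$f"
    printf 'gtm server /Common/test {\n    addresses { 1.2.3.4 { } }\n    datacenter "/Common/start\rend"\n}\n' >> "$f"
    echo "$f"
}
```

The scan deliberately excludes TAB and LF so that indentation and line endings do not trigger it; everything else in the control range, including DEL, is reported. After strip_cr the count drops to zero for the reproduced case; other control characters would need the offending object renamed, since there is no safe generic substitution.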
615303-3 : bigd crash with Tcl monitors
Solution Article: K47381511
Component: Local Traffic Manager
Symptoms:
bigd crashes after logging an error similar to the following:
emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream
Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.
-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.
-- May be particularly likely if the monitor is configured with an interval value of 1 second.
Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).
Impact:
bigd crashes and logs error messages.
Possible interruption of monitoring status, pool members going down, interruption of traffic.
Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.
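To find the monitors this applies to across a configuration rather than one at a time, the following audit is an added example, not part of the release note. It reads the one-line output of tmsh list ltm monitor ftp one-line all-properties (and smtp, pop3, imap), assumed to print one monitor per line as "ltm monitor <type> <name> { ... interval N ... timeout N ... }", and flags every Tcl monitor with a 1-second interval or a timeout below 3*interval+1, printing the corrected values. The sample input is constructed, not captured from a unit.

```shell
# Added example: audit FTP/SMTP/POP3/IMAP monitors for the timing that triggers the bigd crash.

# Read one-line monitor listings on stdin; print one line per monitor that needs a change.
audit_tcl_monitors() {
    awk '
        $1 == "ltm" && $2 == "monitor" &&
        ($3 == "ftp" || $3 == "smtp" || $3 == "pop3" || $3 == "imap") {
            name = $4; interval = ""; timeout = ""
            for (i = 5; i < NF; i++) {
                if ($i == "interval") interval = $(i + 1)
                if ($i == "timeout")  timeout  = $(i + 1)
            }
            if (interval == "" || timeout == "") next    # inherited values need all-properties
            iv = interval + 0; to = timeout + 0
            rec_iv = (iv < 2) ? 2 : iv                   # never poll a Tcl monitor every second
            rec_to = 3 * rec_iv + 1                      # F5 convention: timeout = 3*interval + 1
            if (iv < 2 || to < 3 * iv + 1)
                printf "%s %s interval=%d timeout=%d -> set interval %d timeout %d\n",
                       $3, name, iv, to, rec_iv, rec_to
        }'
}

# Constructed sample: a 1-second monitor, a compliant one, one with a short timeout, and a
# non-Tcl (http) monitor that must be ignored even though its timing is the same.
SAMPLE_MONITORS='ltm monitor ftp /Common/ftp_fast { defaults-from /Common/ftp interval 1 timeout 4 }
ltm monitor smtp /Common/smtp_ok { defaults-from /Common/smtp interval 10 timeout 31 }
ltm monitor imap /Common/imap_short { defaults-from /Common/imap interval 5 timeout 10 }
ltm monitor http /Common/http_1s { defaults-from /Common/http interval 1 timeout 4 }'

sample_audit() { printf '%s\n' "$SAMPLE_MONITORS" | audit_tcl_monitors; }

# On a unit:
#   for t in ftp smtp pop3 imap; do tmsh list ltm monitor $t one-line all-properties; done | audit_tcl_monitors
```

Each reported line maps directly onto a fix, for example tmsh modify ltm monitor ftp /Common/ftp_fast interval 2 timeout 7. Monitors that only inherit their timing from a parent are skipped unless all-properties is used, which is why the lead-in asks for it.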
615222-2 : GTM configuration fails to load when it has gslb pool with members containing more than one ":"★
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers or GTM servers containing a colon ":" in their name throw errors when you attempt to use them as a GTM pool member through tmsh. If created through TMUI, and the configuration is then saved and loaded, the same error is thrown.
Example error:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.
Conditions:
1. Create virtual server of format <IP>:<PORT>.
2. Attempt to add this virtual server as a GTM Pool Member
Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.
Workaround:
None.
614702-3 : Race condition when using SSL Orchestrator can cause TMM to core
Solution Article: K24172560
Component: Local Traffic Manager
Symptoms:
When running SSL Forward Proxy in the SSL Orchestrator environment, tmm may crash.
Conditions:
This race condition occurs only when running SSL Orchestrator with large numbers of connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
612086 : Virtual server CPU stats can be above 100%
Solution Article: K32857340
Component: TMOS
Symptoms:
The CPU usage is reported as above 100%.
Conditions:
It is not known exactly what triggers this.
Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.
Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.
611724-1 : LTM v11.5.4 HF1 iApp folders removed on partition load
Component: TMOS
Symptoms:
Folder is missing after loading partition.
Conditions:
Must have configured a folder, saved the partition, and then loaded the partition.
Impact:
Unable to restore iApp configuration saved from particular partition.
Workaround:
Save and load the entire configuration, or manually add the missing folder to the partition config being loaded.
610436-2 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.
Solution Article: K13222132
Component: Access Policy Manager
Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.
Conditions:
* Windows 10.
* Client system is connected to two networks.
* Both networks have the same DNS server address.
* Before VPN establishment interface with lower index is disconnected.
* After VPN establishment interface with lower index is reconnected.
Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.
Workaround:
To work around this issue, add the following registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient
with the DWORD value EnableMultiHomedRouteConflicts set to 0. This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.
Important: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.
609967-1 : qkview missing some HugePage memory data
Solution Article: K55424912
Component: TMOS
Symptoms:
Some HugePage status data is missing from qkview if /proc/meminfo does not list a units column for the HugePage data.
Conditions:
/proc/meminfo file does not list units for HugePage data.
Impact:
HugePage data is missing from qkview diagnostics file.
Workaround:
Separately provide /proc/meminfo file.
606799-5 : GUI total number of records not correctly initialized with search string on several pages.
Solution Article: K16703796
Component: TMOS
Symptoms:
GUI total number of records not correctly initialized with search string on several pages.
Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.
Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.
Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.
605891 : Enable ASM option disappears from L7 policy actions
Component: TMOS
Symptoms:
ASM cannot be enabled if 'Application Security Manager' is used in the license string instead of 'ASM'.
Conditions:
'Application Security Manager' is used in the license string instead of 'ASM'.
Impact:
The ASM module cannot be enabled using the GUI under certain licenses where ASM is licensed.
Workaround:
Enable ASM using tmsh instead of the GUI.
605840-6 : HSB receive failure lockup due to unreceived loopback packets
Component: TMOS
Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***
Conditions:
Unknown.
Impact:
The unit is rebooted.
Workaround:
None.
603380-7 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
Component: Local Traffic Manager
Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.
Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.
Impact:
You will see messages similar to the following in /var/log/ltm.
err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort
Workaround:
None.
602708-3 : Traffic may not pass through CoS by default
Solution Article: K84837413
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, traffic being forwarded by TMM may not pass through the CoS value it was received with.
Conditions:
-- IP forwarding virtual server.
-- Traffic received with a priority other than 3.
Impact:
Traffic is set to priority 3 and may cause issues on other networking devices.
Workaround:
Create a default Class of Service configuration or apply QoS settings in the FastL4 profile.
602390-3 : Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Solution Article: K87506901
Component: TMOS
Symptoms:
Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Conditions:
Customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Impact:
Only English-language characters can be used to customize these fields.
Workaround:
None.
602074-1 : Management.KeyCertificate.get_certificate_validator() doesn't throw not-found exception when a given certificate doesn't exist.
Solution Article: K46583034
Component: TMOS
Symptoms:
The iControl SOAP call get_certificate_validator() is supposed to return the certificate validators of the given certificates. The issue is that when a user passes a non-existent certificate to the function, it returns empty strings [[]] instead of raising the exception for the non-existent certificate.
Conditions:
When the iControl SOAP function get_certificate_validator() is called to get the certificate validators' names for the given certificates.
Impact:
The impact should be limited. Since the function returns empty strings [[]] for a non-existing certificate, from the output the user is unable to distinguish whether the certificate is non-existing or the certificate has no certificate-validators configured.
Workaround:
None.
601727 : Some FQDN nodes are not correctly created
Component: Local Traffic Manager
Symptoms:
When an FQDN node resolves to multiple addresses, the nodes for the resolved-addresses may not be correctly created.
Conditions:
-- An FQDN node resolves to multiple addresses in an address pool.
-- The DNS resolution gives a subset of the addresses in the pool instead of returning all the addresses.
Impact:
Depending on which subset of addresses DNS resolution returns, nodes for some addresses may disappear from the BIG-IP system.
Workaround:
Set up the DNS server to always return all the addresses. In other words, DNS information needs to be stable and complete to be used as a source for auto-populate.
600458-1 : TCP resets occurring under high load
Component: Performance
Symptoms:
When a BIG-IP system is under high load, a large number of TCP resets occurs. This affects flow teardown only. Some of those resets are due to spurious retransmissions of client or server FINs; some are due to ePVA reordering the client's final ACK with the FIN.
Conditions:
A BIG-IP is under a high load.
Impact:
Possible minimal performance loss.
Workaround:
Configure a small time-wait, for example, 0.5.
599567-2 : APM assumes snat automap, does not use snat pool
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as an RDP gateway), the SNAT pool setting is not honored.
A SNAT configuration of "None" also does not work; the virtual server always behaves as if it is configured with Automap.
Conditions:
SNAT pool configured, APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN self IP address is used instead of the SNAT pool addresses.
599048-5 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
Component: Local Traffic Manager
Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.
Conditions:
Use of the OCSP Stapling feature.
Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server, and therefore helps ensure that a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if a single connection to the OCSP server sporadically fails: the BIG-IP system quickly tries again, and clients that receive a non-stapled SSL ServerHello can perform their own validation of the returned SSL certificate.
Workaround:
None
598707-2 : Path MTU does not work in self-IP flows
Component: Local Traffic Manager
Symptoms:
While performing an Update Check, the network connection fails. Path MTU discovery is not working in self-IP-initiated flows.
Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check)
Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.
598650-5 : apache-ssl-cert objects do not support certificate bundles
Component: TMOS
Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle results in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.
Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.
Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.
598437-2 : SNMP process monitoring is incorrect for tmm and bigd
Component: TMOS
Symptoms:
The default configuration for SNMP process monitoring causes an error of "Too many bigd running", and "No tmm process running".
snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running
Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".
The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.
Impact:
SNMP monitoring of system health incorrectly reports error conditions.
Workaround:
For the 'bigd' problem, the administrator can change the process-monitor max-processes to allow for more instances of "bigd". For example:
(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }
max-processes should be set to the same value as the sys db variable bigd.numprocs, or to "infinity" if that variable is set to "0", which allows bigd to dynamically adjust the number of processes.
For the tmm process count:
(tmos)# modify sys snmp process-monitors modify { tmm { process tmm.0 max-processes 1 } }
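The bigd value has to track the db variable, so hard-coding "infinity" is only right when bigd.numprocs is 0. The script below is an added example, not F5's own code: it reads the variable, maps it to the max-processes argument exactly as the workaround describes, and prints (or, with DRY_RUN=0, applies) both process-monitor changes. It assumes the db variable is named bigd.numprocs and that tmsh list sys db bigd.numprocs value prints a block containing a line of the form value "N"; the listing piped in below is constructed.

```shell
# Added example: set the SNMP process-monitor limits from bigd.numprocs.
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the tmsh commands only; 0 = run them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Map bigd.numprocs to the max-processes argument: 0 means bigd sizes itself, so the
# monitor must allow any count; any other number is the fixed count. Reject anything else
# rather than silently configuring a bogus limit.
bigd_max_processes() {
    case "$1" in
        0)            echo infinity ;;
        ''|*[!0-9]*)  echo "unexpected bigd.numprocs value: '$1'" >&2; return 1 ;;
        *)            echo "$1" ;;
    esac
}

# Pull the quoted value out of the tmsh db listing on stdin (line: value "N").
numprocs_from_listing() { awk '$1 == "value" { gsub(/"/, "", $2); print $2; exit }'; }

# Read the listing on stdin so the logic can be exercised without tmsh; on a unit:
#   tmsh list sys db bigd.numprocs value | fix_process_monitors
fix_process_monitors() {
    n=$(numprocs_from_listing)
    max=$(bigd_max_processes "$n") || return 1
    run tmsh modify sys snmp process-monitors modify { bigd { max-processes "$max" } } &&
    run tmsh modify sys snmp process-monitors modify { tmm { process tmm.0 max-processes 1 } }
}
```

After applying the change, re-run the snmpwalk from the Symptoms section; the two prErrMessage entries should be gone. Remember to repeat the bigd step if bigd.numprocs is later changed, since the monitor limit does not follow it automatically.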
596020-4 : Devices in a device-group may report out-of-sync after one of the devices is rebooted
Component: TMOS
Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.
As a result of this issue, you may encounter the following symptoms:
- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.
Conditions:
This issue occurs when all of the following conditions are met:
- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator), you modify the configuration, triggering the devices to become out of sync.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.
Impact:
After the reboot, the devices report out-of-sync.
Note: This issue is purely cosmetic; no configuration is lost as result of this issue.
Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.
Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.
594751-2 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
Solution Article: K90535529
Component: Local Traffic Manager
Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.
Conditions:
1. LLDP is enabled globally and per interface.
2. Interfaces are added to a trunk after it has already been assigned to a VLAN.
For instance, assume the following sequence is followed when creating an LLDP trunk:
tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }
The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.
Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.
Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.
If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
bigstart restart lldpd
594064-4 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.
Workaround:
Specify a filter that also matches serverside traffic (for example, include the pool member addresses as 'host <addr>').
593845-2 : VE interface limit
Solution Article: K24093205
Component: TMOS
Symptoms:
TMM fails to start.
Conditions:
More than 10 interfaces assigned to Virtual Edition (VE).
Impact:
BIG-IP fails to pass traffic as TMM fails to load successfully.
Workaround:
Make sure VE is assigned 10 or fewer interfaces.
592503 : TMM 'timer' device does not report 'busy' for non-priority timers.
Component: Local Traffic Manager
Symptoms:
A discrepancy in CPU utilization reporting can be observed between different utilities or reporting systems (for example, top, tmctl, SNMP, and the performance graphs in the GUI).
Specifically, some utilities may report that TMM hyperthreads are 100% busy, while others indicate that TMM instances are only moderately busy.
In this case, the utilities or systems reporting the higher CPU utilization are correct.
Conditions:
This issue has been seen extremely rarely, as it requires some other edge condition to also be occurring (TMM firing non-priority timers in a looping manner).
Impact:
A BIG-IP Administrator monitoring CPU utilization on the system may be confused about how busy TMM actually is.
Although the main impacted system here is the tmm/stat tmctl table, these values are also exposed via the sysTmmStatTmUsageRatio5s MIB (which is more likely to be monitored by a BIG-IP Administrator).
Workaround:
Refer to utilities such as 'top' to monitor the CPU utilization of TMM hyperthreads.
591732-1 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
When the authentication source is set to a remote type, the local password policy is not enforced: any non-default password-policy setting is ignored for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if minimum-length is set to 12, a local user's password can be set to fewer than 12 characters.
Likewise, even if max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None.
590415-2 : Partition can be removed when remote role info entries refer to it
Component: TMOS
Symptoms:
If a remote-role info entry refers to a partition, the partition can still be deleted and the role-info entry is not modified. Once this configuration is saved, subsequent loads fail with an error like the following:
01070829:5: Input error: Invalid partition ID request, partition does not exist (your-partition-name)
Conditions:
A partition has been deleted, but the remote role configuration still names the partition.
Impact:
Configuration load fails.
Workaround:
Before removing a partition, ensure that any role-info entries mentioning the partition are also removed.
If you already have encountered a failure to load such a configuration, edit /config/bigip.conf to remove the offending entries in "auth remote-role".
589856-3 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
Component: TMOS
Symptoms:
When two iControl REST clients using the same username create transactions at the same time, they can receive the same transaction ID. Both clients then operate on the same transaction, and execution of both is disrupted.
Conditions:
Two requests to create a transaction arrive close together in time.
Impact:
Transaction semantics are not followed, and unintended errors may occur.
588929-3 : SCTP emits 'address conflict detected' log messages during failover
Component: TMOS
Symptoms:
The system may advertise, on the client-side, SCTP alternate addresses that are in a route-domain different from that of the virtual server.
Conditions:
Configuring an SCTP virtual server with alternate-addresses that are not in the correct route domain.
Impact:
No impact to traffic processing. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.
Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.
588794-3 : Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
Component: TMOS
Symptoms:
SCTP alternate addresses may be advertised on the server-side that are in a route-domain that is different from that of the virtual server.
Conditions:
Alternate-addresses are configured on an SCTP virtual server that aren't in the correct route domain.
Impact:
There is no impact to traffic processing. Alternate-addresses will be advertised even though they are not in the correct domain. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.
Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.
588771-3 : SCTP needs traffic-group validation for server-side client alternate addresses
Component: TMOS
Symptoms:
Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.
Conditions:
When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.
Impact:
Some of the paths advertised during SCTP association establishment are unusable. A conformant SCTP implementation on the server side should test and disregard these paths, so traffic is not affected.
587821 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Solution Article: K91818030
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
586938-5 : Standby device will respond to the ARP of the SCTP multihoming alternate address
Solution Article: K57360106
Component: TMOS
Symptoms:
When an SCTP connection is established, the router sends an ARP request for the client-side multihoming alternate address, and the standby device replies to the request as well as the active device.
Conditions:
When an SCTP profile has at least one alternate-address configured and is used in a high availability (HA) configuration, this issue manifests.
Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multihoming function fails because the alternate connection cannot be established on the standby device.
Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.
586621 : SQL monitors 'count' config value does not work as expected.
Solution Article: K36008344
Component: Local Traffic Manager
Symptoms:
SQL monitors 'count' config value does not work as expected.
Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is reused before it is disconnected. However, in this release the value is not recorded correctly.
Impact:
SQL monitor might use a 'count' value that is incorrect.
Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.
585043-1 : Question mark prevents TMSH from loading configuration file
Component: TMOS
Symptoms:
When TMSH loads the system configuration, if any property has the value ? (question mark), the load fails.
Conditions:
-- TMSH is used to load the configuration.
-- A string or vector-of-string property has ? as its value.
-- The ? is a stand-alone value: it has no characters before or after it and is not part of a longer string.
Impact:
TMSH fails to load the system configuration file.
Workaround:
None.
584504-3 : Allowing non-English characters on login screen
Solution Article: K36912228
Component: TMOS
Symptoms:
Passwords can be set containing non-English characters, but login with such a password fails.
Conditions:
Passwords contain non-English characters.
Impact:
Users entering these characters on the login screen are unable to log in.
Workaround:
Make sure passwords contain only English characters.
583930-1 : VE supports only 2 NUMA domains
Component: TMOS
Symptoms:
VMware ESX version 5.5 and greater can expose NUMA topology to guests, sometimes exposing more NUMA nodes than the two that Virtual Edition (VE) supports. This causes a TMM core, with the following error message in /var/log/tmm:
sys_get_numa_info: <N> exceeds max nodes of 2
Conditions:
-- VE running on VMware ESX 5.5 or greater.
-- 16 vCPUs configured.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
In VMware ESX, modify the guest hardware configuration to present a maximum of two sockets to the VE guest.
For example, if you configure an 8 CPU VM, set Cores per Socket to 4.
583306 : Using management port as config sync address might allow its deletion.
Component: TMOS
Symptoms:
If the management IP address is used as the config sync address, it can later be deleted without error. This causes problems in several places (updating the sys_device, adding devices to the trust, and so on).
Conditions:
The management IP address is configured as the config sync address.
Impact:
The management IP address can be deleted.
Workaround:
None, other than not deleting the management IP address while it is configured as the config sync address.
583084-4 : iControl produces 404 error while creating records successfully
Solution Article: K15101680
Component: TMOS
Symptoms:
iControl returns a 404 error even though the GTM topology record is created successfully.
Conditions:
Creating a GTM topology record via iControl without using the full path.
Impact:
The result code does not match the actual result.
Workaround:
Use the full path when creating a GTM topology record via iControl.
582606 : IPv6 downloads stall when NA IPv4&IPv6 is used.
Component: Access Policy Manager
Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.
Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource.
Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.
Workaround:
Disabling large receive offload may mitigate the issue. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
582595-4 : default-node-monitor is reset to none for HA configuration.
Solution Article: K52029952
Component: TMOS
Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.
Conditions:
Scenario #1
Upgrade an HA active/standby configuration and reboot the standby,
where the configuration consists of the following:
* ltm node with a monitor.
* ltm default-node-monitor with a different monitor.
Scenario #2
Given an HA active/standby configuration with an ltm default-node-monitor configured, set the device-group sync-leader.
Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.
Workaround:
Reconfigure a default-node-monitor.
582331 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
581851 : mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade
Solution Article: K16234725
Component: TMOS
Symptoms:
MCPD on secondary blades restarts with a configuration error.
Conditions:
This issue affects clustered systems only (VIPRION or vCMP guest).
The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.
Impact:
Secondary blades restart services, resulting in performance degradation or failover.
Workaround:
None.
580697-1 : VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch.
Component: TMOS
Symptoms:
After an FPGA firmware switch on VIPRION 2200 platforms without a system reboot, some internal HiGig ports might not operate properly.
Conditions:
Using tmsh or GUI to switch FPGA firmware on VIPRION 2200 platforms.
Impact:
This might result in the system not handling traffic properly.
Workaround:
After any FPGA firmware switch, reboot the entire chassis by running the following command: clsh reboot
579760 : HSL::send may fail to resume after log server pool member goes down/up
Solution Article: K55703840
Component: TMOS
Symptoms:
High speed logging (HSL): asymmetric bandwidth loss might result in no bandwidth tracking.
Conditions:
This occurs if the log server pool has only a single member, and that member goes down and comes back up while HSL::send is being invoked during traffic processing.
Impact:
For a period of time after the logging node comes back up, HSL::send messages are not sent to the log server. Sometimes it never recovers and TMM must be restarted.
Workaround:
If possible, configure log server pools with multiple members to avoid this condition.
579252 : Traffic can be directed to a less specific virtual during virtual modification
Component: Local Traffic Manager
Symptoms:
Traffic can be directed to a less specific virtual server while a virtual server is being modified. It can also be dropped if there is no less specific virtual server.
Conditions:
net self external-ipv4 {
address 10.124.0.19/16
traffic-group traffic-group-local-only
vlan external
}
net self internal-ipv4 {
address 10.125.0.19/16
traffic-group traffic-group-local-only
vlan internal
}
ltm pool redirect-echo {
members { 10.125.0.17:7 }
}
ltm virtual fw {
description "less-specific virtual"
destination 10.125.0.0:any
ip-forward
mask 255.255.255.0
profiles { fastL4 }
translate-address disabled
translate-port disabled
vlans-disabled
}
ltm virtual redirect-echo {
description "enable/disable this one"
destination 10.125.0.20:echo
ip-protocol udp
mask 255.255.255.255
pool redirect-echo
profiles { udp }
vlans { external }
vlans-enabled
}
Impact:
Traffic can be directed to a less specific virtual server.
Workaround:
No known workaround other than applying configuration changes in a way that avoids doing so on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing, or using a maintenance window, are common ways to separate production traffic from configuration changes.
575372-4 : BIG-IQ Discovery may fail due to an invalid passphrase.
Component: TMOS
Symptoms:
BIG-IQ Local Traffic & Management discovery may fail due to an invalid passphrase. Log messages might include the error: Failed to transform secure field value.
Conditions:
-- The BIG-IP systems are configured in a DSC configuration.
-- There is one or more profiles configured with a passphrase.
Impact:
As a result, the LTM service cannot be managed for that BIG-IP system.
Workaround:
Run the following command on the BIG-IP system:
bigstart restart restjavad
574160-8 : Publishing DNS statistics if only Global Traffic and AVR are provisioned
Component: Application Visibility and Reporting
Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.
Conditions:
LTM is not provisioned.
Impact:
The DNS chart does not show statistics.
572111-1 : Rate shaper drop policy sometimes show value is zero which is equivalent of default value
Component: Local Traffic Manager
Symptoms:
The default values for a drop policy's max-threshold and min-threshold elements may display as '0' under some circumstances and as their actual values under others. This can lead to the values being displayed differently on config-sync peers even though the traffic group shows in sync (internally, the actual non-zero default is always used, so no configuration mismatch is detected). This causes confusion.
Conditions:
This occurs when using rate-shaping drop policies.
Impact:
Confusion when a value changes from zero to something else after another value is changed.
Workaround:
None needed.
571727-2 : 'force-full-load-push' is not tab expandable
Solution Article: K52707821
Component: TMOS
Symptoms:
The 'force-full-load-push' option for 'run cm config-sync' is not tab expandable unless it's the first option given.
Conditions:
This is encountered when trying to use tab complete in tmsh for the 'run cm config-sync' command.
Impact:
The keyword 'force-full-load-push' has to be typed out in full or used as the first option.
Workaround:
Use 'force-full-load-push' as the first option, or type it out in full.
571622 : "Exceeding pool member limit" error with FQDN pool members and non-LTM license
Component: Local Traffic Manager
Symptoms:
When configuring FQDN pool members on a BIG-IP system with a license that does not include the LTM module, an error similar to the following may be logged by mcpd:
01071732:3: Exceeding pool member limit (3). Cannot add pool member to pool:(/Common/pool_name).
Conditions:
This may occur if:
1. The active BIG-IP license does not include the LTM module. Specifically, the active license defines a pool member limit (ltm_lb_pool_member_limit) other than 'unlimited'. This currently applies to AFM, APM and ASM licenses.
2. FQDN pool members are configured with 'autopopulate' set to 'enabled'.
Under these conditions, the ephemeral FQDN pool members are counted against the pool member limit (ltm_lb_pool_member_limit) defined in the LTM license.
Impact:
Unable to configure FQDN pool members with autopopulate enabled on BIG-IP system without an LTM license.
Workaround:
To work around this issue:
1.a. Configure FQDN pool members with autopopulate disabled; and
1.b. Do not attempt to configure more pool members than are permitted by the active license.
OR
2. Add the LTM module to the license configuration.
571333-7 : fastL4 TCP handshake timeout not honored for offloaded flows
Solution Article: K36155089
Component: TMOS
Symptoms:
When a virtual server uses a fastL4 profile with full acceleration enabled and the offload state set to 'embryonic', and a flow is offloaded to hardware, the connection idle timeout during the TCP handshake is set to the profile's 'idle timeout' value instead of its 'tcp handshake timeout' value.
Conditions:
-- Virtual server is configured with a fastl4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.
Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.
Workaround:
Set the offload state to 'established'.
570281 : Cannot modify 'ip-address' attribute of static ARP / NDP entries
Component: Local Traffic Manager
Symptoms:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry results in the following error:
Syntax Error: 'ip-address' may not be specified in the context of the 'modify' command. 'ip-address' may be specified using the following commands: create, list, show
Conditions:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry.
Impact:
Note: Starting in 11.6.0, the 'ip-address' attribute of an ARP/NDP record can no longer be modified. This is as-designed functionality. However, the BIG-IQ SCVMM plugin fails to work properly as a result, which might impact some configurations. For example, when the LTM gateway device is running versions later than 11.5.3, it could fail because the syntax that worked in 11.5.3 no longer works in 11.6.0 and later.
Workaround:
None.
567490-1 : db.proxy.__iter__ value is overwritten if it's manually set
Component: TMOS
Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When changing the value using tmsh or iControl, the db.proxy.__iter__ value is overwritten when subsequently viewing the value in the GUI.
Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.
Impact:
BIND Forwarder Server List values do not persist.
Workaround:
Use the GUI to change the BIND Forwarder Server List values.
565603 : Large number of static arp entries on a BIG-IP system
Component: TMOS
Symptoms:
Many static ARP entries for the 127.20.x.x network are present for the 'tmm_bp' device on a running BIG-IP system. They appear in any command that displays the kernel ARP table, such as 'arp'.
Conditions:
-- Any platform with any set of modules provisioned.
-- Running a command that displays the kernel arp table (for example, the 'arp' command).
Impact:
This is a cosmetic issue only. 'arp -an' will return over 520 entries.
Workaround:
None needed. This is cosmetic.
563905-3 : vCMP guest fails to go Active after the host system is rebooted
Solution Article: K62975642
Component: TMOS
Symptoms:
A vCMP guest fails to go Active after the host system is rebooted. When this occurs, the system posts the following message: confpp[9184]: rollback FAILED for 'unix_config_syslog'
Conditions:
The host of a vCMP guest is rebooted.
Impact:
The guest will not become active.
Workaround:
None.
563689-1 : ZebOS configuration cannot be loaded via imish when service password-encryption is set
Component: Local Traffic Manager
Symptoms:
When "service password-encryption" is configured in ZebOS, encrypted passwords cannot be loaded through imish. imish will print "% Invalid input detected at '^' marker." and the password will not be loaded.
Conditions:
Dynamic routing is configured with "service password-encryption" in the ZebOS configuration file or running configuration, and "imish -f <file>" is run or an encrypted password is pasted into imish.
Impact:
The ZebOS configuration is loaded incompletely.
Workaround:
The configuration is read properly if tmrouted is restarted. Restarting tmrouted interrupts all dynamic routing.
Alternatively, the configuration can be loaded without restarting tmrouted by configuring the cleartext passwords manually. They are encrypted when the configuration is saved.
562267 : FQDN nodes do not support monitor alias destinations.
Component: Local Traffic Manager
Symptoms:
FQDN nodes do not support monitor alias destinations.
Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.
Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.
Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.
558893-4 : TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT
Component: Local Traffic Manager
Symptoms:
TMM may fail to forward FTP data connections when PORT/EPRT commands are used in succession referring to the same IP/PORT.
Conditions:
An FTP virtual server is configured with an FTP profile that has inherit-parent-profile disabled.
A client sends an EPRT command and then a PORT command referring to the same IP/port.
Impact:
TMM may reset the connection in some cases.
Workaround:
Change the ftp profile to enable the inherit-parent-profile option.
552444-3 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
Component: Access Policy Manager
Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable whose value is received from LDAP/AD.
Conditions:
The drive mapping is received from LDAP/AD and contains a double backslash in the path, e.g. "\\server\path".
Impact:
Dynamic drive mapping may not function.
Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive mapping, assign a variable and strip the extra backslashes added by APM:
homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]
550739-3 : TMSH mv virtual command will cause iRules on the virtual to be dis-associated
Component: TMOS
Symptoms:
After renaming a virtual server that has attached iRules, the resulting virtual server configuration in tmm no longer has the iRules attached. The configuration in mcpd does not match the running configuration in tmm.
Conditions:
The 'mv' command is used on an ltm virtual that has iRules attached.
Impact:
Configuration is not as expected.
Workaround:
After moving the virtual, remove the iRules on it and re-add them.
549927-1 : iRule validation does not check RULE_INIT/virtual are disallowed in proc calling
Component: Local Traffic Manager
Symptoms:
iRule validation does not reject a proc that uses the virtual command when the proc is called from RULE_INIT.
Conditions:
Under the RULE_INIT event, a proc that uses the virtual command is called.
Impact:
Validation passes when it should not.
Workaround:
Do not call the virtual command inside a proc.
547692-4 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Component: Access Policy Manager
Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both ports are blocked, the BIG-IP system cannot set the password of the machine account it creates. In addition, the BIG-IP system fails to report this failure to the administrator.
The machine account is created via LDAP (with Kerberos GSS-API SASL binding), so the account itself exists in Active Directory, but without the correct password. Because the KPASSWD failure is not reported, the domain join appears to have succeeded.
However, since the password is never set on the Active Directory side, the machine account is effectively unusable: the BIG-IP system can never establish a working SCHANNEL with the Active Directory server because of the password mismatch.
The failure is obscured on both sides: the Active Directory server never receives the KPASSWD request and therefore logs no failure, the administrator is not permitted to set the machine account password manually, and the BIG-IP system does not detect the KPASSWD failure, so from the administrator's point of view the domain join worked perfectly.
Conditions:
Of the DNS, LDAP, Kerberos, and KPASSWD services required for the domain join operation, only KPASSWD is blocked.
Impact:
The created machine account is effectively unusable due to the password mismatch, and the BIG-IP system can never establish a working SCHANNEL, so NTLM authentication does not work.
Workaround:
Allow KPASSWD traffic to reach the Active Directory server.
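Because the BIG-IP system reports success even when KPASSWD is filtered, the reachability of the required services is worth checking before the domain join. The following Python pre-flight check is an added example, not F5 code and not part of the release notes. Only tcp/464 and udp/464 are stated on the page; the ports for DNS, LDAP and Kerberos are the standard ones and are assumptions, as are the hostname dc.example.test and the simulated_firewall helper, which stands in for a real connection so the script runs offline.

```python
"""Pre-flight reachability check for the domain-join dependencies described above."""
import socket

# TCP ports probed. The page states only tcp/464 and udp/464 for KPASSWD; the others are
# the standard ports for DNS, LDAP and Kerberos (assumed).
DOMAIN_JOIN_TCP_PORTS = {"dns": 53, "kerberos": 88, "ldap": 389, "kpasswd": 464}


def tcp_reachable(host, port, timeout=3.0, connect=socket.create_connection):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def domain_join_preflight(dc_host, connect=socket.create_connection):
    """Probe each required TCP service on the domain controller; {service: reachable}.
    A connect() probe cannot verify udp/464: if only udp/464 is blocked, the silent
    failure described above can still occur."""
    return {svc: tcp_reachable(dc_host, port, connect=connect)
            for svc, port in DOMAIN_JOIN_TCP_PORTS.items()}


def blocked_services(results):
    """Names of the services that were not reachable, sorted."""
    return sorted(svc for svc, ok in results.items() if not ok)


def simulated_firewall(blocked_ports):
    """Hypothetical stand-in for socket.create_connection so the check runs offline:
    connections to blocked_ports are refused, everything else 'connects'."""
    class _Conn:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def connect(address, timeout=None):
        if address[1] in blocked_ports:
            raise ConnectionRefusedError(f"port {address[1]} filtered")
        return _Conn()

    return connect


if __name__ == "__main__":
    # Reproduce the page's condition: only KPASSWD is blocked.
    results = domain_join_preflight("dc.example.test", connect=simulated_firewall({464}))
    missing = blocked_services(results)
    print("blocked:", missing)
    if "kpasswd" in missing:
        print("do not join: the machine account would be created without a usable password")
```

Against a real domain controller, call domain_join_preflight with the default connect argument; any service listed by blocked_services, and kpasswd in particular, should be fixed on the firewall before the join is attempted, since the join itself will not tell you.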
542347-3 : Denied message in audit log on first time boot
Component: TMOS
Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:
type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.
Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.
Impact:
This error message is benign and can be ignored.
Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.
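Because this denial is benign only in its exact form, it should be suppressed precisely rather than by ignoring all AVC records. The following Python triage filter is an added example, not F5 code and not part of the release notes. The first sample line is the one quoted above; the other sample lines are constructed to exercise the filter and are not from a real BIG-IP system.

```python
"""Triage of SELinux AVC lines in /var/log/audit.log: suppress only the first-boot
'lastlog' denial described above and keep everything else for review."""
import re

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input. The first line is the one quoted on the page; the rest are constructed.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" '
    'name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1440786377.593:32): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1440786380.101:33): avc: denied { execute } for pid=5930 comm="login" '
    'name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1440786390.500:40): avc: denied { read } for pid=6100 comm="sshd" '
    'name="shadow" dev=md2 ino=77 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"').rstrip(".")
    return rec


def selinux_type(context):
    """Extract the type component from user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def is_known_benign(rec):
    """Match only the exact first-boot denial: login reading/writing lastlog as
    local_login_t against var_log_t. Anything broader would hide real denials."""
    return (
        rec["verdict"] == "denied"
        and set(rec["perms"]) <= {"read", "write"}
        and rec.get("comm") == "login"
        and rec.get("name") == "lastlog"
        and rec.get("tclass") == "file"
        and selinux_type(rec.get("scontext", "")) == "local_login_t"
        and selinux_type(rec.get("tcontext", "")) == "var_log_t"
    )


def triage(lines):
    """Split AVC records into (suppressed, escalate); non-AVC lines are ignored."""
    suppressed, escalate = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        (suppressed if is_known_benign(rec) else escalate).append(rec)
    return suppressed, escalate


if __name__ == "__main__":
    quiet, loud = triage(SAMPLE_AUDIT_LINES)
    print(f"suppressed {len(quiet)} known-benign record(s)")
    for rec in loud:
        print(f"REVIEW serial={rec['serial']} comm={rec.get('comm')} "
              f"name={rec.get('name')} perms={rec['perms']}")
```

The filter keys on source type, target type, object class, command and file name together; a denial that differs in any of these (for example the same file with an execute permission, or another daemon reading shadow) is still escalated.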
539026-4 : Stats refinements for reporting Unhandled Query Actions :: Drops
Component: Local Traffic Manager
Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error
but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors
Drops refers to dropped packets for the whole system, not specifically to Unhandled Query Actions. It would be clearer to have one dropped-packets statistic for the system and another specifically for Unhandled Query Actions, and to add a statistic for Allow under Unhandled.
Conditions:
Statistics pages for Unhandled Query Actions :: Drops.
Impact:
May be confusing to determine what the statistics mean.
Workaround:
None.
535717 : Password history is not enforced when root, Administrator, or User Manager changes another user's password
Component: TMOS
Symptoms:
When logged in as root, or as a user with Administrator or User Manager role, an attempt to change a user's password will succeed, even if the new password is in password history. (An ordinary user changing their own password will be prevented from making this change.)
Conditions:
The password-memory field of auth password-policy is set to a nonzero value.
Impact:
Privileged users might circumvent the password history restriction.
Workaround:
To mitigate this, you should only permit management access to BIG-IP systems over a secure network, and limit shell access to trusted users.
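The following Python script, an added example that is not F5 code and not part of the release notes, audits a unit's saved `tmsh list auth password-policy` and `tmsh list auth source` output for both this issue and 591732 above (local policy ignored when the auth source is remote). The defaults it compares against are limited to the values the notes state (minimum-length 6, max-duration 99999) plus an assumed default of 0 for password-memory; the remote auth source type names and the sample output are constructed assumptions rather than output captured from a device.

```python
"""Offline audit of the two BIG-IP local-password-policy issues described above."""

# Defaults the page states: minimum-length 6, max-duration 99999. The password-memory
# default of 0 is assumed from the page's phrase "set to nonzero value".
DEFAULT_POLICY = {"minimum-length": "6", "max-duration": "99999", "password-memory": "0"}
# Remote auth source types the page names; the tmsh spellings are assumed.
REMOTE_AUTH_TYPES = {"ldap", "active-directory", "radius", "tacacs"}

# Constructed sample of `tmsh list auth password-policy` and `tmsh list auth source`
# output, not captured from a real unit.
SAMPLE_POLICY = """
auth password-policy {
    max-duration 90
    minimum-length 12
    password-memory 5
}
"""
SAMPLE_SOURCE = """
auth source {
    type ldap
}
"""


def parse_tmsh(text):
    """Parse `tmsh list` brace output (one property per line) into nested dicts.
    A header such as 'auth password-policy' becomes a single dict key."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        else:
            key, _, value = line.partition(" ")
            cur[key] = value.strip().strip('"') or None
    return root


def non_default_settings(policy):
    """Settings that differ from the defaults this script knows about."""
    return {k: v for k, v in policy.items() if k in DEFAULT_POLICY and v != DEFAULT_POLICY[k]}


def audit_password_policy(policy_text, source_text):
    """Return finding strings for issues 591732 and 535717; empty list if neither applies."""
    policy = parse_tmsh(policy_text).get("auth password-policy", {})
    source = parse_tmsh(source_text).get("auth source", {})
    findings = []
    changed = non_default_settings(policy)
    auth_type = source.get("type", "local")
    if changed and auth_type in REMOTE_AUTH_TYPES:
        findings.append(
            f"591732: auth source type is '{auth_type}', so non-default policy "
            f"{changed} is not enforced for local users")
    if policy.get("password-memory", "0") != "0":
        findings.append(
            "535717: password-memory is set, but root, Administrator and User Manager "
            "password changes for other users bypass the history check")
    return findings


if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_POLICY, SAMPLE_SOURCE):
        print(finding)
```

On a real unit, feed the two functions the actual tmsh output. A 591732 finding means local accounts are governed by the remote source's policy, not the local one; a 535717 finding means privileged password changes for other users should be reviewed rather than assumed to honor password-memory.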
530927-7 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
Component: TMOS
Symptoms:
If a trunk is created from interfaces that are configured below their maximum speed (e.g., 100 Mbps full duplex on 1GbE links), adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.
Conditions:
Interfaces are configured at a lower speed than their capacity.
A trunk is created in which the highest speed of any member is this reduced speed.
Another interface, also set to the lower speed, is added to the trunk.
Impact:
Interface cannot be added to the trunk.
Workaround:
Remove all interfaces and re-add them all at the same time.
530530-5 : tmsh sys log filter displays in UTC time
Component: TMOS
Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.
Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:
Filter logs by hour.
Filter logs for less than 8 hours.
Impact:
tmsh does not filter the log correctly with 'range' filter.
Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.
528314 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh
Solution Article: K16816
Component: TMOS
Symptoms:
Using the CLI to generate new default certificate and key pairs for BIG-IP ssl profiles is not reflected in the GUI or in tmsh.
Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.
Impact:
After the renewal, tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default.
Workaround:
Perform a force reload of mcpd by running the following commands:
-- touch /service/mcpd/forceload
-- tmsh restart sys service mcpd
528295-11 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
Solution Article: K40735404
Component: TMOS
Symptoms:
A 10.x UCS contains LTM virtual servers with ARP set to disabled. Loading that UCS on an 11.4.x or later system causes the ARP and ICMP echo setting values to be flipped each time the load occurs.
Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.
Impact:
ARP and ICMP echo setting value being flipped each time the load occurs. Note that the ICMP echo virtual field will be flipped even if ARP is enabled.
Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.
527720-6 : Rare 'No LopCmd reply match found' error in getLopReg
Component: TMOS
Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.
This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.
Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.
Workaround:
None.
527119-5 : Iframe document body could be null after iframe creation in rewritten document.
Component: Access Policy Manager
Symptoms:
End users report being unable to use certain page elements in Chrome (such as the Portal Access menu), and it appears that JavaScript has not properly initialized.
Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
iframe.contentDocument.write(html);
iframe.contentDocument.close();
<any operation with iframe.contentDocument.body>
One of the applications known to contain such code and to fail after APM rewriting is the TinyMCE editor.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
523985-1 : Certificate bundle summary information does not propagate to device group peers
Component: TMOS
Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.
Conditions:
A certificate file is created in a folder synced to a device group.
Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.
Workaround:
None.
523814-1 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
Component: Local Traffic Manager
Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.
Clients that use HTTP/1.1 will result in fewer serverside connections being reused.
Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.
Alternately, an iRule that down-steps the HTTP request version to HTTP/1.0
Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.
Inconsistent behavior as a result of client HTTP version.
Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.
523797-1 : Upgrade: file path failure for process name attribute in snmp.★
Component: TMOS
Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.
Conditions:
Upgrade from 10.x to 11.5.1 or later.
Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.
Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.
520877-2 : Alerts sent by the lcdwarn utility are not shown in tmsh
Component: TMOS
Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.
The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.
Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.
Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.
This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.
Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.
Workaround:
None. This is a cosmetic issue.
517829 : BIG-IP system resets client without sending error report when certificate is revoked
Solution Article: K16803
Component: TMOS
Symptoms:
When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts.
Conditions:
BIG-IP system configured for OCSP authentication.
Impact:
Client connections are reset without sending SSL error alerts.
Workaround:
Use the following iRule for the OCSP authentication profile instead of the system-supplied iRule:
when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] == 0} {
        return
    }
    set ssl_version [SSL::cipher version]
    set tmm_auth_ssl_ocsp_done 0
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}
when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}
when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        array set tmm_auth_response_data [AUTH::response_data]
        if {$tmm_auth_status == 0} {
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        } elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} {
            # Map the negotiated protocol to its TLS record-layer version bytes
            if { $ssl_version equals "TLSv1.2" } {
                set hex_version "0303"
            } elseif { $ssl_version equals "TLSv1.1" } {
                set hex_version "0302"
            } elseif { $ssl_version equals "TLSv1.0" } {
                set hex_version "0301"
            } else {
                reject
            }
            # Alert record: content type 0x15, version, body length 2,
            # level 0x02 (fatal), description 0x2C (certificate_revoked)
            set hex_response "15${hex_version}0002022C"
            set bin_response [binary format H* $hex_response]
            TCP::respond "$bin_response"
            TCP::close
        } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} {
            reject
        }
    }
}
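As an added illustration (not part of the release note or F5's iRule), the following C code builds the same 7-byte TLS alert record the workaround iRule sends for a revoked certificate and parses it back, checking the record framing; the function and struct names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not F5 code. Builds and parses the TLS alert record that
 * the workaround iRule emits when OCSP reports a revoked client certificate. */

#define TLS_RECORD_ALERT        0x15  /* ContentType: alert */
#define TLS_ALERT_WARNING       0x01  /* AlertLevel: warning */
#define TLS_ALERT_FATAL         0x02  /* AlertLevel: fatal */
#define TLS_ALERT_CERT_REVOKED  0x2C  /* AlertDescription: certificate_revoked (44) */

struct tls_alert {
    uint8_t version_major;
    uint8_t version_minor;
    uint8_t level;
    uint8_t description;
};

/* Mirrors the iRule's version switch. Returns the 7-byte record length, or 0
 * for a protocol version the iRule does not handle (where it just rejects). */
size_t build_revoked_alert(const char *ssl_version, uint8_t out[7]) {
    uint8_t minor;
    if (strcmp(ssl_version, "TLSv1.2") == 0)      minor = 0x03;
    else if (strcmp(ssl_version, "TLSv1.1") == 0) minor = 0x02;
    else if (strcmp(ssl_version, "TLSv1.0") == 0) minor = 0x01;
    else return 0;
    out[0] = TLS_RECORD_ALERT;
    out[1] = 0x03;   /* major version byte shared by all TLS 1.x versions */
    out[2] = minor;
    out[3] = 0x00;   /* record body length, big-endian: an alert body is 2 bytes */
    out[4] = 0x02;
    out[5] = TLS_ALERT_FATAL;
    out[6] = TLS_ALERT_CERT_REVOKED;
    return 7;
}

/* Parses an alert record. Returns 1 when the framing is consistent (filling
 * *a when non-NULL), 0 for anything malformed: wrong content type, a record
 * version other than TLS 1.0-1.2, a length field that disagrees with the
 * buffer, or an unknown alert level. */
int parse_alert(const uint8_t *rec, size_t len, struct tls_alert *a) {
    if (len < 7 || rec[0] != TLS_RECORD_ALERT) return 0;
    if (rec[1] != 0x03 || rec[2] < 0x01 || rec[2] > 0x03) return 0;
    size_t body = ((size_t)rec[3] << 8) | rec[4];
    if (body != 2 || len != 5 + body) return 0;
    if (rec[5] != TLS_ALERT_WARNING && rec[5] != TLS_ALERT_FATAL) return 0;
    if (a) {
        a->version_major = rec[1];
        a->version_minor = rec[2];
        a->level = rec[5];
        a->description = rec[6];
    }
    return 1;
}

/* Round trip: build the record for the given version, parse it, and return
 * the alert description, or -1 when the version is unsupported or the
 * parser rejects the record. */
int roundtrip_description(const char *ssl_version) {
    uint8_t rec[7];
    struct tls_alert a;
    if (build_revoked_alert(ssl_version, rec) != 7) return -1;
    if (!parse_alert(rec, sizeof rec, &a)) return -1;
    return a.description;
}

int main(void) {
    uint8_t rec[7];
    size_t n = build_revoked_alert("TLSv1.2", rec);
    /* Print the record as hex for comparison with the iRule's hex_response */
    for (size_t i = 0; i < n; i++) printf("%02X", rec[i]);
    printf("\n");
    return 0;
}
```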
517609-4 : GTM Monitor Needs Special Escape Character Treatment
Solution Article: K77005041
Component: Global Traffic Manager (DNS)
Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.
Conditions:
Any running GTM monitor.
Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.
Workaround:
When escaping a regular expression metacharacter, a \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.
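Added example, not from the release note: this C code models the workaround by turning each typed \x5C into a real backslash before compiling the expression as a POSIX ERE (the engine class the article's [:digit:] advice implies; an assumption), and shows why the escaped period matters and why a POSIX class is written inside a bracket expression, as [[:digit:]]. The function names and the sample response line are constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Added example, not F5 code. gtm_unescape() stands in for the GUI's
 * handling of the \x5C substitute: each literal "\x5C" (or "\x5c") in the
 * expression as typed becomes one backslash in the compiled pattern. */
static void gtm_unescape(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    while (*in != '\0' && o + 1 < outlen) {
        if (strncmp(in, "\\x5C", 4) == 0 || strncmp(in, "\\x5c", 4) == 0) {
            out[o++] = '\\';
            in += 4;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
}

/* Compiles the monitor expression as a POSIX ERE and tests the received
 * data against it. Returns 1 on match, 0 on no match, -1 when the pattern
 * does not compile. */
int monitor_matches(const char *expr_as_typed, const char *received) {
    char pattern[256];
    regex_t re;
    gtm_unescape(expr_as_typed, pattern, sizeof pattern);
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, received, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void) {
    /* Constructed sample of what an HTTP monitor might receive */
    const char *ok_banner  = "HTTP/ 1.1 200 OK";
    const char *odd_banner = "HTTP/ 1X1 200 OK";

    /* Escaped period: matches only a literal '.' */
    printf("HTTP/ 1\\x5C.1 vs ok : %d\n", monitor_matches("HTTP/ 1\\x5C.1", ok_banner));
    printf("HTTP/ 1\\x5C.1 vs odd: %d\n", monitor_matches("HTTP/ 1\\x5C.1", odd_banner));
    /* Unescaped period: '.' is the any-byte metacharacter, so both match */
    printf("HTTP/ 1.1     vs odd: %d\n", monitor_matches("HTTP/ 1.1", odd_banner));
    /* POSIX class must sit inside a bracket expression: [[:digit:]] */
    printf("[[:digit:]]{3}      : %d\n", monitor_matches("HTTP/ 1.1 [[:digit:]]{3}", ok_banner));
    /* Perl-style \d is not a POSIX ERE digit class and will not match digits */
    printf("\\d{3}               : %d\n", monitor_matches("HTTP/ 1.1 \\d{3}", ok_banner));
    return 0;
}
```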
516280-3 : bigd process uses a large percentage of CPU
Component: Local Traffic Manager
Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.
Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.
Impact:
bigd process uses a large percentage of CPU.
Workaround:
None.
516167-1 : TMSH listing with wildcards prevents the child object from being displayed
Solution Article: K21382264
Component: TMOS
Symptoms:
When the tmsh list command is run with an identifier that uses the wildcard match character (*), the results returned may not include the nested objects contained within the parent object.
For example, the list ltm pool* command will print all pools that begin with the word pool, but will fail to list the profiles that are within the pool.
Conditions:
tmsh list with a wildcard character specified for parent object.
Impact:
Details of nested objects are missing when tmsh list is invoked with the wildcard character (*) specified in the object identifier.
Workaround:
None.
513310-2 : TMM might core when a profile is changed.
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active one.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
505037 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
Solution Article: K01993279
Component: Local Traffic Manager
Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.
Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.
Impact:
Secondary in a restart loop.
Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.
499348-6 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge.
495443-8 : ECDH negotiation failures logged as critical errors.
Solution Article: K16621
Component: Local Traffic Manager
Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.
Conditions:
An SSL negotiation failure involving ECDH key agreement.
Impact:
Spurious critical error logs.
Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.
486735 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. The maximum connection statistic reports the sum of the per-TMM maximum connections, not the maximum connections for the virtual server as a whole.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
477992-4 : Instance-specific monitor logging fails for pool members created in iApps
Solution Article: K07450534
Component: Local Traffic Manager
Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.
Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.
Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.
Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.
477786 : Inconsistent behavior sending RST on self IP with Port Lockdown None
Component: Local Traffic Manager
Symptoms:
Depending on the release, sending a SYN packet to a self IP address with Port Lockdown set to Allow None might respond to the SYN with a RST packet, or might silently drop the SYN.
Conditions:
With Port Lockdown configured to Allow None, the LTM behaves differently upon receiving a SYN packet. In 11.2.1 HF16, 11.3.0 and 11.4.1, when receiving a SYN packet the LTM replies with RST.
In 11.4.0, and in all other versions of the BIG-IP software, when receiving a SYN packet the LTM does not reply (sends a REJECT).
Impact:
Inconsistent behavior based on version; sometimes RST in response to SYN on closed port, and sometimes nothing (REJECT). Because the traffic is not allowed in either case, there is no fundamental impact. This is primarily a behavioral difference between releases.
Workaround:
None.
469366-4 : ConfigSync might fail with modified system-supplied profiles
Solution Article: K16237
Component: TMOS
Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.
Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.
Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'
Workaround:
One of the following:
1. Manually replicate the changes to the base profile on the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsynced changes on the other system.
469035-1 : A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault
Solution Article: K16559
Component: TMOS
Symptoms:
If the configuration includes encrypted items (for example, an LDAP bind password) that are empty strings, a SecureVault rekey operation fails.
Conditions:
Empty string as encrypted configuration item. This might occur when using the tmsh command 'modify /sys crypto master-key', or during the introduction of a device into a Trust Domain.
Impact:
The rekey operation fails, and the system posts an error similar to the following: 01071029:5: master_decrypt failed during rekey. This might result in a ConfigSync failure.
Workaround:
Do not use empty strings as passwords. Alternately, remove the problematic configuration object (which may require changing system authentication to a different source), perform the rekey operation, and then recreate the configuration.
468505-1 : TMSH crypto commands do not work with the TMSH batch mode
Solution Article: K16177
Component: TMOS
Symptoms:
tmsh crypto commands will fail when executed in tmsh batch mode.
Conditions:
tmsh batch mode and 'sys crypto' commands.
Impact:
tmsh crypto commands will fail when executed in tmsh batch mode.
Workaround:
Run the tmsh 'sys crypto' commands outside of a 'cli transaction', i.e., not in batch mode.
464650-5 : Failure of mcpd with invalid authentication context.
Component: TMOS
Symptoms:
MCPd cores.
Conditions:
It is not known what triggers this core.
Impact:
mcpd restarts.
Workaround:
None.
463097-2 : Clock advanced messages with large amount of data maintained in DNS Express zones
Solution Article: K09247330
Component: Local Traffic Manager
Symptoms:
With a large amount of data maintained in DNS Express (DNSX) zones, the TMM can suffer from clock advances when performing the DB reload, and logs clock advanced messages.
Conditions:
Sufficiently large zones loaded into DNSX (several hundred thousand to several million records, depending on hardware).
Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.
Workaround:
Prevent all updates to DNSX zones.
462658 : FQDN Nodes: mcp validation check error msg verb tense: "Modify of ephemeral nodes not permitted"
Component: Local Traffic Manager
Symptoms:
When attempting to Enable, Disable, Force Offline, or Delete an ephemeral node, the UI returns an error:
01070734:3: Configuration error: Modify of ephemeral nodes is not permitted.
Conditions:
Enabling, disabling, forcing offline, or deleting an ephemeral node.
Impact:
There is no functional impact on the system. This is a cosmetic issue. The wording of the returned error message is more accurately reflected as 'Modification of ephemeral nodes...' or 'Modifying ephemeral nodes...'
Workaround:
None.
462043-3 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms
Component: Local Traffic Manager
Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', a packet's inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.
Conditions:
On 5000 and C2400 platforms.
Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.
Workaround:
None.
456376-6 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
Solution Article: K53153545
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.
Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.
Impact:
Cannot successfully specify an IPv4-mapped-IPv6 block to be configured in AFM firewall rule (and possibly other AFM configurations as well).
Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.
455066-3 : Read-only account can save system config
Component: TMOS
Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.
Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.
Impact:
Read-only users are able to run save sys config in tmsh.
Workaround:
None.
454640-1 : mcpd instances on secondary blades might restart on boot
Component: Local Traffic Manager
Symptoms:
Secondary blades' mcpd instances might restart on boot.
Conditions:
This might occur intermittently on VIPRION bladed systems or vCMP guests. This might be the result of a race condition between /config being synced between the blades and the mcpd process starting.
Impact:
The mcpd process restarts on secondary blades. The process eventually returns to normal, and the system finishes booting. The system posts messages similar to the following:
01071038:5: Secondaries couldn't load master key from the database.
01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present.
Workaround:
This issue has no workaround at this time.
452283-1 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
Component: Local Traffic Manager
Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.
Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.
Impact:
A connection remains that never expires; its idle time periodically resets to 0.
Workaround:
There is no workaround at this time.
449158 : Using an iRule nexthop to "vlan:mac address" does not forward the packet
Component: Local Traffic Manager
Symptoms:
iRule: nexthop to 'vlan:mac address' does not forward the packet.
Conditions:
HTTP request to a port 80 virtual server with a default pool and an iRule that specifies nexthop to a MAC address on the internal VLAN.
Impact:
Packet forwarding does not occur.
Workaround:
None.
447565-8 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Component: Access Policy Manager
Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.
Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.
Impact:
End users will be unable to connect.
Workaround:
Correct the problem by running the following command:
bigstart restart eca.
440572-1 : Empty X-WA-Surrogate header in WAM symmetric deployment
Component: WebAccelerator
Symptoms:
In WAM symmetric deployment, the X-WA-Surrogate header is used to communicate OWS lifetime values from the central device to the remote. In some cases, an empty X-WA-Surrogate header may be sent.
Conditions:
Occurs when central originates a 304 response when the original response from OWS does not contain cache-control headers.
Impact:
This occurs only when OWS sends no cache-control headers, so the remote still computes the correct lifetime, making the impact minimal.
Workaround:
None.
435419-2 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Solution Article: K10402225
Component: Access Policy Manager
Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.
Impact:
mcpd crashes, followed by multiple cores.
Workaround:
Upload the EPSEC file completely, and try the installation again.
428498 : TCP stalls in tagged vlan-group with unic
Component: TMOS
Symptoms:
1. Error in tmm log -
ifoutput(992): Invalid TSO type error
2. Performance degradation or traffic may not pass.
Conditions:
1. Guest vlan tagging is in use.
2. For fastL4 profile, tm.tcplargereceiveoffload DB variable set to enable.
Impact:
Performance degradation or traffic stall.
Workaround:
Use one of the following:
1. Use host vlan tagging instead of guest vlan tagging.
2. Set tm.tcplargereceiveoffload DB to disable.
For some synthetic NICs #2 may not work and #1 is preferable.
419345-1 : Changing Master Key on the standby might cause secondaries to restart processes
Component: TMOS
Symptoms:
Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes.
Conditions:
This occurs when you modify the master key on standby chassis.
Impact:
Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log.
Workaround:
Run the command bigstart restart on secondaries to return system functionality. In general, you should change master keys on the primary in the cluster.
417819-3 : APM - when Edge Clients, some JS contents are different causing warning
Solution Article: K69046914
Component: Access Policy Manager
Symptoms:
Intermittent JS Error in sesstimeout.js during access to full webtop by Edge Clients.
Conditions:
-- At least two different Edge Clients with User Agent strings based on Internet Explorer version 11 (IE11).
-- A version of IE earlier than IE11 is used to access the full webtop resource.
Impact:
If 'Display notification about all script errors' is enabled in IE (Internet Options :: Advanced tab) IE displays JS error messages. One client might encounter a JS Syntax error, depending on TMM count and APM RAMCACHE content.
Note: There is no impact on product functionality, because Edge Clients do not call JS code from sesstimeout.js. The error is cosmetic only and can be ignored.
Workaround:
Special APM resource assignment branch for standalone Edge Clients can be configured in VPE to access 'webtop-type network', (NA_only_webtop resource does not include /vdesk/sesstimeout.js and /vdesk/hometab.js).
396273-1 : Error message in dmesg and kern.log: vpd r/w failed
Component: TMOS
Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.
Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.
Impact:
This is a benign firmware message, and you can safely ignore it.
Workaround:
There is no workaround, but this is not a functional issue.
381258-7 : 'with' statement in web applications works wrong in some cases
Component: Access Policy Manager
Symptoms:
Web-application misbehavior (exception, wrong rendering, and so on).
Conditions:
If the JavaScript operator 'with' is used in web-application code and, after rewriting, 'F5_ScopeChain' is found within the 'with' statement in these contexts:
...F5_Inflate_xxxxx(F5_ScopeChain,...
...F5_Deflate_xxxxx(F5_ScopeChain,...
...F5_Invoke_xxxxx(F5_ScopeChain,...
then this issue can occur.
Impact:
Web-application functionality is affected.
Workaround:
As a workaround, an iRule can be used for changing an 'interesting' variable name within the function's body. No general iRule exists. For each case, a custom iRule must be created as workaround.
378967-12 : Users are not synchronized if created in a partition
Component: TMOS
Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.
Conditions:
There are users whose active partitions are attached to a sync-only device group.
Impact:
This affects sync-only device groups only, not the failover device group.
Workaround:
None.
375434 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
Component: TMOS
Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.
Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.
Impact:
The HSB is non-functional and requires reinitialization. Reinitialization occurs when the BIG-IP system reboots, and the reboot is triggered automatically when this condition occurs.
Workaround:
None.
307037-2 : Dynamic Resources Are Assigned But Not Accessible
Component: Access Policy Manager
Symptoms:
Resources appear assigned in session record but are not accessible by the client.
Conditions:
This issue occurs if the resources are assigned via Variable Assign agent.
Impact:
Resources are unavailable to client.
Workaround:
In the VPE, add a branch with a Resource Assign agent that is never reached. In that Resource Assign agent, assign all the resources that are referenced by the Variable Assign agent.
251162-2 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
Component: Local Traffic Manager
Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.
For example:
tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)
Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.
Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.
Workaround:
None.
248914-3 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
Solution Article: K00612197
Component: Local Traffic Manager
Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.
Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.
Impact:
This may cause destination lookup failures on the layer 2 network.
Workaround:
Use transparent mode instead of translucent mode on the vlangroup.
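To verify from a packet capture whether a reply shows the mismatch described above (ARP sender hardware address with the locally administered bit set, Ethernet source MAC with it clear), the following added Python check compares the two fields. This is example code, not F5's; the ARP reply it inspects is constructed inline, and the MAC addresses and IP addresses are made-up sample values.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(mac):
    """Render a 6-byte MAC as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in mac)


def is_locally_administered(mac):
    """The U/L bit is bit 1 (value 0x02) of the first octet of a MAC address."""
    return bool(mac[0] & 0x02)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42]
    )
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
        "sha": sha, "spa": spa, "tha": tha, "tpa": tpa,
    }


def check_arp_reply(frame):
    """Return a list of findings for an ARP reply whose frame header and
    ARP payload disagree about the sender MAC; empty list when consistent."""
    arp = parse_arp_frame(frame)
    findings = []
    if arp["oper"] != ARP_REPLY:
        return findings  # only replies are of interest for this issue
    if arp["sha"] != arp["eth_src"]:
        findings.append(
            f"ARP sender MAC {mac_str(arp['sha'])} != Ethernet source MAC "
            f"{mac_str(arp['eth_src'])}"
        )
    if is_locally_administered(arp["sha"]) != is_locally_administered(arp["eth_src"]):
        findings.append("U/L bit differs between ARP payload and frame header")
    return findings


def build_arp_reply(eth_src, sha, spa, tha, tpa):
    """Build a constructed ARP reply frame for testing (not a real capture)."""
    eth = struct.pack("!6s6sH", tha, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)
    return eth + arp


# Constructed sample values: a burned-in MAC and its locally administered twin.
BURNED_IN = bytes.fromhex("001122334455")
LOCAL_ADMIN = bytes.fromhex("021122334455")
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
SELF_IP = bytes([10, 1, 0, 30])
CLIENT_IP = bytes([10, 1, 0, 1])

# Reply as described in the issue: payload says locally administered, frame does not.
MISMATCHED_REPLY = build_arp_reply(BURNED_IN, LOCAL_ADMIN, SELF_IP, CLIENT_MAC, CLIENT_IP)
# Consistent reply: both fields carry the same address.
CONSISTENT_REPLY = build_arp_reply(LOCAL_ADMIN, LOCAL_ADMIN, SELF_IP, CLIENT_MAC, CLIENT_IP)

if __name__ == "__main__":
    for name, frame in (("mismatched", MISMATCHED_REPLY), ("consistent", CONSISTENT_REPLY)):
        print(name, check_arp_reply(frame) or "OK")
```

To run it against a real capture, feed each raw Ethernet frame (for example, one read with a pcap library) to check_arp_reply; a non-empty finding list on replies sourced from the vlangroup self IP or virtual address is the symptom described above.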
225492-2 : Ramcache might disallow valid cache configurations that are very near the limit.
Component: Local Traffic Manager
Symptoms:
Ramcache might disallow valid cache configurations that are very near the limit.
Conditions:
Configurations whose aggregate ramcache size exceeds the maximum value calculated by ramcache.
Impact:
The last cache is not initialized, because, by ramcache's calculation, it exceeds the maximum.
Workaround:
None.
224665-1 : Proxy Exclusion List setting is not aware of administrative partitions
Solution Article: K12711
Component: TMOS
Symptoms:
The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group.
Conditions:
Using VLAN groups and proxy exclusion.
Impact:
Results in issues for the VLAN group.
Workaround:
None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions, available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.
222690-1 : The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.
Solution Article: K10281
Component: Local Traffic Manager
Symptoms:
The persist none iRule command disables persistence for the current connection. If cookie persistence is enabled for a virtual server referencing an iRule, and the LB::reselect command is called after the persist none iRule command, cookie persistence is not disabled for the connection.
Conditions:
For example, the following configuration illustrates the issue:
pool default_pool {
    member 10.10.10.4:80 down session disable
}
pool fail_pool {
    member 10.10.10.5:80
}
rule fail_rule {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
}
virtual vs {
    destination 10.10.10.6:80
    ip protocol tcp
    profile http tcp
    persist cookie
    pool default_pool
    rule fail_rule
}
Impact:
In the example, the initial load balancing attempt to the default_pool pool will fail, since sessions are disabled for the pool member. The LB_FAILED iRule event will execute, which sets the persistence to none. In addition, the LB::reselect command will load balance the connection to the fail_pool pool. The connection to the pool member 10.10.10.5 will succeed, but the BIG-IP LTM will incorrectly place a persistence cookie in the response to the client.
Workaround:
You may be able to work around this issue by using the HTTP::cookie command in the HTTP_RESPONSE event to remove the BIG-IP cookie from the response before it is sent to the client.
For example, the following revised iRule removes the BIG-IP persistence cookie that would be set in the response when the fail_pool was selected:
rule fail_rule_no_cookie_for_you {
    when LB_FAILED {
        persist none
        LB::reselect pool fail_pool
    }
    when HTTP_RESPONSE {
        HTTP::cookie remove BIGipServerfail_pool
    }
}
Note: The HTTP_RESPONSE event is triggered after the BIG-IP LTM has added the persistence cookie to the HTTP headers.
Note: The default persistence cookie name is derived from the name of the pool to which the request was sent. For more information about the BIG-IP persistence cookie, refer to SOL6917: Overview of BIG-IP persistence cookie encoding.
The workaround has the added benefit of preserving any persistence information for the original load balancing pool should it again become available. If you want to completely remove the persistence cookie from the client, you can use the HTTP::cookie command in the HTTP_RESPONSE event to set an expired version of the BIG-IP cookie in the response before it is sent to the client.
222409-7 : The HTTP::path iRule command may return more information than expected
Solution Article: K9952
Component: Local Traffic Manager
Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.
The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:
GET /dir1/dir2/file.ext HTTP/1.1
In this example, the method token is GET, the request URI is /dir1/dir2/file.ext, and the protocol version is HTTP/1.1.
Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:
GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1
In this example, the method token is GET, the request URI is http://www.example.org:80/dir1/dir2/file.ext, and the protocol version is HTTP/1.1.
Impact:
The HTTP::path iRule command should return the following path value for both requests:
/dir1/dir2/file.ext
However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:
www.example.org:80/dir1/dir2/file.ext
Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.
Note: For more information about the HTTP::path iRule command, refer to HTTP::path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.
Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:
when HTTP_REQUEST {
    log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}
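The path extraction the workaround relies on, written out in Python as an added example so the two request-URI forms from RFC 2616 Section 5 can be tried offline. This is not F5's code and not the iRule above: request_path, split_path and parse_request_line are names chosen here, and split_path only models the behaviour the workaround gets from combining URI::path (directory part, ending in '/') with URI::basename (final segment). Beyond the two forms shown in the text, it also handles the asterisk form ('*') and an absent abs_path, which RFC 2616 Section 5.1.2 says must be treated as '/'.

```python
import re

# scheme "://" starts an absolute-form Request-URI (RFC 2616 Section 5.1.2)
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def request_path(request_uri):
    """Return only the abs_path of an HTTP/1.1 Request-URI, regardless of
    whether the client sent origin form (/dir1/...) or absolute form
    (http://host:port/dir1/...). Query and fragment are dropped."""
    if request_uri == "*":
        return "*"  # asterisk form (e.g. "OPTIONS *") carries no path
    rest = request_uri
    if SCHEME_RE.match(rest):
        # absolute form: strip scheme, then the authority (host[:port]),
        # which ends at the first '/', '?' or '#' or at end of string
        rest = SCHEME_RE.sub("", rest, count=1)
        cut = len(rest)
        for sep in "/?#":
            i = rest.find(sep)
            if i != -1 and i < cut:
                cut = i
        rest = rest[cut:]
    # drop query string and fragment from whatever remains
    for sep in "?#":
        i = rest.find(sep)
        if i != -1:
            rest = rest[:i]
    if not rest.startswith("/"):
        # RFC 2616 5.1.2: an absent abs_path MUST be given as "/".
        # (An authority-form URI, as used by CONNECT, also lands here.)
        return "/"
    return rest


def split_path(abs_path):
    """Split an abs_path into (directory part ending in '/', basename),
    modelled on the URI::path / URI::basename pair used in the workaround."""
    i = abs_path.rfind("/")
    return abs_path[: i + 1], abs_path[i + 1:]


def parse_request_line(line):
    """Split an HTTP request line into its method token, Request-URI and
    version, and add the extracted path."""
    method, uri, version = line.split(" ", 2)
    return {"method": method, "uri": uri, "version": version, "path": request_path(uri)}


if __name__ == "__main__":
    # The two request lines from the issue text (assumed HTTP/1.1 for both).
    for line in (
        "GET /dir1/dir2/file.ext HTTP/1.1",
        "GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1",
    ):
        r = parse_request_line(line)
        print(f"{r['uri']!r:55} -> {r['path']}  {split_path(r['path'])}")
```

Both request lines yield /dir1/dir2/file.ext, which is the value the text says HTTP::path should return in both cases.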
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/