Supplemental Document : BIG-IP 13.1.0.7 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 13.1.0

BIG-IP APM

  • 13.1.0

BIG-IP Link Controller

  • 13.1.0

BIG-IP Analytics

  • 13.1.0

BIG-IP LTM

  • 13.1.0

BIG-IP AFM

  • 13.1.0

BIG-IP PEM

  • 13.1.0

BIG-IP DNS

  • 13.1.0

BIG-IP FPS

  • 13.1.0

BIG-IP ASM

  • 13.1.0
Original Publication Date: 05/21/2018 Updated Date: 06/22/2020

BIG-IP Release Information

Version: 13.1.0.7
Build: 1.0

NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.

Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x

Functional Change Fixes

ID Number Severity Solution Article(s) Description
712429 1-Blocking   Serverside packets excluded from DoS stats


TMOS Fixes

ID Number Severity Solution Article(s) Description
716392-1 1-Blocking   Support for 24 vCMP guests on a single 4450 blade
707100 2-Critical   Potentially fail to create user in AzureStack
706688 2-Critical   Automatically add additional certificates to BIG-IP system in C2S and IC environments
709936 3-Major K38121141 Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
707585-1 3-Major   Use native driver for 82599 NICs instead of UNIC
703869 3-Major   Waagent updated to 2.2.21


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
713273 2-Critical   BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
715153-1 3-Major   AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
716746 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
712710 3-Major   TMM may halt and restart when threshold mode is set to stress-based mitigation


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
699103-1 3-Major   tmm continuously restarts after provisioning AFM



Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
709972-6 CVE-2017-12613 K52319810 CVE-2017-12613: APR Vulnerability
707186-1 CVE-2018-5514 K45320419 TMM may crash while processing HTTP/2 traffic
702232-1 CVE-2018-5517 K25573437 TMM may crash while processing FastL4 TCP traffic
693312-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
688516-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
589233-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
706176-1 CVE-2018-5512 K51754851 TMM crash can occur when using LRO
706086-3 CVE-2018-5515 K62750376 PAM RADIUS authentication subsystem hardening
688011-7 CVE-2018-5520 K02043709 Dig utility does not apply best practices
688009-7 CVE-2018-5519 K46121888 Appliance Mode TMSH hardening
632875-5 CVE-2018-5516 K37442533 Non-Administrator TMSH users no longer allowed to run dig


Functional Change Fixes

ID Number Severity Solution Article(s) Description
708389 3-Major   BADOS monitoring with Grafana requires admin privilege
680850-2 3-Major K48342409 Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.


TMOS Fixes

ID Number Severity Solution Article(s) Description
694897-2 1-Blocking   Unsupported Copper SFP can trigger a crash on i4x00 platforms.
710314-1 2-Critical   TMM may crash while processing HTML traffic
708054-1 2-Critical   Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-1 2-Critical   bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
706087 2-Critical   Entry for SSL key replaced by config-sync causes tmsh load config to fail
703761-2 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode
696113-3 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
692683-1 2-Critical   Core with /usr/bin/tmm.debug at qa_device_mgr_uninit
690793-1 2-Critical   TMM may crash and dump core due to improper connflow tracking
689577-3 2-Critical K45800333 ospf6d may crash when processing specific LSAs
688911-1 2-Critical K94296004 LTM Policy GUI incorrectly shows conditions with datagroups
563661-1 2-Critical   Datastor may crash
704282-2 3-Major   TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
703298-2 3-Major   Licensing and phonehome_upload are not using the sync'd key/certificate
701626-2 3-Major   GUI resets custom Certificate Key Chain in child client SSL profile
698429-1 3-Major   Misleading log error message: Store Read invalid store addr 0x3800, len 10
693964-1 3-Major   Qkview utility may generate invalid XML in files contained in Qkview
691497-2 3-Major   tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
691210-1 3-Major   Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.
687353-1 3-Major K35595105 Qkview truncates tmstat snapshot files
677088-2 3-Major   Qkview does not follow current best practices
631316-2 3-Major K62532020 Unable to load config with client-SSL profile error
514703-3 4-Minor   gtm listener cannot be listed across partitions


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
709334-1 2-Critical   Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-1 2-Critical   TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-1 2-Critical   Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707246-1 2-Critical   TMM would crash if SSL Client profile could not load cert-key-chain successfully
706631-2 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-2 2-Critical   The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-1 2-Critical   memory corruption can occur when using certain certificates
704435-1 2-Critical   Client connection may hang when NTLM and OneConnect profiles used together
703914-2 2-Critical   TMM SIGSEGV crash in poolmbr_conn_dec.
703191-2 2-Critical   HTTP2 requests may contain invalid headers when sent to servers
701244-1 2-Critical   An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT
701202-3 2-Critical   SSL memory corruption
700393-3 2-Critical   Under certain circumstances a stale http2 stream can cause a tmm crash
697259-2 2-Critical K14023450 Different versioned vCMP guests on the same chassis may crash.
694656-1 2-Critical K05186205 Routing changes may cause TMM to restart
686228-1 2-Critical   TMM may crash in some circumstances with VLAN failsafe
680074-2 2-Critical K09225420 TMM crashes when serverssl cannot provide certificate to backend server.
667770-1 2-Critical K12472293 SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore
648320-5 2-Critical K38159538 Downloading via APM tunnels could experience performance downgrade.
708653-1 3-Major   TMM may crash while processing TCP traffic
705794-2 3-Major   Under certain circumstances a stale http2 stream can cause a tmm crash
703940-2 3-Major   Malformed HTTP/2 frame consumes excessive system resources
701147-2 3-Major K36563645 ProxySSL does not work properly with Extended Master Secret and OCSP
700057-4 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
699346-3 3-Major   NetHSM capacity reduces when handling errors
693910-4 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693244-2 3-Major   BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
690042-1 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689561-1 3-Major   HTTPS request hangs when multiple virtual https servers shares the same ip address
686972-4 3-Major   The change of APM log settings will reset the SSL session cache.
686305-1 3-Major   TMM may crash while processing SSL forward proxy traffic
685615-4 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
677525-2 3-Major K06831814 Translucent VLAN group may use unexpected source MAC address
663821-1 3-Major K41344010 SNAT Stats may not include port FTP traffic
653976-4 3-Major K00610259 SSL handshake fails if server certificate contains multiple CommonNames
594751-1 3-Major K90535529 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
710424-2 2-Critical K00874337 Possible SIGSEGV in GTMD when GTM persistence is enabled.
678861-1 2-Critical K00426059 DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
711011-2 3-Major   'API Security' security policy template changes
683241-1 3-Major K70517410 Improve CSRF token handling


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
710947-1 2-Critical   AVR does not send errdef for entity DosIpLogReporting.
710110-1 2-Critical   AVR does not publish DNS statistics to external log when usr-offbox is enabled.
711929-1 3-Major   AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679221-2 1-Blocking   APMD may generate core file or appears locked up after APM configuration changed
708005-1 2-Critical   Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
703208-1 2-Critical   PingAccessAgent causes TMM core
702278-2 2-Critical   Potential XSS security exposure on APM logon page.
700522-1 2-Critical   APMD restarts when worker threads are stuck
700090-2 2-Critical   tmm crash during execution of a per-request policy when modified during execution.
699686-1 2-Critical   localdbmgr crash
697452-1 2-Critical   Websso crashes because of bad argument in logging
712924-1 3-Major   In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
703793-3 3-Major   tmm restarts when using ACCESS::perflow get' in certain events
703171-1 3-Major   High CPU usage for apmd, localdbmgr and oauth processes
702487-3 3-Major   AD/LDAP admins with spaces in names are not supported
684937-3 3-Major   [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-3 3-Major   [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
681415-3 3-Major   Copying of profile with advanced customization or images might fail
678427-1 3-Major K03138339 Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice
675775-4 3-Major   TMM crashes inside dynamic ACL building session db callback
671597-3 3-Major   Import, export, copy and delete is taking too long on 1000 entries policy
673717-3 4-Minor   VPE loading times can be very long


Service Provider Fixes

ID Number Severity Solution Article(s) Description
701889-1 2-Critical   Setting log.ivs.level to informational causes crash
679114-4 3-Major K92585400 Persistence record expires early if an error is returned for a BYE command


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
710870 2-Critical   Temporary browser challenge failure after installing older ASU
708888-1 2-Critical K79814103 Some DNS truncated responses may not be processed by BIG-IP
667353 2-Critical   Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
702705-2 2-Critical   Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile
699531-1 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-1 2-Critical   TMM core may be seen when using Application reporting with flow filter in PEM
711093-1 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-3 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-1 3-Major   Increase PEM HSL reporting buffer size to 4K.
677494-1 3-Major   Flow filter with Periodic content insertion action could leak insert content record
677148-1 3-Major   Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific
676346-2 3-Major   PEM displays incorrect policy action counters when the gate status is disabled.
648802-1 3-Major   Required custom AVPs are not included in an RAA when reporting an error.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
710701-1 3-Major   "Application Layer Encryption" option is not saved in DataSafe GUI
709319-2 3-Major   Post-login client-side alerts are missing username in bigIQ
706835 3-Major   When cloning a profile, URL parameters are not shown
706771-1 3-Major   FPS ajax-mapping property may be set even when it should be blocked
706651-1 3-Major   Cloning URL does not clone "Description" field
706276-1 4-Minor   Unnecessary pop-up appears


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
714369 2-Critical   ADM may fail when processing HTTP traffic
714350 2-Critical   BADOS mitigation may fail


Device Management Fixes

ID Number Severity Solution Article(s) Description
708305-2 3-Major   Discover task may get stuck in CHECK_IS_ACTIVE step
705593-5 4-Minor   CVE-2015-7940: Bouncy Castle Java Vulnerability



Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release


Functional Change Fixes

None


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
708189 4-Minor   OAuth Discovery Auto Pilot is implemented


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
708840 3-Major   13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured



Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
700556-1 CVE-2018-5504 K11718033 TMM may crash when processing WebSockets data
699012-1 CVE-2018-5502 K43121447 TMM may crash when processing SSL/TLS data
698080-3 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
691504-1 CVE-2018-5503 K54562183 PEM content insertion in a compressed response may cause a crash.
701447-1 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
701445-1 CVE-2017-5753
CVE-2017-9074
CVE-2017-7542
CVE-2017-11176
K91229003 CVE-2017-5753 (Spectre Variant 1)
701359-4 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
699451-3 CVE-2018-5511 K30500703 OAuth reports do not follow best practices
640766-2 CVE-2016-10088
CVE-2016-9576
K05513373 Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576


Functional Change Fixes

ID Number Severity Solution Article(s) Description
686389-1 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
678524-1 3-Major   Join FF02::2 multicast group when router-advertisement is configured
693007-1 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
700315-2 1-Blocking K26130444 Ctrl+C does not terminate TShark
667148-3 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
706998-3 2-Critical   Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication
692890-3 2-Critical   Adding support for BIG-IP 800 in 13.1.x
685458-7 2-Critical   merged fails merging a table when a table row has incomplete keys defined.
665354-1 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
703848-1 3-Major   Possible memory leak when reusing statistics rows in tables
702520-2 3-Major   Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
694740-3 3-Major   BIG-IP reboot during a TMM core results in an incomplete core dump
692753-1 3-Major   shutting down trap not sent when shutdown -r or shutdown -h issued from shell
689691-2 3-Major   iStats line length greater than 4032 bytes results in corrupted statistics or merge errors
686029-2 3-Major K00026204 A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
669462-2 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
589083-6 3-Major K46205123 TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
699281-1 4-Minor   Version format of hypervisor bundle matches Version format of ISO
685475-1 4-Minor K93145012 Unexpected error when applying hotfix


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
706534-1 1-Blocking   L7 connection mirroring may not be fully mirrored on standby BigIP
698424-1 1-Blocking K11906514 Traffic over a QinQ VLAN (double tagged) will not pass
700862-1 2-Critical K15130240 tmm SIGFPE 'valid node'
699298-2 2-Critical K83285053 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
698461-1 2-Critical   tmm may crash in fastl4 TCP
692970-2 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
691095-1 2-Critical   CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes
687635-1 2-Critical   Tmm becomes unresponsive and might restart
687205-2 2-Critical   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
681175-3 2-Critical K32153360 TMM may crash during routing updates
674576-3 2-Critical   Outage may occur with VIP-VIP configurations
452283-5 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
440620-1 2-Critical   New connections may be reset when a client reuses the same port as it used for a recently closed connection
704073-1 3-Major K24233427 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
702439 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
698916-1 3-Major   TMM crash with HTTP/2 under specific condition
698379-2 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
698000-3 3-Major K04473510 Connections may stop passing traffic after a route update
695901-1 3-Major   TMM may crash when processing ProxySSL data
695707-5 3-Major   BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
691806-1 3-Major   RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
689449-1 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
688571-2 3-Major K40332712 Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
688570-5 3-Major   BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
686307-3 3-Major   Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-2 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
682104-3 3-Major   HTTP PSM leaks memory when looking up evasion descriptions
680264-2 3-Major K18653445 HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
677666-2 3-Major K60909141 /var/tmstat/blades/scripts segment grows in size.
676457-5 3-Major   TMM may consume excessive resource when processing compressed data
664528-2 3-Major K53282793 SSL record can be larger than maximum fragment size (16384 bytes)
251162-1 3-Major   The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
685467-1 4-Minor K12933087 Certain header manipulations in HTTP profile may result in losing connection.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
699135-1 2-Critical   tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
692941-1 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
691287-1 2-Critical   tmm crashes on iRule with GTM pool command
682335-1 2-Critical   TMM can establish multiple connections to the same gtmd
580537-3 2-Critical   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-5 2-Critical K55736054 Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
703702 3-Major   Fixed iControl REST not listing GTM Listeners
700527-3 3-Major   cmp-hash change can hang iRule DNS lookup
699339-3 3-Major K24634702 Geolocation upgrade files fail to replicate to secondary blades
696808-1 3-Major K35353213 Disabling a single pool member removes all GTM persistence records
691498-3 3-Major   Connection failure during iRule DNS lookup can crash TMM
690166-1 3-Major   ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
687128-1 3-Major   gtm::host iRule validation for ipv4 and ipv6 addresses
680069-1 3-Major   zxfrd core during transfer while network failure and DNS server removed from DNS zone config
679149-1 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
667469-3 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
636997-1 4-Minor   big3d may crash
636994-1 4-Minor   big3d may crash
636992-1 4-Minor   big3d may crash
636986-1 4-Minor   big3d may crash
636982-1 4-Minor   big3d may crash


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
705774-1 3-Major   Add a set of disallowed file types to RDP template
703833-1 3-Major   Some bot detected features might not work as expected on Single Page Applications
702946-3 3-Major   Added option to reset staging period for signatures
701841-2 3-Major   Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
701327-2 3-Major   failed configuration deletion may cause unwanted bd exit
700812-1 3-Major   asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
700726-2 3-Major   Search engine list was updated
698919-3 3-Major   Anti virus false positive detection on long XML uploads
697756-1 3-Major   Policy with CSRF URL parameter cannot be imported as binary policy file
697303-1 3-Major   BD crash
696265-5 3-Major   BD crash
696073-2 3-Major   BD core on a specific scenario
695563-1 3-Major   Improve speed of ASM initialization on first startup
694922-5 3-Major   ASM Auto-Sync Device Group Does Not Sync
691477-2 3-Major   ASM standby unit showing future date and high version count for ASM Device Group
679384-3 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
678293-2 3-Major K25066531 Uncleaned policy history files cause /var disk exhaustion
665992-2 3-Major K40510140 Live Update via Proxy No Longer Works
608988-1 3-Major   Error when deleting multiple ASM Policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
703233 3-Major   Some filters don't work in Security->Reporting->URL Latencies page


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
707676-1 2-Critical   memory leak in Machine Certificate Check agent of the apmd process
700724-2 2-Critical   Client connection with large number of HTTP requests may cause tmm to restart
692557-1 2-Critical   When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
690116-1 2-Critical   websso might crash when logging set to debug
689591-2 2-Critical   When pingaccess SDK processes certain POST requests from the client, the TMM may restart
677368-2 2-Critical   Websso crash due to uninitialized member in websso context object while processing a log message
631286-3 2-Critical   URI cache entries should be replaced /expired for euie hash table
704580-1 3-Major   apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
703429-2 3-Major   Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
702263-1 3-Major   An access profile with large number of SAML Resources (>200) causes APM error ERR_TOOBIG while loading.
702222-1 3-Major   RADIUS and SecurID Auth fails with empty password
701740-1 3-Major   apmd leaks memory when updating Access V2 policy
701737-1 3-Major   apmd may leak memory on destroying kerberos cache
701736-1 3-Major   memory leak in Machine Certificate Check agent of the apmd process
701639-1 3-Major   Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.
697636-3 3-Major   ACCESS is not replacing headers while replacing POST body
695953-1 3-Major   Custom URL Filter object is missing after load sys config TMSH command
694624-1 3-Major   SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
693844-1 3-Major   APMD may restart continuously and cannot come up
692307-3 3-Major   User with 'operator' role may not be able to view some session variables
687937-1 3-Major   RDP URIs generated by APM Webtop are not properly encoded
685862-1 3-Major   BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
684583-1 3-Major   Buitin Okta Scopes Request object uses client -id and client-secret
684325-1 3-Major   APMD Memory leak when applying a specific access profile
683389-3 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
683297-2 3-Major   Portal Access may use incorrect back-end for resources referenced by CSS
682500-2 3-Major K03903649 VDI Profile and Storefront Portal Access resource do not work together
678851-3 3-Major   Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
675866-4 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
671627-3 3-Major K06424790 HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
632646-1 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629334-1 3-Major   Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly
612792-1 3-Major   Support RDP redirection for connections launched from APM Webtop on iOS
612118-2 3-Major   Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
536831-1 3-Major   APM PAM module does not handle local-only users list correctly
699455-4 4-Minor   SAML export does not follow best practices


Service Provider Fixes

ID Number Severity Solution Article(s) Description
698338-1 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
689343-2 2-Critical   Diameter persistence entries with bi-directional flag created with 10 sec timeout
685708-4 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
700571-4 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-1 3-Major K55660303 High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
674747-4 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
656901-3 3-Major   MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
704207-1 2-Critical   DNS query name is not showing up in DNS AVR reporting
703517 2-Critical K23520761 TMM may crash when processing TCP DNS traffic
692328-1 2-Critical   Tmm core due to incorrect memory allocation
705161-1 3-Major K23520761 TMM may crash when processing TCP DNS traffic
703959 3-Major   Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI
693780-1 3-Major   Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
693663-1 3-Major   Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
631418-1 3-Major   Packets dropped by HW grey list may not be counted toward AVR.


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
696383-1 2-Critical   PEM Diameter incomplete flow crashes when sweeped
694717-1 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-1 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-1 3-Major   PEM Diameter incomplete flow crashes when TCL resumed
695968-1 3-Major   Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-1 3-Major   CCA without a request type AVP cannot be tracked in PEM.
694318-1 3-Major   PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-1 3-Major   PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-1 3-Major   Potential memory leak if PEM Diameter sessions are not created successfully.
642068-4 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
624231-4 3-Major   No flow control when using content-insertion with compression
680729-1 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
697363-1 2-Critical   FPS should forward all XFF header values
705559-1 3-Major   FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
662311-1 3-Major   CS alerts should contain actual client IP address in XFF header


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
671716-1 3-Major   UCS version check was too strict for IPS hitless upgrade



Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
660239-6 4-Minor   When accessing the dashboard, invalid HTTP headers may be present


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
677919-4 3-Major   Enhanced Data Manipulation AJAX Support



Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
681955-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 K23565223 Apache CVE-2017-9788
673595-9 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167
694274-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223 [RHSA-2017:3195-01] Important: httpd security update - EL6.7
673607-9 CVE-2017-3169 K83043359 Apache CVE-2017-3169
672667-6 CVE-2017-7679 K75429050 CVE-2017-7679: Apache vulnerability
641101-7 CVE-2016-8743 K00373024 httpd security and bug fix update CVE-2016-8743
684033-3 CVE-2017-9798 K70084351 CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
661939-2 CVE-2017-2647 K32115847 Linux kernel vulnerability CVE-2017-2647


Functional Change Fixes

ID Number Severity Solution Article(s) Description
685056 3-Major   VE OVAs is not the supported platform to run VMware guest OS customization
670103-1 3-Major   No way to query logins to BIG-IP in TMUI


TMOS Fixes

ID Number Severity Solution Article(s) Description
693979 3-Major   Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document
683131-1 3-Major   Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present
682213-1 3-Major K31623549 TLS v1.2 support in IP reputation daemon
669585-1 3-Major   The tmsh sys log filter is unable to display information in uncompressed log files.
668826-1 3-Major   File named /root/.ssh/bigip.a.k.bak is present but should not be
668276-1 3-Major   BIG-IP does not display failed login attempts since last login in GUI
668273-1 3-Major K12541531 Logout button not available in Configuration Utility when using Client Cert LDAP
471237-4 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
699624-1 2-Critical   Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade
463097-5 3-Major K09247330 Clock advanced messages with large amount of data maintained in DNS Express zones


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
672504-2 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
667542-6 2-Critical   DNS Express does not correctly process multi-message DNS IXFR updates.
645615-6 2-Critical K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
655233-2 3-Major K93338593 DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-2 3-Major K57853542 DNS Express responses missing SOA record in NoData responses if CNAMEs present
646615-2 4-Minor   Improved default storage size for DNS Express database


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
699720-1 2-Critical   ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-5 2-Critical K02515009 Rare BD crash in a specific scenario
686108-1 2-Critical   User gets blocking page instead of captcha during brute force attack
684312-1 2-Critical K54140729 During Apply Policy action, bd agent crashes, causing the machine to go Offline
698940-1 3-Major   Add new security policy template for API driven systems - "API Security"
690883-1 3-Major   BIG-IQ: Changing learning mode for elements does not always take effect
686517-2 3-Major   Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
686470-1 3-Major   Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.
686452-1 3-Major   File Content Detection Formats are not exported in Policy XML
685964-1 3-Major   cs_qualified_urls bigdb does not cause configured URLs to be qualified.
685771-1 3-Major   Policies cannot be created with SAP, OWA, or SharePoint templates
685207-1 3-Major   DoS client side challenge does not encode the Referer header.
685164-1 3-Major K34646484 In partitions with default route domain != 0 request log is not showing requests
683508-1 3-Major   WebSockets: umu memory leak of binary frames when remote logger is configured
680353-1 3-Major   Brute force sourced based mitigation is not working as expected
674494-4 3-Major K77993010 BD memory leak on specific configuration and specific traffic
668184-2 3-Major   Huge values are shown in the AVR statistics for ASM violations
694073-3 4-Minor   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
685193-1 4-Minor   If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
679861 1-Blocking   Weak Access Restrictions on the AVR Reporting Interface
697421 3-Major   Monpd core when trying to restart
688813-2 3-Major K23345645 Some ASM tables can massively grow in size.
686510-1 3-Major   If tmm was restarted during an attack, the attach might appear neverending in GUI
683474 3-Major   The case-sensitive problem during comparison of 2 Virtual Servers
679088-1 3-Major   Avr reporting and analytics does not display statistics of many source regions


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
684852-1 2-Critical   Obfuscator not producing deterministic output
692123 3-Major   GET parameter is grayed out if MobileSafe is not licensed


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
700320 2-Critical   tmm core under stress when BADOS configured and attack signatures enabled
691462-1 3-Major   Bad actors detection might not work when signature mitigation blocks bad traffic
687987 3-Major   Presentation of signatures in human-readable format
687986 3-Major   High CPU consumption during signature generation, not limited number of signatures per virtual server
687984 3-Major   Attacks with randomization of HTTP headers parameters generates too many signatures


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
698396-1 2-Critical   Config load failed after upgrade from 12.1.2 to 13.x or 14.x



Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
686190-1 2-Critical   LRO performance impact with BWC and FastL4 virtual server
667173-1 2-Critical   13.1.0 cannot join a device group with 13.1.0.1


Performance Fixes

ID Number Severity Solution Article(s) Description
685628-1 1-Blocking   Performance regression on B4450 blade
673832-1 1-Blocking   Performance impact for certain platforms after upgrading to 13.1.0.
696525-1 2-Critical   B2250 blades experience degraded performance.

 

Cumulative fix details for BIG-IP v13.1.0.7 that are included in this release

716746 : Possible tmm restart when disabling single endpoint vector while attack is ongoing

Component: Advanced Firewall Manager

Symptoms:
tmm restarts.

Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.

Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.

Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.

Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.

Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.


716392-1 : Support for 24 vCMP guests on a single 4450 blade

Component: TMOS

Symptoms:
Cannot create more than 12 vCMP guests per blade.

Conditions:
-- Using vCMP.
-- VIPRION blades.

Impact:
Cannot configure more than 12 vCMP guests.

Workaround:
None.

Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.


715153-1 : AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem

Component: Application Visibility and Reporting

Symptoms:
-- The folder /var/avr/loader contains many files (e.g., more than 1500 files).
-- monpd is not running.

Conditions:
This occurs when the following conditions are met:
-- Avrd is running.
-- monpd is down.

Impact:
AVR write many files to /var/avr/loader. Depending on disk usage, this might cause disk-usage problems.

Workaround:
There are two possible workaround:
-- Restart monpd. When monpd starts up, it deletes the files under /var/avr/loader.
-- Delete all files under /var/avr/loader.

Fix:
There is now a limit for the /var/avr/loader folder, so that it can contain no more than 1100 files. This prevents disk-usage problems.


714369 : ADM may fail when processing HTTP traffic

Component: Anomaly Detection Services

Symptoms:
Under certain conditions, ADM may fail when processing HTTP traffic

Conditions:
ASM enabled

Impact:
ADM does not function as intended

Fix:
ADM processes HTTP traffic as expected


714350 : BADOS mitigation may fail

Component: Anomaly Detection Services

Symptoms:
Under certain conditions BADOS mitigation may fail

Conditions:
BADOS enabled

Impact:
BADOS does not function as intended =

Fix:
BADOS now functions as intended


713273 : BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system reset, a modified setting for the BIG-IP sys db variable avr.stats.internal.maxentitiespertable returns to the default value.

Conditions:
1. avr.stats.internal.maxentitiespertable value is modified from the default.
2. The BIG-IP system restarts.

Impact:
avr.stats.internal.maxentitiespertable returns to its default value.

Workaround:
After BIG-IP system reset, specify the value of avr.stats.internal.maxentitiespertable again.

Fix:
A modified avr.stats.internal.maxentitiespertable value no longer returns to the default value after BIG-IP system restart.


712924-1 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue

Component: Access Policy Manager

Symptoms:
In VPE SecurID servers list are not being displayed in SecurID authentication dialogue. List is displaying only None.

Conditions:
Always when adding SecureID authentication action.

Impact:
Inability to (re)configure SecureId via VPE.

Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:

tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>


712710 : TMM may halt and restart when threshold mode is set to stress-based mitigation

Component: Advanced Firewall Manager

Symptoms:
When auto-DoS vector's threshold mode is set to stress-based mitigation, but the vector is in disabled state, TMM may halt and restart.

Conditions:
-- Threshold mode is set to stress-based mitigation.
-- Vector is disabled.

Impact:
TMM restarts. Traffic disrupted while TMM restarts.

Workaround:
There is no workaround other than not setting threshold mode to stress-based mitigation if the vector is disabled.

Fix:
TMM no longer restarts when threshold mode is set to stress-based mitigation and the vector is in disabled state.


712429 : Serverside packets excluded from DoS stats

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems configured with L4 DoS Protection might not provide sufficiently granular DDoS detection and mitigation to ensure that legitimate traffic is not impacted.

Conditions:
Configured for DDoS detection and mitigation.

Impact:
Legitimate traffic might be impacted.

Workaround:
None.

Fix:
The following DoS vectors no longer count serverside packets.

-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors

Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.

These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.

Behavior Change:
The following DoS vectors no longer count serverside packets.

-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors

Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.

These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.


711929-1 : AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth

Component: Application Visibility and Reporting

Symptoms:
AVR sends data on all interfaces, hidden and not hidden. It should send information only on not-hidden interfaces.

Conditions:
-- Tmstat table interface_stat exists.
-- Viewing statistics for module InterfaceTraffic and module InterfaceHealth.

Impact:
Irrelevant data is sent.

Workaround:
None.

Fix:
AVR now sends data only on not-hidden interfaces.


711093-1 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.

Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete


711011-2 : 'API Security' security policy template changes

Component: Application Security Manager

Symptoms:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template should be 'ON' by default.

Conditions:
Learn/Alarm/Block settings in 'API Security' security policy template.

Impact:
Settings not active.

Workaround:
None.

Fix:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template are now 'ON' by default.


710947-1 : AVR does not send errdef for entity DosIpLogReporting.

Component: Application Visibility and Reporting

Symptoms:
AVR does not send errdef for entity DosIpLogReporting.

Conditions:
-- AVR configured.
-- Viewing DosIpLogReporting report.

Impact:
There is no errdef for module DosIpLogReporting

Workaround:
None.

Fix:
Added errdef for module DosIpLogReporting.


710870 : Temporary browser challenge failure after installing older ASU

Component: Advanced Firewall Manager

Symptoms:
After installing an older ASM Signature Update (ASU) may cause the browser challenge to fail for the first few minutes after provisioning ASM.

Conditions:
-- Using BIG-IP version 13.1.0.5.
-- Installing an ASU from before April 2018.

Impact:
Browsers remain on whitepage after receiving a browser challenge.

Note: The problem should go away after 10-to-15 minutes of provisioning ASM, when more versions of JavaScript are generated.

Workaround:
Install the latest ASU.

Fix:
The browser challenges will succeed even after installing an older ASU.


710701-1 : "Application Layer Encryption" option is not saved in DataSafe GUI

Component: Fraud Protection Services

Symptoms:
"Application Layer Encryption" checkbox will remain enabled if un-checked via DataSafe GUI and will not be saved.

Conditions:
- Install DataSafe license
- Provision FPS
- Create URL

Impact:
Cannot enable/disable "Application Layer Encryption" via DataSafe GUI.

Workaround:
Application Layer Encryption can be enabled or disabled via TMSH command line or REST API.

Fix:
"Application Layer Encryption" option is saved if changed via DataSafe GUI.


710424-2 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Solution Article: K00874337

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.

Conditions:
GTM persistence is enabled.

Impact:
GTMD may occasionally restart.

Workaround:
Disable GTM persistence.

Fix:
GTMD will no longer crash and restart when persistence is enabled.


710314-1 : TMM may crash while processing HTML traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing HTML traffic

Conditions:
HTML profile enabled

Impact:
TMM may crash, leading to a failover event

Fix:
TMM now processes HTML traffic as expected


710110-1 : AVR does not publish DNS statistics to external log when usr-offbox is enabled.

Component: Application Visibility and Reporting

Symptoms:
AVR does not send DNS statistics to external logs when analytics global setting usr-offbox is enabled, if the following security analytics settings are set to disable:
-- collected-stats-internal-logging.
-- collected-stats-external-logging.

Conditions:
-- Security analytics settings collected-stats-internal-logging is disabled.
-- Security analytics settings collected-stats-external-logging is disabled.
-- Analytics global settings usr-offbox is enabled.

Impact:
DNS statistic are not sent to external log.

Workaround:
To work around this issue, perform the following procedure:
1. Provision ASM or AFM.
2. Run the tmsh command to set to enabled the security analytics setting collected-stats-external-logging.
2. Deprovision ASM/AFM.

Fix:
AVR now publishes DNS statistics to external logs when usr-offbox is enabled, as expected.


709972-6 : CVE-2017-12613: APR Vulnerability

Solution Article: K52319810


709936 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.

Solution Article: K38121141

Component: TMOS

Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).

Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).

Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.

Workaround:
None.

Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.


709610-3 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}

-- Actions occur in the following order:
 1. PEM receives RADIUS START with subscriber ID1 and IP1.
 2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
 3. PEM receives RADIUS START with subscriber ID1 and IP2.
 4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.

Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.


709334-1 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

Component: Local Traffic Manager

Symptoms:
When looking at tmsh show sys memory you will see
ssl_compat continue to grow and fails to release memory.

Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening

Impact:
Eventually memory reaper will kick in.

Workaround:
There is no workaround at this time.

Fix:
ssl_compat now properly releases connections on re-negotiation.


709319-2 : Post-login client-side alerts are missing username in bigIQ

Component: Fraud Protection Services

Symptoms:
A client-side alert that contains a FPS-Username header with a value, but an empty fpm_username parameter - will be reported with "Unknown" username in bigIQ.

Conditions:
1. post login (alert is sent after submitting username parameter) client side alerts
2. alert-pool points to bigIQ IP (not Alert-Server)

Impact:
Post login client side alerts are missing username (will show as "Unknown" in bigIQ, works well with Alert-Server).

Workaround:
Route all client-side alerts to another virtual server and strip of the empty fpm_username parameter from payload/query-string.

Fix:
FPS will always send username in the fpm_username parameter in case it was empty and FPS has username value.


708888-1 : Some DNS truncated responses may not be processed by BIG-IP

Solution Article: K79814103

Component: Advanced Firewall Manager

Symptoms:
On 13.1.x DNS responses with truncated bit set are dropped when AFM DNS DoS is enabled.

Conditions:
-- AFM DNS DoS is enabled.
-- Using 13.1.x.

Impact:
Clients do not receive truncated DNS responses.

Workaround:
Disable DNS DoS protection by changing the dos.dnsport variable to another port for which there is no valid traffic. For instance:

tmsh modify sys db dos.dnsport value 54


708840 : 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured

Component: Advanced Firewall Manager

Symptoms:
Upgrading from 13.0.0 to 13.1.0 on VIPRION 2250 blades might fail if global whitelist is configured. After the upgrade, the system will stay offline.

Conditions:
-- Global whitelist configured.
-- Running on VIPRION 2250 blades.

Impact:
System fails to run normally.

Workaround:
Remove global whitelist before upgrading to 13.1.0, add it back after upgrading.

Fix:
This issue no longer occurs in fixed versions, so you can upgrade from 13.0.0 to a post-13.1.0 version of the software without encountering this issue.


708653-1 : TMM may crash while processing TCP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing TCP traffic

Conditions:
TCP profile enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes TCP traffic as expected


708389 : BADOS monitoring with Grafana requires admin privilege

Component: Anomaly Detection Services

Symptoms:
Current Grafana monitoring requires admin privilege.
Grafana stores its internal database in unencrypted format, so the admin password can be extracted from a compromised computer.

Conditions:
Monitoring using Grafana.

Impact:
Guest user cannot access data needed for Grafana.

Workaround:
None.

Fix:
There is now a REST call to pool the Grafana statistics. This allows any user (including guest), not just admin or root, to access data needed for Grafana.

Behavior Change:
This release introduces the following tmsh commands:
-- tmsh run util admdb - for help
   + list-element path_folder - lists folder
   + view-element path_file - view file contents
   + list-metrics path vs
   + table-query base_path db sRate tsfiles ts metric_columns_aliases

The path must be under /shared/admdb, for example:

-- run util admdb list-element /shared/admdb/default/_a_l_l

-- run util admdb view-element /shared/admdb/default/_a_l_l/info.sysinfo/1000/1522229248000.txt

-- run util admdb table-query /shared/admdb default 1000 '[1522233344000]' '[1522234774492,1522235074492]' '[["info.attack",["v0"],"Attack"],["sig.health",["v0"],"Health"],["info.learning",["v0"],"Learning"],["info.learning",["v2"],"Learned samples"]]'


708305-2 : Discover task may get stuck in CHECK_IS_ACTIVE step

Component: Device Management

Symptoms:
The discover tasks is running periodically after user creates the task. But it may get stuck in the middle steps and fail to run periodically.

Conditions:
When HA failover group is set up and a discover task is created on one of the devices.

Impact:
The discover task will periodically pull the OpenID information and update oauth jwt and jwk configurations in MCP. If the task sticks, the jwt and jwk configuration will not sync to the latest version and may cause access policy fail.

Workaround:
If the task is stuck in any step that is not SLEEP_AND_RUN_AGAIN for more than one minute, manually cancel and delete the task and create the same task again.

Fix:
Discover task no longer gets stuck in CHECK_IS_ACTIVE step.


708189 : OAuth Discovery Auto Pilot is implemented

Component: Access Policy Manager

Symptoms:
This now adds a new capability to allow user to select a period to have OAuth auto discovery automatically pull down JWT keys.

Conditions:
Follow the new added UI and configure frequency to start.

Impact:
No impact, it has usability improvement over manual discovery.

Workaround:
There is no workaround.

Fix:
New auto pilot capability is added for usability.


708114-1 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Component: Local Traffic Manager

Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.


708054-1 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

Component: TMOS

Symptoms:
Web Acceleration feature may not handle big HTML file with improper conditional comments inside in some cases. TMM may crash processing such files if Web Acceleration profile is attached to VIP.

Conditions:
- HTML file with conditional comments inside:
  <!--[if condition...]> ... <![endif]-->

- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.

Impact:
TMM crash interrupts all active sessions.

Workaround:
There is no workaround at this time.

Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.


708005-1 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources

Component: Access Policy Manager

Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.

Impact:
End user cannot launch VMware View resources with View HTML5 client.

Workaround:
You can use the following workarounds:

-- If you are already running Horizon 7.4, use native View clients instead.

-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.

-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:

when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata")} {
        HTTP::cookie remove "sessionDataServiceId"
    }
}

when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if {[string length $path] > 0} {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}

Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed before exhibiting successful behavior.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.

Fix:
Horizon View version 7.4 in HTML5 mode now functions correctly with APM.


707676-1 : memory leak in Machine Certificate Check agent of the apmd process

Component: Access Policy Manager

Symptoms:
apmd process leaks memory in Machine Certificate Check agent

Conditions:
- Machine Certificate Check agent is configured in an Access Policy
- inspected machine certificate is revoked by CRL

Impact:
apmd may grow in size. this may lead to apmd process or some other processes at BIG-IP to be killed by OOM-killer

Workaround:
There is no workaround

Fix:
The memory leak is fixed.


707585-1 : Use native driver for 82599 NICs instead of UNIC

Component: TMOS

Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.

Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.

Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.

Workaround:
In case of UNIC, extra CPUs must be allocated to handle SoftIRQs for higher performance.

Fix:
This release provides a native driver based on F5's physical platforms.


707447-1 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

Component: Local Traffic Manager

Symptoms:
SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default NI profile, however is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If then the connection attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).
       
The fix: When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from
non-default SNI profile, stop the search and return NULL.

Conditions:
SNI configured with one default SNI profile, one or multiple SNI profiles. The default SNI profile is changed and renegotiation with SNI(with non-default SNI profile) is issued.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.


707246-1 : TMM would crash if SSL Client profile could not load cert-key-chain successfully

Component: Local Traffic Manager

Symptoms:
TMM would crash if SSL Client profile could not load cert-key-chain successfully, and SSL is working in the fwd-proxy-mode.

Conditions:
1. SSL is working in the fwd-proxy-mode.
2. SSL could not load the cert-key-chain in the clientssl profile successfully. There could be couple of reasons:

2.1.We fail to configure the password required by the cert-key-chain.
2.2.Configured cert-key-chain type is not supported.
2.3.cert-key-chain name is incorrect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure the cert-key-chain in the clientssl profile correctly.

Fix:
If we fail to load the cert-key-chain in the clientssl profile, and ssl is working in the fwd-proxy-mode, we will mark the corresponding ssl clientssl profile as invalid, then we will not accept the incoming SSL handshake destined to this profile.


707226 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.


707186-1 : TMM may crash while processing HTTP/2 traffic

Solution Article: K45320419


707100 : Potentially fail to create user in AzureStack

Component: TMOS

Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.

Conditions:
Azure Stack VE provisioned with password authentication.

Impact:
Admin loses provisioned VE instance because there is no way to ssh in.

Workaround:
Deploy VE with key authentication.

Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.


706998-3 : Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication

Component: TMOS

Symptoms:
There is a memory leak when OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.

Conditions:
OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.

Impact:
TMM will run out of memory.

Workaround:
There is no workaround at this time.

Fix:
The memory leak has been fixed.


706835 : When cloning a profile, URL parameters are not shown

Component: Fraud Protection Services

Symptoms:
In Fraud Protection Service GUI, cloning a profile and then navigating to a URL, its parameters are not shown.

Conditions:
Provision and license Fraud Protection Service.

Impact:
Fraud Protection Service GUI.

Workaround:
Navigating again from Profiles will show the parameters.

Fix:
Parameters are now shown on first attempt after cloning a profile.


706771-1 : FPS ajax-mapping property may be set even when it should be blocked

Component: Fraud Protection Services

Symptoms:
Ajax mapping may be set only when 1) ajax-encryption is enabled OR 2) ajax-integrity AND strong-integrity are enabled.

The bug allows to set ajax-mapping even for the following (invalid) configuration:

  ajax-encryption: disabled
  ajax-integrity: enabled
  strong-integrity: disabled

Conditions:
1)
  ajax-encryption: disabled
  ajax-integrity: enabled
  strong-integrity: disabled

2)
  non-empty ajax-mapping

Impact:
System will set the ajax-mapping field when it should have been blocked.

Workaround:
There is no workaround at this time.

Fix:
FPS should block ajax-mapping configuration when the pre-conditions weren't met.


706688 : Automatically add additional certificates to BIG-IP system in C2S and IC environments

Component: TMOS

Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The BIG-IP system's failover and autoscale feature use AWS CLI commands. Those AWS CLI commands need to have the $AWS_CA_BUNDLE pointing to the certificate files location and endpoint URL. These must be configured manually.

Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.

-- The BIG-IP system is configured to do failover or autoscale in those environments.

Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.

Workaround:
None.

Fix:
In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url.

To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
 
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;

Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL which is of following format
    <A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
     
Example: ec2.us-iso-east-1.c2s.ic.gov:443;


706651-1 : Cloning URL does not clone "Description" field

Component: Fraud Protection Services

Symptoms:
When cloning URL using the "Clone URL" feature in FPS/DataSafe GUI, description field is not cloned to new URL.

Conditions:
Provision and license FPS/DataSafe.

Impact:
Not all expected configuration values of the URL are cloned.

Workaround:
There is no workaround.

Fix:
Description field is now cloned to the new URL.


706631-2 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.


706534-1 : L7 connection mirroring may not be fully mirrored on standby BigIP

Component: Local Traffic Manager

Symptoms:
As a result of a known issue L7 connection mirroring may not be fully mirrored on standby BigIP

Conditions:
L7 VIP with mirroring configured
Connections with transfer of substantial size.

Impact:
Connections may be mirrored initially but removed after some time.
If there is a failover these connections may not be correctly handled.

Workaround:
Disabling LRO via
tmsh modify sys db tm.tcplargereceiveoffload value disable

May workaround this issue

Fix:
BIG-IP now fully mirrors all L7 connections


706305-1 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled

Component: TMOS

Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.

Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.

Impact:
Inability for the unit to use BGP

Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may allow to workaround this issue.

Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled


706276-1 : Unnecessary pop-up appears

Component: Fraud Protection Services

Symptoms:
A pop-up dialog box appears when 'Enhanced Data Integrity Check' is clicked.

Conditions:
-- Provision and license FPS.
-- Add URL.
-- Disable 'Check Full AJAX for Data Manipulation'.

Impact:
Unnecessary dialog box appears.

Workaround:
None.

Fix:
The pop-up does not appear.


706176-1 : TMM crash can occur when using LRO

Solution Article: K51754851


706087 : Entry for SSL key replaced by config-sync causes tmsh load config to fail

Component: TMOS

Symptoms:
After config-sync, the secondary unit's key file does not match the passphrase stored for the key. This is a generic problem where config-sync is not synchronizing any differing file-objects on the secondary unit that happen to have the same cache_path as the primary.

Conditions:
If the cache_path of the encrypted key happens to be the same on the HA-pair, but the keys are different and have different passphrases.

Impact:
Secondary unit will fail to load the config during boot-up, so it will be offline. Other file-objects that had the same cache_path but where different files do not sync. The latter may not be noticed since nothing fails on the secondary unit.

Workaround:
Check if the cache_path of the encrypted key is the same on both systems prior to config-sync and that the sha1sum are different. If this is the case, remove the key on one of the systems and re-install the key and make sure the cache_path name is different.

Fix:
The key files (in the cache_path) will sync despite having the same name. The problem goes away. The same goes for any file-object that happened to have the same cache_path prior to sync.


706086-3 : PAM RADIUS authentication subsystem hardening

Solution Article: K62750376


705794-2 : Under certain circumstances a stale http2 stream can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
A HTTP2 stream is getting overlooked when cleaning up a HTTP2 flow.

Conditions:
Currently only known is that the closing_stream is not empty. Exact entrance conditions not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP2 flows are properly cleaned up to prevent a tmm crash.


705774-1 : Add a set of disallowed file types to RDP template

Component: Application Security Manager

Symptoms:
Universally dangerous filetypes are not included in RDP policy template.

Conditions:
The user creates a new policy using the RDP template.

Impact:
Universally dangerous filetypes are not disallowed.

Workaround:
Dangerous filetypes can be added to policies created from RDP template.

Fix:
Universally dangerous filetypes are now included in RDP policy template.


705611-2 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used

Component: Local Traffic Manager

Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.

Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.

Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.


705593-5 : CVE-2015-7940: Bouncy Castle Java Vulnerability

Component: Device Management

Symptoms:
An attacker could extract private keys used by Bouncy Castle in elliptic curve cryptography with a few thousand queries.

Conditions:
No specific conditions.

Impact:
None. BIG-IP software does not use the impacted library features.

Fix:
Version 1.59 of the library is installed on the BIG-IP system at the following paths:
/usr/share/java/rest/libs/bcprov-1.59.jar
/usr/share/java/rest/libs/bcpkix-1.59.jar


705559-1 : FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request

Component: Fraud Protection Services

Symptoms:
A false positive "no strong integrity param" is sent when none of the configured data-integrity parameters are present in the request.

Conditions:
1. a protected URL has at least one parameter configured with data0integrity check enabled
2. enhanced data manipulation is enabled
3. a request without any of the data-integrity parameters is sent to the protected URL

Impact:
A false positive "no strong integrity param" alert is sent.

Workaround:
There is no workaround at this time.

Fix:
"No strong integrity param" alert should be suppressed in case that none of the data-integrity parameters were sent.

In case that forcing all data-integrity parameters was enabled (tmsh modify sys db antifraud.autotransactions.parameternameintegrity value enable) - the alert will be sent.


705161-1 : TMM may crash when processing TCP DNS traffic

Solution Article: K23520761

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, when processing TCP DNS traffic, TMM may crash

Conditions:
DNS profile enabled
TCP profile enabled
AVR enabled
ASM enabled

Impact:
TMM crash, leading to a failover event.

Fix:
TMM processes TCP DNS traffic as expected


704666-1 : memory corruption can occur when using certain certificates

Component: Local Traffic Manager

Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.

Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.

Impact:
TMM could crash.

Workaround:
Do not use certificates with extremely long common names

Fix:
A length check has been added to avoid corruption when using extremely long common names.


704580-1 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Component: Access Policy Manager

Symptoms:
Under certain conditions apmd service may restart when processing response from SAML IdP.

Conditions:
BIG-IP is configured as SAML SP. BIG-IP is processing SAML message from IdP

Impact:
Temporarily users will not be able to authenticate agains BIG-IP
until apmd service starts up.

Workaround:
There is no workaround at this time.

Fix:
apmd service will no longer restart when processing messages from IdP.


704435-1 : Client connection may hang when NTLM and OneConnect profiles used together

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.


704282-2 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy

Component: TMOS

Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.

Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.

For this to happen, the fair share rate of the instance of dynamic policy has to be less than than 32 times the average packet size of the instance of policy.

For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
F5 does not recommend running the BWC under 64Kbps.

Either decrease the number of subscribers or increase the max-rate of dynamic policy.

Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.


704207-1 : DNS query name is not showing up in DNS AVR reporting

Component: Advanced Firewall Manager

Symptoms:
DNS query name is not showing up in DNS AVR reporting.

Conditions:
Sending traffic to Virtual with DNS profile.

Impact:
No query information for DNS is reported in AVR.

Workaround:
There is no workaround at this time.

Fix:
After fix, the query name is now showing up in AVR reporting.


704073-1 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm

Solution Article: K24233427

Component: Local Traffic Manager

Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent

Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.


703959 : Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI

Component: Advanced Firewall Manager

Symptoms:
Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI. The "Infinite" values for detection and mitigation are retained. No error message is returned.

Conditions:
Attempting to configure manual AFM detection and mitigation threshold for DoS Protection Dynamic Signatures using the Management GUI.

Impact:
Administrator is not aware that config change failed to be applied.

Workaround:
Manual thresholds for Dynamic Signatures can be configured using TMSH.

Fix:
User can now change manual detection and mitigation threshold via TMUI.


703940-2 : Malformed HTTP/2 frame consumes excessive system resources

Component: Local Traffic Manager

Symptoms:
Malformed HTTP/2 frame consumes excessive system resources.

Conditions:
Virtual server with HTTP/2 profile enabled receives malformed frame.

Impact:
Excessive consumption of system resources.

Fix:
HTTP/2 frames are processed without consuming excessive resources


703914-2 : TMM SIGSEGV crash in poolmbr_conn_dec.

Component: Local Traffic Manager

Symptoms:
TMM cores in poolmbr_conn_dec function.

Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.

Impact:
TMM core, traffic interruption, possible failover.

Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.

Fix:
TMM correctly handles LB:reselect on virtual servers with pools using request queueing.


703869 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.


703848-1 : Possible memory leak when reusing statistics rows in tables

Component: TMOS

Symptoms:
The handling of the pointers to memory in the statistics tables includes a path that zeros out a pointer to more memory that should be free'd. This means the memory is not free'd for that case.

Conditions:
This condition is usually only hit when the entire file is being deleted and so it doesn't matter that the list is not fully traversed.

Impact:
When slabs are being reused this bug may cause a memory leak.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to properly follow the list.


703833-1 : Some bot detected features might not work as expected on Single Page Applications

Component: Application Security Manager

Symptoms:
Some client side features do not work correctly when enabling single page application.

Conditions:
Enabling single page application (on DoS or ASM), and Web Scraping-> Persistent Client Identification

Impact:
Captcha challenge causes a loop of ajax requests.

Workaround:
There is no workaround at this time.

Fix:
Fixing Persistent Client Identification for Single Page Applications.


703793-3 : tmm restarts when using ACCESS::perflow get' in certain events

Component: Access Policy Manager

Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.

Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).

Impact:
tmm cores and traffic flow will be interrupted while it restarts.

Workaround:
None.

Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.


703761-2 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode

Component: TMOS

Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.

Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.

Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.

Workaround:
There is no workaround at this time.

Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.


703702 : Fixed iControl REST not listing GTM Listeners

Component: Global Traffic Manager (DNS)

Symptoms:
When using iControl REST to get a list of GTM Listeners, no listeners will be returned.

Conditions:
Use iControl REST to get a list of GTM Listeners

Impact:
Cannot get a list of GTM Listeners by iControl REST

Workaround:
Use iControl REST to get a list of all LTM Virtual Servers, and then look for virtual-servers with a DNS Profile

Fix:
Fixed issue preventing iControl REST from returning a list of GTM Listeners


703517 : TMM may crash when processing TCP DNS traffic

Solution Article: K23520761

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, when processing TCP DNS traffic, TMM may crash

Conditions:
DNS profile enabled
TCP profile enabled
AVR enabled
ASM enabled

Impact:
TMM crash, leading to a failover event.

Fix:
TMM processes TCP DNS traffic as expected


703429-2 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
System now provides valid data to Citrix Receiver for Android client.


703298-2 : Licensing and phonehome_upload are not using the sync'd key/certificate

Component: TMOS

Symptoms:
After config-sync, the secondary unit's key passphrase does not decrypt the cached key file.

Conditions:
The original file for f5_api_com.key is used instead of the cached file.

Impact:
phonehome_upload will fail on the secondary unit because the passphrase doesn't match the key file.

Workaround:
After sync, copy the file /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_xxxx over to /config/ssl/ssl.key/f5_api_com.key using the following commands:

# cd /config/filestore/files_d/Common_d/certificate_key_d
# cp -a :Common:f5_api_com.key_xxxx /config/ssl/ssl.key/f5_api_com.key :Common:f5_api_com.key_xxxx

Once the /config/ssl/ssl.key file is in sync, then loading the config with either cached or un-cached file will work fine.

Fix:
The system now removes the source-path files and only keeps the cache-path files. phonehome_upload now will work on the standby unit after a config-sync. Without the source-path files which do not get sync'd, there is no danger of re-loading them.


703233 : Some filters don't work in Security->Reporting->URL Latencies page

Component: Application Visibility and Reporting

Symptoms:
If a filter by Virtual Servers or URLs in Security->Reporting->URL Latencies page, the data is not filtered.

Conditions:
No special condition.

Impact:
It it impossible to filter data in the aforementioned page.

Workaround:
There is no workaround at this time.

Fix:
An incorrect SQL query was applied to the statistics database upon such data request. The SQL query is fixed.


703208-1 : PingAccessAgent causes TMM core

Component: Access Policy Manager

Symptoms:
PingAccessAgent can cause TMM to core due to accessing freed memory.

Conditions:
It happens in edge case situation. Exact steps are still under investigation. Suspicion is that the client aborts the connection while TMM/PingAccessAgent module is still awaiting response from the PingAccessAgent back-end server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


703191-2 : HTTP2 requests may contain invalid headers when sent to servers

Component: Local Traffic Manager

Symptoms:
HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.

Conditions:
-- Virtual server has the HTTP/2 profile assigned.
-- Client and the BIG-IP system negotiate/use HTTP/2.

Impact:
HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.

Workaround:
There is no workaround other than to remove the HTTP/2 profile from the virtual server.


703171-1 : High CPU usage for apmd, localdbmgr and oauth processes

Component: Access Policy Manager

Symptoms:
High CPU Usage for apmd, localdbmgr, and oauthd with large configurations.

Conditions:
APM provisioned
BIG-IP has Large configuration (i.e Large number of Virtual servers).
A full config sync happens from one device-A(With large configuration) to device-B.
The above said processes on Device-B will have high CPU usage.

OR

Same situation occurs when loading BIG-IP configuration with a large number of virtual servers.

Impact:
The user traffic may not be processed by APM until it is done processing all the config changes. The amount of time service is down depends on how large the configuration is.

Workaround:
No Workaround.

Fix:
The software has been optimized to reduce the CPU Usage.


702946-3 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.


702705-2 : Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile

Component: Policy Enforcement Manager

Symptoms:
Tmm may halt and restart when RADIUS Authentication is configured in DHCP profile.

Conditions:
1. RADIUS Authentication is configured in a DHCP profile.
2. DHCP response does not have proper info.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
This version handles these conditions, so tmm does not halt and restart.


702520-2 : Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.

Component: TMOS

Symptoms:
BIG-IP fails to reattach floating addresses to local interfaces during failover, when two or more objects are configured with the same IP address in a given traffic group.

Failover fails with the following error in /var/log/ltm: err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): <IP address> <the same IP address> on interface <eni address>.

Conditions:
-- AZ AWS failover.
-- Same IP address is used for two or more virtual addresses, self IPs, NAT, SNAT translation.

Note: Having two virtual servers with the same IP address (but different ports) does not cause the problem. Also, there is no conflict when using the same IP address for different traffic groups.

Impact:
Failover will fail; some or all IP addresses will not be transferred to the active BIG-IP system.

Workaround:
The only workaround is to change the configuration to use unique IP addresses for conflicting objects.

Fix:
This issue has been resolved.


702487-3 : AD/LDAP admins with spaces in names are not supported

Component: Access Policy Manager

Symptoms:
If admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail, and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.

Note: Names containing spaces are not supported on BIG-IP systems.

Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.

Impact:
VPE, import/export/copy/delete do not work.

Workaround:
There is no workaround other than to not use admin names containing spaces.

Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.


702439 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size argument back to its default.

Fix:
The HTTP/2 filter correctly handles the dynamic header table resize notifications triggered by a non-default header table size. Streams will not be reset with a RST_STREAM error.

Additionally, the BIG-IP system will now send the correct number of dynamic header table resize notifications when the table is resized by the client multiple times between header blocks.


702278-2 : Potential XSS security exposure on APM logon page.

Component: Access Policy Manager

Symptoms:
Potential XSS security exposure on APM logon page.

Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.

Impact:
Potential XSS security exposure.

Workaround:
1. Using APM Advance Customization UI, remove setOrigUriLink(); call in logon.inc from the next JS function:

369 function OnLoad()
370 {
371 var header = document.getElementById("credentials_table_header");
372 var softTokenHeaderStr = getSoftTokenPrompt();
373 if ( softTokenHeaderStr ) {
374 header.innerHTML = softTokenHeaderStr;
375 }
376 setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
377 setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
378 // ===> REMOVE THIS ONE setOrigUriLink();
----

Fix:
Potential security exposure has been removed from APM logon page.


702263-1 : An access profile with large number of SAML Resources (>200) causes APM error ERR_TOOBIG while loading.

Component: Access Policy Manager

Symptoms:
Using a SAML SP intiated use case (APM is IdP) and having a large Access Policy with 200 or more SAML resources assigned to users. Each time a new SAML resource is added to the above Access Policy, the whole SSO service becomes unusable. No new sessions can be established. We generate an internal metadata that consists of the names of all the SAML resources and the SSO name in our code. This has a limit of size 4K and these errors are seen on hitting this limit.

Errors seen:

01490514:3: (null):Common:00000000: Access encountered error: ERR_TOOBIG. File: ../modules/hudfilter/access/access.c, Function: access_create_saml_meta_data, Line: 21001
014d1014:3: /Common/SAML_SSO_access:Common:7a34161c:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request

Conditions:
A SAML SSO Access policy has a large number of SAML Resources assigned to it (such that the combined length of their names >= 4K), we hit the hard limit of 4K in the code.

Impact:
We get error on running the Access Policy, the whole SSO service becomes unusable. No new sessions can be established.

Workaround:
Delete any unused SAML resources from SAML SSO access policy so that the combined length of the names of all SAML resources assigned to Access policy is < 4K.

Fix:
We removed the hard limit of 4K for the internal metadata we create so that we don't hit this issue.


702232-1 : TMM may crash while processing FastL4 TCP traffic

Solution Article: K25573437


702222-1 : RADIUS and SecurID Auth fails with empty password

Component: Access Policy Manager

Symptoms:
If password value is empty, the following error message will be logged in /var/log/apm:

err apmd[14259]: 014902f0:3: /Common/profile_name:Common:eb69a5gd: RADIUS Agent: Failed to read Password Source session variable:

Conditions:
This occurs only when following conditions are met:
- RADIUS or SecurID auth agent is included in the access policy.
- Empty password value is used for authentication.

Impact:
User may not be authenticated.

Workaround:
- Add variable assignment agent before RADIUS/SecurID auth agent in the access policy.
- Set 'session.logon.last.password' (or whatever password source is used for authentication) to a random value.

Fix:
RADIUS/SecurID auth agent allows empty password value for authentication.


701889-1 : Setting log.ivs.level to informational causes crash

Component: Service Provider

Symptoms:
Certain log messages for internal virtual server (IVS) at 'informational' log level, cause TMM to crash when they are logged. The messages are logged at the end of an HTTP transaction to or from an IVS.

Conditions:
"tmsh modify sys db log.ivs.level informational"
A transaction that passes HTTP to/from an internal virtual server.

Impact:
TMM crashes and restarts, causing loss of connections.

Workaround:
Avoid setting log.ivs.level to 'informational' or higher level. By default the level is 'error' which does not trigger the bug.

Fix:
Informational messages for internal virtual server (IVS) are logged as expected and TMM does not crash.


701841-2 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz ,is saved unnecessarily during UCS file save, and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.


701740-1 : apmd leaks memory when updating Access V2 policy

Component: Access Policy Manager

Symptoms:
A small leak occurs in the apmd process when processing mcp notifications about configuration updates.

Conditions:
-- Changing an Access Policy configurations.
-- apmd receives a notification about it.

Impact:
apmd grows in size very slowly. The issue does not have any immediate and significant impact on BIG-IP system functionality.

Workaround:
There is no workaround at this time.

Fix:
apmd no longer leaks a small amount when processing MCP notifications.


701737-1 : apmd may leak memory on destroying kerberos cache

Component: Access Policy Manager

Symptoms:
ampd leaks memory in AD Query agent.

Conditions:
The leak happens on either:
1. A kerberos cache reset is requested (any of the caches - GROUP/PSO/KERBEROS).
OR
2. Any changes to associated AAA AD Server were made and new Access Policy is applied.
OR
3. AD Query was not able to make ldap_bind to KDC and the error is NOT a timeout (e.g. invalid administrator password).

Impact:
The ampd leaks memory and may cause unstable behavior.
The apmd process, or some other daemon may be killed by OOM killer when it tries to allocate memory.

Workaround:
There is no workaround at this time.

Fix:
After fix, there is no leak in AD Query agent of the apmd process.


701736-1 : memory leak in Machine Certificate Check agent of the apmd process

Component: Access Policy Manager

Symptoms:
apmd process leaks memory in Machine Certificate Check agent

Conditions:
Machine Certificate Check agent is configured in an Access Policy

Impact:
apmd may grow in size. this may lead to apmd process or some other processes at BIG-IP to be killed by OOM-killer

Workaround:
There is no workaround at this time.

Fix:
The memory leak is fixed.


701639-1 : Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.

Component: Access Policy Manager

Symptoms:
Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by the BIG-IP system as SP. They are sent as is. This is a behavior change from v12.1.2/v12.1.3/v13.0.0, where, the value gets substituted in the SP's AuthnRequest sent to IDP.

Conditions:
On configuring Requested Authentication Context Class in SP to define a session variable similar to the following:
%{session.client.type}

Impact:
The generated Authentication Request does not have the session variable resolved. The string is sent as is. The Authentication Request fails and the session cannot be established.

Workaround:
None.

Fix:
The system now resolves the session variable in the configured Authentication Context Class for SP while generating the Authentication Request.


701626-2 : GUI resets custom Certificate Key Chain in child client SSL profile

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring.

You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.


701447-1 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003


701445-1 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003


701359-4 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310


701327-2 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exists.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.


701244-1 : An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT

Component: Local Traffic Manager

Symptoms:
TMM receives SIGABRT from failover daemon, sod, due to heartbeat failure shortly after TMM starts up.

Conditions:
In some rare scenarios, TCP fast open encrypt/decrypt key may not be properly initialized when traffic comes into the BIG-IP system.

Impact:
Multiple TMM threads can get into a loop, causing heartbeat failure. TMM restarts, Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The incorrect data manipulation in cipher encrypt and decrypt has been fixed.


701202-3 : SSL memory corruption

Component: Local Traffic Manager

Symptoms:
In some instances random memory can be corrupted.

Conditions:
SSL is configured (either client-ssl or server-ssl) and the crypto operations are offloaded - Cavium Card, Intel Card, FIPS box, etc.

Impact:
Random memory can be overwritten yielding unpredictable results.

Workaround:
None

Fix:
The memory corruption issue has been fixed.


701147-2 : ProxySSL does not work properly with Extended Master Secret and OCSP

Solution Article: K36563645

Component: Local Traffic Manager

Symptoms:
SSL handshake fails if the BIG-IP system is operating in ProxySSL mode, while client and server negotiate to use the Extended Master Secret and OCSP features together.

Conditions:
1. Virtual server is configured to work in ProxySSL mode.
2. Client and server negotiate the SSL handshake with the Extended Master Secret.
3. Client and Server negotiate to use the OCSP.

Impact:
ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.

Workaround:
None.

Fix:
Included the certificate status message in the calculation of Extended Master Secret.


700862-1 : tmm SIGFPE 'valid node'

Solution Article: K15130240

Component: Local Traffic Manager

Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.

Conditions:
The host is unreachable.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when the host is unreachable.


700812-1 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Component: Application Security Manager

Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.

Conditions:
Try to deploy a qkview on a BIG-IP using the asmrepro tool
while BIG-IP has a 4 element version like 13.1.0.1.

Impact:
Cannot deploy a 4 element version qkview on a BIG-IP using the asmrepro tool.

Workaround:
n/a

Fix:
asmrepro now handles the version number properly.


700726-2 : Search engine list was updated

Component: Application Security Manager

Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily.

Conditions:
Site accessed by search engines.

Impact:
Traffic from search engines is blocked unnecessarily.

Workaround:
Manually add search engines.

Fix:
Search engine list has been updated to reflect current common search engine usage.


700724-2 : Client connection with large number of HTTP requests may cause tmm to restart

Component: Access Policy Manager

Symptoms:
tmm may restart while processing client request

Conditions:
- PingAccess profile is configured on the virtual server.

- Client connection sends over 64k HTTP requests that result in BIG-IP's connection to the PingAccess policy server.

Impact:
Traffic will be disrupted while TMM restarts.

Workaround:
Modify HTTP profile used by affected virtual to specify the limit of HTTP requests per connection "maximum requests per connection" to be less then 64k, e.g. 63000 or less.

Fix:
Traffic will no longer be disrupted when client sends over 64k uncached requests on the same TCP connection.


700571-4 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL

Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.


700556-1 : TMM may crash when processing WebSockets data

Solution Article: K11718033


700527-3 : cmp-hash change can hang iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
An iRule must be in the middle of a call to RESOLV::lookup when a vlan cmp-hash configuration is changed.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.


700522-1 : APMD restarts when worker threads are stuck

Component: Access Policy Manager

Symptoms:
APMD restarts and logs a message about all threads being stuck.

Conditions:
A race condition allows the busy thread count to remain higher than the actual value. If it reaches the maximum thread count, APMD will restart.

Impact:
APMD can restart unexpectedly.

Workaround:
There is no workaround.

Fix:
The race condition is corrected and the restarts are eliminated.


700393-3 : Under certain circumstances a stale http2 stream can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
Tmm may crash due to a stale/stalled HTTP2 stream.

Conditions:
http2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.


700320 : tmm core under stress when BADOS configured and attack signatures enabled

Component: Anomaly Detection Services

Symptoms:
Tmm core under stress. Note: This issue has a very low probability of occurring.

Conditions:
-- Out of memory.
-- BADOS configured.
-- Attack signatures enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None, except to not configure attack signatures.

Fix:
Added protection for the case when context adm_filters allocation is failed.


700315-2 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process, by running a command similar to the following: kill -9 'pidof tshark'

Fix:
Ctrl+C now terminates TShark as expected.


700090-2 : tmm crash during execution of a per-request policy when modified during execution.

Component: Access Policy Manager

Symptoms:
Modify/delete of per-request policy during heavy traffic flow causes tmm to crash.

Conditions:
While a per-request policy (macro) is getting executed.
Admin deletes the parent policy item (at the same time).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not modify per-request policy during heavy traffic flow.

Fix:
The situation is fixed, if the policy that is getting executed currently has been deleted, look for its continuation in the deleted policy list.


700057-4 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.


699720-1 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.


699686-1 : localdbmgr crash

Component: Access Policy Manager

Symptoms:
When localdbmgr process is restarted, occasionally, the process crashes and a core file will be generated.

Conditions:
-- APM is provisioned.
-- localdbmgr process is restarted.

Impact:
Although the process restarts, there is no impact to the APM functionality.

Workaround:
None.

Fix:
localdbmgr no longer crashes during shutdown.


699624-1 : Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade

Component: Local Traffic Manager

Symptoms:
A configuration that contains custom 'SIP' or 'FirePass' monitors that is upgraded from a version earlier than v13.1.0 may either fail to load, or may result in a configuration that loads the first time after the upgrade, but cannot be re-loaded from the text config files.

If the BIG-IP system has partitions other than 'Common', the initial configuration load may fail with an error such as:

01070726:3: monitor /Common/sip-monitor in partition Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition

If the BIG-IP system only has a 'Common' partition, the initial configuration load will succeed, but subsequent attempts to load the configuration (e.g., 'tmsh load sys config') may fail with this error:

Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property

Which corresponds to a SIP or FirePass monitor in the configuration such as:

ltm monitor sip /Common/test_sip_monitor {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    debug no
    defaults-from /Common/sip
    destination *:*
    filter 488
    interval 5
    mode tcp
    time-until-up 0
    timeout 16
    user-defined SSL_PROFILE_NAME /Common/test_sip_monitor_ssl_profile
}

Conditions:
Custom 'SIP' or 'FirePass' monitor is configured, and the config is upgraded from a version earlier than v13.1.0 to version v13.1.0.

Impact:
After upgrade, the configuration fails to load with an error such as:

01070726:3: monitor /Common/sip-monitor in partition /Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition.

Alternatively, the configuration loads after upgrade, but the config file is corrupted, and will fail to load (such as after a system restart, or upon explicit 'tmsh load sys config'), with an error such as:

Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property

Workaround:
Remove custom 'SIP' and 'FirePass' monitors from the configuration, and re-create them manually after upgrade is complete.

Fix:
In this release, a configuration that contains a custom 'SIP' or 'FirePass ' monitor from a version earlier than v13.1.0 now loads correctly and continues to load as expected.


699531-1 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.

Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.


699455-4 : SAML export does not follow best practices

Component: Access Policy Manager

Symptoms:
Export of SAML data does not follow current best practices

Conditions:
SAML data exported by administrator

Impact:
Administrative request processing does not follow current best practices

Workaround:
None.

Fix:
Update SAML export to follow current best practices


699451-3 : OAuth reports do not follow best practices

Solution Article: K30500703


699346-3 : NetHSM capacity reduces when handling errors

Component: Local Traffic Manager

Symptoms:
Under certain conditions NetHSM performance may be reduce while handling errors.

Conditions:
NetHSM enabled

Impact:
Reduced performance potentially leading to a failover event

Fix:
Process errors more efficiently when using NetHSM


699339-3 : Geolocation upgrade files fail to replicate to secondary blades

Solution Article: K24634702

Component: Global Traffic Manager (DNS)

Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.

Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.

Impact:
Geoip database is not updated to match primary blade.

Workaround:
Use either of the following workarounds:

-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.

-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.

To edit /etc/csyncd.conf:

Merge the following two terms:
 monitor dir /shared/GeoIP {...)
 monitor dir /shared/GeoIP/v2 {...}

into one term, as follows:
monitor dir /shared/GeoIP {
        queue geoip
        pull pri2sec
        recurse yes
        defer no
        lnksync yes
        md5 no
        post "/usr/local/bin/geoip_reload_data"
}

Fix:
Geolocation upgrade files now correctly replicate to secondary blades.


699298-2 : 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.

Solution Article: K83285053

Component: Local Traffic Manager

Symptoms:
TMM may crash when woodside congestion-control is in use.

Conditions:
When woodside congestion-control is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Other congestion control algorithms can be used as a workaround.

Fix:
This fix handles a rare TMM crash when woodside congestion-control is in use.


699281-1 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
Recently F5 incorporated 4th element into versioning scheme. 4th and 5th are separated by dash (instead of dot) in ISO name. This change/bug insures that names of hypervisor bundles also use dash between 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example ova files for vmware).

Impact:
Version format in names of hypervisor bundles matches version format of ISO file

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).


699135-1 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.

Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create a iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.

Impact:
tmm cores.

Workaround:
Don't use host command for non type A/AAAA wideips.


699103-1 : tmm continuously restarts after provisioning AFM

Component: Traffic Classification Engine

Symptoms:
Webroot URL categorization is not supported for Traffic Classification on a BIG-IP system with less than 16 GB RAM when AFM is provisioned.

Conditions:
-- Webroot URL categorization configured for Traffic Classification.
-- BIG-IP system with less than 16 GB RAM when AFM is provisioned.

Impact:
tmm restarts.

Workaround:
There is no workaround other than to ensure that more than 16 GB RAM is available when AFM is provisioned.

Fix:
Webroot URL categorization is now supported for Traffic Classification on a BIG-IP system with less than 16 GB RAM when AFM is provisioned.


699012-1 : TMM may crash when processing SSL/TLS data

Solution Article: K43121447


698940-1 : Add new security policy template for API driven systems - "API Security"

Component: Application Security Manager

Symptoms:
No security policy template for API Security for API driven systems.

Conditions:
-- Using API.
-- Attempting to define REST API protection, Web Socket protection.

Impact:
No policy template.

Workaround:
None.

Fix:
Added new security policy template for API driven systems - 'API Security'.


698919-3 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.


698916-1 : TMM crash with HTTP/2 under specific condition

Component: Local Traffic Manager

Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connnection.

Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.

Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.


698461-1 : tmm may crash in fastl4 TCP

Component: Local Traffic Manager

Symptoms:
tmm crash and BIGIP fail over.

Conditions:
Virtual with fastl4 and TCP profile configured and used.
LRO is used.

Impact:
tmm may crash

Fix:
the crash is fixed.


698429-1 : Misleading log error message: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:

Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...

These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.

Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.

Impact:
None. These messages do not indicate an actual problem with the system.


698424-1 : Traffic over a QinQ VLAN (double tagged) will not pass

Solution Article: K11906514

Component: Local Traffic Manager

Symptoms:
Traffic on a QinQ VLAN will not pass.

Conditions:
This issue exists when a VLAN is configured as a QinQ VLAN (i.e., a double-tagged VLAN).

Impact:
Traffic on a QinQ VLAN will not pass.

Workaround:
Disabling LRO may workaround this issue.

Fix:
Traffic on a QinQ VLAN now passes successfully.


698396-1 : Config load failed after upgrade from 12.1.2 to 13.x or 14.x

Component: Traffic Classification Engine

Symptoms:
Sys load fails with following errors,
....
Loading schema version: 14.0.0
0107153e:3: Application id out of the valid range of [8192-16384).
Unexpected Error: Loading configuration process failed.

Conditions:
When an CEC IM is applied to 12.1.2 and then when we upgrade to 13.x or 14.x, sys load will fail.

Impact:
System will fail to come to Active state after upgrade.

Workaround:
It can be fixed by manually deleting /var/libdata/dpi/conf/classification_update.conf


698379-2 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(

Solution Article: K61238215

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.

Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.


698338-1 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.

Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.


698080-3 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183


698000-3 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupts traffic to connections using a pool member to reach the nexthop.


697756-1 : Policy with CSRF URL parameter cannot be imported as binary policy file

Component: Application Security Manager

Symptoms:
A policy with at least 1 CSRF URL parameter defined cannot be imported as a binary policy file.

Conditions:
A policy has at least 1 CSRF URL parameter defined.

Impact:
The policy cannot be imported as a binary policy file.

Workaround:
There is no workaround at this time.

Fix:
A policy with CSRF URL parameters defined can now be imported as a binary policy file.


697718-1 : Increase PEM HSL reporting buffer size to 4K.

Component: Policy Enforcement Manager

Symptoms:
Before this fix, PEM HSL reporting buffer size is limited by 512 bytes.

Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.

Impact:
Part of PEM HSL flow reporting information will be lost.

Fix:
We increase PEM HSL reporting buffer size to 4K, which should be enough for uses cases we currently know.


697636-3 : ACCESS is not replacing headers while replacing POST body

Component: Access Policy Manager

Symptoms:
If the first request for a session is a POST, APM will save the POST to replay after the policy completes. When the POST is restored after policy completion and released to the backend, the headers are the same as the most recent client request, not the original POST. In particular, the Content-Length header will not match the original POST.

Conditions:
First request for the session is a POST.

Impact:
Backend servers may complain of an incomplete HTTP POST due to a mismatching Content-Length header.

Workaround:
None.

Fix:
Now, the system takes all headers from the original POST, except the Authorization header that Kerberos RBA needs, which is taken from the most recent client request.


697452-1 : Websso crashes because of bad argument in logging

Component: Access Policy Manager

Symptoms:
Websso would crash because of bad argument in logging

Conditions:
Only when kerberos sso is configured

Impact:
Websso would crash and so single sign on may fail.

Workaround:
The workaround is not configure kerberos SSO

Fix:
This issue has been fixed.


697421 : Monpd core when trying to restart

Component: Application Visibility and Reporting

Symptoms:
Monpd tries to restart and tries to access a non-initiated variable

Conditions:
Monpd tries to restart due to change of primary blade

Impact:
Monpd cores

Workaround:
N/A

Fix:
Adding sanity check to the non-initiated variable before trying to access it


697363-1 : FPS should forward all XFF header values

Component: Fraud Protection Services

Symptoms:
For BIG-IP alerts, FPS will insert a single XFF with the client IP and discard all XFF values/headers in the original request (the request which triggered the alert)

Conditions:
Alert generated on BIG-IP side.

Impact:
Original XFF information will be lost: only a single XFF header (containing client IP) will be present.

Workaround:
None.

Fix:
FPS now copies all original XFF headers to the generated alert.


697303-1 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.


697259-2 : Different versioned vCMP guests on the same chassis may crash.

Solution Article: K14023450

Component: Local Traffic Manager

Symptoms:
The vCMP guest TMM crashes soon after startup.

Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.

Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Different versioned vCMP guests on the same chassis no longer crash.


696808-1 : Disabling a single pool member removes all GTM persistence records

Solution Article: K35353213

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidently cleared.

Workaround:
Set drain-persistent-requests yes.

Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.


696789-1 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, and the irule is resumed because of timeout.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.


696525-1 : B2250 blades experience degraded performance.

Component: Performance

Symptoms:
B2250 blades have degraded performance by up to 17%. This is caused by connections not being offloaded to hardware as often as expected.

Conditions:
This occurs when the FastL4 profile is configured to offload to hardware and the service provider DAG is configured and in use on B2250 blades.

Impact:
Performance will be degraded due to more connections being handled in software.

Workaround:
None.

Fix:
The performance issue for the B2250 blades has been fixed.


696383-1 : PEM Diameter incomplete flow crashes when sweeped

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.


696294-1 : TMM core may be seen when using Application reporting with flow filter in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM core with flow filter when Application reporting action is enabled

Conditions:
If Application reporting is enabled along with flow filter

Impact:
TMM restart causing service interruption

Fix:
Initialize the application start buffer so as to prevent the TMM core


696265-5 : BD crash

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.


696113-3 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.

Fix:
An object tracking crypto operations now adds a sole reference to the connflow as long as the count of crypto operation pending is nonzero.


696073-2 : BD core on a specific scenario

Component: Application Security Manager

Symptoms:
bd process crashes, and core file created in the /shared/core/ directory.

Conditions:
Specific request and response characteristics that relates to CSP headers sent by the server.

Impact:
Failover in high availability units.

Workaround:
Disable CSP headers handling in ASM by running the following commands:

/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm

Fix:
The system now reinitializes the CSP headers before each response headers event, so this issue no longer occurs.


696049-1 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Solution Article: K55660303

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.


695968-1 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.


695953-1 : Custom URL Filter object is missing after load sys config TMSH command

Component: Access Policy Manager

Symptoms:
The user will not be able to see the custom URL Filter object that is created either through TMSH/GUI.
If the filter object is referred in Access Policy, the policy will fail to load during "load sys config" command.
01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
The custom URL Filter object is missing after the user does "load sys config" command in TMSH. Please note that SWG is not provisioned in this case.

Impact:
(1) The access policy will fail to load if it refers the URL Filter object. The user will not be able to use the URL Filter object in the policy.

Workaround:
(1) Provision SWG, and recreate the URL Filter
or
(2) Change bigip.conf to include the URL Filter object

Fix:
Fix is to make sure, during load sys config, custom URL filter gets saved properly and always visible, and usable in the policy.


695901-1 : TMM may crash when processing ProxySSL data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash will processing SSL/TLS data via ProxySSL

Conditions:
ProxySSL enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes SSL/TLS data via ProxySSL as expected


695707-5 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection

Component: Local Traffic Manager

Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.

Conditions:
Close an MPTCP connection.

Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.

Workaround:
There is no workaround at this time.

Fix:
Keep the retransmission timer running if an MPTCP connection can retransmit a DATA_FIN.


695563-1 : Improve speed of ASM initialization on first startup

Component: Application Security Manager

Symptoms:
ASM initialization on first startup takes a long time.

Conditions:
Provision ASM.

Impact:
ASM initialization takes a long time.

Workaround:
There is no workaround at this time.

Fix:
ASM initialization on first startup is faster.


694922-5 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state


694897-2 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.

Component: TMOS

Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.

Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1 GB interfaces.
-- On i4x00 platforms.

Impact:
PFMAND cores.

Workaround:
Use only F5 branded Copper SFPs

Fix:
This release updates SFP string parsing in PFMAND to account for NULL terminated vendor information.


694740-3 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

Fix:
Reboot is delayed until TMM core file is completed.


694717-1 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.


694656-1 : Routing changes may cause TMM to restart

Solution Article: K05186205

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

Fix:
TMM now properly manages routing information for active connections.


694624-1 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor

Component: Access Policy Manager

Symptoms:
APM Webtop's SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS and Android clients. Each launch attempt generates following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac

Conditions:
Native RDP resource with enabled SSO is used on hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.

Impact:
RDP client can't launch requested resource (desktop/application).

Workaround:
Disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSO enabled Native RDP resources now can be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS and Android clients.


694319-1 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues as not all CCA messages cannot be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
Add a statistics counter to track CCA's that do not request type AVPs.
Name of new counter:cca_unknown_type


694318-1 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending resulting in a potential increase in memry consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.


694274-1 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223


694073-3 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.


693979 : Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document

Component: TMOS

Symptoms:
The /shared/vadc/aws/iid-document's file permission changed and as a result the autoscale feature was failing.

Conditions:
Whenever autoscale is triggered

Impact:
The autoscale feature does not work

Workaround:
The permission of /shared/vadc/aws/iid-document was never set explicitly. It inherited file permission flags from /shared/vadc/. We set the file permission explicitly.

Fix:
The autoscale feature is functional after changing file permissions of /shared/vadc/aws/iid-document.


693964-1 : Qkview utility may generate invalid XML in files contained in Qkview

Component: TMOS

Symptoms:
When Qkview runs, it may gather XML files that are not well-formed, and contain ASCII control characters. This is most commonly seen with mcp_module.xml.

An XML validator may report an error such as:

    mcp_module.xml:536081: parser error : PCDATA invalid Char value 29
      <msgs></msgs>
            ^

Conditions:
-- Running Qkview.
-- An ASCII control character exists within a certain string field.

Impact:
The control character will be written verbatim into XML without encoding. Automated tools (e.g., iHealth) that attempt to process these files may fail.

Workaround:
iHealth automatically detects and corrects this issue in uploaded Qkviews.

You can analyze the XML files with some other tool, a tar.gz, so it can be unpacked, the XML files edited to correct the formatting, and then repacked. The xmllint command-line tool (present on the BIG-IP system) can also recover valid XML by removing the invalid characters.

To do so, you can run a command similar to the following:

    xmllint --recover mcp_module.xml --output mcp_module.xml

Fix:
Qkview no longer writes control characters in XML text, but instead processes them as expected.


693910-4 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transition to a STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a block state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

Fix:
FDB entries are now flushed by interface whenever an interface transitions to a STP block state.


693844-1 : APMD may restart continuously and cannot come up

Component: Access Policy Manager

Symptoms:
apmd process cannot start correctly and restarts in an infinite loop. When apmd initializes the Allow Ending agent, the process tries to load all resources (including ACLs, the webtop, and all resources for every webtop, app tunnels, rdp, etc.). The most likely configuration to encounter this issue is with ACLs. For example, if you have thousands of ACL records, the Allow agent pulls them all at once. If the mcpd process is consumed with other operations, it might be that apmd cannot initialize the Allow agent in 30 secs, so it restarts, at which point the process tries to load all resources, cannot complete within the 30 seconds, and restarts in a loop.

Conditions:
Too many resources assigned in an Access Policy profile
for example thousands of ACLs configured.

apmd cannot initialize the Allow Ending agent in 30 seconds and decides it has stopped responding. Then it restarts by it's own, but problem is not solved, so it restarts in a loop

Impact:
APM end users cannot authenticate.

Workaround:
Reduce amount of resources so every agent can initialize within the 30-second timeframe.


693780-1 : Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices

Component: Advanced Firewall Manager

Symptoms:
When a request arrives from UCBrowser running on iOS and without TSPD_101 (proactive bot defense cookie). The big-ip respond with captcha challenge.

Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.

Impact:
UC browser end-user presented with captcha challenge.

Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
    value "60"
}

Fix:
User agent parser has been changed (adjusted) for the UC browser. The UC browser is detected as safari ios.


693663-1 : Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode

Component: Advanced Firewall Manager

Symptoms:
When a request arrives from Firefox running on iOS in desktop mode and without TSPD_101 (proactive bot defense cookie). The big-ip respond with captcha challenge.

Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.

Impact:
Firefox (iOS desktop mode only) end-user presented with captcha challenge.

Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
    value "60"
}

Fix:
User agent parser has been changed (adjusted) for the Firefox browser running in desktop mode. The browser is detected as safari pc and the browser version is taken from Mac version number.


693312-1 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


693244-2 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned

Component: Local Traffic Manager

Symptoms:
BIG-IP silently drop the serverside TCP flow, when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.

Conditions:
BIG-IP receives a client-side reset when client-side TCP flow is in ESTABLISHED state and server-side TCP flow is in SYN-SENT state, serverside flow is silently dropped.

Impact:
Since serverside pool member does not receive the RST, it remains in SYN-RECEIVED state until it runs out of syn retransmissions and eventually, due to timeout, it returns to LISTEN state.

Fix:
BIG-IP resets serverside TCP flow with RST when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.


693007-1 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager (DNS)

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.

Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.


692970-2 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.


692941-1 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.


692890-3 : Adding support for BIG-IP 800 in 13.1.x

Component: TMOS

Symptoms:
Installing software version 13.1.0 fails on BIG-IP 800.

# tmsh show sys soft


---------------------------------------------------------Sys::Software Status
Volume Product Version Build Active Status
---------------------------------------------------------
HD1.1 BIG-IP 13.1.0 0.0.1868 no failed (Failed to install.)
HD1.2 BIG-IP 13.0.0 0.0.1645 yes complete
HD1.3 BIG-IP 11.6.0 0.0.401 no complete

---------------------------
Sys::Software Update Check
---------------------------
  Check Enabled true
  Phonehome Enabled true
  Frequency weekly
  Status none
  Errors 0

The system logs the following messages in /var/log/liveinstall.log:

info: Hardware is lm capable
info: System is lm capable
info: Adding application-package ltm7-application/noarch to transaction.
info: Adding application-package ros7-application/noarch to transaction.
info: Adding application-package sam-main/noarch to transaction.
info: Adding application-package sum-application/noarch to transaction.
info: Adding application-package ts-application/noarch to transaction.
info: Adding application-package wa-master/noarch to transaction.
info: Adding application-package (lm) woc-application-lm/noarch to transaction.
error: Product has no root package for Mercury
error: couldn't get package list file for LTM.ROS.SAM.SUM.TS.WA.WOC group Terminal error: Failed to install.
*** Live install end at 2018/01/02 13:29:45: failed (return code 255) ***

Conditions:
-- Installing/upgrading to v13.1.x.
-- Using the BIG-IP 800 platform.

Impact:
Install/upgrade will fail.

Workaround:
None.

Fix:
Installation now completes successfully on the BIG-IP 800 platform.


692753-1 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell

Component: TMOS

Symptoms:
Shutting down trap not sent when shutdown -r or shutdown -h issued from shell.

Conditions:
When user access the linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP does not send shutting down trap.

Impact:
None.
Since this is user triggered command, the user is aware of the shutdown event, so the lack of trap is not critical.

Workaround:
None

Fix:
The shutdown trap is sent when user issues "shutdown -r" or "shutdown -h" from the linux shell.


692683-1 : Core with /usr/bin/tmm.debug at qa_device_mgr_uninit

Component: TMOS

Symptoms:
Running a debug version of tmm (/usr/bin/tmm.debug) on BIG-IP 2xxx and 4xxx platforms, crashes at qa_device_mgr_uninit when issuing either of the following commands:
-- bigstart stop tmm
-- bigstart restart tmm

Conditions:
Running a debug version of tmm.
-- BIG-IP 2xxx and 4xxx platforms.
-- Running either of the following commands:
   + bigstart stop tmm
   + bigstart restart tmm

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using a debug version of tmm on BIG-IP 2xxx and 4xxx platforms.

Fix:
tmm no longer halts and restarts under these conditions.


692557-1 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.

Component: Access Policy Manager

Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.

Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.


692328-1 : Tmm core due to incorrect memory allocation

Component: Advanced Firewall Manager

Symptoms:
In a rare condition after providing afm, we get a tmm core.
You will see the following line in avrd.log
/usr/bin/avrinstall -c20 -t10 -s2401000 --provisionAVR=0 --provisionASM=0 --provisionAFM=0 --provisionPBD=0 --provisionAPM=0 --provisionFPS=0 --provisionPEM=0 --provisionVCMP=0

Conditions:
AFM provisioned.
Attack started.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
We check that the shared memory was allocated correctly before reporting on an attack.


692307-3 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables


692123 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

Fix:
The GET method is not grayed out if MobileSafe is not licensed.


691806-1 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.


691670-5 : Rare BD crash in a specific scenario

Solution Article: K02515009

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.


691504-1 : PEM content insertion in a compressed response may cause a crash.

Solution Article: K54562183


691498-3 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, Traffic disrupted while tmm restarts.

Workaround:
No known workaround.

Fix:
The reference counting of the resolver connection was fixed.


691497-2 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions

Component: TMOS

Symptoms:
The .diffVersions directory has config change-diffs saved into patch files every time tmsh saves the configs. This is used for diagnostic purposes only.

Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' gets run at the same time, causing a patch file to be deleted that the ucs-save feature now expected to exist.

Impact:
The ucs-save feature complains about the missing patch file and exits.

Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.

Fix:
With this defect fixed, patch files that end up missing once 'tmsh load sys ucs <file>' is started will not be reported as an error, and the tmsh command will complete normally.


691477-2 : ASM standby unit showing future date and high version count for ASM Device Group

Component: Application Security Manager

Symptoms:
Policy builder is changing configuration of standby unit.

Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).

Impact:
Unexpected changes are made to the policy on standby device (CID increment).

Workaround:
Restart pabnagd when switching device from active to standby (also when blade is changed from master no non-master):

killall -s SIGHUP pabnagd

Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.


691462-1 : Bad actors detection might not work when signature mitigation blocks bad traffic

Component: Anomaly Detection Services

Symptoms:
When signature detected and mitigating no bad actors detection

Conditions:
1. Signatures detected and mitigating
2. Attack traffic is not significantly higher than the good traffic

Impact:
No bad actors detected.
Only signatures provides DoS protection.
BIG-IP CPU utilization is higher than necessary

Workaround:
No workaround at this time.

Fix:
The fix takes in account also SIGNATURES DROPS to decide when bad actors detection should be more agressive.


691287-1 : tmm crashes on iRule with GTM pool command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').

For example:

when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

or:

when DNS_REQUEST {
    pool [class lookup pool-dg key-value]
}

Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Pass the 'pool' argument through 'string trim'. For instance:

when DNS_REQUEST {
    pool [string trim [class lookup pool-dg key-value]]
}

Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.


691210-1 : Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.

Component: TMOS

Symptoms:
Traffic stops after tmm restart. BIG-IP Virtual Edition (VE) becomes unresponsive and requires power cycle.

Conditions:
This occurs when the following conditions are met:
-- Using VE.
-- Data plane interfaces are SR-IOV VF.
-- Guest VLAN tagging is used.
-- tmm restart.

Impact:
BIG-IP system stops working, and management connection may be lost, requiring power cycle.

Workaround:
Use VLAN tagging from host.

Fix:
The BIG-IP system now continues to work after tmm restart when guest VLAN tagging is used with SR-IOV interfaces for BIG-IP VE.


691095-1 : CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes

Component: Local Traffic Manager

Symptoms:
CA certificates with long but different serial numbers are treated identical and duplicate, thus get lost in the CA certificate merge operation. Only one would be left.

Conditions:
- The CA bundle file is managed by the CA bundle manager.

- The file contains certificates with large serial numbers.

Impact:
Certificates with large serial numbers are treated as duplicate, and removed.

Workaround:
There is no workaround at this time.

Fix:
Large serial numbers are treated correctly.


690883-1 : BIG-IQ: Changing learning mode for elements does not always take effect

Component: Application Security Manager

Symptoms:
When changing learning mode for an element type (e.g., WebSocket URLs), if no other changes are made to the default '*' entity, then suggestions are not created correctly.

Conditions:
Changes are deployed from a BIG-IQ device, where the learning mode for an element type (e.g., WebSocket URLs) is changed (e.g., from Never to Always), and no other changes are made to the default '*' entity.

Impact:
Suggestions are not created correctly.

Workaround:
Modify the '*' entity as well (change description).

Fix:
Learning mode changes are correctly handled from BIG-IQ.


690793-1 : TMM may crash and dump core due to improper connflow tracking

Component: TMOS

Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.

Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.

While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.

Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.

Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.

However, this does not eliminate entirely the chances of running into this issue.

Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.


690166-1 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

Component: Global Traffic Manager (DNS)

Symptoms:
Creating SRV wideip will result in stub zone creation even there are already matching zones.

Conditions:
Creating SRV wideip with three more layers than existing zone.

Impact:
Unnecessary stub zones created.


690116-1 : websso might crash when logging set to debug

Component: Access Policy Manager

Symptoms:
If the authentication type is HTTP headers and the log level is set to debug, an incorrect parameter gets printed, and if it happens to be NULL the websso daemon crashes.

Conditions:
-- Authentication type is HTTP headers.
-- Log level is debug for websso (the single-sign-on (SSO) functionality for Web access through the BIG-IP APM system).

Impact:
websso might crash.

Workaround:
Set log level to Informational.

Note: The data logged specifically for debug level is targeted toward developers, and is rarely useful in a production environment.

Fix:
The correct data is logged and websso does not crash.


690042-1 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer leaks memory.


689691-2 : iStats line length greater than 4032 bytes results in corrupted statistics or merge errors

Component: TMOS

Symptoms:
You can create dynamic statistics using the istats command and iStats directive in iRules. The maximum length of the line (the sum of all columns) is 4032 bytes. If the user attempts to create an iStat whose column sizes when summed exceed this value then there will be errors in the ltm and logs, and the statistic will not be incremented or merged. Log messages appear similar to the following:
-- notice 4: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged at 0x42e2d50.
-- err tmm[21822]: 01220001:3: TCL error: /Common/istat_it <HTTP_REQUEST> - Error: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged (line 1) invoked from within "ISTATS::incr "ltm.virtual [virtual name] counter $host-$path" 1".

Conditions:
An iStat is created or modified such that the sum of the column widths is greater than 4032 bytes.

Impact:
Statistics corruption or merge errors occur. The statistic is not maintained. This is a system limit. An iStat should not be created such that its record length exceeds the 4032-byte limit.

Workaround:
This is a system limit. An istat should not be created such that it's record length exceeds the limit.

Fix:
Line length enforcement was added and an error log is output when the length is exceeded. Now, when the limit is reached, there are no corruption or merge errors. The system posts messages similar to the following in the tmm log file:

-- notice iStat for table 'ltm_virtual' column 'www_qqwabc3584' cannot be added as row size '4040' is too long at 0x46dcd90

To avoid errors like this, do not add columns to iStats in iRule directives.


689591-2 : When pingaccess SDK processes certain POST requests from the client, the TMM may restart

Component: Access Policy Manager

Symptoms:
BIG-IP's tmm may restart when processing certain client's POST requests body on which need to be inspected by the PingAccess policy server.

Conditions:
- BIG-IP virtual server is configured as policy decision point with PingAccess policy server.
- User sends a POST request to BIG-IP.
- Policy configured on PingAccess server requires inspection of the body of the POST request sent by the user.

Impact:
Traffic will be temporarily disrupted while tmm restarts.

Fix:
TMM will no longer restart when processing client's POST requests that need to be inspected by the PingAccess policy server.


689577-3 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.


689561-1 : HTTPS request hangs when multiple virtual https servers shares the same ip address

Component: Local Traffic Manager

Symptoms:
SSL forward proxy reuses the server ssl session when client ip, server ip and server port matches the ssl session. when multiple virtual https servers share the same ip address, it could happen server ssl reuse a session previously from other virtual server. in such a situation, client cannot forge certificate and hangs the ssh handshake.

Conditions:
multiple virtual https servers share the same ip address, and they internally share the ssl sessions. we saw it happens in several google domain.

Impact:
client cannot access some https web server.

Workaround:
A workaround is disabling the "Session Ticket" in the server ssl profile, since we do not support session id resumption in the server ssl, this will cause it do full handshake to web server every time, so server_certchain will not be NULL.

Fix:
it matches the client ip, server ip and port as well as the server name in the SNI to the server ssl session cache. it will not reuse the sessions does not match virtual server name after the fix.


689449-1 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will killed.

Workaround:
No workaround at this time.

Fix:
BIG-IP no longer attempts to send a response with a configured fallback host in HTTP profile, when a connection is aborted by a client or due to an internal error. It prevents the internal flow to stay in memory after the connection has died.


689343-2 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have timeout value less than 10 seconds, although the configured persistence timeout is 120 seconds

Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, thus subsequent requests will be dispatched to other pool member.

Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.

Fix:
When the Diameter custom persistence iRule "DIAMETER::persist key 1" is used, the persist timeout value will be set correctly as configured.


688911-1 : LTM Policy GUI incorrectly shows conditions with datagroups

Solution Article: K94296004

Component: TMOS

Symptoms:
When editing an LTM policy rule, the GUI defaults to using the datagroup value, overriding previous rule values, because the policy rule introduced the datagroups.

Conditions:
Editing a policy rule.

Impact:
The previous rule values are overridden by the datagroup's values.

Workaround:
Use TMSH to modify the rule.

Fix:
The GUI was updated to default to using the policy rule's values and not the datagroup values.


688813-2 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
While other dimensions are being collapsed correctly, the Device ID field is not being collapsed causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.

Fix:
Over time, no of the AVR_STAT_ASM_HTTP_CLIENT_IP_X#...MYD file exceeds 300 MB, so this problem no longer occurs.


688571-2 : Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Solution Article: K40332712

Component: Local Traffic Manager

Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop', and the system receives the certificate from the backend server which is not trusted by current BIG-IP system, the expected behavior is that the system should end the connection.

But the current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with backend server.

Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.

-- Configure the 'untrusted-cert-response-control drop' in the server-ssl profile.

-- The corresponding server-ssl is configured at the virtual server.

Impact:
Virtual server might communicate with the backend server that sends the untrusted certificate to the BIG-IP system. Untrusted cert could still be accepted by the server-ssl virtual server even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Workaround:
None.

Fix:
When the system receives the untrusted certificate from backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system will end the current SSL handshake procedure instead of continuing to proceed to finish it.


688570-5 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes

Component: Local Traffic Manager

Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.

Conditions:
An MPTCP connection is closed.

Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.

Workaround:
There is no workaround at this time.

Fix:
Fixed event processing at the end of a connection.


688516-1 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


688011-7 : Dig utility does not apply best practices

Solution Article: K02043709


688009-7 : Appliance Mode TMSH hardening

Solution Article: K46121888


687987 : Presentation of signatures in human-readable format

Component: Anomaly Detection Services

Symptoms:
When publishing signature with predicates such as http.referer and http.uri, the system presents the result of the hash operation as follows: http.uri_file_hashes-to 42

Conditions:
Always when publishing signature with predicates such as http.referer and http.uri.

Impact:
It is not clear what '42' means.

Workaround:
None.

Fix:
When publishing signatures, the system now presents the hashes as follows:

http.referer_hashes-like '/zzz'
http.uri_file_hashes-like '/123'


687986 : High CPU consumption during signature generation, not limited number of signatures per virtual server

Component: Anomaly Detection Services

Symptoms:
The number of the signatures per virtual server is not limited. This can result in a very large number of generated signatures during sophisticated attacks that use changing patterns. After a time, when a system experiences a number of attacks, the list of generated signatures can be too long.

Conditions:
-- Sophisticated attacks that use changing patterns.
-- System experiences a large number of attacks.

Impact:
High CPU utilization when mitigating. Overloaded GUI signatures screen.

Workaround:
Manually remove old / not-often-used signatures.

Fix:
The system now limits the number of signatures per virtual servers, and optimizes per-signatures operation.


687984 : Attacks with randomization of HTTP headers parameters generates too many signatures

Component: Anomaly Detection Services

Symptoms:
When attackers randomize HTTP headers parameters, Behavioral DoS (BADoS) might generate too many signatures.

Conditions:
Attacks with randomization of HTTP headers parameters.

Impact:
The list of generated signatures is too long. It produces unnecessary CPU utilization for attack mitigation.

Workaround:
None.

Fix:
Improved algorithm that detects a randomization.


687937-1 : RDP URIs generated by APM Webtop are not properly encoded

Component: Access Policy Manager

Symptoms:
RDP URIs used to launch Native RDP resources form APM Webtop on Android/iOS/Mac are not properly encoded. As a result, RDP client might misinterpret the URI, in cases in which some RDP parameter contains the ampersand ( & ) symbol.

Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.

One of RDP parameters contains symbol that should be URI encoded, e.g., '&'.

Impact:
RDP client misinterprets URI, which may result in failure to open RDP resource.

Workaround:
None.

Fix:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are now properly encoded.


687635-1 : Tmm becomes unresponsive and might restart

Component: Local Traffic Manager

Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.

Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.

Impact:
Tmm becomes unresponsive and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Tmm correctly shuts down HTTPS connection.


687353-1 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0


687205-2 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart

Component: Local Traffic Manager

Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.

Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.

Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.

Workaround:
None.


687128-1 : gtm::host iRule validation for ipv4 and ipv6 addresses

Component: Global Traffic Manager (DNS)

Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.

Conditions:
An AAAA-type wideip with a ipv4 gtm::host iRule, or A-type wideip with an ipv6 gtm::host iRUle.

Impact:
Incorrect host information was being returned.

Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.

Fix:
FIxed issue allowing incorrect gtm::host iRule commands to trigger on incorrect wideip types.


686972-4 : The change of APM log settings will reset the SSL session cache.

Component: Local Traffic Manager

Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Also, subsequent resumption of SSL sessions may fail after such change causing a situation where full ssl handshakes may occur more frequently.

Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.

Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.

Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.

Fix:
The change of APM log settings now limits its effect on APM module instead of affecting other (SSL) module's data.


686517-2 : Changes to a parent policy that has no active children are not synced to the secondary chassis slots.

Component: Application Security Manager

Symptoms:
Changes to a parent policy that has no active children are not synced to the secondary chassis slots.

Conditions:
-- ASM provisioned.
-- Having a parent policy that has no active children.

Impact:
On a chassis failover, the new Primary slot will have an outdated version of the parent policy.

Workaround:
None.

Fix:
Changes to a parent policy that has no active children are now synced to the secondary chassis slots.


686510-1 : If tmm was restarted during an attack, the attach might appear neverending in GUI

Component: Application Visibility and Reporting

Symptoms:
Attack appears ongoing, even though it ended.

Conditions:
Rare condition of tmm restart during an attack.

Impact:
The GUI falsely shows the attack as ongoing, even though it ended.

Workaround:
No workaround.

Fix:
Now, when tmm is restarted during an attack, this specific attack is shown as ended in DoS overview page after 15 minutes.


686470-1 : Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.

Component: Application Security Manager

Symptoms:
AJAX requests are not sent, JavaScript errors, AJAX-based web-app malfunctions.

Conditions:
1a. Single page application enabled either via a DoS application profile or in an ASM policy.
1b. AJAX Response Page enabled via ASM policy.

2. Web Application client side code uses jQuery or any other AJAX clientside framework.

Impact:
AJAX request might not be sent, and the overall website's clientside functionality related to the AJAX requests might not work as expected.

Workaround:
Disable Single Page Application support.

Fix:
Fixed Single Page Application AJAX hook to support the AJAX response onload callback re-assignment.


686452-1 : File Content Detection Formats are not exported in Policy XML

Component: Application Security Manager

Symptoms:
If a policy is configured with Data Guard enabled with File Content Detection, the selected File Content Detection Formats are not correctly exported in the Policy XML.

When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

Conditions:
A policy is configured with Data Guard enabled with File Content Detection, and then exported in XML format.

Impact:
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

The formerly selected file content formats will not be correctly identified.

Workaround:
Use Binary Policy import/export.

Fix:
File Content Detection Formats are correctly exported.


686389-1 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.


686307-3 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.

Fix:
This release addresses the underlying problem so the issue no longer occurs.


686305-1 : TMM may crash while processing SSL forward proxy traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing SSL forward proxy traffic

Conditions:
SSL forward proxy enabled

Impact:
TMM crash leading to a failover event

Workaround:
None.

Fix:
TMM now correctly processes SSL forward proxy traffic


686228-1 : TMM may crash in some circumstances with VLAN failsafe

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.

Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.


686190-1 : LRO performance impact with BWC and FastL4 virtual server

Component: TMOS

Symptoms:
Using Bandwidth controller (BWC) might result in a very large drop in performance of up to 75%. In this release, Large receive offload (LRO) is enabled by default.

Conditions:
-- BWC is configured.
-- Virtual server has a FastL4 profile assigned.
-- LRO is enabled (enabled by default in 13.1.0).

Impact:
Very large performance impact to the BWC policy (up to 75%). For example, if the BWC policy rate limit is set to 100Mb, the actual rate limit could be 25Mb.

Workaround:
Disabling LRO recaptures most of the performance degradation related to using FastL4. To disable LRO (this is a system-wide setting), run the following command:
 tmsh modify sys db tm.largereceiveoffload value disable

Important note: Although you can disable LRO to recapture much of the 13.0.0-level performance, you will likely still experience some impact: 2-5% for small files, 17-22% degradation for the '10 requests per connection' benchmark. The only guaranteed way to avoid performance degradation is to remain on version 13.0.0.


686108-1 : User gets blocking page instead of captcha during brute force attack

Component: Application Security Manager

Symptoms:
Unexpected blocking page while captcha is configured.

Conditions:
-- Brute force configured with alarm and captcha mitigation.
-- The only source configured is username.
-- These are the first failed login requests after a system start up or after a login page configuration change.

Impact:
Unexpected blocking page mitigation where captcha mitigation was expected.

Workaround:
There are two workarounds:

-- Access the login page at least 10 times within 5 minutes.

-- Run the following command: tmsh modify sys db asm.cs_qualified_urls value <YOUR_LOGIN_URL>

Fix:
Fixed an issue with unexpected blocking page while captcha is configured.


686065-2 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousand of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

Fix:
The scenario now works as expected and no longer results in a crash.


686029-2 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces

Solution Article: K00026204

Component: TMOS

Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.

Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.

Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.

Workaround:
None.

Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.


685964-1 : cs_qualified_urls bigdb does not cause configured URLs to be qualified.

Component: Application Security Manager

Symptoms:
cs_qualified_urls is configured but is not functional.

Conditions:
-- cs_qualified_urls is configured.
-- A request to the URL listed in the bigdb arrives.
-- The URL is seen as non-qualified although configured.

Impact:
URLs that are not supposed to getting through configuration.

Workaround:
None.

Fix:
Fixed a bigdb issue with cs_qualified_urls variable.


685862-1 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML IdP, and signing is configured, BIG-IP will sign the message by configured signing key, and include last certificate from the configured signing certificate chain in the SAML protocol message. Expected behavior is to include first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.

Conditions:
All of the following:
- BIG-IP is used as SAML IdP or SAML as SP with SLO configured.
- BIG-IP generates signed SAML response containing assertion or SLO request/response
- Configured on BIG-IP signing certificate is a security chain and not a single certificate

Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementation may drop signed SAML message if last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that signing operation itself is performed correctly by BIG-IP using configured signing certificate, and digital signature will contain correct value.

Workaround:
Instead of using signing certificate chain, change BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (single X509 object) by extracting first certificate from the chain.

Fix:
After the fix, BIG-IP will include first certificate found within configured signing certificate (chain).


685771-1 : Policies cannot be created with SAP, OWA, or SharePoint templates

Component: Application Security Manager

Symptoms:
Attempting to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Template fails.

Conditions:
Attempt to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Templates

Impact:
Policy creation fails.

Workaround:
None.

Fix:
Policies can be created using these factory templates.


685708-4 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

Fix:
The system will no longer core.


685628-1 : Performance regression on B4450 blade

Component: Performance

Symptoms:
Performance degradation may occur for certain types of traffic when the system is under heavy traffic load. L4 and L7 performance may be degraded by up to 5% compared to previous BIG-IP releases.

Conditions:
- L4 and L7 traffic when system is under heavy traffic load.
- VIPRION B4450 blades.

Impact:
You may encounter a performance degradation for certain types of traffic upon upgrading.

Workaround:
None.

Fix:
Performance regression on B4450 blade has been eliminated.


685615-4 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.

Workaround:
Use transparent mode on the VLAN group.

Fix:
source-mac-address for host traffic is correctly set.


685475-1 : Unexpected error when applying hotfix

Solution Article: K93145012

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIGIP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIGIP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIGIP-11.6.1.0.0.317.iso'.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation process again.

Fix:
Issuing a 'install hotfix' command when the base image is not available sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.


685467-1 : Certain header manipulations in HTTP profile may result in losing connection.

Solution Article: K12933087

Component: Local Traffic Manager

Symptoms:
HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarding to a pool member. When a virtual server has iRule with a collect command like SSL::collect, it is affected by the HTTP profile processing. Same issue has an option 'Request Header Erase' available in HTTP profile.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.

Fix:
An issue of a resetting connections due to configuration options 'Insert X-Forwarded-For' and 'Request Header Erase' in HTTP profile no longer happens.


685458-7 : merged fails merging a table when a table row has incomplete keys defined.

Component: TMOS

Symptoms:
There is as timing issue in merged where it will fail processing a table row with incomplete keys defined.

Conditions:
There are no specific conditions required, only that merged is running, which is true on every BIG-IP system, when the BIG-IP system is processing a table row with incomplete keys defined.

Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.

Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.

Workaround:
None.

Fix:
merged now detect this scenario, a table row with incomplete keys defined, and does not fail.


685207-1 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Login to the client IP address and send the ab request.
2. Once the DoS attack starts, sends the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.


685193-1 : If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies

Component: Application Security Manager

Symptoms:
If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies.

Conditions:
1) Create Parent policy and set some section's Inheritance to None.
2) Create child policy and assign it to the parent created above.
3) Go to the Parent Policy Inheritance Setting tab, you will see that number of comments for sections with None will be equal to number of child policies.

Impact:
There is an incorrect number of Comments shown in Inheritance Settings

Workaround:
None.

Fix:
The correct number of comments will be shown for each section in Inheritance Setting tab for Parent Policy. In case of None inheritance nothing will be shown.


685164-1 : In partitions with default route domain != 0 request log is not showing requests

Solution Article: K34646484

Component: Application Security Manager

Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.

Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).


685056 : VE OVAs is not the supported platform to run VMware guest OS customization

Component: TMOS

Symptoms:
VMware vCenter fails to create customization specification wizard because the BIG-IP Virtual Edition (VE) OVA's OSType is set to 'Other 64-bit'.

Conditions:
When applying VMware guest OS customization on VMware BIG-IP VE.

Impact:
VMware guest OS customization fails (cannot create customization specification wizard).

Workaround:
You can use either of the following workarounds:
 - Apply VMware guest OS customization with 'ovftool'.
 - Manually set OSType to 'Other 3.x Linux 64-bit'.

Fix:
OS type embedded in .ovf file in VE OVAs has been changed from 'Other 64-bit' to 'Other 3.x Linux 64-bit' to enable VMware guest OS customization.

Behavior Change:
In this release, the OS type set in .ovf file in the BIG-IP VE SCSI OVA images for VMware has been changed from 'Other 64bit' to 'Other 3.x Linux 64bit'. This enables 'VMware Guest Customization' via VMware vCenter.


684937-3 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of caches Kerberos tickets, the latency of HTTP request processing has been significantly improved.


684852-1 : Obfuscator not producing deterministic output

Component: Fraud Protection Services

Symptoms:
Proactive defense challenge is not passed.

Conditions:
The obfuscator does not produce the same output for the same pair of key and seed. Therefore, on multi-blade devices, or on active-active deployments, when the request to the page (url=/) and the request to the javascript (/TSPD/*?type=10) each go to a different blade or a different device.

More frequently, it happens when the page and javascript are loaded from the same blade, but the javascript is stored in the cache.

Then another refresh, and the request goes to the second blade. Because the javascript in the cache was received from the first blade, it does not match the page.

Impact:
Proactive defense challenge is not passed; challenge remains on blank page on chassis.

Workaround:
None.

Fix:
Obfuscator now uses common Random object.


684583-1 : Buitin Okta Scopes Request object uses client -id and client-secret

Component: Access Policy Manager

Symptoms:
Buitin Okta Scopes Request object uses client credentials instead of resource server credentials.

Conditions:
Buitin Okta Scopes Request object

Impact:
Scope request with Buitin Okta Scopes Request object fails.

Workaround:
Use modified Request object.

Fix:
Buitin Okta Scopes Request object is fixed to use resource server credentials.


684333-1 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
 tmm big start restart.


684325-1 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Access profile having CheckMachineCert agent, while updating profile using 'Apply access policy', each time it leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.


684312-1 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Solution Article: K54140729

Component: Application Security Manager

Symptoms:
During Apply Policy action, bd agent crashes, causing with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

Causing bd and bd_agent processes restart, and causing the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart..

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.


684033-3 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Solution Article: K70084351


683508-1 : WebSockets: umu memory leak of binary frames when remote logger is configured

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.


683474 : The case-sensitive problem during comparison of 2 Virtual Servers

Component: Application Visibility and Reporting

Symptoms:
Failed to load "incident types volume graph" if incident was filtered by Virtual Server

Impact:
Chart of incident data will not be displayed.

Workaround:
Avoid to create virtual servers that have the same letters, differing only by capital letters verses small letters.

Fix:
monpd process uses a case-sensitive comparison of virtual servers


683389-3 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.


683297-2 : Portal Access may use incorrect back-end for resources referenced by CSS

Component: Access Policy Manager

Symptoms:
If HTML page contains reference to external CSS file with URL beginning with '//', then host-less references in this CSS file are handled incorrectly by Portal Access.

Conditions:
- HTML page at http://example.host/page.html:

    <link rel=stylesheet href=//another.host/some/path/my.css>

- and this CSS contains reference with absolute path like this:

    html { background-image: url(/misc/image/some.png); }

Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.

Impact:
Web application may not work correctly.

Workaround:
Use iRule to correct back-end host.

Fix:
Portal Access uses correct back-end host for references in CSS files included with scheme-less URL.


683241-1 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.


683131-1 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present

Component: TMOS

Symptoms:
BIG-IP software installations will fail and report a status of:

    waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)

Conditions:
- Perform software installation in a vCMP guest when guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- Hypervisor has a valid copy of the the correct base image (e.g. v13.0.0 build 0.0.1645)
- Guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)

Impact:
Software installation fails, and will not complete/continue.

Workaround:
Delete the base software image from either the hypervisor or guest's file system

Fix:
The condition no longer causes an error; the installation request successfully runs to completion.


683113-3 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.


682500-2 : VDI Profile and Storefront Portal Access resource do not work together

Solution Article: K03903649

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.


682335-1 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed, if there is an existing connflow, don't start another connection.


682213-1 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.

Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatiblity, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.

In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.


682104-3 : HTTP PSM leaks memory when looking up evasion descriptions

Component: Local Traffic Manager

Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.

Conditions:
When PSM looks up evasion descriptions.

Impact:
Memory leaked each time might eventually cause out of memory to the TMM.

Workaround:
None.

Fix:
This fix will stop the memory leakage.


681955-1 : Apache CVE-2017-9788

Solution Article: K23565223


681415-3 : Copying of profile with advanced customization or images might fail

Component: Access Policy Manager

Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code' or similar

Conditions:
Access Profile has advanced customization group or customization image assigned to any of object connected to profile.

Impact:
Unable to copy policy.

Workaround:
None.

Fix:
Copying of profile with advanced customization or images now succeeds as expected.


681175-3 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

Fix:
TMM no longer crashes on routing updates when ECMP is in use.


680850-2 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.

Solution Article: K48342409

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.

Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug

Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.

Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.

Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.

This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.

With this fix, setting log.zxfrd.level debug no longer outputs this information.

Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.


680729-1 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>


680353-1 : Brute force sourced based mitigation is not working as expected

Component: Application Security Manager

Symptoms:
Brute force mitigations are not working by the configured order under some conditions - for example a captcha is arriving instead of a drop.

Conditions:
-- Brute force is configured.
-- There is more than one source (for example, User and IP address).

Impact:
The incorrect mitigation is received.

Workaround:
None.

Fix:
Fixed an issue with brute force mitigations.


680264-2 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags

Solution Article: K18653445

Component: Local Traffic Manager

Symptoms:
Intermittently, HTTP2 experiences protocol resets.

Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.

For example, the following returns the incorrect header length:
 (0xFF BYTE1) next byte, http2_arbint_read.

Impact:
Unexpected loss of HTTP2 frames due to protocol resets.

Workaround:
No effective workaround.

Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.


680074-2 : TMM crashes when serverssl cannot provide certificate to backend server.

Solution Article: K09225420

Component: Local Traffic Manager

Symptoms:
TMM halts and restarts when server SSL cannot provide a certificate to the backend server.

Conditions:
-- The backend server is configured to require a client certificate to complete the SSL handshake.
-- The server SSL profile is not configured with a client certificate.

Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer halts and restarts when server SSL cannot provide a certificate to the backend server.


680069-1 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.

Fix:
zxfrd no longer cores during transfer while network failure and DNS server removed from DNS zone config.


679861 : Weak Access Restrictions on the AVR Reporting Interface

Component: Application Visibility and Reporting

Symptoms:
The AVR reporting interface does not follow best practices for access restrictions.

Conditions:
AVR provisioned

Impact:
If accessed the AVR reporting interface may disclose:
 - Client and server IP addresses
 - URIs from client requests
 - Metadata about attacks detected by BIG-IP

Workaround:
Ensure that network access to the management port is restricted and that Port Lockdown setting for Self-IPs is not set to "Allow All". The default port lockdown of "Allow Default" provides mitigation against access via Self-IP.

Fix:
Stronger access restrictions enforced on the AVR reporting interface.


679384-3 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
 killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

Fix:
After the fix, Policy Builder will be aware of all newly added signatures.


679221-2 : APMD may generate core file or appears locked up after APM configuration changed

Component: Access Policy Manager

Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.

Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.

Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.

Workaround:
None.

Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.


679149-1 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.


679114-4 : Persistence record expires early if an error is returned for a BYE command

Solution Article: K92585400

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for a any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.


679088-1 : Avr reporting and analytics does not display statistics of many source regions

Component: Application Visibility and Reporting

Symptoms:
1. The network reporting does not show the statistics related to some Source Regions.
2. In the Security=>Reporting=>Network=>Enforced Rules dashboard are impossible to select or find some Source Region using filtering .
For example, there are list of some missing Source Regions:
France, Ile-de-France, Ukraine, Kyyiv,Russian Federation, Tambovskaya oblast, South Africa, Western Cape and Spain,Madrid

Conditions:
This occurs when attempting to filter on the affected source regions.

Impact:
The network reporting does not show the statistics related to some Source Regions.


678861-1 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other

Solution Article: K00426059

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.


678851-3 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()

Component: Access Policy Manager

Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.

Attempt to call incorrectly patched method causes following exception:
java.lang.VerifyError: (...) Illegal type in constant pool

Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().

Impact:
Affected Java applets cannot be started through Portal Access.

Workaround:
None.

Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.


678820-1 : Potential memory leak if PEM Diameter sessions are not created successfully.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in reduction in available memory.

Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.

Impact:
Loss of service

Workaround:
There is no workaround at this time.

Fix:
Diameter context is freed in case of a failed Diameter session creation.


678524-1 : Join FF02::2 multicast group when router-advertisement is configured

Component: Local Traffic Manager

Symptoms:
MLD snooping switches may not deliver router solicitation packets to BIG-IP, which breaks BIG-IP's router advertisement functionality. MLD snooping switches may not deliver the packets because BIG-IP has not joined the FF02::2 multicast group.

Conditions:
router-advertisement configured, MLD snooping switches.

Impact:
IPv6 hosts never receive router advertisements from BIG-IP in response to their router solicitations.

Workaround:
Disable MLD snooping on switches.

Fix:
BIG-IP now joins the FF02::2 multicast group when router-advertisements are configured.

Behavior Change:
BIG-IP now joins the FF02::2 multicast group when router-advertisement is configured.


678427-1 : Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice

Solution Article: K03138339

Component: Access Policy Manager

Symptoms:
Safari 11 displays confirmation dialogs to launch F5 EPI or F5 VPN app twice. Although functionality is not affected, the user experience might be confusing.

Conditions:
-- Safari 11, F5 EPI, or F5 VPN app installed.
-- Endpoint check or VPN configured in access policy.

Impact:
None. The extra dialog box does not affect system functionality.

Workaround:
None.

Fix:
Confirmation dialog is now displayed only once.


678293-2 : Uncleaned policy history files cause /var disk exhaustion

Solution Article: K25066531

Component: Application Security Manager

Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.

Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.

Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.

Impact:
/var disk usage is high.

Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:

----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------

Manually verity the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.

In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.


677919-4 : Enhanced Data Manipulation AJAX Support

Component: Fraud Protection Services

Symptoms:
Need enhanced data manipulation detection to protect against modifying parameters in real-time (malware script in the browser) that are sent by JSON.

Conditions:
There is a malware script in the browser performing real-time modification of parameters that are sent by JSON.

Impact:
End-users already under attack could send manipulated JSON data to backend servers.

Workaround:
None.

Fix:
The Enhanced Data Manipulation Check has been improved so that it can now detect JSON data manipulation in the browser.


677666-2 : /var/tmstat/blades/scripts segment grows in size.

Solution Article: K60909141

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out of memory condition.

Workaround:
No known workarounds.

Fix:
Condition corrected.


677525-2 : Translucent VLAN group may use unexpected source MAC address

Solution Article: K06831814

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN group no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.


677494-1 : Flow filter with Periodic content insertion action could leak insert content record

Component: Policy Enforcement Manager

Symptoms:
Subscriber using flow filter and periodic insert content could create multiple records for same insert content action.

Conditions:
If two flows belonging to the same subscriber matching 2 different rules of the same policy and alternates and in the meanwhile policy rule action is updated.

Impact:
More than one record being created for the same insert content action.

Workaround:
There is no workaround at this time.

Fix:
Update the insert content array as soon as the pemdb record is updated.


677368-2 : Websso crash due to uninitialized member in websso context object while processing a log message

Component: Access Policy Manager

Symptoms:
Websso crashes occasionally on processing a log message on TMEVT_CLOSE event. This happens when a TMEVT_CLOSE event is received without receiving a request.

Conditions:
TMEVT_CLOSE event is received without receiving a request.

Impact:
Websso process crash.

Workaround:
No workaround

Fix:
Websso core is fixed by removing the webssocontext object reference from the log message.


677148-1 : Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific

Component: Policy Enforcement Manager

Symptoms:
If same pem policy with insert content is added to global high and subscriber specific, insert content could add duplicate records. This result in a case where if the periodic content tag is absent, the periodic content insertion will not scheduled immediately, but will add only after the expiry of the current interval.

Conditions:
If same pem policy with insert content is added to global high and subscriber specific.

Impact:
if the periodic content tag is absent, the periodic content insertion will not scheduled immediately.

Workaround:
This is a wrong configuration, a pem policy should be included either in Global High, or subscriber specific, not both.

Fix:
Re-use the already created record in case of same policy attached to Global high and subscriber specific


677088-2 : Qkview does not follow current best practices

Component: TMOS

Symptoms:
Qkview does not follow current best practices

Conditions:
Qkview does not follow current best practices

Impact:
Qkview does not follow current best practices

Fix:
Qkview now follows current best practices


676457-5 : TMM may consume excessive resource when processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may consume an unusually large amount of system resources while processing compressed data

Conditions:
HTTP compression enabled

Impact:
Reduced system capacity, potentially leading to a failover event

Fix:
Avoid excessive resource consumption while processing compressed data


676346-2 : PEM displays incorrect policy action counters when the gate status is disabled.

Component: Policy Enforcement Manager

Symptoms:
Action counters are incorrect.

Conditions:
PEM policy actions enabled with gate status of disabled.

Impact:
May provide an inconsistent view of PEM actions.

Workaround:
There is no workaround.

Fix:
Counters are managed correctly regardless of the gate status.


675866-4 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.


675775-4 : TMM crashes inside dynamic ACL building session db callback

Component: Access Policy Manager

Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.

Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Guard against NULL pointer dereference for dynamic ACL build.


674747-4 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted,
however.

Workaround:
None.

Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.


674576-3 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.

Conditions:
VIP-VIP configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer produces a core with a 'no trailing data' assert.


674494-4 : BD memory leak on specific configuration and specific traffic

Solution Article: K77993010

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
Freeing up the remote loggers data when deciding not to log remotly.


673832-1 : Performance impact for certain platforms after upgrading to 13.1.0.

Component: Performance

Symptoms:
Performance impact for certain platforms after upgrading to 13.1.0.

Conditions:
The following platforms, with Fast HTTP/OneConnect/Full Proxy configured.

-- i2800
-- i4800
-- i5800
-- i7800
-- i10800
-- i11800
-- B2250
-- B4450

Impact:
The performance impacts occur on the following platforms under the associated conditions:

-- i2800 2%-3% Full Proxy traffic.
-- i4800 2%-3% Full Proxy traffic.
-- i5800 3%-8% Fast HTTP/Full Proxy traffic.
-- i7800 3%-7% Fast HTTP/Full Proxy traffic.
-- i10800 3%-7% Fast HTTP/Full Proxy traffic.
-- i11800 2%-3% Fast HTTP traffic.
-- B2250 3%-6% OneConnect/Full Proxy traffic.
-- B4450 4%-10% Fast HTTP/OneConnect/Full Proxy traffic.

Workaround:
None.

Fix:
Performance impact for certain platforms has been eliminated.


673717-3 : VPE loading times can be very long

Component: Access Policy Manager

Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.

Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.

Impact:
Policies with thousands of entries can take tens of seconds or more to load.

Workaround:
None.

Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.


673607-9 : Apache CVE-2017-3169

Solution Article: K83043359


673595-9 : Apache CVE-2017-3167

Solution Article: K34125394


672667-6 : CVE-2017-7679: Apache vulnerability

Solution Article: K75429050


672504-2 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

Fix:
Dramatically improved algorithm, to remove significant delay in deletions.


671716-1 : UCS version check was too strict for IPS hitless upgrade

Component: Protocol Inspection

Symptoms:
When we upgrade from one minor release to another, e.g. from 13.1 to 13.2, then UCS upgrade of IPS IM packages fail.

Conditions:
During upgrade from one minor release to another.

Impact:
The default library will be used instead of the last updated IM/IPS library in last build.

Workaround:
Install the IM package available for that new release.


671627-3 : HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.

Solution Article: K06424790

Component: Access Policy Manager

Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.

Conditions:
HTTP response without body processed by Portal Access

Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.

Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.

Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.


671597-3 : Import, export, copy and delete is taking too long on 1000 entries policy

Component: Access Policy Manager

Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.

Conditions:
When access policy has 1000+ entires.

Impact:
Import, export and copy are abandoned or fail due to out of memory condition.

Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.

Fix:
ng_export speed has been improved 5 times
ng_import and ng_profile are working 50 times faster because of avoiding denormalisation and optimisation

ng_export is still should be used from the console.


670103-1 : No way to query logins to BIG-IP in TMUI

Component: TMOS

Symptoms:
Cannot use the GUI to query logins to the BIG-IP system based on a time range or a specific user.

Conditions:
-- Using the GUI.
-- Gather login information.

Impact:
No support for queries.

Workaround:
None.

Fix:
Added support for using using the GUI to query logins to the BIG-IP system.

Behavior Change:
The ability to query logins on the BIG-IP, using the GUI, was added at System >> Logins : History. Users can query all available login data that is present on the BIG-IP. This information can be filtered by time, username, status, access method, and host.


669585-1 : The tmsh sys log filter is unable to display information in uncompressed log files.

Component: TMOS

Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.

Conditions:
One or more of the BIG-IP sytem backup log files, designated with .1, .2, etc are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.

Impact:
Unable to view the full range of backup log information.

Workaround:
To log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:

gzip /var/log/<log>.*

For example, to compress the full set of backup logs for the ltm log type, type the following command:

Note: The following message is expected if the log file is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged'

gzip /var/log/ltm.*

Fix:
Increased flexibility of log reading mechanism, to look for both compressed (ending in .gz) and uncompressed (ending in .#) log files.


669462-2 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/

Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool

Impact:
Unable to use pool-members from /Common/ when outside of /Common/

Workaround:
No workaround at this time.

Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/


668826-1 : File named /root/.ssh/bigip.a.k.bak is present but should not be

Component: TMOS

Symptoms:
In AWS instances, a file /root/.ssh/bigip.a.k.bak is present which should not be. It is harmless to users other than that it is confusing.

Conditions:
After the first boot, this file should be deleted, but it is not.

Impact:
No real impact other than possibly confusion as this file isn't used in this environment. The file does not contain any sensitive data as it's a dangling symlink.

Workaround:
No need to workaround as the presence of the file is harmless. Users could manually remove this file if desired.

Fix:
This file is no longer present which is the correct state.


668276-1 : BIG-IP does not display failed login attempts since last login in GUI

Component: TMOS

Symptoms:
The BIG-IP does not have a mechanism in the GUI to display information about login attempts.

Conditions:
n/a

Impact:
Administrators cannot use the GUI to evaluate login attempts to the BIG-IP.

Workaround:
Administrators can view the logs at /var/log/secure.

Fix:
New GUI pages were create to allow administrators, resource admins, and auditors to view information about login attempts to the BIG-IP. These pages are available at System >> Logins in the GUI.
The user logins summary, available at System >> Logins : Summary can be set as the default start screen for BIG-IP users. However, this process is not as straightforward as other pages, as these pages are available only to users with a role of admin, resource admin, or auditor. Because of these restrictions, setting this page as default is accomplished by setting a DB variable, UI.Users.RedirectSuperUsersToAuthSummary, to true.
When this DB variable is set to true, users with roles of admin, resource admin, or auditor will be redirected to the System >> Logins : Summary page. Users with other roles will be redirected to the Start Screen that is set in System >> Preferences.


668273-1 : Logout button not available in Configuration Utility when using Client Cert LDAP

Solution Article: K12541531

Component: TMOS

Symptoms:
When the BIG-IP system is configured to use the Client Cert LDAP for Remote Authorization, the Logout button is not available.

Conditions:
A BIG-IP system is configured to use Client Cert LDAP for Remote Authorization.

Impact:
BIG-IP system users cannot end the session on the BIG-IP system.

Workaround:
Close all windows to end the session.

Fix:
Now, when the BIG-IP system is configured to use Client Cert LDAP as the Remote Auth method, there is a Logout button in the window, and when the Logout button is clicked, the system displays a modal window to instruct the user on how to end the session.


668184-2 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

Fix:
An issue with bd sending wrong numbers to AVR was fixed.


667770-1 : SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore

Solution Article: K12472293

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends a SIGSEGV to the TMM process when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).

Conditions:
-- Configuration contains a combination of SSL profiles and AVR.

-- Performing multiple, repeated SSL profile updates, or during UCS restore.

Impact:
The BIG-IP system sends a SIGSEGV to the TMM process. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
TMM no longer halts and restarts when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).


667542-6 : DNS Express does not correctly process multi-message DNS IXFR updates.

Component: Global Traffic Manager (DNS)

Symptoms:
If DNS Express sends an IXFR query to a DNS server, and that server responds with an IXFR update that is larger than one DNS message, DNS Express processes only the first message.

DNS Express then updates the SOA serial number to match that of the IXFR, marks the IXFR as successful and the Zone as 'Green'.

There is no indication that the IXFR was incomplete.

DNS Express might then have, and might serve, incorrect data for that Zone.

Conditions:
An IXFR response from a DNS server spans multiple DNS messages.

Note: This is not a common condition, but it is possible.

Impact:
This might result in incomplete or otherwise inaccurate Zone data, which DNS Express will serve.

Workaround:
Note: Although this does have a workaround, there is no way for you to determine that the Zone is complete other than to query the entire zone and compare it to the zone from the master DNS server.

To workaround this issue:
1. Stop zxfrd.
2. Remove the database /var/db/zxfrd.bin.
3. Restart zxfrd.

This triggers a full transfer (AXFR) of the zone, as well as all the other zones.

Fix:
The system now continues the processing of DNS messages until the closing SOA RR is encountered.


667469-3 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.


667353 : Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table

Component: Advanced Firewall Manager

Symptoms:
Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table - issue is due to TMM (self) abort due to memory corruption in one of the TMSTAT tables AFM uses for correlating dynamic signatures.

Conditions:
Following conditions suffice to trigger the TMM crash due to self abort in one of the TMSTAT tables:

a) Generate a set of N dynamic signatures (few context).

b) When attack stops, the current set of signatures are moved to 'past' attack state.

c) If in between, TMM restarts (or receives MCP config again e.g via load), these past attack signatures are incorrectly created in tmstat table which is used only for the current attack signatures - this is the *cause* of the issue!

d) New attack appears that somewhat overlap with the 'past' signatures and this causes the following TMSTAT table to be corrupted over period of time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
This issue is fixed, the past attack signatures are never created in the correlation stats table (even for conditions explicitly described above)


667173-1 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.


667148-3 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active

Workaround:
No workaround.

Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.


665992-2 : Live Update via Proxy No Longer Works

Solution Article: K40510140

Component: Application Security Manager

Symptoms:
BIG-IP devices that need to use a proxy server to communicate with callhome.f5.com, no longer receive, or check for, automatic updates.

Conditions:
The BIG-IP device is behind a network firewall and outbound communication must be through a proxy.

Impact:
The BIG-IP will not be able to contact the callhome server to check for, or receive, updates.

Workaround:
Updates can be downloaded manually from the F5 Downloads server and installed directly on the BIG-IP.

Fix:
Proxy settings are correctly used when contacting the F5 callhome server.


665354-1 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.


664528-2 : SSL record can be larger than maximum fragment size (16384 bytes)

Solution Article: K53282793

Component: Local Traffic Manager

Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.

Conditions:
This usually happen when a large certificate or certificate chain is configured for server or client authentication.

Impact:
SSL handshake will fail with client or server that properly checks the record size.

Workaround:
Use a certificate that is smaller in size.

Fix:
Properly fragment handshake data.


663821-1 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections transverse the SNAT.

Impact:
Stats are not incremented in tmsh or GUI

Workaround:
None.

Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.


662311-1 : CS alerts should contain actual client IP address in XFF header

Component: Fraud Protection Services

Symptoms:
When no XFF header exists, the alert server will use the sender IP address as the client IP address. Doing so is incorrect behavior because the sender IP address is always the BIG-IP system's IP address. Even if XFF headers exist, the client IP address as known to the BIG-IP system may be missing in the XFF header.

Conditions:
This occurs under either of the following conditions:
-- There is no XFF header in the original request.
-- An XFF header exists, but it does not contain the actual client IP address (as seen by the BIG-IP system).

Impact:
Alert server/BIG-IQ does not show the actual client IP address.

Workaround:
None.

Fix:
FPS now always appends the client IP address to the end of the last XFF header in the alert request. If there is no XFF header, FPS inserts one.


661939-2 : Linux kernel vulnerability CVE-2017-2647

Solution Article: K32115847


660239-6 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see such errors in the http error logs

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.


656901-3 : MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands

Component: Service Provider

Symptoms:
If the MRF 'existing_connection_only' is not there, then MRF will forward the new message to either the existing connection or creating a new connection.

If the MRF 'outgoing_connection_instance_seed' is not there, then the generation of the connection's instance number will use some internal originating connection id. Same client IP with different src_port may end up to different outgoing connection.

Conditions:
If these two new iRule commands were not there.

Impact:
1. Won't always reuse the existing connection.
2. The requests from same client IP with different src_port, the outgoing connection may be different.

Workaround:
There is no workaround at this time.

Fix:
MR::message existing_connections_only <boolean> Gets or sets a flag that instructs the MRF to only forward the message using existing connections,
and if a connection to the selected host does not exist then the route will fail.

MR::message outgoing_connection_instance_seed <integer>Gets or if been set by this iRule then this seed will be used to generate the connection instance number instead of this generated by some internal originating connection id. (See MR::connection_instance iRule command).

If the number received is larger than 32 bit then the 64 bit number will be hashed to 32 bit number.


655233-2 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.


653976-4 : SSL handshake fails if server certificate contains multiple CommonNames

Solution Article: K00610259

Component: Local Traffic Manager

Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.

Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).

Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.

Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.

The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.


648802-1 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.

Fix:
Custom AVPs included regardless of an error code in an RAA.


648766-2 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.


648320-5 : Downloading via APM tunnels could experience performance downgrade.

Solution Article: K38159538

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When packet size is too large, packet fragmentation is possible at IP layer. This causes high number of packet drops and therefore performance downgrade.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.

Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.


646615-2 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.


645615-6 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.


642068-4 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.


641101-7 : httpd security and bug fix update CVE-2016-8743

Solution Article: K00373024


640766-2 : Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576

Solution Article: K05513373


636997-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636994-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636992-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636986-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636982-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


632875-5 : Non-Administrator TMSH users no longer allowed to run dig

Solution Article: K37442533


632646-1 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.

Impact:
OAM login with invalid ObSSOCookie results in error page. However, expected behavior is that user is redirected to login page if login with ObSSOCokkie fails.

Workaround:
No Workaround

Fix:
Issue is fixed - On authenticate with ObSSOCookie, read getStatus() API call to check the ObSSOCookie status and redirect to IDP if it is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix user will be redirected to IDP on logging with cookie that is deleted manually from the OAM server.


631418-1 : Packets dropped by HW grey list may not be counted toward AVR.

Component: Advanced Firewall Manager

Symptoms:
If the system supports hardware grey list, packets dropped by HW grey list may not be counted toward AVR.

Conditions:
AFM license, HW grey list support.

Impact:
User visibility.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed.


631316-2 : Unable to load config with client-SSL profile error

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf


631286-3 : URI cache entries should be replaced /expired for euie hash table

Component: Access Policy Manager

Symptoms:
Tmctl stats for "access_uri_info" gradually grows and can lead to TMM memory exhaustion.

Conditions:
APM or SWG use case.

Impact:
TMM memory exhaustion.

Workaround:
Restart tmm.

Fix:
A limit of how many entries will be stored in the URI cache is implemented. The default is 2048 entries, this DB variable can be set to control the max limit:

access.max.euie_uri.cache.entries

The DB variable allows a range of 2048 - 8192.


629334-1 : Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly

Component: Access Policy Manager

Symptoms:
In some cases Portal Access rewrites incorrectly JavaScript expressions enclosed into parentheses.

Conditions:
JavaScript code with the following constructions:
- (a.b) (...)
- (a[b]) (...)
- (b) = ...
Assuming 'b' is an element to be rewritten.
Some examples:
- (window.open) ("", "_blank");
- (form["submit"])();
- (location) = "http://some.org/";

Impact:
JavaScript code may not work correctly. In some cases, JavaScript code becomes syntactically incorrect.

Workaround:
Use iRule to remove parentheses around JavaScript expressions where necessary.

Fix:
Now JavaScript expressions in parentheses are rewritten correctly.


624231-4 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruptions in some cases

Conditions:
This issue can happen when system there is are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the pem throttle feature for content insertion


616008-1 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.

Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.


612792-1 : Support RDP redirection for connections launched from APM Webtop on iOS

Component: Access Policy Manager

Symptoms:
Launching Native RDP resource from APM Webtop might fail on iOS.

Conditions:
1. Native RDP resource is launched from APM Webtop on iOS.
2. The RDP connection is redirected from one RDP server to another. This typically happens in RDP farm (multiple RDP servers) deployments.

Impact:
Native RDP resource can't be launched.

Workaround:
iOS RDP client version 8.1.35 allows workaround with following “Variable Assign” agent in Access Policy:
  Custom Variable:
    session.client.platform
  Custom Expression:
    set client_os [mcget {session.client.platform}];
    return [expr {$client_os == "iOS" ? "Android" : $client_os}];

Fix:
RDP redirection is now supported for connections launched from APM Webtop on iOS. Launching RDP resources from APM Webtop now requires at least version 8.1.35 of iOS RDP client.


612118-2 : Nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Component: Access Policy Manager

Symptoms:
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Conditions:
SWG per-request policy with proxy select agent.

Impact:
The BIG-IP system directly communicates with the backend to fetch server certificates.

Workaround:
None.

Fix:
Next-hop proxy gets used for all the connections that use proxy-select agent even for fetching the backend cert. In earlier version it would use the default route to fetch the certificate.

In transparent mode for https traffic, the proxy select agent is able to use the host & port information gathered from the backend certificate as the per-request policy can run before the cert fetching process. Therefore there is no longer a requirement for the per-request policy to have a category lookup agent before the proxy select agent.


608988-1 : Error when deleting multiple ASM Policies

Component: Application Security Manager

Symptoms:
Error when attempting to delete multiple ASM policies at once.

Conditions:
Multiple ASM policies are selected for deletion that have multiple XML profiles configured on their URLs.

Impact:
Operation fails with ASM subsystem error messages in asm log.

Workaround:
Delete policies one at a time.

Fix:
Multiple ASM policy delete finishes successfully.


594751-1 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN

Solution Article: K90535529

Component: Local Traffic Manager

Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.

Conditions:
1. LLDP is enabled globally and per interface.

2. Interfaces are added to a trunk after it has already been assigned to a VLAN.

For instance, assume the following protocol were followed for creating an LLDP trunk:

tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }

The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.

Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.

Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.

If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
 bigstart restart lldpd

Fix:
VLANs are now properly applied to any interfaces added to a trunk if the trunk already belongs to any VLANs.


589233-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


589083-6 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Solution Article: K46205123

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.


580537-3 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager (DNS)

Symptoms:
The geoip_update_data script will not install a City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat

Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.


563661-1 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM provisioned and enabled

Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.


562921-5 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Solution Article: K55736054

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.

Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"


536831-1 : APM PAM module does not handle local-only users list correctly

Component: Access Policy Manager

Symptoms:
The following log messages are shown in /var/log/secure, when remote-auth (APM based) is configured and when trying to authenticate local users:

-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"

This failure log shows that the system first attempts to authenticate local users (like admin, root, etc.) remotely.

Conditions:
This occurs when following conditions are met:
- APM is provisioned on a BIG-IP system.
- APM-based remote-auth is configured.
- Local users (like admin, root, etc.) attempt to log into the management interface of that BIG-IP system.

Impact:
Local users credentials are sent to remote authentication servers which will return auth failure. However, in the second attempt, the system attempts to authenticate a user locally, and it will succeed, as expected. Check below logs:

-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"

Workaround:
None.

Fix:
Local users are authenticated locally. The system no longer sends request to remote servers for local users.


514703-3 : gtm listener cannot be listed across partitions

Component: TMOS

Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.

Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.

For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.

Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.

Workaround:
Change to the partition where the listener exists before performing any operations on it.

Fix:
The system can now reference GTM listeners across partitions.


471237-4 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.

Conditions:
Deploy a BIG-IP VE guests in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.

Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.


463097-5 : Clock advanced messages with large amount of data maintained in DNS Express zones

Solution Article: K09247330

Component: Local Traffic Manager

Symptoms:
Clock advanced messages with a large amount of data maintained in DNS Express (DNSX) zones, the TMM can suffer from clock advances when performing the DB reload.

Conditions:
Large enough zones into DNSX (several hundred thousand to several million records depending on hardware).

Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.

Workaround:
Prevent all updates to DNSX zones.

Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones has been significantly improved. DNSX DB now reside in /shared to resolve DB size issues.


452283-5 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.

Fix:
Fixed MP_FASTCLOSE handling.


440620-1 : New connections may be reset when a client reuses the same port as it used for a recently closed connection

Component: Local Traffic Manager

Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.

Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.

Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.

Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.

Fix:
Improved abort handling to better clean up hanging connections.


251162-1 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.



Known Issues in BIG-IP v13.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
701826 0-Unspecified   qkview upload to ihealth fails or unable to untar qkview file
708956-1 1-Blocking   During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
698085 1-Blocking   Transparent mode vlan-group may not work on vcmp guests
697615-1 1-Blocking   neurond may restart indefinitely after boot
693611-3 1-Blocking   IKEv2 ike-peer might crash on stats object during peer modification update
719597 2-Critical   HA between Viprion chassises with B2250 blades might be broken when running v13.1.0 and v12.1.1
716391-2 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
715820-1 2-Critical   vCMP in HA configuration with VIPRION chassis might cause unstable data plane
713380 2-Critical   Multiple B4450 blades in the same chassis run into inconsistent DAG state
711683-2 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
710277-1 2-Critical   IKEv2 further child_sa validity checks
708968-2 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
706423-1 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
705730-1 2-Critical   Config fails to load due to invalid SSL cipher after upgrade from v13.1.0
703669-2 2-Critical   Eventd restarts on NULL pointer access
703045-1 2-Critical   If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.
700386-2 2-Critical   mcpd may dump core on startup
700247 2-Critical K60053504 APM Client Software may be missing after doing fresh install of BIG-IP VE
700086-1 2-Critical   AWS C5/M5 Instances do not support BIG-IP VE
697424-1 2-Critical   iControl-REST crashes on /example for firewall address-lists
696732-3 2-Critical K54431534 tmm may crash in a compression provider
693996-5 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
693206 2-Critical   iSeries LCD screen is frozen on a red spinning 'please wait' indicator
692158-1 2-Critical   iCall and CLI script memory leak when saving configuration
690819-1 2-Critical   Using an iRule module after a 'session lookup' may result in crash
689437-1 2-Critical   icrd_child cores due to infinite recursion caused by incorrect group name handling
689002-3 2-Critical   Stackoverflow when JSON is deeply nested
688148-3 2-Critical   IKEv1 racoon daemon SEGV during phase-two SA list iteration
681352-1 2-Critical   Performance of a client certificate validation with OCSP agent is degraded
677937-3 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
676203-3 2-Critical   Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
665362-2 2-Critical   MCPD might crash if the AOM restarts
658410-2 2-Critical   icrd_child generates a core when calling PUT on ltm/data-group/internal/
630137-2 2-Critical   Dynamic Signatures feature can fill up /config partition impacting system stability
593536-6 2-Critical   Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations
581851-6 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
719396-1 3-Major   DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
718817-2 3-Major   Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
718800-2 3-Major   Cannot set a password to the current value of its encrypted password
716487-1 3-Major   Unable to upgrade APM Desktop Clients on BIG-IP Virtual Edition
715115 3-Major   Application Security roles are not showing all accessible objects in GUI
715061-2 3-Major   vCMP: tmm core in guest when stopping vCMP guest from host
714986-3 3-Major   Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714974-2 3-Major   Platform-migrate of UCS containing QinQ fails on VE
714903-2 3-Major   Errors in chmand
714654-2 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
714626-2 3-Major K30491022 When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
714216-2 3-Major   Folder in a partition may result in load sys config error
714187-5 3-Major   Changing console Baud-rate to a supported value requires reboot
713813-2 3-Major   Node monitor instances not showing up in GUI
713708 3-Major   Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
712102-2 3-Major K11430165 customizing or changing the HTTP Profile's IPv6 field hides the field or the row
711249-1 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
710976-1 3-Major   Network Map might take a long time to load
710232-2 3-Major   platform-migrate fails when LACP trunks are in use
710173 3-Major   TMSH dns-resolver allows route-domain from another partition
709559-2 3-Major   LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
709544-2 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
709444-2 3-Major   "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
709192-1 3-Major   GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
708484-2 3-Major   Network Map might take a long time to load
707740-4 3-Major   Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination
707509-1 3-Major   Initial vCMP guest creations can fail if certain hotfixes are used
707445-3 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
707391-2 3-Major   BGP may keep announcing routes after disabling route health injection
707320-2 3-Major   Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
705818-1 3-Major   GUI Network Map Policy with forward Rule to Pool, Pool does not show up
705651-1 3-Major   Async transaction may ignore polling requests
705456-1 3-Major   VCMP Guests unable to install block-device-image ISOs when http->https redirection is enabled
705037-2 3-Major   System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704804-1 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-1 3-Major   NAS-IP-Address will be sent with the bytes backwards
704546 3-Major   Symlinks may be corrupted by upgrade
704449-2 3-Major   Orphaned tmsh processes might eventually lead to an out-of-memory condition
704336-1 3-Major   Updating 3rd party device cert not copied correctly to trusted certificate store
704247-2 3-Major K07356404 BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
703090 3-Major   With many iApps configured, scriptd may fail to start
702310-1 3-Major   The ':l' and ':h' options are not available on the tmm interface in tcpdump
701898-1 3-Major   Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
701722-1 3-Major   Potential mcpd memory leak for signed iRules
701529-1 3-Major   Configuration may not load or not accept vlan or tunnel names as "default" or "all"
701387-2 3-Major   qkview will not collect files greater than 2 GB
701341-1 3-Major K52941103 If /config/BigDB.dat is empty, mcpd continuously restarts
701289-1 3-Major   LTM v12.1.2: Static BFD with BIG-IP floating IP address
701249-1 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
700897-1 3-Major   sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
700895-1 3-Major K34944451 GUI Network Map objects in subfolders are not being shown
700827-4 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
700757-1 3-Major   vcmpd may crash when it is exiting
700576-1 3-Major   GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"
700426 3-Major K58033284 Switching partitions while viewing objects in GUI can result in empty list
700250-3 3-Major K59327012 qkviews for secondary blade appear to be corrupt
698947-2 3-Major   BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
698933-1 3-Major   Setting metric-type via ospf redistribute command may not work correctly
698619-2 3-Major   Disable port bridging on HSB ports for non-vCMP systems
698432-2 3-Major   Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
698084-3 3-Major K03776801 IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
698013-1 3-Major K27216452 TACACS+ system auth and file descriptors leak
696731-3 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
696260-1 3-Major K53103420 GUI Network Map as Start Screen broken
694696-5 3-Major   On multiblade Viprion, creating a new traffic-group causes the device to go Offline
694547-2 3-Major   TMSH save sys config creates unneeded generate_config processes.
693884-1 3-Major   ospfd core on secondary blade during network unstability
693563-1 3-Major K22942093 No warning when LDAP is configured with SSL but with a client certificate with no matching key
693106-1 3-Major   IKEv1 newest established phase-one SAs should be found first in a search
692371 3-Major   Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log
692189-1 3-Major   errdefsd fails to generate a core file on request.
692179-1 3-Major   Potential high memory usage from errdefsd.
691749-1 3-Major   Delete sys connection operations cannot be part of TMSH transactions
690928 3-Major   System posts error message: 01010054:3: tmrouted connection closed
690890-1 3-Major   Running sod manually can cause issues/failover
690259 3-Major   Benign message 'keymgmtd started' is reported at log-level alert.
689567-1 3-Major   Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
689375-1 3-Major K01512833 Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
688406-1 3-Major K14513346 HA-Group Score showing 0
688231 3-Major   Unable to set VET, AZOT, and AZOST timezones
687905-2 3-Major   OneConnect profile causes CMP redirected connections on the HA standby
687658 3-Major K03469520 Monitor operations in transaction will cause it to stay unchecked
687617-1 3-Major   DHCP request-options when set to "none" are reset to defaults when loading the config.
687534-1 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
686926-2 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
686906-2 3-Major   Fragmented IPv6 packets not handled correctly on Virtual Edition
686816-1 3-Major   Link from iApps Components page to Policy Rules invalid
686124-1 3-Major   IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
685020-3 3-Major   Enhancement to SessionDB provides timeout
684391-3 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
684218-1 3-Major   vADC 'live-install' Downgrade from v13.1.0 is not possible
683767-1 3-Major   Users are not able to complete the sync using GUI
681782-6 3-Major K30665653 Unicast IP address can be configured in a failover multicast configuration
680838-2 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-2 3-Major   ECP does not work for PFS in IKEv2 child SAs
678925-1 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
678488-1 3-Major   BGP default-originate not announced to peers if several are peering over different VLANs
678380-2 3-Major   Deleting an IKEv1 peer in current use could SEGV on race conditions.
676897-3 3-Major K25082113 IPsec keeps failing to reconnect
676092-3 3-Major   IPsec keeps failing to reconnect
674455-5 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
673952-3 3-Major   1NIC VE in HA device-group shows 'Changes Pending' after reboot
671712-2 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
670528-4 3-Major K20251354 Warnings during vCMP host upgrade.
670197-1 3-Major   IPsec: ASSERT 'BIG-IP_conn tag' failed
669255-5 3-Major K20100613 An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
668041-2 3-Major K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
664017-9 3-Major   OCSP may reject valid responses
658716-1 3-Major   MCPd SIGSEGV in boost::checked_delete
657912-3 3-Major   PIM can be configured to use a floating self IP address
652877-5 3-Major   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
652502-2 3-Major   snmpd returns 'No Such Object available' for ltm OIDs
649682-1 3-Major   'list cm device build' data is not synchronized correctly across a device trust group
642923-6 3-Major K01951295 MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
641450-5 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
638091-6 3-Major   Config sync after changing named pool members can cause mcpd on secondary blades to restart
627760-5 3-Major   gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626030-1 3-Major   TMM restart and failover.
624016 3-Major   Traffic data stats got lost on hardware accelerated flows when the flows are terminated earlier
620954-5 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
617643-2 3-Major   iControl.ForceSessions enabled results in GUI error on certain pages
596020-5 3-Major   Devices in a device-group may report out-of-sync after one of the devices is rebooted
575372-5 3-Major   BIG-IQ Discovery may fail due to an invalid passphrase.
464650-6 3-Major   Failure of mcpd with invalid authentication context.
402691-1 3-Major   The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP
720269-2 4-Minor   TACACS audit logging may append garbage characters to the end of log strings
715331-1 4-Minor   IKEv2 logs peers_id comparisons and cert verfication failures
713169 4-Minor   License String 'ASM-VE' was not recognized by the UI in the policy rule page
713134-2 4-Minor   Small tmctl memory leak when viewing stats for snapshot files
712241 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
708415-2 4-Minor   Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
707631-2 4-Minor   The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
707267 4-Minor   REST Framework HTTP header limit size increased to 8 KB
703509-2 4-Minor   Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
697766-1 4-Minor K12431303 Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
692172-1 4-Minor   rewrite profile causes "No available pool member" failures when connection limit reached
692165-1 4-Minor   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
691571 4-Minor   tmsh show sys software doesn't show the correct HF version
691491-5 4-Minor K13841403 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
689211-3 4-Minor   IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
689147 4-Minor   Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
687368-1 4-Minor K64414880 The Configuration utility may calculate and display an incorrect HA Group Score
686111-1 4-Minor K89363245 Searching and Reseting Audit Logs not working as expected
685582-7 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
685233-1 4-Minor K13125441 tmctl -d blade command does not work in an SNMP custom MIB
683029-1 4-Minor   Sync of virtual address and self IP traffic groups only happens in one direction
680856-2 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
680388-1 4-Minor   f5optics should not show function name in non-debug log messages
679135-2 4-Minor   IKEv1 and IKEv2 cannot share common local address in tunnels
678388-1 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times
678254-1 4-Minor   Error logged when restarting Tomcat
674145-1 4-Minor   chmand error log message missing data
673811-1 4-Minor   After an upgrade, IPsec tunnels may fail to start
653759-1 4-Minor   Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update
648917 4-Minor   Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform
627506-1 4-Minor   Unable to change management-ip address
611724 4-Minor   LTM v11.5.4 HF1 iApp folders removed on partition load
719555 5-Cosmetic   Interface listed as "disable" after SFP insertion and enable
713519-2 5-Cosmetic   Enabling MCP Audit logging does not produce log entry for audit logging change
713491-2 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianess
679431-1 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
718071-1 2-Critical   HTTP2 with ASM policy not passing traffic
716900-2 2-Critical   TMM core when using MPTCP
716213-1 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
715747 2-Critical   TMM may restart when running traffic through custom SSLO deployments.
715088 2-Critical   Changing WebSocket payload protocol profile from mqtt back to none causes TMM restart
713612-1 2-Critical   tmm might restart if the HTTP passthrough on pipeline option is used
710221-2 2-Critical K67352313 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
709828-2 2-Critical   fasthttp can crash with Large Receive Offload enabled
707244-3 2-Critical   iRule command clientside and serverside may crash tmm
707207-1 2-Critical   iRuleLx returning undefined value may cause TMM restart
706501 2-Critical   VCMP guest, tmm continues to restart on Cavium Nitrox PX platform
702792-1 2-Critical   Upgrade creates Server SSL profiles with invalid cipher strings
700597-1 2-Critical   Local Traffic Policy on HTTP/2 virtual server no longer matches
700056-1 2-Critical K05350542 MCPD may lock up and restart when applying Local Traffic Policy to virtual server
691706-5 2-Critical   HTTP2/SPDY profile can cause orphaned connections
690756-1 2-Critical   APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
682273-1 2-Critical   Connection rate limit on a pool member can be exceeded
673664-1 2-Critical   TMM crashes when sys db Crypto.HwAcceleration is disabled.
663925-1 2-Critical   Virtual server state not updated with pool- or node-based connection limiting
632553-3 2-Critical K14947100 DHCP: OFFER packets from server are intermittently dropped
601828-7 2-Critical K13338433 An untrusted certificate can cause tmm to crash.
571651-4 2-Critical   Reset crypto accelerator queue if it becomes stuck.
513310-5 2-Critical   TMM might core when a profile is changed.
431480-5 2-Critical   Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
720219 3-Major   HSL::log command can fail to pick new pool member if last picked member is 'checking'
719600-2 3-Major   TCP::collect iRule with L7 policy present may result in connection reset
718867-2 3-Major   tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades
717346-2 3-Major   [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
716716-2 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
715883 3-Major   tmm crash due to invalid cookie attribute
715785-2 3-Major   Incorrect encryption error for monitors during sync or upgrade
715467-2 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
715323 3-Major   iControl SOAP attribute ssl_profile not supported for in-tmm https monitor
714559-2 3-Major   Removal of http hash persistence cookie when a pool member goes down.
714503-2 3-Major   When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
714495-2 3-Major   When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
714384-3 3-Major   DHCP traffic may not be forwarded when BWC is configured
714292-1 3-Major   Transparent forwarding mode across multiple VLAN groups or virtual-wire
713951-5 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-2 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
713585-3 3-Major K31544054 When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
713388-1 3-Major   SSL handshake fails for OCSP + TLS false start + SSL hardware acceleration
712819-2 3-Major   'HTTP::hsts preload' iRule command cannot be used
712664-2 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
712489-2 3-Major   TMM crashes with message 'bad transition'
712475-3 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712437-3 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
711281-5 3-Major   nitrox_diag may run out of space on /shared
710996-2 3-Major   VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
710930 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
710564 3-Major   DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
710028-2 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
709963-2 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709952-1 3-Major   Disallow DHCP relay traffic to traverse between route domains
709837-2 3-Major   Cookie persistence profile may be configured with invalid parameter combination.
709381 3-Major   iRules LX plugin imported from another system with different version does not properly run, and the associated iRule times out.
709133-2 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
709132-1 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
708068-2 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
707961-2 3-Major   Unable to add policy to virtual server; error = Failed to compile the combined policies
707691-4 3-Major   BIG-IP handles some pathmtu messages incorrectly
707109-1 3-Major   Memory leak when using C3D
706505-2 3-Major   iRule table lookup command may crash tmm when used in FLOW_INIT
706102-2 3-Major   SMTP monitor does not handle all multi-line banner use cases
705387 3-Major   HTTP/2, ALPN and SSL
704764-3 3-Major   SASP monitor marks members down with non-default route domains
704450-3 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
703580-1 3-Major   TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
702450-1 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
702151-1 3-Major   HTTP/2 can garble large headers
701690-1 3-Major K53819652 Fragmented ICMP forwarded with incorrect icmp checksum
700889-3 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-4 3-Major   Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
699758 3-Major   Intermittent connection resets are seen in HTTP/2 gateway when HTTP/2 preface is sent to server
698420-1 3-Major   SSL handshake fails for some servers if their root certificates are not in the configured CA bundle
698211-1 3-Major K35504512 DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
696755 3-Major   HTTP/2 may truncate a response body when served from cache
695925-1 3-Major   tmm crash when showing connections for a CMP disabled virtual server
695109-1 3-Major K15047377 Changes to fallback persistence profiles attached to a Virtual server are not effective
694778-1 3-Major   Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
694697-1 3-Major K62065305 clusterd logs heartbeat check messages at log level info
693582-1 3-Major   Monitor node log not rotated for icmp monitor types
693308-1 3-Major   SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691785-1 3-Major   The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
691224-3 3-Major K59327001 Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
690778-1 3-Major K53531153 Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
689361-1 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
689089-1 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
688744-1 3-Major K11793920 LTM Policy does not correctly handle multiple datagroups
688629-1 3-Major   Deleting data-group in use by iRule does not trigger validation error
688553-3 3-Major   SASP GWM monitor may not mark member UP as expected
687044-3 3-Major   tcp-half-open monitors might mark a node up in error
686563-1 3-Major   WMI monitor on invalid node never transitions to DOWN
686547-1 3-Major   WMI monitor sends logging data for credentials when no credentials specified
686101-1 3-Major K73346501 Creating a pool with a new node always assigns the partition of the pool to that node.
685519-1 3-Major   Mirrored connections ignore the handshake timeout
685344-1 3-Major   Monitor 'min 1 of' not working as expected with FQDN nodes/members
685110-1 3-Major K05430133 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683706-3 3-Major   Pool member status remains 'checking' when manually forced down at creation
683697-1 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
683061-1 3-Major   Rapid creation/update/deletion of the same external datagroup may cause core
681757-3 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
681673-4 3-Major   tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-1 3-Major K23531420 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
679494-1 3-Major   Change the default compression strategy to speed
678872-3 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
673399-3 3-Major   HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
672312-3 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
655383-3 3-Major   Failure to extend database continues to execute rather than halting because of fragmented state.
652370-3 3-Major   The persist cookie insert iRule command may leak memory
649275-1 3-Major   RSASSA-PSS client certificates support in Client SSL
637613-5 3-Major K24133500 Cluster blade being disabled immediately returns to enabled/green
620053-2 3-Major   Gratuitous ARPs may be transmitted by active unit going offline
604880-5 3-Major   tmm assert "valid pcb" in tcp.c
602708-4 3-Major K84837413 Traffic may not passthrough CoS by default
504522-1 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
495443-9 3-Major   ECDH negotiation failures logged as critical errors.
429124-5 3-Major K15069 ePVA does not work with lasthop pools with only one member
719247-2 4-Minor   HTTP::path and HTTP::query iRule functions cannot be set to a blank string
716922-2 4-Minor   Reduction in PUSH flags when Nagle Enabled
713533-2 4-Minor   list self-ip with queries does not work
712637-2 4-Minor   Host header persistence not implemented
708249-2 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
700433-1 4-Minor K10870739 Memory leak when attaching an LTM policy to a virtual server
699426-1 4-Minor   RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.
699076-1 4-Minor   URI::path iRules command warns end and start values equal
697988-3 4-Minor   During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
692095-1 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
688557-1 4-Minor K50462482 Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
680680-1 4-Minor   The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
679496-2 4-Minor   Add 'comp_req' to the output of 'tmctl compress'
675911-4 4-Minor K13272442 Dashboard CPU history file may contain incorrect values
618884-6 4-Minor   Behavior when using VLAN-Group and STP
594064-5 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
592503-1 4-Minor   TMM 'timer' device does not report 'busy' for non-priority timers.
495242-4 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Performance Issues

ID Number Severity Solution Article(s) Description
682209 2-Critical   Per Request Access Policy subroutine performance down by about 7%
698992-1 3-Major   Performance degraded


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
718885-3 2-Critical   Under certain conditions, monitor probes may not be sent at the configured interval
713066-1 2-Critical   Connection failure during iRule DNS lookup to disabled nameserver can crash TMM
716701-1 3-Major   iControl REST: Unable to create Topology when STATE name contains space
715448-2 3-Major K16055759 Providing LB::status with a GTM Pool name in a variable caused validation issues
714507-2 3-Major   [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
712500-1 3-Major   Unhandled Query Action Drops Stat does not increment after transparent cache miss
710032-1 3-Major   'No Access' error when viewing GSLB Server's Virtual Server that has a name indicating a partition that does not exist on that bigip.
704198-3 3-Major   GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance
688335-5 3-Major K00502202 big3d may restart in a loop on secondary blades of a chassis system
679316-5 3-Major   iQuery connections reset during SSL key renegotiation
688266-5 4-Minor   big3d and big3d_install use different logics to determine which version of big3d is newer


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
718152 2-Critical   ASM GUI request log does not load on cluster
713390-1 2-Critical   ASM Signature Update cannot be performed on hourly billing cloud instance
719459-2 3-Major   Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
719005-1 3-Major   Login request may arrive corrupted to the backend server after CAPTCHA mitigation
718232-2 3-Major   Some FTP servers may cause false positive for ftp_security
717756-2 3-Major   High CPU usage from asm_config_server
715128-1 3-Major   Simple mode Signature edit does not escape semicolon
713282-1 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
712362-3 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
711818-3 3-Major   Connection might get reset when coming to virtual server with offload iRule
711405-1 3-Major K14770331 ASM GUI Fails to Display Policy List After Upgrade
710327-1 3-Major   Remote logger message is truncated at NULL character.
707147-1 3-Major   High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-2 3-Major   False positive illegal multipart violation
706665-2 3-Major   ASM policy is modified after pabnagd restart
704143-1 3-Major   BD memory leak
700143-2 3-Major   ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
694934-1 3-Major   bd crashes on a very specific and rare scenario
691897-3 3-Major   Names of the modified cookies do not appear in the event log
689982-3 3-Major   FTP Protocol Security breaks FTP connection
687759-1 3-Major   bd crash
686765-2 3-Major   Database cleaning failure may allow MySQL space to fill the disk entirely
686500-1 3-Major   Adding user defined signature on device with many policies is very slow
676416-4 3-Major   BD restart when switching FTP profiles
676223-4 3-Major   Internal parameter in order not to sign allowed cookies
674256-2 3-Major K60745057 False positive cookie hijacking violation
667414-1 3-Major   JSON learning of parameters in WebSocket context is not working
605649-2 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
592504-2 3-Major   False positive illegal length violation can appear
699898-2 4-Minor   Wrong policy version time in policy created after synchronization between active and stand by machines.
688833-3 4-Minor   Inconsistent XFF field in ASM log depending violation category
685743-5 4-Minor   When changing internal parameter 'request_buffer_size' in large request violations might not be reported
675232-6 4-Minor   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
665470-3 4-Minor   Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
718655 3-Major   DNS profile measurement unit name is incorrect.
706361 3-Major   IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0
703225 3-Major   DoS Visibility does not support displaying more than 500 Attacks and/or Virtuals
703196-5 3-Major   Reports for AVR are missing data
700322-2 3-Major   Upgrade may fail on a multi blade system when there are scheduled reports in configuration
700035-5 3-Major   /var/log/avr/monpd.disk.provision not rotate
648242-2 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports
649161-2 4-Minor K42340304 AVR caching mechanism not working properly


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
719149-2 2-Critical   VDI plugin might hang while processing native RDP connections
716747-2 2-Critical   TMM core with SWG Transparent
715250-1 2-Critical   TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
713820-1 2-Critical   Pass in IP to urldb categorization engine
713156-1 2-Critical   AGC cannot do redeploy in exchange and adfs use case
710116-1 2-Critical   VPN clients experience packet loss/disconnection
702296-1 2-Critical   Importing the LocalDB csv file fails
660826-3 2-Critical   BIG-IQ Deployment fails with customization-templates
720030-4 3-Major   [KERBEROS SSO][KRB5] Enable EDNS flag in kerberos DNS SRV queries
719079-1 3-Major   Portal Access: same-origin AJAX request may fail under some conditions.
715207-3 3-Major   coapi errors while modifying per-request policy in VPE
714961-1 3-Major   antserver creates large temporary file in /tmp directory
714902-1 3-Major   Restjavad may hang if discover task fails and the interval is 0
714700-2 3-Major   SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
714043-1 3-Major   NPAPI inspection host plugin does not work with latest epsec image on macOS
710884-1 3-Major   Portal Access might omit some valid cookies when rewriting HTTP request.
710305-1 3-Major   When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
710044-3 3-Major   Portal Access: same-origin AJAX request may fail in some case.
709274-1 3-Major   RADIUS Accounting requests egress different self-IPs since upgrade to v13.1
707953-2 3-Major   Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
706797-1 3-Major   Portal Access: some multibyte characters in JavaScript code may not be handled correctly
706374-4 3-Major   [Kerberos SSO] krb5 library need to use threadsafe res_ninit, res_nsearch instead of res_init, res_search
704587-2 3-Major K15450552 Authentication with UTF-8 chars in password fails for ActiveSync users
704524-4 3-Major   [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
699267-2 3-Major   LDAP Query may fail to resolve nested groups
698984-1 3-Major   Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
688046-2 3-Major   Change condition and expression for Protocol Lookup agent expression builder
687213-3 3-Major   When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
684399-1 3-Major   Connectivity profiles UI shows (Not Licensed) when LTM base is presented
682751-7 3-Major   Kerberos keytab file content may be visible.
680855 3-Major   Safari 11 sometimes start more than one session
679735-3 3-Major   Multidomain SSO infinite redirects from session ID parameters
658278-1 3-Major   Network Access configuration with Layered-VS does not work with Edge Client
656784-1 3-Major K98510679 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM
621158-3 3-Major   f5vpn does not close upon closing session
447565-9 3-Major   Renewing machine-account password does not update the serviceId for associated ntlm-auth.
719246 4-Minor   Tomcat process restarts and GUI hangs when trying to view large number of static ACL Group entries
685888-1 4-Minor   OAuth client stores incorrectly escaped JSON values in session variables
610436-1 4-Minor K13222132 DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
706642-2 2-Critical   wamd may leak memory during configuration changes and cluster events
717397 3-Major   TMM restarted once, in response to an assertion that catches cache collisions.
701977-1 3-Major   Non-URL encoded links to CSS files are not stripped from the response during concatenation


Service Provider Issues

ID Number Severity Solution Article(s) Description
703515-3 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
684068-1 2-Critical   FIX with PVA offload and late binding without flow release may not execute iRules on subsequent messages
709383-2 3-Major   DIAMETER::persist reset non-functional
699431-3 3-Major   Possible memory leak in MRF under low memory
692310-2 3-Major   ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body
691048-1 3-Major K34553736 Support DIAMETER Experimental-Result AVP response
688942-5 3-Major K82601533 ICAP: Chunk parser performs poorly with very large chunk


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
717909 2-Critical   tmm can abort on sPVA flush if the HSB flush does not succeed
715450-1 2-Critical   tmm restarts under certain conditions
710755-1 2-Critical K30572159 Crash when cached route information becomes stale and the system accesses the information from it.
701637 2-Critical   Crash in bcm56xxd during TMM failover
698333-1 2-Critical K43392052 TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)
694849-1 2-Critical   TMM crash when packet sampling is turned for DNS BDOS signatures.
685820-3 2-Critical   Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
677473-3 2-Critical   MCPD core is generated on multiple add/remove of Mgmt-Rules
644822 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
702738-1 3-Major K32181540 Tmm might crash activating new blob when changing firewall rules
698361-1 3-Major   The ASM-FPS fingerprint is not presented in dashboard
696201-1 3-Major   Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation
691367-1 3-Major   Attack-destination for a DoS vector was not predicting right thresholds in some cases
684369-2 3-Major K35423171 AFM ACL Rule Policy applied on Standby device
651169-1 3-Major   The Dashboard does not show an alert when a power supply is unplugged
613836-1 3-Major   Error message in ltm log when adding a DoS profile to virtual server in cluster setup
707054-1 4-Minor   SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
701555-1 4-Minor   DNS Security Logs report Drop action for unhandled rejected DNS queries


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
709670-2 3-Major K44067891 iRule triggered from RADIUS occasionally fails to create subscribers.
667700-1 3-Major   Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed
663874-2 3-Major K77173309 Off-box HSL logging does not work with PEM in SPAN mode.


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
669645-3 2-Critical   tmm crashes after LSN pool member change
708830-2 3-Major   Inbound or hairpin connections may get stuck consuming memory.
673826-1 3-Major   Some FTP log messages may not be logged to /var/log/ltm


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
719186-2 3-Major   Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
716318-2 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update
686422-1 3-Major   URI reported in alert may not contain the actual traffic URI
698307-1 4-Minor   Datasafe: Fingerprinting code runs, but is not needed.


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
691196-1 2-Critical   one Cisco NEXUS switch and 2 BIG-IP WCCP web caches do not work together


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
689614-1 3-Major   If DNS is not configured and management proxy is setup correctly, Webroot database fails to download


Device Management Issues

ID Number Severity Solution Article(s) Description
718796 2-Critical   iControl REST token issue after upgrade


iApp Technology Issues

ID Number Severity Solution Article(s) Description
693694-1 3-Major   tmsh::load within IApp template results in unpredicted behavior


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
715166 4-Minor   IPS only works over UDP or TCP virtual server

 

Known Issue details for BIG-IP v13.1.x

720269-2 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, one may see extra "garbage" characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages.

Workaround:
There is no workaround at this time.


720219 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
Using HSL::log command in an iRule with a remote high speed logging config.

Impact:
Failure to send log messages via HSL

Workaround:
Change the 'distribution' method of the remote high speed config to something new, save config, and then back again.


720030-4 : [KERBEROS SSO][KRB5] Enable EDNS flag in kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Ability to create new dns requests is affected, if there are lots of sockets in TIME_WAIT. This results in scalability issues.

Workaround:
This workaround applies to BIG-IP version 12.x and above. /etc/resolv.conf file need to be edited to add option EDNS0.


719600-2 : TCP::collect iRule with L7 policy present may result in connection reset

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.

Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.

Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.

Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.


719597 : HA between Viprion chassises with B2250 blades might be broken when running v13.1.0 and v12.1.1

Component: TMOS

Symptoms:
When two VIPRION chassis with B2250 blades try to form a HA connection, with one running v12.1.1 and the other running v13.1.0, high availability (HA) connections between TMMs on Active and TMMs on Standby might fail.

Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.

Impact:
Fail to form HA connection.

Workaround:
Install the same software on both blades. HA configuration works when both blades are running the same software.


719555 : Interface listed as "disable" after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as "disabled" in 'tmsh show net interface output'

Conditions:
BIG-IP appliance or blade.

Impact:
Interface shows it is still disabled even though the interface is enabled and fully operational.

Workaround:
This issue is purely cosmetic; the interface is functional so it may be used. 'tmsh list net interface' may be used to correctly identify the enabled/disabled state of the interface.


719459-2 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled

Component: Application Security Manager

Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.

Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.

Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.

Workaround:
Add the incorrect suggestions to the 'ignore' list.


719396-1 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.

Component: TMOS

Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.

Note: The problem goes away after the first boot.

Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.

Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.

Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient


719247-2 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string

Component: Local Traffic Manager

Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.

Conditions:
In an iRule where the argument is a blank string:
  HTTP::path ""
  HTTP::query ""

Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
   -- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>

Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]

To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]


719246 : Tomcat process restarts and GUI hangs when trying to view large number of static ACL Group entries

Component: Access Policy Manager

Symptoms:
Tomcat process restarts and UI hangs. LTM logs show the following messages:

-- notice logger: /usr/bin/syscalld ==> /usr/bin/bigstart restart tomcat
-- warning bigstart: get_db failed for is_provisioned wam - returning not-provisioned.

Conditions:
1. Under System :: Preferences, set 'Records Per Screen' to 272 or larger.
2. Populate more than 272 ACLs.
3. Go to Access :: Access Control Lists : User-defined ACLs.
4. On the dropdown 'pages' menu for the returned results, select 'Show All'.

Impact:
GUI freeze.

Workaround:
You can use either of the following workarounds:

-- Under System :: Preferences, set 'Records Per Screen' to a value of 271 or lower.

-- Using tmsh, run the following command:
tmsh modify sys db ui.system.preferences.recordsperscreen value


719186-2 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts

Component: Fraud Protection Services

Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.

Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.

Impact:
False-positive 'missing strong integrity parameter' alert.

Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:

(set the static::drop_alert variable, probably matching URL name and checking that Content-Type header starts with 'multipart/form-data')

when ANTIFRAUD_ALERT {
    if {$static::drop_alert eq 1 &&
            [ANTIFRAUD::alert_type] eq "vtoken" &&
            [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}


719149-2 : VDI plugin might hang while processing native RDP connections

Component: Access Policy Manager

Symptoms:
Rarely, during processing of native RDP connections, the VDI plugin might hang, which prevents launch of VDI resources (Native RDP, Citrix, VMware View) from the APM Webtop.

Conditions:
APM Webtop is configured with native RDP resource.

Impact:
VDI resources (Native RDP, Citrix, VMware View) cannot be launched from APM Webtop.

Workaround:
None.


719079-1 : Portal Access: same-origin AJAX request may fail under some conditions.

Component: Access Policy Manager

Symptoms:
Portal Access may reject response to same-origin AJAX request if host names in request and its origin differ in case.

Conditions:
Same-origin AJAX request with a host name whose case differs from the case of the origin page's host name, for example:

Request page: https://example.com/some/file
Page with URL: https://Example.com/origin/page.html

Impact:
Web application may not work correctly.

Workaround:
Use an iRule to remove 'F5_origin' parameter from the AJAX requests, for example:

when HTTP_REQUEST {
  if { [ HTTP::path ] contains "/iNotes/Forms9.nsf/iNotes/Proxy/" and [ HTTP::query ] contains "F5_origin=" } {
    regsub {F5_origin=[0-9a-f]+&F5CH=I} [ HTTP::query ] {F5CH=I} query
    HTTP::query $query
  }
}


719005-1 : Login request may arrive corrupted to the backend server after CAPTCHA mitigation

Component: Application Security Manager

Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).

Conditions:
-- A brute force CAPTCHA mitigation happens.
-- Specific traffic conditions.

Impact:
Login request fails.

Workaround:
None.


718885-3 : Under certain conditions, monitor probes may not be sent at the configured interval

Component: Global Traffic Manager (DNS)

Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.


718867-2 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades

Component: Local Traffic Manager

Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.

Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround:
Reset the variable's custom value after upgrade.


718817-2 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.

Component: TMOS

Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.

There are log entries in /var/log/liveinstall.log:

-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.

Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.
-- Missing /config/.ucs_base_mac.

Impact:
Software installation fails.

Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades.

-- Retry the installation until it succeeds.


718800-2 : Cannot set a password to the current value of its encrypted password

Component: TMOS

Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':

modify auth user <username> encrypted-password password

Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):

modify auth user <username> password password

Conditions:
Changing a password to the value of encrypted-password.

Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value doesnot work.

(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)

Workaround:
First, change the password to something else. Then, change it back to the correct value.


718796 : iControl REST token issue after upgrade

Component: Device Management

Symptoms:
When upgrading to version 13.1, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make REST calls.

Conditions:
Upgrading to version 13.1

Impact:
The user can no longer query iControl REST

Workaround:
1. You can repair the current users permissions with the following
   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
      # bigstart restart restjavad.

   2) Update shared/authz/roles/iControl_REST_API_User userReference list to add repro user account using PUT
      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User


2. If you create a new user, the permissions should start in a healthy state.


718655 : DNS profile measurement unit name is incorrect.

Component: Application Visibility and Reporting

Symptoms:
DNS profile statistics values are incorrect.

Conditions:
DNS profile statistics are collected and reported using the following command:
tmsh show analytics dns-profile report view-by vs-name/name measures { measures-list}

Impact:
Unexpected values are reported. Although the values are correct, the metric label is misleading. The values reported do not match individual totals, but rather the average/second over the data range, for example, when the statistics collected represent 3000 requests in 600 seconds, the system reports the following values:

/Common/test-dns | 10.00
_listener | 0.00


A more accurate label for each metric is 'average_<metric_name>', as follows:

average_per_second_/Common/test-dns | 10.00
average_per_second__listener | 0.00

Workaround:
None.


718232-2 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.


718152 : ASM GUI request log does not load on cluster

Component: Application Security Manager

Symptoms:
The ASM Request Log fails to load, and it keeps reading 'Loading Requests Log...'.
'Security :: Event Logs >> Application :: Requests'.

Conditions:
-- Any cluster device (vCMP or not), even if there is a single blade in use.
-- Running BIG-IP v13.1.0.4, v13.1.0.5, or v13.1.0.6. (Other releases are not affected.)

Impact:
Cannot view the Request Log in the GUI.

Workaround:
None


718071-1 : HTTP2 with ASM policy not passing traffic

Component: Local Traffic Manager

Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.

Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.

Impact:
Traffic does not pass.

Workaround:
No workaround.


717909 : tmm can abort on sPVA flush if the HSB flush does not succeed

Component: Advanced Firewall Manager

Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm does a flush of sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause an abort due to heartbeat failure. tmm crash

Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).

Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


717756-2 : High CPU usage from asm_config_server

Component: Application Security Manager

Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).

Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.

Impact:
ASM availability impacted.

Workaround:
-- Switch to Manual policy builder.
-- Set entity types learning to compact / selective / never.


717397 : TMM restarted once, in response to an assertion that catches cache collisions.

Component: WebAccelerator

Symptoms:
TMM restarted once, in response to an assertion that catches cache collisions.

Conditions:
The specific mix of requests, responses, and configuration variables to cause this issue is unknown.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None known.


717346-2 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


716922-2 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Mote: To take advantage of some of the Nagle benefits, use 'Auto'.


716900-2 : TMM core when using MPTCP

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.


716747-2 : TMM core with SWG Transparent

Component: Access Policy Manager

Symptoms:
TMM core when running an SWG-Transparent. There will be a log message in /var/log/apm near the time of crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
Forward proxy with an access profile of type SWG-Transparent.

Happens every time with an On-Demand Cert Auth agent in the access policy. Is sometimes seen in other situations, but much less frequently.

Impact:
TMM core. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


716716-2 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.


716701-1 : iControl REST: Unable to create Topology when STATE name contains space

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use iControl REST to create topology records when whitespace exist in a STATE name.

Conditions:
STATE name contains a space (e.g., New Mexico).

Impact:
Unable to create a topology record using iControl REST.

Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.


716487-1 : Unable to upgrade APM Desktop Clients on BIG-IP Virtual Edition

Component: TMOS

Symptoms:
Upgrading the APM client images (a.k.a. Desktop Client) may fail on some BIG-IP Virtual Edition (VE) systems running v13.1.0 software versions, as a result of insufficient space in /var.

Conditions:
/var does not have sufficient free disk space for the APM client image ISO file (slightly less than ~300 MB).

Reasons for a lack of space might include:

-- UCS archives and SCF files, which default to being stored in /var
-- Other modules that store data in /var, e.g. APM, ASM or AFM

Impact:
Cannot upgrade Desktop Client 7.1.6.1. When this occurs:
-- In the GUI, the system posts the following error message: 'Image File Error: call tmsh to install image failed.'

-- In tmsh, the system posts the following error message:
Data Input Error: File operation failed on "/var/apm/images/apmclients-7160.2018.417.2013-4204.0.iso".

Workaround:
Before installing, increase the size of /var. For example, from the command line of a BIG-IP system, /var can be expanded by 1 GB by running the following and then rebooting the system for the changes to take effect:

NEW_SIZE=$(($(df -P /var | tail -1 | awk '{print $2}') + 1*1024*1024)); echo "Resizing /var to $NEW_SIZE (unit: 1K blocks); changes should take effect after a reboot"; tmsh modify sys disk directory /var new-size $NEW_SIZE; tmsh save sys config

Note: This workaround only applies to a single device, and will not persist across upgrades.

For more information about apmclients-7160.2018.417.2013-4204.0.iso, see Release Notes:
APM Desktop Client 7.1.6.1 https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/related/relnote-desktop-client-7-1-6-1.html. For information about installing BIG-IP Edge Client, see K52547540: Updating BIG-IP Edge Client for the BIG-IP APM system :: https://support.f5.com/csp/article/K52547540.


716391-2 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores.
-- A module using MySQL is provisioned.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


716318-2 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.


716213-1 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.


715883 : tmm crash due to invalid cookie attribute

Component: Local Traffic Manager

Symptoms:
tmm crash due to invalid request-side cookie attribute.

Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).

Impact:
TMM cored. Traffic disrupted while tmm restarts.

Workaround:
None.


715820-1 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane

Component: TMOS

Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) with VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:

-- CDP: exceeded 1/2 timeout for PG 3

Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.

Impact:
Unstable data plane might cause traffic disruption/packet drops.

Workaround:
None.


715785-2 : Incorrect encryption error for monitors during sync or upgrade

Component: Local Traffic Manager

Symptoms:
The system logs an error message similar to the following in /var/log/ltm:

err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.

This may cause a configuration sync to fail, or an upgrade to fail.

Conditions:
The exact conditions are unknown, however it may occur under these circumstances:

-- Performing a config sync operation.
-- Performing an upgrade.

Impact:
Inability to sync peer devices, or an inability to upgrade.

Workaround:
There is no workaround at this time.


715747 : TMM may restart when running traffic through custom SSLO deployments.

Component: Local Traffic Manager

Symptoms:
TMM restarts with a SIGSEGV signal and dumps core.

Conditions:
This issue is known to happen when passing traffic through some custom SSLO deployments (e.g., iRule-based configurations).

Impact:
TMM restarts. If the system is in a high availability configuration, a failover occurs. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


715467-2 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.


715450-1 : tmm restarts under certain conditions

Component: Advanced Firewall Manager

Symptoms:
tmm restarts in certain cases; no traffic goes through the BIG-IP system.

Conditions:
-- DoSL7 with Device ID enabled.
-- HTTP/2.0 profile configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable proactive bot defense (PBD) or HTTP/2.0


715448-2 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Solution Article: K16055759

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.


715331-1 : IKEv2 logs peers_id comparisons and cert verfication failures

Component: TMOS

Symptoms:
Insufficient information is logged when a certificate fails verification, or when ID_I in an IKE_AUTH request does not match configuration for peers_id in the ike-peer description.

Conditions:
When IKE_AUTH fails due to either certificate verification failure or mismatch of ID_I and peers_id.

Impact:
Hard to diagnose proximate cause of IKE negotiation failure during IKE_AUTH exchange.

Workaround:
There is no workaround at this time.


715323 : iControl SOAP attribute ssl_profile not supported for in-tmm https monitor

Component: Local Traffic Manager

Symptoms:
iControl SOAP cannot be used to modify the 'ssl_profile' attribute on an 'https' monitor when 'in-tmm' monitoring is enabled.

Conditions:
-- 'https' monitor is configured.
-- 'in-tmm' monitors are enabled.
-- Use iControl SOAP to set/get the 'ssl_profile' attribute for an 'https' monitor.

Impact:
'ssl_profile' attribute on an 'https' monitor cannot be modified through iControl SOAP.

Workaround:
You can use either of the following workarounds:

-- Use a different mechanism, such as through the GUI or tmsh, to modify the 'ssl_profile' attribute associated with an 'https' monitor.

-- Disable 'in-tmm' monitors.


715250-1 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

Component: Access Policy Manager

Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.

Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.

Impact:
System instability, failover, traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


715207-3 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure: 1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.


715166 : IPS only works over UDP or TCP virtual server

Component: Protocol Inspection

Symptoms:
For Standard or FastL4 virtual, Protocol Inspection does notwork over SCTP/IPsec/Other protocols.

Conditions:
-- Standard virtual server with protocol configured as SCTP or IPsec.
-- Performance L4 virtual servers with protocol configured as Other.

Impact:
Protocol Inspection does not work.

Workaround:
Configure TCP/UDP virtual servers.


715128-1 : Simple mode Signature edit does not escape semicolon

Component: Application Security Manager

Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.

Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.

Impact:
The signature cannot be created.

Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".


715115 : Application Security roles are not showing all accessible objects in GUI

Component: TMOS

Symptoms:
Not all configuration objects are exposed to users of type Application Security Administrator and Application Security Editor that are technically accessible by the user role.

Conditions:
-- Users exist with roles of Application Security Administrator and Application Security Editor.
-- Attempting to work with certain configuration objects.

Impact:
Users configured with these roles cannot view all object types using the GUI. Certain pages cannot be reached from the menu, as the software hides most of the configuration pages for these roles.

Workaround:
Users can use TMSH.


715088 : Changing WebSocket payload protocol profile from mqtt back to none causes TMM restart

Component: Local Traffic Manager

Symptoms:
When WebSocket profile's payload protocol profile configuration value is modified from 'mqtt' to 'None', TMM restarts once upon receiving traffic.

Conditions:
-- The WebSocket profile is attached to a virtual server.
-- Protocol profile configuration value is modified from 'mqtt' to 'None'.

Impact:
TMM restarts when traffic is processed by the virtual server to which the WebSocket profile is attached.

Workaround:
After changing WebSocket profile's payload protocol profile configuration value from 'mqtt' to 'None', issue the following command in BIG-IP system shell, before processing any traffic.

# bigstart restart tmm


715061-2 : vCMP: tmm core in guest when stopping vCMP guest from host

Component: TMOS

Symptoms:
A tmm core in the guest on the primary blade, not the secondary blade, after the guest is disabled on the hypervisor.

Conditions:
-- A cross-blade vCMP guest.
-- Guest is disabled on the hypervisor.

Impact:
Because the guest is in the process of being disabled, there is no impact on traffic, however, the core file may take up space on the guest on the primary blade.

Workaround:
To mitigate the disk problem, manually delete the core file.


714986-3 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1


714974-2 : Platform-migrate of UCS containing QinQ fails on VE

Component: TMOS

Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.

Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.

Impact:
The UCS load will fail and generate an error:

01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.

Workaround:
None.


714961-1 : antserver creates large temporary file in /tmp directory

Component: Access Policy Manager

Symptoms:
SWG Analytics (running through the antserver daemon) creates a large temporary file in the /tmp directory due to a lack of write permissions on the appropriate directory.

Conditions:
-- SWG provisioned.
-- Viewing SWG Analytics.

Impact:
/tmp is temporarily populated with a large file that might fill up the directory if it is already close to capacity.

Workaround:
There is no workaround at this time.


714903-2 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.


714902-1 : Restjavad may hang if discover task fails and the interval is 0

Component: Access Policy Manager

Symptoms:
If a discover task fails because of a network issue, the system tries to run the task again at the next scheduled time. If the discover interval is set to 0, the system retries immediately, which may cause restjavad hang.

Conditions:
If a provider has configured discover interval 0 and the discover task failed because of network issues.

Impact:
The discover task tries to use a lot CPU when restjavad continuously retries the task.

Workaround:
Change the discover interval to 1 hour or more.


714700-2 : SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy

Component: Access Policy Manager

Symptoms:
To address a vulnerability in their CredSSP implementation Microsoft released set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds new Group Policy 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server might break SSO for APM's native RDP resources.

Conditions:
-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.

Impact:
SSO for native RDP resources does not work.

Workaround:
Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.


714654-2 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.


714626-2 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.

Solution Article: K30491022

Component: TMOS

Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.

Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Attempting to license (or revoke the license of) the BIG-IP system is not possible using GUI or tmsh since communications with the license server will fail.

Impact:
Cannot license, reactivate license, or revoke the license of the BIG-IP system.

Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:

/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck


714559-2 : Removal of http hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When http cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Users are forced to establish a new session.

Workaround:
Use an iRule to configure http cookie hash persistence.

when CLIENT_ACCEPTED {
    persist cookie hash JESSIONID
}


714507-2 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
    # tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1


714503-2 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl

Component: Local Traffic Manager

Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the .tcl extension. The system will do that for you.


714495-2 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"

Component: Local Traffic Manager

Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
Creating a new iRulesLX iRule in TMSH.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the '.tcl' extension.


714384-3 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.


714292-1 : Transparent forwarding mode across multiple VLAN groups or virtual-wire

Component: Local Traffic Manager

Symptoms:
This is a virtual-wire or vlan-group deployment scenario in which there is a BIG-IP system connecting two networks with more than one link. This scenario is referred as 'asymmetric deployment'. In this case. the outgoing packet does not have the correct VLAN configured.

Conditions:
-- Virtual-wire or vlan-group configured.
-- BIG-IP system is connecting two networks with more than one link.
-- There is more than one virtual-wire/vlan-group to handle the traffic across multiple links.
-- Packets belonging to a flow arrive on any link with a valid VLAN.

Impact:
The connectivity between the endpoints fails.

Workaround:
None.


714216-2 : Folder in a partition may result in load sys config error

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current_partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current_partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.


714187-5 : Changing console Baud-rate to a supported value requires reboot

Component: TMOS

Symptoms:
Unable to modify console Baud-rate.

Conditions:
Running BIG-IP release 11.6.0 or later.

Impact:
System instability.

Workaround:
Reboot system after modification of console Baud-rate.


714043-1 : NPAPI inspection host plugin does not work with latest epsec image on macOS

Component: Access Policy Manager

Symptoms:
NPAPI inspection host plugin on macOS does not work with the latest Endpoint Security (EPSEC) update image because policyserver not being part of OESIS package since it's bundled with individual applications.

Conditions:
-- NPAPI plugin.
-- One of the recent EPSIC image 684.0, AV/FW endpoint inspection.
-- Safari web browser

Impact:
NPAPI plugin does not work.

Workaround:
There is no workaround at this time.


713951-5 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


713934-2 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
Received malformed Truncated DNS response.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.


713820-1 : Pass in IP to urldb categorization engine

Component: Access Policy Manager

Symptoms:
Category lookup results might be less accurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.

Conditions:
Category Lookup agent is in per-request policy using the categorization engine to lookup up a website's classification.

Impact:
Actions leveraging categorization results will be applied incorrectly.

Workaround:
None.


713813-2 : Node monitor instances not showing up in GUI

Component: TMOS

Symptoms:
Navigating to Local Traffic :: Monitors :: <some_monitor> should show a list of nodes with some_monitor assigned to them. GUI does not list related nodes under Instances tab.

Conditions:
-- At Local Traffic :: Monitors :: <some_monitor>.
-- Under the Instances tab.

Impact:
No instances listed. Cannot use the GUI to determine which nodes are associated with a monitor.

Workaround:
Use tmsh to list nodes associated with a monitor.


713708 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.


713612-1 : tmm might restart if the HTTP passthrough on pipeline option is used

Component: Local Traffic Manager

Symptoms:
The TMM may crash if the HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.

Conditions:
-- HTTP profile is configured as a transparent proxy.
-- HTTP profile has the 'passthrough_pipeline' field is set to 'passthrough'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


713585-3 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load could be very long and CPU usage very high.

Conditions:
There are many iRule and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax", this causes iRule validation to check iRule syntax only; the semantic checks will not be performed.


713533-2 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.


713519-2 : Enabling MCP Audit logging does not produce log entry for audit logging change

Component: TMOS

Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.

Conditions:
This occurs when enabling MCP audit logging.

Impact:
The audit logging change itself is not logged in the audit logs.

Workaround:
None.


713491-2 : IKEv1 logging shows spi of deleted SA with opposite endianess

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.


713390-1 : ASM Signature Update cannot be performed on hourly billing cloud instance

Component: Application Security Manager

Symptoms:
ASM Signature Update cannot be performed on hourly billing cloud (AWS) instance. Licenses on these devices cannot be updated and have a fixed Service Check Date (SCD), which must be more recent to allow ASM Signature Update.

Conditions:
Attempt to perform ASM Signature Update on hourly billing cloud (AWS) instance.

Impact:
Performing ASM Signature Update fails.

Workaround:
There is no workaround at this time.


713388-1 : SSL handshake fails for OCSP + TLS false start + SSL hardware acceleration

Component: Local Traffic Manager

Symptoms:
SSL handshake will fail if Client initiate the handshake with TLS false start(Client SSL send the SSL record data to server before Server send out the CCS + FINISHED).

Conditions:
1. Client initiates the SSL handshake with False Start.
2. BIG-IP has SSL hardware acceleration enabled(which is default for for non-VE version).

Impact:
BIG-IP will send the RST to tear down the connection in TLS false start.

Workaround:
1. Disable TLS False Start - that needs to be done on all clients so might not be feasible;
2. Disable SSL acceleration.
3. Disable AES-GCM ciphers in clientssl profile. Without AES-GCM clients will not try to use TLS false start and still be able to use (EC)DHE.


713380 : Multiple B4450 blades in the same chassis run into inconsistent DAG state

Component: TMOS

Symptoms:
Multiple B4450 blades in the same chassis can run into inconsistent DAGv2 state.

Conditions:
More than one B4450 blade in the same chassis.

Impact:
Inconsistent DAG state can cause traffic disruption.

Workaround:
Restart tmm on one blade in the chassis and force the blades to reform the cluster in data plane.


713282-1 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.


713169 : License String 'ASM-VE' was not recognized by the UI in the policy rule page

Component: TMOS

Symptoms:
When a BIG-IP system is licensed with the license string that includes 'ASM-VE' instead of the standard 'ASM', the policy page does not recognize it and does not provide the 'Enable ASM' option.

Conditions:
BIG-IP system is licensed with the license string that includes 'ASM-VE' instead of the standard 'ASM'.

Impact:
The policy page does not recognize it and does not provide the 'Enable ASM' option.

Workaround:
Use TMSH to create policy.


713156-1 : AGC cannot do redeploy in exchange and adfs use case

Component: Access Policy Manager

Symptoms:
In AGC exchanges or Active Directory Federation Services (ADFS) configurations, the system creates an SSL HTML form and SSO HTML form control object. Because of the limitation of ICRD, the system cannot directly delete SSO HTML form control objects.

Conditions:
-- Redeploy occurs in an AGC exchange ADFS configuration.
-- Modifying existing configurations.

Impact:
Redeploy fails, configuration remain unmodified.

Workaround:
Do a undeploy, followed by a deploy.


713134-2 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.


713066-1 : Connection failure during iRule DNS lookup to disabled nameserver can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restart during iRule DNS lookup to disabled nameserver.

Conditions:
RESOLV::lookup command in iRule that tries to connect to a nameserver that is not reachable for any reason.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.


712819-2 : 'HTTP::hsts preload' iRule command cannot be used

Component: Local Traffic Manager

Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].

The message is incorrect: the command has the correct format. However, the system does not run it.

Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.

Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.

Workaround:
None.


712664-2 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting

Conditions:
- transparent vlan-group
 - Virtual Address with ARP disabled
 - Virtual Address corresponds to remote IPv6 host address

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.


712637-2 : Host header persistence not implemented

Component: Local Traffic Manager

Symptoms:
Online documentation describes a persistence mechanism which uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generates an error.

Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.

Impact:
Although this does not impact any existing functionality, the documented function is not available.

Workaround:
There is no workaround at this time.


712500-1 : Unhandled Query Action Drops Stat does not increment after transparent cache miss

Component: Global Traffic Manager (DNS)

Symptoms:
After a transparent cache miss, if the LTM DNS profile has Unhandled Query Action set to Drop, the request is dropped without incrementing the Unhandled Query Action Drops stat.

Conditions:
LTM DNS profile with a Transparent Cache and Unhandled Query Action set to Drop.

Impact:
Inaccurate statistics for the Unhandled Query Action Drops

Workaround:
None.


712489-2 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


712475-3 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not return dig requests.

Conditions:
DNS Express is configured a zone without a server.

Impact:
DNS Express does not return dig requests.

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.


712437-3 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
 myzone.com -- parent
 foo.myzone.com -- child
 
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS can not resolve records correctly.

Workaround:
None.


712362-3 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stalls.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols


#2 Use an irRule:
when SERVER_CONNECTED {
    TCP::collect 15
}
when SERVER_DATA {
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}


712241 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health

Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.

In addition, there might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.


There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
There is no workaround at this time.


712102-2 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row

Solution Article: K11430165

Component: TMOS

Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.

Conditions:
Customizing or changing the HTTP Profile's IPv6 field.

Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.

Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.


711818-3 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.


711683-2 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.


711405-1 : ASM GUI Fails to Display Policy List After Upgrade

Solution Article: K14770331

Component: Application Security Manager

Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.

Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.

Impact:
ASM GUI starting using the REST API from version 13.1.0, so any systems that have been affected by this issue on a previous version now cause the GUI to fail to display the Policy List.

Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
 $dbh->begin_work();
 $dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
 F5::Utils::Rest::populate_uuids(dbh => $dbh);
 $dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.


711281-5 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.


711249-1 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.


710996-2 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP

Component: Local Traffic Manager

Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
IPv4 traffic is sourced from the cluster IP
IPv6 traffic is sourced from the cluster member IP

Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.

Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.

Workaround:
There is no workaround at this time.


710976-1 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


710930 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail

Component: Local Traffic Manager

Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.

Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.

Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.

Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.


710884-1 : Portal Access might omit some valid cookies when rewriting HTTP request.

Component: Access Policy Manager

Symptoms:
Portal Access is not sending certain cookies to the backend application.

Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).

Impact:
Backend application will not receive some cookies and may decide that user is not authenticated.

Workaround:
There is no workaround at this time.


710755-1 : Crash when cached route information becomes stale and the system accesses the information from it.

Solution Article: K30572159

Component: Advanced Firewall Manager

Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.

Conditions:
Use stale cached route information.

Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.

Workaround:
None.


710564 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0

Component: Local Traffic Manager

Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.

Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.

Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.

Workaround:
There is no workaround at this time.


710327-1 : Remote logger message is truncated at NULL character.

Component: Application Security Manager

Symptoms:
When a request including binary null character has been sent to an remote logger, configured for ASM, the request will arrive to the remote destination and will be truncated exactly at binary NULL character.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.

Impact:
Partial request is logged at the remote logger destination.

Workaround:
None.


710305-1 : When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.

Component: Access Policy Manager

Symptoms:
When ASM and APM WebSSO are on same virtual server, WebSSO might generate a new request. When that happens, ASM might see multiple requests with same support ID. This can cause issues with ASM and log errors.

Conditions:
When APM WebSSO is configured (only for Basic, NTLM, Kerberos).

Impact:
ASM stops processing the HTTP requests that have duplicate support IDs, causing an issue to ASM/APM end users.

Workaround:
None.


710277-1 : IKEv2 further child_sa validity checks

Component: TMOS

Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.

Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.

Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.

Workaround:
None.


710232-2 : platform-migrate fails when LACP trunks are in use

Component: TMOS

Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.

Conditions:
You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).

Impact:
Configuration fails to migrate.

Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.


710221-2 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled

Solution Article: K67352313

Component: Local Traffic Manager

Symptoms:
In an high availability (HA) configuration where an FQDN template-node on the 'active' unit is 'Force Offline', and the configuration is synchronized to the 'standby' unit, upon 'Enable' on that FQDN template-node in the 'active' unit (and the configuration is synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.

Conditions:
HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is 'Force Offline' by the user.
-- The user explicitly 'Enable' that FQDN template node on the 'active' unit.

Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to' active', the ephemeral nodes will be refreshed and traffic should continue.

Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.


710173 : TMSH dns-resolver allows route-domain from another partition

Component: TMOS

Symptoms:
User is able to modify a dns-resolver config object in the /Common partition such that TMSH accepts the route-domain name from another partition
Subsequent import of the BIG-IP LTM config into the BIG-IQ fails on this partition validation check.

Conditions:
Import LTM config into BIG-IQ

Impact:
Incorrect dns-resolver configuration and BIG-IQ import failure

Workaround:
N/A


710116-1 : VPN clients experience packet loss/disconnection

Component: Access Policy Manager

Symptoms:
VPN clients experience packet loss/disconnection.

Conditions:
In certain scenarios, the tunnel establishment procedure might leak a small memory. If the tmm is running for a longer duration, this small leak can accumulate and result in out-of-memory condition

Impact:
Connections start to drop as tmm runs out of memory. TMM will eventually run out of memory and connections could be terminated. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


710044-3 : Portal Access: same-origin AJAX request may fail in some case.

Component: Access Policy Manager

Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
It is possible to use iRule to remove default port number from encoded back-end host definition in Portal Access requests, for example:

when RULE_INIT {
  # hex-encoded string for 'https://some.com'
  set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is hex-encoded form for ':443'
  set ::pattern "/f5-w-${encoded_backend}3a343433\$"
  set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
  set ::remove_start [ expr {$::remove_end - 7} ]
}

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "$::pattern" } {
    set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
    HTTP::path "$path"
  }
}


710032-1 : 'No Access' error when viewing GSLB Server's Virtual Server that has a name indicating a partition that does not exist on that bigip.

Component: Global Traffic Manager (DNS)

Symptoms:
The user will get a 'No Access' error message instead of the virtual's properties.

Conditions:
At least 2 BIG-IP in a sync group.
One of the BIG-IP must have a partition that does not exist on the other with an LTM virtual server on that partition.
The issue will happen when a GSLB Server discovers that LTM virtual and displays it on its Virtual Server page.

Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.

Workaround:
Use TMSH to view or edit the properties of that virtual server.


710028-2 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.


709963-2 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.


709952-1 : Disallow DHCP relay traffic to traverse between route domains

Component: Local Traffic Manager

Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.

Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.

Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.

Workaround:
There is no workaround at this time.


709837-2 : Cookie persistence profile may be configured with invalid parameter combination.

Component: Local Traffic Manager

Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.

Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.

Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.

Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.


709828-2 : fasthttp can crash with Large Receive Offload enabled

Component: Local Traffic Manager

Symptoms:
fasthttp and lro can lead to a tmm crash.

Conditions:
fasthttp and lro enabled. (lro is enabled by default >= 13.1.0)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use fasthttp


709670-2 : iRule triggered from RADIUS occasionally fails to create subscribers.

Solution Article: K44067891

Component: Policy Enforcement Manager

Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).

Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.

Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.

Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.


709559-2 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading configuration fails on upgrade

Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2

Impact:
The system won't be functional

Workaround:
Delete or rename "/Common/ssh"


709544-2 : VCMP guests in HA configuration become Active/Active during upgrade

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until upgrade is complete on all chassis in the DSC are finished. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.


709444-2 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured

Component: TMOS

Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:

warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust

Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.

Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.

Workaround:
There is no workaround at this time.


709383-2 : DIAMETER::persist reset non-functional

Component: Service Provider

Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.

Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.

Impact:
not provided by ENE

Workaround:
none


709381 : iRules LX plugin imported from another system with different version does not properly run, and the associated iRule times out.

Component: Local Traffic Manager

Symptoms:
An iRules LX plugin imported from another system with different version does not properly run, and the associated iRule times out. This happens only when importing to 13.1.0 (i.e., does not happen when imported from 12.1.3 to 13.0.0).

Conditions:
When an ILX workspace archive is imported to 13.1.0.

Impact:
Cannot import iRules LX workspaces from older version to version 13.1.0.

Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.


709274-1 : RADIUS Accounting requests egress different self-IPs since upgrade to v13.1

Component: Access Policy Manager

Symptoms:
RADIUS Accounting requests egress different self-IPs since upgrade to v13.1
* START accounting message egresses floating self-IP
* STOP accounting message egresses local self-IP
Some radius messages will come from Floating address, some from Self IP address. The Radius server should be configured to accept all self and floating address of all the devices in the HA group, to ensure all messages are received.

Conditions:
RADIUS server configured with pool option.

Impact:
Causes RADIUS server to be unable to reconcile accounting messages.

Workaround:
In order to reconcile accounting messages they can be tracked through the Acct-Session-Id in RADIUS AVP's message which would be the same for the corresponding START and STOP messages to uniquely identify the session.


709192-1 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart

Component: TMOS

Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.

Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.

Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.

Workaround:
After httpd restart, perform other operation like creating a key/cert before exporting archive file.


709133-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.


709132-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.

Impact:
A off-by-one error causes one byte to write off the end of an array.

Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.


708968-2 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.

Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.


708956-1 : During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
 Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.


708830-2 : Inbound or hairpin connections may get stuck consuming memory.

Component: Carrier-Grade NAT

Symptoms:
When inbound or hairpin connections require a remote Session DB lookup and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They will be stuck in this state until they timeout and expire. In this state UDP connections will queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets will accumulate consuming memory. If the memory consumption becomes excessive, connections may be killed and “TCP: Memory pressure activated” and “Aggressive mode activated” messages will appear in the logs.

Conditions:
A LSN pool with inbound and/or hairpin connections enabled. Lost Session DB messages due to heavy load or hardware failure. Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.

Impact:
Excessive memory consumption that leads to dropped connections.

Workaround:
There is no workaround at this time.


708484-2 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


708415-2 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.


708249-2 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0


708068-2 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalized parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.


707961-2 : Unable to add policy to virtual server; error = Failed to compile the combined policies

Component: Local Traffic Manager

Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.

Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.

Impact:
LTM policy does not compile. Cannot use the policy.

Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.


707953-2 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish the difference in types of licenses.

Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).


707740-4 : Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination

Component: TMOS

Symptoms:
User would get "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers

Conditions:
Attach a gtm monitor to multiple gtm virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port

Impact:
User will not be able to ever delete the un-used gtm monitor

Workaround:
There is no workaround at this time.


707691-4 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
pmtu message is erroneously ignored.

Workaround:
There is no workaround at this time.


707631-2 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI

Component: TMOS

Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.

Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.

Impact:
Loss of TCP profile syn challenge configuration settings

Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead

SYN Challenge

GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled

GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled


GUI Setting: Disable Challenges:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled


707509-1 : Initial vCMP guest creations can fail if certain hotfixes are used

Component: TMOS

Symptoms:
vCMP guest fails to enter the 'provisioned' or 'deployed' states and similar messages can be seen in /var/log/ltm:

-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255

Conditions:
Creating vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.

Impact:
vCMP guest cannot be created.

Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.


707445-3 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.


707391-2 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.

Workaround:
Workaround would be to restart the dynamic routing process.


707320-2 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs

Component: TMOS

Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and a IPv4 last-resort-pool will only spawn an A-type WideIP after the upgrade

Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.

Impact:
Loss of the AAAA-type WideIP configuration item

Workaround:
There is no workaround at this time.


707267 : REST Framework HTTP header limit size increased to 8 KB

Component: TMOS

Symptoms:
HTTP Header size limit causing 'Error getting auth token from login provider' GUI messages.

Conditions:
A client uses an HTTP Header larger than 4kb to make a request to the REST framework.

Impact:
Users will not be able to login or access certain pages in the UI.

Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the entire content HTTP headers is smaller than 4kb.


707244-3 : iRule command clientside and serverside may crash tmm

Component: Local Traffic Manager

Symptoms:
Using clientside and serverside command in iRules may crash tmm.

Conditions:
Using such HTTP commands as HTTP::password in clientside and serverside nesting script.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this point.


707207-1 : iRuleLx returning undefined value may cause TMM restart

Component: Local Traffic Manager

Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where
its jsonrpc v2.0 representation is missing required fields, such as "result".

Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.

Impact:
Traffic is interrupted.

Workaround:
There is no workaround at this time.


707147-1 : High CPU consumed by asm_config_server_rpc_handler_async.pl

Component: Application Security Manager

Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.

Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is enountered

Impact:
A process may consume high CPU even after the high traffic period is finished.

Workaround:
Kill asm_config_server.pl (This will not affect traffic)

Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual


707109-1 : Memory leak when using C3D

Component: Local Traffic Manager

Symptoms:
When using the Client Certificate Constrained Delegation Support (C3D) feature, memory can leak.

Conditions:
Traffic passes through a virtual server with C3D enabled.

Impact:
Memory is leaked.

Workaround:
There is no workaround.


707054-1 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162

Component: Advanced Firewall Manager

Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.

Conditions:
Under syncookie activated condition, SYN Cookie MSS value is set to < 256.

Impact:
Under syncookie activated condition, server side MSS lower than SYN Cookie MSS lower limit cannot be honored on client side. As a result, server side MSS discards data segment if larger than SYN Cookie MSS lower limit.


706845-2 : False positive illegal multipart violation

Component: Application Security Manager

Symptoms:
A false positive multipart violation.

Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.

Impact:
A false positive violation, request rejected.

Workaround:
Might be workaround using an irule


706797-1 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly

Component: Access Policy Manager

Symptoms:
If JavaScript code contains multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, then this character is handled as NEW LINE by Portal Access server-side JavaScript parser. If NEW LINE is not valid in this place, JavaScript code cannot be parsed.

Conditions:
JavaScript code with multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, for example:

  //上 aa bb

(上) gives (4E 0A) in UTF32 form. So this line is processed as the following TWO lines:

  //
  aa bb

The second line is not a valid JavaScript code.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.


706665-2 : ASM policy is modified after pabnagd restart

Component: Application Security Manager

Symptoms:
ASM policy modifications might occur after the the pabnagd daemon is restarted. Modifications include the following:

-- Length attributes might change from 'any' to a low auto learning value.
-- Check signature / metachars might change from unchecked to checked.

This applies for the following entity types:
filetypes, URLs, parameters, cookies, WS URLs, content profiles.

Conditions:
-- Configuration containing a policy in which automatic learning mode is configured.
-- Restart of pabnagd (the automated policy-building operations daemon).

Impact:
ASM policy is modified.

Workaround:
Switch policy builder to manual learning mode.


706642-2 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.


706505-2 : iRule table lookup command may crash tmm when used in FLOW_INIT

Component: Local Traffic Manager

Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.

Conditions:
iRule table lookup command is used in FLOW_INIT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use table lookup in the events after the flow is constructed.


706501 : VCMP guest, tmm continues to restart on Cavium Nitrox PX platform

Component: Local Traffic Manager

Symptoms:
TMM continues to restart on vCMP guest.
/var/log/tmm shows:
<13> Feb 1 00:00:30 slot1/hostname notice ** SIGSEGV **
<13> Feb 1 00:00:30 slot1/hostname notice fault addr: 0x1d8
<13> Feb 1 00:00:30 slot1/hostname notice fault code: 0x1
.
.
.

Conditions:
-- Using the following platforms:
  + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 11xxx.
  + VIPRION 42xx/43xx and B21xx blades.
-- Configure vCMP host and guest.

System has Common Criteria or FIPS mode enabled.

Impact:
vCMP guest can't become active.

Workaround:
There is no workaround.


706423-1 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.

Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.

A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)


706374-4 : [Kerberos SSO] krb5 library need to use threadsafe res_ninit, res_nsearch instead of res_init, res_search

Component: Access Policy Manager

Symptoms:
Kerberos library uses deprecated and non-threadsafe functions to perform DNS SRV requests.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behaviour such as memory corruption or core. However, the occurence is rare since it only impacts concurrent DNS SRV requests to resolve different kdcs.

Workaround:
There is no workaround.


706361 : IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0

Component: Application Visibility and Reporting

Symptoms:
The IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0

Impact:
Lost statistics which related to IPS module

Workaround:
Before upgrade run the following SQL command:
update AVR_CONF_FACT_TABLES set export_dir='/shared/avr_afm' where fact_name="AVR_STAT_IPS";


706102-2 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.


705818-1 : GUI Network Map Policy with forward Rule to Pool, Pool does not show up

Component: TMOS

Symptoms:
When a Virtual Server has a Policy with a rule to forward request to a Pool, the Pool should be associated to the Virtual Server on the Network Map.

Conditions:
Create a Virtual Server with a Policy to forward requests to a Pool.

Impact:
The relationship of the Virtual Server to the Pool via the indirect Policy Rule is not visible in the network map.

Workaround:
No workaround to the visual.


705730-1 : Config fails to load due to invalid SSL cipher after upgrade from v13.1.0

Component: TMOS

Symptoms:
Config with apparently invalid SSL cipher entry fails to load after upgrade from v13.1.0, and requires a manual config load after upgrade: 'tmsh load sys config'

This occurs because starting in v13.1.0, 'https' monitors rely upon SSL-attributes configured through a 'serverssl' profile, which does not support the 'kEDH' cipher; but the 'kEDH' cipher was a default cipher for previous releases (where 'https' relied upon 'OpenSSL').

Conditions:
-- Config uses 'https' monitors.
-- Upgrade occurs from v13.1.0 to a later version.

Impact:
The configuration fails to load, an error message is issued, and the device remains offline until a manual config load is performed.

Workaround:
You can use either of the following workarounds:

-- After upgrade from v13.1.0, perform manual config load by running the following command: tmsh load sys config

(This works because upon a manual config load command ('tmsh load sys config'), the system replaces the existing 'https' ciphers with defaults appropriate for a 'serverssl' profile in the new version of the software. Even though the system posts an error referencing the invalid 'kEDH' cipher, the device will become 'Active' seconds later, and new default ciphers will be established for 'https' monitors.)

-- Remove 'https' monitors prior to upgrade, and add again after upgrade.


705651-1 : Async transaction may ignore polling requests

Component: TMOS

Symptoms:
Querying for the status of an asynchronous transaction by making a GET request may cause the query to block. The transaction will complete, even though the query may return an error status (400) to indicate that the GET request timed out.

Conditions:
A typical asynchronous transaction that returns a 202 status to indicate that you successfully created a transaction.

Impact:
The query returns an error.

Workaround:
To avoid having the query request block, refrain from querying the transaction for status.


705456-1 : VCMP Guests unable to install block-device-image ISOs when http->https redirection is enabled

Component: TMOS

Symptoms:
ISOs of type block-device-image do not show up on VCMP Guests and are not available for installation when http->https redirection is enabled.

Conditions:
VCMP Guest has http->https redirection enabled.

Impact:
Not all available images are installable.

Workaround:
User must manually copy images to VCMP guest.


705387 : HTTP/2, ALPN and SSL

Component: Local Traffic Manager

Symptoms:
The SSL filter will not always add the ALPN extension.

Conditions:
If the negotiated cipher is not HTTP/2 compliant, the SSL filter may not add the ALPN extension.

Impact:
The failure to add the ALPN extension may result in the failure to negotiate the proper protocol.

Workaround:
There is no workaround at this time.


705037-2 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.


704804-1 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.


704764-3 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks pool members down, whose address include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. If case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.


704733-1 : NAS-IP-Address will be sent with the bytes backwards

Component: TMOS

Symptoms:
The NAS-IP-Address will have the address of the local device sent with the bytes backwards (78.56.30.172 where 172.30.56.78 would be expected).

Conditions:
This affects IPv4 addresses only.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.


704587-2 : Authentication with UTF-8 chars in password fails for ActiveSync users

Solution Article: K15450552

Component: Access Policy Manager

Symptoms:
ActiveSync end users cannot login to the server.

Conditions:
-- ActiveSync end users.
-- UTF-8 characters in the password.

Impact:
ActiveSync service will be unavailable.

Workaround:
Put a Variable Assign agent after Logon Page with following assignment:

(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass


704546 : Symlinks may be corrupted by upgrade

Component: TMOS

Symptoms:
In rare cases after a software version upgrade, a corrupted symbolic link that points to a nonexistent file may exist. Processes that try to use the file will fail, often generating the message 'No such file or directory'.

Conditions:
Happens after an upgrade.

This rarely encountered issue occurs when the symlink points to an absolute path (/a/b/c/d) rather than a relative one (if you are in /a/b, then the target would be c/d).

Impact:
A symlink is broken, but it depends on whether the symlink is necessary to BIG-IP operation as to whether a problem will be immediately apparent.

Workaround:
If creating a symlink is necessary, use a relative path rather than an absolute one.

If this condition is found, use the following command to rebuild the symlink:

ln -fs <target> <symlink_name>


704524-4 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.


704450-3 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.


704449-2 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.


704336-1 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.


704247-2 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Solution Article: K07356404

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.


704198-3 : GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd;
Secondary blade restarting in a loop.

Conditions:
Modify monitor for gtm objects using tmsh with replace-all-with.

Impact:
There is an leaked/extra monitor instance;
Restarting secondary slot will result in a restart loop.

Workaround:
Restart services, but this might change primary slot:
# bigstart restart


704143-1 : BD memory leak

Component: Application Security Manager

Symptoms:
A BD memory leak.

Conditions:
websocket traffic with specific configuration

Impact:
Resident memory increases, swap getting used.

Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.


703669-2 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.


703580-1 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.

Component: Local Traffic Manager

Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)

Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.

Impact:
TLS1.1 handshake fails on the guest.

Workaround:
Use the same software version on the vCMP host and vCMP guests.


703515-3 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
Custom persistence key is not a multiple of 3 bytes

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.


703509-2 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.


703225 : DoS Visibility does not support displaying more than 500 Attacks and/or Virtuals

Component: Application Visibility and Reporting

Symptoms:
If there are more than 500 Attacks or Virtual Servers in the system at a given time, DoS Visibility is unable to consistently show all relevant data. The reasons are both technical and due to performance considerations.

This applies to the attacks chart and table, and the virtuals table in the center of the dashboard page, not the dimension widgets on the right side. They work consistently.

Conditions:
More than 500 Virtual Servers exist, or/and more than 500 DoS Attacks are logged in the selected time period.

Impact:
Not all attacks/virtuals will be displayed on the DoS Visibility overview page.

Workaround:
Zoom in to a shorter time period or use filters to limit the amount of displayed data. Once number of attacks and virtuals go under 500, data should be correct.


703196-5 : Reports for AVR are missing data

Component: Application Visibility and Reporting

Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.

Conditions:
Using AVR statistics.

Impact:
Expected AVR statistics may be missing.

Workaround:
Run the following shell command on BIG-IP:

sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql


703090 : With many iApps configured, scriptd may fail to start

Component: TMOS

Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:

"script has exceeded its time to live, terminating the script"

Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.

Impact:
The error message will show up, and some instances of the script will not run.

Workaround:
Restarting scriptd will resolve the issue.


703045-1 : If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.

Component: TMOS

Symptoms:
TMSH commands with deprecated attributes will fail if used in iAPP.

Conditions:
TMSH commands with deprecated attributes will fail if used in iAPP. This is so whether the iAPP is activated during the upgrade process or simply run under iAPP service at the user display.

Impact:
TMSH commands will not execute like create command will result in no objects (eg monitor, virtual server etc) being created.

Workaround:
Try to avoid deprecated attributes of the object in the iAPP.


702792-1 : Upgrade creates Server SSL profiles with invalid cipher strings

Component: Local Traffic Manager

Symptoms:
Upgrade of BIG-IP creates Server SSL profiles for custom HTTPS monitors that may have an invalid Ciphers attribute. This will not prevent the configuration from loading, but attempting to modify the existing SSL profile or create a new one with matching configuration will fail:

    01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile

Conditions:
Custom HTTPS monitors configured prior to an upgrade will result in these profiles being created during the upgrade. The default HTTPS cipherlist is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list, but is not a valid Client SSL / Server SSL cipher list.

Impact:
Upgrade creates configurations that are challenging to manage as a result of MCPD validation.

Workaround:
Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations.

For instance, "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".


702738-1 : Tmm might crash activating new blob when changing firewall rules

Solution Article: K32181540

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.

Conditions:
Updating, removing, or adding firewall rules.

Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.

Impact:
Data traffic processing stops.

Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).

Option B
Modify all the rules simultaneously.

For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }

4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.


702450-1 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.


702310-1 : The ':l' and ':h' options are not available on the tmm interface in tcpdump

Component: TMOS

Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.

Conditions:
Running tcpdump.

Impact:
Packet capture on the tmm interface from the Linux side or the host side of tmm interface is not possible.

Workaround:
There is no workaround at this time.


702296-1 : Importing the LocalDB csv file fails

Component: Access Policy Manager

Symptoms:
Using the Excel sheet to edit and save the LocalDB CSV breaks the Import functionality.

Conditions:
Admin Exports the LocalDB CSV file ( Access->Authentication->Local User DB->Users -> Export to CSV)
Admin edits the file using Excel Sheet and saves it
Admin Imports the CSV file

Impact:
File saved using Excel Sheet cannot be used for Import

Workaround:
Dont use excel sheet to edit the file.
Use a simple text editor (like Textpad , vim) to edit and save the file.


702151-1 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.


701977-1 : Non-URL encoded links to CSS files are not stripped from the response during concatenation

Component: WebAccelerator

Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.

Conditions:
White space in the URLs.

Impact:
As above.

Workaround:
No workaround at this time.


701898-1 : Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups

Component: TMOS

Symptoms:
Upgrading from a version of 13.0.0 other than the base build may result in failure depending on the values of the virtual address route-advertisement setting. If set to "selective", "any", or "all", the configuration will fail with an error similar to this in /var/ltm/log:

load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 13.0.0 Syntax Error:(/config/bigip.conf at line: 1790) invalid property value "route-advertisement":"selective"

Conditions:
- Upgrading from a version of 13.0.0 other than the base (i.e. HF1 or later).
- Upgrading to 13.1.0 or later.
- At least one virtual address with its route-advertisement value set to "selective", "any", or "all".

Impact:
Configuration will not load.

Workaround:
Prior to the upgrade:
1. Note any virtual address route-advertisement settings that are "selective", "any", or "all".
2. Change all of these values to either "enabled" or "disabled" (note that this will change their route advertisement behavior temporarily).
3. Perform the upgrade.
4. Change the route advertisement settings back to their original values.


701826 : qkview upload to ihealth fails or unable to untar qkview file

Component: TMOS

Symptoms:
qkview upload to ihealth fails unable to untar qkview file.

Conditions:
When qkview file is untarred, it creates a same directory name in loop as below and fails to untar successfully.

.../dir1/
.../dir1/dir1/
.../dir1/dir1/dir1/
...

This happens due to dangling symlink dir1 which points to nothing.

[root@localhost:Active:Standalone] config # ls -l /config/bigip/auth/pam.d/dir1
lrwxrwxrwx. 1 root root 64 2018-01-30 08:56 /config/bigip/auth/pam.d/dir1 ->
[root@localhost:Active:Standalone] config # stat /config/bigip/auth/pam.d/dir1
  File: `/config/bigip/auth/pam.d/dir1' -> `'
  Size: 64 Blocks: 8 IO Block: 4096 symbolic link
Device: fd16h/64790d Inode: 112045 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-01-30 08:56:20.000000000 -0800
Modify: 2018-01-30 08:56:20.000000000 -0800
Change: 2018-01-31 08:39:35.000000000 -0800
[root@localhost:Active:Standalone] config #

Impact:
Unable to untar qkview or qkview upload to ihealth fails.

Workaround:
Identify the dangling symlink and delete. Then generate qkview or use ihealth to generate qkview and upload to ihealth.


701722-1 : Potential mcpd memory leak for signed iRules

Component: TMOS

Symptoms:
There is an MCP memory leak that occurs when th message "Signature encryption failed" is seen in /var/log/ltm.

Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.

Impact:
MCP leak memory.

Workaround:
Resolve the signature encryption issue.


701690-1 : Fragmented ICMP forwarded with incorrect icmp checksum

Solution Article: K53819652

Component: Local Traffic Manager

Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.

Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or SNAT/NAT only when a fragmented ICMP packet is received and is expected to be passed through the virtual server (or SNAT or NAT).

Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.

Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.


701637 : Crash in bcm56xxd during TMM failover

Component: Advanced Firewall Manager

Symptoms:
During a TMM failover, such as after an upgrade to 13.1.0; bcm56xxd may crash.

Conditions:
TMM failover.

Impact:
Restart of bcm56xxd, temporary loss of network connectivity.


701555-1 : DNS Security Logs report Drop action for unhandled rejected DNS queries

Component: Advanced Firewall Manager

Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.

Conditions:
DNS profile set unhandled-query-action reject.

Impact:
Incorrect event log. This is an incorrectly logged event and doe not indicate an issue with the system

Workaround:
None.


701529-1 : Configuration may not load or not accept vlan or tunnel names as "default" or "all"

Component: TMOS

Symptoms:
As a result of a known issue, configurations containing vlan or tunnels named "default" or "all" are no longer accepted.

Conditions:
Attempting to configure this will result in a log message similar to the following:

root@(f5-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel default profile ppp
01070712:3: Cannot create tunnel 'default' in rd1 - ioctl failed: Invalid argument

Impact:
A configuration that contained this in earlier versions and upgraded to the affected version will fail to load.

Workaround:
Change or rename all instances of vlans and/or tunnels named "default" or "all"


701387-2 : qkview will not collect files greater than 2 GB

Component: TMOS

Symptoms:
Due to a limitation of the file compression library employed by qkview, it cannot collect files greater than 2 gb in size. qkview will abort when encountering such a file, and not produce a resulting qkview file.

Conditions:
A file exists in a directory that qkview normally collects.

Impact:
No qkview diagnostics file is created.

Workaround:
Remove the file greater than 2gb in size.


701341-1 : If /config/BigDB.dat is empty, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system will fail to start up, and mcpd will continually restart.

Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)


701289-1 : LTM v12.1.2: Static BFD with BIG-IP floating IP address

Component: TMOS

Symptoms:
In a HA configuration BFD session on both Active and Standby nodes can be configured with the same floating Self IP as a source IP address. This ends up with both Active and Standby nodes to actively send BFD Control packets to BFD neighbor. Responses from BFD neighbor are delivered to the Active node only. In effect not only the state of the session mismatches on Active and Standby node, also BFD Control packets send different information that disturbs the session.

Conditions:
- BFD sessions on HA Active and Standby have the same floating Self IP as a source IP address.

Impact:
BFD session gets disturbed both on HA Active node and BFD neighbor that might end up with invalidation of the route to the BigIP.

Workaround:
Workaround can be to manually disable BFD session on Standby node, however on failover the session would need to be manually restored.

Other workaround can be to use non-floating Self IP as a source IP address of BFD Control packets, this however might require some additional logic on the BFD neighbor side.


701249-1 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.


700897-1 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG

Component: TMOS

Symptoms:
sod consumes excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.

Conditions:
When the number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.

Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.

Workaround:
There is no workaround at this time.


700895-1 : GUI Network Map objects in subfolders are not being shown

Solution Article: K34944451

Component: TMOS

Symptoms:
Objects created in subfolders under a partition are not showing up in the GUI Network Map when selecting the partition.

Conditions:
-- Create a virtual server under a subfolder.
-- View Network Map while /Common is the active partition.

For example:

1. Create a subfolder such as /Common/subfolder.
2. In that subfolder, create a virtual server such as /Common/subfolder/virtualserver1.
3. Select /Common as the partition.
4. View the Network Map.

The virtual server /Common/subfolder/virtualServer1 is not shown on the Network Map.

Impact:
Cannot see the objects in the subfolder.

Workaround:
Select the partition 'All[Read Only]' to see all objects in subfolders.


700889-3 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Solution Article: K07330445

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7 which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not using WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.


700827-4 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. It can be observed for example by running "tmsh show sys tmm-traffic".

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a Big-Ip.


700757-1 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd


700597-1 : Local Traffic Policy on HTTP/2 virtual server no longer matches

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies may not match properly when a virtual server is handling HTTP/2 traffic.

Conditions:
Virtual server with Local Traffic Policy and HTTP/2 profile.

Impact:
Traffic fails to pass through the virtual server, or fails to be processed as expected.

Workaround:
If able, use HTTP rather than HTTP/2. Or disable the policy. Otherwise there is no workaround.


700576-1 : GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"

Component: TMOS

Symptoms:
In the GUI, the ServerSSL Profile options "Expire Certificate Response Control" and "Untrusted Certificate Response Control" are shown as stand alone options, yet those settings are not honored when the "Server Certificate" option is set to "Ignore" (default).

Conditions:
Create server SSL profile with "Server Certificate" option is set to "Ignore" (default).
It shows "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options, yet those settings are not honored.

Impact:
No functional Impact, it may cause confusion allowing view/modify for irrelevant options.

Workaround:
No functional Impact, Expire Certificate Response Control" and "Untrusted Certificate Response Control" options can be ignored when "Server Certificate" option is set to "Ignore" (default).


700433-1 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
MCP's memory increases when deleting and adding an LTM policy attached to a virtual server.

Conditions:
-- LTM policies must be in use.
-- A policy with at least one rule. (Note: A rule with actions or conditions will leak more memory.)
-- Add the policy to a virtual server.

Impact:
MCP may run slower when memory is low. If all memory is used up, MCP will crash, which will cause a failover or outage.

Workaround:
None.


700426 : Switching partitions while viewing objects in GUI can result in empty list

Solution Article: K58033284

Component: TMOS

Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.

Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.

For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.

Impact:
The list of pools is empty despite the fact that there are pools available.

Workaround:
Return to the first page of objects before switching to any other partition.


700386-2 : mcpd may dump core on startup

Component: TMOS

Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.

Conditions:
This can happen only at startup.

Impact:
mcpd restarts, but resumes normal operation.

Workaround:
None.


700322-2 : Upgrade may fail on a multi blade system when there are scheduled reports in configuration

Component: Application Visibility and Reporting

Symptoms:
Unable to upgrade to newer version or hotfix fail. Secondary slot always fails upgrade with the following error in var/log/liveinstall.log:

error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/fbSBcyXrsz.ucs
info: >++++ result:
info: Saving active configuration...
info: Thrift: Tue Dec 19 10:53:45 2017 TSocket::open() connect() <Host: localhost Port: 9090>Connection refused
info: Error during config save.
info: Unexpected Error: UCS saving process failed.

Conditions:
1) System has two or more slots (multi-blade)
2) There are scheduled reports in configuration.

Impact:
Upgrade fails.

Workaround:
1) Save configuration for scheduled reports aside.
2) Remove all scheduled reports from configuration.
3) Perform upgrade.
4) Add scheduled reports back to configuration.


700250-3 : qkviews for secondary blade appear to be corrupt

Solution Article: K59327012

Component: TMOS

Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.

Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.

Impact:
The system posts the following messages:
    gzip: stdin: unexpected end of file
    tar: Child returned status 1
    tar: Error is not recoverable: exiting now


Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.

Workaround:
None.


700247 : APM Client Software may be missing after doing fresh install of BIG-IP VE

Solution Article: K60053504

Component: TMOS

Symptoms:
apm client software checks is broken in VM created with BIG-IP-13.1.0.1.0.0.8.ALL-scsi.ova.

Conditions:
Any software instance created by deployment of any OVA for the affected software versions.

Impact:
APM endpoint inspection feature (for Mac, windows and Linux clients). [Users affected]
Configuration of APM client software check APM Visual policy editor. [Admin UI]
APM Client package @ Connectivity / VPN : Connectivity : Profiles if you select "Web Browser Add-ons for BIG-IP Edge Client" option. [Admin UI]

Workaround:
Try the "epsec refresh" commands again after removing all environment locks on the shared RPM database using the following command:

rm /shared/lib/rpm/__db.*
epsec refresh


700143-2 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No work around for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.


700086-1 : AWS C5/M5 Instances do not support BIG-IP VE

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.

Conditions:
BIG-IP VE on AWS C5/M5 instances.

Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.

Workaround:
None.


700061-4 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file

Component: Local Traffic Manager

Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key files Unix permission changes from '-rw-r-----' to
'-rw-r--r--'

Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.

Impact:
Key file Unix read permission changes from '-rw-r-----' to
'-rw-r--r--'

Workaround:
There is no workaround at this time.


700056-1 : MCPD may lock up and restart when applying Local Traffic Policy to virtual server

Solution Article: K05350542

Component: Local Traffic Manager

Symptoms:
mcpd becomes unresponsive and restarts every five minutes while trying to load the configuration, or trying to apply a configuration change that associates a particular Local Traffic Policy to a virtual server.

Conditions:
- Virtual servers configured.
- Specific policies configured and attached used by virtual servers.

Only policies configured in a specific way will trigger this situation. The specifics are not well understood, however, the vast majority of Local Traffic Policies are unaffected by this issue.

Impact:
The BIG-IP system will be inoperative as mcpd will be unresponsive and restarts every five minutes.

Workaround:
There is no workaround.


700035-5 : /var/log/avr/monpd.disk.provision not rotate

Component: Application Visibility and Reporting

Symptoms:
the log file may fill-up /var partition

Conditions:
there is no special condition for this issue - if the log is big it won't rotate

Impact:
the log file may fill-up /var partition

Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision


699898-2 : Wrong policy version time in policy created after synchronization between active and stand by machines.

Component: Application Security Manager

Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.

Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.

Impact:
Policy version timestamp on standby system is not synchronized properly.

Workaround:
Run full synchronization again from active system to the group.


699758 : Intermittent connection resets are seen in HTTP/2 gateway when HTTP/2 preface is sent to server

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection in gateway scenario is reset when HTTP/2 preface makes it to the server instead of being consumed by the BIG-IP system. The backend connection to the server in gateway scenario is an HTTP/1 connection. The connection is reset when HTTP/2 preface is sent on the backend connection instead of being consumed by the BIG-IP system.

Conditions:
HTTP/2 gateway is configured.

Impact:
HTTP/2 connection reset is seen.

Workaround:
None.


699431-3 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Impact:
The table entry will be remain until the box resets.

Workaround:
There is no workaround at this time.


699426-1 : RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.

Component: Local Traffic Manager

Symptoms:
If a blade already known to statsd goes down, statsd continues to update the blade's /var/rrd/bladeXcpu file
If a new blade joins and is announced to statsd, statsd stops updating all /var/rrd/bladeXcpu files especillay if it did not have prior knowledge of the blade.

Conditions:
If statsd is restarted after the blade is disabled, or goes down, and after that the blade rejoins the cluster, the /var/rrd/bladeXcpu files stop updating (where X is the blade number).

Impact:
Data of those files is not updated. This impacts the graphs generated from these files.

Workaround:
Execute the command "bigstart restart statsd" after the new blade has joined the cluster.


699267-2 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled

Impact:
LDAP Query agent fails.
unable to get user identity.
unable to finalize Access Policy.


699076-1 : URI::path iRules command warns end and start values equal

Component: Local Traffic Manager

Symptoms:
URI::path iRules command warns end and start values equal

Conditions:
The end and start values equal

Impact:
Warning message shows in console.

Workaround:
Ignore the warning.


698992-1 : Performance degraded

Component: Performance

Symptoms:
Portal access performance had a slight performance degradation. This was identified to be due to a new queuing strategy implemented to improve per-request policy auth use-case performance for higher end platforms in the 13.0 release. The nature of the problem is such that overall system degradation may be observed if APM is provisioned and per-request policy is not used.

Conditions:
APM is provisioned, but functionality is not related to per-request policy.

Impact:
Performance will be slightly lower under load.

Workaround:
None.


698984-1 : Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned

Component: Access Policy Manager

Symptoms:
The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, and when ACCESS::restrict_irule_event is disabled and HTTP_RESPONSE_RELEASE events are detected with the assigned iRules.

Conditions:
Steps to Reproduce:
1. Define the following iRule in the virtual server.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set u [ HTTP::uri ]
    log local0. "XXX: [ HTTP::uri ]"
}
when HTTP_RESPONSE_RELEASE {
    log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]"
    set l [ HTTP::header Location ]
    if { $l starts_with {/my.policy} } {
       append l {?modified_by_irule=1}
       HTTP::header replace Location $l
    } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } {
        # Next response will be the real response to the client.
        ACCESS::log "XXX: lp_seen"
        set lp_seen 1
    }
    if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } {
        unset lp_seen
        HTTP::header insert X-MyAppSpecialHeader 1
    }
}
2. Configure START :: LOGON PAGE :: ALLOW policy.
3. Access the virtual server.

Impact:
TCP reset triggered when it should not. With respect to the specific condition described, the system should post the logon page.

Workaround:
Manually disable Tmm.HTTP.TCL.Validation.


698947-2 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.

Component: TMOS

Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.

Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.

Impact:
The decapsulated packets may be dropped in the BIG-IP system.


698933-1 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.

Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.


698619-2 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This triggers a FDB flush and can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.


698432-2 : Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
Loading a UCS in a vCMP guest which was taken from a different guest or a hardware device can produce the following error messages:

warning mcpd[5953]: 012a0004:4: halStorageRead: unable to read storage on this platform.
warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

This is a cosmetic issue that occurs when the encrypted master key on a VCMP guest cannot be decrypted with the unit key of that system. This most often occurs when a UCS taken on a different guest is loaded.

Conditions:
Taking a UCS from one vCMP guest or hardware device and loading it onto a different vCMP guest.

Note: F5 does not support this configuration.

Impact:
Although there is no adverse effect on the system, error messages will be logged.

Workaround:
None.


698420-1 : SSL handshake fails for some servers if their root certificates are not in the configured CA bundle

Component: Local Traffic Manager

Symptoms:
SSL code builds the chain only until it can find the first trust anchor. However, the OCSP and CRL code builds the chain all the way up to the root. In a case where the intermediate cert was found, but the root was not found in the CA bundle, the cert chain building fails and the handshake will be aborted.

Conditions:
Forward Proxy and OCSP are enabled on a serverssl profile

Impact:
SSL handshake fails for some servers if their root certificates are not in the configured CA bundle.

Workaround:
Upgrade the ca bundle used to configure 'Trusted Certificate Authorities' on ServerSSL profile to include the root certificate for the server.


698361-1 : The ASM-FPS fingerprint is not presented in dashboard

Component: Advanced Firewall Manager

Symptoms:
The fingerprint is not presented in dashboard.

Conditions:
An iRule selects the FPS profile (by using ANTIFRAUD::enable).

Impact:
No fingerprint presented. Missing reporting.

Workaround:
None.


698333-1 : TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)

Solution Article: K43392052

Component: Advanced Firewall Manager

Symptoms:
TMM would core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families).

Conditions:
This occurs in the following scenario:
-- Enable Network and DNS BDOS simultaneously (on DoS Device config).
-- Generate dynamic signature that has both network and DNS metrics.
-- Wait for signature to be moved to 'past' (persist) state.
-- Disable either network or DNS BDOS (but not both).
-- TMM cores if the traffic matches this signature.

Impact:
Traffic interruption due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


698307-1 : Datasafe: Fingerprinting code runs, but is not needed.

Component: Fraud Protection Services

Symptoms:
When both datasafe and fingerprint are enabled, fingerprint collection code will be unnecessarily run on the clientside. The results of this collection are not used.

Conditions:
Both datasafe and fingerprint are enabled.

Impact:
Extra resources requested from the BIG-IP system by the client.

Workaround:
To turn off fingerprint, use the following syntax:

tmsh modify security anti-fraud profile <PROFILE_NAME> { fingerprint { collect disabled} }


698211-1 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Solution Article: K35504512

Component: Local Traffic Manager

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
Delete a wildcard resource record to the related DNS express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.


698085 : Transparent mode vlan-group may not work on vcmp guests

Component: TMOS

Symptoms:
Traffic not being passed through

Conditions:
Steps to Reproduce:
1) configure a vcmp guest and map the vlans(serverside and clientside) on the host to the vcmp guest
2) configure a vlan-group with transparent mode and attach the vlans configured above on the vcmp guest.
3) Set the vlan group to bridge all traffic.
4) Configure a host each on clientside and serverside host and attach the corresponding vlans.
5) Configure selfips from the same subnet on client, vcmp guest and server.
6) Try to send traffic from client to server or vice-versa.

Impact:
No traffic flow between client-server under this configuration.

Workaround:
N/A


698084-3 : IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs

Solution Article: K03776801

Component: TMOS

Symptoms:
Some groups of messages logged by tmipsecd are missing the errdefs annotation that identifies IPsec as the module. Messages reported when tunnels go up and down, or problems with listeners, go only to ltm logs, with no visibility to bigiq logs.

Conditions:
Missing the IPsec module subset ID.

Impact:
Missing IPsec messages in the bigiq logs.

Workaround:
No workaround at this time.


698013-1 : TACACS+ system auth and file descriptors leak

Solution Article: K27216452

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.

Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.


697988-3 : During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%

Component: Local Traffic Manager

Symptoms:
During config sync, if many (hundreds) of client-ssl profiles are attached to a virtual server, the CPU may spike to 100%.

Conditions:
-- Many (hundreds) of client-ssl profiles are attached to a virtual server.
-- Config sync is executed.

Impact:
If enough client-ssl profiles are attached, the watchdog could fire, crashing tmm and causing service disruption. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not attaching hundreds of client-ssl profiles to a virtual server, or disabling config sync.


697766-1 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'

Solution Article: K12431303

Component: TMOS

Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen

isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.

Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than than version 11.6.1.

In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:


   router isis isisrouter
   is-type level-2-only
   authentication mode md5
   authentication key-chain keychain-isis
   lsp-refresh-interval 5
   max-lsp-lifetime 65535
   net 49.8002.00c1.0000.0000.f523.00

Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.

Workaround:
None.


697615-1 : neurond may restart indefinitely after boot

Component: TMOS

Symptoms:
The neurond daemon may continually restart after a reboot. The problem may persist even after a reboot of the BIG-IP. Manually stopping and starting neurond will not resolve the problem.

Conditions:
- 13.1.0 and later.
- Only happens after a reboot of the BIG-IP.

Impact:
The BIG-IP system constantly logs:

emerg logger: Re-starting neurond

The /var/log/neurond logfile will contain these messages similar to:


<7> Feb 2 10:53:59 neurond_i2c_config_steps: STEP 20 Checking for Lane Alignment
<0> Feb 2 10:54:00 neurond_i2c_config_steps: Timeout waiting for good rx_align for ILK1 of NSP
<0> Feb 2 10:54:00 neurond_i2c_config: neurond_i2c_config_steps failed.

Workaround:
If you are not using FIX, disabling the neurond service is a safe option.

If you rely on the FIX feature, a cold reboot by removing the BIG-IP from the power may resolve the problem.


697424-1 : iControl-REST crashes on /example for firewall address-lists

Component: TMOS

Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.

Conditions:
Making a call to /example on firewall address-list.

Impact:
The icrd_child process crashes.

Workaround:
There is no workaround other than not calling /example on firewall address-lists.


696755 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP provides a client side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached in BIG-IP with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag causing the client to ignore the rest of the response body.

Conditions:
BIG-IP has a virtual where HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}


696732-3 : tmm may crash in a compression provider

Solution Article: K54431534

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes, Traffic disrupted while tmm restarts.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly


696731-3 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administrative disabling an interface on BIG-IP

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.


696260-1 : GUI Network Map as Start Screen broken

Solution Article: K53103420

Component: TMOS

Symptoms:
If the Network Map is set as the Preferences Start Screen, the GUI will display a database error page.

Conditions:
Set System :: Preferences : Start Screen to Network Map.

Impact:
Error page is displayed.

Workaround:
Navigate to the Network Map via the left navigation menu: Local Traffic :: Network Map.


696201-1 : Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation

Component: Advanced Firewall Manager

Symptoms:
AFM might generate a dynamic signature for those bins that have a very low learnt threshold during the learning phase, if the current traffic rate spikes and increases above the anomaly threshold floor db variable value as specified by l4bdos.anomaly.threshold.floor

Conditions:
AFM dynamic signature feature is enabled.

Impact:
This might cause AFM to generate signatures with higher false positives.

This is specifically due to incorrect application of db variable setting 'l4bdos.anomaly.threshold.floor' that should be interpreted as the 'floor' value of learnt thresholds for any bin. So, if the learnt threshold of a bin is lower than this db variable, the baseline threshold of the bin should be set to the db variable for anomaly detection phase.

Workaround:
There is no workaround at this time.


695925-1 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using tmsh show sys connection


695109-1 : Changes to fallback persistence profiles attached to a Virtual server are not effective

Solution Article: K15047377

Component: Local Traffic Manager

Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.

Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.

Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.

Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.


694934-1 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.


694849-1 : TMM crash when packet sampling is turned for DNS BDOS signatures.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes upon traffic matching a DNS BDOS signature if packet sampling is turned on by enabling db variable (l4bdos.signature.sample.packet.frequency).

Conditions:
DB variable l4bdos.signature.sample.packet.frequency is modified to a non-zero value (to collect DNS packet info upon matching a DNS dynamic signature).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the packet sampling feature for BDOS signatures by setting the db variable l4bdos.signature.sample.packet.frequency to default value (0).


694778-1 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Component: Local Traffic Manager

Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).

Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Workaround:
There is no workaround other than to disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable


694697-1 : clusterd logs heartbeat check messages at log level info

Solution Article: K62065305

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice.


694696-5 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.


694547-2 : TMSH save sys config creates unneeded generate_config processes.

Component: TMOS

Symptoms:
When saving a configuration through TMSH or iControl REST, a process called generate_config is created.

Conditions:
Run tmsh save sys config, or the same command through iControl REST.

Impact:
One generate_config process will be generated per save operation. If config save occurs often, these extraneous processes can slowly fill up the process table.

Workaround:
There is no real workaround except to not save the config often enough to fill up process table with these extraneous processes.

If the process table is full, to recover, you can restart tmsh, scriptd, or restjavad to clear out these unneeded processes.


693996-5 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


693884-1 : ospfd core on secondary blade during network unstability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
Dynamic routing process ospfd core on secondary blade.

Workaround:
None.


693694-1 : tmsh::load within IApp template results in unpredicted behavior

Component: iApp Technology

Symptoms:
tmsh::load command within IApp template triggers transaction within transaction and it is not supported by the MCP. One of the unexpected behavior seen is with the template having ASM policy and LTM policy. IApp framework doesn't let user to reconfigure the application service without turning off strict updates and also on rerunning, breaks association of LTM Policy with ASM Policy

Conditions:
tmsh::load command need to be used in in template to create ASM policy. With this tmsh::create there is no issue seen.

Impact:
Association b/w LTM Policy and ASM Policy broken

Workaround:
Use tmsh::create or tmsh::modify to create/update ASM policy through IApp template


693611-3 : IKEv2 ike-peer might crash on stats object during peer modification update

Component: TMOS

Symptoms:
A crash occurs upon passing traffic through the IPsec interface.

Conditions:
When an ike-peer is updated, or first defined at startup.

Impact:
Tmm restarts on crash.

Workaround:
No workaround is known at this time.


693582-1 : Monitor node log not rotated for icmp monitor types

Component: Local Traffic Manager

Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.

Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp

Impact:
Depending on the affected BIG-IP version in use, affects may include:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.

Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).
If symptom #1 (from Impact section above) occurs, Monitor Logging can be re-enabled after log rotation has occurred.
To address symptom #2 or #3 (from Impact section above), Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors


693563-1 : No warning when LDAP is configured with SSL but with a client certificate with no matching key

Solution Article: K22942093

Component: TMOS

Symptoms:
When LDAP auth is configured with SSL:

- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.

Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.

Impact:
LDAP auth fails. There is no warning that the auth failed.

Workaround:
Configure a key that matches the specified client certificate.


693308-1 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Component: Local Traffic Manager

Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both, client and server side
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Impact:
The backend server will not be securely accessible via SSL because the connection hangs

Workaround:
Disable SSL Session Persistence.


693206 : iSeries LCD screen is frozen on a red spinning 'please wait' indicator

Component: TMOS

Symptoms:
There are conditions where the LCD looks frozen on a red spinning 'please wait' indicator. Known conditions include: power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Conditions:
This occurs during power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Impact:
iSeries LCD screen is frozen on a red spinning 'please wait' indicator. At this point the LCD screen is not usable until it is reset.

Workaround:
Using a command line prompt, from either the front panel management port or serial port, issue the following IPMI commands to reset the LCD module:

ipmiutil cmd 00 20 e8 29 5 1
ipmiutil cmd 00 20 e8 29 5 0


693106-1 : IKEv1 newest established phase-one SAs should be found first in a search

Component: TMOS

Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.

If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BigIP, preferring a newest SA may mitigate the problem.

Conditions:
The situation seems mostly easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.

If the other end deletes a duplicate without sending a DELETE message to BigIP, we might accidently use the older SA of a pair.

Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.

Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.


692371 : Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log

Component: TMOS

Symptoms:
Unexpected warnings in the LTM log indicating Octeon, Nitrox, and/or Super IO recovery happening in BIOS.

Messages appear similar to the following:
-- warning chmand[5972]: 012a0004:4: Nitrox recoveries: 1
-- warning chmand[5972]: 012a0004:4: Octeon recoveries: 1
-- warning chmand[6018]: 012a0004:4: Host CPU subsystem power-off event caused by Super IO

Conditions:
-- Currently released BIOS with error recovery enabled.
-- VIPRION B2150 and B2250 blades.

Impact:
There is no functional impact to the system. The BIOS shipping with the VIPRION B2150 and B2250 blades configures the PCIe interfaces in such an order that BIOS recovery may have to take over. These messages are generated as BIOS error recovery is implemented to correct the PCIe interfaces configuration issues after which the system will boot normally. These messages are then benign.

Workaround:
These are benign messages in the LTM and shows that BIOS error recovery is working. The messages may be ignored.


692310-2 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body

Component: Service Provider

Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.

Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).

Impact:
The HTTP server or client to which the modified request or response is destined, receives invalid HTTP and might behave in an unexpected manner.

Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'.

For example with modified request:

when ADAPT_REQUEST_HEADERS {
    if {([HTTP::method] eq "GET") and (not [HTTP::header exists 'Content-Length'])} {
        HTTP::header insert Content-Length 0
    }
}

Similarly when ADAPT_RESPONSE_HEADERS {} for a response.


692189-1 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd


692179-1 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.


692172-1 : rewrite profile causes "No available pool member" failures when connection limit reached

Component: TMOS

Symptoms:
ltm rewrite profile (with mode uri-translation) can cause connections on ltm forwarding virtual server to be terminated with reason "No available pool member".

Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.

Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.

Workaround:
An iRule which selects default pool on HTTP_REQUEST:

when HTTP_REQUEST priority 1000 {
    pool [LB::server pool]
}


692165-1 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.


692158-1 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device will leak memory.

Conditions:
Use of iCall or CLI scripts for saving config.

Impact:
Repeated invocation may cause the system to run out of memory causing tmm to restart disrupting traffic.

Workaround:
Do not save the configuration from iCall or CLI scripts.


692095-1 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.


691897-3 : Names of the modified cookies do not appear in the event log

Component: Application Security Manager

Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie is empty.

Conditions:
A modified domain cookies violation happens.

Note: This can happen only if there are also non-modified or staged cookies.

Impact:
Expected violation details are not displayed.

Workaround:
There is no workaround at this time.


691785-1 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.


691749-1 : Delete sys connection operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.

Conditions:
Include delete sys connection operations in TMSH transactions.

Impact:
TMSH freezes up and transactions do not complete.

Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.


691706-5 : HTTP2/SPDY profile can cause orphaned connections

Component: Local Traffic Manager

Symptoms:
When tearing down a HTTP2 connection, which is composed of a clientside HTTP2 connection and 'n' serverside HTTP1.1 connections, the system might leave a subset of the 'n' serverside HTTP1.1 connection behind. Those left behind connections are still referencing the clientside PCB, which might result in a crash should they ever be expired, e.g., due to an AFM firewall policy change triggering the sweeper.

Conditions:
-- HTTP2 leaves serverside connections behind.
-- AFM firewall policy change occurs that triggers the sweeper.

Impact:
Orphaned connections might result in various behaviors, from a small memory leak to a tmm restart, which has the possibility of disrupting traffic.

Workaround:
None.


691571 : tmsh show sys software doesn't show the correct HF version

Component: TMOS

Symptoms:
tmsh show sys software does not show the correct hotfix version. Instead, it shows the base 12.1.2 release, not the 12.1.2 HF1 hotfix version. However, selecting it boots the correct version. At the login prompt, in /VERSION and in tmsh show sys version the correct hotfix version is shown.

Conditions:
Using tmsh command: tmsh show sys software

Impact:
Hotfix version is not correct.

Workaround:
At the login prompt, using /VERSION or using tmsh show sys version, the correct hotfix version will be shown.


691491-5 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Solution Article: K13841403

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.


691367-1 : Attack-destination for a DoS vector was not predicting right thresholds in some cases

Component: Advanced Firewall Manager

Symptoms:
When attack-destination is enabled for a vector, then thresholds predicted by attack-destination (bad dest ip) were not correct in some cases.

Conditions:
It can occur when attack-destination is enabled for a DoS vector in a config.

Impact:
Some times wrong threshold values could be predicted for the DoS vector if attack-destination is enabled.

Workaround:
There is no workaround at this time.


691224-3 : Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled

Solution Article: K59327001

Component: Local Traffic Manager

Symptoms:
Node Server rejects received-and-incomplete ClientHello message and connection terminates.

Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.

Impact:
With Session Persistence enabled
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.

Workaround:
The issue disappears when SSL Persistence is disabled.


691196-1 : one Cisco NEXUS switch and 2 BIG-IP WCCP web caches do not work together

Component: Anomaly Detection Services

Symptoms:
The one Cisco CATALIST switch and 2 BIG-IP WCCP works perfect.
The one Cisco NEXUSswitch and 2 BIG-IP WCCP does not work together.
The difference is in the "WCCP Message Type: 2.0 I see you (11)" generated by NEXUS router.

Existing code did not support offset (expect "Number of elements" always equal 0) as CATALIST and other switches set.
But NEXUS use this element and it produce some offset in frames.

As result BIG-IP can't understand it for case 1 NEXUS and two (or more) BIG-IP's

This point is badly described in WCCP draft and investigation was based on WireShark dissector.

Conditions:
1 NEXUS and two (or more) BIG-IP's have interability problem

Impact:
1 NEXUS and two (or more) BIG-IP's can't work together.

Workaround:
avoid such configuration.


691048-1 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.

Conditions:
Diameter answer message doesn't have Result-Code AVP available, but with Experimental-Result AVP.

Impact:
The server side flow is aborted.

Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.


690928 : System posts error message: 01010054:3: tmrouted connection closed

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.


690890-1 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.


690819-1 : Using an iRule module after a 'session lookup' may result in crash

Component: TMOS

Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.

Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.

Impact:
The system may core, or result in undefined and/or undesired behavior.

Workaround:
Check the return value of 'session lookup' before using another iRule module.

If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.


690778-1 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Solution Article: K53531153

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.


690756-1 : APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated

Component: Local Traffic Manager

Symptoms:
Using the ACCESS::restrict_irule_events disable command to allow iRule events triggered by APM-generated responses to be visible to the iRule no longer works.

Conditions:
-- ACCESS::restrict_irule_events disable.
-- HTTP iRules commands used in HTTP_RESPONSE_RELEASE after a retry has been triggered by APM.

Impact:
iRule execution is aborted.

Workaround:
The only possible workaround is to abandon the iRule, and implement the functionality using a VIP-targeting-VIP configuration.

Note: This might not be acceptable in many cases either because of functionality loss (e.g., client certificate auth), or because there are complicated issues specifically solved by iRules.


690259 : Benign message 'keymgmtd started' is reported at log-level alert.

Component: TMOS

Symptoms:
Whenever keymgmtd starts, a benign message reporting that keymgmtd has started is reported in ltm logs at log-level alert: alert keymgmtd[7853]: 01a40000:1: keymgmtd started.

Note: The keymgmtd daemon provides CA-bundle management functionality.

Conditions:
Whenever keymgmtd starts.

Impact:
No functional impact. This is a benign message that you can safely ignore.

Workaround:
None.


689982-3 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.


689614-1 : If DNS is not configured and management proxy is setup correctly, Webroot database fails to download

Component: Traffic Classification Engine

Symptoms:
If DNS is not configured and management proxy is setup correctly, Webroot database fails to download and cloud lookup fails as well.

Conditions:
DNS is not configured and management proxy is setup.

Impact:
Webroot database download & cloud lookup fails.

Workaround:
There is no workaround at this time.


689567-1 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.


689437-1 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.


689375-1 : Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled

Solution Article: K01512833

Component: TMOS

Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.

Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.

Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.

Workaround:
Modify the same setting through TMSH modify client/server SSL profile command, as follows:

tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled

tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled


689361-1 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.


689211-3 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }

Component: TMOS

Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.

Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.

Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.

Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.

Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
 bigstart restart


689147 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.


689089-1 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.


689002-3 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.


688942-5 : ICAP: Chunk parser performs poorly with very large chunk

Solution Article: K82601533

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload in mulitple normal sized chunks (up to a few tens of KB).


688833-3 : Inconsistent XFF field in ASM log depending violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.

Conditions:
Viewing the XFF results in ASM log.

Impact:
This might cause problems with the syslog filters configured on the remote loggers.

Workaround:
Put in the rules that the client is using both 'xff ip' and 'xff_ip'.


688744-1 : LTM Policy does not correctly handle multiple datagroups

Solution Article: K11793920

Component: Local Traffic Manager

Symptoms:
Policy in use where the conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.

Conditions:
LTM Policy where the conditions reference two or more datagroups.

Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.

Workaround:
Only mitigation is to refactor the policy so that it does not refer to more than one datagroup-based condition.


688629-1 : Deleting data-group in use by iRule does not trigger validation error

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
In use data-group can be deleted without error. iRule aborts leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.


688557-1 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Solution Article: K50462482

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).


688553-3 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.


688406-1 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.


688335-5 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>


688266-5 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager (DNS)

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.


688231 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.


688148-3 : IKEv1 racoon daemon SEGV during phase-two SA list iteration

Component: TMOS

Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.

Conditions:
Deleting phase-two SAs, either manually or in response to notifications.

Impact:
IKEv1 tunnel outage until the racoon daemon restarts.

Workaround:
None.


688046-2 : Change condition and expression for Protocol Lookup agent expression builder

Component: Access Policy Manager

Symptoms:
Protocol lookup agent shows the incorrect condition and expression in the expression builder when included in the per-request policy.

Conditions:
This occurs when the protocol lookup agent is used in the expression builder for branching.

Impact:
Cannot follow successful branch in per-request policy.

Workaround:
To work around this issue:
1. Include Protocol lookup agent in the expression builder.
2. Click the 'change' link right next to the existing expression.
3. Go to the Advanced tab and change the expression to one of the following (depending on whether you are using HTTPS or HTTP):
-- "expr { [mcget {perflow.protocol_lookup.result}] == "https" }"
-- "expr { [mcget {perflow.protocol_lookup.result}] == "http" }"
4. Click Finished.


687905-2 : OneConnect profile causes CMP redirected connections on the HA standby

Component: TMOS

Symptoms:
When virtual server uses OneConnect profile in HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and memory leak on high availability (HA) standby systems, including high memory usage on standby units.

Conditions:
-- Virtual server uses OneConnect profile in HA.
-- BIG-IP platform that supports CMP.

Impact:
Redirected connections and memory leak on a standby device.

Workaround:
Remove OneConnect profile from the virtual server.


687759-1 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache


687658 : Monitor operations in transaction will cause it to stay unchecked

Solution Article: K03469520

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.


687617-1 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when they are set to "none" in configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
request-option specify the minimal set of configuration that DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It's better to set it to a minimal value like "routers, subnet-mask" in order to have management connectivity.


687534-1 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool

Conditions:
This issue occurs when a pool name contains .. in the name.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
 tmsh modify ltm pool <pool name> members add { <member info> }


687368-1 : The Configuration utility may calculate and display an incorrect HA Group Score

Solution Article: K64414880

Component: TMOS

Symptoms:
The Configuration utility may calculate and display a high availability (HA) Group Score of 0, while in reality the correct HA Group Score is greater than 0.

Conditions:
This issue occurs when a particular HA Group object (for example, a Pool) has no available members, and the 'Minimum Member Count' option is not used (this is the default).

Impact:
This issue is cosmetic as it is limited to what the Configuration utility calculates and displays to the user. Internally, the system uses the correct HA Group Score to determine the role of the unit. However, it is possible for a BIG-IP Administrator to be mislead by this issue and take a wrong or unnecessary corrective action because of it.

Workaround:
You can use the TMSH utility from the command line to display the correct HA Group Score.


687213-3 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED

Component: Access Policy Manager

Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish VPN tunnel.

Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.

Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.

Workaround:
None.


687044-3 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.


686926-2 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because a second response appears to have an out-of-order message ID when BIG-IP believe the first message_id of zero was already handled earlier.

Workaround:
None.


686906-2 : Fragmented IPv6 packets not handled correctly on Virtual Edition

Component: TMOS

Symptoms:
Use of IP fragmentation with IPv6 packets might not be handled correctly by BIG-IP Virtual Edition (VE) platforms. The initial fragmented are received, but subsequent fragments are discarded.

Conditions:
VE with IPv6 packets and IP fragmentation.

Impact:
Traffic which depends upon fragmented IPv6 packets will not be successfully processed.

Workaround:
There is no workaround at this time.


686816-1 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.


686765-2 : Database cleaning failure may allow MySQL space to fill the disk entirely

Component: Application Security Manager

Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.

In /var/log/ts/asm_config_server.log you might see these errors repeatedly:

Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full

Conditions:
This occurs if database cleaning failures occur.

Impact:
Disk will fill up, and you will be unable to modify ASM policies.


686563-1 : WMI monitor on invalid node never transitions to DOWN

Component: Local Traffic Manager

Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes timeout or monitor responses indicate an error. However, an WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).

Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.

Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.

Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.


686547-1 : WMI monitor sends logging data for credentials when no credentials specified

Component: Local Traffic Manager

Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.

Conditions:
A WMI monitor is configured without including the required username/password credentials.

Impact:
The monitored object will be marked 'down'.

Workaround:
Configure the WMI monitor to include the username/password credentials.


686500-1 : Adding user defined signature on device with many policies is very slow

Component: Application Security Manager

Symptoms:
Adding or modifying a user-defined signature on a device with many policies is very slow.

Conditions:
The user adds or modifies a user-defined signature.

Impact:
The process takes a long time.


686422-1 : URI reported in alert may not contain the actual traffic URI

Component: Fraud Protection Services

Symptoms:
URI reported in alert may not contain the actual traffic URI.

Conditions:
The alert was triggered for a wildcard-configured URL.

Impact:
Request URI is not reported correctly. The reported URI will contain the configured URL instead of traffic URL. For example:
-- A configured URL: /*.
-- Traffic URI: /a/b/c?n=v.
-- Reported URI: /*.
-- Reported URI should be traffic URI: /a/b/c?n=v.

Workaround:
None.


686124-1 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.


686111-1 : Searching and Reseting Audit Logs not working as expected

Solution Article: K89363245

Component: TMOS

Symptoms:
Clicking the Search and Reset buttons on Audit Logs might post the following error message: An error has occurred while trying to process your request.

Conditions:
Clicking the 'Search' or 'Reset' button on Audit Logs.

Impact:
Cannot search Audit Logs.

Workaround:
Use tmsh or bash.


686101-1 : Creating a pool with a new node always assigns the partition of the pool to that node.

Solution Article: K73346501

Component: Local Traffic Manager

Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }

Conditions:
Creating a node while creating a pool in a partition different from the node.

Impact:
The node is displayed in the wrong partition.

Workaround:
Create a node separately and then add it to the pool.


685888-1 : OAuth client stores incorrectly escaped JSON values in session variables

Component: Access Policy Manager

Symptoms:
1) The slash (/) is double escaped (\\/). The slash is common in URLs.
2) Unicode escaped characters (\uXXXX) are not correctly un-escaped into UTF-8 characters, ends up unrecognizable.

Conditions:
Occurs in 13.1 and earlier releases when OAuth servers response in JSON, such as the OIDC User Info.

Impact:
APM applications who read JSON node session variables may not get the correct values.

Workaround:
1) For double escaped slash, workaround is like,
session.oauth.client.last.UserInfo.picture = return [string map {{\\/} /} [ mcget {session.oauth.client.last.UserInfo.picture} ]]

2) For incorrect UTF-8 characters, there is no workaround.


685820-3 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not

Component: Advanced Firewall Manager

Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.

In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections were always silently dropped after HA-failover.

Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.

Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.

Workaround:
None.


685743-5 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.


685582-7 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...


685519-1 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.


685344-1 : Monitor 'min 1 of' not working as expected with FQDN nodes/members

Component: Local Traffic Manager

Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.

Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.

Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.

Workaround:
To configure a pool with 'min 1 of{...}', specify static pool members, do not use FQDN to configure pool members.


685233-1 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
 tmctl -d /var/tmstat/blade.


685110-1 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Solution Article: K05430133

Component: Local Traffic Manager

Symptoms:
1. FQDN Node/pools fails to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FDQN nodes/pool members with non-LTM license.

Workaround:
None.


685020-3 : Enhancement to SessionDB provides timeout

Component: TMOS

Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.

Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.

Impact:
Calls made to SessionDB never return from the remote TMM.

Workaround:
None.


684399-1 : Connectivity profiles UI shows (Not Licensed) when LTM base is presented

Component: Access Policy Manager

Symptoms:
In APM, the connectivity profile UI shows (Not Licensed) when LTM base is presented

Conditions:
when LTM and APM is provisioned.

Impact:
UI shows FEC profile as not licensed. But user can still choose FEC profile.

Workaround:
Ignore the not licensed warning.


684391-3 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.


684369-2 : AFM ACL Rule Policy applied on Standby device

Solution Article: K35423171

Component: Advanced Firewall Manager

Symptoms:
In a Active/Standby setup, with a Virtual Server configured to Mirror Connection State, the Standby Device is aware of the state of connections. The Standby device apart from maintaining the state of connections, need not apply ACL policy to the mirrored connections.

But in a specific case where a ACL Policy happens to have Rule with Schedules attached, the Standby happens to apply policy on mirrored connections, which also generates ACL rule hit logs.

Conditions:
1) Active/Standby device setup.
2) Virtual Server with Connection Mirroring enabled.
3) ACL Policy with a Rule having a Schedule attached, and during periods of transition when a Schedule may cause a Rule to be enforced or expired.

Impact:
Does not impact handling of traffic.

Generation of ACL Rule hit logs from Standby is unexpected, and is not desirable.

Workaround:
Objective:
- Disable sweeper applying ACL policy on Standby device.
- Sys DB tunable must disable only on Standby device. Because sys db settings are auto-sync'd to Active device as well, you must do so using the following procedure.
 
Steps to Apply Sys DB setting only on Standby device:
1. Turn off auto-sync for the device-group.
2. Apply settings just before Rule Schedule expiry on Standby device.
3. Wait till Rule Schedule change takes effect.
4. Revert the settings to normal, and enable auto-sync again.


TMSH Command Sequence:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable" <<<< Set this to 'disable'
 }

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync disabled

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify sys db tm.sweeper.flow.acl value disable

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "disable"
 }

On Active, it's still 'enable':

root@(BIG-IP-secondary)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable"
 }

Enable auto-sync again:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync enable

Might have to issue this run command if the device is reported as 'requiring sync'.

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # run cm config-sync to-group <device-group-for-failover>


684218-1 : vADC 'live-install' Downgrade from v13.1.0 is not possible

Component: TMOS

Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.

Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:

image2disk --format=volumes --nosaveconfig 11.5.4

Impact:
request is not allowed. no changes are made.

Workaround:
deploy a new 11.5.4 software image via the hypervisor environment


684068-1 : FIX with PVA offload and late binding without flow release may not execute iRules on subsequent messages

Component: Service Provider

Symptoms:
With a virtual server configured with a fastL4 profile and a FIX profile where the fast L4 profile is configured with late binding and explicit flow migration, the first connection after a setup or restart may not correctly execute FIX iRules if the flow is not handed off to ePVA after the first FIX message.

Conditions:
Configure a virtual server with a fastL4 profile and a FIX profile. Configure the FastL4 profile to have late binding and explicit flow migration. Place iRules on the virtual server that trigger on FIX_MESSAGE or FIX_HEADER. Restart the BIG-IP, connect to the virtual server and begin sending FIX messages.

Impact:
The iRules may not trigger on the second and further messages sent to the FIX virtual server on the first connection after the restart.


683767-1 : Users are not able to complete the sync using GUI

Component: TMOS

Symptoms:
A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1)

The above is expected as unit B is unable to validate the config for unit A. Incremental sync adds and removes configuration on unit A, hence the error.

Conditions:
1.Units A and B in HA with manual incremental sync, unit B is active.
2.On unit B add a pool with a member having IP address matching the self IP of unit A. Then delete it.
3.create ltm pool p1 members add { 1.1.2.1:80 }
4.delete ltm pool p1
5.Try config-sync (using GUI). You will end up with a Sync Failed message:
  A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1

Impact:
Users are not able to complete the sync using GUI

Workaround:
using tmsh to force a full sync


683706-3 : Pool member status remains 'checking' when manually forced down at creation

Component: Local Traffic Manager

Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.

Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.

Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.


683697-1 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.


683061-1 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using external datagroup, rapidly creating updating and then deleting it.

Impact:
TMM fails

Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.


683029-1 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.


682751-7 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
keytab is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.


682273-1 : Connection rate limit on a pool member can be exceeded

Component: Local Traffic Manager

Symptoms:
The connection rate-limit to a pool member can exceeded.

Conditions:
When a virtual is configured with UDP, FastL4, and pva acceleration is enabled.

Impact:
The connection rate limit on the pool member can be exceeded.

Workaround:
Disable pva acceleration using the following command:
"tmsh modify sys db pva.acceleration value none".


682209 : Per Request Access Policy subroutine performance down by about 7%

Component: Performance

Symptoms:
The performance of the per-request access policy with subroutines, even an empty one (in->out) is down by about 7%.

Conditions:
All of the following must be true for this issue to be exposed.
1) APM is provisioned.
2) An APM profile is attached to the virtual server.
3) A Per-Request access policy containing a subroutine is attached to the virtual server.

Impact:
Maximum RADIUS TPS is degraded (~7%).

Workaround:
No workaround at this time.


681782-6 : Unicast IP address can be configured in a failover multicast configuration

Solution Article: K30665653

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.


681757-3 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

 emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.


681673-4 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC addresses.

Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
 fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.

Impact:
There is not enough information to map the outgoing MAC address to a multi-cast group, and therefore it gets a default entry added that has no ports mapped. The result is that the frame will not go out the interface indicated in the tmsh command yet no warning is provided.

Workaround:
None.


681352-1 : Performance of a client certificate validation with OCSP agent is degraded

Component: TMOS

Symptoms:
Performance is being degraded for OCSP agent. This can lead to Access Policy performance degradation if there are no more heavy agents configured.

Conditions:
OCSP agent is configured in an Access Policy.

Impact:
Fewer logons processed per second by the access policy that contains OCSP agent configured.

Workaround:
There is no workaround at this time.


680856-2 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.


680855 : Safari 11 sometimes start more than one session

Component: Access Policy Manager

Symptoms:
In Safari 11 after session is finished and being restarted by "Click here to establish a new session" more than one session appears. It looks like Safari 11 beta and release bug.

Conditions:
Safari 11 beta and official release
Policy with webtop
Several passes from start to finish

Impact:
At certain point browser is reaching max sessions per IP and hangs on webtop.

Workaround:
Don't use Safari 11 for now


680838-2 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


680680-1 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
in BIG-IP version 10.x, the POP3 monitor sent STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a huge amount of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).


680388-1 : f5optics should not show function name in non-debug log messages

Component: TMOS

Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.

Conditions:
-- BIG-IP is running.
-- Logging thresholds is set to a value other than debug.

Impact:
Log files contain unexpected data.

Workaround:
There is no workaround at this time.


679735-3 : Multidomain SSO infinite redirects from session ID parameters

Component: Access Policy Manager

Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.

In a packet capture, the policy will complete on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server will not be able to find the session, and will redirect back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.

Conditions:
Application with URL paramater containing 'sid', 'sess', or 'S' while using multidomain SSO.

Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.

Workaround:
None.


679613-1 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.


679496-2 : Add 'comp_req' to the output of 'tmctl compress'

Component: Local Traffic Manager

Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.

Conditions:
Viewing the output of the 'tmctl compress' command.

Impact:
Cannot determine the different types of requests.

Workaround:
There is no workaround at this time.


679494-1 : Change the default compression strategy to speed

Component: Local Traffic Manager

Symptoms:
The current default compression.strategy is 'latency', which does not perform properly, i.e., the provider selection algorithm does not react to load change fast enough.

Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.

Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.

Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.


679431-1 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module the 'sh ipv6 interface <interface> brief' command does not show header

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief


679347-2 : ECP does not work for PFS in IKEv2 child SAs

Component: TMOS

Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for (perfect forward security).

Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.


679316-5 : iQuery connections reset during SSL key renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
When iQuery data is sent during SSL key renegotiation.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Workaround:
None.


679135-2 : IKEv1 and IKEv2 cannot share common local address in tunnels

Component: TMOS

Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.

Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.

Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.

Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.

Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.

Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.


678925-1 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.


678872-3 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.


678488-1 : BGP default-originate not announced to peers if several are peering over different VLANs

Component: TMOS

Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.

Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.

Impact:
Only some of the peered neighbors get the default route.

Workaround:
Add the following to the the BGP configuration:
 network 0.0.0.0/0


678388-1 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd


678380-2 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Component: TMOS

Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.


678254-1 : Error logged when restarting Tomcat

Component: TMOS

Symptoms:
An error is logged after restarting Tomcat and using the web UI.

Conditions:
Using the web UI to restart tomcat.

Impact:
An error is logged after restarting Tomcat and using the web UI.

Workaround:
There is no workaround.


677937-3 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)


677473-3 : MCPD core is generated on multiple add/remove of Mgmt-Rules

Component: Advanced Firewall Manager

Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.

Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).

Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.

Workaround:
None.


676897-3 : IPsec keeps failing to reconnect

Solution Article: K25082113

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.


676416-4 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.

Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.

Workaround:
There is no workaround at this time.


676223-4 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
policy building is turned on (manual or automatic). There are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A


676203-3 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.

Component: TMOS

Symptoms:
TMM memory usage suddenly increases rapidly.

Conditions:
The inter-blade mpi connection fails and does not recover.

Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.

Workaround:
None.


676092-3 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.


675911-4 : Dashboard CPU history file may contain incorrect values

Solution Article: K13272442

Component: Local Traffic Manager

Symptoms:
Values such as 33%, 66% and 99% may appear in the CSV file exported from the dashboard utility

Conditions:
htsplit is enabled.

Impact:
CPU history in exported CSV file does not match actual CPU usage.

Workaround:
You can obtain CPU history through various other means.
One way is to use the sar utility:

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.


675232-6 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered -

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via GUI and starting from from v13.0 via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------


674455-5 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS

Component: TMOS

Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.

Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r

Impact:
Serial console baud rate settings are incorrect. Uses the bios baud rate on the console.

Workaround:
When booting, edit the grub kernel line to include console=ttyS0.

Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.


674256-2 : False positive cookie hijacking violation

Solution Article: K60745057

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.


674145-1 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.


673952-3 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.


673826-1 : Some FTP log messages may not be logged to /var/log/ltm

Component: Carrier-Grade NAT

Symptoms:
Some FTP log messages may not be logged to /var/log/ltm

Conditions:
Virtual with FTP profile is configured

Impact:
Some FTP_SETUP/FTP_TEARDOWN and FTP_DATA_SETUP/FTP_DATA_TEARDOWN logs may not be logged to /var/log/ltm.

Workaround:
Use remote HSL logging


673811-1 : After an upgrade, IPsec tunnels may fail to start

Component: TMOS

Symptoms:
After an upgrade, the post-upgrade ipsec-policy or ike-peer configuration may be different to the pre-upgrade version.

Conditions:
-- ipsec-policy or ike-peer uses default setting(s).
-- BIG-IP's software is upgraded.

Impact:
After an upgrade, tunnels may fail to establish or establish using a stronger cipher set.

Workaround:
After upgrade, set the configuration objects to the required values.


673664-1 : TMM crashes when sys db Crypto.HwAcceleration is disabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when sys db Crypto.HwAcceleration is disabled.

Conditions:
This occurs when sys db Crypto.HwAcceleration is disabled.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Enable crypto hardware acceleration using the following command:
tmsh modify sys db crypto.hwacceleration value enable


673399-3 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.

Component: Local Traffic Manager

Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.

Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.

Impact:
Connection is reset.

Workaround:
Disable Websockets profile on the virtual server.


672312-3 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.


671712-2 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.


670528-4 : Warnings during vCMP host upgrade.

Solution Article: K20251354

Component: TMOS

Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
     slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).

Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
 - Deploy 13.x guest.
 - Monitor /var/log/ltm.

Impact:
Warning message displayed every 5 seconds.

Workaround:
Run the following command:
 tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none


670197-1 : IPsec: ASSERT 'BIG-IP_conn tag' failed

Component: TMOS

Symptoms:
When using IPsec, tmm assert with 'BIG-IP_conn tag' failed.

Conditions:
The conditions under which this assert occurs when using IPsec are unknown.

Impact:
The tmm restarts and all connections are reset. Traffic disrupted while tmm restarts.

Workaround:
None.


669645-3 : tmm crashes after LSN pool member change

Component: Carrier-Grade NAT

Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.

Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.

Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.

Workaround:
Recommend to change LSN pool members during a maintainence window with low traffic or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.


669255-5 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.


668041-2 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
An iRule contains commented line that ends with a backslash, and the config also contains a policy, for example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following wordarounds:
-- Delete the comment line.
-- Merge the multiple-lines.
-- Make separate multi-line comments


667700-1 : Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed

Component: Policy Enforcement Manager

Symptoms:
PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed. So User cannot create PEM rule with web sense classification filters from Web UI.

Conditions:
Creation of PEM rule with classification filter from Web UI

Impact:
None. User can update the configuration from TMSH.

Workaround:
Use TMSH to add websense classification filter to a PEM rule.


667414-1 : JSON learning of parameters in WebSocket context is not working

Component: Application Security Manager

Symptoms:
When a JSON parameter arrives in WebSocket, it is not sent to policy builder, and thus is not learned.

Conditions:
1. WebSocket traffic contains JSON data.
2. In the JSON profile, parse parameter is enabled.

Impact:
JSON parameter arriving in WebSocket is not learned.

Workaround:
None.


665470-3 : Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised

Component: Application Security Manager

Symptoms:
Failed to Learn page malicious IP addresses in a specific case.

Conditions:
-- IP intelligence is turn on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.


665362-2 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.


664017-9 : OCSP may reject valid responses

Component: TMOS

Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:

OCSP response: got EOF

Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.

Impact:
Valid OCSP responses may be rejected.

Workaround:
None.


663925-1 : Virtual server state not updated with pool- or node-based connection limiting

Component: Local Traffic Manager

Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.

Conditions:
The connection count reaches the configured connection limit.

Impact:
Virtual server is not automatically disabled when connection limit is reached and does not return from the unavailable state after connections decrease.

Workaround:
None.


663874-2 : Off-box HSL logging does not work with PEM in SPAN mode.

Solution Article: K77173309

Component: Policy Enforcement Manager

Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.

Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.

Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.

Workaround:
There is no workaround at this time.


660826-3 : BIG-IQ Deployment fails with customization-templates

Component: Access Policy Manager

Symptoms:
BIG-IQ involving multiple commands in a transaction to modify customization group fails.

Conditions:
Simulation by tmsh for what's done in BIG-IQ:

1) Add a log-on agent in your policy.

2) Edit the log-on agent customization (Advanced Customication: logon.inc and view.inc both)
This should create two customization templates.

3) Make a backup of the customization template files in some folder (/tmp). For example: To copy logon.inc and view.inc for logon agent in sjc-access policy?(sjc-access_act_logon_page_ag) below cp statements worked.

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
:Common:sjc-access_act_logon_page_ag::logon.inc_74991_2

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc

4) tmsh

5) create /cli transaction

6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }

7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }

8) submit /cli transaction

Impact:
BIG IQ operation failed with scenario involving change to customization group.

Workaround:
There is no workaround.


658716-1 : MCPd SIGSEGV in boost::checked_delete

Component: TMOS

Symptoms:
MCPd SIGSEGV during tear down of DSC connections. System logs messages similar to the following to /var/log/ltm:
 warning mcpd[4822]: 01071aea:4: CMI heartbeat timer expired, status: 192.168.254.253.

Conditions:
During tear down of DSC connections, a heartbeat operation may be attempted on an already deleted connection.

Impact:
MCPd will be restarted, possibly resulting in other daemons restarting as well.

Workaround:
There is no workaround at this time.


658410-2 : icrd_child generates a core when calling PUT on ltm/data-group/internal/

Component: TMOS

Symptoms:
icrd_child generates a core file when calling PUT on ltm/data-group/internal/.

Conditions:
Calling PUT on ltm/data-group/internal/.

Impact:
The iControl REST API is temporarily not available for configuration queries or modifications.

Workaround:
There is no workaround at this time.


658278-1 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows :
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.


657912-3 : PIM can be configured to use a floating self IP address

Component: TMOS

Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.

Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.

Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.

Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.


656784-1 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Solution Article: K98510679

Component: Access Policy Manager

Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.

Windows 10 Version 1703 RDP client is using Negotiate HTTP authentication scheme, while APM requires NTLM scheme for RD Gateway.

Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Impact:
Remote desktop client is not able to authenticate and connect to the desktop.

Workaround:
Use either of the following workarounds:

-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.

-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }

    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]

    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    if {!$is_rdg_request || !$is_nego_auth} { return; }

    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}


655383-3 : Failure to extend database continues to execute rather than halting because of fragmented state.

Component: Local Traffic Manager

Symptoms:
Rarely occurring failure to extend database results in operations continuing to execute rather than halting because of fragmented state. Various behavior might occur, for example: unexpected traffic to disabled pool members, intermittent updated cert usage, receipt of messages such as 'MCP message handling failed' or 'Memory allocation failed: can't allocate memory to extend db size', and others.

Conditions:
TMM heap is fragmented such that memory allocation fails when extending the database.

Impact:
Operations continues to execute rather than halting, as might be expected. The system might report a variety of unexpected log messages and/or behaviors due to subsequent inconsistent state.

Note: This is an extremely rare condition that occurs only when TMM is left in an inconsistent state. Although it is possible that this might eventually lead to bad behavior downstream, the event itself does not cause memory issues.

Workaround:
None.


653759-1 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update

Component: TMOS

Symptoms:
No Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:

#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0

This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0

Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.

Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.

Workaround:
There is no workaround at this time.


652877-5 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on a/all secondary blade(s) in a VIPRION chassis restart, and MCPD logs errors such as:

slot2/localhost err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
slot2/localhost err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error will say "Can't save/checkpoint DB object," rather than "Can't update_indexes/checkpoint DB object".

Conditions:
Multi-bladed VIPRION system, where the "if-index" value for VLANs differs between blades (as checked via "tmsh list net vlan all if-index" on each blade).

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Only reactivate the license on a system that is standy/offline.


652502-2 : snmpd returns 'No Such Object available' for ltm OIDs

Component: TMOS

Symptoms:
When the BIG-IP starts with an expired license snmp queries for ltm related OIDs will return 'No Such Object available on this agent at this OID'.

Even if you re-activate the license or install a new one snmpd will not be notified of the change in license and will stil return 'No Such Object available on this agent at this OID' until the snmpd process is restarted.

Conditions:
The BIG-IP starts with an expired licensed which is reactivated later.

Impact:
snmp queries to the ltm OIDs like ltmRst and ltmVirtual will not return any data.

Workaround:
A restart of snmpd (bigstart restart) after the license is re-activated or a new one is installed will resolve the issue.


652370-3 : The persist cookie insert iRule command may leak memory

Component: Local Traffic Manager

Symptoms:
In some situations, the persist cookie insert iRule command may leak memory.

Conditions:
The persist cookie insert iRule command is used.

Impact:
Eventually, the TMM will run out of memory due to the leak.


651169-1 : The Dashboard does not show an alert when a power supply is unplugged

Component: Advanced Firewall Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.


649682-1 : 'list cm device build' data is not synchronized correctly across a device trust group

Component: TMOS

Symptoms:
The output of 'tmsh list /cm device' shows different version/build numbers for different devices, although all devices in the device-group are running the same software version.

Conditions:
Running the following command to view build information on multiple devices: tmsh list /cm device.

Impact:
The output reports different version/build numbers for different devices, although all devices in the device-group are running the same software version. Shows different/misleading build information about hotfix/engineering hotfix status across the trust.

Note: This information is displayed in the UI Device Management :: Devices screen.

Workaround:
There is no workaround at this time.


649275-1 : RSASSA-PSS client certificates support in Client SSL

Component: Local Traffic Manager

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through 13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version from BIG-IP v11.6.0 through 13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
None.


649161-2 : AVR caching mechanism not working properly

Solution Article: K42340304

Component: Application Visibility and Reporting

Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.

Conditions:
Using AVR caching mechanism (turned-on by default).

Impact:
Reports will be incorrect.

Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable

* NOTE: the above might cause AVR to perform a bit slower.


648917 : Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform

Component: TMOS

Symptoms:
With vCMP provisioned, upgrading to 13.1.x or later release will not enable IOMMU support after the upgrade.

Conditions:
-- Upgrading to 13.1.x or later.
-- vCMP already provisioned.
-- Running on the BIG-IP 10350F platform.

Impact:
Guests will not have FIPS functionality until IOMMU is enabled.

Workaround:
Re-provision vCMP after the upgrade to enable IOMMU support.


648242-2 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.


644822 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround.


642923-6 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system

Solution Article: K01951295

Component: TMOS

Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.

Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.

There are a number of ways that this issue may manifest.

For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).

*Note: Depending the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a relative estimate of the number of filestore objects that might cause this issue to occur.

Impact:
mcpd restarts, which causes a system to go offline and restart services.

Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:

   modify sys daemon-ha mcpd heartbeat disable

Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.

Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.

To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.


641450-5 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


638091-6 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.


637613-5 : Cluster blade being disabled immediately returns to enabled/green

Solution Article: K24133500

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


632553-3 : DHCP: OFFER packets from server are intermittently dropped

Solution Article: K14947100

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
You may be able to work around this condition by issuing the following tmsh command:

tmsh delete sys connection cs-server-addr 255.255.255.255 cs-server-port 67


630137-2 : Dynamic Signatures feature can fill up /config partition impacting system stability

Component: TMOS

Symptoms:
When the AFM DoS Dynamic Signatures feature is enabled, inadequate file housekeeping results in the /config/filestore partition filling up. mcpd halts the other running daemons and the system becomes unresponsive.

Conditions:
AFM DoS Dynamic Signatures feature enabled

Configuration changes made but not saved

Device receives traffic.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Make all configuration changes via Configuration Tool (UI) or issue a 'save sys config partitions all' command.

If rolling back the configuration is a requirement, before making changes to the configuration, save a configuration snapshot to a file with the 'save sys config file <filename>' command. You can then load the previous configuration with a 'load sys config file <filename>' command.


627760-5 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.


627506-1 : Unable to change management-ip address

Component: TMOS

Symptoms:
After the management-ip address is changed, the BIG-IP system continues to use the old management-ip address. You might see the following error in /var/log/ltm:
-- warning chmand[6584]: 012a0004:4: mcp_admin_ip_remove, delMgmtAddr() catch exception: Network Socket: Open Error [No such device], possibly nonexistent.

Conditions:
Running on platforms that use eth0 interface for management traffic.

To determine whether the platform you have uses the eth0 interface for management traffic, run following command: ifconfig eth0.

Impact:
Unable to change management-ip address. After changing the management-ip, the old address will continue to be listed.

Workaround:
Save the change and reboot the system. After the changes have been saved, they will be applied after the unit is rebooted.


626030-1 : TMM restart and failover.

Component: TMOS

Symptoms:
Under rare circumstances, an HSB-received failure can cause can cause TMM to restart

Conditions:
The conditions required for this issue to occur are unknown.

Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.


624016 : Traffic data stats got lost on hardware accelerated flows when the flows are terminated earlier

Component: TMOS

Symptoms:
When the clients tend to reset HTTP keep alive connections immediately after data are received, instead of gracefully closing the connections per RFC, it presents a problem for TMOS, as we rely on the hardware FSUs (flow status updates) to calculate the packet counts for offloaded flows, but these flows were reset before the FSUs were sent from the hardware. So, we lost these packet stats for the offloaded flows, because BIG-IP can not determine the traffic direction without the connection flow information. FIN packets will have the same effects to close the connection. If there are FSUs after the FIN packets, they won’t be counted either.

Conditions:
Clients that reset connection immediately after data is received.

Impact:
pva traffic stats may not accurately show the packets/bytes counts for the offloaded flows.

Workaround:
One workaround fix is to consult with the hardware ePVA packet and byte forward counters in addition to the global PVA traffic stats. For verification purposes, this can be quickly used without any code changes with the following command:

# tmctl -d blade -s name,active,bus,rqm_epva_fwd_pkts,rqm_epva_fwd_bytes tmm/hsbe2_internal_pde


These rqm_epva_fwd_pkts/bytes counters are the current hardware counters from the ePVA registers, whare are more up to date. The only catch is that you will need to correspond the lbb_pde number to the individual PVA numbers in the output of "tmsh show sys pva-traffic". To get the global stats for all PDEs as in "tmsh show sys pva-traffic global", you will have to add thses number up with a script.


621158-3 : f5vpn does not close upon closing session

Component: Access Policy Manager

Symptoms:
f5vpn does not close upon closing session.

Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.

Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.

Workaround:
None.


620954-5 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to login.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.


620053-2 : Gratuitous ARPs may be transmitted by active unit going offline

Component: Local Traffic Manager

Symptoms:
When cluster's active goes offline, the non-primary blades may send gratuitous ARPs.

Conditions:
Cluster's active goes offline.

Impact:
Potential impact to traffic if the gratuitous ARPs of the blade which goes offline is received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Failover the cluster before forcing offline or configure mac masquerading.


618884-6 : Behavior when using VLAN-Group and STP

Component: Local Traffic Manager

Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.

Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.

Note: This issue is a constraint to soft switched platforms.

Impact:
May not see ICMP response traffic.

Workaround:
None.


617643-2 : iControl.ForceSessions enabled results in GUI error on certain pages

Component: TMOS

Symptoms:
GUI pages display "An error has occurred while trying to process your request."

Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.

Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.

Workaround:
Use shell for related administrative tasks or if feature is not used, disable with the following command:

tmsh# modify sys db icontrol.forcesessions value disable


613836-1 : Error message in ltm log when adding a DoS profile to virtual server in cluster setup

Component: Advanced Firewall Manager

Symptoms:
In a cluster environment, when adding DoS profile to a virtual server, ltm log shows a configuration exception error message complaining about a file missing.

Conditions:
-- The setup is a cluster.
-- DoS profile is created and attached to a virtual server.

Impact:
No functional impact, but unnecessary error message is seen in ltm log.

Workaround:
None.


611724 : LTM v11.5.4 HF1 iApp folders removed on partition load

Component: TMOS

Symptoms:
Folder is missing after loading partition.

Conditions:
Must have configured a folder, saved the partition, and then loaded the partition.

Impact:
Unable to restore iApp configuration saved from particular partition.

Workaround:
Save and load the entire configuration, or manually add the missing folder to the partition config being loaded.


610436-1 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.

Solution Article: K13222132

Component: Access Policy Manager

Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.

Conditions:
* Windows 10.
* Client system is connected to two networks.
* Both networks have the same DNS server address.
* Before VPN establishment interface with lower index is disconnected.
* After VPN establishment interface with lower index is reconnected.

Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.

Workaround:
<p>To work around this issue, add the following registry key:</p>
<p><userinput>HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient</userinput></p> with DWORD <varname>EnableMultiHomedRouteConflicts</varname> set to <userinput>0</userinput>. <p>This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.</p>
<note type="important">Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.</note>


605649-2 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.


604880-5 : tmm assert "valid pcb" in tcp.c

Component: Local Traffic Manager

Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


602708-4 : Traffic may not passthrough CoS by default

Solution Article: K84837413

Component: Local Traffic Manager

Symptoms:
Traffic being forwarded by TMM may not passthrough the Class of Service (CoS) received.

Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply QoS settings in the FastL4 profile.


601828-7 : An untrusted certificate can cause tmm to crash.

Solution Article: K13338433

Component: Local Traffic Manager

Symptoms:
If the certificate sent by an SSL server to the server-side BIG-IP profile is untrusted, tmm might crash.

Conditions:
-- Server-side SSL profile is attached to a virtual server.
-- The SSL server sends an untrusted certificate to the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


596020-5 : Devices in a device-group may report out-of-sync after one of the devices is rebooted

Component: TMOS

Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.

As a result of this issue, you may encounter the following symptoms:

- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.

Conditions:
This issue occurs when all of the following conditions are met:

- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator, you modify the configuration, triggering the devices to become out of synchronization.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.

Impact:
After the reboot, the devices report out-of-sync.

Note: This issue is purely cosmetic; no configuration is lost as result of this issue.

Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.

Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.


594064-5 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
  -- Serverside syn and syn-ack from FastL4 TCP traffic.
  -- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.

Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').


593536-6 : Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being "In Sync".

Conditions:
Device Service Cluster Device Group with incremental sync enabled. A ConfigSync occurred where a configuration transaction failed validation, and then a subsequent (or the final) configuration transaction was successful.

Impact:
BIG-IP incorrectly reports configuration is in-sync, despite the fact that it is not in sync. All sorts of failures or odd behavior or traffic impact can result from this.

Workaround:
Turn off incremental sync (by enabling "Full Sync" / "full load on sync") for affected device groups.


592504-2 : False positive illegal length violation can appear

Component: Application Security Manager

Symptoms:
A false positive illegal length violation.

Conditions:
A chunked request where the request length is more than half of the configured max request length.

Impact:
False positive illegal length violation.

Workaround:
Configure a higher max request length violation.


592503-1 : TMM 'timer' device does not report 'busy' for non-priority timers.

Component: Local Traffic Manager

Symptoms:
A discrepancy in CPU utilization reporting can observed when looking at different utilities or reporting systems (i.e. top, tmctl, SNMP, the performance graphs in the GUI, etc.).

Specifically, certain utilities may report that TMM hyperthreads are 100% busy, while other utilities may indicate that TMM instances are only moderately busy.

In this case, the utilities or systems reporting the higher CPU utilization are correct.

Conditions:
This issue has been seen extremely rarely, as it requires some other edge condition to also be occurring (TMM firing non-priority timers in a looping manner).

Impact:
A BIG-IP Administrator monitoring CPU utilization on the system may be confused about how busy TMM actually is.

Although the main impacted system here is the tmm/stat tmctl table, these values are also exposed via the sysTmmStatTmUsageRatio5s MIB (which is more likely to be monitored by a BIG-IP Administrator).

Workaround:
Refer to utilities such as 'top' to monitor the CPU utilization of TMM hyperthreads.


581851-6 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands

Solution Article: K16234725

Component: TMOS

Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.

Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appears similar to the following example:
 + err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

 + err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.

Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.

Workaround:
None.


575372-5 : BIG-IQ Discovery may fail due to an invalid passphrase.

Component: TMOS

Symptoms:
BIG-IQ Local Traffic & Management discovery may fail due to an invalid passphrase. Log messages might include the error: Failed to transform secure field value.

Conditions:
-- The BIG-IP systems are configured in a DSC configuration.
-- There is one or more profiles configured with a passphrase.

Impact:
As a result, the LTM service cannot be managed for that BIG-IP system.

Workaround:
Run the following command on the BIG-IP system:
bigstart restart restjavad


571651-4 : Reset crypto accelerator queue if it becomes stuck.

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

    'n3-cryptoX request queue stuck'.

Conditions:
An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.


513310-5 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.

Impact:
TMM might core. Traffic disrupted while tmm restarts.

Workaround:
None.


504522-1 : Trailing space present after 'tmsh ltm pool members monitor' attribute value

Component: Local Traffic Manager

Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.

Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.

Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).

Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.


495443-9 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.


495242-4 : mcpd log messages: Failed to unpublish LOIPC object

Component: Local Traffic Manager

Symptoms:
The system posts the following message in the mcpd log: Failed to unpublish LOIPC object.

Conditions:
This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created.

Impact:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored.

Workaround:
None.


464650-6 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
Mcpd restarts

Workaround:
None.


447565-9 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.


431480-5 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


429124-5 : ePVA does not work with lasthop pools with only one member

Solution Article: K15069

Component: Local Traffic Manager

Symptoms:
ePVA does not work with lasthop pools with only one member.

Conditions:
ePVA does not work with lasthop pools with only one member.

Impact:
ePVA does not work with lasthop pools with only one member.

Workaround:
None.


402691-1 : The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP

Component: TMOS

Symptoms:
The status information about traffic selectors in IPsec can be displayed with the TMSH command 'show net ipsec', but there is no way to manage the BIG-IP system and gather data using SNMP.

Conditions:
Using SNMP to query the BIG-IP system for IPsec traffic selector status.

Impact:
Use TMSH or customized SNMP solutions.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************