Applies To:
- BIG-IP AAM 13.1.1
- BIG-IP APM 13.1.1
- BIG-IP Analytics 13.1.1
- BIG-IP Link Controller 13.1.1
- BIG-IP LTM 13.1.1
- BIG-IP AFM 13.1.1
- BIG-IP PEM 13.1.1
- BIG-IP DNS 13.1.1
- BIG-IP FPS 13.1.1
- BIG-IP ASM 13.1.1
BIG-IP Release Information
Version: 13.1.1.4
Build: 4.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance, at the cost of re-exposing the system to those side-channel attacks. See K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
744035-4 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
739970-2 | CVE-2018-5390 | K95343321 | Linux kernel vulnerability: CVE-2018-5390 |
701785-2 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
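The fix tables on this page are what a practitioner actually works from when deciding whether a build covers a given CVE. The parser below is an added example written for this page, not F5 tooling: it turns the pipe-delimited tables into records and answers that question. Its sample input is a handful of rows copied from this page's tables, and the column-assignment rules (a K-number pattern for the solution article, the CVE-YYYY-NNNN pattern, a six-digit bug ID) are assumptions derived from the layout seen here. It deliberately scans descriptions as well as the CVE column, because CVE fixes such as the BIND fix for CVE-2018-5740 (ID 738985-2) are listed under TMOS Fixes rather than under Vulnerability Fixes.

```python
"""Parse BIG-IP release-note fix tables and report which CVEs a build addresses.

Added example for this page, not F5 tooling. Assumptions: tables are the
pipe-delimited text seen here, headed by 'ID Number | ... | Solution Article(s)
| Description |'; the solution-article cell is a K-number or empty; rows without
a K-number may appear with the description shifted left, so columns are assigned
by content rather than by position.
"""
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
KB_RE = re.compile(r"^K\d{5,}$")        # F5 solution article, e.g. K12130880
ID_RE = re.compile(r"^\d{6}(-\d+)?$")   # bug ID, e.g. 744035-4 or 713380


@dataclass(frozen=True)
class Fix:
    section: str      # heading the row appeared under, e.g. 'TMOS Fixes'
    fix_id: str
    severity: str     # '2-Critical' etc.; '' for Vulnerability Fixes rows
    cves: tuple       # CVEs from the CVE column (Vulnerability Fixes rows)
    article: str      # K-number or ''
    description: str


def _cells(line):
    """Split a pipe row into stripped cells, dropping empty trailing cells."""
    cells = [c.strip() for c in line.split("|")]
    while cells and cells[-1] == "":
        cells.pop()
    return cells


def _is_row_start(line):
    cells = _cells(line)
    return bool(cells) and (cells[0] == "ID Number" or ID_RE.match(cells[0]) is not None)


def _row_to_fix(section, cells):
    second = cells[1] if len(cells) > 1 else ""
    rest = list(cells[2:])
    cves = tuple(CVE_RE.findall(second))       # CVE column, else a severity
    severity = "" if cves else second
    article = ""
    if rest and KB_RE.match(rest[0]):          # K-number present: take it
        article, rest = rest[0], rest[1:]
    return Fix(section, cells[0], severity, cves, article, " | ".join(rest))


def parse_fix_tables(text):
    """One Fix per table row; other non-header lines set the current section."""
    fixes, section = [], ""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        cells = _cells(line)
        if not cells or cells[0] == "ID Number":
            continue                            # blank or column header row
        if not ID_RE.match(cells[0]):
            section = line                      # e.g. 'Vulnerability Fixes'
            continue
        # A long CVE list can wrap onto a second line in extracted text; glue
        # continuation lines until the row has ID, second column and description.
        while len(cells) < 3 and i < len(lines) and not _is_row_start(lines[i]):
            line = line + " " + lines[i]
            cells = _cells(line)
            i += 1
        fixes.append(_row_to_fix(section, cells))
    return fixes


def cves_fixed(fixes):
    """Every CVE named in a CVE column or a description, across all sections."""
    found = set()
    for f in fixes:
        found.update(f.cves)
        found.update(CVE_RE.findall(f.description))
    return found


def fixes_for_cve(fixes, cve):
    cve = cve.upper()
    return [f for f in fixes if cve in f.cves or cve in CVE_RE.findall(f.description)]


# Constructed sample: rows copied from this page's tables (one CVE list wrapped).
SAMPLE = """\
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
744035-4 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
739970-2 | CVE-2018-5390 | K95343321 | Linux kernel vulnerability: CVE-2018-5390 |
726409-4 | CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 |
K61429540 | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
744331 | 2-Critical | OpenSSH hardening | |
723298-2 | 2-Critical | BIND upgrade to version 9.11.4 | |
713380 | 2-Critical | K23331143 | Multiple B4450 blades in the same chassis run into inconsistent DAG state |
738985-2 | 4-Minor | BIND vulnerability: CVE-2018-5740 | |
713491-2 | 5-Cosmetic | IKEv1 logging shows SPI of deleted SA with opposite endianness
"""

if __name__ == "__main__":
    parsed = parse_fix_tables(SAMPLE)
    for cve in sorted(cves_fixed(parsed)):
        print(cve, "fixed by", ", ".join(f.fix_id for f in fixes_for_cve(parsed, cve)))
    print("CVE-2018-0732 covered:", bool(fixes_for_cve(parsed, "CVE-2018-0732")))
```

Feed it the full text of a release note and `fixes_for_cve` gives the bug ID and K-article to cite in a remediation ticket; an empty result for a CVE you care about means the build does not list a fix for it, which is the negative answer the Vulnerability Fixes table alone cannot give you.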
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
744685-1 | 2-Critical | | BIG-IP does not throw an error when an intermediate CA certificate is missing the "Basic Constraints" extension with "CA:TRUE" |
744188 | 2-Critical | | First successful authentication for iControl REST requests is now logged in the audit and secure log files |
748851-1 | 3-Major | | Bot Detection injection includes tags that may cause faulty display of the application |
725878-2 | 3-Major | | AVR does not collect all of APM TMStats |
667257-4 | 3-Major | | CPU usage reaches 100% with high FastL4 traffic |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
737910-2 | 1-Blocking | | Security hardening on Shuttle platforms |
682837-2 | 1-Blocking | | Compression watchdog period too brief. |
744331 | 2-Critical | | OpenSSH hardening |
743790-3 | 2-Critical | | BIG-IP system should trigger an HA failover event when the expected HSB device is missing from the PCI bus |
741423-2 | 2-Critical | | Secondary blade goes offline when provisioning ASM/FPS on an already established config-sync |
738887-3 | 2-Critical | | The snmpd daemon may leak memory when processing requests. |
738119-2 | 2-Critical | | SIP routing UI does not follow best practices |
726487-2 | 2-Critical | | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. |
723298-2 | 2-Critical | | BIND upgrade to version 9.11.4 |
713380 | 2-Critical | K23331143 | Multiple B4450 blades in the same chassis run into inconsistent DAG state |
712738-1 | 2-Critical | | fpdd may core dump when the system is going down |
710277-1 | 2-Critical | | Additional IKEv2 child_sa validity checks |
697424-1 | 2-Critical | | iControl REST crashes on /example for firewall address-lists |
688148-3 | 2-Critical | | IKEv1 racoon daemon SEGV during phase-two SA list iteration |
680556-1 | 2-Critical | | Under unknown circumstances a sessionDB subkey entry sometimes becomes corrupted |
677937-3 | 2-Critical | | APM tunnel and IPsec over IPsec tunnel reject isession-SYN connect packets |
668041-2 | 2-Critical | K27535157 | Config load fails when an iRule comment ends with a backslash in a config that also contains a policy.★ |
751009-1 | 3-Major | | Generating qkviews or tcpdumps via the GUI or running the 'ihealth' command removes /var/tmp/mcpd.out |
748206 | 3-Major | | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position |
743803-2 | 3-Major | | IKEv2 potential double free of object when async request queueing fails |
737536-1 | 3-Major | | Enabling 'default-information originate' on one of several OSPF processes does not inject a default route into the others. |
737437-2 | 3-Major | | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages |
737397-3 | 3-Major | | User with Certificate Manager role is unable to archive certificates using the GUI and iControl SOAP |
724143-1 | 3-Major | | IKEv2 connflow expiration upon ike-peer change |
723579-4 | 3-Major | | OSPF routes missing |
722691 | 3-Major | | Available datagroup list does not contain datagroups with the correct type. |
721016 | 3-Major | | vcmpd fails updating VLAN information on vCMP guest |
720110-2 | 3-Major | | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. |
718817-2 | 3-Major | | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. |
718405-1 | 3-Major | | RSA signature PAYLOAD_AUTH mismatch with certificates |
718397-1 | 3-Major | | IKEv2: racoon2 appends spurious trailing null byte to ID payloads |
710666-1 | 3-Major | | VE with interface(s) marked down may report high CPU usage |
706104-3 | 3-Major | | Dynamically advertised route may flap |
705442-1 | 3-Major | | GUI Network Map object search on Virtual Server IP Address and Port does not work |
700827-4 | 3-Major | | B2250 blades may lose efficiency when source ports form an arithmetic sequence. |
698947-2 | 3-Major | | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. |
698619-2 | 3-Major | | Disable port bridging on HSB ports for non-vCMP systems |
693884-1 | 3-Major | | ospfd core on secondary blade during network instability |
693106-1 | 3-Major | | IKEv1: newest established phase-one SAs should be found first in a search |
686926-2 | 3-Major | | IPsec: responder N(cookie) in SA_INIT response handled incorrectly |
686124-1 | 3-Major | K83576240 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs |
680838-2 | 3-Major | | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator |
678925-1 | 3-Major | | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. |
678380-2 | 3-Major | K26023811 | Deleting an IKEv1 peer in current use could SEGV on race conditions. |
676897-3 | 3-Major | | IPsec keeps failing to reconnect |
676092-3 | 3-Major | | IPsec keeps failing to reconnect |
674145-1 | 3-Major | | chmand error log message missing data |
670197-1 | 3-Major | | IPsec: ASSERT 'BIG-IP_conn tag' failed |
658557-3 | 3-Major | | The snmpd daemon may leak memory when processing requests. |
652502-2 | 3-Major | | snmpd returns 'No Such Object available' for ltm OIDs |
639619-5 | 3-Major | | UCS may fail to load due to master key decryption failure on EEPROM-less systems★ |
598085-1 | 3-Major | | Expected telemetry is not transmitted by sFlow on the standby-mode unit. |
491560-2 | 3-Major | | Using a proxy for IP Intelligence updates |
738985-2 | 4-Minor | | BIND vulnerability: CVE-2018-5740 |
689491 | 4-Minor | | CPU usage reported as 'stolen' on vCMP guests with 1 core or htsplit disabled |
689211-3 | 4-Minor | | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } |
680856-2 | 4-Minor | | IPsec config via REST scripts may require a post-definition touch of both policy and traffic selector |
530775-3 | 4-Minor | | Login page may generate unexpected HTML output |
713491-2 | 5-Cosmetic | | IKEv1 logging shows SPI of deleted SA with opposite endianness |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
744269-2 | 2-Critical | | dynconfd restarts if an FQDN template node is deleted while an IP address change is in progress |
744117-5 | 2-Critical | | The HTTP URI is not always parsed correctly |
743857 | 2-Critical | | clientssl accepts non-SSL traffic when a cipher-group is configured |
742627-2 | 2-Critical | | SSL session mirroring may leak memory if the HA channel is down |
741919 | 2-Critical | | HTTP response may be dropped following a 100 Continue message. |
740963-2 | 2-Critical | | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in a tmm restart |
740490-1 | 2-Critical | | Configuration changes involving HTTP/2 or SPDY may leak memory |
739003-1 | 2-Critical | | TMM may crash when FastL4 is used on an ePVA-capable BIG-IP |
738945-2 | 2-Critical | | SSL persistence does not work when multiple handshakes are present in a single record |
738046-2 | 2-Critical | | SERVER_CONNECTED fires at the wrong time for FastL4 mirrored connections on the standby |
737758-2 | 2-Critical | | MPTCP passthrough and VIP-on-VIP can lead to a TMM core |
734276-2 | 2-Critical | | TMM may leak memory when SSL certificates with VDI or EAM are in use |
727206 | 2-Critical | | Memory corruption when using SSL Forward Proxy |
720136-1 | 2-Critical | | Upgrade may fail in mcpd when an external netHSM is used |
718210-2 | 2-Critical | | Connections using virtual-targeting-virtual and time-wait recycle result in a connection being improperly reused |
716714-1 | 2-Critical | | OCSP should be configured to avoid a TMM crash. |
702792-1 | 2-Critical | K82327396 | Upgrade creates Server SSL profiles with invalid cipher strings |
685254-2 | 2-Critical | K14013100 | RAM Cache exceeding watchdog timeout in header field search |
513310-5 | 2-Critical | | TMM might core when a profile is changed. |
752078 | 3-Major | | Header field value string corruption |
739963-2 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with a restrictive server setup |
739379-2 | 3-Major | | Multi-layered SSL forward proxy deployed within a single BIG-IP may trigger random certificate verification errors |
739349-1 | 3-Major | | LRO segments might be erroneously VLAN-tagged. |
738521-1 | 3-Major | | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN tag. |
726319-2 | 3-Major | | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses |
724564-1 | 3-Major | | A FastL4 connection can fail with loose-init and hash persistence enabled |
724327-1 | 3-Major | | Changes to a cipher rule do not take effect immediately |
721621-1 | 3-Major | | Ephemeral pool member is not created/deleted when a DNS record changes and the IP matches a static node |
720799-2 | 3-Major | | Virtual server/VIP flaps with FQDN pool members when all IP addresses change |
717896-2 | 3-Major | | Monitor instances deleted in peer unit after sync |
717100-3 | 3-Major | | FQDN pool member is not added if the FQDN resolves to the same IP address as another existing FQDN pool member |
716716-2 | 3-Major | | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core |
714559-2 | 3-Major | | Removal of HTTP hash persistence cookie when a pool member goes down. |
711981-5 | 3-Major | | BIG-IP system accepts larger-than-egress MTU, PMTU update |
710028-2 | 3-Major | | LTM SQL monitors may stop monitoring if multiple monitors query the same database |
708068-2 | 3-Major | | Tcl commands like "HTTP::path -normalize" do not return the normalized path. |
707691-4 | 3-Major | | BIG-IP handles some Path MTU messages incorrectly |
706102-2 | 3-Major | | SMTP monitor does not handle all multi-line banner use cases |
701678-2 | 3-Major | | Non-TCP and non-FastL4 virtual server with rate limits may periodically stop sending packets to the server when the rate is exceeded |
685519-1 | 3-Major | | Mirrored connections ignore the handshake timeout |
683697-1 | 3-Major | | SASP monitor may use the same UID for multiple HA device group members |
674591-3 | 3-Major | | Packets with payload smaller than the MSS are marked to be TSOed |
504522-1 | 3-Major | | Trailing space present after 'tmsh ltm pool members monitor' attribute value |
719247-2 | 4-Minor | K10845686 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string |
618884-6 | 4-Minor | | Behavior when using VLAN-Group and STP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
739846-3 | 2-Critical | | Potential big3d segmentation fault when there is not enough memory to establish a new iQuery connection |
749774-3 | 3-Major | | EDNS0 client subnet behavior inconsistent when DNS caching is enabled |
749675-3 | 3-Major | | DNS cache resolver may return a malformed truncated response with multiple OPT records |
744707-4 | 3-Major | | Fixed crash related to DNSSEC key rollover |
726255-2 | 3-Major | | dns_path lingering in memory with last_access 0 causing high memory usage |
723288-2 | 3-Major | | DNS cache replication between TMMs does not always work for net dns-resolver |
710246-2 | 3-Major | | DNS Express was not sending out NOTIFY messages on VE |
702457-2 | 3-Major | | DNS cache connections remain open indefinitely |
717113-2 | 4-Minor | | It is possible to add the same GSLB pool monitor multiple times |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
750922-3 | 2-Critical | | BD crash when the content profile used for a login page has no parse parameters set |
726537-1 | 2-Critical | | Rare TMM crash when Single Page Application is enabled on DoSL7 |
576123-4 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
750356-3 | 3-Major | | Split View pages: if a user-defined filter is removed right after creation, all user-defined filters are deleted |
747777-1 | 3-Major | | Extractions are learned in manual learning mode |
747550-1 | 3-Major | | Error "This Logout URL already exists!" when updating logout page via GUI |
745802-3 | 3-Major | | Brute Force CAPTCHA response page truncates the last digit in the support ID |
745358-3 | 3-Major | | ASM GUI does not follow best practices |
744347-2 | 3-Major | | Protocol Security logging profiles cause slow ASM upgrade and apply policy |
743961-3 | 3-Major | | Signature overrides for content profiles do not work after a signature update |
738864-1 | 3-Major | | JavaScript functions in href are learned from the response as new URLs |
738211-3 | 3-Major | | pabnagd core when centralized learning is turned on |
734228-1 | 3-Major | | False-positive illegal-length violation can appear |
726377-1 | 3-Major | | False-positive cookie hijacking violation |
721752-2 | 3-Major | | Null char returned in REST for a suggestion with more than MAX_INT occurrences |
705925-1 | 3-Major | | WebSocket message type not displayed in Request Log |
701792-2 | 3-Major | | JS injection into cached HTML response causes TCP RST on the fictive URLs |
696333-1 | 3-Major | | Threat campaign filter does not return a campaign if the filter contains a quote |
690215-2 | 3-Major | | Missing requests in request log |
676416-4 | 3-Major | | BD restart when switching FTP profiles |
676223-4 | 3-Major | | Internal parameter to avoid signing allowed cookies |
663535-2 | 3-Major | | ASM cookies sent with the "secure" attribute even without a client-ssl profile |
605649-2 | 3-Major | K28782793 | The cbrd daemon runs at 100% CPU utilization |
748999-1 | 4-Minor | | Invalid inactivity timeout suggestion for cookies |
747905-1 | 4-Minor | | 'Illegal Query String Length' violation displays the wrong length |
745531-1 | 4-Minor | | Puffin Browser gets blocked by Bot Defense |
739345 | 4-Minor | | Reporting invalid signature ID after a specific signature upgrade |
685743-5 | 4-Minor | | When the internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported |
665470-3 | 4-Minor | | Failed to load sample requests on the Traffic Learning page when a VIOL_MALICIOUS_IP violation is raised |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
746941 | 2-Critical | | avrd memory leak when BIG-IQ fails to receive stats information |
739446-2 | 2-Critical | | Resetting SSL socket correctly for AVR connection |
737813-1 | 2-Critical | | BIG-IP is unable to send statistics to a BIG-IQ DCD node using an IPv6 address |
749464 | 3-Major | | Race condition while BIG-IQ updates common file |
749461 | 3-Major | | Race condition while modifying analytics global-settings |
746823 | 3-Major | | avrd crash when configured to send data externally and there are a large number of virtuals/pool members |
745027 | 3-Major | | AVR performs extra DNS data collection even when it should not |
744595-1 | 3-Major | | DoS-related reports might not contain some of the activity that took place |
744589-1 | 3-Major | | Missing data for Firewall Events statistics |
741767-2 | 3-Major | | ASM Resource :: CPU Utilization statistics are in the wrong scale |
740086 | 3-Major | | AVR reports ignore partitions for Admin users |
716782-2 | 3-Major | | AVR should add a new field, Microtimestamp, to the events it sends |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753368 | 1-Blocking | | Unable to import access policy with pool |
747621-2 | 2-Critical | | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used |
744556-1 | 2-Critical | | Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3 |
737442-2 | 2-Critical | | Error in APM Hosted Content when set to public access |
714716-2 | 2-Critical | | apmd logs password for ACP messages when in debug mode |
754346-1 | 3-Major | | Access policy was not found while creating configuration snapshot. |
750496-1 | 3-Major | | TMM crashes on traffic passthrough when an SSO Config object is deleted while in use by an SSO Configuration Select agent in a PRP |
746771-1 | 3-Major | | apmd recreates config snapshots for all access profiles every minute |
746768-1 | 3-Major | | apmd leaks memory if an access policy contains variable/resource assign policy items |
745654-2 | 3-Major | | Heavy use of APM Kerberos SSO can sometimes lead to slowness of the virtual server |
745574-3 | 3-Major | | URL is not removed from a custom category when deleted |
743437-1 | 3-Major | | Portal Access: issue with long 'data:' URL |
743150-1 | 3-Major | | Increase the limit of the maximum allowed timestamp for OAuth token processing in the OAuth client |
739744-1 | 3-Major | | Import of policy using a pool with members is failing |
719079-1 | 3-Major | | Portal Access: same-origin AJAX request may fail under some conditions. |
718136-2 | 3-Major | | 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
742829-3 | 3-Major | | SIP ALG: do not translate or create media channels if the RTP port defined in the SIP message is 0 |
741951-2 | 3-Major | | Multiple extensions in a SIP NOTIFY request cause the message to be dropped. |
699431-3 | 3-Major | | Possible memory leak in MRF under low memory |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
747104-3 | 1-Blocking | K52868493 | libssh vulnerability: CVE-2018-10933 |
753028-1 | 3-Major | | AFM drops forwarded ICMP traffic matching a FW NAT rule for destination NAT that also has Proxy ARP enabled for destination addresses in the rule |
747926 | 3-Major | | Rare TMM restart due to NULL pointer access during AFM ACL logging |
745809 | 3-Major | | The /var partition may become 100% full, requiring manual intervention to clear space |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744516-1 | 2-Critical | | TMM panics after a large number of LSN remote picks |
744959-1 | 3-Major | | SNMP OID for sysLsnPoolStatTotal not incremented in stats |
727212-1 | 3-Major | | Subscriber-ID query using a full-length IPv6 address fails. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748976 | 3-Major | | DataSafe Logging Settings page is missing when a DataSafe license is active |
742037-3 | 3-Major | | FPS live updates do not install when the minor version is different |
741449-1 | 4-Minor | | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts |
726039 | 5-Cosmetic | | Information is not updated after installing an FPS live update via the GUI |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748813-1 | 2-Critical | | tmm cores under stress test on a VS with a DoS profile and admd enabled |
748121-1 | 2-Critical | | admd livelock under CPU starvation |
741761-1 | 2-Critical | | admd might fail the heartbeat, resulting in a core |
704236-1 | 2-Critical | | TMM crash when attaching a FastL4 profile |
702936-1 | 2-Critical | | TMM SIGSEGV under specific conditions. |
653573-4 | 2-Critical | | admd not cleaning up child rsync processes |
741993-1 | 3-Major | | The BIG-IP system does not answer requests matching an L7 policy that disables DoSL7 when BADOS is configured. |
741752-1 | 3-Major | | [BADOS] state file is not saved when the virtual server reuses a self IP of the device |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
724847 | 3-Major | K95010813 | DNS traffic does not get classified for AFM port misuse case |
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
745783-3 | 3-Major | | Anti-fraud: remote logging of login attempts |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
684370-1 | 3-Major | | APM now supports VMware Workspace ONE integration with vIDM as ID provider |
683741-1 | 3-Major | | APM now supports VMware Workspace ONE integration with vIDM as ID provider |
635509-1 | 3-Major | | APM does not support VMware Blast UDP |
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
726089-2 | CVE-2018-15312 | K44462254 | Modifications to AVR metrics page |
725815-1 | CVE-2018-15320 | K72442354 | vlangroup usage may cause excessive resource consumption |
724339-1 | CVE-2018-15314 | K04524282 | Unexpected TMUI output in AFM |
724335-1 | CVE-2018-15313 | K21042153 | Unexpected TMUI output in AFM |
722091-3 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
717888 | CVE-2018-15323 | K26583415 | TMM may leak memory when a virtual server uses the MQTT profile. |
717742-5 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerabilities (CVE-2018-2783 and the other CVEs listed) |
707990-2 | CVE-2018-15315 | K41704442 | Unexpected TMUI output in SSL Certificate Instance page |
704184-6 | CVE-2018-5529 | K52171282 | APM Mac client creates files with owner-only read/write permissions |
701253-5 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
693810-6 | CVE-2018-5529 | K52171282 | CVE-2018-5529: APM Linux Client Vulnerability |
741858-1 | CVE-2018-15324 | K52206731 | TMM may crash while processing Portal Access requests |
734822-3 | CVE-2018-15325 | K77313277 | TMSH improvements |
726409-4 | CVE-2017-8890, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077 | K61429540 | Kernel vulnerabilities: CVE-2017-8890, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077 |
725801-4 | CVE-2017-7889 | K80440915 | CVE-2017-7889: Kernel Vulnerability |
725635-2 | CVE-2018-3665 | K21344224 | CVE-2018-3665: Intel Lazy FPU Vulnerability |
724680-4 | CVE-2018-0732 | K21665601 | OpenSSL Vulnerability: CVE-2018-0732 |
719554-2 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
710705-2 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
705799-2 | CVE-2018-15325 | K77313277 | TMSH improvements |
699453-4 | CVE-2018-15327 | K20222812 | Web UI does not follow current best coding practices |
712876-2 | CVE-2017-8824 | K15526101 | CVE-2017-8824: Kernel Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-1 | 3-Major | | BGP 'capability graceful-restart' for a peer-group is not properly advertised when configured |
715750-2 | 3-Major | | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN mid-stream in an SSL connection. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
693611-3 | 1-Blocking | K76313256 | IKEv2 ike-peer might crash on stats object during peer modification update |
743810-1 | 2-Critical | | AWS: Disk resizing in m5/c5 instances fails silently. |
743082-1 | 2-Critical | | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM pool members★ |
739507 | 2-Critical | | How to recover from a failed state due to FIPS integrity check |
739505 | 2-Critical | | Automatic ISO digital signature checking not required when FIPS license active★ |
739285-1 | 2-Critical | | GUI partially missing when vCMP is provisioned |
725696-1 | 2-Critical | | A timer loop might occur when OCSP stapling is enabled, resulting in tmm being aborted |
723722-2 | 2-Critical | | MCPD crashes if several thousand files are created between config syncs. |
721924-2 | 2-Critical | K17264695 | bgpd may crash processing extended ASNs |
721350-2 | 2-Critical | | The size of the icrd_child process is steadily growing |
717785-1 | 2-Critical | | Interface-cos shows no egress stats for CoS configurations |
716391-2 | 2-Critical | | High priority for MySQL on a 2-core vCMP guest may lead to control plane process starvation |
711683-2 | 2-Critical | | bcm56xxd crash with empty trunk in QinQ VLAN |
707003-3 | 2-Critical | | Unexpected syntax error in TMSH AVR |
706423-1 | 2-Critical | | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption |
703669-2 | 2-Critical | | eventd restarts on NULL pointer access |
703045-1 | 2-Critical | | If TMSH commands with deprecated attributes are used in an iApp, the upgrade fails. |
700386-2 | 2-Critical | | mcpd may dump core on startup |
693996-5 | 2-Critical | K42285625 | MCPD sync errors and restart after multiple modifications to file object in chassis |
692158-1 | 2-Critical | | iCall and CLI script memory leak when saving configuration |
691589-4 | 2-Critical | | When using LDAP client auth, tamd may become stuck |
690819-1 | 2-Critical | | Using an iRule module after a 'session lookup' may result in a crash |
689437-1 | 2-Critical | | icrd_child cores due to infinite recursion caused by incorrect group name handling |
689002-3 | 2-Critical | | Stack overflow when JSON is deeply nested |
658410-2 | 2-Critical | | icrd_child generates a core when calling PUT on ltm/data-group/internal/ |
652877-5 | 2-Critical | | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades |
638091-6 | 2-Critical | | Config sync after changing named pool members can cause mcpd on secondary blades to restart |
739126 | 3-Major | | Multiple VE installations may have different sized volumes |
733585-3 | 3-Major | | merged can use 100% of CPU if all stats snapshot files are in the future |
727467-1 | 3-Major | | Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. |
722682-2 | 3-Major | | Fix for ID 615222 results in an upgrade issue for a GTM pool member whose name contains a colon; config fails to load★ |
721740-2 | 3-Major | | CPU stats are not correctly recorded when snapshot files have timestamps in the future |
720713-2 | 3-Major | | TMM traffic to/from an i10600/i10800 device in vCMP host mode may fail |
720461-2 | 3-Major | | qkview prompts for password on chassis |
718525-1 | 3-Major | | PostgreSQL errors seen on startup after removing the mcpd binary database and rebooting |
714974-2 | 3-Major | | Platform-migrate of UCS containing QinQ fails on VE★ |
714903-2 | 3-Major | | Errors in chmand |
714654-2 | 3-Major | | Creating a static route for an advertised dynamic route might result in dropping the tmrouted connection to TMM |
713813-2 | 3-Major | | Node monitor instances not showing up in GUI |
712102-2 | 3-Major | K11430165 | Customizing or changing the HTTP profile's IPv6 field hides the field or the row |
710232-2 | 3-Major | | platform-migrate fails when LACP trunks are in use |
709444-2 | 3-Major | | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured |
709192-1 | 3-Major | | GUI/iControl SOAP: KeyManagement export_all_to_archive_file fails immediately after HTTPD restart |
707740-4 | 3-Major | | Failure deleting GTM monitors when used on multiple virtual servers with the same ip:port combination |
707509-1 | 3-Major | | Initial vCMP guest creation can fail if certain hotfixes are used |
707391-2 | 3-Major | | BGP may keep announcing routes after disabling route health injection |
706804-1 | 3-Major | | SNMP trap destination configuration of network option is missing "default" keyword |
706354-2 | 3-Major | | OPT-0045 optic unable to link |
706169-3 | 3-Major | | tmsh memory leak |
705456-1 | 3-Major | | vCMP guests unable to install block-device-image ISOs when http->https redirection is enabled |
704755-1 | 3-Major | | EUD_M package could not be installed on 800 platforms |
704512-1 | 3-Major | | Automated upload of qkview to iHealth can time out, resulting in an error |
704336-1 | 3-Major | | Updated 3rd-party device cert is not copied correctly to the trusted certificate store |
702227-3 | 3-Major | | Memory leak in TMSH load sys config |
700757-1 | 3-Major | | vcmpd may crash when it is exiting |
700576-1 | 3-Major | | GUI: Server SSL profile shows irrelevant options when "Server Certificate" is set to "Ignore" |
700426 | 3-Major | K58033284 | Switching partitions while viewing objects in GUI can result in empty list |
700250-3 | 3-Major | K59327012 | qkviews for secondary blade appear to be corrupt |
698875-1 | 3-Major | | qkview security hardening |
698084-3 | 3-Major | K03776801 | IPsec log messages in /var/log/ltm missing module ID needed to reach BIG-IQ logs |
696731-3 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
693578-2 | 3-Major | | switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0 |
692189-1 | 3-Major | | errdefsd fails to generate a core file on request. |
692179-1 | 3-Major | | Potential high memory usage from errdefsd. |
691609-1 | 3-Major | | 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address★ |
690890-1 | 3-Major | | Running sod manually can cause issues/failover |
689375-1 | 3-Major | K01512833 | Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled |
688406-1 | 3-Major | K14513346 | HA-Group score showing 0 |
687905-2 | 3-Major | K72040312 | OneConnect profile causes CMP redirected connections on the HA standby |
687534-1 | 3-Major | | If a pool name contains "..", it is impossible to add a member to the pool using the GUI Local Traffic > Pools : Member List page |
684391-3 | 3-Major | | Existing IPsec tunnels reload. tmipsecd creates a core file. |
684218-1 | 3-Major | | vADC 'live-install' downgrade from v13.1.0 is not possible |
681782-6 | 3-Major | | Unicast IP address can be configured in a failover multicast configuration |
679347-2 | 3-Major | K44117473 | ECP does not work for PFS in IKEv2 child SAs |
678488-1 | 3-Major | K59332320 | BGP default-originate not announced to peers if several are peering over different VLANs |
677485-1 | 3-Major | | Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error |
671712-2 | 3-Major | | The values returned for the ltmUserStatProfileStat table are incorrect. |
670528-4 | 3-Major | K20251354 | Warnings during vCMP host upgrade. |
651413-4 | 3-Major | K34042229 | tmsh list ltm node does not return an error when the node does not exist |
642923-6 | 3-Major | | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system |
617643-2 | 3-Major | | iControl.ForceSessions enabled results in GUI error on certain pages |
551925-4 | 3-Major | | Misdirected UDP traffic with hardware acceleration |
464650-6 | 3-Major | | Failure of mcpd with invalid authentication context. |
727297-3 | 4-Minor | | GUI TACACS+ remote server list should accept hostname |
725612-1 | 4-Minor | | syslog-ng remote destination needs a unique name that changes on address change. |
719770-2 | 4-Minor | | tmctl crashes when the -H, -V, or -l options are given without values |
714749-2 | 4-Minor | | cURL vulnerability: CVE-2018-1000120 |
713947-1 | 4-Minor | | stpd repeatedly logs "hal sendMessage failed" |
713932-1 | 4-Minor | | Commands are replicated to PostgreSQL even when not in use. |
707631-2 | 4-Minor | | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI |
707267 | 4-Minor | | REST Framework HTTP header size limit increased to 8 KB |
701826 | 4-Minor | | qkview upload to iHealth fails or unable to untar qkview file |
691491-5 | 4-Minor | K13841403 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces |
685582-7 | 4-Minor | | Incorrect output of b64 unit key hash by command f5mku -f |
683029-1 | 4-Minor | Sync of virtual address and self IP traffic groups only happens in one direction | |
679135-2 | 4-Minor | IKEv1 and IKEv2 cannot share common local address in tunnels | |
678388-1 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
722594-2 | 1-Blocking | TCP flow may not work as expected if double tagging is used | |
737445-2 | 2-Critical | Use of TCP Verified Accept can disable server-side flow control | |
727044-2 | 2-Critical | TMM may crash while processing compressed data | |
726239-4 | 2-Critical | interruption of traffic handling as sod daemon restarts TMM | |
725545-1 | 2-Critical | Ephemeral listener might not be set up correctly | |
724906-1 | 2-Critical | sasp_gwm monitor leaks memory over time | |
724868-1 | 2-Critical | dynconfd memory usage increases over time | |
724213-1 | 2-Critical | K74431483 | Modified ssl_profile monitor param not synced correctly |
722893-1 | 2-Critical | K30764018 | The TMM - host interface may stall when the kernel memory is fragmented |
722387-3 | 2-Critical | TMM may crash when processing APM DTLS traffic | |
716900-2 | 2-Critical | TMM core when using MPTCP | |
716213-1 | 2-Critical | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic | |
713612-1 | 2-Critical | tmm might restart if the HTTP passthrough on pipeline option is used | |
710221-2 | 2-Critical | K67352313 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled |
673664-1 | 2-Critical | TMM crashes when sys db Crypto.HwAcceleration is disabled.★ | |
635191-2 | 2-Critical | Under rare circumstances TMM may crash | |
727222-1 | 3-Major | 206 Partial Content responses from ramcache have malformed Content-Range header | |
723300-2 | 3-Major | TMM may crash when tracing iRules containing nameless listeners on internal virtual servers | |
722677-4 | 3-Major | High-Speed Bridge may lock up | |
722363-2 | 3-Major | Client fails to connect to server when using PVA offload at Established | |
721261-1 | 3-Major | v12.x Policy rule names containing slashes are not migrated properly | |
720293-3 | 3-Major | HTTP2 IPv4 to IPv6 fails | |
719600-2 | 3-Major | TCP::collect iRule with L7 policy present may result in connection reset | |
717346-2 | 3-Major | K13040347 | [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
715883 | 3-Major | tmm crash due to invalid cookie attribute | |
715785-2 | 3-Major | Incorrect encryption error for monitors during sync or upgrade | |
715756-2 | 3-Major | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | |
715467-2 | 3-Major | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | |
714384-3 | 3-Major | DHCP traffic may not be forwarded when BWC is configured | |
707951-2 | 3-Major | Stalled mirrored flows on HA next-active when OneConnect is used. | |
704764-3 | 3-Major | SASP monitor marks members down with non-default route domains | |
703580-1 | 3-Major | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. | |
703266-2 | 3-Major | Potential MCP memory leak in LTM policy compile code | |
702450-1 | 3-Major | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | |
701690-1 | 3-Major | K53819652 | Fragmented ICMP forwarded with incorrect icmp checksum |
700696-1 | 3-Major | SSID does not cache fragmented Client Certificates correctly via iRule | |
699273-1 | 3-Major | TMM Core During FTP Monitor Use | |
695925-1 | 3-Major | tmm crash when showing connections for a CMP disabled virtual server | |
691785-1 | 3-Major | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes | |
691224-3 | 3-Major | K59327001 | Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled |
690778-1 | 3-Major | K53531153 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule |
688629-1 | 3-Major | K52334096 | Deleting data-group in use by iRule does not trigger validation error |
685110-1 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. |
681757-3 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
681673-4 | 3-Major | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results | |
679613-1 | 3-Major | K23531420 | i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' |
672312-3 | 3-Major | IP ToS may not be forwarded to serverside with syncookie activated | |
602708-4 | 3-Major | K84837413 | Traffic may not pass through CoS by default |
716922-2 | 4-Minor | Reduction in PUSH flags when Nagle Enabled | |
712637-2 | 4-Minor | Host header persistence not implemented | |
700433-1 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
697988-3 | 4-Minor | During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100% | |
693966-1 | 4-Minor | TCP sndpack not reset along with other tcp profile stats | |
688557-1 | 4-Minor | K50462482 | Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' |
495242-4 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object | |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
718885-3 | 2-Critical | K25348242 | Under certain conditions, monitor probes may not be sent at the configured interval |
723792-2 | 3-Major | GTM regex handling of some escape characters renders it invalid | |
719644-2 | 3-Major | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ | |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737500-2 | 2-Critical | Apply Policy and Upgrade time degradation when there are previous enforced rules | |
726090-1 | 2-Critical | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense | |
724414-2 | 2-Critical | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled | |
724032-1 | 2-Critical | Searching Request Log for value containing backslash does not return expected result | |
721741-3 | 2-Critical | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | |
704143-1 | 2-Critical | BD memory leak | |
701856-1 | 2-Critical | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart | |
740719-2 | 3-Major | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive | |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
737867-1 | 3-Major | Scheduled reports are being incorrectly displayed in different partitions | |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
739716-2 | 1-Blocking | APM Subroutine loops without finishing | |
740777-1 | 2-Critical | Secondary blades mcp daemon restart when subroutine properties are configured | |
739947-1 | 2-Critical | TMM may crash while processing APM traffic | |
739674-1 | 2-Critical | TMM might core in SWG scenario with per-request policy. | |
722013 | 2-Critical | MCPD restarts on all secondary blades post config-sync involving APM customization group | |
713820-1 | 2-Critical | Pass in IP to urldb categorization engine | |
739939-1 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
739190 | 3-Major | Policies could be exported with not patched /Common partition | |
738582-1 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
738397-1 | 3-Major | SAML IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | |
737355-1 | 3-Major | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | |
737064-2 | 3-Major | ACCESS::session iRule commands may not work in serverside events | |
726895 | 3-Major | K02205915 | VPE cannot modify subroutine settings |
726616-1 | 3-Major | TMM crashes when a session is terminated | |
726592-1 | 3-Major | Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop | |
725867-2 | 3-Major | ADFS proxy does not fetch configuration for non-floating virtual servers | |
725412-1 | 3-Major | APM does not follow current best practices for HTTP headers | |
724571-1 | 3-Major | Importing access profile takes a long time | |
722969-2 | 3-Major | Access Policy import with 'reuse' enabled instead rewrites shared objects | |
722423-1 | 3-Major | Analytics agent always resets when Category Lookup is of type custom only | |
720757-1 | 3-Major | Without proper licenses Category Lookup always fails with license error in Allow Ending | |
713655-2 | 3-Major | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | |
711427-2 | 3-Major | Edge Browser does not launch F5 VPN App | |
710884-1 | 3-Major | Portal Access might omit some valid cookies when rewriting HTTP request. | |
701800-2 | 3-Major | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x | |
701056-1 | 3-Major | User is not able to reset their Active Directory password | |
698984-1 | 3-Major | Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned | |
696669-1 | 3-Major | Users cannot change or reset RSA PIN | |
696544-1 | 3-Major | APM end users cannot change/reset password when auth agents are included in per-request policy | |
671323-1 | 3-Major | Reset PIN Fail if Token input field is not 'password' field | |
734595-2 | 4-Minor | sp-connector is not being deleted together with profile | |
721375-1 | 4-Minor | Export then import of config with RSA server in it might fail | |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-2 | 2-Critical | wamd may leak memory during configuration changes and cluster events | |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
709383-2 | 3-Major | DIAMETER::persist reset non-functional | |
706750-1 | 3-Major | Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash. | |
691048-1 | 3-Major | K34553736 | Support DIAMETER Experimental-Result AVP response |
688942-5 | 3-Major | ICAP: Chunk parser performs poorly with very large chunk | |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
724532-2 | 2-Critical | SIGSEGV during IP intelligence category match in TMM | |
720045-1 | 2-Critical | IP fragmented UDP DNS request and response packets dropped as DNS Malformed | |
710755-1 | 2-Critical | Crash when cached route information becomes stale and the system accesses the information from it. | |
698333-1 | 2-Critical | K43392052 | TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families) |
694849-1 | 2-Critical | TMM crash when packet sampling is turned on for DNS BDOS signatures. | |
672514-1 | 2-Critical | Local Traffic/Virtual Server/Security page crashed | |
630137-2 | 2-Critical | Dynamic Signatures feature can fill up /config partition impacting system stability | |
726154-2 | 3-Major | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | |
704528-2 | 3-Major | tmm may run out of memory during IP shunning | |
704369-2 | 3-Major | TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled | |
696201-1 | 3-Major | Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation | |
686376-2 | 3-Major | Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon | |
707054-1 | 4-Minor | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 | |
699454-4 | 4-Minor | Web UI does not follow current best coding practices | |
699452-4 | 4-Minor | Web UI does not follow current best coding practices | |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726647-3 | 3-Major | PEM content insertion in a compressed response may truncate some data | |
721704-1 | 3-Major | UDP flows are not deleted after subscriber deletion | |
709670-2 | 3-Major | iRule triggered from RADIUS occasionally fails to create subscribers. | |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
721570-1 | 1-Blocking | K20285019 | TMM core when trying to log an unknown subscriber |
734446-2 | 2-Critical | TMM crash after changing LSN pool mode from PBA to NAPT | |
688246-1 | 2-Critical | An invalid mode in the LSN::persistence command causes TMM crash | |
708830-2 | 3-Major | Inbound or hairpin connections may get stuck consuming memory. | |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
738669-2 | 3-Major | Login validation may fail for a large request with early server response | |
737368-1 | 3-Major | Fingerprint cookie large value may result in tmm core. | |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
739277 | 2-Critical | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | |
720585-1 | 3-Major | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | |
689540-1 | 3-Major | The same DOS attack generates new signatures even if there are signatures generated during previous attacks. | |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
726303-1 | 3-Major | Unlock 10 million custom db entry limit | |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
726872-2 | 3-Major | iApp LX directory disappears after upgrade or restoring from UCS★ | |
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
693359-1 | 1-Blocking | AWS M5 and C5 instance families are supported | |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
721364 | 1-Blocking | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers | |
716469 | 1-Blocking | OpenSSL 1.0.1l fails with 512 bit DSA keys | |
697615-1 | 1-Blocking | K65013424 | Neurond may restart indefinitely after boot, with neurond_i2c_config message |
675921-2 | 1-Blocking | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running | |
723130-1 | 2-Critical | K13996 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file |
700086-1 | 2-Critical | AWS C5/M5 Instances do not support BIG-IP VE | |
696732-3 | 2-Critical | K54431534 | tmm may crash in a compression provider |
721985 | 3-Major | PAYG License remains inactive as dossier verification fails. | |
721512 | 3-Major | Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6. | |
721342 | 3-Major | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. | |
720961-1 | 3-Major | Upgrading in Intelligence Community AWS environment may fail | |
720756-1 | 3-Major | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS | |
720651-2 | 3-Major | Running Guest Changed to Provisioned Never Stops | |
720104-1 | 3-Major | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | |
719396-1 | 3-Major | K34339214 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. |
717832 | 3-Major | Remove unneeded files from UCS backup directories | |
714303-1 | 3-Major | X520 virtual functions do not support MAC masquerading | |
712266-1 | 3-Major | Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware | |
697616-2 | 3-Major | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests | |
680086 | 3-Major | md5sum check on BMC firmware fails | |
673996-2 | 3-Major | Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms | |
680388-1 | 4-Minor | f5optics should not show function name in non-debug log messages | |
653759-1 | 4-Minor | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★ | |
720391-2 | 5-Cosmetic | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' | |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737550 | 2-Critical | State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade★ | |
701538-2 | 2-Critical | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured | |
720460-1 | 3-Major | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly | |
694778-1 | 3-Major | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size | |
686631-2 | 3-Major | Deselect a compression provider at the end of a job and reselect a provider for a new job | |
679494-1 | 3-Major | Change the default compression strategy to speed | |
495443-9 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
679496-2 | 4-Minor | Add 'comp_req' to the output of 'tmctl compress' | |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
717909 | 2-Critical | tmm can abort on sPVA flush if the HSB flush does not succeed | |
701637 | 2-Critical | Crash in bcm56xxd during TMM failover | |
644822 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
702738-1 | 3-Major | K32181540 | Tmm might crash activating new blob when changing firewall rules |
698182 | 3-Major | Upgrading from 13.1.1 to newer release might cause config to not be copied over★ | |
697516 | 3-Major | Upgrading using a UCS or SCF file does not autogenerate UUIDs when current config has the uuid-default-autogenerate flag enabled | |
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
716992-2 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
715923-1 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may reset connections |
710244-3 | CVE-2018-5536 | K27391542 | Memory Leak of access policy execution objects |
710140-1 | CVE-2018-5527 | K20134942 | TMM may consume excessive resources when processing SSL Intercept traffic |
709688-3 | CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
695072-2 | CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 | K23030550 | Linux kernel vulnerabilities: CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 |
693744-4 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
651741-2 | CVE-2017-5970 | K60104355 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop |
717900-2 | CVE-2018-5528 | K27044729 | TMM crash while processing APM data |
710148-2 | CVE-2017-1000111, CVE-2017-1000112 | K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
709256-2 | CVE-2017-9074, CVE-2017-7542 | K61223103 | CVE-2017-9074: Local Linux Kernel Vulnerability |
705476-2 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
698813-2 | CVE-2018-5538 | K45435121 | When processing DNSX transfers ZoneRunner does not enforce best practices |
688625-5 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
662850-6 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
714879-3 | CVE-2018-15326 | K34652116 | APM CRLDP Auth passes all certs |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
685020-3 | 3-Major | Enhancement to SessionDB provides timeout | |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
708956-1 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
719597 | 2-Critical | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 | |
715820-1 | 2-Critical | vCMP in HA configuration with VIPRION chassis might cause unstable data plane | |
712401-1 | 2-Critical | Enhanced administrator lock/unlock for Common Criteria compliance | |
676203-3 | 2-Critical | Inter-blade mpi connection fails, does not recover, and eventually all memory consumed. | |
665362-2 | 2-Critical | MCPD might crash if the AOM restarts | |
581851-6 | 2-Critical | K16234725 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands |
711249-1 | 3-Major | NAS-IP-Address added to RADIUS packet unexpectedly | |
710976-1 | 3-Major | Network Map might take a long time to load | |
710827-2 | 3-Major | TMUI dashboard daemon stability issue | |
708484-2 | 3-Major | Network Map might take a long time to load | |
707445-3 | 3-Major | Nitrox 3 compression hangs/unable to recover | |
705818-1 | 3-Major | GUI Network Map Policy with forward Rule to Pool, Pool does not show up | |
704804-1 | 3-Major | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | |
704733-1 | 3-Major | NAS-IP-Address is sent with the bytes in reverse order | |
704247-2 | 3-Major | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted | |
701249-1 | 3-Major | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | |
700895-1 | 3-Major | K34944451 | GUI Network Map objects in subfolders are not being shown |
696260-1 | 3-Major | K53103420 | GUI Network Map as Start Screen presents database error |
694696-5 | 3-Major | On multi-blade VIPRION, creating a new traffic-group causes the device to go Offline | |
694547-2 | 3-Major | K74203532 | TMSH save sys config creates unneeded generate_config processes. |
689730-3 | 3-Major | Software installations from v13.1.0 might fail★ | |
687658 | 3-Major | Monitor operations in transaction will cause it to stay unchecked | |
686906-2 | 3-Major | Fragmented IPv6 packets not handled correctly on Virtual Edition | |
674455-5 | 3-Major | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS | |
678254-1 | 4-Minor | Error logged when restarting Tomcat | |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
721571-1 | 2-Critical | State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★ | |
718071-1 | 2-Critical | HTTP2 with ASM policy not passing traffic | |
715747 | 2-Critical | TMM may restart when running traffic through custom SSLO deployments. | |
709828-2 | 2-Critical | fasthttp can crash with Large Receive Offload enabled | |
707244-3 | 2-Critical | iRule command clientside and serverside may crash tmm | |
707207-1 | 2-Critical | iRuleLx returning undefined value may cause TMM restart | |
700597-1 | 2-Critical | Local Traffic Policy on HTTP/2 virtual server no longer matches | |
700056-1 | 2-Critical | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server | |
690756-1 | 2-Critical | APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated | |
571651-4 | 2-Critical | K66544028 | Reset Nitrox3 crypto accelerator queue if it becomes stuck. |
713951-5 | 3-Major | tmm core files produced by nitrox_diag may be missing data | |
713934-2 | 3-Major | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response | |
712819-2 | 3-Major | 'HTTP::hsts preload' iRule command cannot be used | |
712475-3 | 3-Major | K56479945 | DNS zones without servers will prevent DNS Express reading zone data |
712437-3 | 3-Major | K20355559 | Records containing hyphens (-) will prevent child zone from loading correctly |
711281-5 | 3-Major | nitrox_diag may run out of space on /shared | |
710996-2 | 3-Major | VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP | |
709133-2 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur | |
709132-1 | 3-Major | When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur | |
707961-2 | 3-Major | K50013510 | Unable to add policy to virtual server; error = Failed to compile the combined policies |
707109-1 | 3-Major | Memory leak when using C3D | |
704381-5 | 3-Major | SSL/TLS handshake failures and terminations are logged at too low a level | |
702151-1 | 3-Major | HTTP/2 can garble large headers | |
700889-3 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
700061-4 | 3-Major | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | |
699598-2 | 3-Major | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR | |
696755 | 3-Major | HTTP/2 may truncate a response body when served from cache | |
693308-1 | 3-Major | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain | |
689089-1 | 3-Major | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot | |
688744-1 | 3-Major | K11793920 | LTM Policy does not correctly handle multiple datagroups |
686890-1 | 3-Major | X509_EXTENSION memory blocks leak when C3D forges the certificate. | |
682944-1 | 3-Major | key-id missing for installed netHSM key for standby BIG-IP system in HA setup | |
682283-2 | 3-Major | Malformed HTTP/2 request with invalid Content-Length value is served against RFC | |
678872-3 | 3-Major | Inconsistent behavior for virtual-address and selfip on the same ip-address | |
673399-3 | 3-Major | HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. | |
653201-2 | 3-Major | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it | |
713533-2 | 4-Minor | list self-ip with queries does not work | |
708249-2 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | |
692095-1 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member |
678801-4 | 4-Minor | WS::enabled returned empty string | |
677958-4 | 4-Minor | WS::frame prepend and WS::frame append do not insert string in the right place. | |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
698992-1 | 3-Major | Performance degraded | |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
713066-1 | 2-Critical | K10620131 | Connection failure during DNS lookup to disabled nameserver can crash TMM |
707310-2 | 2-Critical | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) | |
721895 | 3-Major | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) | |
715448-2 | 3-Major | Providing LB::status with a GTM Pool name in a variable caused validation issues | |
710032-1 | 3-Major | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. | |
706128-2 | 3-Major | DNSSEC Signed Zone Transfers Can Leak Memory | |
703545-1 | 3-Major | DNS::return iRule "loop" checking disabled | |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
718152 | 2-Critical | K14591455 | ASM GUI request log does not load on cluster |
716788-2 | 2-Critical | TMM may crash while response modifications are being performed within DoSL7 filter | |
713390-1 | 2-Critical | ASM Signature Update cannot be performed on hourly billing cloud instance | |
685230-3 | 2-Critical | memory leak on a specific server scenario | |
606983-2 | 2-Critical | ASM errors during policy import | |
719459-2 | 3-Major | Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled | |
719005-1 | 3-Major | Login request may arrive corrupted to the backend server after CAPTCHA mitigation | |
717756-2 | 3-Major | High CPU usage from asm_config_server | |
716940-2 | 3-Major | Traffic Learning screen graphs shows data for the last day only | |
715128-1 | 3-Major | Simple mode Signature edit does not escape semicolon | |
713282-1 | 3-Major | Remote logger violation_details field does not appear when virtual server has more than one remote logger | |
712362-3 | 3-Major | ASM stalls WebSocket frames after legitimate WebSocket handshake with 101 status code, but without 'Switching Protocols' reason phrase | |
711405-1 | 3-Major | K14770331 | ASM GUI Fails to Display Policy List After Upgrade |
710327-1 | 3-Major | Remote logger message is truncated at NULL character. | |
707147-1 | 3-Major | High CPU consumed by asm_config_server_rpc_handler_async.pl | |
706845-2 | 3-Major | False positive illegal multipart violation | |
706665-2 | 3-Major | ASM policy is modified after pabnagd restart | |
704643-1 | 3-Major | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule | |
702008-1 | 3-Major | ASM REST: Missing DB Cleanup for some tables | |
700143-2 | 3-Major | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages | |
691897-3 | 3-Major | Names of the modified cookies do not appear in the event log | |
687759-1 | 3-Major | bd crash | |
686765-2 | 3-Major | Database cleaning failure may allow MySQL space to fill the disk entirely | |
674256-2 | 3-Major | K60745057 | False positive cookie hijacking violation |
675232-6 | 4-Minor | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
710315-1 | 2-Critical | AVR-profile might cause issues when loading a configuration or when using config sync | |
698226-1 | 2-Critical | Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly | |
696642-1 | 2-Critical | monpd core is sometimes created when the system is under heavy load. | |
721474-1 | 3-Major | AVR does not send all SSLO statistics to offbox machine. | |
715110 | 3-Major | AVR should report 'resolutions' in module GtmWideip | |
712118 | 3-Major | AVR should report on all 'global tags' in external logs | |
706361 | 3-Major | IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0★ | |
696212-1 | 3-Major | monpd does not return data for multi-dimension query | |
648242-2 | 3-Major | K73521040 | Administrator users unable to access all partitions via TMSH for AVR reports |
649161-2 | 4-Minor | K42340304 | AVR caching mechanism not working properly |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
720214-1 | 2-Critical | NTLM Authentication might fail if Strict Update in iApp is modified | |
720189-1 | 2-Critical | VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download | |
719149-2 | 2-Critical | VDI plugin might hang while processing native RDP connections | |
716747-2 | 2-Critical | TMM may crash while processing APM or SWG traffic | |
715250-1 | 2-Critical | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED | |
713156-1 | 2-Critical | AGC cannot do redeploy in Exchange and ADFS use cases | |
710116-1 | 2-Critical | VPN clients experience packet loss/disconnection | |
694078-1 | 2-Critical | In rare cases, TMM may crash with high APM traffic | |
720695-1 | 3-Major | Export then import of APM access Profile/Policy with advanced customization is failing | |
719192 | 3-Major | In VPE Agent VMware View Policy shows no properties | |
715207-3 | 3-Major | coapi errors while modifying per-request policy in VPE | |
714961-1 | 3-Major | antserver creates large temporary file in /tmp directory | |
714700-2 | 3-Major | SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy | |
713111-1 | 3-Major | When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging. | |
710305-1 | 3-Major | When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging. | |
709274-1 | 3-Major | RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0 | |
699267-2 | 3-Major | LDAP Query may fail to resolve nested groups | |
658278-1 | 3-Major | Network Access configuration with Layered-VS does not work with Edge Client |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
703515-3 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key |
692310-2 | 3-Major | K69250459 | ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
677473-3 | 2-Critical | MCPD core is generated on multiple add/remove of Mgmt-Rules |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
711570-3 | 3-Major | PEM iRule subscriber policy name query using subscriber ID, may not return applied policies | |
663874-2 | 3-Major | K77173309 | Off-box HSL logging does not work with PEM in SPAN mode. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
719186-2 | 3-Major | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts | |
716318-2 | 3-Major | Engine/Signatures automatic update check may fail to find/download the latest update |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
714334-1 | 2-Critical | admd stops responding and generates a core while under stress. | |
718772-2 | 3-Major | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) | |
718685-1 | 3-Major | The measured number of pending requests is two times higher than actual one | |
701288-1 | 3-Major | Server health significantly increases during DoSL7 TPS prevention |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
693694-1 | 3-Major | tmsh::load within an iApp template results in unpredictable behavior |
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
716392-1 | 1-Blocking | Support for 24 vCMP guests on a single 4450 blade | |
712429 | 1-Blocking | Serverside packets excluded from DoS stats | |
704552 | 3-Major | Support for ONAP site licensing |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707100 | 2-Critical | Potentially fail to create user in AzureStack | |
706688 | 2-Critical | Automatically add additional certificates to BIG-IP system in C2S and IC environments | |
709936 | 3-Major | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. | |
707585-1 | 3-Major | Use native driver for 82599 NICs instead of UNIC | |
703869 | 3-Major | Waagent updated to 2.2.21 |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
713273 | 2-Critical | BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart | |
715153-1 | 3-Major | AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
716746 | 3-Major | Possible tmm restart when disabling single endpoint vector while attack is ongoing | |
712710 | 3-Major | TMM may halt and restart when threshold mode is set to stress-based mitigation |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
699103-1 | 3-Major | tmm continuously restarts after provisioning AFM |
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
709972-6 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
707186-1 | CVE-2018-5514 | K45320419 | TMM may crash while processing HTTP/2 traffic |
702232-1 | CVE-2018-5517 | K25573437 | TMM may crash while processing FastL4 TCP traffic |
693312-1 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
688516-1 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
686305-1 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
589233-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
714369 | CVE-2018-5526 | K62201098 | ADM may fail when processing HTTP traffic |
714350 | CVE-2018-5526 | K62201098 | BADOS mitigation may fail |
710314-1 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
706176-1 | CVE-2018-5512 | K51754851 | TMM crash can occur when using LRO |
706086-3 | CVE-2018-5515 | K62750376 | PAM RADIUS authentication subsystem hardening |
703940-2 | CVE-2018-5530 | K45611803 | Malformed HTTP/2 frame consumes excessive system resources |
699346-3 | CVE-2018-5524 | K53931245 | NetHSM capacity reduces when handling errors |
688011-7 | CVE-2018-5520 | K02043709 | Dig utility does not apply best practices |
688009-7 | CVE-2018-5519 | K46121888 | Appliance Mode TMSH hardening |
677088-2 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
708653-1 | CVE-2018-15311 | K07550539 | TMM may crash while processing TCP traffic |
632875-5 | CVE-2018-5516 | K37442533 | Non-Administrator TMSH users no longer allowed to run dig |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
708389 | 3-Major | BADOS monitoring with Grafana requires admin privilege | |
680850-2 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
694897-2 | 1-Blocking | Unsupported Copper SFP can trigger a crash on i4x00 platforms. | |
708054-1 | 2-Critical | Web Acceleration: TMM may crash on very large HTML files with conditional comments | |
706305-1 | 2-Critical | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled | |
706087 | 2-Critical | Entry for SSL key replaced by config-sync causes tmsh load config to fail | |
703761-2 | 2-Critical | Disable DSA keys for public-key and host-based authentication in Common Criteria mode | |
696113-3 | 2-Critical | Extra IPsec reference added per crypto operation overflows connflow refcount | |
692683-1 | 2-Critical | Core with /usr/bin/tmm.debug at qa_device_mgr_uninit | |
690793-1 | 2-Critical | K25263287 | TMM may crash and dump core due to improper connflow tracking |
689577-3 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs |
688911-1 | 2-Critical | K94296004 | LTM Policy GUI incorrectly shows conditions with datagroups |
563661-1 | 2-Critical | Datastor may crash | |
704282-2 | 3-Major | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy | |
703298-2 | 3-Major | Licensing and phonehome_upload are not using the synced key/certificate | |
701626-2 | 3-Major | K16465222 | GUI resets custom Certificate Key Chain in child client SSL profile |
698429-1 | 3-Major | Misleading log error message: Store Read invalid store addr 0x3800, len 10 | |
693964-1 | 3-Major | Qkview utility may generate invalid XML in files contained in Qkview | |
691497-2 | 3-Major | tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions | |
691210-1 | 3-Major | Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE. | |
687353-1 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files |
631316-2 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
514703-3 | 4-Minor | gtm listener cannot be listed across partitions |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
709334-1 | 2-Critical | Memory leak when SSL Forward proxy is used and ssl re-negotiates | |
708114-1 | 2-Critical | K33319853 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed |
707447-1 | 2-Critical | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. | |
707246-1 | 2-Critical | TMM would crash if SSL Client profile could not load cert-key-chain successfully | |
706631-2 | 2-Critical | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. | |
705611-2 | 2-Critical | The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used | |
704666-1 | 2-Critical | memory corruption can occur when using certain certificates | |
704435-1 | 2-Critical | Client connection may hang when NTLM and OneConnect profiles used together | |
703914-2 | 2-Critical | TMM SIGSEGV crash in poolmbr_conn_dec. | |
703191-2 | 2-Critical | HTTP2 requests may contain invalid headers when sent to servers | |
701244-1 | 2-Critical | K81742541 | An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT |
701202-3 | 2-Critical | K35023432 | SSL memory corruption |
700393-3 | 2-Critical | K53464344 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash |
697259-2 | 2-Critical | K14023450 | Different versioned vCMP guests on the same chassis may crash. |
694656-1 | 2-Critical | K05186205 | Routing changes may cause TMM to restart |
686228-1 | 2-Critical | K23243525 | TMM may crash in some circumstances with VLAN failsafe |
680074-2 | 2-Critical | TMM crashes when serverssl cannot provide certificate to backend server. | |
667770-1 | 2-Critical | K12472293 | SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore |
648320-5 | 2-Critical | K38159538 | Downloading via APM tunnels could experience performance downgrade. |
705794-2 | 3-Major | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash | |
701147-2 | 3-Major | K36563645 | ProxySSL does not work properly with Extended Master Secret and OCSP |
700057-4 | 3-Major | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | |
693910-4 | 3-Major | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) | |
693244-2 | 3-Major | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned | |
690042-1 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation |
689561-1 | 3-Major | HTTPS request hangs when multiple virtual HTTPS servers share the same IP address | |
686972-4 | 3-Major | The change of APM log settings will reset the SSL session cache. | |
685615-4 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
677525-2 | 3-Major | Translucent VLAN group may use unexpected source MAC address | |
663821-1 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic |
653976-4 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames |
594751-1 | 3-Major | K90535529 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
710424-2 | 2-Critical | K00874337 | Possible SIGSEGV in GTMD when GTM persistence is enabled. |
678861-1 | 2-Critical | DNS:: namespace commands in procs cause upgrade failure when changing from a Link Controller license to another★ |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
710870 | 2-Critical | Temporary browser challenge failure after installing older ASU | |
711011-2 | 3-Major | 'API Security' security policy template changes | |
683241-1 | 3-Major | K70517410 | Improve CSRF token handling |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
710947-1 | 2-Critical | AVR does not send errdef for entity DosIpLogReporting. | |
710110-1 | 2-Critical | AVR does not publish DNS statistics to external log when usr-offbox is enabled. | |
711929-1 | 3-Major | AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679221-2 | 1-Blocking | APMD may generate core file or appears locked up after APM configuration changed | |
708005-1 | 2-Critical | K12423316 | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources |
703208-1 | 2-Critical | PingAccessAgent causes TMM core | |
702278-2 | 2-Critical | Potential XSS security exposure on APM logon page. | |
700522-1 | 2-Critical | APMD may unexpectedly restart when worker threads are stuck | |
700090-2 | 2-Critical | tmm crash during execution of a per-request policy when modified during execution. | |
699686-1 | 2-Critical | localdbmgr can occasionally crash during shutdown | |
697452-1 | 2-Critical | Websso crashes because of bad argument in logging | |
712924-1 | 3-Major | In VPE, the SecurID server list is not displayed in the SecurID authentication dialogue | |
703793-3 | 3-Major | tmm restarts when using 'ACCESS::perflow get' in certain events | |
703171-1 | 3-Major | High CPU usage for apmd, localdbmgr and oauth processes | |
702487-3 | 3-Major | AD/LDAP admins with spaces in names are not supported | |
684937-3 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
683113-3 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users |
681415-3 | 3-Major | Copying of profile with advanced customization or images might fail | |
678427-1 | 3-Major | K03138339 | Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice |
675775-4 | 3-Major | TMM crashes inside dynamic ACL building session db callback | |
671597-3 | 3-Major | Import, export, copy, and delete take too long on a policy with 1000 entries | |
673717-3 | 4-Minor | VPE loading times can be very long |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
701889-1 | 2-Critical | Setting log.ivs.level or log-config filter level to informational causes crash | |
679114-4 | 3-Major | Persistence record expires early if an error is returned for a BYE command |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708888-1 | 2-Critical | K79814103 | Some DNS truncated responses may not be processed by BIG-IP |
667353 | 2-Critical | Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
702705-2 | 2-Critical | Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile | |
699531-1 | 2-Critical | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | |
696294-1 | 2-Critical | TMM core may be seen when using Application reporting with flow filter in PEM | |
711093-1 | 3-Major | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | |
709610-3 | 3-Major | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | |
697718-1 | 3-Major | Increase PEM HSL reporting buffer size to 4K. | |
677494-1 | 3-Major | Flow filter with Periodic content insertion action could leak insert content record | |
677148-1 | 3-Major | Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific | |
676346-2 | 3-Major | PEM displays incorrect policy action counters when the gate status is disabled. | |
648802-1 | 3-Major | Required custom AVPs are not included in an RAA when reporting an error. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
710701-1 | 3-Major | "Application Layer Encryption" option is not saved in DataSafe GUI | |
709319-2 | 3-Major | Post-login client-side alerts are missing username in bigIQ | |
706835 | 3-Major | When cloning a profile, URL parameters are not shown | |
706771-1 | 3-Major | FPS ajax-mapping property may be set even when it should be blocked | |
706651-1 | 3-Major | Cloning URL does not clone "Description" field | |
706276-1 | 4-Minor | Unnecessary pop-up appears |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
708305-2 | 3-Major | Discover task may get stuck in CHECK_IS_ACTIVE step | |
705593-5 | 4-Minor | CVE-2015-7940: Bouncy Castle Java Vulnerability |
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
633441-1 | 3-Major | Datasync Background Tasks running even without features requiring it |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708189 | 4-Minor | OAuth Discovery Auto Pilot is implemented |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708840 | 3-Major | 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured |
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
700556-1 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
699012-1 | CVE-2018-5502 | K43121447 | TMM may crash when processing SSL/TLS data |
698080-3 | CVE-2018-5503 | K54562183 | TMM may consume excessive resources when processing with PEM |
695901-1 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
691504-1 | CVE-2018-5503 | K54562183 | PEM content insertion in a compressed response may cause a crash. |
704580-1 | CVE-2018-5549 | K05018525 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
701447-1 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
701445-1 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1) |
701359-4 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
699455-4 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
699451-3 | CVE-2018-5511 | K30500703 | OAuth reports do not follow best practices |
676457-5 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
640766-2 | CVE-2016-10088 CVE-2016-9576 | K05513373 | Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
686389-1 | 3-Major | APM does not honor per-farm HTML5 client disabling at the View Connection Server | |
678524-1 | 3-Major | Join FF02::2 multicast group when router-advertisement is configured | |
693007-1 | 4-Minor | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707226 | 1-Blocking | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | |
700315-2 | 1-Blocking | K26130444 | Ctrl+C does not terminate TShark |
667148-3 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition |
706998-3 | 2-Critical | Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication | |
692890-3 | 2-Critical | Adding support for BIG-IP 800 in 13.1.x | |
685458-7 | 2-Critical | K44738140 | merged fails merging a table when a table row has incomplete keys defined. |
665354-1 | 2-Critical | K31190471 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log |
703848-1 | 3-Major | Possible memory leak when reusing statistics rows in tables | |
702520-2 | 3-Major | K53330514 | Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address. |
694740-3 | 3-Major | BIG-IP reboot during a TMM core results in an incomplete core dump | |
692753-1 | 3-Major | shutting down trap not sent when shutdown -r or shutdown -h issued from shell | |
689691-2 | 3-Major | iStats line length greater than 4032 bytes results in corrupted statistics or merge errors | |
686029-2 | 3-Major | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces | |
669462-2 | 3-Major | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition | |
589083-6 | 3-Major | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. | |
699281-1 | 4-Minor | Version format of hypervisor bundle matches Version format of ISO | |
685475-1 | 4-Minor | K93145012 | Unexpected error when applying hotfix |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
706534-1 | 1-Blocking | L7 connection mirroring may not be fully mirrored on the standby BIG-IP | |
698424-1 | 1-Blocking | K11906514 | Traffic over a QinQ VLAN (double tagged) will not pass |
700862-1 | 2-Critical | K15130240 | tmm SIGFPE 'valid node' |
699298-2 | 2-Critical | 13.0.0 Hotfix HF3 3.0.1679 TMM cored due to SIGSEGV. | |
698461-1 | 2-Critical | tmm may crash in fastl4 TCP | |
692970-2 | 2-Critical | Using UDP port 67 for purposes other than DHCP might cause TMM to crash | |
691095-1 | 2-Critical | CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes | |
687635-1 | 2-Critical | K58002142 | Tmm becomes unresponsive and might restart |
687205-2 | 2-Critical | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart | |
681175-3 | 2-Critical | K32153360 | TMM may crash during routing updates |
674576-3 | 2-Critical | Outage may occur with VIP-VIP configurations | |
452283-5 | 2-Critical | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | |
440620-1 | 2-Critical | New connections may be reset when a client reuses the same port as it used for a recently closed connection | |
704073-1 | 3-Major | K24233427 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm |
702439 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
698916-1 | 3-Major | TMM crash with HTTP/2 under specific condition | |
698379-2 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
698000-3 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
695707-5 | 3-Major | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection | |
691806-1 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
689449-1 | 3-Major | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | |
688571-2 | 3-Major | K40332712 | Untrusted cert might be accepted by the server-ssl profile even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile. |
688570-5 | 3-Major | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes | |
686307-3 | 3-Major | K10665315 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later |
686065-2 | 3-Major | RESOLV::lookup iRule command can trigger crash with slow resolver | |
682104-3 | 3-Major | HTTP PSM leaks memory when looking up evasion descriptions | |
680264-2 | 3-Major | HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags | |
677666-2 | 3-Major | K60909141 | /var/tmstat/blades/scripts segment grows in size. |
664528-2 | 3-Major | K53282793 | SSL record can be larger than maximum fragment size (16384 bytes) |
251162-1 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name |
685467-1 | 4-Minor | K12933087 | Certain header manipulations in HTTP profile may result in losing connection. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
699135-1 | 2-Critical | tmm cores with SIGSEGV in dns_rebuild_response while using the host command for a non-A/AAAA wide IP | |
692941-1 | 2-Critical | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | |
691287-1 | 2-Critical | tmm crashes on iRule with GTM pool command | |
682335-1 | 2-Critical | TMM can establish multiple connections to the same gtmd | |
580537-3 | 2-Critical | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data | |
562921-5 | 2-Critical | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | |
705503-3 | 3-Major | Context leaked from iRule DNS lookup | |
703702 | 3-Major | Fixed iControl REST not listing GTM Listeners | |
700527-3 | 3-Major | cmp-hash change can cause repeated iRule DNS-lookup hang | |
699339-3 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades |
696808-1 | 3-Major | Disabling a single pool member removes all GTM persistence records | |
691498-3 | 3-Major | Connection failure during iRule DNS lookup can crash TMM | |
690166-1 | 3-Major | ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains | |
687128-1 | 3-Major | gtm::host iRule validation for ipv4 and ipv6 addresses | |
680069-1 | 3-Major | K81834254 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config★ |
679149-1 | 3-Major | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] | |
667469-3 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache |
636997-1 | 4-Minor | big3d may crash | |
636994-1 | 4-Minor | big3d may crash | |
636992-1 | 4-Minor | big3d may crash | |
636986-1 | 4-Minor | big3d may crash | |
636982-1 | 4-Minor | big3d may crash |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
705774-1 | 3-Major | Add a set of disallowed file types to RDP template | |
703833-1 | 3-Major | Some bot detection features might not work as expected on Single Page Applications | |
702946-3 | 3-Major | Added option to reset staging period for signatures | |
701841-2 | 3-Major | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space | |
701327-2 | 3-Major | failed configuration deletion may cause unwanted bd exit | |
700812-1 | 3-Major | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview | |
700726-2 | 3-Major | Search engine list updated, and case of multiple entries fixed | |
698919-3 | 3-Major | Antivirus false positive detection on long XML uploads | |
697756-1 | 3-Major | Policy with CSRF URL parameter cannot be imported as binary policy file | |
697303-1 | 3-Major | BD crash | |
696265-5 | 3-Major | K60985582 | BD crash |
696073-2 | 3-Major | BD core on a specific scenario | |
695563-1 | 3-Major | Improve speed of ASM initialization on first startup | |
694922-5 | 3-Major | ASM Auto-Sync Device Group Does Not Sync | |
693780-1 | 3-Major | Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices | |
693663-1 | 3-Major | Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode | |
691477-2 | 3-Major | ASM standby unit showing future date and high version count for ASM Device Group | |
679384-3 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures. |
678293-2 | 3-Major | K25066531 | Uncleaned policy history files cause /var disk exhaustion |
665992-2 | 3-Major | K40510140 | Live Update via Proxy No Longer Works |
608988-1 | 3-Major | Error when deleting multiple ASM Policies |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
703233 | 3-Major | Some filters don't work on the Security :: Reporting :: URL Latencies page |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
707676-1 | 2-Critical | Memory leak in Machine Certificate Check agent of the apmd process | |
700724-2 | 2-Critical | Client connection with large number of HTTP requests may cause tmm to restart | |
692557-1 | 2-Critical | When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted. | |
690116-1 | 2-Critical | websso daemon might crash when logging set to debug | |
689591-2 | 2-Critical | When pingaccess SDK processes certain POST requests from the client, the TMM may restart | |
677368-2 | 2-Critical | Websso crash due to uninitialized member in websso context object while processing a log message | |
631286-3 | 2-Critical | TMM Memory leak caused by APM URI cache entries | |
703429-2 | 3-Major | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services | |
702263-1 | 3-Major | An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading. | |
702222-1 | 3-Major | RADIUS and SecurID Auth fails with empty password | |
701740-1 | 3-Major | apmd leaks memory when updating Access V2 policy | |
701737-1 | 3-Major | apmd may leak memory on destroying Kerberos cache | |
701736-1 | 3-Major | Memory leak in Machine Certificate Check agent of the apmd process | |
701639-1 | 3-Major | Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP. | |
697636-3 | 3-Major | ACCESS is not replacing headers while replacing POST body | |
695953-1 | 3-Major | Custom URL Filter object is missing after load sys config TMSH command | |
694624-1 | 3-Major | SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor | |
693844-1 | 3-Major | K58335157 | APMD may restart continuously and cannot come up |
692307-3 | 3-Major | User with 'operator' role may not be able to view some session variables | |
687937-1 | 3-Major | RDP URIs generated by APM Webtop are not properly encoded | |
685862-1 | 3-Major | BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message | |
684583-1 | 3-Major | Built-in Okta Scopes Request object uses client-id and client-secret | |
684325-1 | 3-Major | APMD Memory leak when applying a specific access profile | |
683389-3 | 3-Major | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file | |
683297-2 | 3-Major | Portal Access may use incorrect back-end for resources referenced by CSS | |
682500-2 | 3-Major | VDI Profile and Storefront Portal Access resource do not work together | |
678851-3 | 3-Major | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() | |
675866-4 | 3-Major | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO | |
671627-3 | 3-Major | K06424790 | HTTP responses without a body may contain a chunked body with an empty payload when processed by Portal Access.
632646-1 | 3-Major | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. | |
629334-1 | 3-Major | Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly | |
612792-1 | 3-Major | Support RDP redirection for connections launched from APM Webtop on iOS | |
612118-2 | 3-Major | Nexthop explicit proxy is not used for the very first connection to communicate with the backend. | |
536831-1 | 3-Major | APM PAM module does not handle local-only users list correctly |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
698338-1 | 2-Critical | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection | |
689343-2 | 2-Critical | Diameter persistence entries with bi-directional flag created with 10 sec timeout | |
685708-4 | 2-Critical | Routing via iRule to a host without providing a transport from a transport-config created connection cores | |
700571-4 | 3-Major | SIP MR profile, setting incorrect branch param for CANCEL to INVITE | |
696049-1 | 3-Major | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running | |
674747-4 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
656901-3 | 3-Major | MRF: added two iRule commands, 'existing_connection_only' and 'outgoing_connection_instance_seed'
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
704207-1 | 2-Critical | DNS query name is not showing up in DNS AVR reporting | |
703517 | 2-Critical | K23520761 | TMM may crash when processing TCP DNS traffic |
692328-1 | 2-Critical | Tmm core due to incorrect memory allocation | |
705161-1 | 3-Major | K23520761 | TMM may crash when processing TCP DNS traffic |
703959 | 3-Major | Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI | |
631418-1 | 3-Major | Packets dropped by HW grey list may not be counted toward AVR. |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
696383-1 | 2-Critical | PEM Diameter incomplete flow crashes when swept | |
694717-1 | 2-Critical | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. | |
616008-1 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
696789-1 | 3-Major | PEM Diameter incomplete flow crashes when TCL resumed | |
695968-1 | 3-Major | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. | |
694319-1 | 3-Major | CCA without a request type AVP cannot be tracked in PEM. | |
694318-1 | 3-Major | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. | |
684333-1 | 3-Major | PEM session created by Gx may get deleted across HA multiple switchover with CLI command | |
678820-1 | 3-Major | Potential memory leak if PEM Diameter sessions are not created successfully. | |
642068-4 | 3-Major | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens | |
624231-4 | 3-Major | No flow control when using content-insertion with compression | |
680729-1 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
697363-1 | 2-Critical | FPS should forward all XFF header values | |
705559-1 | 3-Major | FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request | |
662311-1 | 3-Major | CS alerts should contain actual client IP address in XFF header |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
671716-1 | 3-Major | UCS version check was too strict for IPS hitless upgrade |
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
702419 | 3-Major | Protocol Inspection needs add-on license to work |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
660239-6 | 4-Minor | When accessing the dashboard, invalid HTTP headers may be present |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
677919-4 | 3-Major | Enhanced Data Manipulation AJAX Support |
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
681955-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 | K23565223 | Apache CVE-2017-9788 |
673595-9 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
694274-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
672124-6 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
673607-9 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
672667-6 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
641101-7 | CVE-2016-8743 | K00373024 | httpd security and bug fix update CVE-2016-8743 |
684033-3 | CVE-2017-9798 | K70084351 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) |
661939-2 | CVE-2017-2647 | K32115847 | Linux kernel vulnerability CVE-2017-2647 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
685056 | 3-Major | VE OVAs are not a supported platform for running VMware guest OS customization | |
670103-1 | 3-Major | No way to query logins to BIG-IP in TMUI | |
681385-2 | 4-Minor | Forward proxy forged cert lifespan can be configured from days into hours. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
700247 | 2-Critical | K60053504 | APM Client Software may be missing after doing fresh install of BIG-IP VE |
693979 | 3-Major | Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document | |
683131-1 | 3-Major | Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★ | |
682213-1 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon |
669585-1 | 3-Major | The tmsh sys log filter is unable to display information in uncompressed log files. | |
668826-1 | 3-Major | File named /root/.ssh/bigip.a.k.bak is present but should not be | |
668276-1 | 3-Major | BIG-IP does not display failed login attempts since last login in GUI | |
668273-1 | 3-Major | K12541531 | Logout button not available in Configuration Utility when using Client Cert LDAP |
471237-4 | 3-Major | K12155235 | BIG-IP VE instances do not work with an encrypted disk in AWS. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699624-1 | 2-Critical | Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade★ | |
463097-5 | 3-Major | Clock advanced messages with large amount of data maintained in DNS Express zones |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
672504-2 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time. |
667542-6 | 2-Critical | DNS Express does not correctly process multi-message DNS IXFR updates. | |
645615-6 | 2-Critical | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
655233-2 | 3-Major | K93338593 | DNS Express using wrong TTL for SOA RRSIG record in NoData response |
648766-2 | 3-Major | K57853542 | DNS Express responses missing SOA record in NoData responses if CNAMEs present |
646615-2 | 4-Minor | Improved default storage size for DNS Express database |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699720-1 | 2-Critical | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all | |
691670-5 | 2-Critical | Rare BD crash in a specific scenario | |
686108-1 | 2-Critical | User gets blocking page instead of captcha during brute force attack | |
684312-1 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline |
698940-1 | 3-Major | Add new security policy template for API driven systems - "API Security" | |
690883-1 | 3-Major | BIG-IQ: Changing learning mode for elements does not always take effect | |
686517-2 | 3-Major | Changes to a parent policy that has no active children are not synced to the secondary chassis slots. | |
686470-1 | 3-Major | Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load. | |
686452-1 | 3-Major | File Content Detection Formats are not exported in Policy XML | |
685964-1 | 3-Major | cs_qualified_urls bigdb does not cause configured URLs to be qualified. | |
685771-1 | 3-Major | Policies cannot be created with SAP, OWA, or SharePoint templates | |
685207-1 | 3-Major | DoS client side challenge does not encode the Referer header. | |
685164-1 | 3-Major | In partitions with default route domain != 0 request log is not showing requests | |
683508-1 | 3-Major | K00152663 | WebSockets: umu memory leak of binary frames when remote logger is configured |
680353-1 | 3-Major | Brute force source-based mitigation is not working as expected | |
674494-4 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic |
668184-2 | 3-Major | Huge values are shown in the AVR statistics for ASM violations | |
694073-3 | 4-Minor | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | |
685193-1 | 4-Minor | If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings equals the number of child policies
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
679861 | 1-Blocking | Weak Access Restrictions on the AVR Reporting Interface | |
697421 | 3-Major | Monpd core when trying to restart | |
688813-2 | 3-Major | K23345645 | Some ASM tables can massively grow in size. |
686510-1 | 3-Major | If tmm was restarted during an attack, the attack might appear ongoing in GUI | |
683474 | 3-Major | The case-sensitive problem during comparison of 2 Virtual Servers | |
679088-1 | 3-Major | Avr reporting and analytics does not display statistics of many source regions |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
684852-1 | 2-Critical | Obfuscator not producing deterministic output | |
692123 | 3-Major | GET parameter is grayed out if MobileSafe is not licensed |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
700320 | 2-Critical | tmm core under stress when BADOS configured and attack signatures enabled | |
691462-1 | 3-Major | Bad actors detection might not work when signature mitigation blocks bad traffic | |
687987 | 3-Major | Presentation of signatures in human-readable format | |
687986 | 3-Major | High CPU consumption during signature generation; the number of signatures per virtual server is not limited | |
687984 | 3-Major | Attacks that randomize HTTP header parameters generate too many signatures
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
698396-1 | 2-Critical | Config load failed after upgrade from 12.1.2 to 13.x or 14.x★ |
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
686190-1 | 2-Critical | LRO performance impact with BWC and FastL4 virtual server | |
667173-1 | 2-Critical | 13.1.0 cannot join a device group with 13.1.0.1 | |
683114-2 | 3-Major | Need support for 4th element version in Update Check |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
685628-1 | 1-Blocking | Performance regression on B4450 blade★ | |
673832-1 | 1-Blocking | Performance impact for certain platforms after upgrading to 13.1.0. | |
696525-1 | 2-Critical | B2250 blades experience degraded performance. |
Cumulative fix details for BIG-IP v13.1.1.4 that are included in this release
754346-1 : Access policy was not found while creating configuration snapshot.
Component: Access Policy Manager
Symptoms:
APMD failed to create configuration snapshot with the following error:
Dec 28 14:21:50 bigip001 err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, another error will show up:
Dec 28 16:59:44 bigip001 err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
TMM restarts and a new access policy is added before TMM is back up and running.
Impact:
Configuration snapshot will not be created and users will not be able to log on.
Workaround:
Recreate the access profile when TMM is stable.
Fix:
N/A
753368 : Unable to import access policy with pool
Component: Access Policy Manager
Symptoms:
If your exported policy contains a pool object (for example, an AD or LDAP auth object), import of that policy fails.
Conditions:
Exported policy with a pool object.
Impact:
Unable to import certain configurations.
Fix:
Policies with pools are imported successfully.
753028-1 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
Component: Advanced Firewall Manager
Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.
Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.
Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.
Workaround:
You can disable Proxy ARP for FW NAT rules so that the BIG-IP system (AFM) handles forwarding ICMP traffic correctly and passes it through to the backend.
However, the BIG-IP system then no longer responds to ARP requests for the destination addresses in such rules. As a further mitigation, you can configure static ARP entries to cover those addresses.
Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.
752078 : Header Field Value String Corruption
Component: Local Traffic Manager
Symptoms:
This is specific to HTTP/2.
In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP.
Conditions:
If the header field value string is exceptionally long, and has embedded white space characters, this bug may occur.
Impact:
A header such as:
x-info: very_long_string that has white space characters
may be sent to the client thus:
x-info: ery_long_string that has white space characters
Fix:
Fixed.
751009-1 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
Component: TMOS
Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.
Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.
Impact:
The file /var/tmp/mcpd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.
Deleting the file makes it harder to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because doing so now requires a service impact (restarting mcpd).
Additionally, this may cause challenges in managing disk space on the /shared filesystem, because mcpd keeps writing to the deleted file, which cannot be truncated.
Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.
Alternatively, edit the /usr/bin/ihealth.sh script to remove the line that deletes the file.
From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr
Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.
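The four steps above, as an added example (not F5's script): a pre-check refuses to edit the file unless exactly one matching line is found, the backup name matches the one used above, and a try/finally returns /usr to read-only even if the write fails. It assumes the line to remove matches the same pattern the sed command above targets, and that /usr is a read-only mount, as it is on BIG-IP by default. The SAMPLE_SCRIPT text is a constructed stand-in for ihealth.sh used only for offline testing.

```python
"""Apply the ihealth.sh workaround with a pre-check and a guaranteed read-only remount."""
import re
import shutil
import subprocess
import sys
from typing import Tuple

IHEALTH_SCRIPT = "/usr/bin/ihealth.sh"
BACKUP_SUFFIX = "751009.bak"        # same backup name the workaround steps use
# Same line the workaround's sed pattern deletes; not anchored at end, like that pattern.
RM_LINE = re.compile(r"^\s*/bin/rm\s+-f\s+/var/tmp/mcpd\.out\b")

# Constructed stand-in for ihealth.sh (assumption, not the real file) for offline testing.
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "qkview -f /var/tmp/qkview.tgz\n"
    "/bin/rm -f /var/tmp/mcpd.out\n"
    "echo done\n"
)


def strip_mcpd_rm(text: str) -> Tuple[str, int]:
    """Return the script text without the mcpd.out deletion, plus how many lines were dropped."""
    kept = []
    removed = 0
    for line in text.splitlines(keepends=True):
        if RM_LINE.match(line):
            removed += 1
            continue
        kept.append(line)
    return "".join(kept), removed


def apply_workaround(path: str = IHEALTH_SCRIPT) -> int:
    """Back up and edit the script in place; /usr goes back to read-only even if the write fails."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, removed = strip_mcpd_rm(original)
    if removed != 1:
        # 0 means already patched or a build with a different script; refuse rather than guess.
        raise RuntimeError(f"{path}: expected exactly one mcpd.out rm line, found {removed}")
    subprocess.run(["mount", "-o", "remount,rw", "/usr"], check=True)
    try:
        shutil.copy2(path, path + BACKUP_SUFFIX)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    finally:
        subprocess.run(["mount", "-o", "remount,ro", "/usr"], check=True)
    return removed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else IHEALTH_SCRIPT
    print("removed", apply_workaround(target), "line(s) from", target)
```

Run it as root on the BIG-IP with no arguments to edit the real script, or pass a copy of ihealth.sh to rehearse the change first. The same caveat as the manual steps applies: the edit lives on /usr and does not survive a software install, ConfigSync, or blade replication.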
Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.
750922-3 : BD crash when content profile used for login page has no parse parameters set
Component: Application Security Manager
Symptoms:
Bd crashes. No traffic goes through ASM.
Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.
Impact:
No traffic goes through ASM. Bd crashes.
Workaround:
Set the parse parameters setting.
Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.
750496-1 : TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
Component: Access Policy Manager
Symptoms:
TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP.
Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow
Create a VS that uses the PRP, PSP, and a pool.
Delete the SSO item in the UI.
Run traffic through the VS
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not delete the SSO config object referenced by SSO Configuration Select agent in PRP.
Fix:
The SSO Configuration Select agent now fails with an error code when the referenced sso_config cannot be found (that is, is NULL) instead of crashing TMM.
750356-3 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
Component: Application Security Manager
Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.
Conditions:
-- Create a new filter.
-- Remove the new filter.
Impact:
The system removes all user-defined filters.
Workaround:
Before you delete a newly created filter, reload the page.
Fix:
Filter removal now completes successfully for all scenarios.
749774-3 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749675-3 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
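The check a client or monitoring hook would apply to such a response, as an added example that is not BIG-IP code: parse the header and walk every resource record, counting OPT (type 41) pseudo-RRs. RFC 6891 permits at most one OPT RR per message, in the Additional section, so two is malformed. The two responses at the bottom are constructed to mirror the conditions above: a truncated (TC=1) answer carrying two OPT RRs, and the well-formed single-OPT answer a second query gets from the cache.

```python
"""Flag a DNS response that carries more than one OPT record."""
import struct

OPT_TYPE = 41       # RFC 6891 EDNS(0) pseudo-RR type
TC_FLAG = 0x0200    # TrunCation bit in the header flags word


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name; a compression pointer ends it (RFC 1035 4.1.4)."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def inspect_response(msg: bytes) -> dict:
    """Walk all sections and count OPT RRs; more than one makes the message malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    opt_count = 0
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("RR fixed fields run past end of message")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt_count += 1
    return {
        "truncated": bool(flags & TC_FLAG),
        "opt_count": opt_count,
        "malformed": opt_count > 1,     # a receiver typically discards this or returns FORMERR
    }


def _name(dotted: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in dotted.split(".")) + b"\x00"


def _opt_rr(udp_payload_size: int = 4096) -> bytes:
    # OPT: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=extended RCODE/flags, empty RDATA
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)


def build_response(opt_records: int, truncated: bool) -> bytes:
    """Constructed response to a query for example.test/A whose Additional section holds only OPT RRs."""
    flags = 0x8000 | (TC_FLAG if truncated else 0)          # QR=1, TC optional
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, opt_records)
    question = _name("example.test") + struct.pack("!HH", 1, 1)
    return header + question + _opt_rr() * opt_records


BAD_TRUNCATED = build_response(opt_records=2, truncated=True)    # the buggy first answer
GOOD_CACHED = build_response(opt_records=1, truncated=False)     # what the cache returns on retry
```

A client receiving the first message sees two OPT records and, as the entry notes, usually drops it; only the retry, served from the cache with a single OPT record, succeeds. The same walk can be pointed at a capture from tcpdump to confirm whether a resolver in front of you is affected.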
749464 : Race condition while BIG-IQ updates common file
Component: Application Visibility and Reporting
Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.
Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.
Impact:
avrd might read incomplete data, and can even core in some rare cases.
Workaround:
None.
Fix:
This race condition no longer occurs.
749461 : Race condition while modifying analytics global-settings
Component: Application Visibility and Reporting
Symptoms:
Updating the analytics global-settings might cause a core for avrd.
The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses
Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by an internal process script.
Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.
Workaround:
None.
Fix:
Race condition no longer occurs while modifying analytics global-settings.
748999-1 : invalid inactivity timeout suggestion for cookies
Component: Application Security Manager
Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.
Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed
Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.
Workaround:
Ignore the inactive entity suggestions for cookies.
Fix:
Inactivity learning for cookies has been deprecated; the feature no longer covers cookies.
748976 : DataSafe Logging Settings page is missing when DataSafe license is active
Component: Fraud Protection Services
Symptoms:
DataSafe Logging Settings page is missing when DataSafe license is active
Conditions:
1. DataSafe license is active
2. Logging of Login attempts feature enabled
Impact:
DataSafe Logging Settings page is missing in GUI.
Workaround:
Use tmsh to configure the logging of Login attempts feature.
Fix:
The FPS GUI now displays the Logging Settings page when the DataSafe license is active.
748851-1 : Bot Detection injection include tags which may cause faulty display of application
Component: Application Security Manager
Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.
Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.
Impact:
Some web applications may be displayed incorrectly.
Workaround:
None
Fix:
There is now an ASM Internal Parameter 'inject_apm_do_not_touch' and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (modify sys db asm.inject_apm_do_not_touch value false) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
Behavior Change:
This release provides an ASM Internal Parameter 'inject_apm_do_not_touch', and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (the default is enabled) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.
To disable the db variable, run the following tmsh command:
modify sys db asm.inject_apm_do_not_touch value false
748813-1 : tmm cores under stress test on VS with Dos profile with admd enabled
Component: Anomaly Detection Services
Symptoms:
tmm cores (crashes and restarts).
Conditions:
Stress test against a virtual server with a DoS profile that has admd (Behavioral DoS) enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off Behavioral DoS.
Fix:
Fixed the tmm core.
748206 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
Component: TMOS
Symptoms:
Browser becomes unresponsive.
Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.
Impact:
Browser becomes unresponsive and must be restarted.
Workaround:
Change the position of the forwarding rule policy.
Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.
748121-1 : admd livelock under CPU starvation
Component: Anomaly Detection Services
Symptoms:
Under resource starvation, the admd worker thread does not get CPU time for more than two minutes, while the configuration thread does.
The admd heartbeat fails at 120 seconds, and the SOD daemon kills admd.
The system posts messages similar to the following:
-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Publisher0 fails action is restart.
Conditions:
-- High CPU / memory utilization.
-- Very large configuration.
Note: There are no known special configuration requirements to have this occur.
Impact:
admd restarts.
Behavioral DoS does not work.
Workaround:
Reboot the BIG-IP system.
Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.
747926 : Rare TMM restart due to NULL pointer access during AFM ACL logging
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while logging ACL matches.
Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"
The problem happens under extremely rare circumstances.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Defensive error handling was added to avoid the NULL pointer access.
747905-1 : 'Illegal Query String Length' violation displays wrong length
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than the raw byte length. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
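The distinction behind the wrong number, as an added example that is not ASM code: one percent-encoded query string has a length on the wire, a length after percent-decoding, and a character count after UTF-8 decoding, and these can differ several-fold. The sample query string is constructed; the limit check enforces on the bytes that actually arrived.

```python
"""Three different lengths of one percent-encoded query string."""
from urllib.parse import unquote_to_bytes


def query_string_lengths(raw: bytes) -> dict:
    """Return the raw wire length, the percent-decoded byte length, and the decoded character count."""
    decoded = unquote_to_bytes(raw.replace(b"+", b" "))   # '+' means space in form encoding
    # Undecodable sequences become U+FFFD placeholders rather than being dropped,
    # so the character count does not silently shrink on malformed input.
    chars = len(decoded.decode("utf-8", errors="replace"))
    return {"raw_bytes": len(raw), "decoded_bytes": len(decoded), "decoded_chars": chars}


def exceeds_limit(raw: bytes, limit: int) -> bool:
    """Check the configured limit against what actually arrived: the undecoded bytes."""
    return len(raw) > limit


# Constructed: 'q=' followed by 500 copies of U+00E9, each 6 bytes when percent-encoded as UTF-8.
SAMPLE_QS = b"q=" + b"%C3%A9" * 500
```

For SAMPLE_QS the three figures are 3002 raw bytes, 1002 decoded bytes and 502 characters. Whichever of these a policy enforces, the violation it logs should report the same one; otherwise an operator tuning the limit from the log entry will set it against a quantity the engine never compares.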
747777-1 : Extractions are learned in manual learning mode
Component: Application Security Manager
Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Conditions:
Direct cause: Policy contains parameters with dynamic type
Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)
Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"
Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').
Fix:
Policy Builder no longer sets extractions for dynamic parameters in manual learning mode.
747621-2 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
Component: Access Policy Manager
Symptoms:
Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used, e.g. RADIUS server performs two factor authentication.
Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).
Impact:
Authentication fails. User can't get access to VMware Horizon resources.
Workaround:
None.
Fix:
Fixed the issue that prevented the native VMware Horizon client from authenticating when a RADIUS challenge is used.
747550-1 : Error "This Logout URL already exists!" when updating logout page via GUI
Component: Application Security Manager
Symptoms:
When you try to update the Logout Page, the system reports an error that the URL already exists: "This Logout URL already exists!"
Conditions:
1) Create any Logout page
2) Try to update it
Impact:
The properties of the Logout Page cannot be updated.
Workaround:
Delete the logout page and create a new one.
Fix:
The error about an existing URL is no longer thrown when updating a Logout Page.
747104-3 : LibSSH Vulnerability: CVE-2018-10933
Solution Article: K52868493
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
746941 : avrd memory leak when BIG-IQ fails to receive stats information
Component: Application Visibility and Reporting
Symptoms:
avrd leaks memory when it fails to send statistical information to BIG-IQ.
Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
In addition, BIG-IQ has a malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example, all DCDs are down, or there is no network connection between BIG-IP and BIG-IQ).
Impact:
avrd memory usage increases over time, leading to an avrd restart when it grows too large.
Workaround:
Fix the connectivity issue between BIG-IP and BIG-IQ. This is needed not just to prevent this memory leak, but for more important functionality such as the visibility and alert features in BIG-IQ.
Fix:
Memory leak is fixed.
746823 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
Component: Application Visibility and Reporting
Symptoms:
In a configuration in which AVR is set to send telemetry data to an external source (such as a connection with BIG-IQ), and there is a large number of config objects in the system, such as virtual servers and pool members, AVRD crashes constantly.
Conditions:
1. AVR is set to send telemetry data to external source (like connection with BIG-IQ).
2. Large number of config objects in the system, such as virtual servers and pool-members.
Impact:
AVRD process is crashing and telemetry data is not collected.
Workaround:
N/A
Fix:
The issue is fixed; AVR can handle any number of virtuals/pool-members when sending its telemetry.
746771-1 : APMD recreates config snapshots for all access profiles every minute
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute.
Sep 11 17:57:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
Sep 11 17:57:59 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
Sep 11 17:58:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
Sep 11 17:59:00 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The condition under which the access profile configurations in APMD and MCPD become out of sync is unknown.
Impact:
TMM memory usage will increase due to excessive config snapshots created.
Workaround:
Restart APMD to clear the APMD and MCPD out of sync condition.
Fix:
N/A
746768-1 : APMD leaks memory if access policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
745809 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
This workaround is temporary: as long as the conditions of this bug are still met, it may need to be repeated periodically, either manually or from a script. While these steps are performed, the BIG-IP REST API is temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
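The workaround above, wrapped in a script, as an added example that is not F5 code: it acts only when the /var partition is above a threshold (the 90% figure is an assumption, not from the release note), stops restjavad, removes exactly the files the entry names, and restarts the daemon even if a deletion fails, so the REST API is never left down. The `bigstart` invocation is the one shown in the entry; `make_sample_rest_dir` builds a throwaway directory with constructed file names so the deletion logic can be exercised off-box.

```python
# Added example (not F5 code): scripted form of the /var/config/rest cleanup workaround.
import glob
import os
import shutil
import subprocess
import tempfile

REST_DIR = "/var/config/rest"              # directory named in the release note
REST_PARTITION = "/var"
FULL_THRESHOLD_PCT = 90.0                  # assumed trigger point; not from the release note
STALE_PATTERNS = ("storage*.zip", "*.tmp")  # exactly what the workaround removes


def partition_used_pct(path):
    """Percentage of the filesystem holding `path` that is in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * (usage.total - usage.free) / usage.total


def stale_rest_files(rest_dir=REST_DIR):
    """Paths the workaround deletes, in a stable order."""
    found = []
    for pattern in STALE_PATTERNS:
        found.extend(sorted(glob.glob(os.path.join(rest_dir, pattern))))
    return found


def bigstart(action, daemon="restjavad"):
    """Run `bigstart <action> restjavad`, as the workaround does."""
    subprocess.run(["bigstart", action, daemon], check=True)


def clear_rest_storage(rest_dir=REST_DIR, service=bigstart):
    """Apply the workaround; returns the paths removed (empty if nothing to do).
    `service` is injectable so the logic can be tested without bigstart."""
    targets = stale_rest_files(rest_dir)
    if not targets:
        return []
    service("stop")  # REST API is unavailable from here until the restart below
    try:
        for path in targets:
            if os.path.isdir(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
    finally:
        service("start")  # always bring restjavad back, even after a failed delete
    return targets


def remaining_files(rest_dir):
    """Sorted names left in rest_dir (used to confirm only the targets were removed)."""
    return sorted(os.listdir(rest_dir))


def make_sample_rest_dir():
    """Constructed stand-in for /var/config/rest: two archives, one temp file, one keeper."""
    d = tempfile.mkdtemp(prefix="rest-sample-")
    for name in ("storage1.zip", "storage-old.zip", "upload.tmp", "keep.json"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    used = partition_used_pct(REST_PARTITION)
    if used < FULL_THRESHOLD_PCT:
        print(f"{REST_PARTITION} at {used:.1f}% used, below {FULL_THRESHOLD_PCT:.0f}%: nothing to do")
    else:
        for removed in clear_rest_storage():
            print("removed", removed)
```

Run it from cron or by hand on the BIG-IP; the `try`/`finally` is the part worth keeping if you adapt it, because a cleanup that stops restjavad and then dies on an unreadable file leaves the REST API down.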
745802-3 : Brute Force CAPTCHA response page truncates last digit in the support id
Component: Application Security Manager
Symptoms:
The Brute Force CAPTCHA response page shown to an end user contains a support id whose last digit is truncated.
Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.
Impact:
The support id presented to an end user does not match the one shown in the ASM logs.
Workaround:
There is no workaround at this time.
Fix:
The code is fixed; the correct support id is shown in the CAPTCHA response page.
745783-3 : Anti-fraud: remote logging of login attempts
Component: Fraud Protection Services
Symptoms:
There is no support for logging of login attempts to a remote service.
Conditions:
Using high speed logging (HSL) to log login attempts.
Impact:
There is no support for logging of login attempts.
Workaround:
None.
Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.
To enable this feature:
# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.
To change encoding level:
tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>
Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.
745654-2 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When there are many TCP connections that need a new Kerberos ticket to be fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
Increased the size of the websso worker queue so that tmm and the websso process can communicate effectively. This eliminates the virtual server slowness and hence increases throughput.
745574-3 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745531-1 : Puffin Browser gets blocked by Bot Defense
Component: Application Security Manager
Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all versions of the Puffin Browser: Desktop, Android, iOS.
Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled
Impact:
Users of the Puffin Browser cannot access the website
Workaround:
None
Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both a BIG-IP release and an ASU that contain the fix must be installed. It is also recommended to set the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable
745358-3 : ASM GUI does not follow best practices
Component: Application Security Manager
Symptoms:
When processing requests to the administrative webUI, ASM does not follow best practices.
Conditions:
ASM provisioned and enabled.
Authenticated user with Administrator, Resource Administrator, or ASM Administrator roles.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
When processing webUI requests ASM now follows best practices.
745027 : AVR is doing extra activity of DNS data collection even when it should not
Component: Application Visibility and Reporting
Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.
Conditions:
DNS Statistics collection or DNS-DoS is configured.
Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.
Workaround:
None.
Fix:
The system no longer performs extra computation that is not needed in this case.
744959-1 : SNMP OID for sysLsnPoolStatTotal not incremented in stats
Component: Carrier-Grade NAT
Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.
Conditions:
This affects all of the global port block allocation (PBA) counters.
Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.
Workaround:
None.
Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.
744707-4 : Fixed crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When the system is running out of memory, a DNSKEY rollover event can cause a tmm core dump.
Conditions:
System low/out of memory.
DNSKEY rollover event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that can cause a crash.
744685-1 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
Component: Local Traffic Manager
Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both "Basic Constraints: critical" and "CA:TRUE" in its extension. BIG-IP does not enforce this.
Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.
Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.
Fix:
With the fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both "Basic Constraints: critical" and "CA:TRUE" in its extension.
Behavior Change:
When authenticating a peer's SSL certificate, we require a CA certificate to have the "Basic Constraints" and "CA:True" in its extension, like this:
X509v3 Basic Constraints: critical
CA:TRUE
If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, we will drop the handshake if the peer's CA certificate does not satisfy the above requirement.
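The Basic Constraints rule described above, as an added example that is not part of the release note or of F5's code: a small standard-library Python DER walker that takes an X.509 Extensions SEQUENCE, finds basicConstraints (OID 2.5.29.19) and reports whether it is marked critical with CA:TRUE, which is the condition the fix enforces before accepting an intermediate CA. The sample extension blocks are constructed inside the block by the `make_*` helpers (DER encoders that exist only to build test input); on a real chain you would feed it the extensions portion of the peer's intermediate certificate.

```python
# Added example (not F5 code): check that an intermediate CA certificate's
# extensions carry "X509v3 Basic Constraints: critical" with "CA:TRUE".
# Pure-stdlib DER handling; the sample extension blocks are constructed below.

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19 (id-ce-basicConstraints)

TAG_BOOLEAN, TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x01, 0x06, 0x04, 0x30


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_extensions(ext_der):
    """Parse an X.509 Extensions SEQUENCE into [(oid_bytes, critical, extnValue)]."""
    tag, body, _ = _read_tlv(ext_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("Extension must be a SEQUENCE")
        t, oid, p = _read_tlv(ext, 0)
        if t != TAG_OID:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False  # DEFAULT FALSE, so DER omits the BOOLEAN when false
        t, val, p = _read_tlv(ext, p)
        if t == TAG_BOOLEAN:
            critical = val != b"\x00"
            t, val, p = _read_tlv(ext, p)
        if t != TAG_OCTET_STRING:
            raise ValueError("extnValue must be an OCTET STRING")
        out.append((oid, critical, val))
    return out


def basic_constraints(ext_der):
    """Return (critical, ca) for basicConstraints, or None if the extension is absent."""
    for oid, critical, val in parse_extensions(ext_der):
        if oid != OID_BASIC_CONSTRAINTS:
            continue
        # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint ... }
        tag, body, _ = _read_tlv(val, 0)
        ca = False
        if tag == TAG_SEQUENCE and body:
            t, v, _ = _read_tlv(body, 0)
            if t == TAG_BOOLEAN:
                ca = v != b"\x00"
        return critical, ca
    return None


def intermediate_ca_acceptable(ext_der):
    """The rule the fix enforces: accept only if basicConstraints is present,
    marked critical, and has CA:TRUE; anything else drops the handshake."""
    bc = basic_constraints(ext_der)
    return bc is not None and bc[0] and bc[1]


# --- constructed samples: minimal DER encoders used only to build test input ---

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_basic_constraints_ext(critical, ca):
    inner = _tlv(TAG_SEQUENCE, _tlv(TAG_BOOLEAN, b"\xff") if ca else b"")
    parts = _tlv(TAG_OID, OID_BASIC_CONSTRAINTS)
    if critical:
        parts += _tlv(TAG_BOOLEAN, b"\xff")
    parts += _tlv(TAG_OCTET_STRING, inner)
    return _tlv(TAG_SEQUENCE, parts)


def make_extensions(*exts):
    return _tlv(TAG_SEQUENCE, b"".join(exts))


if __name__ == "__main__":
    cases = {
        "critical, CA:TRUE": make_extensions(make_basic_constraints_ext(True, True)),
        "non-critical, CA:TRUE": make_extensions(make_basic_constraints_ext(False, True)),
        "critical, CA:FALSE": make_extensions(make_basic_constraints_ext(True, False)),
        "no basicConstraints": make_extensions(),
    }
    for name, der in cases.items():
        verdict = "accept" if intermediate_ca_acceptable(der) else "drop handshake"
        print(f"{name:24s} -> {verdict}")
```

Note that the check treats an absent extension the same as CA:FALSE: an end-entity certificate presented as an issuer has no basicConstraints at all, and that is precisely the case a chain-building peer-cert check must reject.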
744595-1 : DoS-related reports might not contain some of the activity that took place
Component: Application Visibility and Reporting
Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.
Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.
Impact:
DoS related reports might not contain some of the activity that takes place.
Workaround:
None.
Fix:
Issue was fixed, all telemetry data is collected without errors.
744589-1 : Missing data for Firewall Events Statistics
Component: Application Visibility and Reporting
Symptoms:
Some of the statistical information collected for Firewall events is lost and not reported.
When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded
Conditions:
AFM is used. There is no particular condition that leads to losing some of the stats; it usually takes place under heavy activity.
Impact:
Statistical reports of Firewall Events are missing some of the activity that actually took place.
Workaround:
There is no workaround at this time.
Fix:
Issue with missing data was fixed.
744556-1 : Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3
Component: Access Policy Manager
Symptoms:
Upgrading PingAccess SDK from v1.0.0 to v1.1.3
Conditions:
The SDK is upgraded during system upgrade.
Impact:
BIG-IP APM will internally use PingAccess SDK v1.1.3 when interacting with PingAccess servers.
Workaround:
Not Applicable.
Fix:
Upgraded the PingAccess SDK used by BIG-IP APM to v1.1.3, applicable when BIG-IP APM interacts with PingAccess servers.
744516-1 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
744347-2 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744331 : OpenSSH hardening
Component: TMOS
Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.
Conditions:
Administrative SSH access enabled.
Impact:
OpenSSH does not follow best practices.
Fix:
The default OpenSSH configuration includes best practices for security hardening.
744269-2 : dynconfd restarts if FQDN template node deleted while IP address change in progress
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses) and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).
Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.
Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
744188 : First successful auth iControl REST requests will now be logged in audit and secure log files
Component: TMOS
Symptoms:
Previously, a client's first successful REST request was not logged.
Only subsequent REST calls, or initial failed REST calls from a client, were logged.
Conditions:
Making a successfully authenticated initial REST request from a new client to BIG-IP.
Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.
Workaround:
None.
Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Here's an example of what shows in audit log:
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Here's an example of what shows in secure log:
-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
Subsequent REST calls will continue to be logged normally.
Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.
Subsequent REST calls will continue to be logged normally.
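The audit-log format shown above, as an added example (not F5 code): a small Python parser for the pam_audit lines written to /var/log/audit and /var/log/secure that extracts the key=value fields and reports each user/host pair the first time it appears, which is the event this fix makes visible. The sample input is the three lines from this entry plus one unrelated mcpd line, embedded as constructed input to show that non-matching lines are skipped; the `known` set stands in for whatever store of previously seen clients a log pipeline would keep.

```python
# Added example (not F5 code): parse pam_audit lines and flag first-seen REST clients.
import re

# Constructed sample: the lines shown in this entry (leading "-- " markers removed)
# plus one unrelated line that the parser must ignore.
SAMPLE_LOG_LINES = [
    'info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): '
    'user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 '
    'start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".',
    'info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) '
    'host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".',
    'info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): '
    'user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 '
    'start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".',
    'notice mcpd[12369]: 01071038:5: some unrelated message',
]

# key=value pairs; values are either a double-quoted string (may contain spaces) or one token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_pam_audit(line):
    """Return the key=value fields of a pam_audit line as a dict, or None if the line
    is not a pam_audit record. The user field 'name(mapped)' is reduced to 'name'."""
    if "httpd(pam_audit)" not in line:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    if "user" not in fields or "host" not in fields:
        return None
    fields["user"] = fields["user"].split("(", 1)[0]
    return fields


def first_seen_rest_clients(lines, known=None):
    """Return (user, host) pairs that appear for the first time, in order of appearance.
    `known` is the set of pairs already on record; it is updated in place."""
    known = set() if known is None else known
    new = []
    for line in lines:
        rec = parse_pam_audit(line)
        if rec is None:
            continue
        pair = (rec["user"], rec["host"])
        if pair not in known:
            known.add(pair)
            new.append(pair)
    return new


if __name__ == "__main__":
    for user, host in first_seen_rest_clients(SAMPLE_LOG_LINES):
        print(f"first successful REST authentication: user={user} from host={host}")
```

A pipeline that tails /var/log/secure can keep `known` across runs; a brand-new (user, host) pair for a privileged account is the signal an operator would want alerted on, and before this fix it was not in the log at all.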
744117-5 : The HTTP URI is not always parsed correctly
Component: Local Traffic Manager
Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.
Conditions:
-- HTTP profile is configured.
-- The URI is inspected.
Impact:
If the URI is used for security checks, then those checks might be bypassed.
Workaround:
None.
Fix:
The HTTP URI is parsed in a more robust manner.
744035-4 : APM Client Vulnerability: CVE-2018-15332
Solution Article: K12130880
743961-3 : Signature Overrides for Content Profiles do not work after signature update
Component: Application Security Manager
Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).
Conditions:
Signature override on content profile ASU with major update to targeted sig.
Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).
Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce new version of sig globally.
Fix:
Signature Overrides for Content Profiles now work after signature update.
743857 : clientssl accepts non-SSL traffic when cipher-group is configured
Component: Local Traffic Manager
Symptoms:
clientssl accepts Non-SSL traffic even when "Non-SSL Connections" is disabled.
Conditions:
In the clientssl profile, a Cipher Group is configured and one of the "No SSL/TLS/DTLS" options is enabled.
Impact:
Connections to VIP with clientssl profile are not encrypted.
If SSL client authentication is enabled, a plaintext request succeeds, meaning that the client can get access to resources that otherwise require a valid client certificate.
Workaround:
Use Cipher String instead of Cipher Group when configuring clientssl profile.
Fix:
Properly validate cipher suites in a cipher group before use.
743810-1 : AWS: Disk resizing in m5/c5 instances fails silently.
Component: TMOS
Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.
Conditions:
BIG-IP system deployed in AWS with an m5/c5 instance type that uses NVMe disks instead of the usual native paravirt disks.
Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.
Workaround:
There is no workaround.
Fix:
AWS: Disk resizing now works as expected.
743803-2 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
tmm restarts. All tunnels are lost and must be re-established.
Workaround:
No workaround known at this time.
743790-3 : BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus
Component: TMOS
Symptoms:
In some rare circumstances, the HSB device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.
Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.
Impact:
No failover to standby unit after this error condition, causing site outage.
Workaround:
None.
Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.
743437-1 : Portal Access: Issue with long 'data:' URL
Component: Access Policy Manager
Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.
Conditions:
HTML page with a very long 'data:' URL similar to the following example:
data:image/png;base64,...
Such URLs might be several megabytes long.
Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now Portal Access handles very long 'data:' URLs correctly.
743150-1 : Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client
Component: Access Policy Manager
Symptoms:
During OAuth token processing for OAuth Client, if the timestamp is set to a value greater than INT32_MAX (2147483647), the BIG-IP system posts an error message, but the error is not descriptive enough to assist in troubleshooting. The error message appears similar to the following:
err apmd[14229]: 01490290:3: /Internet/Oauth_OpenAM_Preprod:Internet:46ea50d9:/Internet/server_act_oauth_client_ag: OAuth Client: failed for server '/Internet/server1' using 'authorization_code' grant type (client_id=oidc), error: stoi
Conditions:
-- OAuth token processing for OAuth Client.
-- Timestamp value greater than INT32_MAX.
Impact:
The APM end user is not granted access because the policy does not complete successfully.
Workaround:
None.
Fix:
The maximum allowed timestamp is increased from INT32_MAX (2147483647) to 6249223209600, and now includes more descriptive error messages for better troubleshooting when the BIG-IP system receives invalid timestamps.
743082-1 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result in a configuration that fails to load due to a stray colon character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.
Impact:
Configuration fails to load.
Workaround:
Remove stray colon-character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
742829-3 : SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS responds advertising voice and text, and indicates that video is not desired by setting the video port to '0'. The BIG-IP system does not honor the fact that the UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
742627-2 : SSL session mirroring may cause memory leakage if HA channel is down
Component: Local Traffic Manager
Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.
Conditions:
- SSL session mirroring enabled
- HA channel is down
Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.
Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.
Fix:
SSL session mirroring no longer leaks memory when the HA channel is down.
742037-3 : FPS live updates do not install when minor version is different
Component: Fraud Protection Services
Symptoms:
Installing an update file whose minor version differs from the BIG-IP version fails.
For example, installing an update file versioned 13.1.1 on BIG-IP version 13.1.0.
Conditions:
FPS is licensed and provisioned.
Impact:
FPS engine and signature cannot be updated.
Workaround:
N/A
Fix:
The minor version in update file is now ignored and only the major version is validated.
741993-1 : The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
Component: Anomaly Detection Services
Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.
Conditions:
1. Create a DoS profile Behavioral & Stress-based (D)DoS Detection.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.
Impact:
Connection hangs.
Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.
Fix:
The system now correctly handles a disabled DOSL7 policy.
741951-2 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.
741919 : HTTP response may be dropped following a 100 continue message.
Component: Local Traffic Manager
Symptoms:
When a 100 response is quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
741858-1 : TMM may crash while processing Portal Access requests
Solution Article: K52206731
741767-2 : ASM Resource :: CPU Utilization statistics are in wrong scale
Component: Application Visibility and Reporting
Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization have the wrong scale for statistics.
Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.
Impact:
Wrong scale of statistics.
Workaround:
To work around this issue:
1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove the division by 100 from the 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).
Fix:
Scale is now fixed and is not pre-divided by 100.
741761-1 : admd might fail the heartbeat, resulting in a core
Component: Anomaly Detection Services
Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.
Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.
Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.
Workaround:
None.
741752-1 : [BADOS] state file is not saved when virtual server reuses a self IP of the device
Component: Anomaly Detection Services
Symptoms:
BADOS state file is not saved.
Conditions:
Virtual server reuses a self IP of the device.
Impact:
After admd restarts, learned information (the baseline and the good dataset) can be lost.
Workaround:
None.
Fix:
The system now handles this situation without impact, so the state file is saved as expected.
741449-1 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
Component: Fraud Protection Services
Symptoms:
The JAVASCRIPT_THRESHOLD alert should contain two timestamps:
1. The component-validation cookie timestamp (set when the cookie is created).
2. The current BIG-IP timestamp.
Currently, neither timestamp is included in the alert details.
Conditions:
A JAVASCRIPT_THRESHOLD alert is triggered.
Impact:
The alert cannot be analyzed without the timestamps.
Workaround:
There is no workaround at this time.
Fix:
FPS now includes both timestamps when triggering the JAVASCRIPT_THRESHOLD alert.
741423-2 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When ASM is provisioned for the first time on a device that is already joined in a high availability (HA) config-sync configuration, every other cluster device in the trust domain experiences an mcpd restart on all of its secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established HA or config-sync configurations.
740963-2 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP retransmit bursts are now handled gracefully.
740777-1 : Secondary blades mcp daemon restart when subroutine properties are configured
Component: Access Policy Manager
Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.
Conditions:
When a subroutine is configured in the access policy.
Impact:
The secondary blade MCP daemon restarts. Subroutines cannot be used in the access policy.
Workaround:
There is no workaround other than not using subroutines in the access policy.
Fix:
You can now use subroutines in the access policy.
740719-2 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
Component: Application Security Manager
Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.
Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.
Impact:
The browser reports a 'Content-Security-Policy' violation and stops JavaScript execution.
Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:
1. Run the following command:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
2. Restart ASM by running the following command:
bigstart restart asm
Fix:
ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when there is 'script-src' 'unsafe-inline' directive arriving from a backend server. This is correct behavior.
740490-1 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If a virtual server that has an HTTP2 or SPDY profile is updated, TMM may leak memory.
Conditions:
-- A virtual server has an HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
TMM leaks memory and may take longer to execute future configuration changes. If configuration changes take too long, TMM may be restarted by sod.
Workaround:
None.
Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.
740086 : AVR reports ignore partitions for Admin users
Component: Application Visibility and Reporting
Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.
Reports generated for specific partition include data from all partitions.
Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.
Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.
Workaround:
One workaround is to have non-Admin users generate reports.
For non-Admin users, the partition is honored.
Fix:
AVR GUI pages or Scheduled Reports defined for one partition now show, for all users, AVR data from only that partition.
739970-2 : Linux kernel vulnerability: CVE-2018-5390
Solution Article: K95343321
739963-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739947-1 : TMM may crash while processing APM traffic
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing APM traffic.
Conditions:
APM enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now correctly processes APM traffic.
739939-1 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.
Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).
Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Ping Access Agent Module no longer leaks memory in TMM.
739846-3 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Component: Global Traffic Manager (DNS)
Symptoms:
When big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- A new iQuery connection is received.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
739744-1 : Import of Policy using Pool with members is failing
Component: Access Policy Manager
Symptoms:
Importing an access policy that uses a pool with members fails with an error similar to: Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)
Conditions:
The policy has a pool attached to it through a resource assign or chained objects.
Impact:
The policy cannot be imported on the same system it was exported from.
Workaround:
There is no workaround at this time.
Fix:
ng-import now imports the policy correctly.
739716-2 : APM Subroutine loops without finishing
Component: Access Policy Manager
Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".
Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.
Impact:
Subroutines never finish. End-users are not able to access resources.
Workaround:
Restarting TMM resolves the issue (traffic is disrupted while tmm restarts).
Fix:
The memory corruption issue was resolved and the subroutines now correctly finish.
739674-1 : TMM might core in SWG scenario with per-request policy.
Component: Access Policy Manager
Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.
Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores in the SWG scenario with a per-request policy.
739507 : How to recover from a failed state due to FIPS integrity check
Component: TMOS
Symptoms:
After a FIPS 140-2 license is installed on a FIPS-certified hardware device and the device is rebooted, the system halts when the FIPS integrity check fails.
Conditions:
[1] Some system files monitored by the FIPS 140-2 integrity check have been changed (certain system applications get routinely modified).
[2] A FIPS 140-2 enabled license is installed on the device.
[3] The device is rebooted.
Impact:
The device halts and cannot be used.
Workaround:
[1] The device needs serial console access (for example, through a terminal server reached via Telnet).
[2] From the serial console, enter the GRUB menu and boot into a different boot volume that does not have a FIPS 140-2 enabled license.
[3] Examine the contents of /config/fipserr, which lists the files that were changed and caused the FIPS 140-2 license-enabled volume to fail its integrity check.
[4] Restore those files to their original contents and reboot.
If the system still halts, repeat from Step [1] until it boots.
Fix:
Here are the steps, in summary form.
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press 'E' to edit the boot options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that contains the keyword "module".
[6] Add a space followed by NO_FIPS_INTEGRITY=1. DO NOT press ENTER.
[7] Press Ctrl-X or F10 to boot with the modified options.
The system boots into the volume containing the FIPS 140-2 enabled license with the integrity check bypassed for this boot only; the GRUB edit is not persistent.
[8] Examine the contents of /config/f5_public/fipserr to determine the cause of the FIPS module startup error.
[9] Fix the problem reported in that file.
[10] Run /usr/libexec/sys-eicheck.py to confirm that no fatal error is reported, such as:
Integrity Check Result: [ FAIL ]
If a fatal error persists, DO NOT REBOOT (the system would halt again, and the steps from Step [1] would need to be repeated). Instead, fix the problematic files reported and re-run the tool until no error is seen.
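The recovery steps above come down to finding which monitored files no longer match their recorded hashes. The following added example (illustrative code, not F5's sys-eicheck.py and not its manifest format, which this page does not describe) shows the shape of such a check: record a SHA-256 manifest of a tree, then re-check it, failing closed on any changed or missing monitored file while merely reporting unmonitored additions. The tree, file names and contents are constructed inside demo().

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root, '/'-joined) to its hash."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            if os.path.islink(full):
                continue  # symlinks are skipped in this illustration
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def check_manifest(root, manifest):
    """Compare the tree under root with a manifest.

    Fails closed: any changed or missing monitored file makes ok False. Files that
    are not in the manifest are reported as extra but do not fail the check.
    """
    current = build_manifest(root)
    changed = sorted(p for p, h in manifest.items() if p in current and current[p] != h)
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"ok": not (changed or missing), "changed": changed, "missing": missing, "extra": extra}


def demo():
    """Constructed tree: record a manifest, then tamper with one file, delete one, add one."""
    files = {
        "bin/sample-daemon": b"original daemon image",
        "etc/sample.conf": b"fips=1\n",
        "lib/libsample.so": b"\x7fELF sample",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)
        before = check_manifest(root, manifest)
        with open(os.path.join(root, "bin", "sample-daemon"), "wb") as fh:
            fh.write(b"patched daemon image")                  # monitored binary changed
        os.remove(os.path.join(root, "lib", "libsample.so"))   # monitored library missing
        with open(os.path.join(root, "etc", "local.conf"), "wb") as fh:
            fh.write(b"new=1\n")                               # unmonitored file added
        after = check_manifest(root, manifest)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The "changed" and "missing" lists are what step [9] above needs: the files to restore before the next reboot.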
739505 : Automatic ISO digital signature checking not required when FIPS license active★
Component: TMOS
Symptoms:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system. Installation will not complete if the .sig file is not present or not valid.
Conditions:
The .sig file corresponding to the ISO to be installed is either missing or invalid.
Impact:
Installation failure.
Workaround:
Follow the procedure in K24341140 (https://support.f5.com/csp/article/K24341140) to validate the ISO on the BIG-IP system.
Fix:
The requirement for automatic signature checking of the ISO when a FIPS license is active is removed. The procedure in the KB article above for checking the ISO on or off the BIG-IP system is still valid, but that check is now optional.
739446-2 : Resetting SSL-socket correctly for AVR connection
Component: Application Visibility and Reporting
Symptoms:
The SSL socket used by AVR for its external connection becomes corrupted.
Conditions:
The conditions under which this occurs have not been fully identified.
Impact:
AVR fails to make an SSL connection and report externally correctly.
Workaround:
None.
Fix:
The SSL connection is now reset whenever required.
739379-2 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
Component: Local Traffic Manager
Symptoms:
When multiple SSL forward proxies are chained through virtual targeting, the SNI value extracted from the ClientHello and saved by the first SSL forward proxy layer may be overwritten by the second layer. When this happens, certificate verification fails when the first layer attempts to validate the server certificate.
Conditions:
Two SSL forward proxies connected via the 'virtual' command in an iRule.
Impact:
Client connections are randomly reset.
Workaround:
None.
Fix:
The search scope of storing parsed SNI is now local to each SSL forward proxy.
739349-1 : LRO segments might be erroneously VLAN-tagged.
Component: Local Traffic Manager
Symptoms:
Segments processed by large receive offload (LRO), the mechanism that aggregates multiple incoming packets into one buffer before passing them up the stack, might be erroneously VLAN-tagged when LRO is enabled.
Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.
Impact:
Egress traffic might sometimes be tagged.
Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:
tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>
Fix:
The system now ensures that fragment packet flags are correctly set.
739345 : Reporting invalid signature id after specific signature upgrade
Component: Application Security Manager
Symptoms:
An incorrect/invalid signature id is reported.
Conditions:
The signature was changed in an upgrade.
Impact:
Not able to confirm successful signature update.
Workaround:
When the signature id prefix is 6, replace it with 2 when looking for the actual signature.
Fix:
Fixed a reporting issue with signature ids after upgrade.
739285-1 : GUI partially missing when VCMP is provisioned
Component: TMOS
Symptoms:
GUI may be partially missing.
Conditions:
VCMP must be provisioned.
Impact:
GUI may be partially missing.
Workaround:
Use tmsh or deprovision VCMP.
Fix:
The GUI now works as expected when vCMP is provisioned.
739277 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Component: Anomaly Detection Services
Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.
Impact:
TMM cores; traffic does not pass through until TMM restarts.
Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:
-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.
Fix:
This release corrects a TMM crash that occurred when the virtual server was deleted during POST data and BADOS was in standard/aggressive mode.
739190 : Policies could be exported with not patched /Common partition
Component: Access Policy Manager
Symptoms:
Policies can be exported with the /Common partition name left unpatched, so the export references profiles that cannot be imported.
Conditions:
Policy has objects outside of partition of the policy.
Impact:
Policy cannot be imported on the same system it was exported from.
Workaround:
There is no workaround.
Fix:
Proper naming of partitions has been restored, and import works again.
739126 : Multiple VE installations may have different sized volumes
Component: TMOS
Symptoms:
When installing a 2nd, 3rd, (or more) version of BIG-IP to a Virtual Edition (VE) instance, the sizes of the non-shared volumes may be smaller than the first. This can be an issue if, for example, /var is smaller and fills up due to UCS archives, data gathered during troubleshooting, etc.
Conditions:
Install an additional version of BIG-IP to an existing VE instance.
Impact:
Disk volumes may run out of space sooner than expected, leading to issues when that space is needed for other operations.
Workaround:
Provision additional disk space to expand the available storage.
Fix:
In this release, the installer handles this condition without issue.
739003-1 : TMM may crash when fastl4 is used on epva-capable BIG-IP
Component: Local Traffic Manager
Symptoms:
TMM may crash when fastl4 is used on epva-capable BIG-IP.
Conditions:
-- The virtual server has a FastL4 profile and an iRule that uses the SERVER_CONNECTED event.
-- The pool member is routable but does not exist.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
The issue is fixed.
738985-2 : BIND vulnerability: CVE-2018-5740
Component: TMOS
Symptoms:
"deny-answer-aliases" is a little-used BIND feature intended to help recursive server operators protect end users against DNS rebinding attacks, a method of circumventing the security model used by client browsers. A defect in this feature makes it easy, when the feature is in use, to trigger an assertion failure in name.c.
Conditions:
The "deny-answer-aliases" feature is explicitly enabled in the BIND configuration.
Impact:
The BIND process (named) crashes, with loss of DNS service while it restarts.
Workaround:
Only servers that have explicitly enabled "deny-answer-aliases" are at risk; disabling the feature prevents exploitation.
Fix:
BIND is patched to correct CVE-2018-5740.
738945-2 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
The SSL persistence parser fails to parse such records correctly. The start of the record may be forwarded to the server, but the connection then stalls and eventually hits the idle timeout.
Workaround:
There is no workaround other than using a different persistence method or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
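Both this issue and 739379-2 earlier in this list (SNI lost between chained SSL forward proxies) turn on reading the right fields out of TLS handshake messages, and one record may carry several of them back to back. The following added example (not F5 code; the ClientHello/ServerHello bytes are constructed by the builder functions, and the field layout follows TLS 1.2) walks every handshake message inside a record and pulls the session ID, which SSL session persistence keys on, and the ClientHello SNI, which an SSL forward proxy keys on. A truncated record raises rather than being half-parsed.

```python
import os
import struct

RECORD_HANDSHAKE = 22
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE = 1, 2, 11, 14
EXT_SERVER_NAME = 0
TLS12 = b"\x03\x03"
CIPHER = b"\xc0\x2f"  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, just to have a valid suite


def handshake_msg(hs_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(sni, session_id=b""):
    """Minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension (constructed)."""
    host = sni.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
    sni_ext = struct.pack("!H", len(entry)) + entry               # ServerNameList
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = (TLS12 + os.urandom(32)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(CIPHER)) + CIPHER
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    return handshake_msg(HS_CLIENT_HELLO, body)


def build_server_hello(session_id):
    """Minimal TLS 1.2 ServerHello (constructed)."""
    body = TLS12 + os.urandom(32) + bytes([len(session_id)]) + session_id + CIPHER + b"\x00"
    return handshake_msg(HS_SERVER_HELLO, body)


def wrap_record(*handshakes):
    """One TLS record whose payload is several handshake messages back to back."""
    payload = b"".join(handshakes)
    return bytes([RECORD_HANDSHAKE]) + TLS12 + struct.pack("!H", len(payload)) + payload


def iter_handshakes(record):
    """Yield (type, body) for every handshake message inside one record.

    The loop is the point: a parser that stops after the first message loses the rest
    of the record, and a truncated message raises instead of being silently skipped.
    """
    if record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a handshake record")
    length = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    offset = 0
    while offset + 4 <= len(payload):
        hs_type = payload[offset]
        hs_len = int.from_bytes(payload[offset + 1:offset + 4], "big")
        body = payload[offset + 4:offset + 4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated handshake message")
        yield hs_type, body
        offset += 4 + hs_len


def parse_hello(hs_type, body):
    """Session ID (SSL session persistence key) and, for a ClientHello, the SNI host name."""
    offset = 2 + 32                                               # version + random
    sid_len = body[offset]
    offset += 1
    session_id = body[offset:offset + sid_len]
    offset += sid_len
    if hs_type == HS_SERVER_HELLO:
        return {"session_id": session_id, "sni": None}
    cs_len = struct.unpack("!H", body[offset:offset + 2])[0]
    offset += 2 + cs_len
    offset += 1 + body[offset]                                    # compression methods
    sni = None
    if offset + 2 <= len(body):
        ext_total = struct.unpack("!H", body[offset:offset + 2])[0]
        offset += 2
        end = offset + ext_total
        while offset + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[offset:offset + 4])
            data = body[offset + 4:offset + 4 + elen]
            offset += 4 + elen
            if ext_type == EXT_SERVER_NAME:
                pos = 2                                           # skip ServerNameList length
                while pos + 3 <= len(data):
                    name_type = data[pos]
                    name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                    if name_type == 0:
                        sni = data[pos + 3:pos + 3 + name_len].decode("idna")
                        break
                    pos += 3 + name_len
    return {"session_id": session_id, "sni": sni}


def hellos_in_record(record):
    """Every ClientHello/ServerHello in the record, in order, already parsed."""
    return [(t, parse_hello(t, b)) for t, b in iter_handshakes(record)
            if t in (HS_CLIENT_HELLO, HS_SERVER_HELLO)]
```

A server's first flight (ServerHello, Certificate, ServerHelloDone) commonly lands in one record, which is the case the persistence parser above mishandled; feeding wrap_record(build_server_hello(...), handshake_msg(HS_CERTIFICATE, ...), handshake_msg(HS_SERVER_HELLO_DONE, b"")) to hellos_in_record() still yields exactly one ServerHello with its session ID.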
738887-3 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.
738864-1 : javascript functions in href are learned from response as new URLs
Component: Application Security Manager
Symptoms:
JavaScript function calls found in href attributes are learned from responses as new URLs.
Conditions:
Learn from response is turned on and URL learning is set to 'Always'.
Impact:
Wrong URLs are created and added to the policy. This does not interfere with enforcement, but it adds redundant noise to the policy.
Workaround:
Either:
- Change URL learning from 'Always' to one of the other learning modes (Compact, Selective, or Never).
- Disable learn from response.
Fix:
JavaScript functions are no longer learned from responses as new URLs.
738669-2 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
For a large request and response, FPS may need to buffer ingress chunks (for parameter parsing) and egress chunks (for the login validation banned/mandatory string check or for script injection). If the server responds fast enough, the buffer may contain mixed parts of the request and response. This has several possible effects, from incorrect login validation to a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory strings.
-- A username parameter is configured.
-- No parameters are configured for encryption/HTML Field Obfuscation (HFO), and there are no decoy parameters.
-- The request and response are large.
-- The server responds very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.
738582-1 : Ping Access Agent Module leaks memory in TMM.
Component: Access Policy Manager
Symptoms:
While handling Ping Access Request, if the internal events passing between modules fail, it might cause a memory leak inside TMM.
Conditions:
Internal events passing between Ping Access Request processing modules fail.
Impact:
Ping Access Agent Module leaks memory in TMM.
Workaround:
None.
738521-1 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There are two workarounds:
-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.
Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.
738397-1 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
Fix:
The system now checks for additional query parameters in the request_uri while extracting the Resource name, so the name is no longer incorrectly set to 'ResourceName&state=<per-flow-id>', which caused the access failure.
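The failure above is a query-string parsing bug: the resource name was cut at the first '=' and swallowed the '&state=<per-flow-id>' that the per-request flow appends. The following added example (not APM code; the IdP-initiated path '/saml/idp/res' and the parameter name 'id' are assumptions for illustration) contrasts that pattern with a proper query parser that keeps the two parameters apart regardless of their order or percent-encoding.

```python
from urllib.parse import parse_qs, urlsplit


def naive_resource_name(request_uri, param="id"):
    """The defect pattern: cut the name at the first '=' and keep the rest of the query,
    so '&state=<per-flow-id>' becomes part of the resource name."""
    _, _, query = request_uri.partition("?")
    prefix = param + "="
    return query[len(prefix):] if query.startswith(prefix) else None


def resource_name(request_uri, param="id"):
    """Resource name taken from the parsed query string: other parameters, their order
    and percent-encoding no longer leak into the name. None if the parameter is absent."""
    query = urlsplit(request_uri).query
    values = parse_qs(query, keep_blank_values=True).get(param)
    return values[0] if values else None


def per_flow_state(request_uri):
    """The 'state' parameter carried on the per-request flow, parsed the same way."""
    values = parse_qs(urlsplit(request_uri).query).get("state")
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed URI mirroring the log line quoted above (path and param name assumed).
    uri = "/saml/idp/res?id=/Common/saml_resource_obj1&state=000fffff032db022"
    print("naive :", naive_resource_name(uri))
    print("parsed:", resource_name(uri), "state:", per_flow_state(uri))
```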
738211-3 : pabnagd core when centralized learning is turned on
Component: Application Security Manager
Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.
Note: This is a very rarely occurring issue.
Conditions:
Centralized learning is enabled for a policy.
Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:
-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).
Workaround:
None.
Fix:
The pabnagd process no longer restarts/cores when centralized learning is enabled.
738119-2 : SIP routing UI does not follow best practices
Component: TMOS
Symptoms:
The SIP routing UI does not follow best practices.
Conditions:
Administrative access to the SIP Profile web UI.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
The SIP routing UI now follows best practices.
738046-2 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
Component: Local Traffic Manager
Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.
Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.
Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.
Workaround:
None.
Fix:
SERVER_CONNECTED now fires when expected on the standby device.
737910-2 : Security hardening on Shuttle platforms
Component: TMOS
Symptoms:
Improve hardware security on Shuttle platforms (i850, i2000, i4000, i5000, i7000, i10000, i15000, HRC-xxx)
Conditions:
Shuttle platforms (i850, i2000, i4000, i5000, i7000, i10000, i15000, HRC-xxx)
Impact:
Shuttle platforms do not use all available hardware security enhancements
Fix:
Shuttle platforms now use hardware security enhancements
737867-1 : Scheduled reports are being incorrectly displayed in different partitions
Component: Application Visibility and Reporting
Symptoms:
Scheduled analytics reports are listed regardless of the selected partition. However, only reports belonging to the currently selected partition can be opened; reports from other partitions, including 'Common', cannot be opened from the list.
Conditions:
System configured with multiple partitions.
Impact:
It makes it difficult to modify reports from different partitions.
Workaround:
Switch to the report's partition before editing it.
Fix:
Report's partition is now indicated in the list and correct handling is performed according to standard partition rules.
737813-1 : BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address
Component: Application Visibility and Reporting
Symptoms:
When IPv6 is used to transfer data from BIG-IP to BIG-IQ DCD nodes, no traffic arrives at the BIG-IQ.
Conditions:
The DCD node uses an IPv6 interface for collecting data from BIG-IP systems. The BIG-IP is registered on BIG-IQ as a "BIG-IP device" in the regular way (not necessarily via an IPv6 management interface).
Impact:
No statistics are collected from the BIG-IP systems.
Workaround:
Use an IPv4 address instead.
Fix:
A bug in the code that interprets IPv6 addresses in avrd on BIG-IP has been fixed.
737758-2 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737550 : State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP devices running 13.0.x (13.0.x or a 13.0.x point release) and 13.1.x software versions in a High-Availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.
Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
-- The active system is running v13.0.x, and the standby system is running v13.1.x, e.g., as a result of an in-progress upgrade.
Impact:
TMM may crash on a standby system during upgrade.
This issue should not disrupt traffic, because the TMM is coring only on the standby unit.
Workaround:
To work around this issue, disable state mirroring prior to upgrading and re-enable it once both devices are running v13.1.x, or complete the upgrade of both devices to v13.1.x.
1. You can disable mirroring using either the GUI or the command line.
1a. In the GUI:
-- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.
1b. From the command-line:
-- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config
Important: This action results in connection state loss on failover.
2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IPs removed previously.
Note: F5 recommends that BIG-IP systems run with the same software version on all devices.
Fix:
TMM on standby no longer cores during upgrade.
737536-1 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
The goal is to redistribute the default route received by OSPF process 1 (which peers with the Internet) into OSPF process 2, and to withdraw it automatically when that route disappears (for example, when the Internet link goes down). 'default-information originate' is the right tool for this: as long as the OSPF process 1 default route is in the routing table, it is redistributed into OSPF process 2, and once it is gone, OSPF process 2 immediately removes it from the routing table. However, enabling 'default-information originate' on OSPF process 2 has no effect, and the default route is not injected as it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate
OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the default route advertised by BIG-IP OSPF process 1, if one exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.
737500-2 : Apply Policy and Upgrade time degradation when there are previous enforced rules
Component: Application Security Manager
Symptoms:
When previously enforced rules are present in the system, the time to apply changes made to a policy and the time to upgrade the configuration to a new version both suffer.
Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.
Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffer from an inefficient query that checks for the existence of previously enforced rules.
Workaround:
There is no workaround at this time.
Fix:
Query indexing and performance is fixed: Apply Policy executes in the same time whether there are previously enforced rules in the system or not.
Enforcing all signatures in a set now correctly removes the previously enforced rule from the signature.
737445-2 : Use of TCP Verified Accept can disable server-side flow control
Component: Local Traffic Manager
Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.
Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.
Impact:
Excessive memory usage.
Workaround:
There is no workaround other than disabling Verified Accept.
Fix:
Fixed server-side flow control.
737442-2 : Error in APM Hosted Content when set to public access
Component: Access Policy Manager
Symptoms:
Error when rendering APM Hosted content when set to public access.
Conditions:
APM enabled
Hosted content enabled
Hosted content set to public access
Impact:
Unexpected HTML output in webtop pages
Workaround:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/vdesk/resource_info_v2.xml?" && [URI::decode [HTTP::query]] contains "<"} {
        HTTP::uri [HTTP::path]
    }
}
Fix:
None.
737437-2 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
Component: TMOS
Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformed ISAKMP messages.
Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.
Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.
Workaround:
To help work around this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.
Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.
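The framing mismatch described above, as an added example that is not F5 code: a heuristic classifier for UDP/4500 datagrams under RFC 3948 framing that flags an ISAKMP message sent without the 4-byte zero Non-ESP marker (the case a peer misreads as ESP and answers with INVALID-SPI). The function names, the heuristic and the sample messages are constructed for this illustration.

```python
"""Heuristic classifier for UDP/4500 payloads (RFC 3948 framing).

Constructed example, not F5 code. On port 4500 a conforming sender puts
four zero bytes (the Non-ESP marker) in front of ISAKMP, while ESP starts
with its non-zero SPI and a NAT keepalive is a single 0xFF byte.
"""
import struct

IKEV1_VERSION = 0x10          # major 1, minor 0
ISAKMP_HDR_LEN = 28           # RFC 2408 fixed header length
# IKEv1 exchange types: base, identity protection, aggressive,
# informational, transaction (mode-config) and quick mode.
IKEV1_EXCHANGE_TYPES = {1, 2, 4, 5, 6, 32}


def parse_isakmp_header(data: bytes):
    """Return the ISAKMP header fields, or None if the bytes do not look like one.

    Besides the fixed layout, the check requires a plausible version and
    exchange type, a non-zero initiator cookie and a length field that
    matches the datagram, so random ESP bytes are very unlikely to pass.
    """
    if len(data) < ISAKMP_HDR_LEN:
        return None
    icookie, rcookie, next_payload, version, exch, flags, msgid, length = \
        struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if version != IKEV1_VERSION or exch not in IKEV1_EXCHANGE_TYPES:
        return None
    if length != len(data) or icookie == b"\x00" * 8:
        return None
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
            "exchange": exch, "flags": flags, "msgid": msgid, "length": length}


def classify_udp4500(payload: bytes) -> str:
    """Classify one UDP datagram received on port 4500.

    Returns one of: "nat-keepalive", "ike", "ike-missing-marker", "esp",
    "malformed". "ike-missing-marker" is the symptom this issue describes.
    """
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        # Non-ESP marker present: the rest must be a well-formed ISAKMP message.
        return "ike" if parse_isakmp_header(payload[4:]) else "malformed"
    # Non-zero leading word: a conforming sender only does this for ESP, whose
    # SPI is never zero. If the bytes nevertheless parse as a complete ISAKMP
    # message, the sender dropped the marker and the peer will see a bogus SPI.
    if parse_isakmp_header(payload):
        return "ike-missing-marker"
    return "esp"


def build_isakmp(icookie: bytes, rcookie: bytes, exch: int, body: bytes = b"") -> bytes:
    """Build a minimal ISAKMP message (constructed test data, no real payloads)."""
    length = ISAKMP_HDR_LEN + len(body)
    return struct.pack("!8s8sBBBBII", icookie, rcookie, 0, IKEV1_VERSION,
                       exch, 0, 0, length) + body


if __name__ == "__main__":
    msg = build_isakmp(b"\x01" * 8, b"\x02" * 8, 5)   # informational exchange
    print(classify_udp4500(b"\x00\x00\x00\x00" + msg))  # ike
    print(classify_udp4500(msg))                        # ike-missing-marker
```

Run over a packet capture of port 4500 traffic, a stream of "ike-missing-marker" results from a Responder during NAT detection is the signature of this defect.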
737397-3 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
Component: TMOS
Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.
Conditions:
When the user is in Certificate Manager role.
Impact:
Unable to backup certificates or keys.
Workaround:
A user in the Certificate Manager role is still able to export the key and see its PEM string, so you can manually create an archive file by copying the PEM string into a file.
737368-1 : Fingerprint cookie large value may result in tmm core.
Component: Fraud Protection Services
Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.
Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.
Impact:
Memory overrun, tmm core in some cases.
Workaround:
N/A
Fix:
FPS will check the value and truncate it if it exceeds the maximum length.
737355-1 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.
Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.
Workaround:
None.
Fix:
When the HTTP profile is configured with HSTS enabled, all APM renderer files are now sent with HSTS headers.
737064-2 : ACCESS::session iRule commands may not work in serverside events
Component: Access Policy Manager
Symptoms:
-- 'ACCESS::session sid' returns an empty value.
-- 'ACCESS::session data get <varname>' returns empty.
Conditions:
-- Using IP-based sessions
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.
Impact:
iRules may not work as expected.
Workaround:
There is no workaround at this time.
Fix:
The ACCESS::session iRules now work in serverside events when doing IP-based sessions.
734822-3 : TMSH improvements
Solution Article: K77313277
734595-2 : sp-connector is not being deleted together with profile
Component: Access Policy Manager
Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the SP connector is not offered for deletion when the profile is deleted.
Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.
Impact:
The SP connector is not listed for deletion when the profile is deleted.
Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME
Fix:
SP connectors are now available for deletion when the profile is deleted.
734527-1 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, the peer-group setting defaults to disabled. Because there is no configuration statement that enables 'capability graceful-restart' after a restart, it is turned off after the configuration loads, which also turns it off for any BGP neighbor that inherits it from the peer-group.
Conditions:
- Neighbor configured to use a peer-group.
- Peer-group configured with 'capability graceful-restart', but relying on the default setting (disabled).
Impact:
Because the peer-group setting is disabled by default, and nothing enables it after a restart, 'capability graceful-restart' is turned off after the configuration loads, and it is turned off as well for the neighbors that inherit it from the peer-group.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-2 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing the LSN pool mode from PBA to NAPT when long-lived connections are killed because the PBA block lifetime and zombie timeout expire.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set, and long-lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
734276-2 : TMM may leak memory when SSL certificates with VDI or EAM in use
Component: Local Traffic Manager
Symptoms:
TMM 'method' memory usage grows over time when VDI and serverssl *or* EAM and clientssl are configured on the same VIP.
Conditions:
One or both of the following:
-- VDI and serverssl are configured on the same VIP
-- EAM and clientssl are configured on the same VIP
Impact:
TMM memory usage grows over time leading to eventual performance degradation and potential traffic outage if TMM cores.
Workaround:
No workaround short of not using these combinations of features.
Fix:
TMM no longer leaks memory when VDI and serverssl *or* EAM and clientssl are configured together on the same VIP.
734228-1 : False-positive illegal-length violation can appear
Component: Application Security Manager
Symptoms:
A false-positive illegal-length violation.
Conditions:
A chunked request where the request length is more than half of the configured max-request length.
Impact:
False-positive illegal-length violation.
Workaround:
Configure a higher max request length for the violation.
Fix:
Fixed a false-positive request-length violation.
733585-3 : Merged can use 100% of CPU if all stats snapshot files are in the future
Component: TMOS
Symptoms:
Merged uses 100% of the CPU if it cannot remove the oldest snapshot file because all snapshot files have timestamps in the future.
Conditions:
-- All stats snapshot files have timestamps in the future.
-- The release has the fix for issue 721740, but not for this issue.
Impact:
Merged uses 100% of the CPU.
Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.
Fix:
Correctly exit cleanup logic when all stats snapshot files have timestamps in the future.
727467-1 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
Component: TMOS
Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
+ In /var/log/ltm:
- err tmm4[21025]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
+ In /var/log/tmm:
- notice DAGLIB: Invalid table size 12
- notice DAG: Failed to consume DAG data
Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).
Important: This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.
Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.
Impact:
- High CPU usage.
- Traffic disruption.
Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.
For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online
At this point, the 12.1.3 unit starts to show symptoms of this issue; however, because it is no longer processing traffic, there is no cause for concern.
Fix:
This release introduces a new bigdb variable DAG.OverrideTableSize. To prevent the issue on an upgraded post-13.1.0 unit, set DAG.OverrideTableSize to 3.
In order to return the system to typical CPU usage, you must set the db variable, and then restart tmm by running the following command:
bigstart restart tmm
(Restarting tmm is required for 13.1.1.2 and newer 13.1.1.x releases.)
Note: Because the restart is occurring on the Standby unit, no traffic is disrupted while tmm restarts.
727297-3 : GUI TACACS+ remote server list should accept hostname
Component: TMOS
Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.
Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.
Impact:
Validation does not accept a hostname. Cannot add hostname as a server.
Workaround:
Use tmsh to add a hostname.
Fix:
The system now allows hostname to be added with proper validation in this case.
727222-1 : 206 Partial Content responses from ramcache have malformed Content-Range header
Component: Local Traffic Manager
Symptoms:
When ramcache serves a 206 Partial Content response from cache, the Content-Range header repeats the name:
Content-Range: Content-Range: bytes 0-5/28
Conditions:
Request from client for partial document (Range header) against a virtual server with a web-acceleration profile having no applications (ramcache), where the requested document is present in ramcache.
Impact:
The client may mishandle the response, as the Content-Range header is malformed. This may cause additional traffic as the client may retrieve the entire document in a subsequent request due to the malformed response.
Workaround:
Remove the duplicate portion of the Content-Range header using an iRule at HTTP_RESPONSE_RELEASE time.
Fix:
The Content-Range header is now correctly formed for 206 Partial Content responses served from ramcache.
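The malformed header described above, as an added example that is not BIG-IP code: the duplicate-name repair the iRule workaround performs, plus an RFC 7233 byte-range check, written in Python for a client or test harness that validates 206 responses served from a cache. Function names and the sample headers are constructed.

```python
"""Check and repair the Content-Range header of a 206 Partial Content response.

Constructed example, not BIG-IP code. Handles the byte-range form of
RFC 7233 only ("bytes first-last/complete" or "bytes */complete").
"""
import re

# byte-content-range = "bytes" SP ( byte-range-resp / unsatisfied-range )
_BYTE_RANGE_RE = re.compile(r"^bytes (?:(\d+)-(\d+)|\*)/(\d+|\*)$")
# One or more repeated "Content-Range:" prefixes, the malformation above.
_DUP_NAME_RE = re.compile(r"^(?:content-range:\s*)+", re.IGNORECASE)


def strip_duplicate_name(value: str) -> str:
    """Remove a header name that was repeated inside the header value."""
    return _DUP_NAME_RE.sub("", value.strip())


def parse_content_range(value: str):
    """Parse a byte Content-Range value into (first, last, complete).

    first/last are None for an unsatisfied range ('*'); complete is None
    when the complete length is '*'. Raises ValueError when the value is
    malformed or internally inconsistent.
    """
    m = _BYTE_RANGE_RE.match(value)
    if not m:
        raise ValueError(f"malformed Content-Range: {value!r}")
    first, last, complete = m.groups()
    complete = None if complete == "*" else int(complete)
    if first is None:
        if complete is None:
            raise ValueError("unsatisfied range must give the complete length")
        return None, None, complete
    first, last = int(first), int(last)
    if last < first:
        raise ValueError("last-pos precedes first-pos")
    if complete is not None and last >= complete:
        raise ValueError("range extends beyond the complete length")
    return first, last, complete


def check_partial_response(status: int, headers: dict, body_len: int):
    """Validate a 206 response; returns (repaired_value, problems).

    'headers' is a plain dict of header name -> value (constructed input);
    'problems' is empty when the response is well-formed and consistent.
    """
    problems = []
    raw = headers.get("Content-Range")
    if status != 206:
        return raw, problems
    if raw is None:
        return None, ["206 without Content-Range"]
    value = strip_duplicate_name(raw)
    if value != raw:
        problems.append("duplicated header name in Content-Range")
    try:
        first, last, _complete = parse_content_range(value)
    except ValueError as exc:
        problems.append(str(exc))
        return value, problems
    if first is not None and body_len != last - first + 1:
        problems.append(f"body is {body_len} bytes but range covers {last - first + 1}")
    return value, problems


if __name__ == "__main__":
    # The exact value quoted in the symptoms above, on a 6-byte body.
    print(check_partial_response(206, {"Content-Range": "Content-Range: bytes 0-5/28"}, 6))
```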
727212-1 : Subscriber-id query using full length IPv6 address fails.
Component: Carrier-Grade NAT
Symptoms:
FW NAT / CGNAT modules query the subscriber ID using IPv6 address. If the query is done using the IPv6 mask, under some circumstances the query fails.
Conditions:
The network is using an IPv6 mask other than 128. Subscribers are created using the masked IP address as the key. If the NAT module uses the complete IP address as the query key, the subscriber is not found.
Impact:
Logs contain UNKNOWN subscriber-id.
Workaround:
There is no workaround at this time.
Fix:
Subscriber ID queries using an IPv6 address now return the subscriber-id.
727206 : Memory corruption when using SSL Forward Proxy
Component: Local Traffic Manager
Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
727044-2 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic
726895 : VPE cannot modify subroutine settings
Solution Article: K02205915
Component: Access Policy Manager
Symptoms:
Open a per-request policy that has a subroutine in the Visual Policy Editor (VPE). Click 'Subroutine Settings / Rename'.
Numeric values like the inactivity timeout are displayed as 'NaN'. Attempts to modify the values result in MCP validation errors.
Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.
Impact:
All fields say 'NaN', and an error occurs when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE.
Workaround:
Use tmsh to modify these values, for example:
tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }
Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.
726872-2 : iApp LX directory disappears after upgrade or restoring from UCS★
Component: iApp Technology
Symptoms:
After a BIG-IP version upgrade or a restore from UCS, the iApps :: Application Services :: Applications LX screen displays instances of iApps LX, but their UI is not functional. This is caused by a software defect that makes the iApp LX directory disappear from /var/config/rest/iapps.
Conditions:
This issue can only happen during the initial start after a BIG-IP version upgrade or a restore from UCS. The more iApps LX instances there are and the more configuration they use, the more likely this issue is to happen. We observed this issue with 90+ instances of the f5-ddos-hybrid-defender iApp LX.
Impact:
The code of the iApp LX is removed from the system because of the defect, which makes the iApp LX UI unusable. The configuration deployed by the iApp LX instances remains in effect. The iApp LX configuration data remains intact, and the UI can be completely restored after manual installation of the iApp LX code.
Workaround:
1. Copy iAppLX code from an unaffected BIG-IP to the BIG-IP impacted by this defect. For example,
/var/config/rest/iapps/f5-ddos-hybrid-defender.
2. Create a symlink to UI code for UI to work. For example,
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded
Fix:
The issue should not happen when upgrading to the BIG-IP version with the fix or restoring from UCS on the BIG-IP version with the fix.
726647-3 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling the compression Accept-Encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726616-1 : TMM crashes when a session is terminated
Component: Access Policy Manager
Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:
-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.
-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.
Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer crashes when removing an access session.
726592-1 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
Component: Access Policy Manager
Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.
Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.
Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.
Workaround:
There is no workaround at this time; you can recover by restarting the daemons that hang.
Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.
726537-1 : Rare TMM crash when Single Page Application is enabled on DoSL7
Component: Application Security Manager
Symptoms:
There is a rare TMM crash that may happen when Single Page Application is enabled on the DoS Application profile.
Conditions:
Single Page Application is enabled on the DoS Application profile.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a TMM crash
726487-2 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
-- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
-- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).
Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created in a partition that uses a non-default route domain at the same time as the configuration is being saved.
726409-4 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Solution Article: K61429540
726377-1 : False-positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false-positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomains.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
The cookie hijacking violation is almost never relevant when the device ID feature is turned off, because without device ID it can only detect cases where some of the TS cookies were taken. The suggestion is to turn off this violation.
Fix:
The false-positive cookie hijacking violation no longer occurs in some scenarios when working with multiple domains.
726319-2 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
Component: Local Traffic Manager
Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.
This may occur intermittently depending on timing conditions.
Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.
Workaround:
None.
Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.
726303-1 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.
726255-2 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple TMMs in a sync group.
2. Multiple DNS paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-4 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
726154-2 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached to, or removed from, one or both of the virtual server and the route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.
726090-1 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
Component: Application Security Manager
Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.
Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.
Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.
Workaround:
There is no workaround at this time.
Fix:
Requests are now logged to the Bot Defense Request Log with Device ID enabled on the ASM Policy and no associated DoS profile.
726089-2 : Modifications to AVR metrics page
Solution Article: K44462254
726039 : Information is not updated after installing FPS live update via GUI
Component: Fraud Protection Services
Symptoms:
The GUI does not display the updated information after installing an update.
Conditions:
FPS is licensed and provisioned.
Impact:
Cosmetic only.
Workaround:
Refreshing the page.
Fix:
The information is updated after installing an update.
725878-2 : AVR does not collect all of APM TMStats
Component: Application Visibility and Reporting
Symptoms:
AVR does not collect all of APM TMStats
Conditions:
Using AVR to view APM stats.
Impact:
Cannot view all values.
Workaround:
None.
Fix:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
Behavior Change:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp
725867-2 : ADFS proxy does not fetch configuration for non-floating virtual servers
Component: Access Policy Manager
Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).
Conditions:
-- Virtual address of virtual server has non-floating traffic group.
-- ADFS proxy feature is enabled on the virtual server.
Impact:
All the requests to ADFS are blocked.
Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).
Fix:
ADFS proxy now fetches configuration from ADFS for non-floating virtual servers.
725815-1 : vlangroup usage may cause excessive resource consumption
Solution Article: K72442354
725801-4 : CVE-2017-7889: Kernel Vulnerability
Solution Article: K80440915
725696-1 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
Component: TMOS
Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might result in a tmm timer queue getting into a loop, which results in tmm being aborted by sod, and tmm restarts.
Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
+ There is a CMP transition.
+ There are changes made to the OCSP object.
Impact:
tmm restarts. Traffic interrupted while tmm restarts.
Workaround:
There is no workaround other than disabling OCSP stapling.
Fix:
The timer issue has been corrected.
725635-2 : CVE-2018-3665: Intel Lazy FPU Vulnerability
Solution Article: K21344224
725612-1 : syslog-ng remote destination needs unique name that changes on address change.
Component: TMOS
Symptoms:
Changing syslog server IP address requires syslog-ng restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.
Conditions:
1. Add Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.
Impact:
Syslog messages still go out toward Server A.
Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng
Messages now properly go out toward Server B (the new IP address).
Fix:
Syslog operations now use the new remote destination address on syslog service reconfiguration.
725545-1 : Ephemeral listener might not be set up correctly
Component: Local Traffic Manager
Symptoms:
When ephemeral listeners are set up across a cluster, the transaction might fail.
Conditions:
When using Network Access tunnel with proxy ARP and no SNAT.
Impact:
The client-assigned IP address might intermittently fail to be resolved via ARP on the serverside/leasepool VLAN.
Workaround:
None.
Fix:
The ephemeral listener is now set up correctly.
725412-1 : APM does not follow current best practices for HTTP headers
Component: Access Policy Manager
Symptoms:
APM does not follow current best practices for HTTP headers
Conditions:
APM enabled
Impact:
HTTP headers not generated as intended
Workaround:
None.
Fix:
APM now follows current best practices for HTTP headers
724906-1 : sasp_gwm monitor leaks memory over time
Component: Local Traffic Manager
Symptoms:
Memory usage of the Server/Application State Protocol (SASP) monitor process, sasp_gwm, slowly increases over time.
Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.
Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of the sasp_gwm processes prevent the growth from affecting the system.
Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.
724868-1 : dynconfd memory usage increases over time
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd prevent the growth from affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724847 : DNS traffic does not get classified for AFM port misuse case
Solution Article: K95010813
Component: Traffic Classification Engine
Symptoms:
When a DNS query name has a label longer than 23 bytes, it does not get classified as DNS.
Conditions:
-- AFM provisioned.
-- A port misuse policy for DNS and a service policy configured.
-- DNS query name with label length of greater than 23 bytes.
Impact:
DNS does not get classified properly for some cases.
Workaround:
There is no workaround at this time.
Fix:
Allowed DNS label length is now 64 bytes, so any DNS query name where each label is fewer than 64 bytes is now properly classified.
724680-4 : OpenSSL Vulnerability: CVE-2018-0732
Solution Article: K21665601
724571-1 : Importing access profile takes a long time
Component: Access Policy Manager
Symptoms:
It takes a long time for the 'Apply Access Policy' link to show up on the admin UI after importing an access profile.
Conditions:
-- Access policy with many macros.
-- Import the exported profile multiple times with Reuse Existing Objects checked.
-- As the number of imports increases, so does the latency.
Impact:
The imported access policy takes a long time to be imported and ready to use.
Workaround:
None.
724564-1 : A FastL4 connection can fail with loose-init and hash persistence enabled
Component: Local Traffic Manager
Symptoms:
The BIG-IP system fails to create a connection after 3WHS when using loose-init and hash persistence.
This can happen if traffic is redirected from one BIG-IP system to another, with the second BIG-IP system failing to create the connection, causing an interruption of traffic on that connection.
Conditions:
-- Virtual server configured with hash persistence.
-- FastL4 profile with loose-init enabled.
Impact:
Traffic fails when redirected from one BIG-IP system to another.
Workaround:
There is no workaround other than to disable hash persistence.
Fix:
A FastL4 connection no longer fails with loose-init and hash persistence enabled.
724532-2 : SIGSEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.
724414-2 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
Component: Application Security Manager
Symptoms:
When ASM inspects WebSocket frames, the bd daemon memory is leaking; eventually ASM stops inspecting traffic and sends resets or bypass requests.
Conditions:
-- ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).
Impact:
ASM may reset connections; failover might occur.
Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.
-- Disable parse parameters flag in the json profile.
Fix:
The system now frees the allocated memory when it finishes inspecting a WebSocket frame.
724339-1 : Unexpected TMUI output in AFM
Solution Article: K04524282
724335-1 : Unexpected TMUI output in AFM
Solution Article: K21042153
724327-1 : Changes to a cipher rule do not immediately have an effect
Component: Local Traffic Manager
Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change will not take effect until something else on the SSL profile changes.
Conditions:
A cipher group is used by an SSL profile, and one of its cipher rules changes.
Impact:
Unexpected behavior occurs as the user expects the cipher rule change to take effect immediately.
Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.
Fix:
Any changes to a cipher rule or cipher group will take immediate effect.
724213-1 : Modified ssl_profile monitor param not synced correctly
Solution Article: K74431483
Component: Local Traffic Manager
Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.
Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an HA configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.
Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
Workaround:
-- Do not run HTTPS monitors using in-tmm monitors.
-- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).
Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.
Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within an HA configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.
724143-1 : IKEv2 connflow expiration upon ike-peer change
Component: TMOS
Symptoms:
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so it remains in use for the tunnel.
Conditions:
-- Making any change to an IKEv2 ike-peer, even insignificant changes such as a description change.
-- Running a system version that has the new auth-rule attribute inside ike-peer.
Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.
Impact:
In effect, you cannot change the configuration of the flow by changing the peer definition.
Workaround:
There is no workaround at this time.
Fix:
Changes in ike-peer now expire any existing connflow for that ike-peer. This affects only system versions that have the new auth-rule attribute inside ike-peer.
724032-1 : Searching Request Log for value containing backslash does not return expected result
Component: Application Security Manager
Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.
Conditions:
Searching within Request Log for a value containing backslash.
Impact:
Search within Request Log record containing backslash does not return the expected result.
Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.
Fix:
Searching within Request Log for a value containing backslash returns the expected result.
723792-2 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
723722-2 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723579-4 : OSPF routes missing
Component: TMOS
Symptoms:
When a newer link-state advertisement (LSA) (with a greater sequence number) comes in, Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertices. If the discard happens during such a suspension, then after the calculation resumes, the discarded LSAs are ignored, which can cause unreachable routes and eventually route withdrawals.
Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.
Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.
Workaround:
There is no workaround.
Fix:
The 'vertex threshold' IMISH parameter is now provided for OSPF/OSPF6, and it controls the number of vertices calculated in one batch (the default value is 100). This value can be increased to prevent LSA discards. A value of 0 means that the SPF calculation is not suspended at all, which in large areas may cause slow responsiveness of OSPF and, eventually, LSA drops.
723300-2 : TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
Component: Local Traffic Manager
Symptoms:
TMM may crash when tracing iRules containing nameless listeners on internal virtual servers.
Conditions:
-- Using iRule tracing.
-- Internal virtual servers.
-- Listener iRule, where the listener has no name.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when tracing iRules containing nameless listeners on internal virtual servers.
723298-2 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
723288-2 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
723130-1 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Solution Article: K13996
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases you might not be able to deploy a new instance from an OVA file.
Workaround:
The expired OVA signing certificate has been replaced with a valid signing certificate.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
722969-2 : Access Policy import with 'reuse' enabled instead rewrites shared objects
Component: Access Policy Manager
Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.
Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.
Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.
Workaround:
None.
Fix:
Access policy import with the 'reuse' option enabled no longer rewrites shared objects.
722893-1 : The TMM - host interface may stall when the kernel memory is fragmented
Solution Article: K30764018
Component: Local Traffic Manager
Symptoms:
MCP logs 'Removed publication with publisher id TMMx' and the affected TMM restarts.
Conditions:
This occurs when the following conditions are met:
-- Linux kernel memory fragmentation exists.
-- Another operation is occurring, including (among others):
+ Config-sync with full reload is initiated.
+ Running tcpdump.
Impact:
Degraded performance and unexpected failover when tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The internal driver has been improved, allowing it to work in low- and/or fragmented-memory conditions.
722691 : Available datagroup list does not contain datagroups with the correct type.
Component: TMOS
Symptoms:
Available datagroup list contains only datagroups with type string and is not repopulated with datagroups that have a different type to match when the operand/selector changes.
Conditions:
-- Using the GUI.
-- Operand or selector in a condition is changed to a combination that is not compatible with string-type datagroups.
Impact:
Cannot assign a non string-type datagroup to a condition.
Workaround:
Use TMSH to configure the policy rule condition.
Fix:
Datagroups list is repopulated with datagroups of the appropriate type when its rule condition's operand or selector is changed.
722682-2 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.
Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
+ 12.1.3.x
+ Any 13.0.x
+ All 13.1.x earlier than 13.1.1.2
+ 14.0.x earlier than 14.0.0.3
Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.
Workaround:
After upgrade, add two backslash characters (\\) before the first colon (:) character.
1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon (:) character in the name of each affected GTM pool member:
for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done
4. Run the following command: load sys config gtm-only
Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.
722677-4 : High-Speed Bridge may lock up
Component: Local Traffic Manager
Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge and using Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge.
Conditions:
-- Hardware platform with High-Speed Bridge.
-- Layer 2 forwarding enabled.
-- vlangroup.flow.allocate disabled.
Impact:
High-Speed Bridge lockup, leading to a failover event.
Workaround:
The vlangroup.flow.allocate DB variable is enabled by default.
Ensure that vlangroup.flow.allocate is enabled with the command:
modify /sys db vlangroup.flow.allocate value enable
722594-2 : TCP flow may not work as expected if double tagging is used
Component: Local Traffic Manager
Symptoms:
TCP flow may have an incorrect ACK number, and the flow may stall or reset. The BIG-IP system sends an ACK that is higher than it should be based on the data received from the client.
Conditions:
Double tagging is used.
Impact:
TCP connection fails.
Workaround:
Change the db variable tm.tcplargereceiveoffload value to disable.
Fix:
TCP flow now has the correct ACK number when double tagging is used.
722423-1 : Analytics agent always resets when Category Lookup is of type custom only
Component: Access Policy Manager
Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.
Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.
Impact:
This configuration leads to an Analytics agent with 'RST on Failure' disabled. The BIG-IP Admin cannot make the choice to disable RST on failure for this particular setup (even though it is a misconfiguration).
Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.
Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.
Fix:
Disabling RST on failure now works properly in this scenario. The configuration is still technically incorrect, but the system now takes the specified action upon error.
722387-3 : TMM may crash when processing APM DTLS traffic
Component: Local Traffic Manager
Symptoms:
When processing DTLS traffic for APM, TMM may crash.
Conditions:
APM provisioned and configured.
DTLS enabled in APM configuration.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
DTLS traffic is now processed as expected.
722363-2 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722091-3 : TMM may crash while processing HTTP traffic
Solution Article: K64208870
722013 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.
721985 : PAYG License remains inactive as dossier verification fails.
Component: TMOS
Symptoms:
- BIG-IP is deployed in a cloud environment (AWS/Azure/GCE) with PAYG licenses. The license does not activate on startup.
Conditions:
- There are multiple ways this can happen, but all of them come down to a networking issue in the user's environment where the HTTP calls to the cloud metadata service fail.
- This can be a simple routing issue to the metadata service or a firewall issue.
Impact:
As license activation fails, the instance becomes unusable.
Workaround:
Look at /var/log/ltm to determine the networking issue that is causing the dossier verification failure. It is typically logged in the following form:
Curl request to metadata service failed with error(<error-code>): '<error-message>'
Once this networking error is resolved, license activation should succeed.
Fix:
PAYG License remains inactive as dossier verification fails.
721924-2 : bgpd may crash processing extended ASNs
Solution Article: K17264695
Component: TMOS
Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.
Conditions:
Dynamic routing enabled.
Extended ASN capability enabled: bgp extended-asn-cap enabled
Impact:
Dynamic routing disrupted while bgpd restarts.
Fix:
bgpd now processes extended ASNs as expected.
721895 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections on port 4353 only from known BIG-IP systems.
Fix:
This version adds a db variable for big3d: big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
721752-2 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following sql command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.
721741-3 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Component: Application Security Manager
Symptoms:
The bd log shows errors such as the following:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.
Impact:
BD and BD_Agent are out of sync for IP Address Exceptions, which causes false positives and false negatives.
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
721740-2 : CPU stats are not correctly recorded when snapshot files have timestamps in the future
Component: TMOS
Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.
May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available.
Merged CPU stats will be 0.
Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.
Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.
Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.
Fix:
Merged has been updated to correctly handle the case where all of the stats snapshot files have timestamps in the future, and now correctly merges the CPU stats.
721704-1 : UDP flows are not deleted after subscriber deletion
Component: Policy Enforcement Manager
Symptoms:
UDP flows continue to exist until the UDP idle timeout expires, even after the subscriber is gone and the option for immediate deletion of the flow is enabled.
Conditions:
-- The option to delete flows upon subscriber deletion is enabled.
-- The UDP flow is established with an idle time greater than the re-evaluate timeout.
Impact:
The UDP flows remain alive after they should have been deleted, but only drop the traffic.
Workaround:
To work around this issue:
1. Modify the UDP idle timer to a suitable value.
2. Force delete the UDP flow from CLI.
Fix:
UDP flows are now deleted after subscriber deletion.
721621-1 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note: This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
721571-1 : State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x or 14.x software versions in a high-availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.
Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- The active system is running v12.1.3.x, and the standby system is running v13.x or v14.x, as a result of an in-progress upgrade.
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
Impact:
TMM may crash on a standby system during upgrade.
This issue should not disrupt traffic, because the TMM is coring only on the standby unit.
Workaround:
To work around this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x or v14.x, or complete the upgrade of both devices to v13.x or v14.x.
1. You can disable mirroring using either the GUI or the command line.
1a. In the GUI: Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.
1b. From the command line: Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config
Important: This action results in connection state loss on failover.
2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IP addresses removed previously.
Note: F5 recommends that BIG-IP systems in HA configurations run with the same software version on all devices.
721570-1 : TMM core when trying to log an unknown subscriber
Solution Article: K20285019
Component: Carrier-Grade NAT
Symptoms:
Using CGNAT or FW-NAT with subscriber-id logging enabled can cause a TMM core when the subscriber ID is unknown.
Conditions:
-- An LSN pool or FW-NAT source translation that has a logging profile with subscriber-id enabled.
-- A PEM profile that allows unknown subscribers.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure PEM to deny connections from unknown subscribers.
Fix:
The system no longer crashes. It logs 'unknown' for unknown subscribers.
721512 : Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
Component: TMOS
Symptoms:
Configuration tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
Conditions:
This can happen in the following two scenarios:
-- A configured IPv4 management-ip that is switched to IPv6.
-- A configured IPv6 management-ip that is switched to IPv4.
Impact:
Cannot successfully change an IPv4 or IPv6 management-ip address using config.
For either of the above cases, if the IP addresses are switched back to IPv4/IPv6, the config tool fails to configure management-ip with this error:
ERROR: route_mgmt_entry count is 2
Workaround:
Manually delete the default6 (if current management-ip is IPv4) or default (if current management-ip is IPv6) management-route by running the following command:
tmsh delete sys management-route <default/default6>
Fix:
Config tool now works to configure management-ip when default routes exist for both IPv4 and IPv6, so you can switch back and forth between IPv4 and IPv6 IP addresses without error.
721474-1 : AVR does not send all SSLO statistics to offbox machine.
Component: Application Visibility and Reporting
Symptoms:
When using the 'use-offbox' option, AVR does not send SSLO statistics to the offbox system.
Conditions:
-- AVR provisioned.
-- Use-offbox is enabled.
Impact:
SSLO statistics are not available for BIG-IQ analytics.
Workaround:
There is no workaround.
Fix:
AVR now sends SSLO statistics to offbox systems when the 'use-offbox' option is enabled.
721375-1 : Export then import of config with RSA server in it might fail
Component: Access Policy Manager
Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.
Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.
Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.
Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.
Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.
721364 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
Component: TMOS
Symptoms:
A BIG-IP Virtual Edition (VE) admin can create only one wildcard virtual server with a per-application BYOL license.
Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:
-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template
For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enables this functionality.
Conditions:
Per-app VE with BYOL license.
Impact:
Per-app VE with BYOL license does not work as expected.
Workaround:
N/A
Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.
721350-2 : The size of the icrd_child process is steadily growing
Component: TMOS
Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.
Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.
GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.
ltm pool p-http { }
ltm virtual novel-1000 {
...
pool p-http
profiles {
analytics { }
http { }
tcp { }
}
....
}
# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss
On subsequent GET requests the rss size continues to increase.
Impact:
Increase in the rss of the icrd_child process. This increase could lead to an icrd_child core, or to swapping of other processes because of the limited memory left for them.
Workaround:
There is no workaround.
Fix:
The memory leak was identified and fixed.
721342 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
Component: TMOS
Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.
Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).
Impact:
No options to use various Per-App VE features.
Workaround:
None.
Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.
721261-1 : v12.x Policy rule names containing slashes are not migrated properly
Component: Local Traffic Manager
Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM policies that have rules containing the slash character will not migrate properly, and roll-forward migration will fail.
Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.
Impact:
Roll-forward migration fails with the error: illegal characters in rule name.
Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).
Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.
Fix:
BIG-IP software v12.x Policy rule names containing slashes are properly migrated.
721016 : vcmpd fails updating VLAN information on vcmp guest
Component: TMOS
Symptoms:
VLANs are not properly attached to a vCMP guest. They are in fact absent from the VLAN shared memory segment.
In the host /var/log/ltm, this message is observed:
err vcmpd[7839]: 01510004:3: Error updating vlan shm seg: -39
In the guest, these messages are observed:
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
warning chmand[8827]: 012a0004:4: readShmData: vCmpShmIntf: Query segment error
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
Conditions:
-- vCMP provisioned on a BIG-IP system.
-- vCMP guests deployed.
-- More than 3259 VLANs attached to guests from host.
Impact:
Cannot use newly deployed VLANs in the guest. Running the following command in the guest does not show the attached VLANs:
$ tmsh list net vlan
Workaround:
None.
720961-1 : Upgrading in Intelligence Community AWS environment may fail
Component: TMOS
Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment, you cannot upgrade to 13.1.0.2 (or later) because the license fails to validate afterwards.
Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.
Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.
Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.
Fix:
This release provides improved license validation to address this situation: it detects the IC environment while still allowing prior licenses to function.
720799-2 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node to which the pool members belong returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most recent DNS query results are no longer immediately deleted from the pool.
To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old ephemeral nodes and pool members occurs after a delay.
The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
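The add-immediately, delete-after-a-delay behavior described in this fix can be modelled in a few lines. The following is an added illustrative example, not BIG-IP code: the `EphemeralPoolModel` class and its `down_interval` parameter are hypothetical names, the timing is simulated with plain numbers, and the IP addresses are constructed sample data. It shows why a full address replacement no longer leaves a moment with zero members, and that an address which reappears before its deadline keeps its membership.

```python
from dataclasses import dataclass, field


@dataclass
class EphemeralPoolModel:
    """Toy model of ephemeral FQDN pool members after the fix (hypothetical class).

    New addresses from a DNS answer are added immediately. Addresses missing from
    the latest answer are not deleted right away; they are scheduled for removal
    down_interval seconds later, mirroring the FQDN node's 'down-interval' setting.
    A scheduled address that reappears in a later answer has its removal cancelled.
    """

    down_interval: float                              # seconds
    members: dict = field(default_factory=dict)       # ip -> removal deadline or None

    def apply_dns_result(self, addresses, now: float) -> None:
        """Reconcile the member set with one DNS answer received at time `now`."""
        answers = set(addresses)
        # 1. Add new members immediately and clear any pending removal for known ones.
        for ip in answers:
            self.members[ip] = None
        # 2. Schedule (do not perform) removal of members absent from this answer.
        for ip, deadline in self.members.items():
            if ip not in answers and deadline is None:
                self.members[ip] = now + self.down_interval
        self._expire(now)

    def _expire(self, now: float) -> None:
        """Delete members whose removal deadline has passed."""
        due = [ip for ip, d in self.members.items() if d is not None and d <= now]
        for ip in due:
            del self.members[ip]

    def active_members(self, now: float):
        """Members able to receive traffic at time `now`, sorted for stable output."""
        self._expire(now)
        return sorted(self.members)


def pre_fix_members_between_updates(old, new):
    """Pre-fix behavior: all old ephemerals were removed before new ones were created,
    so with no overlap between answers the pool was momentarily empty."""
    return sorted(set(old) & set(new))


if __name__ == "__main__":
    pool = EphemeralPoolModel(down_interval=5)
    pool.apply_dns_result(["10.0.0.1", "10.0.0.2"], now=0)      # constructed sample data
    pool.apply_dns_result(["10.0.0.3", "10.0.0.4"], now=1)      # complete replacement
    print("t=1 :", pool.active_members(1))   # old and new members both present
    print("t=6 :", pool.active_members(6))   # old members gone after down_interval
    print("pre-fix gap:", pre_fix_members_between_updates(
        ["10.0.0.1", "10.0.0.2"], ["10.0.0.3", "10.0.0.4"]))
```

Run it directly to see the member set at each step; the empty list from `pre_fix_members_between_updates` is the gap that caused the virtual server to flap before the fix.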
720757-1 : Without proper licenses Category Lookup always fails with license error in Allow Ending
Component: Access Policy Manager
Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:
Error: Global concurrent url filter session limit reached
The connection is aborted.
Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.
Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.
Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.
Fix:
The allow ending is now reached successfully and does not error out if Category Lookup fails due to licensing errors but is set to disable 'RST on failure'.
720756-1 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
Component: TMOS
Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.
Conditions:
-- On a licensed system, query the marketing name OID.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.
Impact:
Cannot tell the actual platform name in the SNMP query.
Workaround:
There is no workaround at this time.
Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.
720713-2 : TMM traffic to/from an i10600/i10800 device in vCMP host mode may fail
Component: TMOS
Symptoms:
When an i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- i10600/i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
None.
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
720695-1 : Export then import of APM access Profile/Policy with advanced customization is failing
Component: Access Policy Manager
Symptoms:
An exported policy containing advanced customization fails to import.
Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.
Impact:
Import fails.
Workaround:
None.
Fix:
Access policy import containing advanced customization now succeeds.
720651-2 : Running Guest Changed to Provisioned Never Stops
Component: TMOS
Symptoms:
After changing a vCMP guest's state to provisioned, the guest remains running and shows a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP vCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until vcmpd process is restarted.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
720585-1 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures
Component: Anomaly Detection Services
Symptoms:
There is a probability that the generated signatures will block unknown traffic (traffic that was not present before the attack) even if that is not necessary from a service health perspective.
Conditions:
Attack traffic is running.
Unknown traffic is running in parallel.
Together with the good traffic, it exceeds the learned baseline.
Impact:
The signatures may block unknown traffic even if that is not necessary from a service health perspective.
Workaround:
There is no workaround at this time.
Fix:
An adaptive ratio threshold is now used to decide how much of the current bad traffic samples the signatures must cover. The ratio increases as long as the health is not good.
If the health returns to good levels (below one), the ratio is reset to its initial value.
720461-2 : qkview prompts for password on chassis
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /usr/bin/getnodedates script and add -oBatchMode=yes to the SSH command, as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
Fix:
The qkview is no longer blocked with a password prompt.
720460-1 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
Component: Local Traffic Manager
Symptoms:
The sys db variable compression.strategy controls compression-provider selection. When it is set to 'softwareonly', compression still selects a hardware accelerator.
Conditions:
This always happens when compression.strategy is set to 'softwareonly'.
Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.
Workaround:
There is no workaround.
Fix:
The system now supports software compression when the sys db variable compression.strategy is set to 'softwareonly'.
720391-2 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
720293-3 : HTTP2 IPv4 to IPv6 fails
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
720214-1 : NTLM Authentication might fail if Strict Update in iApp is modified
Component: Access Policy Manager
Symptoms:
Exchange Proxy NTLM authentication fails when the iApp's Strict Updates option is initially disabled and then turned on. NTLM authentication fails with STATUS_NO_LOGON_SERVERS.
Conditions:
The Strict Update option in the iApp is modified.
Impact:
Any service using NTLM authentication will be disrupted.
Workaround:
Restart the ECA and NLAD modules to restore correct operation. To do so, run the following commands:
bigstart restart nlad
bigstart restart eca
Fix:
NTLM authentication now works as expected when Strict Update in the iApp is modified.
720189-1 : VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
Component: Access Policy Manager
Symptoms:
VDI settings have HTML5 package URL instead of Citrix Receiver download link. Hyperlink directs to HTML5 package link.
Conditions:
-- Citrix VDI is configured in Replacement mode.
-- HTML5 package is configured using Citrix client bundle.
-- Citrix HTML5 client bundle is used with Connectivity profile attached to the virtual server.
Impact:
The incorrect package is downloaded to the APM Webtop user.
Workaround:
None.
Fix:
Fixed the hyperlink for Citrix Receiver download in VDI settings of Webtop.
720136-1 : Upgrade may fail on mcpd when external netHSM is used
Component: Local Traffic Manager
Symptoms:
When upgrading from 13.1 to 14.1, there might be a deadlock between mcpd and pkcs11d. 'bigstart status pkcs11d' might return:
"pkcs11d down, waiting for mcpd to release running semaphore".
Conditions:
Upgrading from 13.1 to 14.1 for BIG-IP with external netHSM enabled.
Impact:
External netHSM is not functional or the whole appliance/blade is not functional.
Workaround:
Try reinstalling external netHSM.
Fix:
This fix breaks the circular dependency between mcpd's validation and pkcs11d.
720110-2 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
Component: TMOS
Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without BGP notify message.
Conditions:
1. BGP session is terminated without BGP notify (just TCP FIN).
2. Neither learned (not originated in the DUT) nor default-originate (originated in the DUT) default routes are sent.
Impact:
Default routes are not propagated in the network after the BGP peer restart.
Workaround:
There is no workaround at this time.
Fix:
Default routes are now always sent after a BGP session reset. Behavior is now consistent whether or not the BGP session reset includes a BGP notify message.
720104-1 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
720045-1 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed
Component: Advanced Firewall Manager
Symptoms:
AFM/DHD treats IP-fragmented UDP DNS packets (request or response) as DNS Malformed packets and drops them.
Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.
Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.
If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.
Workaround:
None.
Fix:
This issue is now fixed, as follows:
a) For IP fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header and DNS header and Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If this information is not available in first IP fragment, AFM drops the fragment as DNS Malformed.
b) For IP fragmented UDP DNS response packets, AFM parses the first IP fragment to retrieve the L4 (UDP) header and DNS header and Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If, however, this information is not available in the first IP fragment, the default behavior is that AFM allows such a fragmented DNS response packet through. This behavior can be changed to drop incomplete IP fragmented DNS response packets by setting the db variable 'Dos.dns.respfrag.allow' to 'false'.
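The check the fix describes, whether the first IP fragment carries a complete UDP header, DNS header and Question section, is easy to reproduce offline. The following is an added example written for this page, not F5's implementation: `dns_question_complete` walks the wire format to decide if the Question section is fully present, and `first_fragment_action` applies the request/response decision table above, with a `respfrag_allow` argument standing in for the 'Dos.dns.respfrag.allow' db variable. The DNS query is constructed sample input, and the "fragments" are simulated by truncating its L4 payload.

```python
import struct


def build_dns_query(qname: str, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one Question). Constructed sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD, qdcount=1
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Prepend an 8-byte UDP header (checksum left as 0) to a DNS message."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def dns_question_complete(l4_payload: bytes) -> bool:
    """True if the UDP header, the DNS header and the whole Question section
    are present in this (possibly truncated) first-fragment payload."""
    if len(l4_payload) < 8:            # UDP header missing or short
        return False
    dns = l4_payload[8:]
    if len(dns) < 12:                  # DNS header missing or short
        return False
    qdcount = struct.unpack("!H", dns[4:6])[0]
    off = 12
    for _ in range(qdcount):
        while True:                    # walk the QNAME labels
            if off >= len(dns):
                return False           # name runs past the fragment
            length = dns[off]
            if length == 0:            # root label terminates the name
                off += 1
                break
            if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
                off += 2
                break
            off += 1 + length
        if off + 4 > len(dns):         # QTYPE + QCLASS must also fit
            return False
        off += 4
    return True


def first_fragment_action(l4_payload: bytes, is_response: bool,
                          respfrag_allow: bool = True) -> str:
    """Decision for the first IP fragment of a UDP DNS packet, per the fix text.

    respfrag_allow models the 'Dos.dns.respfrag.allow' db variable (assumption:
    True is the default, meaning incomplete response fragments are allowed through).
    """
    if dns_question_complete(l4_payload):
        return "process"               # hand to the remaining DoS checks
    if not is_response:
        return "drop"                  # incomplete request fragment: DNS Malformed
    return "allow" if respfrag_allow else "drop"


# Constructed sample: a 37-byte UDP payload (8 UDP + 12 DNS header + 17 Question).
FULL_QUERY = build_udp(53000, 53, build_dns_query("example.com"))


if __name__ == "__main__":
    for n in (37, 30, 20):
        frag = FULL_QUERY[:n]          # simulate a first fragment of n L4 bytes
        print(f"{n:2d} bytes: request={first_fragment_action(frag, False)}, "
              f"response={first_fragment_action(frag, True)}, "
              f"response(respfrag.allow=false)={first_fragment_action(frag, True, False)}")
```

A first fragment that ends inside the QNAME labels or before QTYPE/QCLASS is reported as incomplete; the same parser also refuses a fragment whose QNAME would run past the end of the data, which is the case the DoS vector is meant to catch.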
719770-2 : tmctl -H -V and -l options without values crashed
Component: TMOS
Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.
Conditions:
Use one of these options without the required value.
Impact:
Core file. No other impact.
Workaround:
Be sure to pass the required value with these options.
Fix:
The missing value is now reported as an error.
719644-2 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing a period (.), a GTM configuration with auto-discovery enabled that is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server names contain a period character (.).
-- The same virtual server name is used in multiple partitions.
719600-2 : TCP::collect iRule with L7 policy present may result in connection reset
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.
Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.
Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.
Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.
719597 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
Component: TMOS
Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.
Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.
Impact:
Fail to form HA connection.
Workaround:
There is no workaround other than installing the same software on both blades.
Fix:
A new sys db variable mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command:
tmsh modify sys db mhdag.bitshift value 5
HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.
719554-2 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
719459-2 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
Component: Application Security Manager
Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.
Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.
Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.
Workaround:
Add the incorrect suggestions to the 'ignore' list.
Fix:
Policy builder no longer creates suggestions to add already existing URLs.
719396-1 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
Solution Article: K34339214
Component: TMOS
Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.
Note: The problem goes away after the first boot.
Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.
Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.
Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient
Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.
719247-2 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string
Solution Article: K10845686
Component: Local Traffic Manager
Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.
Conditions:
In an iRule where the argument is a blank string:
HTTP::path ""
HTTP::query ""
Impact:
An error is encountered while executing an iRule containing "HTTP::query $blank", and the connection is terminated, with an error in the logs similar to the following:
-- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>
Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]
To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]
Fix:
HTTP::path and HTTP::query iRule functions now accept blank string arguments.
719192 : In VPE Agent VMware View Policy shows no properties
Component: Access Policy Manager
Symptoms:
When a VMware View policy is opened in the Visual Policy Editor (VPE), it shows an empty properties page instead of the expected policy options.
Conditions:
Open a policy in VPE VMware View.
Impact:
Unable to configure VMware view policy from VPE.
Workaround:
Use tmsh to configure VMware View policies.
Fix:
Properties are now displayed correctly in Visual Policy Editor (VPE) VMware View.
719186-2 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
Component: Fraud Protection Services
Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.
Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.
Impact:
False-positive 'missing strong integrity parameter' alert.
Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:
(Set the static::drop_alert variable elsewhere in the iRule, for example after matching the URL and checking that the Content-Type header starts with 'multipart/form-data'.)
when ANTIFRAUD_ALERT {
    if { $static::drop_alert eq 1 &&
         [ANTIFRAUD::alert_type] eq "vtoken" &&
         [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}
Fix:
FPS no longer sends automatic-transaction alerts for unsupported requests, so multipart/form-data requests no longer generate false positive 'missing strong integrity parameter' alerts.
719149-2 : VDI plugin might hang while processing native RDP connections
Component: Access Policy Manager
Symptoms:
Rarely, during processing of native RDP connections, the VDI plugin might hang, which prevents launch of VDI resources (Native RDP, Citrix, VMware View) from the APM Webtop.
Conditions:
APM Webtop is configured with native RDP resource.
Impact:
VDI resources (Native RDP, Citrix, VMware View) cannot be launched from APM Webtop.
Workaround:
None.
Fix:
Fixed rare VDI plugin hang caused by processing of native RDP connections.
719079-1 : Portal Access: same-origin AJAX request may fail under some conditions.
Component: Access Policy Manager
Symptoms:
Portal Access may reject response to same-origin AJAX request if host names in request and its origin differ in case.
Conditions:
Same-origin AJAX request with a host name whose case differs from the case of the origin page's host name, for example:
Request page: https://example.com/some/file
Page with URL: https://Example.com/origin/page.html
Impact:
Web application may not work correctly.
Workaround:
Use an iRule to remove 'F5_origin' parameter from the AJAX requests, for example:
when HTTP_REQUEST {
    if { [HTTP::path] contains "/iNotes/Forms9.nsf/iNotes/Proxy/" and [HTTP::query] contains "F5_origin=" } {
        regsub {F5_origin=[0-9a-f]+&F5CH=I} [HTTP::query] {F5CH=I} query
        HTTP::query $query
    }
}
Fix:
Now Portal Access handles same-origin AJAX requests correctly when host name case differs from the host name of origin page.
719005-1 : Login request may arrive corrupted to the backend server after CAPTCHA mitigation
Component: Application Security Manager
Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).
Conditions:
-- A brute force CAPTCHA mitigation happens.
-- Specific traffic conditions.
Impact:
Login request fails.
Workaround:
None.
Fix:
CAPTCHA request-handling now works as expected.
718885-3 : Under certain conditions, monitor probes may not be sent at the configured interval
Solution Article: K25348242
Component: Global Traffic Manager (DNS)
Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.
Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.
Impact:
Monitor probes are not consistently performed at the configured interval.
Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.
The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.
For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:
-- Change the interval for 10 of the monitors to a different value.
-- Set the monitor interval to 40.
Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.
Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.
718817-2 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
Component: TMOS
Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.
There are log entries in /var/log/liveinstall.log:
-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.
Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.
Impact:
Software installation fails.
Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"
-- Retry the installation until it succeeds.
718772-2 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
Component: Anomaly Detection Services
Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).
Conditions:
Attack with traffic with 'unknown' header, for example
'Upgrade-Insecure-Requests: 1'.
Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).
Workaround:
There is no workaround.
Fix:
1. Change 'http.unknown_header' predicate into 'http.unknown_header_exists'.
2. Keep supporting the old format 'http.unknown_header'.
718685-1 : The measured number of pending requests is two times higher than actual one
Component: Anomaly Detection Services
Symptoms:
The measured number of pending requests is twice the actual number.
Conditions:
Virtual server configured with a Behavioral DoS profile.
Impact:
The server stress mechanism is more sensitive than planned. A temporary traffic spike can cause DoS mitigation to start unnecessarily.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
Modify the adm.health.sensitivity value.
For example, to change health sensitivity from 50 to 500, run the following command:
tmsh modify sys db adm.health.sensitivity value 500
Fix:
Fixed initial adm flow sampling, so that the measured number of pending requests now equals the actual number.
718525-1 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
Component: TMOS
Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:
warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"
(The object type may be something other than 'vlan_pkey'.)
Conditions:
This occurs when you remove the mcpd binary database and reboot the system.
Impact:
The configuration does not load until 'bigstart restart' is executed.
Workaround:
None.
Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.
718405-1 : RSA signature PAYLOAD_AUTH mismatch with certificates
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.
The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC3447, page 42) before the 20-byte SHA1 digest is signed by RSA.
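The DER prefix the fix refers to is the SHA-1 DigestInfo header from RFC 3447 section 9.2. The following Python is an added illustration, not BIG-IP or racoon2 code, of what that prefix is and why a peer that parses it rejects a signature made over the bare digest: it builds the EMSA-PKCS1-v1_5 encoded message with and without the 15-byte prefix and runs a verifier-style parse over both. The message and the 128-byte encoded length are constructed sample values; the RSA modular operation is left out because the encoding that gets signed is the point.

```python
import hashlib
from typing import Optional

# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447 section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
# This is the 15-byte prefix the release note mentions.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info_sha1(message: bytes) -> bytes:
    """DigestInfo T = 15-byte DER prefix || 20-byte SHA-1 digest (35 bytes)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int) -> bytes:
    """RFC 3447 section 9.2 encoding: EM = 0x00 || 0x01 || PS || 0x00 || T.

    em_len is the RSA modulus length in bytes (constructed sample: 128).
    """
    t = digest_info_sha1(message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def bare_digest_encoding(message: bytes, em_len: int) -> bytes:
    """The non-interoperable form the note describes: the 20-byte SHA-1 digest
    padded without the DigestInfo prefix. Included only to show the difference."""
    t = hashlib.sha1(message).digest()
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def parse_digest_info(em: bytes) -> Optional[bytes]:
    """Verifier-side parse: strip the PKCS#1 v1.5 padding and return the hash
    only if the SHA-1 DigestInfo prefix is present and well-formed; otherwise
    return None, which is what a conforming peer does with the bare form."""
    if len(em) < 11 or em[0:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    # PS must be at least 8 bytes, all 0xff, terminated by a single 0x00
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return None
    t = em[sep + 1:]
    if len(t) != 35 or not t.startswith(SHA1_DIGESTINFO_PREFIX):
        return None
    return t[len(SHA1_DIGESTINFO_PREFIX):]


if __name__ == "__main__":
    msg = b"IKE_AUTH signed octets (constructed sample)"
    good = emsa_pkcs1_v1_5_encode(msg, 128)
    bad = bare_digest_encoding(msg, 128)
    print("prefix bytes:", len(SHA1_DIGESTINFO_PREFIX))
    print("with DigestInfo  ->", parse_digest_info(good).hex())
    print("bare digest      ->", parse_digest_info(bad))
```

Run it as a script to see the prefix length and the two parse outcomes side by side; the verifier path is the one worth copying into interop tests, since it is the strict form that other vendors apply.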
718397-1 : IKEv2: racoon2 appends spurious trailing null byte to ID payloads
Component: TMOS
Symptoms:
IPsec clients implementing RFC5996 correctly cannot interoperate with the BIG-IP system when the peers-id-type is anything other than address, because racoon2 inside BIG-IP appends a null byte to any string-based ID type (for both peers_id and my_id). This makes the IKE_AUTH exchange fail, usually because the ID_I from the initiator cannot match the peers-id-value in config for that ike-peer, because there is a one-byte difference between the compared strings.
Conditions:
When any non-BIG-IP client initiates an IKE negotiation using any id-type that is not IPv4 or IPv6. In particular, fqdn and asn1dn for peers-id-type in local BIG-IP configurations.
Impact:
IKE negotiation fails during the second IKE_AUTH exchange of messages, preventing any tunnel from being established. Outage with a non-BIG-IP client is permanent until the config is changed to use peers-id-type=address.
Workaround:
Use peers-id-type=address to interoperate with non-BIG-IP clients for IPsec.
Fix:
Because RFC5996 forbids trailing null bytes in ID payloads, the BIG-IP software was actually not compliant with the RFC by encoding payloads this way itself. It only worked because both initiator and responder did the same thing. Now the BIG-IP software does not add the extra trailing null byte into ID payloads and local ID values, so the BIG-IP system can accept IKE_AUTH messages from non-BIG-IP clients.
Note: this fix creates an incompatibility with previous BIG-IP versions when peers-id-type is any type other than address.
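To make the one-byte difference concrete, here is an added Python example, not BIG-IP or racoon2 code, that encodes and decodes an IKEv2 Identification payload as laid out in RFC 5996 section 3.5, with a flag that reproduces the trailing null byte, and a byte-for-byte comparison against a configured peers-id-value of the kind the note describes. The FQDN vpn.example.com, the configured value and the trailing_nul flag are constructed for illustration.

```python
import struct
from typing import Tuple

# ID types from RFC 5996 section 3.5
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

# String-based types: the ones a trailing NUL changes (addresses are fixed width)
STRING_ID_TYPES = (ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN, ID_KEY_ID)


def encode_id_payload(id_type: int, id_data: bytes, next_payload: int = 0,
                      trailing_nul: bool = False) -> bytes:
    """Build an IKEv2 Identification payload (IDi/IDr).

    Layout: generic payload header (Next Payload, Critical bit + reserved,
    Payload Length) followed by ID Type (1 byte), 3 RESERVED bytes and the
    Identification Data. trailing_nul=True reproduces the non-compliant
    encoding described in the note (hypothetical flag, for illustration only).
    """
    if trailing_nul and id_type in STRING_ID_TYPES:
        id_data = id_data + b"\x00"
    body = struct.pack("!B3x", id_type) + id_data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_id_payload(payload: bytes) -> Tuple[int, bytes]:
    """Parse an ID payload, checking the length field against what was received."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("ID payload length field does not match payload size")
    return payload[4], payload[8:]


def id_matches_config(payload: bytes, cfg_type: int, cfg_value: str) -> bool:
    """Responder-side check: the received ID must equal the configured
    peers-id-value byte for byte, so one extra NUL makes the match fail."""
    id_type, data = decode_id_payload(payload)
    return id_type == cfg_type and data == cfg_value.encode()


def length_delta(compliant: bytes, legacy: bytes) -> int:
    """Size difference between the two encodings (1 for string-based ID types)."""
    return len(legacy) - len(compliant)


if __name__ == "__main__":
    fqdn = b"vpn.example.com"  # constructed sample identity
    good = encode_id_payload(ID_FQDN, fqdn)
    bad = encode_id_payload(ID_FQDN, fqdn, trailing_nul=True)
    print("compliant :", good.hex(), id_matches_config(good, ID_FQDN, "vpn.example.com"))
    print("with NUL  :", bad.hex(), id_matches_config(bad, ID_FQDN, "vpn.example.com"))
    print("delta     :", length_delta(good, bad))
```

The decoder is the useful half for troubleshooting: point it at the IDi bytes from a packet capture and the returned data shows directly whether a peer is sending the extra byte, which is what the "one-byte difference" in the symptoms boils down to.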
718210-2 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
Component: Local Traffic Manager
Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.
Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.
Note: This is the default value, so any virtual servers defined internally are using it.
Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.
Note: This is an extremely rare issue.
Workaround:
None.
Fix:
This issue has been fixed.
718152 : ASM GUI request log does not load on cluster
Solution Article: K14591455
Component: Application Security Manager
Symptoms:
The ASM Request Log fails to load, and it keeps reading 'Loading Requests Log...'.
'Security :: Event Logs :: Application :: Requests'.
Conditions:
-- Any cluster device (vCMP or not), even if there is a single blade in use.
-- Running BIG-IP v13.1.0.4, v13.1.0.5, v13.1.0.6, or v13.1.0.7. (Other releases are not affected.)
Impact:
Cannot view the Request Log in the GUI.
Workaround:
None
Fix:
The ASM request log can now be loaded correctly on cluster devices.
718136-2 : 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux
Component: Access Policy Manager
Symptoms:
32-bit F5 VPN and Endpoint Inspector apps are not available for new installation or update on Linux.
Conditions:
Use a browser (Mozilla Firefox or Google Chrome) to establish network access (VPN) for 32-bit F5 VPN and Endpoint Inspector apps.
Impact:
APM end user cannot establish network access (VPN) on 32-bit Linux using a browser. APM does not offer 32-bit F5 VPN and Endpoint Inspector apps for installations or update.
Workaround:
Use 32-bit CLI VPN client.
Fix:
Because of increased size, low usage, and industry trends, F5 has discontinued support of the desktop Linux 32-bit VPN and Endpoint Inspection apps.
718071-1 : HTTP2 with ASM policy not passing traffic
Component: Local Traffic Manager
Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.
Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.
Impact:
Traffic does not pass.
Workaround:
No workaround.
Fix:
HTTP2 and ASM now work correctly together.
717909 : tmm can abort on sPVA flush if the HSB flush does not succeed
Component: Advanced Firewall Manager
Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm flushes sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause tmm to abort (crash) due to heartbeat failure.
Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).
Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
The system now checks asynchronously to determine whether or not the flush sPVA has succeeded.
717900-2 : TMM crash while processing APM data
Solution Article: K27044729
717896-2 : Monitor instances deleted in peer unit after sync
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; that node session is 'enabled' (where the 'from-node' was 'disabled'); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
717888 : TMM may leak memory when a virtual server uses the MQTT profile.
Solution Article: K26583415
717832 : Remove unneeded files from UCS backup directories
Component: TMOS
Symptoms:
When using auto scale cloud formation templates, the system creates large bigip.ucs files that require additional storage space.
Conditions:
Deploy BIG-IP as part of auto scale cloud formation template (CFT).
Impact:
Large bigip.ucs file created requires additional storage space and might increase network traffic. (Size greater than 100 MB.)
Workaround:
Delete /config/cloud/* directories from the bigip.ucs file.
Fix:
This system no longer saves /config/cloud/ directories in UCS files, so the issue no longer occurs.
717785-1 : Interface-cos shows no egress stats for CoS configurations
Component: TMOS
Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.
Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.
Impact:
Egress packet statistics reported per CoS queue shows no counts.
Workaround:
None.
Fix:
This release supports per egress CoS queue packet count statistics reporting for BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
717756-2 : High CPU usage from asm_config_server
Component: Application Security Manager
Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).
Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.
Impact:
ASM availability impacted.
Workaround:
-- Switch to Manual policy builder.
-- Set entity types learning to compact / selective / never.
Fix:
Policy builder no longer puts unnecessary load on ASM configurations.
717742-5 : Oracle Java SE vulnerability CVE-2018-2783
Solution Article: K44923228
717346-2 : [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Solution Article: K13040347
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
Rarely occurring; an unstable network could be one of the causes.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
717113-2 : It is possible to add the same GSLB Pool monitor multiple times
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.
Conditions:
This issue affects the GSLB Pool create and properties pages.
Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.
Workaround:
None.
Fix:
Once a monitor is added via the Web GUI, that monitor is now removed from the Available list.
717100-3 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
716992-2 : The ASM bd process may crash
Solution Article: K75432956
716940-2 : Traffic Learning screen graphs show data for the last day only
Component: Application Security Manager
Symptoms:
Traffic Learning screen graphs show data for the last day only.
Conditions:
Visit Learning screen 1 hour after policy creation.
Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.
Workaround:
There is no workaround.
Fix:
Statistics are shown for the correct time interval, going back at most 2 weeks or to the policy creation date, whichever is shorter. Possible statistics intervals are as follows: 1 hour, 1 day, 2 weeks.
716922-2 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-2 : TMM core when using MPTCP
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
716788-2 : TMM may crash while response modifications are being performed within DoSL7 filter
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts, failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
Fix:
Response modification handler has been modified so that this issue no longer occurs.
716782-2 : AVR should add new field to the events it sends: Microtimestamp
Component: Application Visibility and Reporting
Symptoms:
When AVR sends events to 'offbox' devices, the time stamp it uses has seconds resolution.
Conditions:
Viewing AVR events in external logs.
Impact:
Measurement is in seconds.
Workaround:
None.
Fix:
This release adds a Microtimestamp field for AVR events (external log only).
716747-2 : TMM may crash while processing APM or SWG traffic
Component: Access Policy Manager
Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG traffic.
There will be a log message in /var/log/apm near the time of crash with this:
err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.
Conditions:
APM or SWG enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround at this time.
Fix:
TMM now processes APM and SWG traffic as expected.
716746 : Possible tmm restart when disabling single endpoint vector while attack is ongoing
Component: Advanced Firewall Manager
Symptoms:
tmm restarts.
Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.
Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.
Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.
Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.
Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.
716716-2 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
Component: Local Traffic Manager
Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.
Conditions:
The scenario that can lead to this state is unknown.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Either remove the kernel route, or add a matching TMM route.
Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.
716714-1 : OCSP should be configured to avoid TMM crash.
Component: Local Traffic Manager
Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.
Conditions:
OCSP not configured in the SSL profile.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than configuring OCSP in SSL profiles.
Fix:
In this release, TMM skips processing OCSP if it is not enabled.
716469 : OpenSSL 1.0.1l fails with 512 bit DSA keys
Component: TMOS
Symptoms:
In certain cases with FIPS enabled, the system fails to boot because of attempts to use 512-bit DSA keys.
Conditions:
During BIG-IP boot with FIPS enabled.
Impact:
BIG-IP fails to boot.
Workaround:
There is no workaround at this time.
Fix:
Boot will no longer fail with OpenSSL and 512 bit DSA keys.
716392-1 : Support for 24 vCMP guests on a single 4450 blade
Component: TMOS
Symptoms:
Cannot create more than 12 vCMP guests per blade.
Conditions:
-- Using vCMP.
-- VIPRION blades.
Impact:
Cannot configure more than 12 vCMP guests.
Workaround:
None.
Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.
Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.
716391-2 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Component: TMOS
Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module that uses MySQL is provisioned, for example BIG-IP ASM or BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716318-2 : Engine/Signatures automatic update check may fail to find/download the latest update
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.
716213-1 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm shows a TCP reset issued by the BIG-IP system. A TCP capture shows that the issue is due to an out-of-bounds error that occurs when traffic is parsed by the SSL Persistence Parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.
715923-1 : When processing TLS traffic TMM may reset connections
Solution Article: K43625118
715883 : tmm crash due to invalid cookie attribute
Component: Local Traffic Manager
Symptoms:
tmm crashes because of an invalid request-side cookie attribute.
Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).
Impact:
TMM cored. Traffic disrupted while tmm restarts.
Workaround:
None.
715820-1 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane
Component: TMOS
Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) configuration on a VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:
-- CDP: exceeded 1/2 timeout for PG 3
Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.
Impact:
Unstable data plane might cause traffic disruption/packet drops.
Workaround:
None.
Fix:
This issue no longer occurs.
715785-2 : Incorrect encryption error for monitors during sync or upgrade
Component: Local Traffic Manager
Symptoms:
The system logs an error message similar to the following in /var/log/ltm:
err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.
This may cause a configuration sync to fail, or an upgrade to fail.
Conditions:
The exact conditions are unknown; however, it may occur under these circumstances:
-- Performing a config sync operation.
-- Performing an upgrade.
Impact:
Inability to sync peer devices, or an inability to upgrade.
Workaround:
There is no workaround at this time.
Fix:
This error is no longer triggered erroneously.
715756-2 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
Component: Local Traffic Manager
Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.
Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.
Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.
Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.
Fix:
The blade with read-only filesystems and degraded functionality now yields primaryship to a healthier cluster member.
715750-2 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream in an SSL connection.
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. Given that this could be a lot of data and that many connections could be in this state, the server and/or its surrounding network could become congested. At a minimum, this wastes resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
715747 : TMM may restart when running traffic through custom SSLO deployments.
Component: Local Traffic Manager
Symptoms:
TMM restarts with a SIGSEGV signal and dumps core.
Conditions:
This issue is known to happen when passing traffic through some custom SSLO deployments (e.g., iRule-based configurations).
Impact:
TMM restarts. If the system is in a high availability configuration, a failover occurs. Traffic disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer restarts.
715467-2 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
Component: Local Traffic Manager
Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.
Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.
Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.
Workaround:
There is no workaround at this time.
Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.
715448-2 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Component: Global Traffic Manager (DNS)
Symptoms:
When using an LB::status iRule in which the GTM Pool name is supplied in a variable rather than written directly into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool a <Variable containing string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
You can now use the LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
715250-1 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
Component: Access Policy Manager
Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.
Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.
Impact:
System instability, failover, traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
715207-3 : coapi errors while modifying per-request policy in VPE
Component: Access Policy Manager
Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).
err coapi: PHP: requested conversion of uninitialized member.
Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.
Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.
Workaround:
To work around this issue, perform the following procedure:
1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.
Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.
715153-1 : AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem
Component: Application Visibility and Reporting
Symptoms:
-- The folder /var/avr/loader contains many files (e.g., more than 1500 files).
-- monpd is not running.
Conditions:
This occurs when the following conditions are met:
-- Avrd is running.
-- monpd is down.
Impact:
AVR writes many files to /var/avr/loader. Depending on disk usage, this might cause disk-usage problems.
Workaround:
There are two possible workarounds:
-- Restart monpd. When monpd starts up, it deletes the files under /var/avr/loader.
-- Delete all files under /var/avr/loader.
Fix:
There is now a limit for the /var/avr/loader folder, so that it can contain no more than 1100 files. This prevents disk-usage problems.
715128-1 : Simple mode Signature edit does not escape semicolon
Component: Application Security Manager
Symptoms:
When creating a user-defined ASM Signature in Simple mode, a semicolon followed by a space cannot be used in a keyword.
Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.
Impact:
The signature cannot be created.
Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".
715110 : AVR should report 'resolutions' in module GtmWideip
Component: Application Visibility and Reporting
Symptoms:
AVR does not report 'resolutions' in GtmWideip module.
Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.
Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.
Workaround:
There is no workaround.
Fix:
AVR now reports 'resolutions' in GtmWideip module.
714974-2 : Platform-migrate of UCS containing QinQ fails on VE★
Component: TMOS
Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.
Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.
Impact:
The UCS load will fail and generate an error:
01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.
Workaround:
None.
Fix:
The configuration now loads successfully, disables QinQ on the associated VLAN, and warns that this action was automatically taken.
714961-1 : antserver creates large temporary file in /tmp directory
Component: Access Policy Manager
Symptoms:
SWG Analytics (running through the antserver daemon) creates a large temporary file in the /tmp directory due to a lack of write permissions on the appropriate directory.
Conditions:
-- SWG provisioned.
-- Viewing SWG Analytics.
Impact:
/tmp is temporarily populated with a large file that might fill up the directory if it is already close to capacity.
Workaround:
There is no workaround at this time.
Fix:
The system now writes to /shared/tmp/ant_server instead of /tmp, so the issue no longer occurs.
714903-2 : Errors in chmand
Component: TMOS
Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.
Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.
Impact:
Cluster does not form.
Workaround:
None.
Fix:
These errors in chmand are fixed.
714879-3 : APM CRLDP Auth passes all certs
Solution Article: K34652116
714749-2 : cURL Vulnerability: CVE-2018-1000120
Component: TMOS
Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker able to provide a specially crafted FTP URL to an application using libcurl could write a NULL byte at an arbitrary location, resulting in a crash or other unspecified behavior.
Conditions:
BIG-IP systems are not affected by this vulnerability.
Impact:
None.
Workaround:
None.
Fix:
Patched CVE-2018-1000120.
714716-2 : Apmd logs password for acp messages when in debug mode
Component: Access Policy Manager
Symptoms:
Apmd logs the password when executing a policy via iRule.
Conditions:
-- APM is licensed and provisioned.
-- Executing a policy via iRule using the iRule command 'ACCESS::policy evaluate'.
-- A clear-text password is supplied for authentication.
-- Debug mode is active.
Impact:
Apmd logs the clear-text password.
Fix:
Apmd no longer logs the password in debug mode when evaluating a policy via iRule.
714700-2 : SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
Component: Access Policy Manager
Symptoms:
To address a vulnerability in its CredSSP implementation, Microsoft released a set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds a new Group Policy, 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server, might break SSO for APM's native RDP resources.
Conditions:
-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.
Impact:
SSO for native RDP resources does not work.
Workaround:
Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.
Fix:
SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.
714654-2 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
Component: TMOS
Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.
Conditions:
Creating a static route for a network that already has an advertised dynamic route.
Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.
Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.
Fix:
Creating a static route for an advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.
714559-2 : Removal of HTTP hash persistence cookie when a pool member goes down.
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured, the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.
Conditions:
-- Cookie hash persistence is configured.
-- A pool member that the persistence record points to goes down.
-- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
persist cookie hash JSESSIONID
}
Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.
If you need to remove the cookie, use an iRule similar to the following:
when PERSIST_DOWN {
HTTP::cookie remove JSESSIONID
}
714384-3 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
Fix:
DHCP traffic is now forwarded when BWC is configured.
714369 : ADM may fail when processing HTTP traffic
Solution Article: K62201098
714350 : BADOS mitigation may fail
Solution Article: K62201098
714334-1 : admd stops responding and generates a core while under stress.
Component: Anomaly Detection Services
Symptoms:
admd stops responding and generates a core while under stress.
Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.
Impact:
admd cores and restarts.
Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
None.
Fix:
This issue no longer occurs.
714303-1 : X520 virtual functions do not support MAC masquerading
Component: TMOS
Symptoms:
MAC masquerading is not supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.
Conditions:
-- Use SR-IOV virtual functions as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.
Impact:
MAC masquerading will not function in this environment.
Workaround:
There is no workaround other than not to use MAC masquerading, as conventional failover works for this environment.
Fix:
MAC masquerading is now supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE).
713951-5 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
713947-1 : stpd repeatedly logs "hal sendMessage failed"
Component: TMOS
Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed".
Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.
Impact:
All BIG-IP blades
Workaround:
There is no workaround except to ignore the log messages; they are spurious and have no ill effect on the system other than log spam.
713934-2 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
Component: Local Traffic Manager
Symptoms:
A malformed truncated (TC) DNS response is received.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- The DNS response is longer than the 4096 UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when DNS::question name changes the query name, the software ensures that the request is updated with the proper lengths.
713932-1 : Commands are replicated to PostgreSQL even when not in use.
Component: TMOS
Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.
Conditions:
AFM is not provisioned.
Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.
Workaround:
None.
Fix:
Prevented replication of commands to PostgreSQL when it is not in use.
713820-1 : Pass in IP to urldb categorization engine
Component: Access Policy Manager
Symptoms:
Category lookup results might be less accurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.
Conditions:
A Category Lookup agent in a per-request policy uses the categorization engine to look up a website's classification.
Impact:
Actions leveraging categorization results will be applied incorrectly.
Workaround:
None.
Fix:
This release can now pass more information to the urldb categorization engine, which supports finer-grained categorization.
713813-2 : Node monitor instances not showing up in GUI
Component: TMOS
Symptoms:
Navigating to Local Traffic :: Monitors :: <some_monitor> should show a list of nodes with some_monitor assigned to them. GUI does not list related nodes under Instances tab.
Conditions:
-- At Local Traffic :: Monitors :: <some_monitor>.
-- Under the Instances tab.
Impact:
No instances listed. Cannot use the GUI to determine which nodes are associated with a monitor.
Workaround:
Use tmsh to list nodes associated with a monitor.
Fix:
The GUI now lists all associated nodes under Local Traffic :: Monitors :: <some_monitor> :: Instances tab.
713655-2 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.
713612-1 : tmm might restart if the HTTP passthrough on pipeline option is used
Component: Local Traffic Manager
Symptoms:
The TMM may crash if the HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.
Conditions:
-- HTTP profile is configured as a transparent proxy.
-- HTTP profile has the 'passthrough_pipeline' field set to 'passthrough'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
tmm no longer crashes when HTTP switches to passthrough mode in some cases.
713533-2 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
list net self always returns all Self IPs
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs.
713491-2 : IKEv1 logging shows spi of deleted SA with opposite endianness
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
713390-1 : ASM Signature Update cannot be performed on hourly billing cloud instance
Component: Application Security Manager
Symptoms:
ASM Signature Update cannot be performed on hourly billing cloud (AWS) instance. Licenses on these devices cannot be updated and have a fixed Service Check Date (SCD), which must be more recent to allow ASM Signature Update.
Conditions:
Attempt to perform ASM Signature Update on hourly billing cloud (AWS) instance.
Impact:
Performing ASM Signature Update fails.
Workaround:
There is no workaround at this time.
Fix:
ASM Signature Update can now be performed on hourly billing cloud instance.
713380 : Multiple B4450 blades in the same chassis run into inconsistent DAG state
Solution Article: K23331143
Component: TMOS
Symptoms:
Multiple B4450 blades in the same chassis can run into inconsistent DAGv2 state.
Conditions:
More than one B4450 blade in the same chassis.
Impact:
Inconsistent DAG state can cause traffic disruption.
Workaround:
Restart tmm on one blade in the chassis and force the blades to reform the cluster in data plane.
Fix:
Multiple B4450 blades in the same chassis no longer experience an inconsistent DAG state.
713282-1 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.
713273 : BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system reset, a modified setting for the BIG-IP sys db variable avr.stats.internal.maxentitiespertable returns to the default value.
Conditions:
1. avr.stats.internal.maxentitiespertable value is modified from the default.
2. The BIG-IP system restarts.
Impact:
avr.stats.internal.maxentitiespertable returns to its default value.
Workaround:
After BIG-IP system reset, specify the value of avr.stats.internal.maxentitiespertable again.
Fix:
A modified avr.stats.internal.maxentitiespertable value no longer returns to the default value after BIG-IP system restart.
713156-1 : AGC cannot do redeploy in Exchange and ADFS use cases
Component: Access Policy Manager
Symptoms:
In AGC Exchange or Active Directory Federation Services (ADFS) configurations, the system creates an SSL HTML form and an SSO HTML form control object. Because of a limitation of ICRD, the system cannot directly delete SSO HTML form control objects.
Conditions:
-- Redeploy occurs in an AGC Exchange or ADFS configuration.
-- Modifying existing configurations.
Impact:
Redeploy fails; the configuration remains unmodified.
Workaround:
Do an undeploy, followed by a deploy.
Fix:
Redeploy now succeeds when using AGC with Exchange and ADFS use cases.
713111-1 : When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.
Component: Access Policy Manager
Symptoms:
When APM (SSO feature) and ASM are configured on the same virtual server, WebSSO recreates requests on 401 responses. Such requests have the same support ID, so ASM logs errors.
Conditions:
APM (WebSSO) and ASM are configured on same virtual server.
Impact:
ASM might potentially block such requests, so APM SSO functionality may not work.
Workaround:
There is no workaround except to not configure APM (WebSSO) and ASM on same virtual server.
Fix:
This issue has been fixed.
713066-1 : Connection failure during DNS lookup to disabled nameserver can crash TMM
Solution Article: K10620131
Component: Global Traffic Manager (DNS)
Symptoms:
TMM restarts as a result of a DNS lookup to a disabled nameserver.
Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.
This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Verify connectivity to nameserver.
As an alternative, refrain from using RESOLV::lookup in iRules.
Fix:
This issue is now fixed.
712924-1 : In VPE, the SecurID servers list is not displayed in the SecurID authentication dialog
Component: Access Policy Manager
Symptoms:
In VPE, the SecurID servers list is not displayed in the SecurID authentication dialog. The list displays only 'None'.
Conditions:
Always, when adding a SecurID authentication action.
Impact:
Inability to (re)configure SecurID via VPE.
Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:
tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>
712876-2 : CVE-2017-8824: Kernel Vulnerability
Solution Article: K15526101
712819-2 : 'HTTP::hsts preload' iRule command cannot be used
Component: Local Traffic Manager
Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see an error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].
The message is incorrect: the command has the correct format. However, the system does not run it.
Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.
Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.
Workaround:
None.
Fix:
'HTTP::hsts preload' iRule command now works as expected.
712738-1 : fpdd may core dump when the system is going down
Component: TMOS
Symptoms:
fpdd may core dump when the system is going down. This is because the LED manager in the daemon cannot use the hal library to talk to other daemons.
Conditions:
The problem happens when the system is going down.
Impact:
This is a rarely occurring issue. When it happens, fpdd creates a core file. The LEDs may not reflect the status right before the shutdown. But the LEDs are reinitialized after the bootup.
Workaround:
None.
Fix:
fpdd no longer core dumps when the system is going down.
712710 : TMM may halt and restart when threshold mode is set to stress-based mitigation
Component: Advanced Firewall Manager
Symptoms:
When auto-DoS vector's threshold mode is set to stress-based mitigation, but the vector is in disabled state, TMM may halt and restart.
Conditions:
-- Threshold mode is set to stress-based mitigation.
-- Vector is disabled.
Impact:
TMM restarts. Traffic disrupted while TMM restarts.
Workaround:
There is no workaround other than not setting threshold mode to stress-based mitigation if the vector is disabled.
Fix:
TMM no longer restarts when threshold mode is set to stress-based mitigation and the vector is in disabled state.
712637-2 : Host header persistence not implemented
Component: Local Traffic Manager
Symptoms:
Online documentation describes a persistence mechanism that uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generate an error.
Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.
Impact:
Although this does not impact any existing functionality, the documented function is not available.
Workaround:
There is no workaround at this time.
Fix:
LTM Host: header persistence is implemented.
712475-3 : DNS zones without servers will prevent DNS Express reading zone data
Solution Article: K56479945
Component: Local Traffic Manager
Symptoms:
DNS Express does not return dig requests.
Conditions:
DNS Express is configured with a zone that has no server.
Impact:
DNS Express does not return dig requests.
Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.
Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.
712437-3 : Records containing hyphens (-) will prevent child zone from loading correctly
Solution Article: K20355559
Component: Local Traffic Manager
Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.
Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
myzone.com -- parent
foo.myzone.com -- child
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com
Impact:
DNS cannot resolve records correctly.
Workaround:
None.
Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.
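The parent/child zone matching described in this record, as an added example that is not F5 code: names are compared whole label by whole label, so a parent record such as 'foo-record.myzone.com' stays with the parent zone even though its first label begins with the same characters as the child zone 'foo.myzone.com'. The record names are constructed from the example above.

```python
"""Label-aware zone membership for a parent/child zone pair.

Added example, not F5 code: assigns a name to the parent or the child
zone by comparing whole labels, so that 'foo-record.myzone.com' is not
mistaken for a name under the child zone 'foo.myzone.com'. All names are
constructed from the release-note example (myzone.com parent,
foo.myzone.com child).
"""
from __future__ import annotations

from typing import Dict, List, Optional


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it.

    Comparison is label by label: 'foo-record' is a single label and is not
    the label 'foo', even though it starts with the same three characters.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def serving_zone(name: str, zones: List[str]) -> Optional[str]:
    """Return the most specific configured zone that contains name.

    Zones are tried longest first, so the child zone wins over its parent
    only for names that really are below the child.
    """
    for zone in sorted(zones, key=lambda z: len(labels(z)), reverse=True):
        if is_in_zone(name, zone):
            return zone
    return None


def partition_records(records: List[str], parent: str,
                      child: str) -> Dict[str, List[str]]:
    """Split parent-zone record names into those the parent still serves
    and those that belong under the delegated child zone."""
    out: Dict[str, List[str]] = {parent: [], child: []}
    for rec in records:
        out[child if is_in_zone(rec, child) else parent].append(rec)
    return out


# Constructed sample: record names as they might appear in the parent zone.
SAMPLE_RECORDS = [
    "myzone.com",              # apex; the SOA lives here
    "foo-record.myzone.com",   # parent record whose label starts with 'foo'
    "foo.myzone.com",          # child zone apex
    "www.foo.myzone.com",      # genuinely below the child zone
    "mail.myzone.com",
]

if __name__ == "__main__":
    print(partition_records(SAMPLE_RECORDS, "myzone.com", "foo.myzone.com"))
    print(serving_zone("foo-record.myzone.com", ["myzone.com", "foo.myzone.com"]))
```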
712429 : Serverside packets excluded from DoS stats
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems configured with L4 DoS Protection might not provide sufficiently granular DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
Conditions:
Configured for DDoS detection and mitigation.
Impact:
Legitimate traffic might be impacted.
Workaround:
None.
Fix:
The following DoS vectors no longer count serverside packets.
-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors
Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.
These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
Behavior Change:
The following DoS vectors no longer count serverside packets.
-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors
Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.
These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.
712401-1 : Enhanced administrator lock/unlock for Common Criteria compliance
Component: TMOS
Symptoms:
The Network Device and Firewall collaborative Protection Profiles v2.0 require certain behavior for locking and unlocking administrative-user accounts on the BIG-IP system. BIG-IP software needs to be enhanced for compliance with those requirements.
Conditions:
The ccmode script must be run to activate these enhancements. Also, see the Common Criteria Guidance document (published when the certificate is obtained) for more details.
Impact:
Without these enhancements activated, the BIG-IP system is not compliant with Common Criteria requirements.
Workaround:
Risk acceptance for Common Criteria non-compliance.
Fix:
To meet Common Criteria requirements, the BIG-IP system is enhanced in two areas:
1. The primary administrative user account (generally 'admin') can be locked out, as any other administrative-user account can be. However, it is never locked out when signing in from the serial console.
2. Locked-out administrative users are unlocked only after an administrator-specified time period has passed. The default is 10 minutes, and it is set in the ccmode script.
712362-3 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Component: Application Security Manager
Symptoms:
When the first line of the WebSocket HTTP handshake response lacks the 'Switching Protocols' reason phrase, ASM does not pass the subsequent WebSocket frames on that connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stall.
Workaround:
#1 Change the backend server:
Change the WebSocket backend server to return a 101 response that includes the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
#2 Use an iRule:
when SERVER_CONNECTED {
    # Hold the first 15 bytes of the server response so the status line can be inspected.
    TCP::collect 15
}
when SERVER_DATA {
    # "HTTP/1.1 101 \r\n" (15 bytes) is a status line with an empty reason phrase.
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        # Replace "HTTP/1.1 101 " (13 bytes) so the line becomes "HTTP/1.1 101 Switching Protocols\r\n".
        TCP::payload replace 0 13 "HTTP/1.1 101 Switching Protocols "
    }
    # Release the collected data; without this the held response is never forwarded.
    TCP::release
}
Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.
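RFC 7230 allows the reason phrase of a status line to be empty, so "HTTP/1.1 101 " followed by CRLF is a valid response, and an intermediary should decide whether a WebSocket upgrade succeeded from the status code, the Upgrade and Connection headers and the Sec-WebSocket-Accept value rather than from the phrase. The following added example (not F5 or ASM code) implements that check in Python; the responses are constructed, and the client key is the example key from RFC 6455.

```python
"""WebSocket handshake validation that ignores the reason phrase
(added example, not ASM's implementation). Responses are constructed."""
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
CLIENT_KEY = "dGhlIHNhbXBsZSBub25jZQ=="           # example Sec-WebSocket-Key from RFC 6455


def expected_accept(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_status_line(line):
    """status-line = HTTP-version SP status-code SP reason-phrase CRLF (RFC 7230);
    reason-phrase may be empty, so 'HTTP/1.1 101 \\r\\n' parses cleanly."""
    if not line.endswith("\r\n"):
        raise ValueError("status line must end with CRLF")
    parts = line[:-2].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line")
    version, code = parts[0], parts[1]
    if len(code) != 3 or not code.isdigit():
        raise ValueError("status code must be three digits")
    reason = parts[2] if len(parts) == 3 else ""
    return version, int(code), reason


def parse_response(raw):
    """Split raw header bytes into (version, code, reason, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, code, reason = parse_status_line(lines[0] + "\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, code, reason, headers


def handshake_ok(raw, client_key):
    """Accept the upgrade on status code and headers only; the reason phrase
    is informational and plays no part in the decision."""
    try:
        version, code, _reason, h = parse_response(raw)
    except ValueError:
        return False
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    return (version == "HTTP/1.1" and code == 101
            and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in connection_tokens
            and h.get("sec-websocket-accept") == expected_accept(client_key))


def build_response(reason, accept):
    """Constructed server response; an empty reason yields 'HTTP/1.1 101 \\r\\n'."""
    return (f"HTTP/1.1 101 {reason}\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept}\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    accept = expected_accept(CLIENT_KEY)
    for reason in ("Switching Protocols", ""):
        print(repr(reason), handshake_ok(build_response(reason, accept), CLIENT_KEY))
    print("bad accept:", handshake_ok(build_response("", "AAAA"), CLIENT_KEY))
```

Checking Sec-WebSocket-Accept matters for an inspecting proxy as well as a client: it ties the 101 response to the request's key, so a stray 101 from an unrelated response cannot be mistaken for a completed upgrade.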
712266-1 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
Component: TMOS
Symptoms:
Messages like the following may show up in /var/log/ltm:
-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.
This occurs because the decompression of large compressed data failed.
Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.
Impact:
Requests fail with a connection reset.
Workaround:
Use zlib software decompression.
Fix:
This release fixes this decompression issue in the Nitrox 3 driver.
712118 : AVR should report on all 'global tags' in external logs
Component: Application Visibility and Reporting
Symptoms:
AVR reports only 'ssgName' from the global tags.
Conditions:
-- A BIG-IQ operation configures the 'tag file' (/var/config/rest/downloads/app_mapping.json) on the BIG-IP system.
-- Statistics are sent to the BIG-IQ system.
Impact:
Not all the tags are sent to the BIG-IQ system.
Workaround:
There is no workaround at this time.
Fix:
AVR now reports statistics on all tags to the BIG-IQ system.
712102-2 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row
Solution Article: K11430165
Component: TMOS
Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.
Conditions:
Customizing or changing the HTTP Profile's IPv6 field.
Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.
Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.
Fix:
Customizing or changing the HTTP Profile's IPv6 field doesn't hide the field or the row.
711981-5 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can cause the BIG-IP system to falsely assume that the egress MTU of the related flow is larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
The BIG-IP system sends packets larger than the configured interface egress MTU.
Workaround:
None.
Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.
711929-1 : AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth
Component: Application Visibility and Reporting
Symptoms:
AVR sends data on all interfaces, hidden and not hidden. It should send information only on not-hidden interfaces.
Conditions:
-- Tmstat table interface_stat exists.
-- Viewing statistics for module InterfaceTraffic and module InterfaceHealth.
Impact:
Irrelevant data is sent.
Workaround:
None.
Fix:
AVR now sends data only on not-hidden interfaces.
711683-2 : bcm56xxd crash with empty trunk in QinQ VLAN
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
Fix:
Do not program QinQ switch hardware if the trunk has no members.
711570-3 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
Component: Policy Enforcement Manager
Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names
Conditions:
PEM iRule using subscriber ID to get policy name.
Impact:
Subscriber policy names are not returned.
Workaround:
Use PEM::subscriber config policy get <IP address> instead.
Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.
711427-2 : Edge Browser does not launch F5 VPN App
Component: Access Policy Manager
Symptoms:
On Microsoft Windows v10, use Edge Browser to establish VPN. Edge Browser does not launch F5 VPN App.
Conditions:
On Windows 10, use Edge Browser to establish VPN.
Impact:
APM end user cannot establish VPN tunnel using Edge Browser.
Workaround:
Use Mozilla Firefox or Google Chrome.
Fix:
On Windows 10, Edge Browser now launches the F5 VPN App to establish VPN connections.
711405-1 : ASM GUI Fails to Display Policy List After Upgrade
Solution Article: K14770331
Component: Application Security Manager
Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.
Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.
Impact:
The ASM GUI began using the REST API in version 13.1.0, so any system that was affected by this issue on a previous version now fails to display the Policy List in the GUI.
Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
$dbh->begin_work();
$dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
F5::Utils::Rest::populate_uuids(dbh => $dbh);
$dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.
Fix:
This data inconsistency is now repaired on upgrade, and the GUI loads the policy list successfully.
711281-5 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works; that might require approximately one gigabyte, though more might be needed on systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
711249-1 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work because the source NAS-IP-Address is invalid or unrecognized.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
711093-1 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session deletion.
711011-2 : 'API Security' security policy template changes
Component: Application Security Manager
Symptoms:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template should be 'ON' by default.
Conditions:
Learn/Alarm/Block settings in 'API Security' security policy template.
Impact:
Settings not active.
Workaround:
None.
Fix:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template are now 'ON' by default.
710996-2 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
Component: Local Traffic Manager
Symptoms:
Outgoing IPv6 management traffic and outgoing IPv4 management traffic from the primary blade are sourced differently:
-- IPv4 traffic is sourced from the cluster IP.
-- IPv6 traffic is sourced from the cluster member IP.
Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.
Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.
Workaround:
There is no workaround at this time.
710976-1 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
Fix:
The data loading performance was improved to load the page faster.
710947-1 : AVR does not send errdef for entity DosIpLogReporting.
Component: Application Visibility and Reporting
Symptoms:
AVR does not send errdef for entity DosIpLogReporting.
Conditions:
-- AVR is configured.
-- View the DosIpLogReporting report.
Impact:
There is no errdef for module DosIpLogReporting
Workaround:
None.
Fix:
Added errdef for module DosIpLogReporting.
710884-1 : Portal Access might omit some valid cookies when rewriting HTTP request.
Component: Access Policy Manager
Symptoms:
Portal Access is not sending certain cookies to the backend application.
Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).
Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.
Workaround:
There is no workaround at this time.
Fix:
Fixed an issue in Portal Access which could cause web-applications to lose some valid cookies.
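The conditions above (request path equal to the cookie path, no trailing slash) are exactly the first clause of the path-match rule in RFC 6265 section 5.1.4, which a rewriting proxy must apply when it decides which cookies belong on an upstream request. The following added example (not APM's code) implements that rule and contrasts it with an illustrative variant that omits the equality clause and therefore drops the cookie in the reported case. The cookie jar is constructed.

```python
"""RFC 6265 path matching for a cookie-rewriting proxy (added example, not
APM code). JAR is constructed; path_match_missing_equal_case is an
illustrative bug, not the Portal Access implementation."""


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: request-path path-matches cookie-path if
    (1) they are identical, or (2) cookie-path is a prefix of request-path
    and ends with '/', or (3) cookie-path is a prefix of request-path and the
    first character of request-path after that prefix is '/'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def path_match_missing_equal_case(request_path, cookie_path):
    """Illustrative buggy variant that drops clause (1): it fails precisely
    when the request path equals a cookie path that has no trailing '/'."""
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return (len(request_path) > len(cookie_path)
            and request_path[len(cookie_path)] == "/")


# Constructed cookie jar: (name, value, path) as stored from Set-Cookie headers.
JAR = [
    ("session", "abc123", "/app"),
    ("pref", "dark", "/app/"),
    ("other", "x", "/admin"),
]


def cookie_header(request_path, jar=JAR, match=path_match):
    """Build the Cookie header value a proxy should send for request_path."""
    return "; ".join(f"{n}={v}" for n, v, p in jar if match(request_path, p))


if __name__ == "__main__":
    for path in ("/app", "/app/x", "/application", "/admin/users"):
        print(f"{path:14s} correct: {cookie_header(path)!r:38s} "
              f"buggy: {cookie_header(path, match=path_match_missing_equal_case)!r}")
```

Clause (3) is what keeps a cookie scoped to /app from leaking to /application; clause (1) is what the reported defect lost, which shows up to the backend as an unauthenticated user because the session cookie never arrives.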
710870 : Temporary browser challenge failure after installing older ASU
Component: Application Security Manager
Symptoms:
Installing an older ASM Signature Update (ASU) may cause the browser challenge to fail for the first few minutes after provisioning ASM.
Conditions:
-- Using BIG-IP version 13.1.0.5.
-- Installing an ASU from before April 2018.
Impact:
Browsers remain on a white page after receiving a browser challenge.
Note: The problem should go away 10 to 15 minutes after provisioning ASM, when more versions of the JavaScript have been generated.
Workaround:
Install the latest ASU.
Fix:
The browser challenges will succeed even after installing an older ASU.
710827-2 : TMUI dashboard daemon stability issue
Component: TMOS
Symptoms:
Some dashboard requests may cause a crash of TMUI dashboard daemons, affecting the TMUI dashboard.
Conditions:
Request sent to BIG-IP dashboard.
Impact:
Only the TMUI dashboard goes offline. Other TMUI functionality is not affected by this issue.
Workaround:
None available.
Fix:
Correct exception handling now prevents the TMUI dashboard service from failing.
710755-1 : Crash when cached route information becomes stale and the system accesses the information from it.
Component: Advanced Firewall Manager
Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.
Conditions:
Use stale cached route information.
Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.
Workaround:
None.
Fix:
The system now fetches the latest egress route/interface information before accessing it.
710705-2 : Multiple Wireshark vulnerabilities
Solution Article: K34035645
710701-1 : "Application Layer Encryption" option is not saved in DataSafe GUI
Component: Fraud Protection Services
Symptoms:
"Application Layer Encryption" checkbox will remain enabled if un-checked via DataSafe GUI and will not be saved.
Conditions:
- Install DataSafe license
- Provision FPS
- Create URL
Impact:
Cannot enable/disable "Application Layer Encryption" via DataSafe GUI.
Workaround:
Application Layer Encryption can be enabled or disabled via TMSH command line or REST API.
Fix:
"Application Layer Encryption" option is saved if changed via DataSafe GUI.
710666-1 : VE with interface(s) marked down may report high cpu usage
Component: TMOS
Symptoms:
The "tmm" process may appear to be running at 90% or above in linux cpu reporting utilities such as "top" or "ps", even if the system is not handling a large amount of traffic.
In this case, "tmsh show sys tmm-info" continues to report tmm's cpu usage accurately.
Conditions:
- BIG-IP Virtual Edition
- One or more interfaces that are configured and used in the BIG-IP configuration are marked down.
Impact:
tmm consumes cpu cycles even when idle. This may impact other guests running on the same hardware if the hypervisor has oversubscribed its cpu resources.
Workaround:
Disable any interface that is currently marked down.
For example:
tmsh modify net interface 1.1 disabled
and then restart tmm:
bigstart restart tmm
710424-2 : Possible SIGSEGV in GTMD when GTM persistence is enabled.
Solution Article: K00874337
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.
Conditions:
GTM persistence is enabled.
Impact:
GTMD may occasionally restart.
Workaround:
Disable GTM persistence.
Fix:
GTMD will no longer crash and restart when persistence is enabled.
710327-1 : Remote logger message is truncated at NULL character.
Component: Application Security Manager
Symptoms:
When a request that includes a binary NULL character is sent to a remote logger configured for ASM, the request arrives at the remote destination truncated exactly at the binary NULL character.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.
Impact:
Partial request is logged at the remote logger destination.
Workaround:
None.
Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.
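A NUL byte truncates any consumer that treats the record as a C string, and an unescaped CR or LF lets a request body forge additional log records; escaping every control byte before the record leaves the device removes both problems while keeping the record reversible for analysts. The following added example (not ASM's implementation) shows such an escaping step, its inverse, and the truncated view a NUL-terminated consumer would otherwise get. The sample request is constructed.

```python
"""Escaping control bytes before forwarding a request to a remote logger
(added example, not ASM code). REQUEST is constructed."""

# Fixed escapes for the bytes that matter most to log consumers.
ESCAPES = {0x00: b"\\x00", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\"}


def escape_for_logger(data: bytes) -> bytes:
    """Return data with NUL, CR, LF, backslash and all other control bytes
    escaped, so the result is a single NUL-free line."""
    out = bytearray()
    for b in data:
        if b in ESCAPES:
            out += ESCAPES[b]
        elif b < 0x20 or b == 0x7F:
            out += b"\\x%02x" % b
        else:
            out.append(b)
    return bytes(out)


def unescape(data: bytes) -> bytes:
    """Inverse of escape_for_logger, so the original bytes can be recovered."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x5C and i + 1 < len(data):
            nxt = data[i + 1]
            if nxt == ord("x") and i + 3 < len(data):
                out.append(int(data[i + 2:i + 4], 16))
                i += 4
                continue
            simple = {ord("n"): 0x0A, ord("r"): 0x0D, ord("\\"): 0x5C}
            if nxt in simple:
                out.append(simple[nxt])
                i += 2
                continue
        out.append(data[i])
        i += 1
    return bytes(out)


def c_string_view(data: bytes) -> bytes:
    """What a NUL-terminated string consumer (strlen/strcpy-style) sees:
    everything before the first NUL, and nothing after it."""
    return data.split(b"\x00", 1)[0]


# Constructed request: a NUL in the query string, then a CRLF-delimited header block.
REQUEST = (b"GET /search?q=abc\x00rest-of-query HTTP/1.1\r\n"
           b"Host: app.example\r\n\r\n")


def log_record(request: bytes = REQUEST) -> bytes:
    """One escaped record ready to be sent to the remote logger."""
    return b"request=" + escape_for_logger(request)


if __name__ == "__main__":
    print("truncated view :", c_string_view(REQUEST))
    print("escaped record :", log_record())
    print("round trip ok  :", unescape(escape_for_logger(REQUEST)) == REQUEST)
```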
710315-1 : AVR-profile might cause issues when loading a configuration or when using config sync
Component: Application Visibility and Reporting
Symptoms:
Some fields in AVR-profile contain lists of items. Those lists can be set only if the relevant flag is set to 'true'. In case of a flag configuration change, the system must keep the lists as they were and not reset them, so they can be available in case the flag changes back again.
Validation settings were created such that the lists flag is set to 'true' by default, but this can cause the load/merge process to break if the list was set, and afterwards the flag was set to 'false'.
Conditions:
Setting the relevant flag to 'false' after creating a list of items.
The relevant fields in AVR-profile that have that logic are:
-- IPs-list.
-- Subnets-list.
-- Countries-list.
-- URLs-list.
Impact:
Management load and sync process may not work as expected.
Workaround:
None.
Fix:
Validation for those fields when the associated flag is set to 'false' will be skipped in a load/merge scenario.
710314-1 : TMM may crash while processing HTML traffic
Solution Article: K94105051
710305-1 : When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
Component: Access Policy Manager
Symptoms:
When ASM and APM WebSSO are on the same virtual server, WebSSO might generate a new request. When that happens, ASM might see multiple requests with the same support ID, which can cause issues with ASM and produce logged errors.
Conditions:
When APM WebSSO is configured (only for Basic, NTLM, Kerberos).
Impact:
ASM stops processing the HTTP requests that have duplicate support IDs, causing an issue to ASM/APM end users.
Workaround:
None.
Fix:
When ASM and APM WebSSO are on the same virtual server, WebSSO no longer generates a new request, so duplicate support IDs are no longer created.
710277-1 : IKEv2 further child_sa validity checks
Component: TMOS
Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.
Conditions:
Rekeying a child_sa while a race condition allows that child_sa to be destroyed while it is still in use.
Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.
Workaround:
None.
Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.
710246-2 : DNS-Express was not sending out NOTIFY messages on VE
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
710244-3 : Memory Leak of access policy execution objects
Solution Article: K27391542
710232-2 : platform-migrate fails when LACP trunks are in use
Component: TMOS
Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.
Conditions:
-- You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).
Impact:
Configuration fails to migrate.
Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.
710221-2 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
Solution Article: K67352313
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) configuration where an FQDN template-node on the 'active' unit is set to 'Force Offline' and the configuration is synchronized to the 'standby' unit, selecting 'Enable' on that FQDN template-node on the 'active' unit (with the configuration again synchronized to the 'standby' unit) leaves the ephemeral nodes associated with that FQDN template-node Unavailable on the 'standby' unit.
Conditions:
-- HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, that unit transitions to 'standby'.
-- The FQDN template node on the new 'active' unit is set to 'Force Offline' by the user.
-- The user explicitly selects 'Enable' for that FQDN template node on the 'active' unit.
Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to 'active', the ephemeral nodes will be refreshed and traffic should continue.
Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.
Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in an HA configuration, the ephemerals on the 'standby' unit will reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.
710148-2 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710140-1 : TMM may consume excessive resources when processing SSL Intercept traffic
Solution Article: K20134942
710116-1 : VPN clients experience packet loss/disconnection
Component: Access Policy Manager
Symptoms:
VPN clients experience packet loss/disconnection.
Conditions:
In certain scenarios, the tunnel establishment procedure might leak a small amount of memory. If tmm runs for a long time, this small leak can accumulate and result in an out-of-memory condition.
Impact:
Connections start to drop as tmm runs out of memory. TMM will eventually run out of memory and connections could be terminated. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
A rare memory leak during APM VPN establishment has been corrected.
710110-1 : AVR does not publish DNS statistics to external log when usr-offbox is enabled.
Component: Application Visibility and Reporting
Symptoms:
AVR does not send DNS statistics to external logs when analytics global setting usr-offbox is enabled, if the following security analytics settings are set to disable:
-- collected-stats-internal-logging.
-- collected-stats-external-logging.
Conditions:
-- Security analytics settings collected-stats-internal-logging is disabled.
-- Security analytics settings collected-stats-external-logging is disabled.
-- Analytics global settings usr-offbox is enabled.
Impact:
DNS statistics are not sent to the external log.
Workaround:
To work around this issue, perform the following procedure:
1. Provision ASM or AFM.
2. Run the tmsh command to set the security analytics setting collected-stats-external-logging to enabled.
3. Deprovision ASM/AFM.
Fix:
AVR now publishes DNS statistics to external logs when usr-offbox is enabled, as expected.
710032-1 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.
Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.
Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.
Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.
Workaround:
Use either of the following workarounds:
-- Use TMSH to view or edit the properties of that virtual server.
-- Create partitions on the GTM device to match those appearing to be referenced in the object names.
Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).
710028-2 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[If debug = yes in the monitor configuration]:
Using cached DB connection for connection string '<connection string>'
followed by multiple, periodic instances of one of the following messages, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.
709972-6 : CVE-2017-12613: APR Vulnerability
Solution Article: K52319810
709936 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
Component: TMOS
Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).
Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).
Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.
Workaround:
None.
Fix:
Multiple NTP servers or domain-searches in the DHCP lease no longer cause missing DNS/NTP configuration.
709828-2 : fasthttp can crash with Large Receive Offload enabled
Component: Local Traffic Manager
Symptoms:
fasthttp and lro can lead to a tmm crash.
Conditions:
fasthttp and lro enabled. (lro is enabled by default in 13.1.0 and later.)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use fasthttp
Fix:
fasthttp with lro enabled no longer causes tmm to crash.
709688-3 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Solution Article: K08306700
709670-2 : iRule triggered from RADIUS occasionally fails to create subscribers.
Component: Policy Enforcement Manager
Symptoms:
The subscriber cannot be added with the same IP address even after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers encounter this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
709610-3 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave the SysDB variables set to their default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
709444-2 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
Component: TMOS
Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:
warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust
Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in use.
Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.
Workaround:
There is no workaround at this time.
Fix:
This warning is no longer emitted when NTP symmetric key authentication is in use in a device service cluster.
709383-2 : DIAMETER::persist reset non-functional
Component: Service Provider
Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.
Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.
Impact:
You are unable to remove diameter persistence entries.
Workaround:
None.
Fix:
DIAMETER::persist reset now functions properly. You can delete diameter persistence records with this iRule.
709334-1 : Memory leak when SSL Forward proxy is used and ssl re-negotiates
Component: Local Traffic Manager
Symptoms:
When looking at 'tmsh show sys memory', you will see ssl_compat continue to grow and fail to release memory.
Conditions:
- SSL Forward Proxy in use.
- SSL re-negotiations happening.
Impact:
Eventually the memory reaper will kick in.
Workaround:
There is no workaround at this time.
Fix:
ssl_compat now properly releases connections on re-negotiation.
709319-2 : Post-login client-side alerts are missing username in bigIQ
Component: Fraud Protection Services
Symptoms:
A client-side alert that contains an FPS-Username header with a value but an empty fpm_username parameter is reported with an "Unknown" username in bigIQ.
Conditions:
1. Post-login client-side alerts (the alert is sent after the username parameter is submitted).
2. The alert-pool points to the bigIQ IP address (not the Alert-Server).
Impact:
Post-login client-side alerts are missing the username (it shows as "Unknown" in bigIQ; this works correctly with Alert-Server).
Workaround:
Route all client-side alerts to another virtual server and strip the empty fpm_username parameter from the payload/query string.
Fix:
FPS now always sends the username in the fpm_username parameter when that parameter was empty and FPS has a username value.
709274-1 : RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0
Component: Access Policy Manager
Symptoms:
RADIUS Accounting requests egress different self IP addresses.
* START accounting message egresses floating self IP addresses.
* STOP accounting message egresses local self IP addresses.
Some RADIUS messages will come from floating IP addresses, some from self IP addresses. The RADIUS server should be configured to accept all self- and floating-IP addresses of all the devices in the high availability (HA) group, to ensure all messages are received.
Conditions:
RADIUS server configured with pool option.
Impact:
Causes RADIUS server to be unable to reconcile accounting messages.
Workaround:
You can reconcile accounting messages by tracking the Acct-Session-Id RADIUS AVP, which is the same for the corresponding START and STOP messages and uniquely identifies the session.
Fix:
RADIUS START and STOP messages now egress the same interface.
709256-2 : CVE-2017-9074: Local Linux Kernel Vulnerability
Solution Article: K61223103
709192-1 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
Component: TMOS
Symptoms:
The export operation of SSL keys and certificates into a .tgz archive file fails after the httpd daemon is restarted.
Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.
Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.
Workaround:
After an httpd restart, perform another operation, such as creating a key/cert, before exporting the archive file.
Fix:
The system now allows SSL keys and certificates to be exported into a .tgz archive file after an httpd restart.
709133-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Double-free removed.
709132-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
Component: Local Traffic Manager
Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.
Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.
Impact:
An off-by-one error causes one byte to be written past the end of an array.
Workaround:
There is no workaround other than not to set the tmm.ssl.loggingcreatedcerts BigDB variable.
Fix:
Buffer no longer overflows.
708956-1 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Solution Article: K51206433
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.
708888-1 : Some DNS truncated responses may not be processed by BIG-IP
Solution Article: K79814103
Component: Advanced Firewall Manager
Symptoms:
On 13.1.x, DNS responses with the truncated (TC) bit set are dropped when AFM DNS DoS protection is enabled.
Conditions:
-- AFM DNS DoS is enabled.
-- Using 13.1.x.
Impact:
Clients do not receive truncated DNS responses.
Workaround:
Disable DNS DoS protection by changing the dos.dnsport variable to another port for which there is no valid traffic. For instance:
tmsh modify sys db dos.dnsport value 54
708840 : 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured
Component: Advanced Firewall Manager
Symptoms:
Upgrading from 13.0.0 to 13.1.0 on VIPRION 2250 blades might fail if global whitelist is configured. After the upgrade, the system will stay offline.
Conditions:
-- Global whitelist configured.
-- Running on VIPRION 2250 blades.
Impact:
System fails to run normally.
Workaround:
Remove global whitelist before upgrading to 13.1.0, add it back after upgrading.
Fix:
This issue no longer occurs in fixed versions, so you can upgrade from 13.0.0 to a post-13.1.0 version of the software without encountering this issue.
708830-2 : Inbound or hairpin connections may get stuck consuming memory.
Component: Carrier-Grade NAT
Symptoms:
When inbound or hairpin connections require a remote Session DB lookup and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They remain in this state until they time out and expire. In this state, UDP connections queue inbound packets. If the client application continues to send packets, the connection may never expire, and the queued packets accumulate, consuming memory. If the memory consumption becomes excessive, connections may be killed and "TCP: Memory pressure activated" and "Aggressive mode activated" messages appear in the logs.
Conditions:
An LSN pool with inbound and/or hairpin connections enabled. Session DB messages are lost due to heavy load or hardware failure. Remote lookups are more likely when using PBA mode or NAPT mode with the default DAG.
Impact:
Excessive memory consumption that leads to dropped connections.
Workaround:
There is no workaround at this time.
Fix:
When Session DB messages are lost, the connection will be killed and any queued packets will be discarded. If the client application resends packets they will be treated as a new connection.
708653-1 : TMM may crash while processing TCP traffic
Solution Article: K07550539
708484-2 : Network Map might take a long time to load
Component: TMOS
Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.
For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.
In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.
# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}
Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.
-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.
Impact:
It takes tens of seconds to load the Network Map page.
Workaround:
None.
708389 : BADOS monitoring with Grafana requires admin privilege
Component: Anomaly Detection Services
Symptoms:
Current Grafana monitoring requires admin privilege.
Grafana stores its internal database in unencrypted format, so the admin password can be extracted from a compromised computer.
Conditions:
Monitoring using Grafana.
Impact:
Guest user cannot access data needed for Grafana.
Workaround:
None.
Fix:
There is now a REST call to poll the Grafana statistics. This allows any user (including guest), not just admin or root, to access the data needed for Grafana.
Behavior Change:
This release introduces the following tmsh commands:
-- tmsh run util admdb - for help
+ list-element path_folder - lists folder
+ view-element path_file - view file contents
+ list-metrics path vs
+ table-query base_path db sRate tsfiles ts metric_columns_aliases
The path must be under /shared/admdb, for example:
-- run util admdb list-element /shared/admdb/default/_a_l_l
-- run util admdb view-element /shared/admdb/default/_a_l_l/info.sysinfo/1000/1522229248000.txt
-- run util admdb table-query /shared/admdb default 1000 '[1522233344000]' '[1522234774492,1522235074492]' '[["info.attack",["v0"],"Attack"],["sig.health",["v0"],"Health"],["info.learning",["v0"],"Learning"],["info.learning",["v2"],"Learned samples"]]'
708305-2 : Discover task may get stuck in CHECK_IS_ACTIVE step
Component: Device Management
Symptoms:
The discover task runs periodically after the user creates it, but it may get stuck in one of the intermediate steps and fail to run periodically.
Conditions:
When HA failover group is set up and a discover task is created on one of the devices.
Impact:
The discover task periodically pulls the OpenID information and updates the OAuth JWT and JWK configurations in MCP. If the task gets stuck, the JWT and JWK configuration is not synced to the latest version, which may cause the access policy to fail.
Workaround:
If the task is stuck in any step that is not SLEEP_AND_RUN_AGAIN for more than one minute, manually cancel and delete the task and create the same task again.
Fix:
Discover task no longer gets stuck in CHECK_IS_ACTIVE step.
708249-2 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now uses the -s0 flag to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
708189 : OAuth Discovery Auto Pilot is implemented
Component: Access Policy Manager
Symptoms:
This release adds a new capability that allows the user to select a period at which OAuth auto discovery automatically pulls down JWT keys.
Conditions:
Use the newly added UI and configure the frequency to start.
Impact:
No impact; this is a usability improvement over manual discovery.
Workaround:
There is no workaround.
Fix:
New auto pilot capability is added for usability.
708114-1 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
Solution Article: K33319853
Component: Local Traffic Manager
Symptoms:
TMM crashes when it receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message after the SSL connection is closed.
Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.
708068-2 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalize parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
The TCL command HTTP::path -normalize does not return the normalized path as expected.
Impact:
Unexpected result.
Workaround:
There is no workaround.
Fix:
The TCL command HTTP::path -normalize now returns the normalized path as expected.
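The three cases above come down to ordering: percent-decoding of unreserved characters has to happen before dot segments are collapsed, otherwise an encoded ".." survives as a literal "/foo/../bar". The following Python is an added illustration of that expected behaviour (it is not F5 code and does not model the real HTTP::path implementation); normalize_path is the expected order and normalize_path_wrong_order reproduces the unexpected result described in the symptoms.

```python
import string

# RFC 3986 section 2.3 unreserved characters: the only percent-encoded octets
# that a path normalizer may safely decode before removing dot segments.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def decode_unreserved(path: str) -> str:
    """Decode %XX escapes only when they encode an unreserved character.

    "%2E" (and lowercase "%2e") becomes ".", while "%2F" stays encoded so an
    encoded slash can never turn into a segment separator.
    """
    out = []
    i = 0
    while i < len(path):
        if (path[i] == "%" and i + 2 < len(path)
                and path[i + 1] in string.hexdigits
                and path[i + 2] in string.hexdigits):
            ch = chr(int(path[i + 1:i + 3], 16))
            if ch in UNRESERVED:
                out.append(ch)
                i += 3
                continue
        out.append(path[i])
        i += 1
    return "".join(out)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 for an absolute path: drop "." segments and let
    ".." pop the previous segment, never climbing above the root."""
    segments = path.split("/")[1:]          # path starts with "/"
    out = []
    for idx, seg in enumerate(segments):
        last = idx == len(segments) - 1
        if seg == ".":
            if last:
                out.append("")              # "/a/." normalizes to "/a/"
            continue
        if seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")              # "/a/b/.." normalizes to "/a/"
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalize_path(path: str) -> str:
    """Expected behaviour: decode first, then collapse dot segments."""
    decoded = decode_unreserved(path)
    if not decoded.startswith("/"):
        return decoded                      # relative input: only decoding applies
    return remove_dot_segments(decoded)


def normalize_path_wrong_order(path: str) -> str:
    """Models the defect: dot segments are collapsed before decoding, so an
    encoded ".." is treated as an ordinary segment and then decoded to a
    literal "..", which is what the symptoms above describe."""
    if not path.startswith("/"):
        return decode_unreserved(path)
    return decode_unreserved(remove_dot_segments(path))


if __name__ == "__main__":
    for sample in ("%2E%2E", "/foo/../bar", "/foo/%2E%2E/bar"):
        print(f"{sample!r:22} expected {normalize_path(sample)!r:10} "
              f"wrong order {normalize_path_wrong_order(sample)!r}")
```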
708054-1 : Web Acceleration: TMM may crash on very large HTML files with conditional comments
Component: TMOS
Symptoms:
In some cases, the Web Acceleration feature cannot handle a large HTML file that contains improper conditional comments. TMM may crash while processing such a file if a Web Acceleration profile is attached to the virtual server.
Conditions:
- HTML file with conditional comments inside:
<!--[if condition...]> ... <![endif]-->
- The size of "condition" in the pattern above is comparable to the RAM size of the BIG-IP system, i.e., ~8-10 GB.
Impact:
TMM crash interrupts all active sessions.
Workaround:
There is no workaround at this time.
Fix:
The Web Acceleration feature now handles long HTML conditional comments correctly.
708005-1 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
Solution Article: K12423316
Component: Access Policy Manager
Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.
Impact:
End user cannot launch VMware View resources with View HTML5 client.
Workaround:
You can use the following workarounds:
-- If you are already running Horizon 7.4, use native View clients instead.
-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.
-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:
when HTTP_REQUEST {
    # Only act on View HTML5 session-data requests that belong to an APM View session.
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata") } {
        HTTP::cookie remove "sessionDataServiceId"
    }
}
when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        # Prefix every cookie path with the APM View forwarding path.
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if { [string length $path] > 0 } {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}
Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed before exhibiting successful behavior.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.
Fix:
Horizon View version 7.4 in HTML5 mode now functions correctly with APM.
707990-2 : Unexpected TMUI output in SSL Certificate Instance page
Solution Article: K41704442
707961-2 : Unable to add policy to virtual server; error = Failed to compile the combined policies
Solution Article: K50013510
Component: Local Traffic Manager
Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.
010716d8:3: Compilation of ltm policies for virtual server /Common/vs_name failed; Failed to compile the combined policies.
Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.
Following is an example of such an LTM policy (i.e., referring to both datagroup and non-datagroup types):
ltm policy /Common/example_ltm_policy {
    published-copy /Common/block_URI
    requires { http }
    rules {
        example_Rule {
            conditions {
                0 {
                    http-host
                    host
                    datagroup /Common/example_datagroup   <------ Datagroup
                }
                1 {
                    http-host
                    host
                    values { example.com }                <------ Non-Datagroup
                }
            }
        }
    }
    strategy /Common/first-match
}
Impact:
LTM policy does not compile. Cannot use the policy.
Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.
Fix:
LTM Policy compiles if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types.
707951-2 : Stalled mirrored flows on HA next-active when OneConnect is used.
Component: Local Traffic Manager
Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.
Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect.
Fix:
Stalled mirrored flows no longer appear when OneConnect is used.
707740-4 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
Component: TMOS
Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.
Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.
Impact:
Cannot delete the unused monitor.
Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only
You can now delete the monitor.
Fix:
You can now delete an unused GTM monitor, even if that monitor was attached to multiple GTM virtual servers with the same ip:port combination.
707691-4 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
Fix:
This issue no longer occurs.
707676-1 : Memory leak in Machine Certificate Check agent of the apmd process
Component: Access Policy Manager
Symptoms:
The apmd process leaks a small amount of memory in the Machine Certificate Check agent.
Conditions:
- The Machine Certificate Check agent is configured in an Access Policy.
- The inspected machine certificate is revoked by a CRL.
Impact:
The apmd process may grow in size. This may lead to high memory utilization and instability in BIG-IP.
Workaround:
There is no workaround.
Fix:
A memory leak in the APM Machine Certificate check agent has been corrected.
707631-2 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
Component: TMOS
Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.
Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.
Impact:
Loss of the TCP profile SYN Challenge Handling configuration settings.
Workaround:
In the GUI, explicitly set the SYN Challenge Handling fields again after updating other TCP profile fields, or use tmsh to make the changes instead. The GUI settings map to the following tmsh attributes:
SYN Challenge Handling
GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled
GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled
GUI Setting: Disable Challenges
TMSH:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled
Fix:
The SYN Challenge Handling setting is no longer overwritten when a TCP profile is updated using the GUI.
707585-1 : Use native driver for 82599 NICs instead of UNIC
Component: TMOS
Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.
Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.
Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.
Workaround:
With UNIC, extra CPUs must be allocated to handle SoftIRQs in order to achieve higher performance.
Fix:
This release provides a native driver based on F5's physical platforms.
707509-1 : Initial vCMP guest creations can fail if certain hotfixes are used
Component: TMOS
Symptoms:
The vCMP guest fails to enter the 'provisioned' or 'deployed' state, and messages similar to the following can be seen in /var/log/ltm:
-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255
Conditions:
Creating vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.
Impact:
vCMP guest cannot be created.
Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.
Fix:
Guest creation succeeds.
707447-1 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
Component: Local Traffic Manager
Symptoms:
The SSL SNI mechanism creates a hash containing a mapping between the SAN entries in a given profile's certificate and that profile. This hash is owned by the default SNI profile, but is held by the other profiles on the VIP without a reference. If a connection uses SNI to select a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If the connection then attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault if the memory has been reused in the meantime (i.e., the contents are invalid).
The fix: when the default SNI profile is initializing and the SSL handshake is searching for a SAN/COMMON cert from a non-default SNI profile, stop the search and return NULL.
Conditions:
SNI is configured with one default SNI profile and one or more non-default SNI profiles. The default SNI profile is changed, and a renegotiation with SNI (using a non-default SNI profile) is issued.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
When the default SNI profile is initializing and the SSL handshake is searching for a SAN/COMMON cert from a non-default SNI profile, the search now stops and returns NULL.
707445-3 : Nitrox 3 compression hangs/unable to recover
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
Fix:
Compression device reset recovery made more robust for some compression failures.
707391-2 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue, a BIG-IP with BGP configured may continue to announce routes even after the virtual address is disabled or route announcement is disabled on the virtual address.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after the virtual address is disabled (visible via imish with the "show ip bgp" command), and the prefix continues to be announced to configured peers.
Workaround:
Restart the dynamic routing process.
Fix:
BGP no longer keeps announcing routes after route health injection is disabled.
707310-2 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
Component: Global Traffic Manager (DNS)
Symptoms:
When performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records), the final packet (or several packets) of NSEC3s and RRSIGs may be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.
Impact:
The DNSSEC signed zone transfer could be incomplete, that is, missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.
Workaround:
There is no workaround at this time.
Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.
707267 : REST Framework HTTP header limit size increased to 8 KB
Component: TMOS
Symptoms:
The HTTP header size limit causes 'Error getting auth token from login provider' messages in the GUI.
Conditions:
A client uses an HTTP Header larger than 4 KB to make a request to the REST framework.
Impact:
Users cannot log in or access certain pages in the GUI.
Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the total size of the HTTP headers is smaller than 4 KB.
Fix:
The HTTP header size limit for the REST Framework has been increased to 8 KB to match the limit set by Apache.
707246-1 : TMM would crash if SSL Client profile could not load cert-key-chain successfully
Component: Local Traffic Manager
Symptoms:
TMM would crash if SSL Client profile could not load cert-key-chain successfully, and SSL is working in the fwd-proxy-mode.
Conditions:
1. SSL is working in the fwd-proxy-mode.
2. SSL could not load the cert-key-chain in the clientssl profile successfully. There could be a couple of reasons:
2.1. The password required by the cert-key-chain is not configured.
2.2. The configured cert-key-chain type is not supported.
2.3. The cert-key-chain name is incorrect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure the cert-key-chain in the clientssl profile correctly.
Fix:
If the cert-key-chain in the clientssl profile cannot be loaded and SSL is working in fwd-proxy mode, the system now marks the corresponding clientssl profile as invalid and does not accept incoming SSL handshakes destined for that profile.
707244-3 : iRule command clientside and serverside may crash tmm
Component: Local Traffic Manager
Symptoms:
Using clientside and serverside command in iRules may crash tmm.
Conditions:
Using HTTP commands such as HTTP::password inside nested clientside and serverside scripts.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this point.
Fix:
The clientside and serverside commands no longer fail with the affected HTTP commands.
707226 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, an attacker must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regard to security fixes will mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
707207-1 : iRuleLx returning undefined value may cause TMM restart
Component: Local Traffic Manager
Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where its jsonrpc v2.0 representation is missing required fields, such as "result".
Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.
Impact:
Traffic is interrupted.
Workaround:
There is no workaround at this time.
Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.
707186-1 : TMM may crash while processing HTTP/2 traffic
Solution Article: K45320419
707147-1 : High CPU consumed by asm_config_server_rpc_handler_async.pl
Component: Application Security Manager
Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.
Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is encountered
Impact:
A process may consume high CPU even after the high traffic period is finished.
Workaround:
Kill asm_config_server.pl (this does not affect traffic).
Optionally, modify one of the following:
A) Change Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual
707109-1 : Memory leak when using C3D
Component: Local Traffic Manager
Symptoms:
When using the Client Certificate Constrained Delegation Support (C3D) feature, memory can leak.
Conditions:
Traffic passes through a virtual server with C3D enabled.
Impact:
Memory is leaked.
Workaround:
There is no workaround.
Fix:
When using C3D, memory no longer leaks.
707100 : Potentially fail to create user in AzureStack
Component: TMOS
Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.
Conditions:
Azure Stack VE provisioned with password authentication.
Impact:
Admin loses provisioned VE instance because there is no way to ssh in.
Workaround:
Deploy VE with key authentication.
Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.
707054-1 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
Component: Advanced Firewall Manager
Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.
Conditions:
While SYN cookies are active, the SYN Cookie MSS value is set to less than 256.
Impact:
While SYN cookies are active, a server-side MSS lower than the SYN Cookie MSS lower limit cannot be honored on the client side. As a result, the server side discards data segments larger than its MSS but within the SYN Cookie MSS lower limit.
Fix:
This fix allows SYN Cookie MSS values of 128-9162 to be configured.
707003-3 : Unexpected syntax error in TMSH AVR
Component: TMOS
Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown
It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'
Conditions:
Whenever the affected tmsh command is run.
Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown
Workaround:
There is no workaround besides not running the affected command.
Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown
706998-3 : Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication
Component: TMOS
Symptoms:
There is a memory leak when OCSP is configured in the clientSSL profile for the C3D feature, or in the serverSSL profile for server certificate authentication.
Conditions:
OCSP is configured in the clientSSL profile for the C3D feature, or in the serverSSL profile for server certificate authentication.
Impact:
TMM will run out of memory.
Workaround:
There is no workaround at this time.
Fix:
The memory leak has been fixed.
706845-2 : False positive illegal multipart violation
Component: Application Security Manager
Symptoms:
A false positive multipart violation.
Conditions:
Uploading a file with a filename value that uses a non-UTF-8 encoding.
Impact:
A false positive violation, request rejected.
Workaround:
This might be worked around using an iRule.
Fix:
Corrected ASM multipart parsing.
706835 : When cloning a profile, URL parameters are not shown
Component: Fraud Protection Services
Symptoms:
In the Fraud Protection Service GUI, after cloning a profile and then navigating to a URL, its parameters are not shown.
Conditions:
Provision and license Fraud Protection Service.
Impact:
The Fraud Protection Service GUI does not show the URL parameters.
Workaround:
Navigating again from Profiles will show the parameters.
Fix:
Parameters are now shown on first attempt after cloning a profile.
706804-1 : SNMP trap destination configuration of network option is missing "default" keyword
Component: TMOS
Symptoms:
When SNMP trap destinations are configured, the user can specify the network that the traps are transmitted from. By default, the routing table is consulted. Use the network keyword to override this with either "management" or "other". There is also a "default" keyword, which was removed since it was confusing. However, this broke backward compatibility of the REST API, so it was put back.
Conditions:
Including the "network default" keywords in trap configuration reports an error with version 13.0.0 where the "default" keyword was removed.
Impact:
Existing scripts may encounter errors if they used this keyword.
Workaround:
Don't use the "default" keyword with the snmp trap destination network configuration.
Fix:
The "default" keyword was put back.
706771-1 : FPS ajax-mapping property may be set even when it should be blocked
Component: Fraud Protection Services
Symptoms:
Ajax mapping may be set only when 1) ajax-encryption is enabled OR 2) ajax-integrity AND strong-integrity are enabled.
The bug allows to set ajax-mapping even for the following (invalid) configuration:
ajax-encryption: disabled
ajax-integrity: enabled
strong-integrity: disabled
Conditions:
1)
ajax-encryption: disabled
ajax-integrity: enabled
strong-integrity: disabled
2)
non-empty ajax-mapping
Impact:
System will set the ajax-mapping field when it should have been blocked.
Workaround:
There is no workaround at this time.
Fix:
FPS now blocks ajax-mapping configuration when the preconditions are not met.
706750-1 : Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.
Component: Service Provider
Symptoms:
Altering the router profile log settings (log publisher and logging profile) may cause the tmm to crash when handling traffic.
Conditions:
-- CGNAT SIP ALG.
-- Changing log settings while handling traffic.
Impact:
TMM may crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Changing CGNAT SIP ALG profile log settings while handling traffic no longer causes tmm core.
706688 : Automatically add additional certificates to BIG-IP system in C2S and IC environments
Component: TMOS
Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and an endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The failover and autoscale features use AWS CLI commands, which need $AWS_CA_BUNDLE pointing to the certificate file location and the endpoint URL. These must be configured manually.
Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.
-- The BIG-IP system is configured to do failover or autoscale in those environments.
Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.
Workaround:
None.
Fix:
In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url.
To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;
Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL of the following format:
<A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
Example: ec2.us-iso-east-1.c2s.ic.gov:443;
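The five-part syntax above can be checked before the user-data is handed to an instance. The following parser is an added example, not F5 code: it splits the string as steps 1-5 describe, requires the test URL to be <service>.<region>.<domain>:<port>, and accepts only the two C2S domains named in the Conditions. The https-only check on the certificate URLs is an assumption added here, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Domains in which the C2S feature applies, taken from the Conditions above.
C2S_DOMAINS = ("c2s.ic.gov", "sc2c.sgov.gov")

# Constructed sample user-data string in the documented format; the
# certificate URLs are placeholders, not real C2S PKI endpoints.
SAMPLE_USER_DATA = (
    "c2s-keys-urls=https://pki.example.test/root.pem,"
    "https://pki.example.test/intermediate.pem;"
    "c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;"
)

# <service>.<region>.<domain>:<port>, e.g. ec2.us-iso-east-1.c2s.ic.gov:443
_TEST_URL_RE = re.compile(
    r"^(?P<service>[a-z0-9-]+)\.(?P<region>[a-z0-9-]+)\."
    r"(?P<domain>[a-z0-9.-]+):(?P<port>\d{1,5})$"
)


@dataclass(frozen=True)
class C2SUserData:
    key_urls: Tuple[str, ...]
    service: str
    region: str
    domain: str
    port: int


def _split_fields(user_data: str) -> Dict[str, str]:
    """Split 'k=v;k=v;' into a dict; every non-empty field must be key=value."""
    fields: Dict[str, str] = {}
    for raw in user_data.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # the trailing ';' yields an empty field
        if "=" not in raw:
            raise ValueError(f"malformed field (missing '='): {raw!r}")
        key, value = raw.split("=", 1)
        if key in fields:
            raise ValueError(f"duplicate field: {key!r}")
        fields[key] = value
    return fields


def parse_c2s_user_data(user_data: str) -> C2SUserData:
    fields = _split_fields(user_data)
    for required in ("c2s-keys-urls", "c2s-cert-test-url"):
        if required not in fields:
            raise ValueError(f"missing required field: {required}")

    # Step 2: comma-separated list of certificate URLs.
    key_urls = tuple(u.strip() for u in fields["c2s-keys-urls"].split(",") if u.strip())
    if not key_urls:
        raise ValueError("c2s-keys-urls lists no URLs")
    for url in key_urls:
        # Assumption added here (not stated on the page): fetch the CA bundle
        # only over https, so the download cannot be altered in transit.
        if not url.startswith("https://"):
            raise ValueError(f"certificate URL must use https: {url!r}")

    # Step 5: service.region.domain:port, restricted to the C2S domains.
    test_url = fields["c2s-cert-test-url"]
    match = _TEST_URL_RE.match(test_url)
    if not match:
        raise ValueError(f"c2s-cert-test-url is not <service>.<region>.<domain>:<port>: {test_url!r}")
    domain = match["domain"]
    if domain not in C2S_DOMAINS:
        raise ValueError(f"unexpected domain {domain!r}; expected one of {C2S_DOMAINS}")
    port = int(match["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return C2SUserData(key_urls, match["service"], match["region"], domain, port)


def is_valid_c2s_user_data(user_data: str) -> bool:
    """Convenience wrapper: True when the string parses cleanly."""
    try:
        parse_c2s_user_data(user_data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_c2s_user_data(SAMPLE_USER_DATA))
```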
706665-2 : ASM policy is modified after pabnagd restart
Component: Application Security Manager
Symptoms:
ASM policy modifications might occur after the pabnagd daemon is restarted. Modifications include the following:
-- Length attributes might change from 'any' to a low auto learning value.
-- Check signature / metachars might change from unchecked to checked.
This applies for the following entity types:
filetypes, URLs, parameters, cookies, WS URLs, content profiles.
Conditions:
-- Configuration containing a policy in which automatic learning mode is configured.
-- Restart of pabnagd (the automated policy-building operations daemon).
Impact:
ASM policy is modified.
Workaround:
Switch policy builder to manual learning mode.
Fix:
Prevent unwanted adjust operations from being called on policy-catchup complete.
706651-1 : Cloning URL does not clone "Description" field
Component: Fraud Protection Services
Symptoms:
When cloning a URL using the "Clone URL" feature in the FPS/DataSafe GUI, the Description field is not cloned to the new URL.
Conditions:
Provision and license FPS/DataSafe.
Impact:
Not all expected configuration values of the URL are cloned.
Workaround:
There is no workaround.
Fix:
Description field is now cloned to the new URL.
706642-2 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
Fix:
wamd no longer leaks memory during configuration changes and cluster events.
706631-2 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
Component: Local Traffic Manager
Symptoms:
According to RFC 2818, if the certificate sent by the TLS server has a valid Common Name but its Subject Alternative Name does not match the authenticate-name in the server-ssl profile, the connection should be terminated.
Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.
-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.
-- Common Criteria mode licensed and configured.
Impact:
A TLS connection succeeds which should fail.
Workaround:
There is no workaround at this time.
Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.
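The RFC 2818 section 3.1 rule behind this fix, as an added example (not BIG-IP code): when a certificate carries dNSName entries in its Subject Alternative Name, the identity check must use only those entries and ignore the Common Name; the CN is consulted only for a certificate with no dNSName SAN. The identity is modelled as a plain dataclass rather than parsed from X.509, and wildcards are restricted to a whole leftmost label (stricter than RFC 2818's literal wording), both assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCertIdentity:
    """Names extracted from a server certificate (constructed, not parsed from DER)."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' may replace exactly one whole label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    for p, h in zip(p_labels, h_labels):
        if p == "*":
            continue
        if p != h:
            return False  # partial-label wildcards (f*.example) are rejected here
    return True


def server_identity_matches(cert: ServerCertIdentity, authenticate_name: str) -> bool:
    """RFC 2818 section 3.1: SAN dNSName entries are authoritative when present;
    the Common Name is used only when the certificate has no dNSName SAN."""
    if cert.san_dns_names:
        return any(_hostname_matches(n, authenticate_name) for n in cert.san_dns_names)
    if cert.common_name is None:
        return False
    return _hostname_matches(cert.common_name, authenticate_name)


if __name__ == "__main__":
    # The failing case from this entry: CN matches, SAN does not -> must be rejected.
    cert = ServerCertIdentity("app.example.test", ["other.example.test"])
    print("accept" if server_identity_matches(cert, "app.example.test") else "reject")
```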
706534-1 : L7 connection mirroring may not be fully mirrored on standby BigIP
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, L7 connections may not be fully mirrored on the standby BIG-IP.
Conditions:
L7 VIP with mirroring configured
Connections with transfer of substantial size.
Impact:
Connections may be mirrored initially but removed after some time.
If there is a failover these connections may not be correctly handled.
Workaround:
Disabling LRO may work around this issue:
tmsh modify sys db tm.tcplargereceiveoffload value disable
Fix:
BIG-IP now fully mirrors all L7 connections.
706423-1 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Component: TMOS
Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.
Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.
A config with a short SA lifetime, causing frequent re-keying, increases the chance of hitting the race condition in which an SA expires during active use in crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.
Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.
706361 : IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0★
Component: Application Visibility and Reporting
Symptoms:
The IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0.
Conditions:
-- Upgrade from 13.1.0 to 14.0.0.
-- AVR is NOT provisioned.
-- Viewing IPS stats tables.
Impact:
All statistics that relate to IPS are lost.
Workaround:
Before upgrading, run the following SQL command:
update AVR_CONF_FACT_TABLES set export_dir='/shared/avr_afm' where fact_name="AVR_STAT_IPS";
Fix:
The IPS stats tables are now saved in the '/shared_avr_afm' export directory.
706354-2 : OPT-0045 optic unable to link
Component: TMOS
Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port does not function. The following error appears in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0.
Conditions:
OPT-0045 in a 40G port.
Impact:
Optic does not work; interface does not come up.
Workaround:
None.
Fix:
This release supports the OPT-0045 optical transceiver.
706305-1 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
Component: TMOS
Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.
Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.
Impact:
The unit is unable to use BGP.
Workaround:
Disabling extended-asn-cap, or not announcing multiple overlapping aggregate addresses, may work around this issue.
Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled.
706276-1 : Unnecessary pop-up appears
Component: Fraud Protection Services
Symptoms:
A pop-up dialog box appears when 'Enhanced Data Integrity Check' is clicked.
Conditions:
-- Provision and license FPS.
-- Add URL.
-- Disable 'Check Full AJAX for Data Manipulation'.
Impact:
Unnecessary dialog box appears.
Workaround:
None.
Fix:
The pop-up does not appear.
706176-1 : TMM crash can occur when using LRO
Solution Article: K51754851
706169-3 : tmsh memory leak
Component: TMOS
Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.
Conditions:
This occurs under the following conditions:
-- In tmsh, run the following command repeatedly:
save sys config
-- In the GUI, modify the configuration and click Update, change pages, or otherwise cause a save to the configuration.
Impact:
This results in a memory leak, and a possible out-of-memory condition.
Workaround:
None.
Fix:
tmsh no longer leaks memory when performing configuration-save operations.
706128-2 : DNSSEC Signed Zone Transfers Can Leak Memory
Component: Global Traffic Manager (DNS)
Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.
For example:
tmsh show sys memory raw | grep dnssec
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.
Impact:
TMM leaks memory related to the signed zone transfer.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer leaks DNSSEC zone transfer related memory.
706104-3 : Dynamically advertised route may flap
Component: TMOS
Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.
Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configured in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route
Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.
Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.
The problem will also be resolved by moving the route from tmsh into ZebOS.
- In imish config mode, "ip route <route> <gateway>"
- In tmsh, "delete net route <route>"
Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.
706102-2 : SMTP monitor does not handle all multi-line banner use cases
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
Fix:
An SMTP monitor handles all use cases that include a multi-line banner.
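The failure mode in this entry is a banner parser that decides after the first packet. As an added example (not the BIG-IP monitor's code), the reader below buffers the RFC 5321 multi-line greeting across packet boundaries and only produces a verdict once the final "220 " line has arrived; the packet payloads are constructed for the example.

```python
import re
from typing import List, Optional

# RFC 5321 reply line: 3-digit code, then '-' for a continuation line or
# ' ' (or end of line) for the final line of the reply.
_REPLY_LINE_RE = re.compile(rb"^(\d{3})([ -]?)(.*)$")

# Constructed greeting split mid-line across two TCP segments.
PKT1 = b"220-mail.example.test ESMTP ready\r\n220-Please do"
PKT2 = b" not spam\r\n220 OK\r\n"


class SmtpBannerReader:
    """Accumulates the server greeting until the last line of the reply arrives."""

    def __init__(self) -> None:
        self._buf = b""
        self._lines: List[str] = []
        self.code: Optional[int] = None
        self.complete = False

    def feed(self, data: bytes) -> Optional[List[str]]:
        """Feed one packet's payload; returns the banner lines once complete, else None."""
        if self.complete:
            raise ValueError("banner already complete")
        self._buf += data
        while b"\r\n" in self._buf:
            line, self._buf = self._buf.split(b"\r\n", 1)
            m = _REPLY_LINE_RE.match(line)
            if not m:
                raise ValueError(f"malformed SMTP reply line: {line!r}")
            code = int(m.group(1))
            if self.code is None:
                self.code = code
            elif code != self.code:
                raise ValueError(f"reply code changed mid-reply: {self.code} -> {code}")
            self._lines.append(m.group(3).decode("ascii", errors="replace"))
            if m.group(2) != b"-":
                self.complete = True  # 'NNN ' (or bare 'NNN') ends the reply
                return self._lines
        return None  # final line not yet seen: keep waiting for the next packet


def read_banner(packets: List[bytes]) -> Optional[List[str]]:
    """Drive the reader with a sequence of payloads; None while still incomplete."""
    reader = SmtpBannerReader()
    for pkt in packets:
        lines = reader.feed(pkt)
        if lines is not None:
            return lines
    return None


def server_is_up(packets: List[bytes]) -> Optional[bool]:
    """Monitor-style verdict: None while the banner is incomplete (do not mark
    down yet), True for a complete 220 greeting, False for any other code."""
    reader = SmtpBannerReader()
    for pkt in packets:
        if reader.feed(pkt) is not None:
            return reader.code == 220
    return None


if __name__ == "__main__":
    print(server_is_up([PKT1]), server_is_up([PKT1, PKT2]))
```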
706087 : Entry for SSL key replaced by config-sync causes tmsh load config to fail
Component: TMOS
Symptoms:
After config-sync, the secondary unit's key file does not match the passphrase stored for the key. This is a generic problem where config-sync is not synchronizing any differing file-objects on the secondary unit that happen to have the same cache_path as the primary.
Conditions:
The cache_path of the encrypted key happens to be the same on both units of the HA pair, but the keys are different and have different passphrases.
Impact:
The secondary unit will fail to load the config during boot-up, so it will be offline. Other file-objects that had the same cache_path but were different files do not sync. The latter may not be noticed since nothing fails on the secondary unit.
Workaround:
Check whether the cache_path of the encrypted key is the same on both systems prior to config-sync and whether the sha1sum values are different. If this is the case, remove the key on one of the systems, re-install the key, and make sure the cache_path name is different.
Fix:
The key files (in the cache_path) will sync despite having the same name. The problem goes away. The same goes for any file-object that happened to have the same cache_path prior to sync.
706086-3 : PAM RADIUS authentication subsystem hardening
Solution Article: K62750376
705925-1 : Websocket Message Type not displayed in Request Log
Component: Application Security Manager
Symptoms:
You are unable to filter for websocket message types.
Conditions:
This is encountered on ASM when viewing the request log.
Impact:
Websocket Message Type not available to be displayed in Request Log.
Workaround:
N/A
Fix:
Websocket Message Type is now correctly displayed in the Request Log.
705818-1 : GUI Network Map Policy with forward Rule to Pool, Pool does not show up
Component: TMOS
Symptoms:
When a Virtual Server has a Policy with a rule to forward request to a Pool, the Pool should be associated to the Virtual Server on the Network Map.
Conditions:
Create a Virtual Server with a Policy to forward requests to a Pool.
Impact:
The relationship of the Virtual Server to the Pool via the indirect Policy Rule is not visible in the network map.
Workaround:
There is no workaround for the Network Map display.
Fix:
Associate Virtual Server with Policy that forwards requests to a Pool on the Network Map.
705799-2 : TMSH improvements
Solution Article: K77313277
705794-2 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
Component: Local Traffic Manager
Symptoms:
An HTTP/2 stream is overlooked when cleaning up an HTTP/2 flow.
Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.
705774-1 : Add a set of disallowed file types to RDP template
Component: Application Security Manager
Symptoms:
Universally dangerous filetypes are not included in RDP policy template.
Conditions:
The user creates a new policy using the RDP template.
Impact:
Universally dangerous filetypes are not disallowed.
Workaround:
Dangerous filetypes can be added to policies created from RDP template.
Fix:
Universally dangerous filetypes are now included in RDP policy template.
705611-2 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
Component: Local Traffic Manager
Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.
Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load is large enough, that the change is not synchronous. The change involves an HTTP/2 profile.
Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.
705593-5 : CVE-2015-7940: Bouncy Castle Java Vulnerability
Component: Device Management
Symptoms:
An attacker could extract private keys used by Bouncy Castle in elliptic curve cryptography with a few thousand queries.
Conditions:
No specific conditions.
Impact:
None. BIG-IP software does not use the impacted library features.
Fix:
Version 1.59 of the library is installed on the BIG-IP system at the following paths:
/usr/share/java/rest/libs/bcprov-1.59.jar
/usr/share/java/rest/libs/bcpkix-1.59.jar
705559-1 : FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
Component: Fraud Protection Services
Symptoms:
A false positive "no strong integrity param" is sent when none of the configured data-integrity parameters are present in the request.
Conditions:
1. A protected URL has at least one parameter configured with the data-integrity check enabled.
2. Enhanced data manipulation is enabled.
3. A request without any of the data-integrity parameters is sent to the protected URL.
Impact:
A false positive "no strong integrity param" alert is sent.
Workaround:
There is no workaround at this time.
Fix:
The "No strong integrity param" alert is now suppressed when none of the data-integrity parameters were sent.
When forcing all data-integrity parameters is enabled (tmsh modify sys db antifraud.autotransactions.parameternameintegrity value enable), the alert is still sent.
705503-3 : Context leaked from iRule DNS lookup
Component: Global Traffic Manager (DNS)
Symptoms:
The memory usage increases, and stats are inaccurate.
Conditions:
Call RESOLV::lookup from an iRule.
Impact:
Memory leak that accumulates over time and inaccurate stats.
Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.
Fix:
Memory leak no longer occurs.
705476-2 : Appliance Mode does not follow design best practices
Solution Article: K28003839
705456-1 : VCMP Guests unable to install block-device-image ISOs when http->https redirection is enabled
Component: TMOS
Symptoms:
ISOs of type block-device-image do not show up on VCMP Guests and are not available for installation when http->https redirection is enabled.
Conditions:
VCMP Guest has http->https redirection enabled.
Impact:
Not all available images are installable.
Workaround:
User must manually copy images to VCMP guest.
Fix:
Configured iControl REST to allow appropriate daemons access when http->https is enabled.
705442-1 : GUI Network Map objects search on Virtual Server IP Address and Port does not work
Component: TMOS
Symptoms:
Searching for a Virtual Server using the IP Address and Port of the Virtual Server does not work.
Conditions:
Create a Virtual Server named vs1 with an address, then search the Network Map by that address.
Impact:
Users are unable to search using an IP Address to filter Virtual Server results.
Workaround:
There is no workaround at this time.
Fix:
We now include the Virtual Server's IP Address and Port as searchable values.
705161-1 : TMM may crash when processing TCP DNS traffic
Solution Article: K23520761
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, when processing TCP DNS traffic, TMM may crash.
Conditions:
DNS profile enabled
TCP profile enabled
AVR enabled
ASM enabled
Impact:
TMM crash, leading to a failover event.
Fix:
TMM processes TCP DNS traffic as expected.
704804-1 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
Fix:
The NAS-IP-Address attribute is now set correctly when the BIG-IP system is configured to use RADIUS authentication.
704764-3 : SASP monitor marks members down with non-default route domains
Component: Local Traffic Manager
Symptoms:
The LTM SASP monitor marks down pool members whose addresses include non-default route domains.
Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:
ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}
Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.
Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.
The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.
Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members, monitored by the SASP monitor, whose addresses differ only in their route domains. In the case of such a configuration error, the status reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.
Fix:
The LTM SASP monitor will correctly report the status of pool members configured with addresses that include a non-default route domain, if the SASP GWM is monitoring members with matching addresses (minus route-domain information).
704755-1 : EUD_M package could not be installed on 800 platforms
Component: TMOS
Symptoms:
Attempts to install the EUD_M package fail on 800 platforms even though they are supposed to be supported.
Conditions:
Attempt to install EUD_M package on 800 platforms.
Impact:
Cannot install EUD_M package on a platform that is claimed to support it.
Workaround:
None.
Fix:
EUD_M package can now be installed on 800 platforms as expected.
704733-1 : NAS-IP-Address is sent with the bytes in reverse order
Component: TMOS
Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).
Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.
Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
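Both this entry and 704804-1 above concern the value the BIG-IP system places in the RADIUS NAS-IP-Address attribute (type 4, RFC 2865). The following added example (not F5 code) parses the attribute out of a constructed Access-Request and classifies the value against the management IP the RADIUS server expects, so a server-side log check can tell a byte-reversed address from a loopback one; the packet builder, the zero authenticator and the addresses are all constructed for the example.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

NAS_IP_ADDRESS = 4  # RADIUS attribute type for NAS-IP-Address (RFC 2865 section 5.4)
ACCESS_REQUEST = 1


def build_access_request(attrs: List[Tuple[int, bytes]], identifier: int = 7) -> bytes:
    """Constructed Access-Request: code, id, length, 16-byte authenticator, attributes.
    A real packet carries a random authenticator; zeros are used here for the example."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Return attribute values keyed by type, validating every length field."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad attribute length {attr_len} at offset {pos}")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def check_nas_ip(packet: bytes, expected: str) -> str:
    """Classify NAS-IP-Address: 'ok', 'reversed', 'loopback', 'mismatch' or 'missing'."""
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    if not values:
        return "missing"
    raw = values[0]
    if len(raw) != 4:
        raise ValueError("NAS-IP-Address must be exactly 4 bytes")
    got = ipaddress.IPv4Address(raw)
    want = ipaddress.IPv4Address(expected)
    if got == want:
        return "ok"
    if got.is_loopback:
        return "loopback"   # the symptom in 704804-1
    if raw[::-1] == want.packed:
        return "reversed"   # the symptom in this entry (704733-1)
    return "mismatch"


def _request_with_nas_ip(addr: str) -> bytes:
    return build_access_request([(1, b"admin"), (NAS_IP_ADDRESS, ipaddress.IPv4Address(addr).packed)])


if __name__ == "__main__":
    # Management IP 172.30.56.78 is the constructed expected value from this entry.
    for sent in ("172.30.56.78", "78.56.30.172", "127.0.0.1"):
        print(sent, "->", check_nas_ip(_request_with_nas_ip(sent), "172.30.56.78"))
```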
704666-1 : memory corruption can occur when using certain certificates
Component: Local Traffic Manager
Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.
Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.
Impact:
TMM could crash.
Workaround:
Do not use certificates with extremely long common names.
Fix:
A length check has been added to avoid corruption when using extremely long common names.
704643-1 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
Component: Application Security Manager
Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.
Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.
Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.
Workaround:
Create or modify the Signature rule using Advanced Edit Mode.
Fix:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are handled correctly in regular expression keywords within the Signature rule.
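The following Python, added here as an example and not F5 code, shows why the doubled backslash matters for enforcement. Python's re module stands in for the signature engine's PCRE semantics, which agree for the two constructs involved: an escaped slash (\/) matches a plain slash, while a doubled backslash (\\) matches one literal backslash. The signature keyword and the two request lines are constructed for the example.

```python
import re

# Constructed user-defined signature keyword: a traversal to /etc/passwd written
# with escaped slashes, the form that triggered ID 704643. In PCRE '\/' and '/'
# are equivalent, so escaping the slash is harmless until it is doubled.
INTENDED = r"\.\.\/etc\/passwd"


def simple_edit_mode_bug(pattern: str) -> str:
    """Reproduce the defect: each backslash directly before '/' is doubled."""
    return pattern.replace(r"\/", r"\\/")


def doubled_slash_escapes(pattern: str) -> list:
    """Offsets of '\\/' in a stored pattern. Two backslashes form one escaped
    literal backslash, so the rule now demands a '\' in the request right
    before the '/', which almost no signature author intends."""
    return [m.start() for m in re.finditer(r"\\\\/", pattern)]


def enforced(pattern: str, request: str) -> bool:
    """Does the signature, as stored, match this request line?"""
    return re.search(pattern, request) is not None


# Constructed requests: the attack the signature was written for, and the odd
# backslashed form that only the doubled pattern matches.
ATTACK = "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1"
BACKSLASHED = "GET /cgi-bin/view?file=..\\/etc\\/passwd HTTP/1.1"

if __name__ == "__main__":
    broken = simple_edit_mode_bug(INTENDED)
    print("intended matches attack:", enforced(INTENDED, ATTACK))
    print("stored   matches attack:", enforced(broken, ATTACK))
    print("doubled escapes at:", doubled_slash_escapes(broken))
```

Run doubled_slash_escapes over exported signature keywords from a policy that was edited in Simple Edit Mode on an affected version: any hit is a rule that silently stopped matching the traffic it was written for (a false negative, not a false positive, which is why nothing in the logs draws attention to it). Repairing a hit by collapsing \\/ back to \/ is only safe if the author did not genuinely mean a literal backslash.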
704580-1 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
Solution Article: K05018525
704552 : Support for ONAP site licensing
Component: TMOS
Symptoms:
ONAP site licensing not supported.
Conditions:
-- Attempting to use ONAP site licensing
Impact:
BIG-IP system does not license.
Workaround:
None.
Fix:
Ported ONAP site licensing support to this version of the software.
Behavior Change:
This version of the software supports ONAP site licensing.
704528-2 : tmm may run out of memory during IP shunning
Component: Advanced Firewall Manager
Symptoms:
If no AppIQ is configured on an AFM-provisioned system, over time the system can run out of memory causing tmm to crash/restart.
Conditions:
-- Blacklist profile is configured with blacklist categories.
-- AppIQ is not configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
If no AppIQ is configured, the system now correctly handles the shunned IPs that are to be sent to the ECM server.
704512-1 : Automated upload of qkview to iHealth can time out resulting in error
Component: TMOS
Symptoms:
The automated upload of qkview files to iHealth via the support page of the BIG-IP GUI can time out waiting for an analysis from iHealth. Sometimes, iHealth can take several minutes to complete analysis, and this is a realistic scenario.
If the BIG-IP system times-out waiting for completion of the analysis, the link to the iHealth record is not stored.
Conditions:
iHealth takes longer than three minutes to complete analysis of a qkview file after uploading.
Impact:
Support history will not contain links to completed qkviews.
Workaround:
Run qkview from the command line and upload to iHealth manually.
Fix:
The iHealth link is now stored immediately after the qkview is successfully uploaded, and the timeout is not considered an error.
704435-1 : Client connection may hang when NTLM and OneConnect profiles used together
Component: Local Traffic Manager
Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is reused. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are both associated with an LTM virtual server.
Impact:
A client connection is not serviced, and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller are not pooled, but all other features are retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
704381-5 : SSL/TLS handshake failures and terminations are logged at too low a level
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are logged at too low a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Other errors are sometimes produced whose cause is an SSL/TLS handshake failure, but the handshake failure itself is not logged.
Workaround:
There is no workaround.
Fix:
SSL/TLS handshake failures and terminations are now logged at a higher level (WARNING).
704369-2 : TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled
Component: Advanced Firewall Manager
Symptoms:
TMM restarts on a BIG-IP system if a DoS profile is attached to a virtual server with sip-routing enabled.
Conditions:
1. A virtual with sip-routing enabled.
2. A DoS profile is attached to this virtual server.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer restarts when a DoS profile is attached to a virtual server with sip-routing enabled.
704336-1 : Updating 3rd party device cert not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
Fix:
The fix now writes the device certificate together with all of its intermediate and root certificates to the Trusted Server and Trusted Device certificate bundles.
704282-2 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
Component: TMOS
Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.
Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.
For this to happen, the fair share rate of the instance of the dynamic policy has to be less than 32 times the average packet size of that instance.
For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
F5 does not recommend running BWC with a rate under 64 Kbps.
Either decrease the number of subscribers or increase the max-rate of the dynamic policy.
Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.
704247-2 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted.
704236-1 : TMM Crash when attaching fastl4 profile
Component: Anomaly Detection Services
Symptoms:
TMM crashes.
Conditions:
A FastL4 profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use a FastL4 profile.
Fix:
TMM no longer cores.
704207-1 : DNS query name is not showing up in DNS AVR reporting
Component: Advanced Firewall Manager
Symptoms:
DNS query name is not showing up in DNS AVR reporting.
Conditions:
Sending traffic to Virtual with DNS profile.
Impact:
No query information for DNS is reported in AVR.
Workaround:
There is no workaround at this time.
Fix:
The query name now appears in AVR reporting.
704184-6 : APM MAC Client create files with owner only read write permissions
Solution Article: K52171282
704143-1 : BD memory leak
Component: Application Security Manager
Symptoms:
The BD process leaks memory.
Conditions:
WebSocket traffic with a specific configuration.
Impact:
Resident memory increases, and swap is used.
Workaround:
Make sure that any WebSocket violations are not caused by an incorrect WebSocket URL configuration, that the violations are set to Learn/Alarm or Block, and that a local logger is configured and attached.
704073-1 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
Solution Article: K24233427
Component: Local Traffic Manager
Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.
Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.
Impact:
Log pollution and potential for performance degradation.
Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent
Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.
703959 : Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI
Component: Advanced Firewall Manager
Symptoms:
Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI. The 'Infinite' values for detection and mitigation are retained. No error message is returned.
Conditions:
Attempting to configure manual AFM detection and mitigation threshold for DoS Protection Dynamic Signatures using the Management GUI.
Impact:
The BIG-IP system Administrator is not aware that config change failed to be applied.
Workaround:
Manual thresholds for Dynamic Signatures can be configured using TMSH.
Fix:
You can now change manual detection and mitigation threshold via TMUI.
703940-2 : Malformed HTTP/2 frame consumes excessive system resources
Solution Article: K45611803
703914-2 : TMM SIGSEGV crash in poolmbr_conn_dec.
Component: Local Traffic Manager
Symptoms:
TMM cores in poolmbr_conn_dec function.
Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.
Impact:
TMM core, traffic interruption, possible failover.
Workaround:
Do not use LB::reselect, or disable request queueing on the pool associated with the virtual server.
Fix:
TMM correctly handles LB::reselect on virtual servers with pools using request queueing.
703869 : Waagent updated to 2.2.21
Component: TMOS
Symptoms:
Microsoft updates waagent through an open-source process, but the upstream version is not compatible with BIG-IP software, so waagent cannot be upgraded outside of BIG-IP releases. Without an update, Microsoft will not support older BIG-IP releases in its environment.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
703848-1 : Possible memory leak when reusing statistics rows in tables
Component: TMOS
Symptoms:
The handling of the pointers to memory in the statistics tables includes a path that zeros out a pointer to additional memory that should be freed, so that memory is not freed in that case.
Conditions:
This condition is usually hit only when the entire file is being deleted, in which case it does not matter that the list is not fully traversed.
Impact:
When slabs are being reused this bug may cause a memory leak.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to properly follow the list.
703833-1 : Some bot detected features might not work as expected on Single Page Applications
Component: Application Security Manager
Symptoms:
Some client side features do not work correctly when enabling single page application.
Conditions:
Enabling single page application (on DoS or ASM), and Web Scraping-> Persistent Client Identification
Impact:
Captcha challenge causes a loop of ajax requests.
Workaround:
There is no workaround at this time.
Fix:
Persistent Client Identification now works for Single Page Applications.
703793-3 : tmm restarts when using 'ACCESS::perflow get' in certain events
Component: Access Policy Manager
Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.
Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).
Impact:
tmm cores and traffic flow will be interrupted while it restarts.
Workaround:
None.
Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.
703761-2 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode
Component: TMOS
Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.
Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.
Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.
Workaround:
There is no workaround at this time.
Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.
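Whether or not the fixed build is in place, the keys that reach a CC-mode system's authorized_keys file should be audited. The Python below is an added example, not F5 tooling: it parses authorized_keys lines (including a leading options field with quoted values), decodes each public-key blob, reads the key type embedded in the blob (the RFC 4253 wire format begins with a length-prefixed type string, which is what sshd actually interprets, not the text label in front of it), and flags ssh-dss keys and keys whose label disagrees with their blob. The sample file is constructed and its blobs contain filler rather than real key material.

```python
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_fields(line: str) -> list:
    """Split an authorized_keys line on whitespace, keeping a double-quoted
    option value (which may contain spaces and commas) inside one field.
    Backslash-escaped quotes inside options are not handled (simplification)."""
    fields, current, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            current.append(ch)
        elif ch.isspace() and not quoted:
            if current:
                fields.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        fields.append("".join(current))
    return fields


def blob_key_type(blob_b64: str) -> str:
    """Key type embedded in the public-key blob: the first length-prefixed
    string of the RFC 4253 encoding."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack("!I", raw[:4])
    return raw[4:4 + n].decode("ascii")


def audit_authorized_keys(text: str) -> list:
    """Return (line_no, declared_type, embedded_type, verdict) per key line.
    Verdicts: ok, dsa-not-allowed, type-mismatch, bad-blob, unparseable."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = split_fields(stripped)
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((line_no, None, None, "unparseable"))
            continue
        declared = fields[idx]
        try:
            embedded = blob_key_type(fields[idx + 1])
        except (ValueError, struct.error, UnicodeDecodeError):
            findings.append((line_no, declared, None, "bad-blob"))
            continue
        if embedded != declared:
            verdict = "type-mismatch"
        elif declared == "ssh-dss":
            verdict = "dsa-not-allowed"
        else:
            verdict = "ok"
        findings.append((line_no, declared, embedded, verdict))
    return findings


def fake_blob(key_type: str) -> str:
    """Constructed blob: only the leading type string matters for this check;
    the remainder is filler, not real key material."""
    t = key_type.encode("ascii")
    return base64.b64encode(struct.pack("!I", len(t)) + t + b"\x00" * 16).decode("ascii")


# Constructed authorized_keys content: a normal RSA key, an ed25519 key with an
# options field whose quoted value happens to contain the text 'ssh-dss', a DSA
# key, and a DSA blob mislabelled as ssh-rsa.
SAMPLE = "\n".join([
    "# constructed authorized_keys content for the audit",
    "ssh-rsa %s ops@example" % fake_blob("ssh-rsa"),
    'command="echo ssh-dss is only text here",no-pty ssh-ed25519 %s automation' % fake_blob("ssh-ed25519"),
    "ssh-dss %s legacy@example" % fake_blob("ssh-dss"),
    "ssh-rsa %s relabelled" % fake_blob("ssh-rsa"[:0] + "ssh-dss"),
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE):
        print(finding)
```

Run it over /var/ssh/root/authorized_keys (and any other account's file) on the BIG-IP: the verdict is taken from the blob, so a DSA key that has been relabelled ssh-rsa is still reported, and the quoted options field is not mistaken for a key type.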
703702 : Fixed iControl REST not listing GTM Listeners
Component: Global Traffic Manager (DNS)
Symptoms:
When using iControl REST to get a list of GTM Listeners, no listeners will be returned.
Conditions:
Use iControl REST to get a list of GTM Listeners
Impact:
Cannot get a list of GTM Listeners by iControl REST
Workaround:
Use iControl REST to get a list of all LTM Virtual Servers, and then look for virtual-servers with a DNS Profile
Fix:
Fixed issue preventing iControl REST from returning a list of GTM Listeners
703669-2 : Eventd restarts on NULL pointer access
Component: TMOS
Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.
Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.
Impact:
Causes eventd to crash.
Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
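The read loop described above is a general chunked-I/O pitfall, so the Python below, added as an example and not F5's eventd code, reproduces it against an in-memory file: a loader that recognises end-of-file only after a short read hands a zero-length buffer to the parser when the file size is an exact multiple of the chunk size, while a loader that tests for an empty read first does not. The parser stand-in, the sample file contents and the function names are constructed for the example; pad_if_needed implements the documented whitespace workaround.

```python
import io

CHUNK = 1024


def feed_parser(state: dict, data: bytes) -> None:
    """Stand-in for the XML parser (constructed): faulting on an empty buffer
    is the behaviour that made eventd restart."""
    if not data:
        raise ValueError("parser handed an empty buffer")
    state["bytes"] += len(data)
    state["calls"] += 1


def load_buggy(stream, state: dict) -> None:
    """EOF is only recognised after a short read, so a file whose size is an
    exact multiple of CHUNK triggers one more read that returns b'' and is
    still passed to the parser."""
    while True:
        data = stream.read(CHUNK)
        feed_parser(state, data)       # no zero-length check
        if len(data) < CHUNK:
            break


def load_fixed(stream, state: dict) -> None:
    """Check for a zero-length read before involving the parser."""
    while True:
        data = stream.read(CHUNK)
        if not data:
            break
        feed_parser(state, data)


def run(loader, content: bytes):
    """Run a loader over in-memory content; return the parser state, or a
    crash string if the parser faulted."""
    state = {"bytes": 0, "calls": 0}
    try:
        loader(io.BytesIO(content), state)
    except ValueError as exc:
        return "crash: %s" % exc
    return state


def sample_config(size: int) -> bytes:
    """Constructed eventd.xml stand-in, whitespace-padded to exactly `size` bytes."""
    head, tail = b"<eventd>", b"</eventd>\n"
    return head + b" " * (size - len(head) - len(tail)) + tail


def pad_if_needed(content: bytes) -> bytes:
    """The documented workaround: add whitespace so the size is not a multiple of 1024."""
    return (content + b"\n") if len(content) % CHUNK == 0 else content


if __name__ == "__main__":
    print("2048-byte file, buggy loop:", run(load_buggy, sample_config(2048)))
    print("2048-byte file, fixed loop:", run(load_fixed, sample_config(2048)))
    print("after padding, buggy loop: ", run(load_buggy, pad_if_needed(sample_config(2048))))
```

On a real system the check is simply whether stat -c %s /config/eventd.xml is divisible by 1024; the same loop shape is worth looking for in any daemon that feeds a parser from fixed-size reads.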
703580-1 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
Component: Local Traffic Manager
Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)
Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.
Impact:
TLS1.1 handshake fails on the guest.
Workaround:
Use the same software version on the vCMP host and vCMP guests.
Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.
703545-1 : DNS::return iRule "loop" checking disabled
Component: Global Traffic Manager (DNS)
Symptoms:
In ID 517347, checking was added to attempt to detect infinite loops caused by improper use of the DNS::return iRule command.
This is occasionally catching false positive loops resulting in connections being dropped incorrectly.
Conditions:
A virtual with a DNS profile that is using the udp profile instead of the udp_gtm_dns profile. An iRule that uses the DNS::return command.
Impact:
If a loop is erroneously detected, the connection will be dropped.
Workaround:
Where possible use the udp_gtm_dns profile instead of udp on virtuals with a DNS profile.
Where possible, use a "return" command immediately after the "DNS::return" command to prevent accidentally calling DNS::return multiple times.
Fix:
The loop detection logic has been removed.
703517 : TMM may crash when processing TCP DNS traffic
Solution Article: K23520761
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, when processing TCP DNS traffic, TMM may crash
Conditions:
DNS profile enabled
TCP profile enabled
AVR enabled
ASM enabled
Impact:
TMM crash, leading to a failover event.
Fix:
TMM processes TCP DNS traffic as expected
703515-3 : MRF SIP LB - Message corruption when using custom persistence key
Solution Article: K44933323
Component: Service Provider
Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.
Conditions:
Custom persistence key is not a multiple of 3 bytes
Impact:
The SIP request message may be corrupted when the via header is inserted.
Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.
Fix:
All persistence key lengths work as expected.
703429-2 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
Component: Access Policy Manager
Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.
Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.
Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.
Workaround:
None.
Fix:
System now provides valid data to Citrix Receiver for Android client.
703298-2 : Licensing and phonehome_upload are not using the sync'd key/certificate
Component: TMOS
Symptoms:
After config-sync, the secondary unit's key passphrase does not decrypt the cached key file.
Conditions:
The original file for f5_api_com.key is used instead of the cached file.
Impact:
phonehome_upload will fail on the secondary unit because the passphrase doesn't match the key file.
Workaround:
After sync, copy the cached key file from the filestore over /config/ssl/ssl.key/f5_api_com.key using the following commands (xxxx is the suffix present on your system):
# cd /config/filestore/files_d/Common_d/certificate_key_d
# cp -a :Common:f5_api_com.key_xxxx /config/ssl/ssl.key/f5_api_com.key
Once /config/ssl/ssl.key/f5_api_com.key is in sync, loading the config with either the cached or the un-cached file works.
Fix:
The system now removes the source-path files and keeps only the cache-path files. phonehome_upload now works on the standby unit after a config-sync. Because the source-path files, which are not synced, are no longer present, there is no danger of reloading them.
703266-2 : Potential MCP memory leak in LTM policy compile code
Component: Local Traffic Manager
Symptoms:
A failure in processing an LTM policy may result in an MCP memory leak.
Conditions:
When Centralized Policy Management (CPM) fails to process LTM policy
Impact:
MCP memory leak
Workaround:
There is no workaround at this time.
Fix:
This fix handles a rare MCP memory leak that may occur if CPM fails to process an LTM policy.
703233 : Some filters don't work in Security->Reporting->URL Latencies page
Component: Application Visibility and Reporting
Symptoms:
If a filter by Virtual Server or URL is applied on the Security->Reporting->URL Latencies page, the data is not filtered.
Conditions:
No special condition.
Impact:
It is impossible to filter data on the aforementioned page.
Workaround:
There is no workaround at this time.
Fix:
An incorrect SQL query was applied to the statistics database upon such data request. The SQL query is fixed.
703208-1 : PingAccessAgent causes TMM core
Component: Access Policy Manager
Symptoms:
PingAccessAgent can cause TMM to core due to accessing freed memory.
Conditions:
This occurs in an edge case; the exact steps are still under investigation. The suspicion is that the client aborts the connection while the TMM PingAccessAgent module is still awaiting a response from the PingAccessAgent back-end server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
703191-2 : HTTP2 requests may contain invalid headers when sent to servers
Component: Local Traffic Manager
Symptoms:
HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.
Conditions:
-- Virtual server has the HTTP/2 profile assigned.
-- Client and the BIG-IP system negotiate/use HTTP/2.
Impact:
HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.
Workaround:
There is no workaround other than to remove the HTTP/2 profile from the virtual server.
703171-1 : High CPU usage for apmd, localdbmgr and oauth processes
Component: Access Policy Manager
Symptoms:
High CPU Usage for apmd, localdbmgr, and oauthd with large configurations.
Conditions:
-- APM provisioned.
-- BIG-IP has a large configuration (i.e., a large number of virtual servers).
-- One of the following:
+ A full config sync happens from one device (with a large configuration) to another device.
+ When loading BIG-IP configurations that contain a large number of virtual servers.
Impact:
Depending on the operation:
+ The process on the second device exhibits high CPU usage
+ The loading device exhibits high CPU usage.
APM end user traffic might not be processed by APM until it is done processing all the config changes. The amount of time service is down depends on how large the configuration is.
Workaround:
None.
Fix:
Startup processing of apmd, localdbmgr, and oauthd have been optimized to reduce the CPU usage.
703045-1 : If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.
Component: TMOS
Symptoms:
TMSH commands with deprecated attributes will fail if used in iApp.
Conditions:
TMSH commands with deprecated attributes fail when used in an iApp, whether the iApp is activated during the upgrade process or run as an iApp service from the user interface.
Impact:
The TMSH commands do not execute; for example, a create command results in no objects (e.g., monitor, virtual server) being created.
Workaround:
Avoid deprecated attributes of the object in the iApp.
Fix:
All TMSH commands now handle deprecated attributes of objects consistently across the TMSH command line, CLI scripts, and iApps:
- TMSH commands run to full execution, emitting only a warning message.
- Full execution means that the object action is executed without error, and nothing is silently skipped.
702946-3 : Added option to reset staging period for signatures
Component: Application Security Manager
Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.
Conditions:
Staging enabled for signatures in policy.
Impact:
The system suggests enforcing the signature before any traffic has had a chance to influence this decision.
Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.
Note: Apply policy is required between actions.
Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.
702936-1 : TMM SIGSEGV under specific conditions.
Component: Anomaly Detection Services
Symptoms:
TMM SIGSEGV (tmm crash) when running heavy traffic with LTM, ASM, AVR, and FPS provisioned and span port enabled.
Conditions:
-- LTM, ASM, AVR, and FPS are provisioned.
-- Span port is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue no longer occurs.
702792-1 : Upgrade creates Server SSL profiles with invalid cipher strings
Solution Article: K82327396
Component: Local Traffic Manager
Symptoms:
Upgrade of BIG-IP creates Server SSL profiles for custom HTTPS monitors that may have an invalid Ciphers attribute. This does not prevent the configuration from loading, but attempting to modify the existing SSL profile or create a new one with matching configuration fails with the following message:
01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile
Conditions:
Custom HTTPS monitors configured prior to an upgrade result in these profiles being created during the upgrade.
The default HTTPS cipherlist is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list, but is not a valid Client SSL / Server SSL cipher list.
Impact:
Upgrade creates configurations that are challenging to manage as a result of MCPD validation.
Workaround:
Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations.
For instance, use "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".
Fix:
Upgrade no longer creates Server SSL profiles with invalid cipher strings.
702738-1 : Tmm might crash activating new blob when changing firewall rules
Solution Article: K32181540
Component: Advanced Firewall Manager
Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.
Conditions:
Updating, removing, or adding firewall rules.
Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.
Impact:
Data traffic processing stops.
Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).
Option B
Modify all the rules simultaneously.
For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }
4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.
Fix:
TMM no longer crashes when changing firewall rules.
702705-2 : Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile
Component: Policy Enforcement Manager
Symptoms:
Tmm may halt and restart when RADIUS Authentication is configured in DHCP profile.
Conditions:
1. RADIUS Authentication is configured in a DHCP profile.
2. DHCP response does not have proper info.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
This version handles these conditions, so tmm does not halt and restart.
702520-2 : Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
Solution Article: K53330514
Component: TMOS
Symptoms:
BIG-IP fails to reattach floating addresses to local interfaces during failover, when two or more objects are configured with the same IP address in a given traffic group.
Failover fails with the following error in /var/log/ltm: err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): <IP address> <the same IP address> on interface <eni address>.
Conditions:
-- AZ AWS failover.
-- Same IP address is used for two or more virtual addresses, self IPs, NAT, SNAT translation.
Note: Having two virtual servers with the same IP address (but different ports) does not cause the problem. Also, there is no conflict when using the same IP address for different traffic groups.
Impact:
Failover will fail; some or all IP addresses will not be transferred to the active BIG-IP system.
Workaround:
The only workaround is to change the configuration to use unique IP addresses for conflicting objects.
Fix:
This issue has been resolved.
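Before relying on the fix, it is worth checking a configuration for the condition described above, because the conflict is not obvious from the virtual-server list (two virtual servers on one IP with different ports share a single virtual-address object and are fine; a virtual address, self IP, NAT or SNAT translation on that same IP in the same traffic group is not). The Python below is an added example, not F5 tooling: it takes a constructed inventory of address-bearing objects (field names are this example's own; a real pre-check would build it from tmsh list output), groups them by traffic group and address, and reports every address claimed by more than one object in one traffic group. It treats a %0 suffix and no suffix as the same default route domain, which is an assumption of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory. Virtual servers are represented by their virtual-address
# object, so two virtual servers on one IP with different ports are one entry.
OBJECTS = [
    {"kind": "virtual-address",  "name": "/Common/10.0.1.10",       "address": "10.0.1.10",    "traffic_group": "traffic-group-1"},
    {"kind": "snat-translation", "name": "/Common/snat-10.0.1.10",  "address": "10.0.1.10",    "traffic_group": "traffic-group-1"},
    {"kind": "virtual-address",  "name": "/Common/10.0.1.11",       "address": "10.0.1.11",    "traffic_group": "traffic-group-1"},
    {"kind": "self-ip",          "name": "/Common/10.0.1.11-float", "address": "10.0.1.11",    "traffic_group": "traffic-group-2"},
    {"kind": "virtual-address",  "name": "/Common/10.0.1.12",       "address": "10.0.1.12%0",  "traffic_group": "traffic-group-1"},
    {"kind": "nat",              "name": "/Common/nat-12",          "address": "10.0.1.12",    "traffic_group": "traffic-group-1"},
    {"kind": "virtual-address",  "name": "/Common/v6-app",          "address": "2001:db8::10", "traffic_group": "traffic-group-2"},
]


def normalize(address: str):
    """Return (ip, route_domain). '%0' and no suffix are the same default
    domain (assumption); IPv6 is canonicalised so textual variants compare equal."""
    ip, _, rd = address.partition("%")
    return ipaddress.ip_address(ip), int(rd) if rd else 0


def find_conflicts(objects) -> list:
    """Group by (traffic group, address) and return (traffic_group, address,
    sorted object names) for every address with more than one claimant in the
    same traffic group. Identical addresses in different traffic groups are
    not a conflict, matching the note in the release entry."""
    groups = defaultdict(list)
    for obj in objects:
        groups[(obj["traffic_group"], normalize(obj["address"]))].append(obj["name"])

    def order(item):
        (tg, (ip, rd)), _names = item
        return (tg, ip.version, int(ip), rd)

    conflicts = []
    for (tg, (ip, rd)), names in sorted(groups.items(), key=order):
        if len(names) > 1:
            shown = ip.compressed if rd == 0 else "%s%%%d" % (ip.compressed, rd)
            conflicts.append((tg, shown, sorted(names)))
    return conflicts


if __name__ == "__main__":
    for tg, address, names in find_conflicts(OBJECTS):
        print("%s: %s claimed by %s" % (tg, address, ", ".join(names)))
```

Any row the check prints is an address the aws-failover-tgactive.sh script would try to reassign more than once on an affected build; give one of the objects a unique address, or move it to a different traffic group, before the next failover.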
702487-3 : AD/LDAP admins with spaces in names are not supported
Component: Access Policy Manager
Symptoms:
If an administrator is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.
Note: Names containing spaces are not supported on BIG-IP systems.
Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.
Impact:
VPE, import/export/copy/delete do not work.
Workaround:
There is no workaround other than to not use admin names containing spaces.
Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.
702457-2 : DNS Cache connections remain open indefinitely
Component: Global Traffic Manager (DNS)
Symptoms:
Resizing or clearing the DNS cache while a lot of traffic is running can cause numerous connections to remain open indefinitely.
Conditions:
Resize or clear the DNS cache while it is resolving connections.
Impact:
Connections remain open forever, consuming memory.
Workaround:
If you are encountering this, you can remove these connections by restarting tmm:
tmsh restart sys service tmm
Impact of workaround: restarting tmm causes a traffic disruption.
Fix:
Fixed an issue where the DNS Cache would keep connections open indefinitely when clearing or resizing a cache with active resolutions occurring.
702450-1 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion at the error message.
Workaround:
There is no workaround at this time.
Fix:
Made the error message accurately reflect what the user was attempting to delete.
702439 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Solution Article: K04964898
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
Fix:
The HTTP/2 filter correctly handles the dynamic header table resize notifications triggered by a non-default header table size. Streams will not be reset with a RST_STREAM error.
Additionally, the BIG-IP system will now send the correct number of dynamic header table resize notifications when the table is resized by the client multiple times between header blocks.
702419 : Protocol Inspection needs add-on license to work
Component: Protocol Inspection
Symptoms:
Protocol Inspection does not work.
Conditions:
-- AFM is licensed and provisioned through a 'Good' or 'Better' license, but there is no add-on subscription license for Protocol Inspection. Alternatively, AFM is licensed as an add-on module to another module (typically LTM).
-- Protocol Inspection profile configured and applied to a Virtual Server or referenced in a firewall rule in an active firewall policy.
-- Upgrade to 13.1.0.3 or later.
-- Attempt to use Protocol Inspection functionality.
Impact:
Protocol Inspection functions that used to work no longer work.
Workaround:
Activate an add-on subscription or obtain an AFM standalone license. Protocol Inspection functionality now requires one of these.
Fix:
Protocol Inspection now requires an add-on license to work.
Note: If you previously had Protocol Inspection configured without an add-on license installed, the features are not applied to traffic until the add-on license is obtained, even though the interface allows you to configure them.
Behavior Change:
The Protocol Inspection (PI) Intrusion Detection and Prevention System functionality now requires either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license no longer enables the PI features.
Note: The Configuration Utility allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied. The operations simply fail silently.
702278-2 : Potential XSS security exposure on APM logon page.
Component: Access Policy Manager
Symptoms:
Potential XSS security exposure on APM logon page.
Conditions:
-- An LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by an AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.
Impact:
Potential XSS security exposure.
Workaround:
1. Using the APM Advanced Customization UI, remove the setOrigUriLink(); call in logon.inc from the following JS function:
function OnLoad()
{
var header = document.getElementById("credentials_table_header");
var softTokenHeaderStr = getSoftTokenPrompt();
if ( softTokenHeaderStr ) {
header.innerHTML = softTokenHeaderStr;
}
setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
// ===> REMOVE THIS ONE setOrigUriLink();
----
Fix:
Potential security exposure has been removed from APM logon page.
702263-1 : An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading.
Component: Access Policy Manager
Symptoms:
Using a SAML SP-initiated use case (APM is the IdP) with a large Access Policy that has 200 or more SAML resources assigned to users, each time a new SAML resource is added to that Access Policy, the entire SSO service becomes unusable. No new sessions can be established. The system generates internal metadata that consists of the names of all the SAML resources along with its SSO name. This metadata is limited to 4 KB in size. When this limit is reached, the system logs errors similar to the following:
-- err tmm3[15840]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_TOOBIG. File: ../modules/hudfilter/access/access.c, Function: access_create_saml_meta_data, Line: 21001
-- err tmm3[15840]: 014d1014:3: /Common/SAML_SSO_access:Common:7a34161c:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.
Conditions:
A SAML SSO Access policy has a large number of SAML Resources assigned to it (such that the combined length of their names is greater-than-or-equal-to 4 KB).
Impact:
The system logs an error when running the Access Policy, and the whole SSO service becomes unusable. No new sessions can be established.
Workaround:
Delete any unused SAML resources from SAML SSO access policy so that the combined length of the names of all SAML resources assigned to Access policy is less than 4 KB.
Fix:
The system now allocates memory dynamically for the internally stored metadata, so it can handle large lists of assigned SAML resource objects.
702232-1 : TMM may crash while processing FastL4 TCP traffic
Solution Article: K25573437
702227-3 : Memory leak in TMSH load sys config
Component: TMOS
Symptoms:
When loading a configuration, either through tmsh load sys config or the corresponding iControl REST command, the TMSH or icrd_child processes can leak memory.
Conditions:
When configuration is loaded via TMSH or iControl REST.
Impact:
The TMSH process memory or icrd_child process memory continues to grow every time the config is loaded.
Workaround:
If memory consumption grows in the TMSH process, restart the TMSH process.
If memory consumption grows in iControl REST, restart the REST service using the following command: bigstart restart restjavad.
Fix:
There is no longer a memory leak when loading configuration in TMSH or iControl REST.
702222-1 : RADIUS and SecurID Auth fails with empty password
Component: Access Policy Manager
Symptoms:
If the password value is empty, the following error message is logged in /var/log/apm:
err apmd[14259]: 014902f0:3: /Common/profile_name:Common:eb69a5gd: RADIUS Agent: Failed to read Password Source session variable:
Conditions:
This occurs only when the following conditions are met:
- A RADIUS or SecurID auth agent is included in the access policy.
- An empty password value is used for authentication.
Impact:
User may not be authenticated.
Workaround:
- Add a variable assignment agent before the RADIUS/SecurID auth agent in the access policy.
- Set 'session.logon.last.password' (or whatever password source is used for authentication) to a random value.
Fix:
The RADIUS/SecurID auth agent now allows an empty password value for authentication.
702151-1 : HTTP/2 can garble large headers
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.
Impact:
The garbled header may no longer conform to the HPACK specification, causing the connection to be dropped. Alternatively, the garbled header may be well formed but contain incorrect data.
Fix:
The HTTP/2 filter correctly encodes large HTTP headers.
702008-1 : ASM REST: Missing DB Cleanup for some tables
Component: Application Security Manager
Symptoms:
Finished REST tasks that are not deleted by the client that initiated them are meant to be cleaned periodically. Certain tasks are not included in this cleanup job.
Conditions:
The following tasks are not reaped automatically if left uncleaned by the REST client that initiated them:
From 13.0.x:
-- /mgmt/tm/asm/tasks/apply-server-technologies
-- /mgmt/tm/asm/tasks/bulk
-- /mgmt/tm/asm/tasks/export-policy-template
-- /mgmt/tm/asm/tasks/export-requests
-- /mgmt/tm/asm/tasks/import-policy-template
From 13.1.0:
-- /mgmt/tm/asm/tasks/export-data-protection
-- /mgmt/tm/asm/tasks/import-data-protection
-- /mgmt/tm/asm/tasks/import-certificate
-- /mgmt/tm/asm/tasks/policy-diff
-- /mgmt/tm/asm/tasks/policy-merge
-- /mgmt/tm/asm/tasks/update-enforcer
Impact:
DB space usage grows with each ASM REST task that is not cleaned up.
Workaround:
REST Clients that initiate tasks can delete them after verifying the task has reached a final state.
Fix:
REST tasks left behind are now pruned by the DB Cleanup process.
701889-1 : Setting log.ivs.level or log-config filter level to informational causes crash
Component: Service Provider
Symptoms:
Certain log messages for an internal virtual server (IVS) at the 'informational' log level cause TMM to crash when they are logged. The messages are logged at the end of an HTTP transaction to or from an IVS.
Conditions:
Informational-level logging is enabled:
- sys db log.ivs.level informational or
- log-config filter level set to info
A transaction that passes HTTP to/from an internal virtual server.
Impact:
TMM crashes and restarts, causing loss of connections.
Workaround:
Avoid setting log.ivs.level to 'informational' or higher, or the log-config filter level to 'info' or higher. By default the level is 'error', which does not trigger the bug.
Fix:
Informational messages for internal virtual server (IVS) are logged as expected and TMM does not crash.
701856-1 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
Component: Application Security Manager
Symptoms:
In rare circumstances, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.
Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).
Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.
Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl
Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.
701841-2 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
Component: Application Security Manager
Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz, is saved unnecessarily during UCS file save, and consumes /var disk space.
Conditions:
UCS file is saved.
Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.
Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.
Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.
701826 : qkview upload to ihealth fails or unable to untar qkview file
Component: TMOS
Symptoms:
qkview upload to iHealth fails, or the qkview file cannot be untarred.
Conditions:
When the qkview file is untarred, it creates the same directory name repeatedly in a loop, as shown below, and fails to untar successfully.
.../dir1/
.../dir1/dir1/
.../dir1/dir1/dir1/
...
This happens due to a dangling symlink, dir1, which points to nothing:
[root@localhost:Active:Standalone] config # ls -l /config/bigip/auth/pam.d/dir1
lrwxrwxrwx. 1 root root 64 2018-01-30 08:56 /config/bigip/auth/pam.d/dir1 ->
[root@localhost:Active:Standalone] config # stat /config/bigip/auth/pam.d/dir1
File: `/config/bigip/auth/pam.d/dir1' -> `'
Size: 64 Blocks: 8 IO Block: 4096 symbolic link
Device: fd16h/64790d Inode: 112045 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-01-30 08:56:20.000000000 -0800
Modify: 2018-01-30 08:56:20.000000000 -0800
Change: 2018-01-31 08:39:35.000000000 -0800
[root@localhost:Active:Standalone] config #
Impact:
The qkview cannot be untarred, or the qkview upload to iHealth fails.
Workaround:
Identify and delete the dangling symlink. Then generate the qkview (or use iHealth to generate it) and upload it to iHealth.
Fix:
The qkview tool now identifies dangling symlinks and handles them safely to avoid looping.
701800-2 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
Component: Access Policy Manager
Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.
Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.
Impact:
RDP resource cannot be launched.
Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1
Fix:
SSO-enabled native RDP resources now can be launched from APM Webtop with Mac RDP client 10.2.0.
701792-2 : JS Injection into cached HTML response causes TCP RST on the fictive URLs
Component: Application Security Manager
Symptoms:
A TCP RST is sent when a browser requests a fictive URL that starts with either of the following strings:
-- /TSPD/xxx...xxx?type=x
-- /TSbd/xxx...xxx?type=x
Conditions:
This occurs in either of the following scenarios:
-- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal.
-- DoS profile with Single Page Application enabled is attached to a virtual server.
Impact:
CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.
Workaround:
Use an iRule to disable caching for HTML pages where a fictive URL is injected.
Fix:
The system now disables caching (via response headers) for HTML responses where a fictive URL is injected.
701785-2 : Linux kernel vulnerability: CVE-2017-18017
Solution Article: K18352029
701740-1 : apmd leaks memory when updating Access V2 policy
Component: Access Policy Manager
Symptoms:
A small leak occurs in the apmd process when processing mcp notifications about configuration updates.
Conditions:
-- An Access Policy configuration is changed.
-- apmd receives a notification about the change.
Impact:
apmd grows in size very slowly. The issue does not have any immediate and significant impact on BIG-IP system functionality.
Workaround:
There is no workaround at this time.
Fix:
apmd no longer leaks a small amount of memory when processing MCP notifications.
701737-1 : apmd may leak memory on destroying Kerberos cache
Component: Access Policy Manager
Symptoms:
apmd leaks memory in the AD Query agent.
Conditions:
The leak happens in response to any of the following conditions:
-- A Kerberos cache reset is requested (any of the caches - GROUP/PSO/KERBEROS).
-- Changes to the associated AAA AD Server were made and a new Access Policy is applied.
-- AD Query was unable to perform ldap_bind to the KDC, and the error is NOT a timeout (e.g., invalid administrator password).
Impact:
apmd leaks memory and might cause unstable behavior.
The apmd process, or some other daemon may be killed by OOM killer when it tries to allocate memory.
Workaround:
There is no workaround at this time.
Fix:
AD Query agent no longer causes apmd memory leak during group cache update.
701736-1 : Memory leak in Machine Certificate Check agent of the apmd process
Component: Access Policy Manager
Symptoms:
The apmd process leaks memory in the Machine Certificate Check agent.
Conditions:
Machine Certificate Check agent is configured in an Access Policy.
Impact:
apmd may grow in size. This may lead to the apmd process, or another process, being killed by the OOM killer.
Workaround:
There is no workaround at this time.
Fix:
An apmd memory leak in the Machine Certificate Check agent has been fixed.
701690-1 : Fragmented ICMP forwarded with incorrect icmp checksum
Solution Article: K53819652
Component: Local Traffic Manager
Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.
Conditions:
A FastL4 virtual server able to pass ICMP (ip-protocol ICMP or any), or a SNAT/NAT, receives a fragmented ICMP packet that is expected to be passed through the virtual server (or SNAT or NAT).
Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.
Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.
701678-2 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
Component: Local Traffic Manager
Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.
Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.
Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.
Workaround:
None.
Fix:
UDP rate-limited virtual server now correctly sends packets to the server.
701639-1 : Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.
Component: Access Policy Manager
Symptoms:
Session variables in Requested Authentication Context Class in SP do not get resolved when the Authentication Request is generated by the BIG-IP system as SP. They are sent as is. This is a behavior change from v12.1.2/v12.1.3/v13.0.0, where the value gets substituted in the SP's AuthnRequest sent to the IdP.
Conditions:
On configuring Requested Authentication Context Class in SP to define a session variable similar to the following:
%{session.client.type}
Impact:
The generated Authentication Request does not have the session variable resolved. The string is sent as is. The Authentication Request fails and the session cannot be established.
Workaround:
None.
Fix:
The system now resolves the session variable in the configured Authentication Context Class for SP while generating the Authentication Request.
701637 : Crash in bcm56xxd during TMM failover
Component: Advanced Firewall Manager
Symptoms:
During a TMM failover, such as after an upgrade to a later version of software, bcm56xxd might crash.
Conditions:
TMM failover.
Impact:
Restart of bcm56xxd; temporary loss of network connectivity.
Workaround:
There is no workaround at this time.
Fix:
Bcm56xxd no longer crashes and restarts on a TMM failover.
701626-2 : GUI resets custom Certificate Key Chain in child client SSL profile
Solution Article: K16465222
Component: TMOS
Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).
Conditions:
This happens in the following scenario:
1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.
Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.
Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets the value of inherit-certkeychain to false, preventing the issue from occurring.
You can also use tmsh to update parent profile settings to avoid the occurrence of this issue.
Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.
701538-2 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
Component: Local Traffic Manager
Symptoms:
SSL handshake fails if the client initiates the handshake with TLS false start (specifically, the client sends SSL record data to the server before the server has sent its ChangeCipherSpec and Finished messages).
Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is the default for non-virtual edition (VE) versions).
Impact:
The BIG-IP system sends a RST to tear down the connection when TLS false start is used.
Workaround:
There are no true workarounds. You must disable one of the conditions to work around the issue:
-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not try to use TLS false start and can still use (EC)DHE.
Fix:
The system no longer processes application data before verifying that the finished message arrives and handshake is complete.
701447-1 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
701445-1 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
701359-4 : BIND vulnerability CVE-2017-3145
Solution Article: K08613310
701327-2 : failed configuration deletion may cause unwanted bd exit
Component: Application Security Manager
Symptoms:
Immediately after the deletion of a configuration fails, bd exits.
Conditions:
When deleting a configuration fails.
Impact:
Unwanted bd restart.
Workaround:
None.
Fix:
bd now exits upon a failed configuration deletion only when configured to exit on failure.
701288-1 : Server health significantly increases during DoSL7 TPS prevention
Component: Anomaly Detection Services
Symptoms:
Mitigation of DoSL7 TPS affects server health value.
Conditions:
-- DoSL7 TPS configured together with BADOS.
-- DoSL7 TPS is active.
Impact:
-- Incorrect Server Health reporting.
-- Might activate Behavioral DoS (BADoS) false-attack detection when attacks mitigated by DoSL7 TPS are stopped.
Workaround:
None.
Fix:
Server health now displays the actual backend server state, and does not incorrectly grow.
701253-5 : TMM core when using MPTCP
Solution Article: K16248201
701249-1 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
701244-1 : An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT
Solution Article: K81742541
Component: Local Traffic Manager
Symptoms:
TMM receives SIGABRT from failover daemon, sod, due to heartbeat failure shortly after TMM starts up.
Conditions:
In some rare scenarios, TCP fast open encrypt/decrypt key may not be properly initialized when traffic comes into the BIG-IP system.
Impact:
Multiple TMM threads can get into a loop, causing heartbeat failure. TMM restarts, and traffic is disrupted while it restarts.
Workaround:
None.
Fix:
The incorrect data manipulation in cipher encrypt and decrypt has been fixed.
701202-3 : SSL memory corruption
Solution Article: K35023432
Component: Local Traffic Manager
Symptoms:
In some instances, random memory can be corrupted, causing a TMM core.
Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.
Impact:
TMM crash, disrupting traffic.
Workaround:
There is no workaround at this time.
Fix:
The memory corruption issue has been fixed.
701147-2 : ProxySSL does not work properly with Extended Master Secret and OCSP
Solution Article: K36563645
Component: Local Traffic Manager
Symptoms:
SSL handshake fails if the BIG-IP system is operating in ProxySSL mode, while client and server negotiate to use the Extended Master Secret and OCSP features together.
Conditions:
1. Virtual server is configured to work in ProxySSL mode.
2. Client and server negotiate the SSL handshake with the Extended Master Secret.
3. Client and Server negotiate to use the OCSP.
Impact:
ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.
Workaround:
None.
Fix:
Included the certificate status message in the calculation of Extended Master Secret.
701056-1 : User is not able to reset their Active Directory password
Component: Access Policy Manager
Symptoms:
When Active Directory is used for authenticating APM users and the user is required to change password on next APM logon, APM fails to update the password.
Conditions:
- APM is licensed and provisioned
- Active Directory is used for authenticating the users
- When logging on to APM, user is asked to change the password
Impact:
User is not able to change the password.
Workaround:
There is no workaround.
Fix:
APM end users can now successfully reset the password.
700895-1 : GUI Network Map objects in subfolders are not being shown
Solution Article: K34944451
Component: TMOS
Symptoms:
Objects created in subfolders under a partition are not showing up in the GUI Network Map when selecting the partition.
Conditions:
-- Create a virtual server under a subfolder.
-- View Network Map while /Common is the active partition.
For example:
1. Create a subfolder such as /Common/subfolder.
2. In that subfolder, create a virtual server such as /Common/subfolder/virtualserver1.
3. Select /Common as the partition.
4. View the Network Map.
The virtual server /Common/subfolder/virtualserver1 is not shown on the Network Map.
Impact:
Cannot see the objects in the subfolder.
Workaround:
Select the partition 'All[Read Only]' to see all objects in subfolders.
700889-3 : Software syncookies without TCP TS improperly include TCP options that are not encoded
Solution Article: K07330445
Component: Local Traffic Manager
Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field, which is not sent. When the final ACK of the three-way handshake (3WHS) arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This leaves the client believing that the options are enabled and the BIG-IP system believing that they are not.
Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.
Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not use WS in this case, and uses the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it has filled the window) and wait for a response.
Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.
Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.
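The mismatch described above, as an added example that is not part of the release note or F5's code: a model of a stateless SYN-cookie server that carries the negotiated window-scale and SACK options in the timestamp, showing why client and server beliefs diverge when the client sends no timestamp, and how the fix (tying WS/SACK to the presence of a timestamp) restores consistency. The bit layout used for the encoding is an assumption, not F5's actual format.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Syn:
    wscale: Optional[int]   # window-scale shift offered by the client (None = not offered)
    sack_ok: bool
    tsval: Optional[int]    # None when the client sends no timestamp option


@dataclass(frozen=True)
class SynAck:
    wscale: Optional[int]
    sack_ok: bool
    tsval: Optional[int]    # assumed carrier for the encoded options (low bits)


@dataclass(frozen=True)
class Negotiated:
    wscale: Optional[int]
    sack_ok: bool


# Constructed layout (assumption): bits 0-3 hold wscale+1 (0 = no WS), bit 4 holds SACK.
def encode_opts(base_ts: int, wscale: Optional[int], sack_ok: bool) -> int:
    bits = 0 if wscale is None else (wscale + 1) & 0xF
    bits |= (1 << 4) if sack_ok else 0
    return ((base_ts >> 5) << 5) | bits


def decode_opts(tsecr: int) -> Negotiated:
    bits = tsecr & 0x1F
    ws = None if (bits & 0xF) == 0 else (bits & 0xF) - 1
    return Negotiated(ws, bool(bits & 0x10))


def build_synack(syn: Syn, base_ts: int, fixed: bool) -> SynAck:
    """Stateless SYN/ACK: no per-connection state is kept, so everything the
    server must remember has to ride in the cookie or the timestamp."""
    if fixed and syn.tsval is None:
        # Fixed behaviour: with no timestamp there is nowhere to encode WS/SACK,
        # so the server does not advertise them at all.
        return SynAck(wscale=None, sack_ok=False, tsval=None)
    ws = 7 if syn.wscale is not None else None
    sack = syn.sack_ok
    # Buggy behaviour: WS/SACK are advertised even though the encoding cannot be sent.
    ts = encode_opts(base_ts, ws, sack) if syn.tsval is not None else None
    return SynAck(ws, sack, ts)


def client_belief(synack: SynAck) -> Negotiated:
    """The client trusts whatever the SYN/ACK advertised."""
    return Negotiated(synack.wscale, synack.sack_ok)


def server_belief_on_final_ack(synack: SynAck) -> Negotiated:
    """Only the echoed timestamp (TSecr) survives into the final ACK; without
    it the server can only reconstruct 'no options negotiated'."""
    if synack.tsval is None:
        return Negotiated(None, False)
    return decode_opts(synack.tsval)


def handshake_consistent(syn: Syn, base_ts: int = 123456, fixed: bool = False) -> bool:
    """True when both ends agree on WS/SACK after the three-way handshake."""
    sa = build_synack(syn, base_ts, fixed)
    return client_belief(sa) == server_belief_on_final_ack(sa)


if __name__ == "__main__":
    ts_client = Syn(wscale=7, sack_ok=True, tsval=1000)
    no_ts_client = Syn(wscale=7, sack_ok=True, tsval=None)   # e.g. timestamps disabled
    print("with timestamps:       ", handshake_consistent(ts_client))
    print("no timestamps (buggy): ", handshake_consistent(no_ts_client))
    print("no timestamps (fixed): ", handshake_consistent(no_ts_client, fixed=True))
```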
700862-1 : tmm SIGFPE 'valid node'
Solution Article: K15130240
Component: Local Traffic Manager
Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.
Conditions:
The host is unreachable.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when the host is unreachable.
700827-4 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command: tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
For example, some servers always use randomly selected even source port numbers, so the 'stride' of the ports selected is 2: a sorted list of the ports looks like 2, 4, 6, 8 ... 32002, 32004, 'striding' over the odd ports.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
Fix:
This release introduces a new variable mhdag.pu.table.size.multiplier. Setting it to 2 or 3 mitigates the issue.
700812-1 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
Component: Application Security Manager
Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.
Conditions:
Try to deploy a qkview on a BIG-IP system using the asmrepro tool while the BIG-IP system has a 4-element version like 13.1.0.1.
Impact:
Cannot deploy a qkview from a 4-element version on a BIG-IP system using the asmrepro tool.
Workaround:
n/a
Fix:
asmrepro now handles the version number properly.
700757-1 : vcmpd may crash when it is exiting
Component: TMOS
Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:
err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create
It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:
umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy
Conditions:
vCMP must be in use.
Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.
Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:
tmsh restart sys service vcmpd
Fix:
Prevented vcmpd from crashing when exiting.
700726-2 : Search engine list was updated, and fixing case of multiple entries
Component: Application Security Manager
Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.
Conditions:
Site accessed by search engines.
Impact:
Traffic from search engines is blocked unnecessarily.
Workaround:
Manually add search engines.
Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.
700724-2 : Client connection with large number of HTTP requests may cause tmm to restart
Component: Access Policy Manager
Symptoms:
tmm may restart while processing a client request.
Conditions:
- A PingAccess profile is configured on the virtual server.
- The client connection sends over 64k HTTP requests that result in the BIG-IP system connecting to the PingAccess policy server.
Impact:
Traffic will be disrupted while TMM restarts.
Workaround:
Modify the HTTP profile used by the affected virtual server to set the 'maximum requests per connection' limit to less than 64k, e.g., 63000 or less.
Fix:
Traffic is no longer disrupted when the client sends over 64k uncached requests on the same TCP connection.
700696-1 : SSID does not cache fragmented Client Certificates correctly via iRule
Component: Local Traffic Manager
Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.
Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- An iRule that uses the CLIENTSSL_CLIENTCERT event is enabled.
Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.
Workaround:
Disable the iRule that uses the CLIENTSSL_CLIENTCERT event when SSL Session ID (SSID) persistence is in use. Even though the client certificate does not get cached, that is preferable to caching an incorrect client certificate.
Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).
700597-1 : Local Traffic Policy on HTTP/2 virtual server no longer matches
Component: Local Traffic Manager
Symptoms:
Local Traffic Policies may not match properly when a virtual server is handling HTTP/2 traffic.
Conditions:
Virtual server with Local Traffic Policy and HTTP/2 profile.
Impact:
Traffic fails to pass through the virtual server, or fails to be processed as expected.
Workaround:
If able, use HTTP rather than HTTP/2. Or disable the policy. Otherwise there is no workaround.
Fix:
Traffic is now processed as expected.
700576-1 : GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"
Component: TMOS
Symptoms:
In the GUI, the Server SSL profile options "Expire Certificate Response Control" and "Untrusted Certificate Response Control" are shown as stand-alone options, yet those settings are not honored when the "Server Certificate" option is set to "Ignore" (default).
Conditions:
Create a server SSL profile with the "Server Certificate" option set to "Ignore" (default).
The GUI shows the "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options, yet those settings are not honored.
Impact:
No functional impact, but it may cause confusion by allowing irrelevant options to be viewed and modified.
Workaround:
No functional impact. The "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options can be ignored when the "Server Certificate" option is set to "Ignore" (default).
Fix:
The "Expire Certificate Response Control" and "Untrusted Certificate Response Control" server SSL profile options are now hidden when the "Server Certificate" option is set to "Ignore" (default).
700571-4 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE
Component: Service Provider
Symptoms:
The BIG-IP SIP MR profile does not maintain the Via header 'branch' parameter ID when Via header insertion is enabled, between an INVITE and the CANCEL for that same INVITE.
Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport connection is used to issue the CANCEL.
Impact:
The result is different branch IDs in the BIG-IP system-generated Via header. The INVITE is only cancelled on the calling side, while on the called side the line rings until it times out.
Workaround:
None.
Fix:
The branch parameter value calculation now remains consistent throughout the connection.
700556-1 : TMM may crash when processing WebSockets data
Solution Article: K11718033
700527-3 : cmp-hash change can cause repeated iRule DNS-lookup hang
Component: Global Traffic Manager (DNS)
Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.
Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.
Impact:
The iRule call can hang repeatedly.
Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.
Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.
700522-1 : APMD may unexpectedly restart when worker threads are stuck
Component: Access Policy Manager
Symptoms:
APMD restarts and logs a message about all threads being stuck.
Conditions:
A race condition allows the busy thread count to remain higher than the actual value. If it reaches the maximum thread count, APMD will restart.
Impact:
APMD can restart unexpectedly.
Workaround:
There is no workaround.
Fix:
A rare APM timing condition leading to an unexpected restart of services has been corrected.
700433-1 : Memory leak when attaching an LTM policy to a virtual server
Solution Article: K10870739
Component: Local Traffic Manager
Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.
As a result of this issue, you may encounter one or more of the following symptoms:
-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.
-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.
Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.
Workaround:
None.
Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.
700426 : Switching partitions while viewing objects in GUI can result in empty list
Solution Article: K58033284
Component: TMOS
Symptoms:
In the LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in an empty list.
Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.
For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.
Impact:
The list of pools is empty despite the fact that there are pools available.
Workaround:
Return to the first page of objects before switching to any other partition.
Fix:
The system now resets to the first page if the page number is greater than the page count, so the partition's objects display correctly.
700393-3 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
Solution Article: K53464344
Component: Local Traffic Manager
Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.
Conditions:
HTTP/2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.
700386-2 : mcpd may dump core on startup
Component: TMOS
Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.
Conditions:
This can happen only at startup.
Impact:
mcpd restarts, but resumes normal operation.
Workaround:
None.
Fix:
mcpd no longer generates a core on startup.
700320 : tmm core under stress when BADOS configured and attack signatures enabled
Component: Anomaly Detection Services
Symptoms:
Tmm core under stress. Note: This issue has a very low probability of occurring.
Conditions:
-- Out of memory.
-- BADOS configured.
-- Attack signatures enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None, except to not configure attack signatures.
Fix:
Added protection for the case when the context adm_filters allocation fails.
700315-2 : Ctrl+C does not terminate TShark
Solution Article: K26130444
Component: TMOS
Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.
Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.
Impact:
TShark does not exit as expected when pressing CTRL+C.
Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process by running a command similar to the following: kill -9 `pidof tshark`
Fix:
Ctrl+C now terminates TShark as expected.
700250-3 : qkviews for secondary blade appear to be corrupt
Solution Article: K59327012
Component: TMOS
Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.
Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail
Impact:
The system posts the following messages:
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.
Workaround:
None.
Fix:
By not always writing an errant newline, the problem is solved.
700247 : APM Client Software may be missing after doing fresh install of BIG-IP VE
Solution Article: K60053504
Component: TMOS
Symptoms:
The APM client software check is broken in a VM created with BIG-IP-13.1.0.1.0.0.8.ALL-scsi.ova.
Conditions:
Any software instance created by deployment of any OVA for the affected software versions.
Impact:
-- APM endpoint inspection feature (for Mac, Windows, and Linux clients). [Users affected]
-- Configuration of the APM client software check in the APM Visual Policy Editor. [Admin UI]
-- APM Client package under Connectivity / VPN : Connectivity : Profiles, if you select the "Web Browser Add-ons for BIG-IP Edge Client" option. [Admin UI]
Workaround:
Try the "epsec refresh" command again after removing all environment locks on the shared RPM database, using the following commands:
rm /shared/lib/rpm/__db.*
epsec refresh
Fix:
After deployment of a new OVA for the fixed version(s), the problem no longer occurs.
700143-2 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
Component: Application Security Manager
Symptoms:
Attempting to delete request logs by a filter (10,000 at a time) only works once. Subsequent delete-by-filter actions do not remove additional earlier logs.
Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.
Impact:
Only the latest 10,000 events are deleted.
Workaround:
No workaround for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.
Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.
700090-2 : tmm crash during execution of a per-request policy when modified during execution.
Component: Access Policy Manager
Symptoms:
Modify/delete of per-request policy during heavy traffic flow causes tmm to crash.
Conditions:
-- A per-request policy (macro) is being executed.
-- An admin deletes the parent policy item at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not deleting per-request policies during heavy traffic flow.
Fix:
Per-request access policies edited during execution are now held until not in use, so this issue no longer occurs.
700086-1 : AWS C5/M5 Instances do not support BIG-IP VE
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.
Conditions:
BIG-IP VE on AWS C5/M5 instances.
Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.
Workaround:
None.
Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.
700061-4 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
Component: Local Traffic Manager
Symptoms:
Restarting the MCPD service or rebooting the BIG-IP device adds Unix 'other' read permission to key files.
Key file Unix permissions change from '-rw-r-----' to '-rw-r--r--'.
Conditions:
1. Restarting the MCPD service.
2. Rebooting the BIG-IP device.
Impact:
Key file Unix permissions change from '-rw-r-----' to '-rw-r--r--'.
Workaround:
There is no workaround at this time.
Fix:
Restarting the MCPD service or rebooting the device no longer changes key file Unix permissions from '-rw-r-----' to '-rw-r--r--'.
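A defender-side check for the permission drift described in this entry, added here as an example and not part of the F5 release notes: it reports regular files under a key directory whose mode grants 'other' read access (the '-rw-r--r--' state) and restores 0640. The directory path is a parameter, the sample key files are constructed placeholders, and the BIG-IP key location is not stated on this page, so supply it yourself.

```shell
#!/bin/sh
# Added example, not from the F5 release notes.
# Detects key files that have drifted from '-rw-r-----' to '-rw-r--r--'
# (other-readable) and restores the expected mode.

# Print every regular file under "$1" that is readable by 'other'.
# Returns 1 when at least one such file exists, 0 when the tree is clean.
find_world_readable_keys() {
    dir=$1
    # -perm -o=r matches any mode that includes the other-read bit.
    found=$(find "$dir" -type f -perm -o=r 2>/dev/null | sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Restore 0640 (owner rw, group r, other none) on every drifted key file.
fix_key_permissions() {
    dir=$1
    find "$dir" -type f -perm -o=r -exec chmod 0640 {} +
}

# Build a constructed sample tree in a temp dir: one correct key, one
# drifted key. The contents are placeholders, not real key material.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'placeholder-not-a-real-key\n' > "$d/default.key"
    printf 'placeholder-not-a-real-key\n' > "$d/app.key"
    chmod 0640 "$d/default.key"
    chmod 0644 "$d/app.key"   # the regression: 'other' can read it
    printf '%s\n' "$d"
}
```

Run find_world_readable_keys against the directory that holds your SSL keys after an MCPD restart or reboot; a non-zero exit with file names listed means the drift is present.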
700057-4 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
Component: Local Traffic Manager
Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.
Conditions:
Upgrade or load a .ucs with SSL keys configured.
Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.
Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config
Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.
700056-1 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
Component: Local Traffic Manager
Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.
Conditions:
- Virtual servers configured.
- Specific policies configured and attached to virtual servers.
Only policies configured in a specific way will trigger this situation. The specifics are not well understood, however, the vast majority of Local Traffic Policies are unaffected by this issue.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
There is no workaround.
Fix:
mcpd is responsive when an LTM Policy is attached to a virtual server, or when an already-attached policy is updated.
699720-1 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
Component: Application Security Manager
Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.
Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.
Impact:
ASM crash; system goes offline.
Workaround:
Use either of the following workarounds:
-- Remove remote logger.
-- Have response logging for illegal requests only.
Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.
699686-1 : localdbmgr can occasionally crash during shutdown
Component: Access Policy Manager
Symptoms:
When the localdbmgr process is restarted, it occasionally crashes and generates a core file.
Conditions:
-- APM is provisioned.
-- localdbmgr process is restarted.
Impact:
Although the process restarts, there is no impact to the APM functionality.
Workaround:
None.
Fix:
localdbmgr no longer crashes during shutdown.
699624-1 : Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade★
Component: Local Traffic Manager
Symptoms:
A configuration that contains custom 'SIP' or 'FirePass' monitors that is upgraded from a version earlier than v13.1.0 may either fail to load, or may result in a configuration that loads the first time after the upgrade, but cannot be re-loaded from the text config files.
If the BIG-IP system has partitions other than 'Common', the initial configuration load may fail with an error such as:
01070726:3: monitor /Common/sip-monitor in partition Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition
If the BIG-IP system only has a 'Common' partition, the initial configuration load will succeed, but subsequent attempts to load the configuration (e.g., 'tmsh load sys config') may fail with this error:
Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property
Which corresponds to a SIP or FirePass monitor in the configuration such as:
ltm monitor sip /Common/test_sip_monitor {
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
debug no
defaults-from /Common/sip
destination *:*
filter 488
interval 5
mode tcp
time-until-up 0
timeout 16
user-defined SSL_PROFILE_NAME /Common/test_sip_monitor_ssl_profile
}
Conditions:
Custom 'SIP' or 'FirePass' monitor is configured, and the config is upgraded from a version earlier than v13.1.0 to version v13.1.0.
Impact:
After upgrade, the configuration fails to load with an error such as:
01070726:3: monitor /Common/sip-monitor in partition /Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition.
Alternatively, the configuration loads after upgrade, but the config file is corrupted, and will fail to load (such as after a system restart, or upon explicit 'tmsh load sys config'), with an error such as:
Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property
Workaround:
Remove custom 'SIP' and 'FirePass' monitors from the configuration, and re-create them manually after upgrade is complete.
Fix:
In this release, a configuration that contains a custom 'SIP' or 'FirePass' monitor from a version earlier than v13.1.0 now loads correctly and continues to load as expected.
699598-2 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
Component: Local Traffic Manager
Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.
Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.
Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.
Workaround:
None.
Fix:
Large HTTP/2 requests are now processed as expected.
699531-1 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.
699455-4 : SAML export does not follow best practices
Solution Article: K50254952
699454-4 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.
Conditions:
Authenticated web UI user.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing URL DB updates.
699453-4 : Web UI does not follow current best coding practices
Solution Article: K20222812
699452-4 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing PEM configuration updates.
Conditions:
PEM provisioned.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing PEM configuration updates.
699451-3 : OAuth reports do not follow best practices
Solution Article: K30500703
699431-3 : Possible memory leak in MRF under low memory
Component: Service Provider
Symptoms:
MRF may leak a session db record when a memory allocation failure occurs while adding a connection to an internal table. In this case, the table entry is not cleaned up when the connection closes.
Conditions:
The system is low on memory, and a memory allocation fails while MRF adds a connection to an internal table.
Impact:
The table entry remains until the box resets.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.
699346-3 : NetHSM capacity reduces when handling errors
Solution Article: K53931245
699339-3 : Geolocation upgrade files fail to replicate to secondary blades
Solution Article: K24634702
Component: Global Traffic Manager (DNS)
Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.
Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.
Impact:
Geoip database is not updated to match primary blade.
Workaround:
Use either of the following workarounds:
-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.
-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.
To edit /etc/csyncd.conf:
Merge the following two terms:
monitor dir /shared/GeoIP {...}
monitor dir /shared/GeoIP/v2 {...}
into one term, as follows:
monitor dir /shared/GeoIP {
    queue geoip
    pull pri2sec
    recurse yes
    defer no
    lnksync yes
    md5 no
    post "/usr/local/bin/geoip_reload_data"
}
Fix:
Geolocation upgrade files now correctly replicate to secondary blades.
699298-2 : 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
Component: Local Traffic Manager
Symptoms:
TMM may crash when woodside congestion-control is in use.
Conditions:
When woodside congestion-control is in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Other congestion control algorithms can be used as a workaround.
Fix:
This fix handles a rare TMM crash when woodside congestion-control is in use.
699281-1 : Version format of hypervisor bundle matches Version format of ISO
Component: TMOS
Symptoms:
F5 recently incorporated a 4th element into its versioning scheme. The 4th and 5th elements are separated by a dash (instead of a dot) in the ISO name. This change ensures that names of hypervisor bundles also use a dash between the 4th and 5th elements.
Conditions:
Applies to hypervisor bundles (for example ova files for vmware).
Impact:
Version format in names of hypervisor bundles matches the version format of the ISO file.
Workaround:
Version format in names of hypervisor bundles matches version format of ISO file
Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).
699273-1 : TMM Core During FTP Monitor Use
Component: Local Traffic Manager
Symptoms:
TMM Cores.
Conditions:
When the FTP monitor is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Turn off FTP monitoring.
Fix:
The tmm no longer cores when using an FTP monitor.
699267-2 : LDAP Query may fail to resolve nested groups
Component: Access Policy Manager
Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).
Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled.
Impact:
-- LDAP Query agent fails.
-- Unable to get user identity.
-- Unable to finalize the Access Policy.
Fix:
After the fix, LDAP Query resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.
699135-1 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.
Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create an iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.
Impact:
tmm cores.
Workaround:
Do not use the host command for wideips of a type other than A/AAAA.
699103-1 : tmm continuously restarts after provisioning AFM
Component: Traffic Classification Engine
Symptoms:
tmm continuously restarts when the Webroot database is getting downloaded to a BIG-IP system with less than 16 GB RAM and AFM provisioned.
Conditions:
-- Webroot URL categorization configured for Traffic Classification.
-- BIG-IP system with less than 16 GB RAM.
-- AFM is provisioned.
Impact:
tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to ensure that more than 16 GB RAM is available when AFM is provisioned.
Fix:
The BIG-IP system with less than 16 GB RAM and AFM provisioned now prevents downloading the Webroot database or any updates if it is not already downloaded.
Note: If the Webroot database already exists before upgrade to this release, Webroot lookup will continue to work.
699012-1 : TMM may crash when processing SSL/TLS data
Solution Article: K43121447
698992-1 : Performance degraded
Component: Performance
Symptoms:
Portal Access performance was slightly degraded. This was identified to be due to a new queuing strategy implemented in the 13.0 release to improve per-request policy authentication performance on higher-end platforms. The nature of the problem is such that overall system degradation may be observed if APM is provisioned and per-request policies are not used.
Conditions:
APM is provisioned, but functionality is not related to per-request policy.
Impact:
Performance will be slightly lower under load.
Workaround:
None.
Fix:
The queuing strategy was altered to take minimal CPU resources when idle.
698984-1 : Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
Component: Access Policy Manager
Symptoms:
The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, and when ACCESS::restrict_irule_events is disabled and HTTP_RESPONSE_RELEASE events are detected in the assigned iRules.
Conditions:
Steps to Reproduce:
1. Define the following iRule in the virtual server.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set u [ HTTP::uri ]
    log local0. "XXX: [ HTTP::uri ]"
}
when HTTP_RESPONSE_RELEASE {
    log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]"
    set l [ HTTP::header Location ]
    if { $l starts_with {/my.policy} } {
        append l {?modified_by_irule=1}
        HTTP::header replace Location $l
    } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } {
        # Next response will be the real response to the client.
        ACCESS::log "XXX: lp_seen"
        set lp_seen 1
    }
    if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } {
        unset lp_seen
        HTTP::header insert X-MyAppSpecialHeader 1
    }
}
2. Configure START :: LOGON PAGE :: ALLOW policy.
3. Access the virtual server.
Impact:
A TCP reset is triggered when it should not be. Under the specific condition described, the system should post the logon page.
Workaround:
Manually disable Tmm.HTTP.TCL.Validation.
Fix:
Tmm.HTTP.TCL.Validation is now disabled automatically during upgrade when APM is provisioned. This is correct behavior.
698947-2 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
Component: TMOS
Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.
Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.
Impact:
The decapsulated packets may be dropped in the BIG-IP system.
Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.
698940-1 : Add new security policy template for API driven systems - "API Security"
Component: Application Security Manager
Symptoms:
No security policy template for API Security for API driven systems.
Conditions:
-- Using API.
-- Attempting to define REST API protection, Web Socket protection.
Impact:
No policy template.
Workaround:
None.
Fix:
Added new security policy template for API driven systems - 'API Security'.
698919-3 : Anti virus false positive detection on long XML uploads
Component: Application Security Manager
Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.
Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.
Impact:
Violation is detected where no violation has occurred (false positive violation).
Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.
Note: This workaround will affect the amount of logged data from ASM.
Fix:
Fixed a false positive virus-detected violation related to long XML uploads.
698916-1 : TMM crash with HTTP/2 under specific condition
Component: Local Traffic Manager
Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connection.
Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.
Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.
698875-1 : Qkview Security Hardening
Component: TMOS
Symptoms:
Qkview does not follow best practices for sanitizing and anonymizing collected data.
Conditions:
Qkview created.
Impact:
Under certain conditions, Qkviews may include sensitive information, which may in turn be uploaded to iHealth.
Workaround:
None.
Fix:
Qkview now follows best practices for sanitizing and anonymizing collected data.
698813-2 : When processing DNSX transfers ZoneRunner does not enforce best practices
Solution Article: K45435121
698619-2 : Disable port bridging on HSB ports for non-vCMP systems
Component: TMOS
Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.
Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).
Impact:
This triggers an FDB flush and can result in packet flooding back to the HSB and potential network saturation.
Workaround:
None.
Fix:
Port bridging on HSB interfaces in the switch for non-vCMP systems is now disabled, so this issue no longer occurs.
698461-1 : tmm may crash in fastl4 TCP
Component: Local Traffic Manager
Symptoms:
tmm crashes and the BIG-IP system fails over.
Conditions:
Virtual with fastl4 and TCP profile configured and used.
LRO is used.
Impact:
tmm may crash.
Fix:
The crash is fixed.
698429-1 : Misleading log error message: Store Read invalid store addr 0x3800, len 10
Component: TMOS
Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.
Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.
Impact:
None. These messages do not indicate an actual problem with the system.
698424-1 : Traffic over a QinQ VLAN (double tagged) will not pass
Solution Article: K11906514
Component: Local Traffic Manager
Symptoms:
Traffic on a QinQ VLAN will not pass.
Conditions:
This issue exists when a VLAN is configured as a QinQ VLAN (i.e., a double-tagged VLAN).
Impact:
Traffic on a QinQ VLAN will not pass.
Workaround:
Disabling LRO may work around this issue.
Fix:
Traffic on a QinQ VLAN now passes successfully.
698396-1 : Config load failed after upgrade from 12.1.2 to 13.x or 14.x★
Component: Traffic Classification Engine
Symptoms:
Sys load fails with the following errors:
....
Loading schema version: 14.0.0
0107153e:3: Application id out of the valid range of [8192-16384).
Unexpected Error: Loading configuration process failed.
Conditions:
When a CEC IM is applied to 12.1.2 and the system is then upgraded to 13.x or 14.x, sys load fails.
Impact:
System will fail to come to Active state after upgrade.
Workaround:
It can be fixed by manually deleting /var/libdata/dpi/conf/classification_update.conf.
698379-2 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR
Solution Article: K61238215
Component: Local Traffic Manager
Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.
Conditions:
HTTP2 virtual server configured.
Impact:
Uploads for the HTTP2 virtual server might fail intermittently.
Workaround:
None.
Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.
698338-1 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
Component: Service Provider
Symptoms:
The system may core.
Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.
Impact:
The system cores and will restart.
Workaround:
None.
Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.
698333-1 : TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)
Solution Article: K43392052
Component: Advanced Firewall Manager
Symptoms:
TMM would core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families).
Conditions:
This occurs in the following scenario:
-- Enable Network and DNS BDOS simultaneously (on DoS Device config).
-- Generate dynamic signature that has both network and DNS metrics.
-- Wait for signature to be moved to 'past' (persist) state.
-- Disable either network or DNS BDOS (but not both).
-- TMM cores if the traffic matches this signature.
Impact:
Traffic interruption due to TMM restart. Traffic is disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
In this release, if the dynamic signature is disabled for a specific family on a parent context (but not disabled for the other family on that context), any past attack signature for the context is now deleted from the system.
698226-1 : Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly
Component: Application Visibility and Reporting
Symptoms:
When filtering data by a field in the 'Security :: Reports :: DoS :: URL Latencies' form, the filtering fails and the monpd process crashes.
Conditions:
There is some statistical data for DoS.
Impact:
Reports based on GUI filters are not complete.
Workaround:
No workaround.
Fix:
The system now creates the correct query for this filter, so the issue no longer occurs.
698182 : Upgrading from 13.1.1 to newer release might cause config to not be copied over★
Component: Advanced Firewall Manager
Symptoms:
Upgrading from 13.1.1 to newer release might cause config to not be copied over. This is due to the UUID being available on the older release but not on the newer one.
Conditions:
Upgrading or loading a UCS from 13.1.1 to a newer release.
Impact:
Config cannot be loaded or fails.
Workaround:
Copy config and remove UUID-specific schema before loading the config.
Fix:
When upgrading to a version in which UUID is not supported, the system now automatically copies the config and removes UUID-specific schema before loading it.
698084-3 : IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
Solution Article: K03776801
Component: TMOS
Symptoms:
Some groups of messages logged by tmipsecd are missing the errdefs annotation that identifies IPsec as the module. Messages reported when tunnels go up and down, or problems with listeners, go only to ltm logs, with no visibility to bigiq logs.
Conditions:
Missing the IPsec module subset ID.
Impact:
Missing IPsec messages in the bigiq logs.
Workaround:
No workaround at this time.
Fix:
The IPsec module subset ID has been added to tmipsecd log messages, so those messages will reach bigiq logs. Some log messages previously appearing only in /var/log/ltm now also appear in ipsec.log and also reach bigiq logs.
698080-3 : TMM may consume excessive resources when processing with PEM
Solution Article: K54562183
698000-3 : Connections may stop passing traffic after a route update
Solution Article: K04473510
Component: Local Traffic Manager
Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.
Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.
Impact:
Connections may fail after routing updates. New connections will not be affected.
Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.
Fix:
Routing updates no longer interrupt traffic to connections using a pool member to reach the nexthop.
697988-3 : During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
Component: Local Traffic Manager
Symptoms:
During config sync, if many (hundreds of) client-ssl profiles are attached to a virtual server, the CPU may spike to 100%.
Conditions:
-- Many (hundreds of) client-ssl profiles are attached to a virtual server.
-- Config sync is executed.
Impact:
If enough client-ssl profiles are attached, the watchdog could fire, crashing tmm and causing service disruption. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not attaching hundreds of client-ssl profiles to a virtual server, or disabling config sync.
Fix:
Issue no longer occurs when there are 2000+ client-ssl profiles attached to a virtual server and config sync is executed.
697756-1 : Policy with CSRF URL parameter cannot be imported as binary policy file
Component: Application Security Manager
Symptoms:
A policy with at least 1 CSRF URL parameter defined cannot be imported as a binary policy file.
Conditions:
A policy has at least 1 CSRF URL parameter defined.
Impact:
The policy cannot be imported as a binary policy file.
Workaround:
There is no workaround at this time.
Fix:
A policy with CSRF URL parameters defined can now be imported as a binary policy file.
697718-1 : Increase PEM HSL reporting buffer size to 4K.
Component: Policy Enforcement Manager
Symptoms:
Before this fix, the PEM HSL reporting buffer size is limited to 512 bytes.
Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.
Impact:
Part of PEM HSL flow reporting information will be lost.
Fix:
The PEM HSL reporting buffer size has been increased to 4K, which should be enough for the use cases currently known.
697636-3 : ACCESS is not replacing headers while replacing POST body
Component: Access Policy Manager
Symptoms:
If the first request for a session is a POST, APM will save the POST to replay after the policy completes. When the POST is restored after policy completion and released to the backend, the headers are the same as the most recent client request, not the original POST. In particular, the Content-Length header will not match the original POST.
Conditions:
First request for the session is a POST.
Impact:
Backend servers may complain of an incomplete HTTP POST due to a mismatching Content-Length header.
Workaround:
None.
Fix:
Now, the system takes all headers from the original POST, except the Authorization header that Kerberos RBA needs, which is taken from the most recent client request.
697616-2 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
Component: TMOS
Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: HA crypto_failsafe_t qat-crypto0-0 fails action is failover.
Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.
Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.
Workaround:
None.
Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.
697615-1 : Neurond may restart indefinitely after boot, with neurond_i2c_config message
Solution Article: K65013424
Component: TMOS
Symptoms:
The neurond daemon may continually restart after a reboot. The problem may persist even after a reboot of the BIG-IP system. Manually stopping and starting neurond will not resolve the problem.
Conditions:
- This occurs only on BIG-IP platforms that contain a specific hardware part running v13.1.0.
- The issue happens only after a reboot of the BIG-IP system.
Impact:
The BIG-IP system constantly logs messages similar to the following:
emerg logger: Re-starting neurond
The /var/log/neurond logfile contains messages similar to the following:
-- neurond_i2c_config_steps: STEP 20 Checking for Lane Alignment
-- neurond_i2c_config_steps: Timeout waiting for good rx_align for ILK1 of NSP
-- neurond_i2c_config: neurond_i2c_config_steps failed.
Workaround:
If you are not using FIX features, disabling the neurond service is a safe option.
If your configuration relies on the FIX feature, a cold reboot by removing power from the BIG-IP system may resolve the problem. However, multiple retries are sometimes necessary to get the part to initialize.
Fix:
This release increases the number of initialization retries to handle this condition, so continual restarts no longer occur.
697516 : Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled
Component: Advanced Firewall Manager
Symptoms:
Upgrading using a UCS or SCF file does not autogenerate uuids when the current config has the uuid-default-autogenerate flag enabled. This might cause issues when upgrading from older versions where uuids need to be quickly generated for existing firewall policies, rule lists, and management rules.
Conditions:
Upgrading from an older version with an existing security policy which has no uuids configured.
Impact:
Requires manual configuration of uuids for rules that come in from the older config.
Workaround:
Generate uuids for all policies, rule-lists, and management rules using the following three tmsh commands:
-- tmsh modify sec fire policy all rules modify { all { uuid auto-generate}}
-- tmsh modify sec fire rule-list all rules modify { all { uuid auto-generate}}
-- tmsh modify sec fire management-ip-rules rules modify { all { uuid auto-generate}}
Optionally, to ensure rules created in the future have uuids autogenerated issue the following tmsh command:
-- tmsh modify sec firewall uuid-default-autogenerate mode enabled
Fix:
No fix provided. The current behavior causes the uuid-default-autogenerate flag to be overwritten to disabled by the UCS load process. A workaround has been provided to mitigate this behavior.
697452-1 : Websso crashes because of bad argument in logging
Component: Access Policy Manager
Symptoms:
Websso would crash because of a bad argument in logging.
Conditions:
Only when Kerberos SSO is configured.
Impact:
Websso would crash, and so single sign-on may fail.
Workaround:
The workaround is to not configure Kerberos SSO.
Fix:
This issue has been fixed.
697424-1 : iControl-REST crashes on /example for firewall address-lists
Component: TMOS
Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.
Conditions:
Making a call to /example on firewall address-list.
Impact:
The icrd_child process crashes.
Workaround:
There is no workaround other than not calling /example on firewall address-lists.
697421 : Monpd core when trying to restart
Component: Application Visibility and Reporting
Symptoms:
Monpd tries to restart and attempts to access an uninitialized variable.
Conditions:
Monpd tries to restart due to a change of primary blade.
Impact:
Monpd cores.
Workaround:
N/A
Fix:
A sanity check is now performed on the uninitialized variable before it is accessed.
697363-1 : FPS should forward all XFF header values
Component: Fraud Protection Services
Symptoms:
For BIG-IP alerts, FPS inserts a single XFF header with the client IP and discards all XFF values/headers in the original request (the request which triggered the alert).
Conditions:
Alert generated on BIG-IP side.
Impact:
Original XFF information will be lost: only a single XFF header (containing client IP) will be present.
Workaround:
None.
Fix:
FPS now copies all original XFF headers to the generated alert.
697303-1 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
697259-2 : Different versioned vCMP guests on the same chassis may crash.
Solution Article: K14023450
Component: Local Traffic Manager
Symptoms:
The vCMP guest TMM crashes soon after startup.
Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.
Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Different versioned vCMP guests on the same chassis no longer crash.
696808-1 : Disabling a single pool member removes all GTM persistence records
Component: Global Traffic Manager (DNS)
Symptoms:
Disabling a single pool member removes all GTM persistence records.
Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.
Impact:
All GTM persistence records are accidentally cleared.
Workaround:
Set drain-persistent-requests yes.
Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.
696789-1 : PEM Diameter incomplete flow crashes when TCL resumed
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created (for example, suspended by an iRule) and the iRule is resumed because of a timeout, tmm may crash.
Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.
Impact:
The tmm will restart and all flows will reset.
Fix:
The PEM Diameter flow is now created in such a way as to prevent a crash when an iRule is resumed by timeout.
696755 : HTTP/2 may truncate a response body when served from cache
Component: Local Traffic Manager
Symptoms:
BIG-IP provides a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on the server side. A response can be cached in BIG-IP with a web acceleration profile. Sometimes a response served from cache is prematurely marked with the END_STREAM flag, causing the client to ignore the rest of the response body.
Conditions:
BIG-IP has a virtual server where HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some client browsers do not retry the resource, causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the body to be displayed:
when HTTP_RESPONSE_RELEASE {
    # Re-insert the Content-Length header so the response body is released in full
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}
Fix:
With this fix, HTTP/2 users no longer experience incorrect page rendering due to this issue.
696732-3 : tmm may crash in a compression provider
Solution Article: K54431534
Component: TMOS
Symptoms:
TMM may crash with the following panic message in the log files:
panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.
Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:
tmsh modify sys db compression.strategy value softwareonly
696731-3 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Solution Article: K94062594
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administratively disabling an interface on BIG-IP.
Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
696669-1 : Users cannot change or reset RSA PIN
Component: Access Policy Manager
Symptoms:
User is not able to reset the PIN when RSA SecurID or RADIUS Auth agent is included in access policy.
Conditions:
- APM is licensed and provisioned.
- RSA SecurID or RADIUS Auth agent is included in an access policy.
- APM end user is challenged to reset the PIN or reenter the PIN/token.
Impact:
APM end users cannot reset the PIN or do not get authenticated.
Workaround:
There is no workaround.
Fix:
APM users can now successfully reset the PIN or reenter the token.
696642-1 : monpd core is sometimes created when the system is under heavy load.
Component: Application Visibility and Reporting
Symptoms:
When the system is under heavy load, aggregation of statistics tables in the database sometimes takes too much time and the watchdog is triggered. When that happens, the watchdog aborts the application and produces a core file.
Conditions:
-- System under heavy load.
-- Setting and resetting DoS profile on virtual servers.
-- Using AVR.
-- Displaying aggregated statistics.
Impact:
The system produces a monpd core file even though no real crash occurs.
Workaround:
None.
Fix:
Watchdog trigger no longer creates core by default under these conditions.
696544-1 : APM end users cannot change/reset password when auth agents are included in per-req policy
Component: Access Policy Manager
Symptoms:
Users cannot change their password when AD, RADIUS or LocalDB auth agents are included in a per-req policy.
Conditions:
- Per-req policy is attached to Virtual Server.
- AD Auth, RADIUS Auth or LocalDB auth agents are included in the per-req policy.
- End user is challenged to change/reset the password.
Impact:
Users cannot change their password.
Fix:
Users now can successfully change or reset the password.
696525-1 : B2250 blades experience degraded performance.
Component: Performance
Symptoms:
B2250 blades have degraded performance by up to 17%. This is caused by connections not being offloaded to hardware as often as expected.
Conditions:
This occurs when the FastL4 profile is configured to offload to hardware and the service provider DAG is configured and in use on B2250 blades.
Impact:
Performance will be degraded due to more connections being handled in software.
Workaround:
None.
Fix:
The performance issue for the B2250 blades has been fixed.
696383-1 : PEM Diameter incomplete flow crashes when swept
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.
Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.
Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The PEM Diameter flow is now created in such a way as to prevent any crash by the sweeper.
696333-1 : Threat campaign filter doesn't return campaign if filter contains quote
Component: Application Security Manager
Symptoms:
A threat campaign is not displayed in the GUI on the Security :: Application Security : Threat Campaigns page.
Conditions:
Filtering for a campaign name that contains a quote.
Impact:
Threat campaign filter by name will not work.
Fix:
Fixed REST escaping.
696294-1 : TMM core may be seen when using Application reporting with flow filter in PEM
Component: Policy Enforcement Manager
Symptoms:
TMM core with flow filter when the Application reporting action is enabled.
Conditions:
Application reporting is enabled along with a flow filter.
Impact:
TMM restart causing service interruption.
Fix:
The application start buffer is now initialized, which prevents the TMM core.
696265-5 : BD crash
Solution Article: K60985582
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
696260-1 : GUI Network Map as Start Screen presents database error
Solution Article: K53103420
Component: TMOS
Symptoms:
If the Network Map is set as the Preferences Start Screen, the GUI will display a database error page.
Conditions:
Set System :: Preferences : Start Screen to Network Map.
Impact:
Error page is displayed.
Workaround:
Navigate to the Network Map via the left navigation menu: Local Traffic :: Network Map.
Fix:
The Start Screen now launches successfully into the Network Map page.
696212-1 : monpd does not return data for multi-dimension query
Component: Application Visibility and Reporting
Symptoms:
When querying 'time-series' data for multiple-dimensions, most multi-dimension queries receive an empty response.
Conditions:
This occurs because the order of entities in the query is not sorted by priority.
Impact:
The corresponding dashboard displays incorrect statistics.
Workaround:
There is no workaround at this time.
Fix:
The monpd process now performs two queries in order to get the 'time-series' data for multi-dimensions:
-- The first query gets the top entities.
-- The second query gets data that is 'drilled down' by the top entities, the ones received from the first query.
696201-1 : Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation
Component: Advanced Firewall Manager
Symptoms:
AFM might generate a dynamic signature for those bins that have a very low learnt threshold during the learning phase, if the current traffic rate spikes and increases above the anomaly threshold floor db variable value as specified by l4bdos.anomaly.threshold.floor.
Conditions:
AFM dynamic signature feature is enabled.
Impact:
This might cause AFM to generate signatures with higher false positives.
This is specifically due to incorrect application of db variable setting 'l4bdos.anomaly.threshold.floor' that should be interpreted as the 'floor' value of learnt thresholds for any bin. So, if the learnt threshold of a bin is lower than this db variable, the baseline threshold of the bin should be set to the db variable for anomaly detection phase.
Workaround:
There is no workaround at this time.
Fix:
This issue is fixed by making sure that db variable 'l4bdos.anomaly.threshold.floor' is used as the 'floor' value of baseline thresholds for those bins that have a learnt threshold lower than this db variable.
696113-3 : Extra IPsec reference added per crypto operation overflows connflow refcount
Component: TMOS
Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.
Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.
Impact:
Unexpected tmm failover after refcount overflow.
Workaround:
There is no workaround at this time.
Fix:
An object tracking crypto operations now adds a single reference to the connflow as long as the count of pending crypto operations is nonzero.
696073-2 : BD core on a specific scenario
Component: Application Security Manager
Symptoms:
bd process crashes, and core file created in the /shared/core/ directory.
Conditions:
Specific request and response characteristics that relate to CSP headers sent by the server.
Impact:
Failover in high availability units.
Workaround:
Disable CSP headers handling in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm
Fix:
The system now reinitializes the CSP headers before each response headers event, so this issue no longer occurs.
696049-1 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.
695968-1 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in a potential OOM scenario.
Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM
Impact:
Potential loss of service.
Workaround:
There is no workaround at this time.
Fix:
Diameter messages are now freed appropriately.
695953-1 : Custom URL Filter object is missing after load sys config TMSH command
Component: Access Policy Manager
Symptoms:
The custom URL Filter object created through TMSH or the GUI is not visible. If the filter object is referenced in an Access Policy, the policy fails to load when running the command: load sys config. The system logs errors similar to the following:
01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Configure custom URL Filter object
-- SWG is not provisioned.
Impact:
The access policy fails to load if it references the URL Filter object. Running the 'load sys config' command in TMSH removes the filter.
Workaround:
You can use either of the following workarounds:
-- Provision SWG, and recreate the URL Filter.
-- Edit bigip.conf to include the URL Filter object.
Fix:
Now during 'load sys config', custom URL filters get saved properly.
695925-1 : tmm crash when showing connections for a CMP disabled virtual server
Component: Local Traffic Manager
Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.
Conditions:
This occurs when all of the following conditions are met:
-- There is a CMP-disabled virtual server.
-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).
-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').
Impact:
tmm crashes and restarts impacting traffic.
Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.
Avoid using 'tmsh show sys connection'.
695901-1 : TMM may crash when processing ProxySSL data
Solution Article: K46940010
695707-5 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
Component: Local Traffic Manager
Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.
Conditions:
Close an MPTCP connection.
Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.
Workaround:
There is no workaround at this time.
Fix:
The retransmission timer now keeps running if an MPTCP connection can retransmit a DATA_FIN.
695563-1 : Improve speed of ASM initialization on first startup
Component: Application Security Manager
Symptoms:
ASM initialization on first startup takes a long time.
Conditions:
Provision ASM.
Impact:
ASM initialization takes a long time.
Workaround:
There is no workaround at this time.
Fix:
ASM initialization on first startup is faster.
695072-2 : CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
Solution Article: K23030550
694922-5 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group.
2) A new ASM entity is created on a device.
Impact:
ASM configuration is not correctly synchronized between devices.
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state
694897-2 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.
Component: TMOS
Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.
Conditions:
-- Using Proline CuSFP, part number FCLF8521P2BTLTAA.
-- Inserted into 1 Gb interfaces.
-- On i4x00 platforms.
Impact:
PFMAND cores.
Workaround:
Use only F5-branded Copper SFPs.
Fix:
This release updates SFP string parsing in PFMAND to account for NULL terminated vendor information.
694849-1 : TMM crash when packet sampling is turned on for DNS BDOS signatures.
Component: Advanced Firewall Manager
Symptoms:
TMM crashes upon traffic matching a DNS BDOS signature if packet sampling is turned on by enabling db variable (l4bdos.signature.sample.packet.frequency).
Conditions:
DB variable l4bdos.signature.sample.packet.frequency is modified to a non-zero value (to collect DNS packet info upon matching a DNS dynamic signature).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the packet sampling feature for BDOS signatures by setting the db variable l4bdos.signature.sample.packet.frequency to default value (0).
Fix:
TMM no longer crashes when packet sampling is turned on and traffic matches a DNS BDOS signature.
694778-1 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
Component: Local Traffic Manager
Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).
Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled.
-- Using a virtual server with a client SSL profile and a 2048-bit RSA key.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.
Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).
Workaround:
There is no workaround other than to disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable
Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.
694740-3 : BIG-IP reboot during a TMM core results in an incomplete core dump
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.
Fix:
Reboot is delayed until TMM core file is completed.
694717-1 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
Component: Policy Enforcement Manager
Symptoms:
TMM crashes.
Conditions:
A PEM iRule command that results in an inter-TMM lookup is executed several times on a long-lived flow, for example a long-lived flow carrying multiple HTTP transactions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.
694696-5 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline
Component: TMOS
Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.
Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.
Impact:
Traffic to all other traffic-groups is disrupted for several seconds.
Workaround:
There is no workaround at this time.
Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.
694656-1 : Routing changes may cause TMM to restart
Solution Article: K05186205
Component: Local Traffic Manager
Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).
Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.
-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.
-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).
Impact:
TMM restarts, resulting in a failover and/or traffic outage.
Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.
If dynamic routing is in use, there is no workaround.
Fix:
TMM now properly manages routing information for active connections.
694624-1 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
Component: Access Policy Manager
Symptoms:
APM Webtop's SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS and Android clients. Each launch attempt generates the following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac
Conditions:
Native RDP resource with enabled SSO is used on hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.
Impact:
RDP client can't launch the requested resource (desktop/application).
Workaround:
Disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable
Fix:
SSO enabled Native RDP resources now can be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS and Android clients.
694547-2 : TMSH save sys config creates unneeded generate_config processes.
Solution Article: K74203532
Component: TMOS
Symptoms:
When saving a configuration through TMSH or iControl REST, the system creates an unneeded process named generate_config.
Conditions:
Run tmsh save sys config, or the same command through iControl REST.
Impact:
One generate_config process is generated per save operation. If config save occurs often, these extraneous processes can slowly fill up the process table.
Workaround:
There is no real workaround except to avoid saving the config often enough to fill the process table with these extraneous processes.
If this issue has already occurred, you can recover by locating the parent process that has an associated zombie process, and restart the parent process to purge the zombie processes. icrd_child and/or scriptd are the parent processes known to cause this issue. To find out which daemon to restart and how to restart it, perform the following procedure:
Impact of workaround: Restarting any daemon on the BIG-IP system may cause service disruption, and F5 recommends performing this procedure only during a scheduled maintenance period. For more information about daemons' functions, refer to K05645522: BIG-IP daemons (13.x) (https://support.f5.com/csp/article/K05645522).
1. If you are still logged on to the tmsh command-line utility that was performing the configuration-save operation, exit from it first.
2. Log in to the BIG-IP system's advanced shell using an account with Administrator credentials.
3. Locate the zombie process and its parent process using the following command:
ps --forest | grep -B1 'generate_config.*defunct'
4. With the parent process name discovered in the previous step, restart the associated daemon using the following commands that apply:
-- For the icrd_child process: tmsh restart /sys service restjavad
-- For the scriptd process: tmsh restart /sys service scriptd
Fix:
tmsh save sys config no longer generates generate_config processes.
694319-1 : CCA without a request type AVP cannot be tracked in PEM.
Component: Policy Enforcement Manager
Symptoms:
May cause diagnostic issues, as not all CCA messages can be tracked.
Conditions:
1. PEM with Gx/Gy configured.
2. PCRF sends CCAs without a request type AVP.
Impact:
May hamper effective diagnostics.
Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.
Fix:
Added a statistics counter to track CCAs that do not include a request type AVP.
Name of new counter: cca_unknown_type
694318-1 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
Component: Policy Enforcement Manager
Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.
Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.
Impact:
Subscriber sessions stuck in delete pending, resulting in a potential increase in memory consumption over a period of time.
Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.
Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.
694274-1 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7
Solution Article: K23565223
694078-1 : In rare cases, TMM may crash with high APM traffic
Component: Access Policy Manager
Symptoms:
Intermittent tmm core under load.
Conditions:
-- Provision APM (at least).
-- Additional required conditions are not well understood.
-- Seems more likely to occur when APM is provisioned with other modules, especially ASM or AVR.
Impact:
The BIG-IP system stops processing traffic while the TMM restarts.
Workaround:
None.
Fix:
Tmm core no longer occurs with high APM traffic.
694073-3 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup
Component: Application Security Manager
Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.
Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).
Impact:
Low and incorrect visibility of signature update details.
Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.
Fix:
Signature updates are now shown correctly for all versions.
693996-5 : MCPD sync errors and restart after multiple modifications to file object in chassis
Solution Article: K42285625
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
693979 : Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document
Component: TMOS
Symptoms:
The file permissions of /shared/vadc/aws/iid-document changed, and as a result the autoscale feature fails.
Conditions:
Whenever autoscale is triggered.
Impact:
The autoscale feature does not work.
Workaround:
The permission of /shared/vadc/aws/iid-document was never set explicitly. It inherited file permission flags from /shared/vadc/. We set the file permission explicitly.
Fix:
The autoscale feature is functional after changing file permissions of /shared/vadc/aws/iid-document.
693966-1 : TCP sndpack not reset along with other tcp profile stats
Component: Local Traffic Manager
Symptoms:
The TCP sndpack stat is not properly reset when a tmsh reset-stats command is issued.
Conditions:
When tmsh reset-stats command is issued.
-- tmsh reset-stats /ltm profile tcp <profile-name>
Impact:
TCP sndpack stat doesn't reset when tmsh reset-stats command is issued.
Workaround:
There is no workaround.
Fix:
With this fix, TCP sndpack stat will reset when tmsh reset-stats command is issued.
693964-1 : Qkview utility may generate invalid XML in files contained in Qkview
Component: TMOS
Symptoms:
When Qkview runs, it may gather XML files that are not well-formed, and contain ASCII control characters. This is most commonly seen with mcp_module.xml.
An XML validator may report an error such as:
mcp_module.xml:536081: parser error : PCDATA invalid Char value 29
<msgs></msgs>
^
Conditions:
-- Running Qkview.
-- An ASCII control character exists within a certain string field.
Impact:
The control character will be written verbatim into XML without encoding. Automated tools (e.g., iHealth) that attempt to process these files may fail.
Workaround:
iHealth automatically detects and corrects this issue in uploaded Qkviews.
You can also correct the XML files with another tool: the Qkview is a tar.gz archive, so it can be unpacked, the XML files edited to correct the formatting, and then repacked. The xmllint command-line tool (present on the BIG-IP system) can also recover valid XML by removing the invalid characters.
To do so, you can run a command similar to the following:
xmllint --recover mcp_module.xml --output mcp_module.xml
Fix:
Qkview no longer writes control characters in XML text, but instead processes them as expected.
693910-4 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
Component: Local Traffic Manager
Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transitions to an STP blocked state. This is because the FDB entries are not flushed on these interfaces after they change to a blocked state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.
Conditions:
MAC addresses are learned on an STP forwarding interface that transitions to the blocked state following a topology change.
Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.
Workaround:
None.
Fix:
FDB entries are now flushed by interface whenever an interface transitions to an STP blocked state.
693884-1 : ospfd core on secondary blade during network instability
Component: TMOS
Symptoms:
ospfd cores on a secondary blade while the network is unstable.
Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.
Impact:
The dynamic routing process ospfd cores on a secondary blade.
Workaround:
None.
693844-1 : APMD may restart continuously and cannot come up
Solution Article: K58335157
Component: Access Policy Manager
Symptoms:
The apmd process cannot start correctly and restarts in an infinite loop. When apmd initializes the Allow Ending agent, the process tries to load all resources (including ACLs, the webtop, and all resources for every webtop, app tunnels, RDP, etc.). The configuration most likely to encounter this issue is one with many ACLs. For example, if you have thousands of ACL records, the Allow agent pulls them all at once. If the mcpd process is consumed with other operations, apmd might not be able to initialize the Allow agent within 30 seconds, so it restarts, at which point the process again tries to load all resources, cannot complete within the 30 seconds, and restarts in a loop.
Conditions:
Too many resources assigned in an Access Policy profile, for example thousands of ACLs configured.
apmd cannot initialize the Allow Ending agent in 30 seconds and decides it has stopped responding. It then restarts on its own, but the problem is not solved, so it restarts in a loop.
Impact:
APM end users cannot authenticate.
Workaround:
Reduce the amount of resources so that every agent can initialize within the 30-second timeframe.
693810-6 : CVE-2018-5529: APM Linux Client Vulnerability
Solution Article: K52171282
693780-1 : Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
Component: Application Security Manager
Symptoms:
When a request arrives from UC Browser running on iOS without the TSPD_101 cookie (the proactive bot defense cookie), the BIG-IP system responds with a CAPTCHA challenge.
Conditions:
DoS profile attached to a virtual server.
DoS profile has application security enabled.
DoS profile has proactive bot defense enabled.
Impact:
UC Browser end users are presented with a CAPTCHA challenge.
Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
value "60"
}
Fix:
The user agent parser has been adjusted for UC Browser, which is now detected as Safari iOS.
693744-4 : CVE-2018-5531: vCMP vulnerability
Solution Article: K64721111
693694-1 : tmsh::load within IApp template results in unpredicted behavior
Component: iApp Technology
Symptoms:
The tmsh::load command within an iApp template triggers a transaction within a transaction, which is not supported by MCP. One of the unexpected behaviors seen is with a template that contains an ASM policy and an LTM policy: the iApp framework does not let the user reconfigure the application service without turning off strict updates, and rerunning the template breaks the association of the LTM policy with the ASM policy.
Conditions:
The tmsh::load command is used in the template to create an ASM policy. With tmsh::create, no issue is seen.
Impact:
The association between the LTM policy and the ASM policy is broken.
Workaround:
Use tmsh::create or tmsh::modify to create or update the ASM policy through the iApp template.
693663-1 : Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
Component: Application Security Manager
Symptoms:
When a request arrives from Firefox running on iOS in desktop mode without the TSPD_101 cookie (the proactive bot defense cookie), the BIG-IP system responds with a CAPTCHA challenge.
Conditions:
DoS profile attached to a virtual server.
DoS profile has application security enabled.
DoS profile has proactive bot defense enabled.
Impact:
Firefox (iOS desktop mode only) end users are presented with a CAPTCHA challenge.
Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
value "60"
}
Fix:
The user agent parser has been adjusted for the Firefox browser running in desktop mode. The browser is detected as Safari PC, and the browser version is taken from the Mac version number.
693611-3 : IKEv2 ike-peer might crash on stats object during peer modification update
Solution Article: K76313256
Component: TMOS
Symptoms:
A crash occurs upon passing traffic through the IPsec interface.
Conditions:
When an ike-peer is updated, or first defined at startup.
Impact:
Tmm restarts on crash.
Workaround:
No workaround is known at this time.
Fix:
IKEv2 ike-peer no longer crashes on stats object during peer modification update.
693578-2 : switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Component: TMOS
Symptoms:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Conditions:
None
Impact:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Workaround:
None
Fix:
No fix.
693359-1 : AWS M5 and C5 instance families are supported
Component: TMOS
Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.
Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.
Impact:
The system experiences a kernel panic and might crash.
Workaround:
None.
Fix:
All necessary components are added to support AWS M5 and C5 instance families.
Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.
693312-1 : vCMPd may crash when processing bridged network traffic
Solution Article: K03165684
693308-1 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
Component: Local Traffic Manager
Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.
Conditions:
[1] SSL client authentication is enabled on the backend server.
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on either the client or the server side.
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.
Impact:
The backend server will not be securely accessible via SSL because the connection hangs.
Workaround:
Disable SSL Session Persistence.
Fix:
Whenever a fragmented message is received by a BIG-IP virtual service, subsequent messages contain a 5-byte header, each, which should be accounted for. Upon taking this into consideration, no more multiple-of-5 bytes are found missing while the message is being parsed by the Session Persistence parser, and the parser no longer hangs.
693244-2 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
Component: Local Traffic Manager
Symptoms:
BIG-IP silently drops the server-side TCP flow when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
Conditions:
BIG-IP receives a client-side reset while the client-side TCP flow is in the ESTABLISHED state and the server-side TCP flow is in the SYN-SENT state; the server-side flow is silently dropped.
Impact:
Because the server-side pool member does not receive the RST, it remains in the SYN-RECEIVED state until it runs out of SYN retransmissions and eventually, due to timeout, returns to the LISTEN state.
Fix:
BIG-IP resets serverside TCP flow with RST when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.
693106-1 : IKEv1 newest established phase-one SAs should be found first in a search
Component: TMOS
Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.
If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BIG-IP, preferring the newest SA may mitigate the problem.
Conditions:
The situation is most easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.
If the other end deletes a duplicate without sending a DELETE message to BIG-IP, we might accidentally use the older SA of the pair.
Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.
Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.
Fix:
At the moment a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of the remote peer the next time we initiate another phase two negotiation ourselves.
693007-1 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
Component: Global Traffic Manager (DNS)
Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.
Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.
Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.
Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.
Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.
Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.
692970-2 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash
Component: Local Traffic Manager
Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.
Conditions:
UDP port 67 is configured for a purpose other than DHCP relay.
Impact:
TMM restart causes traffic interruption or failover.
Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.
Fix:
TMM no longer crashes with DHCP flow validation.
692941-1 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
Component: Global Traffic Manager (DNS)
Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.
Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.
Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.
692890-3 : Adding support for BIG-IP 800 in 13.1.x
Component: TMOS
Symptoms:
Installing software version 13.1.0 fails on BIG-IP 800.
# tmsh show sys soft
---------------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build     Active  Status
---------------------------------------------------------
HD1.1   BIG-IP   13.1.0   0.0.1868  no      failed (Failed to install.)
HD1.2   BIG-IP   13.0.0   0.0.1645  yes     complete
HD1.3   BIG-IP   11.6.0   0.0.401   no      complete
---------------------------
Sys::Software Update Check
---------------------------
Check Enabled      true
Phonehome Enabled  true
Frequency          weekly
Status             none
Errors             0
The system logs the following messages in /var/log/liveinstall.log:
info: Hardware is lm capable
info: System is lm capable
info: Adding application-package ltm7-application/noarch to transaction.
info: Adding application-package ros7-application/noarch to transaction.
info: Adding application-package sam-main/noarch to transaction.
info: Adding application-package sum-application/noarch to transaction.
info: Adding application-package ts-application/noarch to transaction.
info: Adding application-package wa-master/noarch to transaction.
info: Adding application-package (lm) woc-application-lm/noarch to transaction.
error: Product has no root package for Mercury
error: couldn't get package list file for LTM.ROS.SAM.SUM.TS.WA.WOC group
Terminal error: Failed to install.
*** Live install end at 2018/01/02 13:29:45: failed (return code 255) ***
Conditions:
-- Installing/upgrading to v13.1.x.
-- Using the BIG-IP 800 platform.
Impact:
Install/upgrade will fail.
Workaround:
None.
Fix:
Installation now completes successfully on the BIG-IP 800 platform.
692753-1 : Shutting-down trap not sent when shutdown -r or shutdown -h is issued from the shell
Component: TMOS
Symptoms:
The shutting-down trap is not sent when shutdown -r or shutdown -h is issued from the shell.
Conditions:
When a user accesses the Linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP system does not send the shutting-down trap.
Impact:
None.
Since this is a user-triggered command, the user is aware of the shutdown event, so the lack of a trap is not critical.
Workaround:
None
Fix:
The shutdown trap is now sent when a user issues "shutdown -r" or "shutdown -h" from the Linux shell.
692683-1 : Core with /usr/bin/tmm.debug at qa_device_mgr_uninit
Component: TMOS
Symptoms:
Running a debug version of tmm (/usr/bin/tmm.debug) on BIG-IP 2xxx and 4xxx platforms, crashes at qa_device_mgr_uninit when issuing either of the following commands:
-- bigstart stop tmm
-- bigstart restart tmm
Conditions:
Running a debug version of tmm.
-- BIG-IP 2xxx and 4xxx platforms.
-- Running either of the following commands:
+ bigstart stop tmm
+ bigstart restart tmm
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using a debug version of tmm on BIG-IP 2xxx and 4xxx platforms.
Fix:
tmm no longer halts and restarts under these conditions.
692557-1 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
Component: Access Policy Manager
Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.
Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.
Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
BIG-IP as SAML IdP no longer causes memory corruption when handling certain traffic.
692328-1 : Tmm core due to incorrect memory allocation
Component: Advanced Firewall Manager
Symptoms:
In a rare condition after provisioning AFM, tmm cores.
You will see the following line in avrd.log:
/usr/bin/avrinstall -c20 -t10 -s2401000 --provisionAVR=0 --provisionASM=0 --provisionAFM=0 --provisionPBD=0 --provisionAPM=0 --provisionFPS=0 --provisionPEM=0 --provisionVCMP=0
Conditions:
AFM provisioned.
Attack started.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
We check that the shared memory was allocated correctly before reporting on an attack.
692310-2 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body
Solution Article: K69250459
Component: Service Provider
Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.
Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).
Impact:
The HTTP server or client to which the modified request or response is destined receives invalid HTTP and might behave in an unexpected manner.
Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'.
For example, with a modified request:
when ADAPT_REQUEST_HEADERS {
    # A modified GET request carries no body; give it an explicit Content-Length: 0
    # so the server does not receive a chunked message with an empty chunk.
    if { ([HTTP::method] eq "GET") and (not [HTTP::header exists "Content-Length"]) } {
        HTTP::header insert Content-Length 0
    }
}
Similarly, use the ADAPT_RESPONSE_HEADERS event for a modified response.
Fix:
A modified HTTP v1.1 request or response with no body is never 'chunked'.
692307-3 : User with 'operator' role may not be able to view some session variables
Component: Access Policy Manager
Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.
Conditions:
This occurs when there is a huge blob of data associated with the user whose session variables are being viewed, for example, Active Directory (AD) user accounts with thumbnailPhoto and userCertificate attributes containing binary data.
Impact:
The user cannot view the session variables for those particular sessions. This data is available, however, by clicking on the Session ID.
Workaround:
Find this data by clicking on the Session ID.
Fix:
A user with the 'operator' role can now view all expected session variables.
692189-1 : errdefsd fails to generate a core file on request.
Component: TMOS
Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.
Conditions:
Forcing errdefsd to core for diagnostic purposes.
Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.
Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
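Review bot: the inserted setproperties ${service} line assumes that the service variable and the setproperties helper are both defined before line 16 of /etc/bigstart/scripts/errdefsd; the page shows neither, so verify both in the script before applying the three-line insertion.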
2. Run the following command: bigstart restart errdefsd
Fix:
errdefsd now generates a core file when forced to core.
692179-1 : Potential high memory usage from errdefsd.
Component: TMOS
Symptoms:
errdefsd memory usage grows with each config-sync or config update.
Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.
Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.
Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.
Fix:
This fix makes errdefsd check for config changes once every second, in addition to checking whenever management-port destination logs arrive.
692158-1 : iCall and CLI script memory leak when saving configuration
Component: TMOS
Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.
Conditions:
Use of iCall or CLI scripts to save the configuration.
Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.
Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.
Fix:
The scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.
692123 : GET parameter is grayed out if MobileSafe is not licensed
Component: Fraud Protection Services
Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.
Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.
Impact:
In the FPS Parameters list, the GET method is always grayed out.
Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.
Fix:
The GET method is no longer grayed out if MobileSafe is not licensed.
692095-1 : bigd logs monitor status unknown for FQDN Node/Pool Member
Solution Article: K65311501
Component: Local Traffic Manager
Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]
Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.
Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.
Workaround:
None.
Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.
691897-3 : Names of the modified cookies do not appear in the event log
Component: Application Security Manager
Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie are empty.
Conditions:
A modified domain cookies violation happens.
Note: This can happen only if there are also non-modified or staged cookies.
Impact:
Expected violation details are not displayed.
Workaround:
There is no workaround at this time.
Fix:
Issue with modified domain cookie violation details is now fixed.
691806-1 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Solution Article: K61815412
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.
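The RFC 793 rule behind this fix, as an added Python example that is not BIG-IP code: it models the SYN-RECEIVED segment-processing order (the ACK check runs before the FIN check) with constructed sequence numbers, so an early FIN/ACK is acknowledged and the connection enters CLOSE-WAIT rather than being reset; the BIG-IP system's own FIN/ACK reply described above is not modelled.

```python
"""Added example, not BIG-IP code: models RFC 793 section 3.9 ("SEGMENT ARRIVES")
for a FIN/ACK that lands while the passive side is still in SYN-RECEIVED."""
from dataclasses import dataclass


@dataclass
class Segment:
    """Control flags and numbers of one incoming TCP segment (constructed)."""
    seq: int
    ack_num: int = 0
    ack: bool = False
    fin: bool = False
    rst: bool = False


@dataclass
class Tcb:
    """Minimal transmission control block for the passive-open side."""
    state: str       # "SYN-RECEIVED", "ESTABLISHED", "CLOSE-WAIT" or "LISTEN"
    snd_una: int     # oldest unacknowledged sequence number (our SYN)
    snd_nxt: int     # next sequence number we will send
    rcv_nxt: int     # next sequence number expected from the peer


def receive_in_syn_received(tcb, seg):
    """Apply the SYN-RECEIVED rules to `seg` and return (new_state, reply),
    where reply is "ACK", "RST" or None. Updates `tcb` in place."""
    if tcb.state != "SYN-RECEIVED":
        raise ValueError("this helper only models the SYN-RECEIVED state")
    # First check: the segment must start at RCV.NXT (no receive window modelled).
    # An unacceptable segment is re-ACKed (unless it carries RST) and dropped.
    if seg.seq != tcb.rcv_nxt:
        return (tcb.state, None if seg.rst else "ACK")
    # Second check: RST returns a passive open to LISTEN without a reply.
    if seg.rst:
        tcb.state = "LISTEN"
        return (tcb.state, None)
    # Fifth check: a segment without ACK is dropped in SYN-RECEIVED.
    if not seg.ack:
        return (tcb.state, None)
    # The ACK must cover our SYN: SND.UNA =< SEG.ACK =< SND.NXT, otherwise reset.
    if not (tcb.snd_una <= seg.ack_num <= tcb.snd_nxt):
        return (tcb.state, "RST")
    tcb.snd_una = seg.ack_num
    tcb.state = "ESTABLISHED"
    # Eighth check: the FIN in the same segment is processed after the ACK, so
    # it is consumed (RCV.NXT advances), acknowledged, and we enter CLOSE-WAIT.
    if seg.fin:
        tcb.rcv_nxt += 1
        tcb.state = "CLOSE-WAIT"
        return (tcb.state, "ACK")
    return (tcb.state, None)


def early_fin_ack_outcome():
    """Walk the scenario from the issue with constructed numbers: our SYN/ACK used
    ISS=1000 (SND.UNA=1000, SND.NXT=1001), the peer's SYN was seq 500 (RCV.NXT=501),
    and the peer now sends FIN/ACK acknowledging 1001. Returns (state, reply)."""
    tcb = Tcb("SYN-RECEIVED", snd_una=1000, snd_nxt=1001, rcv_nxt=501)
    return receive_in_syn_received(tcb, Segment(seq=501, ack_num=1001, ack=True, fin=True))


if __name__ == "__main__":
    print(early_fin_ack_outcome())  # ('CLOSE-WAIT', 'ACK')
```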
691785-1 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
Component: Local Traffic Manager
Symptoms:
The bcm570x driver will cause TMM to core with the log message:
panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.
Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.
Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Removed the panic statement that caused TMM to core. TMM will now log an error and drop the packet instead.
691670-5 : Rare BD crash in a specific scenario
Component: Application Security Manager
Symptoms:
BD crash or false reporting of signature ID 200023003.
Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).
Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.
A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.
691609-1 : 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address★
Component: TMOS
Symptoms:
The error:
Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested add
Conditions:
Starting VE in 1NIC mode without a DHCP server and configuring the management interface.
Impact:
No management IP or Self IP.
Workaround:
There is no workaround at this time.
Fix:
Configuring the management IP in 1NIC mode now works.
691589-4 : When using LDAP client auth, tamd may become stuck
Component: TMOS
Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.
Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.
Impact:
Authentication to the virtual server fails until tamd is restarted.
Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd
Fix:
tamd no longer becomes stuck when using LDAP client auth.
691504-1 : PEM content insertion in a compressed response may cause a crash.
Solution Article: K54562183
691498-3 : Connection failure during iRule DNS lookup can crash TMM
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes in the DNS response cache periodic sweep.
Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.
Impact:
The TMM cores and automatically restarts. Traffic is disrupted while tmm restarts.
Workaround:
No known workaround.
Fix:
The reference counting of the resolver connection was fixed.
691497-2 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
Component: TMOS
Symptoms:
The .diffVersions directory has config change-diffs saved into patch files every time tmsh saves the configs. This is used for diagnostic purposes only.
Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' runs at the same time, causing a patch file that the ucs-save feature expects to exist to be deleted.
Impact:
The ucs-save feature complains about the missing patch file and exits.
Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.
Fix:
With this defect fixed, patch files that end up missing once 'tmsh load sys ucs <file>' is started will not be reported as an error, and the tmsh command will complete normally.
691491-5 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Solution Article: K13841403
Component: TMOS
Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces.
Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.
Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.
Workaround:
Use OID sysInterfaceMediaActiveSpeed.
Fix:
The BIG-IP system now correctly returns SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces.
691477-2 : ASM standby unit showing future date and high version count for ASM Device Group
Component: Application Security Manager
Symptoms:
Policy builder changes the configuration of the standby unit.
Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).
Impact:
Unexpected changes are made to the policy on standby device (CID increment).
Workaround:
Restart pabnagd when switching the device from active to standby (also when a blade is changed from master to non-master):
killall -s SIGHUP pabnagd
Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.
691462-1 : Bad actors detection might not work when signature mitigation blocks bad traffic
Component: Anomaly Detection Services
Symptoms:
When signatures are detected and mitigating, no bad actor detection occurs.
Conditions:
1. Signatures are detected and mitigating.
2. Attack traffic is not significantly higher than the good traffic.
Impact:
No bad actors are detected.
Only signatures provide DoS protection.
BIG-IP CPU utilization is higher than necessary.
Workaround:
No workaround at this time.
Fix:
The fix also takes signature drops into account when deciding whether bad actor detection should be more aggressive.
691287-1 : tmm crashes on iRule with GTM pool command
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').
For example:
when DNS_REQUEST {
    pool [string tolower "Test.com"]
}
or:
when DNS_REQUEST {
    pool [class lookup pool-dg key-value]
}
Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Pass the 'pool' argument through 'string trim'. For instance:
when DNS_REQUEST {
    pool [string trim [class lookup pool-dg key-value]]
}
Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.
691224-3 : Fragmented SSL ClientHello messages do not get properly reassembled when SSL Persistence is enabled
Solution Article: K59327001
Component: Local Traffic Manager
Symptoms:
The backend server rejects the incomplete ClientHello message it received, and the connection terminates.
Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.
Impact:
With Session Persistence enabled:
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.
Workaround:
The issue disappears when SSL Persistence is disabled.
691210-1 : Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.
Component: TMOS
Symptoms:
Traffic stops after tmm restart. BIG-IP Virtual Edition (VE) becomes unresponsive and requires power cycle.
Conditions:
This occurs when the following conditions are met:
-- Using VE.
-- Data plane interfaces are SR-IOV VF.
-- Guest VLAN tagging is used.
-- tmm restart.
Impact:
BIG-IP system stops working, and management connection may be lost, requiring power cycle.
Workaround:
Use VLAN tagging from host.
Fix:
The BIG-IP system now continues to work after tmm restart when guest VLAN tagging is used with SR-IOV interfaces for BIG-IP VE.
691095-1 : CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes
Component: Local Traffic Manager
Symptoms:
CA certificates with long but different serial numbers are treated as identical duplicates and are therefore lost in the CA certificate merge operation; only one of them is kept.
Conditions:
- The CA bundle file is managed by the CA bundle manager.
- The file contains certificates with large serial numbers.
Impact:
Certificates with large serial numbers are treated as duplicate, and removed.
Workaround:
There is no workaround at this time.
Fix:
Large serial numbers are treated correctly.
691048-1 : Support DIAMETER Experimental-Result AVP response
Solution Article: K34553736
Component: Service Provider
Symptoms:
When the Diameter server returns an answer message that carries an Experimental-Result AVP but no Result-Code AVP, the server-side flow is aborted.
Conditions:
The Diameter answer message has no Result-Code AVP but does have an Experimental-Result AVP.
Impact:
The server side flow is aborted.
Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.
Fix:
This release supports DIAMETER Experimental-Result AVP response.
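The two result encodings an answer may carry, as an added Python example that is not BIG-IP code: a minimal RFC 6733 AVP encoder/decoder and a result extractor that falls back to the grouped Experimental-Result AVP (Vendor-Id plus Experimental-Result-Code) when Result-Code is absent. The sample answer bodies, the Origin-Host value, vendor id 10415 and result code 5001 are constructed for the demonstration.

```python
"""Added example, not BIG-IP code: encode/decode Diameter AVPs (RFC 6733 section
4.1) and read an answer's result from either Result-Code or the grouped
Experimental-Result AVP (Vendor-Id + Experimental-Result-Code)."""
import struct

# AVP codes from RFC 6733.
ORIGIN_HOST = 264               # DiameterIdentity
VENDOR_ID = 266                 # Unsigned32
RESULT_CODE = 268               # Unsigned32
EXPERIMENTAL_RESULT = 297       # Grouped
EXPERIMENTAL_RESULT_CODE = 298  # Unsigned32
AVP_FLAG_V, AVP_FLAG_M = 0x80, 0x40


def encode_avp(code, data, vendor_id=None, mandatory=True):
    """Build one AVP: code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4."""
    flags = AVP_FLAG_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)        # header + data, excluding padding
    padding = b"\x00" * ((-len(data)) % 4)
    return (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
            + vendor + data + padding)


def decode_avps(buf):
    """Yield (code, vendor_id, data) for each AVP in buf, rejecting malformed lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & AVP_FLAG_V else 8
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_FLAG_V else None
        yield code, vendor_id, buf[off + hdr_len:off + length]
        off += length + (-length) % 4           # step over the padding as well


def answer_result(avps):
    """Return (vendor_id, result_code) for a Diameter answer body.

    Result-Code wins when present (vendor_id is then None); otherwise the grouped
    Experimental-Result AVP supplies both values. An answer carrying neither is
    rejected explicitly rather than being treated as an aborted flow."""
    decoded = list(decode_avps(avps))
    for code, _vendor, data in decoded:
        if code == RESULT_CODE:
            return None, struct.unpack("!I", data)[0]
    for code, _vendor, data in decoded:
        if code == EXPERIMENTAL_RESULT:
            vendor = result = None
            for sub_code, _v, sub_data in decode_avps(data):
                if sub_code == VENDOR_ID:
                    vendor = struct.unpack("!I", sub_data)[0]
                elif sub_code == EXPERIMENTAL_RESULT_CODE:
                    result = struct.unpack("!I", sub_data)[0]
            if vendor is None or result is None:
                raise ValueError("Experimental-Result lacks Vendor-Id or Experimental-Result-Code")
            return vendor, result
    raise ValueError("answer carries neither Result-Code nor Experimental-Result")


# Constructed sample answer bodies (AVPs only; the 20-byte message header is omitted).
ANSWER_WITH_RESULT_CODE = (
    encode_avp(ORIGIN_HOST, b"hss.example.test")
    + encode_avp(RESULT_CODE, struct.pack("!I", 2001))          # DIAMETER_SUCCESS
)
ANSWER_EXPERIMENTAL_ONLY = (
    encode_avp(ORIGIN_HOST, b"hss.example.test")
    + encode_avp(EXPERIMENTAL_RESULT,
                 encode_avp(VENDOR_ID, struct.pack("!I", 10415))                   # constructed
                 + encode_avp(EXPERIMENTAL_RESULT_CODE, struct.pack("!I", 5001)))  # constructed
)

if __name__ == "__main__":
    print(answer_result(ANSWER_WITH_RESULT_CODE))   # (None, 2001)
    print(answer_result(ANSWER_EXPERIMENTAL_ONLY))  # (10415, 5001)
```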
690890-1 : Running sod manually can cause issues/failover
Component: TMOS
Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.
Conditions:
Accidentally or intentionally executing the command 'sod'.
Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.
Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly; it is managed by 'bigstart'.
Fix:
The failover daemon detects that an instance is already running, and exits without disrupting the system.
690883-1 : BIG-IQ: Changing learning mode for elements does not always take effect
Component: Application Security Manager
Symptoms:
When changing learning mode for an element type (e.g., WebSocket URLs), if no other changes are made to the default '*' entity, then suggestions are not created correctly.
Conditions:
Changes are deployed from a BIG-IQ device, where the learning mode for an element type (e.g., WebSocket URLs) is changed (e.g., from Never to Always), and no other changes are made to the default '*' entity.
Impact:
Suggestions are not created correctly.
Workaround:
Modify the '*' entity as well (change description).
Fix:
Learning mode changes are correctly handled from BIG-IQ.
690819-1 : Using an iRule module after a 'session lookup' may result in crash
Component: TMOS
Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.
Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.
Impact:
The system may core, or result in undefined and/or undesired behavior.
Workaround:
Check the return value of 'session lookup' before using another iRule module.
If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.
690793-1 : TMM may crash and dump core due to improper connflow tracking
Solution Article: K25263287
Component: TMOS
Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.
Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.
While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.
Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.
Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.
However, this does not eliminate entirely the chances of running into this issue.
Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.
690778-1 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
Solution Article: K53531153
Component: Local Traffic Manager
Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.
Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.
Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.
Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.
Fix:
Prevented memory leak in stream code.
690756-1 : APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
Component: Local Traffic Manager
Symptoms:
Using the ACCESS::restrict_irule_events disable command to allow iRule events triggered by APM-generated responses to be visible to the iRule no longer works.
Conditions:
-- ACCESS::restrict_irule_events disable.
-- HTTP iRules commands used in HTTP_RESPONSE_RELEASE after a retry has been triggered by APM.
Impact:
iRule execution is aborted.
Workaround:
The only possible workaround is to abandon the iRule, and implement the functionality using a VIP-targeting-VIP configuration.
Note: This might not be acceptable in many cases either because of functionality loss (e.g., client certificate auth), or because there are complicated issues specifically solved by iRules.
Fix:
APM triggers a new iRule event when it retries a request. This new event allows iRules to be notified when this occurs.
The HTTP_RESPONSE_RELEASE event is no longer triggered on an internal retry as no response will be sent.
A BigDB variable has been added to disable run-time validation of HTTP iRule commands. This is intended to ease the roll-forward of old APM iRules.
690215-2 : Missing requests in request log
Component: Application Security Manager
Symptoms:
Requests are missing from the request log.
Conditions:
Either of:
- pabnagd restart
- asm restart
- failover
Impact:
- Requests are not logged for up to an hour (affected by the amount of policies)
Workaround:
No workaround.
Fix:
All requests are now logged always.
690166-1 : ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains
Component: Global Traffic Manager (DNS)
Symptoms:
Creating an SRV wide IP results in stub zone creation even when matching zones already exist.
Conditions:
Creating an SRV wide IP with three more layers than the existing zone.
Impact:
Unnecessary stub zones created.
690116-1 : websso daemon might crash when logging set to debug
Component: Access Policy Manager
Symptoms:
If the authentication type is HTTP headers and the log level is set to debug, an incorrect parameter gets printed, and if it happens to be NULL the websso daemon crashes.
Conditions:
-- Authentication type is HTTP headers.
-- Log level is debug for WebSSO (the single-sign-on (SSO) functionality for Web access through the BIG-IP APM system).
Impact:
websso daemon might crash.
Workaround:
Set log level to Informational.
Note: The data logged specifically for debug level is targeted toward developers, and is rarely useful in a production environment.
Fix:
The websso daemon no longer crashes when running in debug logging mode and handling certain traffic.
690042-1 : Potential Tcl leak during iRule suspend operation
Solution Article: K43412307
Component: Local Traffic Manager
Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.
Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.
Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer leaks memory.
689730-3 : Software installations from v13.1.0 might fail★
Component: TMOS
Symptoms:
Installation terminates with the following final log messages:
info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.
Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
+ i2600
+ i2800
+ i4600
+ i4800
+ i5600
+ i5800
+ i5820
+ i7600
+ i7800
+ i7820
+ i10600
+ i10800
+ i11600
+ i11800
-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.
Impact:
Installation of new software cannot proceed.
Workaround:
Remove the '/shared/core' symlink, then restart the installation.
Fix:
The installer now properly detects the symlink and proceeds without error.
689691-2 : iStats line length greater than 4032 bytes results in corrupted statistics or merge errors
Component: TMOS
Symptoms:
You can create dynamic statistics using the istats command and the iStats directive in iRules. The maximum length of a line (the sum of all columns) is 4032 bytes. If the user attempts to create an iStat whose summed column sizes exceed this value, errors appear in the logs, and the statistic is not incremented or merged. Log messages appear similar to the following:
-- notice 4: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged at 0x42e2d50.
-- err tmm[21822]: 01220001:3: TCL error: /Common/istat_it <HTTP_REQUEST> - Error: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged (line 1) invoked from within "ISTATS::incr "ltm.virtual [virtual name] counter $host-$path" 1".
Conditions:
An iStat is created or modified such that the sum of the column widths is greater than 4032 bytes.
Impact:
Statistics corruption or merge errors occur. The statistic is not maintained. This is a system limit. An iStat should not be created such that its record length exceeds the 4032-byte limit.
Workaround:
This is a system limit. An iStat should not be created such that its record length exceeds the limit.
Fix:
Line length enforcement was added and an error log is output when the length is exceeded. Now, when the limit is reached, there are no corruption or merge errors. The system posts messages similar to the following in the tmm log file:
-- notice iStat for table 'ltm_virtual' column 'www_qqwabc3584' cannot be added as row size '4040' is too long at 0x46dcd90
To avoid errors like this, do not add columns to iStats in iRule directives.
689591-2 : When pingaccess SDK processes certain POST requests from the client, the TMM may restart
Component: Access Policy Manager
Symptoms:
The BIG-IP tmm may restart when processing the body of certain client POST requests that need to be inspected by the PingAccess policy server.
Conditions:
- BIG-IP virtual server is configured as policy decision point with PingAccess policy server.
- User sends a POST request to BIG-IP.
- Policy configured on PingAccess server requires inspection of the body of the POST request sent by the user.
Impact:
Traffic will be temporarily disrupted while tmm restarts.
Fix:
TMM will no longer restart when processing client's POST requests that need to be inspected by the PingAccess policy server.
689577-3 : ospf6d may crash when processing specific LSAs
Solution Article: K45800333
Component: TMOS
Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.
Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.
Impact:
OSPFv3 routing will be interrupted while the daemon restarts and the protocol re-converges.
Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.
Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.
689561-1 : HTTPS request hangs when multiple HTTPS virtual servers share the same IP address
Component: Local Traffic Manager
Symptoms:
SSL forward proxy reuses the server-side SSL session when the client IP, server IP, and server port match the cached SSL session. When multiple HTTPS virtual servers share the same IP address, the server-side SSL can reuse a session that was previously established through another virtual server. In that situation the certificate for the client side cannot be forged, and the SSL handshake hangs.
Conditions:
Multiple HTTPS virtual servers share the same IP address and internally share SSL sessions. This has been observed with several Google domains.
Impact:
Clients cannot access some HTTPS web servers.
Workaround:
A workaround is to disable "Session Ticket" in the server SSL profile. Because session ID resumption is not supported on the server SSL side, this forces a full handshake to the web server every time, so server_certchain will not be NULL.
Fix:
The server SSL session cache is now matched on the client IP, server IP, and server port as well as the SNI server name. After the fix, sessions whose server name does not match the virtual server are not reused.
689540-1 : The same DOS attack generates new signatures even if there are signatures generated during previous attacks.
Component: Anomaly Detection Services
Symptoms:
The same DOS attack generates new signatures even if there are signatures generated during previous attacks.
Conditions:
Repeated DOS attack with the same attacking traffic.
Impact:
Redundant, useless signatures are generated.
Workaround:
There is no workaround at this time.
Fix:
New signatures are no longer generated for requests that are already covered by existing signatures.
689491 : CPU usage reported as 'stolen' on vCMP guests with 1 core or htsplit disabled
Component: TMOS
Symptoms:
CPU usage stats are incorrect and system looks idle when it's actually busy
Conditions:
vCMP guests with one core, or with htsplit disabled.
Impact:
CPU stats are incorrect, which might make it difficult to troubleshoot problems.
689449-1 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.
Conditions:
- VIP configured with spdy/http2 and http with fallback-host.
Impact:
TMM may eventually enter aggressive sweeper mode, in which this memory is released. In the process, some legitimate connections may be killed.
Workaround:
No workaround at this time.
Fix:
BIG-IP no longer attempts to send a response with the fallback host configured in the HTTP profile when a connection is aborted by the client or due to an internal error. This prevents the internal flow from remaining in memory after the connection has died.
689437-1 : icrd_child cores due to infinite recursion caused by incorrect group name handling
Component: TMOS
Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.
Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.
Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.
Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.
Fix:
The icrd_child parsing logic has been updated so that it no longer enters recursion.
689375-1 : Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
Solution Article: K01512833
Component: TMOS
Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.
Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.
Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.
Workaround:
Modify the same setting through TMSH modify client/server SSL profile command, as follows:
tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled
tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled
Fix:
You can now modify 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled.
689343-2 : Diameter persistence entries with bi-directional flag created with 10 sec timeout
Component: Service Provider
Symptoms:
Diameter persistence entries have timeout value less than 10 seconds, although the configured persistence timeout is 120 seconds
Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.
Impact:
The persist timeout is less than 10 seconds, so subsequent requests are dispatched to other pool members.
Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.
Fix:
When the Diameter custom persistence iRule "DIAMETER::persist key 1" is used, the persist timeout value will be set correctly as configured.
689211-3 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
Component: TMOS
Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.
Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.
Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.
Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.
Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
bigstart restart
Fix:
Added a check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an all-zero address when forwarded.
689089-1 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
Component: Local Traffic Manager
Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.
Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:
"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"
Where "N" is the number of physical slots in the chassis (2, 4, or 8).
Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.
Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.
Fix:
The configuration file update logic has been changed to prevent file corruption during update.
689002-3 : Stack overflow when JSON is deeply nested
Component: TMOS
Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.
Conditions:
Deeply nested JSON returned from iControl-REST.
Impact:
icrd_child process coredumps.
Workaround:
None.
Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.
688942-5 : ICAP: Chunk parser performs poorly with very large chunk
Component: Service Provider
Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.
Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).
Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.
Workaround:
If possible, configure the ICAP server to chunk the response payload into multiple normal-sized chunks (up to a few tens of KB).
Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.
688911-1 : LTM Policy GUI incorrectly shows conditions with datagroups
Solution Article: K94296004
Component: TMOS
Symptoms:
When editing an LTM policy rule, the GUI defaults to using the datagroup value, overriding previous rule values, because the policy rule introduced the datagroups.
Conditions:
Editing a policy rule.
Impact:
The previous rule values are overridden by the datagroup's values.
Workaround:
Use TMSH to modify the rule.
Fix:
The GUI was updated to default to using the policy rule's values and not the datagroup values.
688813-2 : Some ASM tables can massively grow in size.
Solution Article: K23345645
Component: Application Visibility and Reporting
Symptoms:
/var/lib/mysql mount point gets full.
Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).
Impact:
While other dimensions are collapsed correctly, the Device ID field is not collapsed, causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.
Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.
Fix:
Over time, none of the AVR_STAT_ASM_HTTP_CLIENT_IP_X#...MYD files exceeds 300 MB, so this problem no longer occurs.
688744-1 : LTM Policy does not correctly handle multiple datagroups
Solution Article: K11793920
Component: Local Traffic Manager
Symptoms:
A policy is in use whose conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.
Conditions:
LTM Policy where the conditions reference two or more datagroups.
Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.
Workaround:
The only mitigation is to refactor the policy so that it does not refer to more than one datagroup-based condition.
Fix:
LTM Policy correctly handles policies referencing multiple datagroups.
688629-1 : Deleting data-group in use by iRule does not trigger validation error
Solution Article: K52334096
Component: Local Traffic Manager
Symptoms:
iRule aborts due to failed commands, causing connflow aborts.
Conditions:
-- Delete a data group.
-- An iRule on a virtual server uses that data-group.
Impact:
An in-use data-group can be deleted without error. The iRule aborts, leading to connflow aborts.
Workaround:
Don't delete data-groups in use by an iRule.
Fix:
An attempt to delete a data-group in use by an iRule now triggers a validation error.
688625-5 : PHP Vulnerability CVE-2017-11628
Solution Article: K75543432
688571-2 : Untrusted cert might be accepted by the server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
Solution Article: K40332712
Component: Local Traffic Manager
Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop', and the system receives the certificate from the backend server which is not trusted by current BIG-IP system, the expected behavior is that the system should end the connection.
However, the current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with the backend server.
Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.
-- Configure the 'untrusted-cert-response-control drop' in the server-ssl profile.
-- The corresponding server-ssl is configured at the virtual server.
Impact:
Virtual server might communicate with the backend server that sends the untrusted certificate to the BIG-IP system. Untrusted cert could still be accepted by the server-ssl virtual server even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
Workaround:
None.
Fix:
When the system receives the untrusted certificate from backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system will end the current SSL handshake procedure instead of continuing to proceed to finish it.
688570-5 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
Component: Local Traffic Manager
Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.
Conditions:
An MPTCP connection is closed.
Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.
Workaround:
There is no workaround at this time.
Fix:
Fixed event processing at the end of a connection.
688557-1 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
Solution Article: K50462482
Component: Local Traffic Manager
Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.
Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.
Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.
Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
Fix:
The 'tmsh help ltm monitor sasp' command now lists the correct default value for the 'mode' parameter.
688516-1 : vCMPd may crash when processing bridged network traffic
Solution Article: K03165684
688406-1 : HA-Group Score showing 0
Solution Article: K14513346
Component: TMOS
Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.
Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.
Impact:
The total score is not calculated. An incorrect score value is displayed.
Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.
Fix:
The total HA-Group Score is now displayed correctly.
688246-1 : An invalid mode in the LSN::persistence command causes TMM crash
Component: Carrier-Grade NAT
Symptoms:
When an iRule is triggered and the LSN::persistence command is passed an invalid persistence mode, TMM will crash.
Conditions:
An iRule using the LSN::persistence command with an invalid persistence mode that is attached to a Virtual Server and is triggered by traffic.
Impact:
TMM restarts. Traffic is interrupted. It is likely that the iRule will be triggered again causing repeated crashes.
Workaround:
The persistence mode must be set to one of "none", "address", "address-port" or "strict-address-port".
Fix:
TMM no longer crashes when an invalid persistence mode is used. Instead the LSN::persistence command returns an error.
688148-3 : IKEv1 racoon daemon SEGV during phase-two SA list iteration
Component: TMOS
Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.
Conditions:
Deleting phase-two SAs, either manually or in response to notifications.
Impact:
IKEv1 tunnel outage until the racoon daemon restarts.
Workaround:
None.
Fix:
Fixed list iteration to use the correct list linkage, so iterating one phase-one SA's list no longer visits the global list of phase-two SAs instead.
688011-7 : Dig utility does not apply best practices
Solution Article: K02043709
688009-7 : Appliance Mode TMSH hardening
Solution Article: K46121888
687987 : Presentation of signatures in human-readable format
Component: Anomaly Detection Services
Symptoms:
When publishing signature with predicates such as http.referer and http.uri, the system presents the result of the hash operation as follows: http.uri_file_hashes-to 42
Conditions:
Always when publishing signature with predicates such as http.referer and http.uri.
Impact:
It is not clear what '42' means.
Workaround:
None.
Fix:
When publishing signatures, the system now presents the hashes as follows:
http.referer_hashes-like '/zzz'
http.uri_file_hashes-like '/123'
687986 : High CPU consumption during signature generation; number of signatures per virtual server not limited
Component: Anomaly Detection Services
Symptoms:
The number of the signatures per virtual server is not limited. This can result in a very large number of generated signatures during sophisticated attacks that use changing patterns. After a time, when a system experiences a number of attacks, the list of generated signatures can be too long.
Conditions:
-- Sophisticated attacks that use changing patterns.
-- System experiences a large number of attacks.
Impact:
High CPU utilization when mitigating. Overloaded GUI signatures screen.
Workaround:
Manually remove old / not-often-used signatures.
Fix:
The system now limits the number of signatures per virtual server, and optimizes per-signature operations.
687984 : Attacks that randomize HTTP header parameters generate too many signatures
Component: Anomaly Detection Services
Symptoms:
When attackers randomize HTTP header parameters, Behavioral DoS (BADoS) might generate too many signatures.
Conditions:
Attacks that randomize HTTP header parameters.
Impact:
The list of generated signatures is too long. It produces unnecessary CPU utilization for attack mitigation.
Workaround:
None.
Fix:
Improved the algorithm that detects randomization.
687937-1 : RDP URIs generated by APM Webtop are not properly encoded
Component: Access Policy Manager
Symptoms:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are not properly encoded. As a result, the RDP client might misinterpret the URI when an RDP parameter contains the ampersand (&) symbol.
Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.
One of the RDP parameters contains a symbol that should be URI encoded, e.g., '&'.
Impact:
The RDP client misinterprets the URI, which may result in failure to open the RDP resource.
Workaround:
None.
Fix:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are now properly encoded.
687905-2 : OneConnect profile causes CMP redirected connections on the HA standby
Solution Article: K72040312
Component: TMOS
Symptoms:
When a virtual server uses a OneConnect profile in an HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and a memory leak on high availability (HA) standby systems, including high memory usage on standby units.
Conditions:
-- Virtual server uses OneConnect profile in HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.
Impact:
Redirected connections and memory leak on a standby device.
Workaround:
Remove OneConnect profile from the virtual server.
687759-1 : bd crash
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
687658 : Monitor operations in transaction will cause it to stay unchecked
Component: TMOS
Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.
Conditions:
This only happens within transactions.
Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.
Impact:
Monitor state never returns to its correct value.
Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.
687635-1 : Tmm becomes unresponsive and might restart
Solution Article: K58002142
Component: Local Traffic Manager
Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.
Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.
Impact:
Tmm becomes unresponsive and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm correctly shuts down HTTPS connection.
687534-1 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
Component: TMOS
Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool
Conditions:
This issue occurs when a pool name contains .. in the name.
Impact:
Cannot add a Member to the pool using the GUI.
Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
tmsh modify ltm pool <pool name> members add { <member info> }
Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.
687353-1 : Qkview truncates tmstat snapshot files
Solution Article: K35595105
Component: TMOS
Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.
Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).
Note: 5 MiB is qkview utility's default maximum file size value.
Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.
Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0
687205-2 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
Component: Local Traffic Manager
Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.
Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.
Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.
Workaround:
None.
687128-1 : gtm::host iRule validation for ipv4 and ipv6 addresses
Component: Global Traffic Manager (DNS)
Symptoms:
The gtm::host iRule command does not validate that the given host matches the type of the WideIP it is attached to.
Conditions:
An AAAA-type wideip with an ipv4 gtm::host iRule, or an A-type wideip with an ipv6 gtm::host iRule.
Impact:
Incorrect host information is returned.
Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.
Fix:
Fixed the issue that allowed incorrect gtm::host iRule commands to trigger on the wrong wideip types.
686972-4 : The change of APM log settings will reset the SSL session cache.
Component: Local Traffic Manager
Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Subsequent resumption of SSL sessions may also fail after such a change, causing full SSL handshakes to occur more frequently.
Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.
Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.
Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.
Fix:
A change of APM log settings now limits its effect to the APM module instead of affecting other modules' (SSL) data.
686926-2 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly
Component: TMOS
Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.
Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.
Impact:
The SA negotiation fails when a responder includes N(cookie) in an SA_INIT response, because the second response appears to have an out-of-order message ID when the BIG-IP system believes the first message_id of zero was already handled earlier.
Workaround:
None.
Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.
686906-2 : Fragmented IPv6 packets not handled correctly on Virtual Edition
Component: TMOS
Symptoms:
Use of IP fragmentation with IPv6 packets might not be handled correctly by BIG-IP Virtual Edition (VE) platforms. The initial fragment is received, but subsequent fragments are discarded.
Conditions:
VE with IPv6 packets and IP fragmentation.
Impact:
Traffic which depends upon fragmented IPv6 packets will not be successfully processed.
Workaround:
There is no workaround at this time.
Fix:
These fragments are now handled correctly in the same manner as IPv4.
686890-1 : X509_EXTENSION memory blocks leak when C3D forges the certificate.
Component: Local Traffic Manager
Symptoms:
One X509_EXTENSION memory block leaks when C3D forges the certificate.
Conditions:
When C3D forges the certificate.
Impact:
X509_EXTENSION memory blocks leak each time a certificate is forged successfully.
Workaround:
None.
Fix:
The system now frees the leaked X509_EXTENSION when C3D forges the certificate.
686765-2 : Database cleaning failure may allow MySQL space to fill the disk entirely
Component: Application Security Manager
Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.
In /var/log/ts/asm_config_server.log you might see these errors repeatedly:
Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full
Conditions:
This occurs if database cleaning failures occur.
Impact:
Disk will fill up, and you will be unable to modify ASM policies.
686631-2 : Deselect a compression provider at the end of a job and reselect a provider for a new job
Component: Local Traffic Manager
Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.
Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.
Impact:
It affects the compression provider selection.
Workaround:
None.
Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.
686517-2 : Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
Component: Application Security Manager
Symptoms:
Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
Conditions:
-- ASM provisioned.
-- A parent policy exists that has no active children.
Impact:
On a chassis failover, the new Primary slot will have an outdated version of the parent policy.
Workaround:
None.
Fix:
Changes to a parent policy that has no active children are now synced to the secondary chassis slots.
686510-1 : If tmm was restarted during an attack, the attack might appear ongoing in GUI
Component: Application Visibility and Reporting
Symptoms:
Attack appears ongoing, even though it ended.
Conditions:
Rare condition of tmm restart during an attack.
Impact:
The GUI falsely shows the attack as ongoing, even though it ended.
Workaround:
No workaround.
Fix:
Now, when tmm is restarted during an attack, this specific attack is shown as ended in DoS overview page after 15 minutes.
686470-1 : Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load.
Component: Application Security Manager
Symptoms:
AJAX requests are not sent, JavaScript errors, AJAX-based web-app malfunctions.
Conditions:
1a. Single page application enabled either via a DoS application profile or in an ASM policy.
1b. AJAX Response Page enabled via ASM policy.
2. Web application client-side code uses jQuery or any other AJAX client-side framework.
Impact:
AJAX requests might not be sent, and the website's client-side functionality related to the AJAX requests might not work as expected.
Workaround:
Disable Single Page Application support.
Fix:
Fixed Single Page Application AJAX hook to support the AJAX response onload callback re-assignment.
686452-1 : File Content Detection Formats are not exported in Policy XML
Component: Application Security Manager
Symptoms:
If a policy is configured with Data Guard enabled with File Content Detection, the selected File Content Detection Formats are not correctly exported in the Policy XML.
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.
Conditions:
A policy is configured with Data Guard enabled with File Content Detection, and then exported in XML format.
Impact:
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.
The formerly selected file content formats will not be correctly identified.
Workaround:
Use Binary Policy import/export.
Fix:
File Content Detection Formats are correctly exported.
686389-1 : APM does not honor per-farm HTML5 client disabling at the View Connection Server
Component: Access Policy Manager
Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.
With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.
Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.
Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.
Workaround:
There is no workaround at this time.
Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.
Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.
686376-2 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
Component: Advanced Firewall Manager
Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show error status: Firewall rules deployment failed. After the system gets in this state it cannot be fixed except by removing or disabling all scheduled firewall rules.
Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.
Impact:
After this failure, firewall rules are not applied on data traffic.
Workaround:
Remove or disable all scheduled firewall rules.
Fix:
The new blob is now deployed and the new firewall rules are applied successfully.
686307-3 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
Solution Article: K10665315
Component: Local Traffic Manager
Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.
Note: Without LTM policies in the configuration, monitors upgrade without problem.
Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.
Impact:
Monitors may not work after upgrade.
Workaround:
No workaround at this time.
Fix:
This release addresses the underlying problem so the issue no longer occurs.
686305-1 : TMM may crash while processing SSL forward proxy traffic
Solution Article: K64552448
686228-1 : TMM may crash in some circumstances with VLAN failsafe
Solution Article: K23243525
Component: Local Traffic Manager
Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic-generating mechanisms.
Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses to the generated traffic are received in fast succession.
Impact:
A TMM core file may be produced. Traffic is disrupted while TMM restarts.
Workaround:
Relax the timer to the default VLAN failsafe timer setting.
Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.
686190-1 : LRO performance impact with BWC and FastL4 virtual server
Component: TMOS
Symptoms:
Using Bandwidth controller (BWC) might result in a very large drop in performance of up to 75%. In this release, Large receive offload (LRO) is enabled by default.
Conditions:
-- BWC is configured.
-- Virtual server has a FastL4 profile assigned.
-- LRO is enabled (enabled by default in 13.1.0).
Impact:
Very large performance impact to the BWC policy (up to 75%). For example, if the BWC policy rate limit is set to 100Mb, the actual rate limit could be 25Mb.
Workaround:
Disabling LRO recaptures most of the performance degradation related to using FastL4. To disable LRO (this is a system-wide setting), run the following command:
tmsh modify sys db tm.largereceiveoffload value disable
Important note: Although you can disable LRO to recapture much of the 13.0.0-level performance, you will likely still experience some impact: 2-5% for small files, 17-22% degradation for the '10 requests per connection' benchmark. The only guaranteed way to avoid performance degradation is to remain on version 13.0.0.
686124-1 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
Solution Article: K83576240
Component: TMOS
Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.
Conditions:
Events causing deletion of phase one IKE SAs.
Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.
Workaround:
None.
Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.
686108-1 : User gets blocking page instead of captcha during brute force attack
Component: Application Security Manager
Symptoms:
Unexpected blocking page while captcha is configured.
Conditions:
-- Brute force configured with alarm and captcha mitigation.
-- The only source configured is username.
-- These are the first failed login requests after a system start up or after a login page configuration change.
Impact:
Unexpected blocking page mitigation where captcha mitigation was expected.
Workaround:
There are two workarounds:
-- Access the login page at least 10 times within 5 minutes.
-- Run the following command: tmsh modify sys db asm.cs_qualified_urls value <YOUR_LOGIN_URL>
Fix:
Fixed an issue with unexpected blocking page while captcha is configured.
686065-2 : RESOLV::lookup iRule command can trigger crash with slow resolver
Component: Local Traffic Manager
Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.
Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousands of connections triggering resolution of the same name.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove RESOLV::lookup from the workflow if it is not required.
Fix:
The scenario now works as expected and no longer results in a crash.
686029-2 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
Component: TMOS
Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.
Conditions:
Deleting a VLAN while other VLANs share tagged member interfaces with the VLAN being deleted.
Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.
Workaround:
None.
Fix:
FDB flushing on VLAN deletes is now limited in scope to the VLAN being deleted.
685964-1 : cs_qualified_urls bigdb does not cause configured URLs to be qualified.
Component: Application Security Manager
Symptoms:
cs_qualified_urls is configured but is not functional.
Conditions:
-- cs_qualified_urls is configured.
-- A request to the URL listed in the bigdb arrives.
-- The URL is seen as non-qualified although configured.
Impact:
URLs listed in cs_qualified_urls are not treated as qualified, so the configuration has no effect.
Workaround:
None.
Fix:
Fixed a bigdb issue with the cs_qualified_urls variable.
685862-1 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as a SAML IdP and signing is configured, BIG-IP signs the message with the configured signing key but includes the last certificate from the configured signing certificate chain in the SAML protocol message. The expected behavior is to include the first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.
Conditions:
All of the following:
- BIG-IP is used as a SAML IdP, or as a SAML SP with SLO configured.
- BIG-IP generates a signed SAML response containing an assertion, or a signed SLO request/response.
- The signing certificate configured on BIG-IP is a certificate chain and not a single certificate.
Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementations may drop a signed SAML message if the last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that the signing operation itself is performed correctly by BIG-IP using the configured signing certificate, and the digital signature will contain the correct value.
Workaround:
Instead of using a signing certificate chain, change the BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (a single X509 object) by extracting the first certificate from the chain.
Fix:
After the fix, BIG-IP will include the first certificate found within the configured signing certificate (chain).
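As an added example (not F5 code), the following script shows the workaround and a check for this issue: it splits a PEM bundle into its certificates, builds the standalone first-certificate file the workaround calls for, and classifies which chain member a signed SAML message embeds in ds:KeyInfo. The bundle and the SAML Response skeleton are constructed placeholders; the certificate bodies are not real X.509 data.

```python
import base64
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def pem_certificates(bundle):
    """Return the base64 body of every certificate in a PEM bundle, in file
    order, with line breaks removed so bodies compare as single strings."""
    return ["".join(body.split()) for body in PEM_BLOCK.findall(bundle)]


def standalone_first_certificate(bundle):
    """The workaround above: a PEM file holding only the chain's first
    certificate, to be configured as the signing certificate."""
    body = pem_certificates(bundle)[0]
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def embedded_certificate(saml_xml):
    """The certificate carried in the message's ds:KeyInfo, or None."""
    el = ET.fromstring(saml_xml).find(".//{%s}X509Certificate" % DS_NS)
    if el is None or not el.text:
        return None
    return "".join(el.text.split())


def check_embedded_certificate(saml_xml, bundle):
    """Classify which chain member a signed SAML message embeds:
    'first' (expected), 'last' (the behavior fixed here), 'other' or 'missing'."""
    chain = pem_certificates(bundle)
    embedded = embedded_certificate(saml_xml)
    if embedded is None:
        return "missing"
    if embedded == chain[0]:
        return "first"
    if embedded == chain[-1]:
        return "last"
    return "other"


def signed_response(cert_body):
    """Constructed minimal signed SAML Response skeleton (SignedInfo and
    SignatureValue omitted) carrying the given certificate in ds:KeyInfo."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:ds="{DS_NS}" ID="_constructed" Version="2.0">'
        '<ds:Signature><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{cert_body}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')


# Constructed sample chain: placeholder base64 bodies, not real DER certificates.
SIGNING_CERT = base64.b64encode(b"constructed signing certificate").decode()
ISSUER_CERT = base64.b64encode(b"constructed intermediate CA certificate").decode()
BUNDLE = (f"-----BEGIN CERTIFICATE-----\n{SIGNING_CERT}\n-----END CERTIFICATE-----\n"
          f"-----BEGIN CERTIFICATE-----\n{ISSUER_CERT}\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Before the fix the last certificate of the bundle was embedded.
    print("pre-fix message embeds:",
          check_embedded_certificate(signed_response(ISSUER_CERT), BUNDLE))
    # After the fix (or with the standalone workaround) it is the first one.
    print("fixed message embeds:",
          check_embedded_certificate(signed_response(SIGNING_CERT), BUNDLE))
    print(standalone_first_certificate(BUNDLE))
```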
685771-1 : Policies cannot be created with SAP, OWA, or SharePoint templates
Component: Application Security Manager
Symptoms:
Attempting to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Template fails.
Conditions:
Attempt to create a security policy using the "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Templates.
Impact:
Policy creation fails.
Workaround:
None.
Fix:
Policies can be created using these factory templates.
685743-5 : When internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported
Component: Application Security Manager
Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.
Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.
Impact:
Requests might be blocked, and no reason is reported.
Workaround:
Reset internal 'request_buffer_size' to default.
Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.
685708-4 : Routing via iRule to a host without providing a transport from a transport-config created connection cores
Component: Service Provider
Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.
Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.
Fix:
The system will no longer core.
685628-1 : Performance regression on B4450 blade★
Component: Performance
Symptoms:
Performance degradation may occur for certain types of traffic when the system is under heavy traffic load. L4 and L7 performance may be degraded by up to 5% compared to previous BIG-IP releases.
Conditions:
- L4 and L7 traffic when system is under heavy traffic load.
- VIPRION B4450 blades.
Impact:
You may encounter a performance degradation for certain types of traffic upon upgrading.
Workaround:
None.
Fix:
Performance regression on B4450 blade has been eliminated.
685615-4 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Solution Article: K24447043
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
Fix:
The source-mac-address for host traffic is now set correctly.
685582-7 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
Fix:
The unit key hash is now the correct length and is consistent upon each 'f5mku -f' command.
685519-1 : Mirrored connections ignore the handshake timeout
Component: Local Traffic Manager
Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.
Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.
Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.
Workaround:
None.
Fix:
Mirrored connections now honor the TCP handshake timeout.
685475-1 : Unexpected error when applying hotfix
Solution Article: K93145012
Component: TMOS
Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIG-IP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.
Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.
For example, to apply 'Hotfix-BIG-IP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIG-IP-11.6.1.0.0.317.iso'.
Here is another example, on multi-bladed VIPRION systems (the issue is resolved by running 12.1.3.6):
1) Install and boot into 12.0.0 on the VIPRION system:
-- install /sys software image 12.0.0.iso create-volume volume HD1.test
-- reboot volume HD1.test
2) Install and boot into 12.1.2.0.402.249:
-- install /sys software hotfix Hotfix-BIG-IP-12.1.2.0.402.249-ENG.iso create-volume volume HD1.test2
-- reboot volume HD1.test2
3) Delete 12.0.0.iso and volume HD1.test:
-- delete sys software image 12.0.0.iso
-- delete sys software volume HD1.test
4) Copy over Hotfix-BIG-IP-13.1.0.7.0.17.1-ENG.iso without the 13.1.0.7 base image.
5) Check the /var/log/ltm logs for the following message:
-- lind[6288]: 013c0006:5: Image (BIG-IP-12.0.0.0.0.606.iso) has a software image entry in MCP database but does not exist on the filesystem.
Impact:
Cannot apply hotfix until the full base image is present.
Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation operation again.
Fix:
Issuing an 'install hotfix' command when the base image is not available now sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.
685467-1 : Certain header manipulations in HTTP profile may result in losing connection.
Solution Article: K12933087
Component: Local Traffic Manager
Symptoms:
The HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarded to a pool member. When a virtual server has an iRule with a collect command such as SSL::collect, it is affected by the HTTP profile processing. The same issue affects the 'Request Header Erase' option of the HTTP profile.
Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).
Impact:
TCP connection is reset, and no response is provided to a client.
Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.
Fix:
Connections are no longer reset due to the 'Insert X-Forwarded-For' and 'Request Header Erase' configuration options in the HTTP profile.
685458-7 : merged fails merging a table when a table row has incomplete keys defined.
Solution Article: K44738140
Component: TMOS
Symptoms:
There is a timing issue in merged where it fails when processing a table row with incomplete keys defined.
Conditions:
There are no specific conditions required beyond merged running (which is true on every BIG-IP system) and the BIG-IP system processing a table row with incomplete keys defined.
Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.
Impact:
There will be a gap of a few seconds in available statistics while a core file is being created and merged restarts.
Workaround:
None.
Fix:
merged now detects this scenario, a table row with incomplete keys defined, and does not fail.
685254-2 : RAM Cache Exceeding Watchdog Timeout in Header Field Search
Solution Article: K14013100
Component: Local Traffic Manager
Symptoms:
SOD halts TMM while RAM cache is processing a header.
Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.
Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.
Workaround:
No workaround at this time.
Fix:
SOD no longer halts TMM while RAM cache is processing a header.
685230-3 : memory leak on a specific server scenario
Component: Application Security Manager
Symptoms:
The bd process memory increases.
Conditions:
A specific server scenario of handling the traffic.
Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.
Workaround:
There is no workaround at this time.
Fix:
A memory leak related to a specific server scenario was fixed.
685207-1 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.
Conditions:
1. Log in to the client IP address and send the ab request.
2. Once the DoS attack starts, send the curl request hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. The unencoded Referer header is visible.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
685193-1 : If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies
Component: Application Security Manager
Symptoms:
If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies.
Conditions:
1) Create Parent policy and set some section's Inheritance to None.
2) Create child policy and assign it to the parent created above.
3) Go to the Parent Policy Inheritance Setting tab; the number of comments for sections set to None equals the number of child policies.
Impact:
An incorrect number of Comments is shown in Inheritance Settings.
Workaround:
None.
Fix:
The correct number of comments is now shown for each section in the Inheritance Setting tab for the Parent Policy. In the case of None inheritance, nothing is shown.
685164-1 : In partitions with default route domain != 0 request log is not showing requests
Component: Application Security Manager
Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.
Conditions:
Select a partition whose default route domain is not 0 (zero).
Impact:
No requests in request log.
Workaround:
As a partial workaround, you can use [All], but it's read only.
Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).
685110-1 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
Solution Article: K05430133
Component: Local Traffic Manager
Symptoms:
1. FQDN nodes/pools fail to populate with members.
2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:
err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.
Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.
Impact:
Unable to use FQDN nodes/pool members with a non-LTM license.
Workaround:
None.
Fix:
With a non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.
685056 : VE OVAs are not the supported platform to run VMware guest OS customization
Component: TMOS
Symptoms:
VMware vCenter fails to create customization specification wizard because the BIG-IP Virtual Edition (VE) OVA's OSType is set to 'Other 64-bit'.
Conditions:
When applying VMware guest OS customization on VMware BIG-IP VE.
Impact:
VMware guest OS customization fails (cannot create customization specification wizard).
Workaround:
You can use either of the following workarounds:
- Apply VMware guest OS customization with 'ovftool'.
- Manually set OSType to 'Other 3.x Linux 64-bit'.
Fix:
OS type embedded in .ovf file in VE OVAs has been changed from 'Other 64-bit' to 'Other 3.x Linux 64-bit' to enable VMware guest OS customization.
Behavior Change:
In this release, the OS type set in .ovf file in the BIG-IP VE SCSI OVA images for VMware has been changed from 'Other 64bit' to 'Other 3.x Linux 64bit'. This enables 'VMware Guest Customization' via VMware vCenter.
685020-3 : Enhancement to SessionDB provides timeout
Component: TMOS
Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.
Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.
Impact:
Calls made to SessionDB never return from the remote TMM.
Workaround:
None.
Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
684937-3 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Solution Article: K26451305
Component: Access Policy Manager
Symptoms:
APM performance when handling HTTP requests drops gradually over time when Kerberos SSO is used.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets, and the latency of HTTP request processing has been significantly improved.
684852-1 : Obfuscator not producing deterministic output
Component: Fraud Protection Services
Symptoms:
Proactive defense challenge is not passed.
Conditions:
The obfuscator does not produce the same output for the same pair of key and seed. Therefore, on multi-blade devices or in active-active deployments, the problem occurs when the request to the page (url=/) and the request to the javascript (/TSPD/*?type=10) each go to a different blade or a different device.
More frequently, it happens when the page and javascript are loaded from the same blade, but the javascript is stored in the cache.
Then another refresh, and the request goes to the second blade. Because the javascript in the cache was received from the first blade, it does not match the page.
Impact:
Proactive defense challenge is not passed; challenge remains on blank page on chassis.
Workaround:
None.
Fix:
The obfuscator now uses a common Random object.
684583-1 : Builtin Okta Scopes Request object uses client-id and client-secret
Component: Access Policy Manager
Symptoms:
The Builtin Okta Scopes Request object uses client credentials instead of resource server credentials.
Conditions:
Using the Builtin Okta Scopes Request object.
Impact:
Scope requests with the Builtin Okta Scopes Request object fail.
Workaround:
Use modified Request object.
Fix:
The Builtin Okta Scopes Request object is fixed to use resource server credentials.
684391-3 : Existing IPsec tunnels reload. tmipsecd creates a core file.
Component: TMOS
Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.
Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.
Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.
Workaround:
None.
Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.
684370-1 : APM now supports VMware Workspace ONE integration with VIDM as ID Provider
Component: Access Policy Manager
Symptoms:
When VMware Horizon resources are behind APM, you can see available desktops and applications on the VMware Workspace One (WS1) portal, but you cannot launch them.
Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- Authenticate with VMware Identity Manager (VIDM) and see available virtual desktops and applications on WS1 portal.
-- Attempt to launch a virtual desktop or application with VMware HTML5 client.
Impact:
BIG-IP users get authenticated with VIDM and can see available desktops and applications on the WS1 portal, but cannot launch a desktop or application with View HTML5 client.
Workaround:
Not applicable.
Fix:
APM now supports VMware Workspace One (WS1) with VMware Identity Manager (VIDM) as the Identity Provider and APM as a service provider, protecting VMware Horizon desktops and applications.
684333-1 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.
Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.
Impact:
PEM session created using Gx may get deleted.
Workaround:
Initiate failover using alternate commands, such as the following:
tmm big start restart.
684325-1 : APMD Memory leak when applying a specific access profile
Component: Access Policy Manager
Symptoms:
When an access profile has a CheckMachineCert agent, each update of the profile using 'Apply access policy' leaks 12096 bytes of memory.
Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.
Impact:
APMD process stops after repeated application of the script.
Workaround:
None.
Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.
684312-1 : During Apply Policy action, bd agent crashes, causing the machine to go Offline
Solution Article: K54140729
Component: Application Security Manager
Symptoms:
During an Apply Policy action, bd agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------
This causes the bd and bd_agent processes to restart, and the machine to go Offline.
Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.
Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.
Workaround:
None.
Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.
684218-1 : vADC 'live-install' Downgrade from v13.1.0 is not possible
Component: TMOS
Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.
Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:
image2disk --format=volumes --nosaveconfig 11.5.4
Impact:
The request is not allowed; no changes are made.
Workaround:
Deploy a new 11.5.4 software image via the hypervisor environment.
684033-3 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
Solution Article: K70084351
683741-1 : APM now supports VMware Workspace ONE integration with vIDM as ID Provider
Component: Access Policy Manager
Symptoms:
When VMware Horizon resources are behind APM, the APM end user is able to see available desktops and applications on the VMware Workspace ONE portal but is not able to launch them.
Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- APM end user authenticates with VMware Identity Manager (IDM) and sees available virtual desktops and applications on Workspace ONE portal.
-- APM end user attempts to launch a virtual desktop or application with VMware native client.
Impact:
Users authenticate but are not able to launch a desktop or application with the View native client.
Workaround:
None.
Fix:
APM now supports VMware Workspace ONE with VMware IDM as Identity Provider and APM as service provider, protecting VMware Horizon desktops and applications.
683697-1 : SASP monitor may use the same UID for multiple HA device group members
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.
The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.
Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.
It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).
Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.
Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration, https://support.f5.com/csp/article/K13030) allows recovery from this condition.
It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.
Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.
683508-1 : WebSockets: umu memory leak of binary frames when remote logger is configured
Solution Article: K00152663
Component: Application Security Manager
Symptoms:
ASM out of memory error messages in /var/log/asm.
Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.
Impact:
ASM out of memory, memory leak.
Workaround:
Remove ASM remote logging profile from a virtual server.
Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.
683474 : The case-sensitive problem during comparison of 2 Virtual Servers
Component: Application Visibility and Reporting
Symptoms:
The "incident types volume graph" fails to load if incidents are filtered by Virtual Server.
Impact:
Chart of incident data will not be displayed.
Workaround:
Avoid creating virtual servers whose names differ only in letter case (capital versus small letters).
Fix:
The monpd process now uses a case-sensitive comparison of virtual servers.
683389-3 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.
Conditions:
Attempt to create local SharedObject.
Impact:
Affected Flash applications are not working when accessed through Portal Access.
Workaround:
None.
Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.
683297-2 : Portal Access may use incorrect back-end for resources referenced by CSS
Component: Access Policy Manager
Symptoms:
If an HTML page references an external CSS file with a URL beginning with '//', then host-less references in that CSS file are handled incorrectly by Portal Access.
Conditions:
- HTML page at http://example.host/page.html:
<link rel=stylesheet href=//another.host/some/path/my.css>
- and this CSS contains a reference with an absolute path like this:
html { background-image: url(/misc/image/some.png); }
Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.
Impact:
Web application may not work correctly.
Workaround:
Use an iRule to correct the back-end host.
Fix:
Portal Access uses correct back-end host for references in CSS files included with scheme-less URL.
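The resolution chain for the conditions above, as an added example (not F5 code): each url(...) reference must be resolved against the stylesheet's own URL, which is itself resolved against the including page, so a scheme-less '//another.host/...' href inherits the page's scheme but keeps its own host. The sample page, href and CSS text are constructed here; resolve_css_refs_against_page models the defective behaviour the page describes, not Portal Access's actual implementation.

```python
import re
from urllib.parse import urljoin, urlsplit

# Matches url(...) references in CSS, with or without quotes around the path.
URL_REF = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")


def resolve_css_refs(page_url, css_href, css_text):
    """Correct resolution: resolve the stylesheet href against the page first,
    then resolve every reference inside the stylesheet against the stylesheet."""
    css_url = urljoin(page_url, css_href)   # '//another.host/...' keeps its host
    return [urljoin(css_url, ref.strip()) for ref in URL_REF.findall(css_text)]


def resolve_css_refs_against_page(page_url, css_text):
    """Model of the defect described above (hypothetical, for comparison only):
    references are resolved against the HTML page, so a host-less path such as
    /misc/image/some.png lands on the page's host instead of the CSS host."""
    return [urljoin(page_url, ref.strip()) for ref in URL_REF.findall(css_text)]


def backend_host(url):
    """Back-end host a rewriting proxy must forward this reference to."""
    return urlsplit(url).netloc


# Constructed sample mirroring the conditions in the entry above.
PAGE = "http://example.host/page.html"
CSS_HREF = "//another.host/some/path/my.css"
CSS = """
html { background-image: url(/misc/image/some.png); }
.logo { background: url('img/logo.png') no-repeat; }
"""

if __name__ == "__main__":
    for url in resolve_css_refs(PAGE, CSS_HREF, CSS):
        print(backend_host(url), url)
```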
683241-1 : Improve CSRF token handling
Solution Article: K70517410
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
Fix:
CSRF token handling now follows current best practices.
683131-1 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★
Component: TMOS
Symptoms:
BIG-IP software installations will fail and report a status of:
waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)
Conditions:
- Perform software installation in a vCMP guest when guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- Hypervisor has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)
- Guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)
Impact:
Software installation fails, and will not complete/continue.
Workaround:
Delete the base software image from either the hypervisor's or the guest's file system.
Fix:
The condition no longer causes an error; the installation request successfully runs to completion.
683114-2 : Need support for 4th element version in Update Check
Component: TMOS
Symptoms:
Previously, there was no 4th element version Update Check functionality.
Conditions:
Using Update Check.
Impact:
No 4th element version support provided.
Workaround:
None.
Fix:
There is now 4th element version support in Update Check.
683113-3 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Solution Article: K22904904
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.
Websso CPU usage is very high.
The BIG-IP system response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.
Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
683029-1 : Sync of virtual address and self IP traffic groups only happens in one direction
Component: TMOS
Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.
Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)
Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.
Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.
682944-1 : key-id missing for installed netHSM key for standby BIG-IP system in HA setup
Component: Local Traffic Manager
Symptoms:
In a BIG-IP high availability (HA) configuration, the installed netHSM key has an empty key-id string on the standby BIG-IP system. That is, the BIG-IP system on which the key was actually installed displays the key-id string properly, but its peer BIG-IP system does not display a key-id string for the installed key.
Conditions:
-- nethsm key installed.
-- Standby BIG-IP system in an HA configuration.
Impact:
The peer BIG-IP system does not display the key-id string.
Workaround:
Even though key-id does not display, the key is present on the peer BIG-IP system and can be used there.
Fix:
The netHSM key for standby BIG-IP system in HA configurations now shows up after a successful configsync.
682837-2 : Compression watchdog period too brief.
Component: TMOS
Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.
Conditions:
Very high sustained system-wide compression request traffic.
Impact:
Accelerated compression throughput can drop significantly; some flows dropped.
Workaround:
Switch to software compression.
Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.
682500-2 : VDI Profile and Storefront Portal Access resource do not work together
Component: Access Policy Manager
Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.
Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.
Impact:
Citrix Storefront portal access resource cannot be used to launch applications.
Workaround:
None.
Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.
682335-1 : TMM can establish multiple connections to the same gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.
Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If there is an existing connflow to the gtmd, TMM no longer starts another connection.
682283-2 : Malformed HTTP/2 request with invalid Content-Length value is served, contrary to the RFC
Component: Local Traffic Manager
Symptoms:
An HTTP/2 request can include a Content-Length header. When the value of the Content-Length header does not match the sum of the lengths of all DATA frames in the stream, the RFC requires that the system reset the stream.
Conditions:
-- A virtual server is configured with an HTTP/2 profile.
-- The value of the Content-Length header does not match the sum of the lengths of all DATA frames in the stream.
Impact:
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.
Workaround:
None.
Fix:
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.
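The check the fix describes, as an added example that is not F5 code: a minimal HTTP/2 frame parser that totals the body bytes of each stream's DATA frames (padding excluded) and, at END_STREAM or as soon as the total overshoots, decides whether the stream must be reset. The declared Content-Length per stream is passed in as an already-decoded value (HPACK decoding of the HEADERS frame is assumed to have happened elsewhere), and the sample frames are constructed inline.

```python
FRAME_HEADER_LEN = 9
TYPE_DATA, TYPE_HEADERS = 0x0, 0x1
FLAG_END_STREAM, FLAG_PADDED = 0x1, 0x8
RST_STREAM = "RST_STREAM(PROTOCOL_ERROR)"


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags,
    31-bit stream id (reserved bit cleared), followed by the payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def body_len(flags, payload):
    """Body bytes carried by a DATA frame. The Pad Length octet and trailing
    padding are not part of the body, so they are excluded from the count."""
    if flags & FLAG_PADDED:
        if not payload or payload[0] >= len(payload):
            raise ValueError("padding length exceeds frame payload")
        return len(payload) - 1 - payload[0]
    return len(payload)


def check_content_length(buf, declared):
    """declared maps stream id -> Content-Length decoded from that stream's
    HEADERS frame (assumption: HPACK decoding already done). Returns
    {stream_id: "ok" | RST_STREAM} for each declared stream that ended or
    already overshot its declared length."""
    received = {sid: 0 for sid in declared}
    verdict = {}
    for ftype, flags, sid, payload in iter_frames(buf):
        if sid not in declared or sid in verdict:
            continue
        if ftype == TYPE_DATA:
            received[sid] += body_len(flags, payload)
            if received[sid] > declared[sid]:   # overshoot: reset immediately
                verdict[sid] = RST_STREAM
                continue
        if flags & FLAG_END_STREAM:             # body complete: totals must match
            verdict[sid] = "ok" if received[sid] == declared[sid] else RST_STREAM
    return verdict


# Constructed sample: three request streams multiplexed on one connection.
SAMPLE = b"".join([
    build_frame(TYPE_DATA, 0, 1, b"hello"),
    build_frame(TYPE_DATA, FLAG_END_STREAM, 1, b" world"),     # 11 bytes, matches
    build_frame(TYPE_DATA, FLAG_END_STREAM, 3, b"abc"),        # 3 bytes, claims 5
    build_frame(TYPE_DATA, FLAG_END_STREAM | FLAG_PADDED, 5,
                bytes([2]) + b"xyzw" + b"\x00\x00"),           # 4 body bytes + 2 pad
])
DECLARED = {1: 11, 3: 5, 5: 4}

if __name__ == "__main__":
    print(check_content_length(SAMPLE, DECLARED))
    # {1: 'ok', 3: 'RST_STREAM(PROTOCOL_ERROR)', 5: 'ok'}
```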
682213-1 : TLS v1.2 support in IP reputation daemon
Solution Article: K31623549
Component: TMOS
Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.
Conditions:
This occurs when using IP reputation.
Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.
Workaround:
None.
Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatibility, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.
In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.
682104-3 : HTTP PSM leaks memory when looking up evasion descriptions
Component: Local Traffic Manager
Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.
Conditions:
When PSM looks up evasion descriptions.
Impact:
Memory leaked on each lookup might eventually exhaust TMM memory.
Workaround:
None.
Fix:
This fix stops the memory leak.
681955-1 : Apache CVE-2017-9788
Solution Article: K23565223
681782-6 : Unicast IP address can be configured in a failover multicast configuration
Component: TMOS
Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.
Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.
Impact:
Failover multicast configuration does not work.
Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.
Fix:
The system now prevents specifying a unicast IP address when configuring multicast failover.
681757-3 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
Solution Article: K32521651
Component: Local Traffic Manager
Symptoms:
As a result of this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.
The system records an error message similar to the following in the ltm log file:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.
Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.
Impact:
Configuration fails to load on upgrade.
Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.
Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.
681673-4 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
Component: Local Traffic Manager
Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC address.
Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.
Impact:
There is not enough information to map the outgoing MAC address to a multicast group, so a default entry with no ports mapped is added. The result is that the frame does not go out the interface indicated in the tmsh command, yet no warning is provided.
Workaround:
None.
Fix:
TMSH modify FDB command is no longer permitted to add multicast MAC addresses, so this issue no longer occurs.
681415-3 : Copying of profile with advanced customization or images might fail
Component: Access Policy Manager
Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code'.
Conditions:
Access Profile has an advanced customization group or customization image assigned to any object connected to the profile.
Impact:
Unable to copy policy.
Workaround:
None.
Fix:
Copying of profile with advanced customization or images now succeeds as expected.
681385-2 : Forward proxy forged cert lifespan can be configured from days into hours.
Component: Local Traffic Manager
Symptoms:
Once OCSP support is in place, you may need to forge certificates with a lifespan shorter than one day. Previously, there was no way to configure that.
Conditions:
Configure forward proxy forged cert lifespan shorter than a day.
Impact:
None. This is a request for enhancement.
Workaround:
None.
Fix:
A new DB variable (tmm.ssl.certlifespaninhours) is added to support specifying hours instead of days:
[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
value "disable"
}
[root@localhost:Active:Standalone] config # tmsh modify sys db tmm.ssl.certlifespaninhours value enable
[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
value "enable"
}
When this variable is enabled, the configured lifespan is treated as hours. When this variable is disabled, the configured lifespan is treated as days.
Behavior Change:
The configured forward proxy forged cert lifespan can be changed from days to hours using a new DB variable: tmm.ssl.certlifespaninhours.
681175-3 : TMM may crash during routing updates
Solution Article: K32153360
Component: Local Traffic Manager
Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.
Conditions:
-- Dynamic routing.
-- ECMP routes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.
Fix:
TMM no longer crashes on routing updates when ECMP is in use.
680856-2 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
Component: TMOS
Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):
info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy
Conditions:
A new IPsec tunnel is configured over REST.
Impact:
The newly configured IPsec tunnel does not start.
Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.
Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.
680850-2 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
Solution Article: K48342409
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.
Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug
Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.
Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.
Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.
Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.
This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.
With this fix, setting log.zxfrd.level debug no longer outputs this information.
Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.
Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
680838-2 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
Component: TMOS
Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.
A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.
Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM will no longer restart due to assertion failure.
680729-1 : DHCP Trace log incorrectly marked as an Error log.
Solution Article: K64307999
Component: Policy Enforcement Manager
Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.
Impact:
Possible clutte