Supplemental Document : BIG-IP 13.1.1.5 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 13.1.1

BIG-IP APM

  • 13.1.1

BIG-IP Analytics

  • 13.1.1

BIG-IP Link Controller

  • 13.1.1

BIG-IP LTM

  • 13.1.1

BIG-IP AFM

  • 13.1.1

BIG-IP PEM

  • 13.1.1

BIG-IP DNS

  • 13.1.1

BIG-IP ASM

  • 13.1.1
Original Publication Date: 03/27/2019 Updated Date: 06/21/2020

BIG-IP Release Information

Version: 13.1.1.5
Build: 4.0

NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.

Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-3 CVE-2018-5744 K00040234 BIND Update
757027-3 CVE-2019-6465 K01713115 BIND Update
745257-3 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634


Functional Change Fixes

ID Number Severity Solution Article(s) Description
703835-2 2-Critical   When using scp into BIG-IP, user must specify the target filename
745387-3 3-Major   Resource-admin user roles can no longer get bash access
698376-3 3-Major   Non-admin users have limited bash commands and can only write to certain directories


TMOS Fixes

ID Number Severity Solution Article(s) Description
673842-4 1-Blocking   vCMP does not follow best security practices
753796-2 2-Critical   SNMP does not follow best security practices
752835-3 2-Critical   Mitigate mcpd out of memory error with auto-sync enabled.
750586-1 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
737731-2 2-Critical   iControl REST input sanitization
737574-2 2-Critical   iControl REST input sanitization
737565-2 2-Critical   iControl REST input sanitization
707013 2-Critical   vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
702472-3 2-Critical   Appliance Mode Security Hardening
699515-1 2-Critical   nsm cores during update of nexthop for ECMP recursive route
621260-4 2-Critical   mcpd core on iControl REST reference to non-existing pool
760222-5 3-Major   SCP fails unexpected when FIPS mode is enabled
757414 3-Major   GUI Network Map slow page load with large configuration
757026-3 3-Major   BIND Update
756088-1 3-Major   The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
754567 3-Major   Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file
754345-3 3-Major   WebUI does not follow best security practices
751011-1 3-Major   ihealth.sh script and qkview locking mechanism not working
750447-1 3-Major   GUI VLAN list page loading slowly with 50 records per screen
750318-1 3-Major   HTTPS monitor does not appear to be using cert from server-ssl profile
748187-2 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
745165-3 3-Major   Users without Advanced Shell Access are not allowed SFTP access
742226-2 3-Major   TMSH platform_check utility does not follow best security practices
740345-1 3-Major   TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
738330-1 3-Major   /mgmt/toc endpoint broken after configuring remote authentication
725791-4 3-Major   Potential HW/HSB issue detected
723794-3 3-Major   PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722380-2 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721805 3-Major   Traffic Policy edit to datagroup errors on adding ASM disable action
720819-2 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-2 3-Major   TACACS audit logging may append garbage characters to the end of log strings
714626-2 3-Major   When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
702469-3 3-Major   Appliance mode hardening in scp
701898-1 3-Major   Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
683135-2 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
681009-1 3-Major   Large configurations can cause memory exhaustion during live-install
581921-3 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
697766-1 4-Minor   Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
687368-1 4-Minor K64414880 The Configuration utility may calculate and display an incorrect HA Group Score
686111-1 4-Minor K89363245 Searching and Reseting Audit Logs not working as expected


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
753975 2-Critical   TMM may crash while processing HTTP traffic with AAM
753912 2-Critical   UDP flows may not be swept
752930-1 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
745533-4 2-Critical   NodeJS Vulnerability: CVE-2016-5325
680564-1 2-Critical   "MCP Message:" seen on boot up with Best License
756270-2 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
750843-1 3-Major   HTTP data re-ordering when receiving data while iRule parked
750200-1 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749689-1 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
747968-2 3-Major   DNS64 stats not increasing when requests go through dns cache resolver
747617-1 3-Major   TMM core when processing invalid timer
745713-1 3-Major   TMM may crash when processing HTTP/2 traffic
742078-2 3-Major   Incoming SYNs are dropped and the connection does not time out.
738523-2 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
727292-1 3-Major   SSL in proxy shutdown case does not deliver server TCP FIN
726327-2 3-Major   NodeJS debugger accepts connections from any host
712664-2 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
710564 3-Major   DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
709952-1 3-Major   Disallow DHCP relay traffic to traverse between route domains
699979-2 3-Major   Support for Safenet Client Software v7.x
698437-1 3-Major   Internal capacity increase
688553-3 3-Major   SASP GWM monitor may not mark member UP as expected
599567-3 3-Major   APM assumes SNAT automap, does not use SNAT pool
746077-1 4-Minor   If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
664618-1 4-Minor   Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
658382-2 5-Cosmetic   Large numbers of ERR_UNKNOWN appearing in the logs


Performance Fixes

ID Number Severity Solution Article(s) Description
735832-1 2-Critical   RAM Cache traffic fails on B2150


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756774-4 2-Critical   Aborted DNS queries to a cache may cause a TMM crash
756094-3 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log
753776-1 2-Critical   TMM may consume excessive resources when processing UDP traffic
749508-3 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-3 3-Major   dname compression offset overflow causes bad compression pointer
748902-7 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-3 3-Major   Omitted check for success of memory allocation for DNSsec resource record
737332-3 3-Major   It is possible for DNSX to serve partial zone information for a short period of time
748177-3 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
759360 2-Critical   Apply Policy fails due to policy corruption from previously enforced signature
758961 2-Critical K58243048 During brute force attack, the attempted passwords may be logged
723790-1 2-Critical   Idle asm_config_server handlers consumes a lot of memory
760878-2 3-Major   Incorrect enforcement of explicit global parameters
755005-3 3-Major   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
754365-3 3-Major   Updated flags for countries that changed their flags since 2010
751710-2 3-Major   False positive cookie hijacking violation
750187-3 3-Major   ASM REST may consume excessive resources
749109-1 3-Major   CSRF situation on BIGIP-ASM GUI
739945-2 3-Major   JavaScript challenge on POST with 307 breaks application
738647-2 3-Major   Add the login detection criteria of 'status code is not X'
721399-2 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
717525-1 3-Major   Behavior for classification in manual learning mode
691945-1 3-Major   Security Policy Configuration Changes When Disabling Learning
761921-3 4-Minor   avrd high CPU utilization due to perpetual connection attempts
758336-1 4-Minor   Incorrect recommendation in Online Help of Proactive Bot Defense


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
763349-1 2-Critical   AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
756205-3 2-Critical   TMSTAT offbox statistics are not continuous
754944-3 2-Critical   AVR reporting UI does not follow best practices
764665-1 3-Major   AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
763005-2 3-Major   Aggregated Domain Names in DNS statistics are shown as random domain name
760356-4 3-Major   Users with Application Security Administrator role cannot delete Scheduled Reports
753446-1 3-Major   avrd process crash during shutdown if connected to BIG-IQ
738614-2 3-Major   "Internal error" appears on Goodput GUI page
738197-2 3-Major   IP address from XFF header is not taken into account when there are trailing spaces after IP address
737863-1 3-Major   Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
718655 3-Major   DNS profile measurement unit name is incorrect.
710857-2 3-Major   iControl requests may cause excessive resource usage
700322-2 3-Major   Upgrade may fail on a multi blade system when there are scheduled reports in configuration
754330-1 4-Minor   Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
752592-2 2-Critical   VMware Horizon PCoIP clients may fail to connect shortly after logout
704587-2 2-Critical   Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules
660826-3 2-Critical   BIG-IQ Deployment fails with customization-templates
758764-4 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
757992-1 3-Major   RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
757781-1 3-Major   Portal Access: cookie exchange may be broken sometimes
755507-3 3-Major   [App Tunnel] 'URI sanitization' error
755475-3 3-Major   Corrupted customization group on target after updating logon page agent field on source device and config sync
749057-3 3-Major   VMware Horizon idle timeout is ignored when connecting via APM
738430-1 3-Major   APM is not able to do compliance check on iOS devices running F5 Access VPN client
734291-2 3-Major   Logon page modification fails to sync to standby
695985-2 3-Major   Access HUD filter has URL length limit (4096 bytes)
656784-1 3-Major K98510679 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
748502-3 3-Major   TMM may crash when processing iSession traffic


Service Provider Fixes

ID Number Severity Solution Article(s) Description
704555-2 2-Critical   Core occurs if DIAMETER::persist reset is called if no persistence key is set.
752822-3 3-Major   SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-3 3-Major   MRF: Race condition may create to many outgoing connections to a peer
749603-3 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
748043-3 3-Major   MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-3 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
744949-3 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
751869 2-Critical   Possible tmm crash when using manual mode mitigation in DoS Profile
757279 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
753893-1 3-Major   Inconsistent validation for firewall address-list's nested address-list causes load failure
748081-2 3-Major   Memory leak in BDoS module
745371-2 3-Major   AFM GUI does not follow best security practices
710262-1 3-Major   Firewall is not updated when adding new rules


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
750460-3 3-Major   Subscriber management configuration GUI


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
749879-4 3-Major   Possible interruption while processing VPN traffic
739272-1 3-Major   Incorrect zombie counts in PBA stats with long PBA block-lifetimes


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
752782-3 3-Major   'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
760961 2-Critical   TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
757088-3 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
752047-2 2-Critical   iRule running reject in CLASSIFICATION_DETECTED event can cause core
761273-1 3-Major   wr_urldbd daemon's log is changed to binary type after log rotation


Device Management Fixes

ID Number Severity Solution Article(s) Description
761300 3-Major   Errors in REST token requests may log sensitive data



Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
744035-4 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
739970-2 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
738119-2 CVE-2019-6589 K23566124 SIP routing UI does not follow best practices
745358-3 CVE-2019-6607 K14812883 ASM GUI does not follow best practices
737910-2 CVE-2019-6609 K18535734 Security hardening on the following platforms
737442-2 CVE-2019-6591 K32840424 Error in APM Hosted Content when set to public access
658557-3 CVE-2019-6606 K35209601 The snmpd daemon may leak memory when processing requests.
530775-3 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output
701785-2 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744685-1 2-Critical   BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188 2-Critical   First successful auth iControl REST requests will now be logged in audit and secure log files
748851-1 3-Major   Bot Detection injection include tags which may cause faulty display of application
725878-2 3-Major   AVR does not collect all of APM TMStats
667257-4 3-Major   CPU Usage Reaches 100% With High FastL4 Traffic


TMOS Fixes

ID Number Severity Solution Article(s) Description
682837-2 1-Blocking   Compression watchdog period too brief.
744331 2-Critical   OpenSSH hardening
743790-3 2-Critical   BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus
741423-2 2-Critical   Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-3 2-Critical   The snmpd daemon may leak memory when processing requests.
726487-2 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
723298-2 2-Critical   BIND upgrade to version 9.11.4
713380 2-Critical K23331143 Multiple B4450 blades in the same chassis run into inconsistent DAG state
712738-1 2-Critical   fpdd may core dump when the system is going down
710277-1 2-Critical   IKEv2 further child_sa validity checks
697424-1 2-Critical   iControl-REST crashes on /example for firewall address-lists
688148-3 2-Critical   IKEv1 racoon daemon SEGV during phase-two SA list iteration
680556-1 2-Critical   Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
677937-3 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
668041-2 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
751009-1 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
748206 3-Major   Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
743803-2 3-Major   IKEv2 potential double free of object when async request queueing fails
737536-1 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
737437-2 3-Major   IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
737397-3 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
724143-1 3-Major   IKEv2 connflow expiration upon ike-peer change
723579-4 3-Major   OSPF routes missing
722691 3-Major   Available datagroup list does not contain datagroups with the correct type.
721016 3-Major   vcmpd fails updating VLAN information on vcmp guest
720110-2 3-Major   0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
718817-2 3-Major   Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
718405-1 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
718397-1 3-Major   IKEv2: racoon2 appends spurious trailing null byte to ID payloads
710666-1 3-Major   VE with interface(s) marked down may report high cpu usage
706104-3 3-Major   Dynamically advertised route may flap
705442-1 3-Major   GUI Network Map objects search on Virtual Server IP Address and Port does not work
700827-4 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
698947-2 3-Major   BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
693884-1 3-Major   ospfd core on secondary blade during network unstability
693106-1 3-Major   IKEv1 newest established phase-one SAs should be found first in a search
686926-2 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
686124-1 3-Major K83576240 IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
680838-2 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
678925-1 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
678380-2 3-Major K26023811 Deleting an IKEv1 peer in current use could SEGV on race conditions.
676897-3 3-Major K25082113 IPsec keeps failing to reconnect
676092-3 3-Major   IPsec keeps failing to reconnect
674145-1 3-Major   chmand error log message missing data
670197-1 3-Major   IPsec: ASSERT 'BIG-IP_conn tag' failed
652502-2 3-Major   snmpd returns 'No Such Object available' for ltm OIDs
639619-5 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
598085-1 3-Major   Expected telemetry is not transmitted by sFlow on the standby-mode unit.
491560-2 3-Major   Using proxy for IP intelligence updates
738985-2 4-Minor   BIND vulnerability: CVE-2018-5740
689491 4-Minor   cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
689211-3 4-Minor   IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
680856-2 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
713491-2 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianess


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
744269-2 2-Critical   dynconfd restarts if FQDN template node deleted while IP address change in progress
744117-5 2-Critical K18263026 The HTTP URI is not always parsed correctly
743857 2-Critical K21942600 clientssl accepts non-SSL traffic when cipher-group is configured
742627-2 2-Critical   SSL session mirroring may cause memory leakage if HA channel is down
741919 2-Critical   HTTP response may be dropped following a 100 continue message.
740963-2 2-Critical   VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
740490-1 2-Critical   Configuration changes involving HTTP2 or SPDY may leak memory
739003-1 2-Critical   TMM may crash when fastl4 is used on epva-capable BIG-IP
738945-2 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
738046-2 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
737758-2 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
734276-2 2-Critical   TMM may leak memory when SSL certificates with VDI or EAM in use
727206 2-Critical   Memory corruption when using SSL Forward Proxy on certain platforms
720136-1 2-Critical   Upgrade may fail on mcpd when external netHSM is used
718210-2 2-Critical   Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
716714-1 2-Critical   OCSP should be configured to avoid TMM crash.
702792-1 2-Critical K82327396 Upgrade creates Server SSL profiles with invalid cipher strings
685254-2 2-Critical K14013100 RAM Cache Exceeding Watchdog Timeout in Header Field Search
513310-5 2-Critical   TMM might core when a profile is changed.
752078 3-Major   Header Field Value String Corruption
739963-2 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739379-2 3-Major   Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
739349-1 3-Major   LRO segments might be erroneously VLAN-tagged.
738521-1 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
726319-2 3-Major   'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
724564-1 3-Major   A FastL4 connection can fail with loose-init and hash persistence enabled
724327-1 3-Major   Changes to a cipher rule do not immediately have an effect
721621-1 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
720799-2 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
717896-2 3-Major   Monitor instances deleted in peer unit after sync
717100-3 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716716-2 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
714559-2 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
711981-5 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
710028-2 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
708068-2 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
707691-4 3-Major   BIG-IP handles some pathmtu messages incorrectly
706102-2 3-Major   SMTP monitor does not handle all multi-line banner use cases
701678-2 3-Major   Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
685519-1 3-Major   Mirrored connections ignore the handshake timeout
683697-1 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
674591-3 3-Major K37975308 Packets with payload smaller than MSS are being marked to be TSOed
504522-1 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
719247-2 4-Minor K10845686 HTTP::path and HTTP::query iRule functions cannot be set to a blank string
618884-6 4-Minor   Behavior when using VLAN-Group and STP


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
739846-3 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
749774-3 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-3 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records
744707-4 3-Major   Fixed crash related to DNSSEC key rollover
726255-2 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
723288-2 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
710246-2 3-Major   DNS-Express was not sending out NOTIFY messages on VE
702457-2 3-Major   DNS Cache connections remain open indefinitely
717113-2 4-Minor   It is possible to add the same GSLB Pool monitor multiple times


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
750922-3 2-Critical   BD crash when content profile used for login page has no parse parameters set
726537-1 2-Critical   Rare TMM crash when Single Page Application is enabled on DoSL7
576123-4 2-Critical K23221623 ASM policies are created as inactive policies on the peer device
750356-3 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
747777-1 3-Major   Extractions are learned in manual learning mode
747550-1 3-Major   Error 'This Logout URL already exists!' when updating logout page via GUI
745802-3 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
744347-2 3-Major   Protocol Security logging profiles cause slow ASM upgrade and apply policy
743961-3 3-Major   Signature Overrides for Content Profiles do not work after signature update
738864-1 3-Major   javascript functions in href are learned from response as new URLs
738211-3 3-Major   pabnagd core when centralized learning is turned on
734228-1 3-Major   False-positive illegal-length violation can appear
726377-1 3-Major   False-positive cookie hijacking violation
721752-2 3-Major   Null char returned in REST for Suggestion with more than MAX_INT occurrences
705925-1 3-Major   Websocket Message Type not displayed in Request Log
701792-2 3-Major   JS Injection into cached HTML response causes TCP RST on the fictive URLs
696333-1 3-Major   Threat campaign filter does not return campaign if filter contains quotation marks
690215-2 3-Major   Missing requests in request log
676416-4 3-Major   BD restart when switching FTP profiles
676223-4 3-Major   Internal parameter in order not to sign allowed cookies
663535-2 3-Major   Sending ASM cookies with "secure" attribute even without client-ssl profile
605649-2 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
748999-1 4-Minor   invalid inactivity timeout suggestion for cookies
747905-1 4-Minor   'Illegal Query String Length' violation displays wrong length
745531-1 4-Minor   Puffin Browser gets blocked by Bot Defense
739345 4-Minor   Reporting invalid signature id after specific signature upgrade
685743-5 4-Minor   When changing internal parameter 'request_buffer_size' in large request violations might not be reported
665470-3 4-Minor   Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746941 2-Critical   avrd memory leak when BIG-IQ fails to receive stats information
739446-2 2-Critical   Resetting SSL-socket correctly for AVR connection
737813-1 2-Critical   BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address
749464 3-Major   Race condition while BIG-IQ updates common file
749461 3-Major   Race condition while modifying analytics global-settings
746823 3-Major   AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
745027 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-1 3-Major   DoS-related reports might not contain some of the activity that took place
744589-1 3-Major   Missing data for Firewall Events Statistics
741767-2 3-Major   ASM Resource :: CPU Utilization statistics are in wrong scale
740086 3-Major   AVR report ignore partitions for Admin users
716782-2 3-Major   AVR should add new field to the events it sends: Microtimestamp


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
753368 1-Blocking   Unable to import access policy with pool
747621-2 2-Critical   Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
744556-1 2-Critical K01226413 Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3
714716-2 2-Critical K10248311 Apmd logs password for acp messages when in debug mode
754346-1 3-Major   Access policy was not found while creating configuration snapshot.
750496-1 3-Major   TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
746771-1 3-Major   APMD recreates config snapshots for all access profiles every minute
746768-1 3-Major   APMD leaks memory if access policy policy contains variable/resource assign policy items
745654-2 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
745574-3 3-Major   URL is not removed from custom category when deleted
743437-1 3-Major   Portal Access: Issue with long 'data:' URL
743150-1 3-Major   Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client
739744-1 3-Major   Import of Policy using Pool with members is failing
719079-1 3-Major   Portal Access: same-origin AJAX request may fail under some conditions.
718136-2 3-Major   32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux


Service Provider Fixes

ID Number Severity Solution Article(s) Description
742829-3 3-Major   SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
741951-2 3-Major   Multiple extensions in SIP NOTIFY request cause message to be dropped.
699431-3 3-Major   Possible memory leak in MRF under low memory


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-3 1-Blocking K52868493 LibSSH Vulnerability: CVE-2018-10933
753028-1 3-Major   AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
747926 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging
745809 3-Major   The /var partition may become 100% full requiring manual intervention to clear space


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744516-1 2-Critical   TMM panics after a large number of LSN remote picks
744959-1 3-Major   SNMP OID for sysLsnPoolStatTotal not incremented in stats
727212-1 3-Major   Subscriber-id query using full length IPv6 address fails.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
748976 3-Major   DataSafe Logging Settings page is missing when DataSafe license is active
742037-3 3-Major   FPS live updates do not install when minor version is different
741449-1 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
726039 5-Cosmetic   Information is not updated after installing FPS live update via GUI


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
748813-1 2-Critical   tmm cores under stress test on virtual server with DoS profile with admd enabled
748121-1 2-Critical   admd livelock under CPU starvation
741761-1 2-Critical   admd might fail the heartbeat, resulting in a core
704236-1 2-Critical   TMM crash when attaching FastL4 profile
702936-1 2-Critical   TMM SIGSEGV under specific conditions.
653573-4 2-Critical   ADMd not cleaning up child rsync processes
741993-1 3-Major   The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
741752-1 3-Major   [BADOS] state file is not saved when virtual server reuses a self IP of the device


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
724847 3-Major K95010813 DNS traffic does not get classified for AFM port misuse case



Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745783-3 3-Major   Anti-fraud: remote logging of login attempts


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
684370-1 3-Major   APM now supports VMware Workspace ONE integration with VIDM as ID Provider
683741-1 3-Major   APM now supports VMware Workspace ONE integration with vIDM as ID Provider
635509-1 3-Major   APM does not support Vmware'e Blast UDP



Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
739947-1 CVE-2019-6610 K42465020 TMM may crash while processing APM traffic
737443-5 CVE-2018-5546 K54431371 BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546
737441-5 CVE-2018-5546 K54431371 Disallow hard links to svpn log files
726089-2 CVE-2018-15312 K44462254 Modifications to AVR metrics page
725815-1 CVE-2018-15320 K72442354 vlangroup usage may cause a excessive resource consumption
724339-1 CVE-2018-15314 K04524282 Unexpected TMUI output in AFM
724335-1 CVE-2018-15313 K21042153 Unexpected TMUI output in AFM
722677-4 CVE-2019-6604 K26455071 High-Speed Bridge may lock up
722387-3 CVE-2019-6596 K97241515 TMM may crash when processing APM DTLS traffic
722091-3 CVE-2018-15319 K64208870 TMM may crash while processing HTTP traffic
717888 CVE-2018-15323 K26583415 TMM may leak memory when a virtual server uses the MQTT profile.
717742-5 CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 K44923228 Oracle Java SE vulnerability CVE-2018-2783
707990-2 CVE-2018-15315 K41704442 Unexpected TMUI output in SSL Certificate Instance page
704184-6 CVE-2018-5529 K52171282 APM MAC Client create files with owner only read write permissions
701253-5 CVE-2018-15318 K16248201 TMM core when using MPTCP
693810-6 CVE-2018-5529 K52171282 CVE-2018-5529: APM Linux Client Vulnerability
741858-1 CVE-2018-15324 K52206731 TMM may crash while processing Portal Access requests
734822-3 CVE-2018-15325 K77313277 TMSH improvements
725801-4 CVE-2017-7889 K80440915 CVE-2017-7889: Kernel Vulnerability
725635-2 CVE-2018-3665 K21344224 CVE-2018-3665: Intel Lazy FPU Vulnerability
721924-2 2018-17539 K17264695 bgpd may crash processing extended ASNs
719554-2 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
716900-2 CVE-2019-6594 K91026261 TMM core when using MPTCP
710705-2 CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 K34035645 Multiple Wireshark vulnerabilities
705799-2 CVE-2018-15325 K77313277 TMSH improvements
699453-4 CVE-2018-15327 K20222812 Web UI does not follow current best coding practices
699452-4 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices
712876-2 CVE-2017-8824 K15526101 CVE-2017-8824: Kernel Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
734527-1 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
715750-2 3-Major   The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.


TMOS Fixes

ID Number Severity Solution Article(s) Description
693611-3 1-Blocking K76313256 IKEv2 ike-peer might crash on stats object during peer modification update
743810-1 2-Critical   AWS: Disk resizing in m5/c5 instances fails silently.
743082-1 2-Critical   Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
739507 2-Critical   How to recover from a failed state due to FIPS integrity check
739505 2-Critical   Automatic ISO digital signature checking not required when FIPS license active
739285-1 2-Critical   GUI partially missing when VCMP is provisioned
725696-1 2-Critical   A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
724680-4 2-Critical   OpenSSL Vulnerability: CVE-2018-0732
723722-2 2-Critical   MCPD crashes if several thousand files are created between config syncs.
721350-2 2-Critical   The size of the icrd_child process is steadily growing
717785-1 2-Critical   Interface-cos shows no egress stats for CoS configurations
716391-2 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
711683-2 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
707003-3 2-Critical   Unexpected syntax error in TMSH AVR
706423-1 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
703669-2 2-Critical   Eventd restarts on NULL pointer access
703045-1 2-Critical   If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.
700386-2 2-Critical   mcpd may dump core on startup
693996-5 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
692158-1 2-Critical   iCall and CLI script memory leak when saving configuration
691589-4 2-Critical   When using LDAP client auth, tamd may become stuck
690819-1 2-Critical   Using an iRule module after a 'session lookup' may result in crash
689437-1 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
689002-3 2-Critical   Stackoverflow when JSON is deeply nested
658410-2 2-Critical   icrd_child generates a core when calling PUT on ltm/data-group/internal/
652877-5 2-Critical   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
638091-6 2-Critical   Config sync after changing named pool members can cause mcpd on secondary blades to restart
739126 3-Major   Multiple VE installations may have different sized volumes
733585-3 3-Major   Merged can use %100 of CPU if all stats snapshot files are in the future
727467-1 3-Major   Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
726409-4 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
722682-2 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load
721740-2 3-Major   CPU stats are not correctly recorded when snapshot files have timestamps in the future
720713-2 3-Major   TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
720461-2 3-Major   qkview prompts for password on chassis
718525-1 3-Major   PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
714974-2 3-Major   Platform-migrate of UCS containing QinQ fails on VE
714903-2 3-Major   Errors in chmand
714654-2 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
713813-2 3-Major   Node monitor instances not showing up in GUI
712102-2 3-Major K11430165 customizing or changing the HTTP Profile's IPv6 field hides the field or the row
710232-2 3-Major   platform-migrate fails when LACP trunks are in use
709444-2 3-Major   "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
709192-1 3-Major   GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
707740-4 3-Major   Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
707509-1 3-Major   Initial vCMP guest creations can fail if certain hotfixes are used
707391-2 3-Major   BGP may keep announcing routes after disabling route health injection
706804-1 3-Major   SNMP trap destination configuration of network option is missing "default" keyword
706354-2 3-Major   OPT-0045 optic unable to link
706169-3 3-Major   tmsh memory leak
705456-1 3-Major   VCMP Guests unable to install block-device-image ISOs when http->https redirection is enabled
704755-1 3-Major   EUD_M package could not be installed on 800 platforms
704512-1 3-Major   Automated upload of qkview to iHealth can time out resulting in error
704336-1 3-Major   Updating 3rd party device cert not copied correctly to trusted certificate store
702227-3 3-Major   Memory leak in TMSH load sys config
700757-1 3-Major   vcmpd may crash when it is exiting
700576-1 3-Major   GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"
700426 3-Major K58033284 Switching partitions while viewing objects in GUI can result in empty list
700250-3 3-Major K59327012 qkviews for secondary blade appear to be corrupt
698875-1 3-Major   Qkview Security Hardening
698084-3 3-Major K03776801 IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
696731-3 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
693578-2 3-Major   switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
692189-1 3-Major   errdefsd fails to generate a core file on request.
692179-1 3-Major   Potential high memory usage from errdefsd.
691609-1 3-Major   1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address
690890-1 3-Major   Running sod manually can cause issues/failover
689375-1 3-Major K01512833 Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
688406-1 3-Major K14513346 HA-Group Score showing 0
687905-2 3-Major K72040312 OneConnect profile causes CMP redirected connections on the HA standby
687534-1 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
684391-3 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
684218-1 3-Major   vADC 'live-install' Downgrade from v13.1.0 is not possible
681782-6 3-Major   Unicast IP address can be configured in a failover multicast configuration
679347-2 3-Major K44117473 ECP does not work for PFS in IKEv2 child SAs
678488-1 3-Major K59332320 BGP default-originate not announced to peers if several are peering over different VLANs
677485-1 3-Major   Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
671712-2 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
670528-4 3-Major K20251354 Warnings during vCMP host upgrade.
651413-4 3-Major K34042229 tmsh list ltm node does not return an error when node does not exist
642923-6 3-Major   MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
617643-2 3-Major   iControl.ForceSessions enabled results in GUI error on certain pages
551925-4 3-Major   Misdirected UDP traffic with hardware acceleration
464650-6 3-Major   Failure of mcpd with invalid authentication context.
727297-3 4-Minor   GUI TACACS+ remote server list should accept hostname
725612-1 4-Minor   syslog-ng does not send any messages to the remote servers after reconfiguration
719770-2 4-Minor   tmctl -H -V and -l options without values crashed
714749-2 4-Minor   cURL Vulnerability: CVE-2018-1000120
713947-1 4-Minor   stpd repeatedly logs "hal sendMessage failed"
713932-1 4-Minor   Commands are replicated to PostgreSQL even when not in use.
707631-2 4-Minor   The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
707267 4-Minor   REST Framework HTTP header limit size increased to 8 KB
701826 4-Minor   qkview upload to ihealth fails or unable to untar qkview file
691491-5 4-Minor K13841403 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
685582-7 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
683029-1 4-Minor   Sync of virtual address and self IP traffic groups only happens in one direction
679135-2 4-Minor   IKEv1 and IKEv2 cannot share common local address in tunnels
678388-1 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
722594-2 1-Blocking   TCP flow may not work as expected if double tagging is used
737445-2 2-Critical   Use of TCP Verified Accept can disable server-side flow control
727044-2 2-Critical   TMM may crash while processing compressed data
726239-4 2-Critical   interruption of traffic handling as sod daemon restarts TMM
725545-1 2-Critical   Ephemeral listener might not be set up correctly
724906-1 2-Critical   sasp_gwm monitor leaks memory over time
724868-1 2-Critical   dynconfd memory usage increases over time
724213-1 2-Critical K74431483 Modified ssl_profile monitor param not synced correctly
722893-1 2-Critical K30764018 The TMM - host interface may stall when the kernel memory is fragmented
716213-1 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
713612-1 2-Critical   tmm might restart if the HTTP passthrough on pipeline option is used
710221-2 2-Critical K67352313 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
673664-1 2-Critical   TMM crashes when sys db Crypto.HwAcceleration is disabled.
635191-2 2-Critical   Under rare circumstances TMM may crash
727222-1 3-Major   206 Partial Content responses from ramcache have malformed Content-Range header
723300-2 3-Major   TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
722363-2 3-Major   Client fails to connect to server when using PVA offload at Established
721261-1 3-Major   v12.x Policy rule names containing slashes are not migrated properly
720293-3 3-Major   HTTP2 IPv4 to IPv6 fails
719600-2 3-Major   TCP::collect iRule with L7 policy present may result in connection reset
717346-2 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
715883 3-Major   tmm crash due to invalid cookie attribute
715785-2 3-Major   Incorrect encryption error for monitors during sync or upgrade
715756-2 3-Major   Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
715467-2 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
714384-3 3-Major   DHCP traffic may not be forwarded when BWC is configured
707951-2 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
704764-3 3-Major   SASP monitor marks members down with non-default route domains
703580-1 3-Major   TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
703266-2 3-Major   Potential MCP memory leak in LTM policy compile code
702450-1 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
701690-1 3-Major K53819652 Fragmented ICMP forwarded with incorrect icmp checksum
700696-1 3-Major   SSID does not cache fragmented Client Certificates correctly via iRule
699273-1 3-Major   TMM Core During FTP Monitor Use
695925-1 3-Major   tmm crash when showing connections for a CMP disabled virtual server
691785-1 3-Major   The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
691224-3 3-Major K59327001 Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
690778-1 3-Major K53531153 Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
688629-1 3-Major K52334096 Deleting data-group in use by iRule does not trigger validation error
685110-1 3-Major K05430133 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
681757-3 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
681673-4 3-Major   tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-1 3-Major K23531420 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
672312-3 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
602708-4 3-Major K84837413 Traffic may not passthrough CoS by default
716922-2 4-Minor   Reduction in PUSH flags when Nagle Enabled
712637-2 4-Minor   Host header persistence not implemented
700433-1 4-Minor K10870739 Memory leak when attaching an LTM policy to a virtual server
697988-3 4-Minor K34554754 During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
693966-1 4-Minor   TCP sndpack not reset along with other tcp profile stats
688557-1 4-Minor K50462482 Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
495242-4 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
718885-3 2-Critical K25348242 Under certain conditions, monitor probes may not be sent at the configured interval
723792-2 3-Major   GTM regex handling of some escape characters renders it invalid
719644-2 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
737500-2 2-Critical   Apply Policy and Upgrade time degradation when there are previous enforced rules
726090-1 2-Critical   No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
724414-2 2-Critical   ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
724032-1 2-Critical   Searching Request Log for value containing backslash does not return expected result
721741-3 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
704143-1 2-Critical   BD memory leak
701856-1 2-Critical   Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
740719-2 3-Major   ASM CSP header parser does not honor unsafe-inline attribute within script-src directive


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
737867-1 3-Major   Scheduled reports are being incorrectly displayed in different partitions


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
739716-2 1-Blocking   APM Subroutine loops without finishing
740777-1 2-Critical   Secondary blades mcp daemon restart when subroutine properties are configured
739674-1 2-Critical   TMM might core in SWG scenario with per-request policy.
722013 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
713820-1 2-Critical   Pass in IP address to urldb categorization engine
739939-1 3-Major   Ping Access Agent Module leaks memory in TMM.
739190 3-Major   Policies could be exported with not patched /Common partition
738582-1 3-Major   Ping Access Agent Module leaks memory in TMM.
738397-1 3-Major   SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
737355-1 3-Major   HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
737064-2 3-Major   ACCESS::session iRule commands may not work in serverside events
726895 3-Major K02205915 VPE cannot modify subroutine settings
726616-1 3-Major   TMM crashes when a session is terminated
726592-1 3-Major   Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
725867-2 3-Major   ADFS proxy does not fetch configuration for non-floating virtual servers
725412-1 3-Major   APM does not follow current best practices for HTTP headers
724571-1 3-Major   Importing access profile takes a long time
722969-2 3-Major   Access Policy import with 'reuse' enabled instead rewrites shared objects
722423-1 3-Major   Analytics agent always resets when Category Lookup is of type custom only
720757-1 3-Major   Without proper licenses Category Lookup always fails with license error in Allow Ending
713655-2 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
711427-2 3-Major   Edge Browser does not launch F5 VPN App
710884-1 3-Major   Portal Access might omit some valid cookies when rewriting HTTP request.
701800-2 3-Major   SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
701056-1 3-Major   User is not able to reset their Active Directory password
698984-1 3-Major   Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
696669-1 3-Major   Users cannot change or reset RSA PIN
696544-1 3-Major   APM end users can not change/reset password when auth agents are included in per-req policy
671323-1 3-Major   Reset PIN Fail if Token input field is not 'password' field
734595-2 4-Minor   sp-connector is not being deleted together with profile
721375-1 4-Minor   Export then import of config with RSA server in it might fail


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642-2 2-Critical   wamd may leak memory during configuration changes and cluster events


Service Provider Fixes

ID Number Severity Solution Article(s) Description
709383-2 3-Major   DIAMETER::persist reset non-functional
706750-1 3-Major   Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.
691048-1 3-Major K34553736 Support DIAMETER Experimental-Result AVP response
688942-5 3-Major   ICAP: Chunk parser performs poorly with very large chunk


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
724532-2 2-Critical   SIG SEGV during IP intelligence category match in TMM
720045-1 2-Critical   IP fragmented UDP DNS request and response packets dropped as DNS Malformed
710755-1 2-Critical   Crash when cached route information becomes stale and the system accesses the information from it.
698333-1 2-Critical K43392052 TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)
694849-1 2-Critical   TMM crash when packet sampling is turned for DNS BDOS signatures.
672514-1 2-Critical   Local Traffic/Virtual Server/Security page crashed
630137-2 2-Critical   Dynamic Signatures feature can fill up /config partition impacting system stability
726154-2 3-Major   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
704528-2 3-Major   tmm may run out of memory during IP shunning
704369-2 3-Major   TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled
696201-1 3-Major   Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation
686376-2 3-Major   Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
707054-1 4-Minor   SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
699454-4 4-Minor   Web UI does not follow current best coding practices


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-3 3-Major   PEM content insertion in a compressed response may truncate some data
721704-1 3-Major   UDP flows are not deleted after subscriber deletion
709670-2 3-Major   iRule triggered from RADIUS occasionally fails to create subscribers.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
721570-1 1-Blocking K20285019 TMM core when trying to log an unknown subscriber
734446-2 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
688246-1 2-Critical   An invalid mode in the LSN::persistence command causes TMM crash
708830-2 3-Major   Inbound or hairpin connections may get stuck consuming memory.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
738669-2 3-Major   Login validation may fail for a large request with early server response
737368-1 3-Major   Fingerprint cookie large value may result in tmm core.


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
739277 2-Critical   TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
720585-1 3-Major   Signatures generated by Behavioral DOS algorithm can create false-positive signatures
689540-1 3-Major   The same DOS attack generates new signatures even if there are signatures generated during previous attacks.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
726303-1 3-Major   Unlock 10 million custom db entry limit


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
726872-2 3-Major   iApp LX directory disappears after upgrade or restoring from UCS



Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v13.1.1 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
693359-1 1-Blocking   AWS M5 and C5 instance families are supported


TMOS Fixes

ID Number Severity Solution Article(s) Description
721364 1-Blocking   BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
716469 1-Blocking   OpenSSL 1.0.1l fails with 512 bit DSA keys
697615-1 1-Blocking K65013424 Neurond may restart indefinitely after boot, with neurond_i2c_config message
675921-2 1-Blocking   Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
723130-1 2-Critical K13996 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
700086-1 2-Critical   AWS C5/M5 Instances do not support BIG-IP VE
696732-3 2-Critical K54431534 tmm may crash in a compression provider
721985 3-Major   PAYG License remains inactive as dossier verification fails.
721512 3-Major   Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
721342 3-Major   No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
720961-1 3-Major   Upgrading in Intelligence Community AWS environment may fail
720756-1 3-Major   SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720651-2 3-Major   Running Guest Changed to Provisioned Never Stops
720104-1 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
719396-1 3-Major K34339214 DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
717832 3-Major   Remove unneeded files from UCS backup directories
714303-1 3-Major K25057050 X520 virtual functions do not support MAC masquerading
712266-1 3-Major   Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
697616-2 3-Major   Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
680086 3-Major   md5sum check on BMC firmware fails
673996-2 3-Major   Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms
680388-1 4-Minor   f5optics should not show function name in non-debug log messages
653759-1 4-Minor   Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update
720391-2 5-Cosmetic   BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
737550 2-Critical   State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade
701538-2 2-Critical   SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
720460-1 3-Major   Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
694778-1 3-Major   Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-2 3-Major   Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-1 3-Major   Change the default compression strategy to speed
495443-9 3-Major K16621 ECDH negotiation failures logged as critical errors.
679496-2 4-Minor   Add 'comp_req' to the output of 'tmctl compress'


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
717909 2-Critical   tmm can abort on sPVA flush if the HSB flush does not succeed
701637 2-Critical   Crash in bcm56xxd during TMM failover
644822 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
702738-1 3-Major K32181540 Tmm might crash activating new blob when changing firewall rules
698182 3-Major   Upgrading from 13.1.1 to newer release might cause config to not be copied over
697516 3-Major   Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled



Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
716992-2 CVE-2018-5539 K75432956 The ASM bd process may crash
715923-1 CVE-2018-15317 K43625118 When processing TLS traffic TMM may reset connections
710244-3 CVE-2018-5536 K27391542 Memory Leak of access policy execution objects
710140-1 CVE-2018-5527 K20134942 TMM may consume excessive resources when processing SSL Intercept traffic
709688-3 CVE-2017-3144
CVE-2018-5732
CVE-2018-5733
K08306700 dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
695072-2 CVE-2016-8399
CVE-2017-1000111
CVE-2017-1000112
CVE-2017-11176
CVE-2017-14106
CVE-2017-7184
CVE-2017-7541
CVE-2017-7542
CVE-2017-7558
K23030550 CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
693744-4 CVE-2018-5531 K64721111 CVE-2018-5531: vCMP vulnerability
651741-2 CVE-2017-5970, K60104355 CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop
717900-2 CVE-2018-5528 K27044729 TMM crash while processing APM data
710827-2 CVE-2019-6598 K44603900 TMUI dashboard daemon stability issue
710148-2 CVE-2017-1000111
CVE-2017-1000112
K60250153 CVE-2017-1000111 & CVE-2017-1000112
709256-2 CVE-2017-9074
CVE-2017-7542
K61223103 CVE-2017-9074: Local Linux Kernel Vulnerability
705476-2 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
698813-2 CVE-2018-5538 K45435121 When processing DNSX transfers ZoneRunner does not enforce best practices
688625-5 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
662850-6 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
714879-3 CVE-2018-15326 K34652116 APM CRLDP Auth passes all certs


Functional Change Fixes

ID Number Severity Solution Article(s) Description
685020-3 3-Major   Enhancement to SessionDB provides timeout


TMOS Fixes

ID Number Severity Solution Article(s) Description
708956-1 1-Blocking K51206433 During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
719597 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
715820-1 2-Critical   vCMP in HA configuration with VIPRION chassis might cause unstable data plane
712401-1 2-Critical   Enhanced administrator lock/unlock for Common Criteria compliance
676203-3 2-Critical   Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
665362-2 2-Critical   MCPD might crash if the AOM restarts
581851-6 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
711249-1 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
710976-1 3-Major   Network Map might take a long time to load
708484-2 3-Major   Network Map might take a long time to load
707445-3 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
705818-1 3-Major   GUI Network Map Policy with forward Rule to Pool, Pool does not show up
704804-1 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-1 3-Major   NAS-IP-Address is sent with the bytes in reverse order
704247-2 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
701249-1 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
700895-1 3-Major K34944451 GUI Network Map objects in subfolders are not being shown
696260-1 3-Major K53103420 GUI Network Map as Start Screen presents database error
694696-5 3-Major   On multiblade Viprion, creating a new traffic-group causes the device to go Offline
694547-2 3-Major K74203532 TMSH save sys config creates unneeded generate_config processes.
689730-3 3-Major   Software installations from v13.1.0 might fail
687658 3-Major   Monitor operations in transaction will cause it to stay unchecked
686906-2 3-Major   Fragmented IPv6 packets not handled correctly on Virtual Edition
674455-5 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
678254-1 4-Minor   Error logged when restarting Tomcat


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
721571-1 2-Critical   State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade
718071-1 2-Critical   HTTP2 with ASM policy not passing traffic
715747 2-Critical   TMM may restart when running traffic through custom SSLO deployments.
709828-2 2-Critical   fasthttp can crash with Large Receive Offload enabled
707244-3 2-Critical   iRule command clientside and serverside may crash tmm
707207-1 2-Critical   iRuleLx returning undefined value may cause TMM restart
700597-1 2-Critical   Local Traffic Policy on HTTP/2 virtual server no longer matches
700056-1 2-Critical   MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
690756-1 2-Critical   APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
571651-4 2-Critical   Reset Nitrox3 crypto accelerator queue if it becomes stuck.
713951-5 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-2 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
712819-2 3-Major   'HTTP::hsts preload' iRule command cannot be used
712475-3 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712437-3 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
711281-5 3-Major   nitrox_diag may run out of space on /shared
710996-2 3-Major   VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
709133-2 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
709132-1 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
707961-2 3-Major K50013510 Unable to add policy to virtual server; error = Failed to compile the combined policies
707109-1 3-Major   Memory leak when using C3D
704381-5 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
702151-1 3-Major   HTTP/2 can garble large headers
700889-3 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-4 3-Major   Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
699598-2 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
696755 3-Major   HTTP/2 may truncate a response body when served from cache
693308-1 3-Major   SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
689089-1 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
688744-1 3-Major K11793920 LTM Policy does not correctly handle multiple datagroups
686890-1 3-Major   X509_EXTENSION memory blocks leak when C3D forges the certificate.
682944-1 3-Major   key-id missing for installed netHSM key for standby BIG-IP system in HA setup
682283-2 3-Major   Malformed HTTP/2 request with invalid Content-Length value is served against RFC
678872-3 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
673399-3 3-Major   HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
653201-2 3-Major   Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
713533-2 4-Minor   list self-ip with queries does not work
708249-2 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
692095-1 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
678801-4 4-Minor   WS::enabled returned empty string
677958-4 4-Minor   WS::frame prepend and WS::frame append do not insert string in the right place.


Performance Fixes

ID Number Severity Solution Article(s) Description
698992-1 3-Major   Performance degraded


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
713066-1 2-Critical K10620131 Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-2 2-Critical   DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
721895 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
715448-2 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
710032-1 3-Major   'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
706128-2 3-Major   DNSSEC Signed Zone Transfers Can Leak Memory
703545-1 3-Major   DNS::return iRule "loop" checking disabled


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
718152 2-Critical K14591455 ASM GUI request log does not load on cluster
716788-2 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
713390-1 2-Critical   ASM Signature Update cannot be performed on hourly billing cloud instance
685230-3 2-Critical   memory leak on a specific server scenario
606983-2 2-Critical   ASM errors during policy import
719459-2 3-Major   Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
719005-1 3-Major   Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation
717756-2 3-Major   High CPU usage from asm_config_server
716940-2 3-Major   Traffic Learning screen graphs shows data for the last day only
715128-1 3-Major   Simple mode Signature edit does not escape semicolon
713282-1 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
712362-3 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
711405-1 3-Major K14770331 ASM GUI Fails to Display Policy List After Upgrade
710327-1 3-Major   Remote logger message is truncated at NULL character.
707147-1 3-Major   High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-2 3-Major   False positive illegal multipart violation
706665-2 3-Major   ASM policy is modified after pabnagd restart
704643-1 3-Major   Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
702008-1 3-Major   ASM REST: Missing DB Cleanup for some tables
700143-2 3-Major   ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
691897-3 3-Major   Names of the modified cookies do not appear in the event log
687759-1 3-Major   bd crash
686765-2 3-Major   Database cleaning failure may allow MySQL space to fill the disk entirely
674256-2 3-Major K60745057 False positive cookie hijacking violation
675232-6 4-Minor   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
710315-1 2-Critical   AVR-profile might cause issues when loading a configuration or when using config sync
698226-1 2-Critical   Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly
696642-1 2-Critical   monpd core is sometimes created when the system is under heavy load.
721474-1 3-Major   AVR does not send all SSLO statistics to offbox machine.
715110 3-Major   AVR should report 'resolutions' in module GtmWideip
712118 3-Major   AVR should report on all 'global tags' in external logs
706361 3-Major   IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0
696212-1 3-Major   monpd does not return data for multi-dimension query
648242-2 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports
649161-2 4-Minor K42340304 AVR caching mechanism not working properly


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
720214-1 2-Critical   NTLM Authentication might fail if Strict Update in iApp is modified
720189-1 2-Critical   VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
719149-2 2-Critical   VDI plugin might hang while processing native RDP connections
716747-2 2-Critical   TMM my crash while processing APM or SWG traffic
715250-1 2-Critical   TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
713156-1 2-Critical   AGC cannot do redeploy in Exchange and ADFS use cases
710116-1 2-Critical   VPN clients experience packet loss/disconnection
694078-1 2-Critical   In rare cases, TMM may crash with high APM traffic
720695-1 3-Major   Export then import of APM access Profile/Policy with advanced customization is failing
719192 3-Major   In VPE Agent VMware View Policy shows no properties
715207-3 3-Major   coapi errors while modifying per-request policy in VPE
714961-1 3-Major   antserver creates large temporary file in /tmp directory
714700-2 3-Major   SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
713111-1 3-Major   When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.
710305-1 3-Major   When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
709274-1 3-Major   RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0
699267-2 3-Major   LDAP Query may fail to resolve nested groups
658278-1 3-Major   Network Access configuration with Layered-VS does not work with Edge Client


Service Provider Fixes

ID Number Severity Solution Article(s) Description
703515-3 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
692310-2 3-Major K69250459 ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
677473-3 2-Critical   MCPD core is generated on multiple add/remove of Mgmt-Rules


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
711570-3 3-Major   PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
663874-2 3-Major K77173309 Off-box HSL logging does not work with PEM in SPAN mode.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
719186-2 3-Major   Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
716318-2 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
714334-1 2-Critical   admd stops responding and generates a core while under stress.
718772-2 3-Major   The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
718685-1 3-Major   The measured number of pending requests is two times higher than actual one
701288-1 3-Major   Server health significantly increases during DoSL7 TPS prevention


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
693694-1 3-Major   tmsh::load within IApp template results in unpredicted behavior



Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
716392-1 1-Blocking   Support for 24 vCMP guests on a single 4450 blade
712429 1-Blocking   Serverside packets excluded from DoS stats
704552 3-Major   Support for ONAP site licensing


TMOS Fixes

ID Number Severity Solution Article(s) Description
707100 2-Critical   Potentially fail to create user in AzureStack
706688 2-Critical   Automatically add additional certificates to BIG-IP system in C2S and IC environments
709936 3-Major   Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
707585-1 3-Major   Use native driver for 82599 NICs instead of UNIC
703869 3-Major   Waagent updated to 2.2.21


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
713273 2-Critical   BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
715153-1 3-Major   AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
716746 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
712710 3-Major   TMM may halt and restart when threshold mode is set to stress-based mitigation


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
699103-1 3-Major   tmm continuously restarts after provisioning AFM



Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
709972-6 CVE-2017-12613 K52319810 CVE-2017-12613: APR Vulnerability
707186-1 CVE-2018-5514 K45320419 TMM may crash while processing HTTP/2 traffic
702232-1 CVE-2018-5517 K25573437 TMM may crash while processing FastL4 TCP traffic
693312-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
688516-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
686305-1 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
589233-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
714369 CVE-2018-5526 K62201098 ADM may fail when processing HTTP traffic
714350 CVE-2018-5526 K62201098 BADOS mitigation may fail
710314-1 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
706176-1 CVE-2018-5512 K51754851 TMM crash can occur when using LRO
706086-3 CVE-2018-5515 K62750376 PAM RADIUS authentication subsystem hardening
703940-2 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
699346-3 CVE-2018-5524 K53931245 NetHSM capacity reduces when handling errors
688011-7 CVE-2018-5520 K02043709 Dig utility does not apply best practices
688009-7 CVE-2018-5519 K46121888 Appliance Mode TMSH hardening
677088-2 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
708653-1 CVE-2018-15311 K07550539 TMM may crash while processing TCP traffic
632875-5 CVE-2018-5516 K37442533 Non-Administrator TMSH users no longer allowed to run dig


Functional Change Fixes

ID Number Severity Solution Article(s) Description
708389 3-Major   BADOS monitoring with Grafana requires admin privilege
680850-2 3-Major K48342409 Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.


TMOS Fixes

ID Number Severity Solution Article(s) Description
694897-2 1-Blocking   Unsupported Copper SFP can trigger a crash on i4x00 platforms.
708054-1 2-Critical   Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-1 2-Critical   bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
706087 2-Critical   Entry for SSL key replaced by config-sync causes tmsh load config to fail
703761-2 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode
696113-3 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
692683-1 2-Critical   Core with /usr/bin/tmm.debug at qa_device_mgr_uninit
690793-1 2-Critical K25263287 TMM may crash and dump core due to improper connflow tracking
689577-3 2-Critical K45800333 ospf6d may crash when processing specific LSAs
688911-1 2-Critical K94296004 LTM Policy GUI incorrectly shows conditions with datagroups
563661-1 2-Critical   Datastor may crash
704282-2 3-Major   TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
703298-2 3-Major   Licensing and phonehome_upload are not using the sync'd key/certificate
701626-2 3-Major K16465222 GUI resets custom Certificate Key Chain in child client SSL profile
698429-1 3-Major   Misleading log error message: Store Read invalid store addr 0x3800, len 10
693964-1 3-Major   Qkview utility may generate invalid XML in files contained in Qkview
691497-2 3-Major   tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
691210-1 3-Major   Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.
687353-1 3-Major K35595105 Qkview truncates tmstat snapshot files
631316-2 3-Major K62532020 Unable to load config with client-SSL profile error
514703-3 4-Minor   gtm listener cannot be listed across partitions


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
709334-1 2-Critical   Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-1 2-Critical K33319853 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-1 2-Critical   Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707246-1 2-Critical   TMM would crash if SSL Client profile could not load cert-key-chain successfully
706631-2 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-2 2-Critical   The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-1 2-Critical   memory corruption can occur when using certain certificates
704435-1 2-Critical   Client connection may hang when NTLM and OneConnect profiles used together
703914-2 2-Critical   TMM SIGSEGV crash in poolmbr_conn_dec.
703191-2 2-Critical   HTTP2 requests may contain invalid headers when sent to servers
701244-1 2-Critical K81742541 An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT
701202-3 2-Critical K35023432 SSL memory corruption
700393-3 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
697259-2 2-Critical K14023450 Different versioned vCMP guests on the same chassis may crash.
694656-1 2-Critical K05186205 Routing changes may cause TMM to restart
686228-1 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
680074-2 2-Critical   TMM crashes when serverssl cannot provide certificate to backend server.
667770-1 2-Critical K12472293 SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore
648320-5 2-Critical K38159538 Downloading via APM tunnels could experience performance downgrade.
705794-2 3-Major   Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
701147-2 3-Major K36563645 ProxySSL does not work properly with Extended Master Secret and OCSP
700057-4 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
693910-4 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693244-2 3-Major   BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
690042-1 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689561-1 3-Major   HTTPS request hangs when multiple virtual https servers shares the same ip address
686972-4 3-Major   The change of APM log settings will reset the SSL session cache.
685615-4 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
677525-2 3-Major   Translucent VLAN group may use unexpected source MAC address
663821-1 3-Major K41344010 SNAT Stats may not include port FTP traffic
653976-4 3-Major K00610259 SSL handshake fails if server certificate contains multiple CommonNames
594751-1 3-Major K90535529 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
710424-2 2-Critical K00874337 Possible SIGSEGV in GTMD when GTM persistence is enabled.
678861-1 2-Critical   DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
710870 2-Critical   Temporary browser challenge failure after installing older ASU
711011-2 3-Major   'API Security' security policy template changes
683241-1 3-Major K70517410 Improve CSRF token handling


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
710947-1 2-Critical   AVR does not send errdef for entity DosIpLogReporting.
710110-1 2-Critical   AVR does not publish DNS statistics to external log when usr-offbox is enabled.
711929-1 3-Major   AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679221-2 1-Blocking   APMD may generate core file or appears locked up after APM configuration changed
708005-1 2-Critical K12423316 Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
703208-1 2-Critical   PingAccessAgent causes TMM core
702278-2 2-Critical   Potential XSS security exposure on APM logon page.
700522-1 2-Critical   APMD may unexpectedly restart when worker threads are stuck
700090-2 2-Critical   tmm crash during execution of a per-request policy when modified during execution.
699686-1 2-Critical   localdbmgr can occasionally crash during shutdown
697452-1 2-Critical   Websso crashes because of bad argument in logging
712924-1 3-Major   In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
703793-3 3-Major   tmm restarts when using ACCESS::perflow get' in certain events
703171-1 3-Major   High CPU usage for apmd, localdbmgr and oauth processes
702487-3 3-Major   AD/LDAP admins with spaces in names are not supported
684937-3 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-3 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
681415-3 3-Major   Copying of profile with advanced customization or images might fail
678427-1 3-Major K03138339 Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice
675775-4 3-Major   TMM crashes inside dynamic ACL building session db callback
671597-3 3-Major   Import, export, copy and delete is taking too long on 1000 entries policy
673717-3 4-Minor   VPE loading times can be very long


Service Provider Fixes

ID Number Severity Solution Article(s) Description
701889-1 2-Critical   Setting log.ivs.level or log-config filter level to informational causes crash
679114-4 3-Major   Persistence record expires early if an error is returned for a BYE command


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
708888-1 2-Critical K79814103 Some DNS truncated responses may not be processed by BIG-IP
667353 2-Critical   Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
702705-2 2-Critical   Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile
699531-1 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-1 2-Critical   TMM core may be seen when using Application reporting with flow filter in PEM
711093-1 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-3 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-1 3-Major   Increase PEM HSL reporting buffer size to 4K.
677494-1 3-Major   Flow filter with Periodic content insertion action could leak insert content record
677148-1 3-Major   Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific
676346-2 3-Major   PEM displays incorrect policy action counters when the gate status is disabled.
648802-1 3-Major   Required custom AVPs are not included in an RAA when reporting an error.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
710701-1 3-Major   "Application Layer Encryption" option is not saved in DataSafe GUI
709319-2 3-Major   Post-login client-side alerts are missing username in bigIQ
706835 3-Major   When cloning a profile, URL parameters are not shown
706771-1 3-Major   FPS ajax-mapping property may be set even when it should be blocked
706651-1 3-Major   Cloning URL does not clone "Description" field
706276-1 4-Minor   Unnecessary pop-up appears


Device Management Fixes

ID Number Severity Solution Article(s) Description
708305-2 3-Major   Discover task may get stuck in CHECK_IS_ACTIVE step
705593-5 4-Minor   CVE-2015-7940: Bouncy Castle Java Vulnerability



Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
633441-1 3-Major   Datasync Background Tasks running even without features requiring it


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
708189 4-Minor   OAuth Discovery Auto Pilot is implemented


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
708840 3-Major   13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured



Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
700556-1 CVE-2018-5504 K11718033 TMM may crash when processing WebSockets data
699012-1 CVE-2018-5502 K43121447 TMM may crash when processing SSL/TLS data
698080-3 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
695901-1 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
691504-1 CVE-2018-5503 K54562183 PEM content insertion in a compressed response may cause a crash.
704580-1 CVE-2018-5549 K05018525 apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
701447-1 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
701445-1 CVE-2017-5753
CVE-2017-9074
CVE-2017-7542
CVE-2017-11176
K91229003 CVE-2017-5753 (Spectre Variant 1)
701359-4 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
699455-4 CVE-2018-5523 K50254952 SAML export does not follow best practices
699451-3 CVE-2018-5511 K30500703 OAuth reports do not follow best practices
676457-5 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
640766-2 CVE-2016-10088
CVE-2016-9576
K05513373 Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576


Functional Change Fixes

ID Number Severity Solution Article(s) Description
686389-1 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
678524-1 3-Major   Join FF02::2 multicast group when router-advertisement is configured
693007-1 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
700315-2 1-Blocking K26130444 Ctrl+C does not terminate TShark
667148-3 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
706998-3 2-Critical   Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication
692890-3 2-Critical   Adding support for BIG-IP 800 in 13.1.x
685458-7 2-Critical K44738140 merged fails merging a table when a table row has incomplete keys defined.
665354-1 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
703848-1 3-Major   Possible memory leak when reusing statistics rows in tables
702520-2 3-Major K53330514 Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
694740-3 3-Major   BIG-IP reboot during a TMM core results in an incomplete core dump
692753-1 3-Major   shutting down trap not sent when shutdown -r or shutdown -h issued from shell
689691-2 3-Major   iStats line length greater than 4032 bytes results in corrupted statistics or merge errors
686029-2 3-Major   A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
669462-2 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
589083-6 3-Major   TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
699281-1 4-Minor   Version format of hypervisor bundle matches Version format of ISO
685475-1 4-Minor K93145012 Unexpected error when applying hotfix


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
706534-1 1-Blocking   L7 connection mirroring may not be fully mirrored on standby BigIP
698424-1 1-Blocking K11906514 Traffic over a QinQ VLAN (double tagged) will not pass
700862-1 2-Critical K15130240 tmm SIGFPE 'valid node'
699298-2 2-Critical   13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
698461-1 2-Critical   tmm may crash in fastl4 TCP
692970-2 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
691095-1 2-Critical   CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes
687635-1 2-Critical K58002142 Tmm becomes unresponsive and might restart
687205-2 2-Critical   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
681175-3 2-Critical K32153360 TMM may crash during routing updates
674576-3 2-Critical   Outage may occur with VIP-VIP configurations
452283-5 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
440620-1 2-Critical   New connections may be reset when a client reuses the same port as it used for a recently closed connection
704073-1 3-Major K24233427 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
702439 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
698916-1 3-Major   TMM crash with HTTP/2 under specific condition
698379-2 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
698000-3 3-Major K04473510 Connections may stop passing traffic after a route update
695707-5 3-Major   BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
691806-1 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
689449-1 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
688571-2 3-Major K40332712 Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
688570-5 3-Major   BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
686307-3 3-Major K10665315 Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-2 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
682104-3 3-Major   HTTP PSM leaks memory when looking up evasion descriptions
680264-2 3-Major   HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
677666-2 3-Major   /var/tmstat/blades/scripts segment grows in size.
664528-2 3-Major K53282793 SSL record can be larger than maximum fragment size (16384 bytes)
251162-1 3-Major K11564 The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
685467-1 4-Minor K12933087 Certain header manipulations in HTTP profile may result in losing connection.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
699135-1 2-Critical   tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
692941-1 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
691287-1 2-Critical   tmm crashes on iRule with GTM pool command
682335-1 2-Critical   TMM can establish multiple connections to the same gtmd
580537-3 2-Critical   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-5 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
705503-3 3-Major   Context leaked from iRule DNS lookup
703702 3-Major   Fixed iControl REST not listing GTM Listeners
700527-3 3-Major   cmp-hash change can cause repeated iRule DNS-lookup hang
699339-3 3-Major K24634702 Geolocation upgrade files fail to replicate to secondary blades
696808-1 3-Major   Disabling a single pool member removes all GTM persistence records
691498-3 3-Major   Connection failure during iRule DNS lookup can crash TMM
690166-1 3-Major   ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
687128-1 3-Major   gtm::host iRule validation for ipv4 and ipv6 addresses
680069-1 3-Major K81834254 zxfrd core during transfer while network failure and DNS server removed from DNS zone config
679149-1 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
667469-3 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
636997-1 4-Minor   big3d may crash
636994-1 4-Minor   big3d may crash
636992-1 4-Minor   big3d may crash
636986-1 4-Minor   big3d may crash
636982-1 4-Minor   big3d may crash


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
705774-1 3-Major   Add a set of disallowed file types to RDP template
703833-1 3-Major   Some bot detected features might not work as expected on Single Page Applications
702946-3 3-Major   Added option to reset staging period for signatures
701841-2 3-Major   Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
701327-2 3-Major   failed configuration deletion may cause unwanted bd exit
700812-1 3-Major   asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
700726-2 3-Major   Search engine list was updated, and fixing case of multiple entries
698919-3 3-Major   Anti virus false positive detection on long XML uploads
697756-1 3-Major   Policy with CSRF URL parameter cannot be imported as binary policy file
697303-1 3-Major   BD crash
696265-5 3-Major K60985582 BD crash
696073-2 3-Major   BD core on a specific scenario
695563-1 3-Major   Improve speed of ASM initialization on first startup
694922-5 3-Major   ASM Auto-Sync Device Group Does Not Sync
693780-1 3-Major   Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
693663-1 3-Major   Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
691477-2 3-Major   ASM standby unit showing future date and high version count for ASM Device Group
679384-3 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
678293-2 3-Major K25066531 Uncleaned policy history files cause /var disk exhaustion
665992-2 3-Major K40510140 Live Update via Proxy No Longer Works
608988-1 3-Major   Error when deleting multiple ASM Policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
703233 3-Major   Some filters don't work in Security->Reporting->URL Latencies page


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
707676-1 2-Critical   Memory leak in Machine Certificate Check agent of the apmd process
700724-2 2-Critical   Client connection with large number of HTTP requests may cause tmm to restart
692557-1 2-Critical   When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
690116-1 2-Critical   websso daemon might crash when logging set to debug
689591-2 2-Critical   When pingaccess SDK processes certain POST requests from the client, the TMM may restart
677368-2 2-Critical   Websso crash due to uninitialized member in websso context object while processing a log message
631286-3 2-Critical   TMM Memory leak caused by APM URI cache entries
703429-2 3-Major   Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
702263-1 3-Major   An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading.
702222-1 3-Major   RADIUS and SecurID Auth fails with empty password
701740-1 3-Major   apmd leaks memory when updating Access V2 policy
701737-1 3-Major   apmd may leak memory on destroying Kerberos cache
701736-1 3-Major   Memory leak in Machine Certificate Check agent of the apmd process
701639-1 3-Major   Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.
697636-3 3-Major   ACCESS is not replacing headers while replacing POST body
695953-1 3-Major   Custom URL Filter object is missing after load sys config TMSH command
694624-1 3-Major   SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
693844-1 3-Major K58335157 APMD may restart continuously and cannot come up
692307-3 3-Major   User with 'operator' role may not be able to view some session variables
687937-1 3-Major   RDP URIs generated by APM Webtop are not properly encoded
685862-1 3-Major   BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
684583-1 3-Major   Buitin Okta Scopes Request object uses client -id and client-secret
684325-1 3-Major   APMD Memory leak when applying a specific access profile
683389-3 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
683297-2 3-Major   Portal Access may use incorrect back-end for resources referenced by CSS
682500-2 3-Major   VDI Profile and Storefront Portal Access resource do not work together
678851-3 3-Major   Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
675866-4 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
671627-3 3-Major K06424790 HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
632646-1 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629334-1 3-Major   Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly
612792-1 3-Major   Support RDP redirection for connections launched from APM Webtop on iOS
612118-2 3-Major   Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
536831-1 3-Major   APM PAM module does not handle local-only users list correctly


Service Provider Fixes

ID Number Severity Solution Article(s) Description
698338-1 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
689343-2 2-Critical   Diameter persistence entries with bi-directional flag created with 10 sec timeout
685708-4 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
700571-4 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-1 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
674747-4 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
656901-3 3-Major   MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
704207-1 2-Critical   DNS query name is not showing up in DNS AVR reporting
703517 2-Critical K23520761 TMM may crash when processing TCP DNS traffic
692328-1 2-Critical   Tmm core due to incorrect memory allocation
705161-1 3-Major K23520761 TMM may crash when processing TCP DNS traffic
703959 3-Major   Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI
631418-1 3-Major   Packets dropped by HW grey list may not be counted toward AVR.


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
696383-1 2-Critical   PEM Diameter incomplete flow crashes when sweeped
694717-1 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-1 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-1 3-Major   PEM Diameter incomplete flow crashes when TCL resumed
695968-1 3-Major   Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-1 3-Major   CCA without a request type AVP cannot be tracked in PEM.
694318-1 3-Major   PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-1 3-Major   PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-1 3-Major   Potential memory leak if PEM Diameter sessions are not created successfully.
642068-4 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
624231-4 3-Major   No flow control when using content-insertion with compression
680729-1 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
697363-1 2-Critical   FPS should forward all XFF header values
705559-1 3-Major   FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
662311-1 3-Major   CS alerts should contain actual client IP address in XFF header


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
671716-1 3-Major   UCS version check was too strict for IPS hitless upgrade



Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
702419 3-Major   Protocol Inspection needs add-on license to work


TMOS Fixes

ID Number Severity Solution Article(s) Description
660239-6 4-Minor   When accessing the dashboard, invalid HTTP headers may be present


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
677919-4 3-Major   Enhanced Data Manipulation AJAX Support



Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
681955-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 K23565223 Apache CVE-2017-9788
673595-9 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167
694274-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223 [RHSA-2017:3195-01] Important: httpd security update - EL6.7
672124-6 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
673607-9 CVE-2017-3169 K83043359 Apache CVE-2017-3169
672667-6 CVE-2017-7679 K75429050 CVE-2017-7679: Apache vulnerability
641101-7 CVE-2016-8743 K00373024 httpd security and bug fix update CVE-2016-8743
684033-3 CVE-2017-9798 K70084351 CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
661939-2 CVE-2017-2647 K32115847 Linux kernel vulnerability CVE-2017-2647


Functional Change Fixes

ID Number Severity Solution Article(s) Description
685056 3-Major   VE OVAs is not the supported platform to run VMware guest OS customization
670103-1 3-Major   No way to query logins to BIG-IP in TMUI
681385-2 4-Minor   Forward proxy forged cert lifespan can be configured from days into hours.


TMOS Fixes

ID Number Severity Solution Article(s) Description
700247 2-Critical K60053504 APM Client Software may be missing after doing fresh install of BIG-IP VE
693979 3-Major   Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document
683131-1 3-Major   Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present
682213-1 3-Major K31623549 TLS v1.2 support in IP reputation daemon
669585-1 3-Major   The tmsh sys log filter is unable to display information in uncompressed log files.
668826-1 3-Major   File named /root/.ssh/bigip.a.k.bak is present but should not be
668276-1 3-Major   BIG-IP does not display failed login attempts since last login in GUI
668273-1 3-Major K12541531 Logout button not available in Configuration Utility when using Client Cert LDAP
471237-4 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
699624-1 2-Critical   Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade
463097-5 3-Major   Clock advanced messages with large amount of data maintained in DNS Express zones


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
672504-2 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
667542-6 2-Critical   DNS Express does not correctly process multi-message DNS IXFR updates.
645615-6 2-Critical K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
655233-2 3-Major K93338593 DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-2 3-Major K57853542 DNS Express responses missing SOA record in NoData responses if CNAMEs present
646615-2 4-Minor   Improved default storage size for DNS Express database


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
699720-1 2-Critical   ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-5 2-Critical   Rare BD crash in a specific scenario
686108-1 2-Critical   User gets blocking page instead of captcha during brute force attack
684312-1 2-Critical K54140729 During Apply Policy action, bd agent crashes, causing the machine to go Offline
698940-1 3-Major   Add new security policy template for API driven systems - "API Security"
690883-1 3-Major   BIG-IQ: Changing learning mode for elements does not always take effect
686517-2 3-Major   Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
686470-1 3-Major   Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.
686452-1 3-Major   File Content Detection Formats are not exported in Policy XML
685964-1 3-Major   cs_qualified_urls bigdb does not cause configured URLs to be qualified.
685771-1 3-Major   Policies cannot be created with SAP, OWA, or SharePoint templates
685207-1 3-Major   DoS client side challenge does not encode the Referer header.
685164-1 3-Major   In partitions with default route domain != 0 request log is not showing requests
683508-1 3-Major K00152663 WebSockets: umu memory leak of binary frames when remote logger is configured
680353-1 3-Major   Brute force sourced based mitigation is not working as expected
674494-4 3-Major K77993010 BD memory leak on specific configuration and specific traffic
668184-2 3-Major   Huge values are shown in the AVR statistics for ASM violations
694073-3 4-Minor   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
685193-1 4-Minor   If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
679861 1-Blocking   Weak Access Restrictions on the AVR Reporting Interface
697421 3-Major   Monpd core when trying to restart
688813-2 3-Major K23345645 Some ASM tables can massively grow in size.
686510-1 3-Major   If tmm was restarted during an attack, the attack might appear ongoing in GUI
683474 3-Major   The case-sensitive problem during comparison of 2 Virtual Servers
679088-1 3-Major   Avr reporting and analytics does not display statistics of many source regions


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
684852-1 2-Critical   Obfuscator not producing deterministic output
692123 3-Major   GET parameter is grayed out if MobileSafe is not licensed


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
700320 2-Critical   tmm core under stress when BADOS configured and attack signatures enabled
691462-1 3-Major   Bad actors detection might not work when signature mitigation blocks bad traffic
687987 3-Major   Presentation of signatures in human-readable format
687986 3-Major   High CPU consumption during signature generation, not limited number of signatures per virtual server
687984 3-Major   Attacks with randomization of HTTP headers parameters generates too many signatures


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
698396-1 2-Critical   Config load failed after upgrade from 12.1.2 to 13.x or 14.x



Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
686190-1 2-Critical   LRO performance impact with BWC and FastL4 virtual server
667173-1 2-Critical   13.1.0 cannot join a device group with 13.1.0.1
683114-2 3-Major   Need support for 4th element version in Update Check


Performance Fixes

ID Number Severity Solution Article(s) Description
685628-1 1-Blocking   Performance regression on B4450 blade
673832-1 1-Blocking   Performance impact for certain platforms after upgrading to 13.1.0.
696525-1 2-Critical   B2250 blades experience degraded performance.

 

Cumulative fix details for BIG-IP v13.1.1.5 that are included in this release

764665-1 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.

Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.

Impact:
Avrd cores and restarts. Functionality is not impacted, stats data are sent to BIG-IQ.

Workaround:
None.

Fix:
Corrected issue in setting value for internal flag.


763349-1 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out

Component: Application Visibility and Reporting

Symptoms:
avrd application on BIG-IP crashes; core is generated.

Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.

-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.

Impact:
avrd crashes, and a core is generated.

Workaround:
None.

Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.


763005-2 : Aggregated Domain Names in DNS statistics are shown as random domain name

Component: Application Visibility and Reporting

Symptoms:
Many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates data it shows aggregated names using a random name taken from the first lookup table record.

Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.

Impact:
There is one random domain name with a high counter value, other domains are shown with counter 1.

Workaround:
None.


761921-3 : avrd high CPU utilization due to perpetual connection attempts

Component: Application Security Manager

Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.

Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.

Impact:
avrd consumes a large amount of CPU.

Workaround:
Correct BIG-IQ availability and restart avrd.

Fix:
avrd now waits between connection retries, so this issue does not occur.


761300 : Errors in REST token requests may log sensitive data

Component: Device Management

Symptoms:
When requests for REST tokens generate a parsing error the logged message may contain sensitive data present in the request, including passwords.

Conditions:
Error in token request parsing. Typically causes include a typo or other JSON syntax error in the POST body of the REST request.

Impact:
Restlogs record sensitive data. Properly formatted requests do not generate this error logging and do not record sensitive data.

Workaround:
None.

Fix:
Sensitive data is now filtered from logging.


761273-1 : wr_urldbd daemon's log is changed to binary type after log rotation

Component: Traffic Classification Engine

Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate position, so the next message is written at offset N and all N-1 characters are replaced with zeroes.

Conditions:
System rotates log files.

Impact:
Some automated systems might not be able to read log file.

Workaround:
None.

Fix:
Log file preserves text file type after log rotation.


760961 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts

Component: Traffic Classification Engine

Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.

Wr_urldbd daemon restarts, and during startup, it loads the downloaded database to the shared memory channel. This shared memory channel is being used by the TMM, which has no information about the wr_urldbd restart, so tmm restarts.

Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).

-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.

-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


760878-2 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.


760356-4 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.

Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports


760222-5 : SCP fails unexpected when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.

Fix:
This scp issue no longer occurs when FIPS cards are installed.


759360 : Apply Policy fails due to policy corruption from previously enforced signature

Component: Application Security Manager

Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.

Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.

Impact:
Apply policy fails.

Workaround:
As a workaround, run the following SQL, and then apply the policy:

----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------


758961 : During brute force attack, the attempted passwords may be logged

Solution Article: K58243048

Component: Application Security Manager

Symptoms:
Request data potentially included passwords is not masked in the ASM local and remote logger.

Conditions:
A brute force attack is in progress and login traffic is blocked from the suspicious IPs.

Impact:
An exposure of potentially sensitive data to the bigip logger.

Workaround:
N/A

Fix:
Potentially sensitive data from brute force blocked requests is no longer logged.


758764-4 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).


758336-1 : Incorrect recommendation in Online Help of Proactive Bot Defense

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.


757992-1 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Component: Access Policy Manager

Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.

Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.

Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.

Fix:
RADIUS Acct STOP message is now sent as expected.


757781-1 : Portal Access: cookie exchange may be broken sometimes

Component: Access Policy Manager

Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.

Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.

Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.

Workaround:
None.

Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.


757414 : GUI Network Map slow page load with large configuration

Component: TMOS

Symptoms:
Network Map loads very slowly when displaying large configurations.

Conditions:
Open Network Map page with a large configuration, for example, 2500 or more virtual servers, pools, and pool members.

Impact:
The Network Map page loads too slowly to be usable.

Workaround:
None.

Fix:
Network Map no longer loads very slowly when displaying large configurations.


757279 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.

Fix:
Firewall manager can now edit firewall policies.


757088-3 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover doesn't happen.


757027-3 : BIND Update

Solution Article: K01713115


757026-3 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757025-3 : BIND Update

Solution Article: K00040234


756774-4 : Aborted DNS queries to a cache may cause a TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.

Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.

Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.


756270-2 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.


756205-3 : TMSTAT offbox statistics are not continuous

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP systems are manged by BIG-IQ, the device health statistics have gaps (missing samples).

Conditions:
BIG-IP systems managed by BIG-IQ,

Impact:
Missing data on device health, such as CPU load and memory occupancy.

Workaround:
None.

Fix:
Functionality restored - BIG-IP systems send all the data as expected.


756094-3 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.


756088-1 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address

Component: TMOS

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
-- There are multiple virtual servers associated with a virtual address.

-- The virtual-address icmp-echo is set to 'all' or 'any'.

-- The virtual-address route-advertisement is set to 'all' or 'any'.

Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
None.


755507-3 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.


755475-3 : Corrupted customization group on target after updating logon page agent field on source device and config sync

Component: Access Policy Manager

Symptoms:
After making changes to the logon page agent field, performing config sync to another device and opening the logon agent in VPE on the sync target device encounters an error.

Conditions:
1. Form a failover device group with two devices.

2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).

3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3. Save the change and make a config sync again.

4. Go to target device, open VPE for the policy, and click on Logon Page is in the policy.

Impact:
Config is not synced properly to another device in the device group.

Workaround:
In addition to changing the logon page field, also make a change in the 'Customization' section (e.g., update the text for Logon Page Input Field).

Fix:
Target device receives identical configuration as source one after config sync after user updates logon page field in logon agent editing dialog.


755005-3 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.

Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.


754944-3 : AVR reporting UI does not follow best practices

Component: Application Visibility and Reporting

Symptoms:
The AVR reporting UI does not follow best practices.

Conditions:
Administrative access to the AVR reporting web UI.

Impact:
Unexpected HTML output.

Workaround:
The AVR reporting UI does not follow best practices.

Fix:
The AVR reporting UI now follows best practices.


754567 : Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file

Component: TMOS

Symptoms:
Child client SSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file used by the profile.

Conditions:
The issue is seen intermittently when all of the following conditions are met.
-- The client SSL profile is a child client SSL profile profile, i.e., it has a parent client SSL profile.
-- The child and the parent profile are using the same certificate.
-- The certificate file is updated, for example, by using a command similar to the following:
tmsh modify sys file ssl-cert child.crt { source-path file:///config/ssl/ssl.crt/default.crt app-service none cert-validation-options { } issuer-cert none }

Impact:
The child client SSL profile may unexpectedly end up using a different cert-key-chain from its parent profile.

Workaround:
The inherit-certkeychain flag can be set only in the GUI location: Local Traffic :: Profiles : SSL : Client :: child_profile.

In the row 'Configuration: \ Certificate Key Chain', uncheck the checkbox on the right side. That sets inherit-certkeychain to true (or does not customize the cert-key-chain for the child profile). Once the box is unchecked, the Certificate Key Chain field appears greyed out and filled with parent profile's cert-key-chain.

Fix:
The child profile's inherit-certkeychain flag is no longer unexpectedly set to false after updating the certificate file.


754365-3 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754346-1 : Access policy was not found while creating configuration snapshot.

Component: Access Policy Manager

Symptoms:
APMD fails to create configuration snapshot with the following error:

--err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!

If you attempt to modify the policy in question, the system reports a second error:

-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy

Conditions:
If TMM restarts and new access policy is added before TMM is fully up and running.

Impact:
Configuration snapshot is not created, and users cannot log on.

Workaround:
Recreate the access profile when TMM is stable.


754345-3 : WebUI does not follow best security practices

Component: TMOS

Symptoms:
WebUI does not follow best security practices.

Conditions:
Authenticated administrative user access to WebUI.

Impact:
WebUI does not follow best security practices.

Workaround:
None.

Fix:
WebUI now follows best security practices.


754330-1 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected

Component: Application Visibility and Reporting

Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.

Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and does not manage loading CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.

Impact:
Stats for AVR might not be loaded to the database within an expected interval.

Workaround:
None.

Fix:
Monpd now checks whether a new partition is required after each CSV file load. When needed, it creates one and aggregates data in the database to avoid this issue.


753975 : TMM may crash while processing HTTP traffic with AAM

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic with AAM.

Conditions:
An active virtual server with an AAM profile and RAM cache enabled.

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes AAM traffic as expected.


753912 : UDP flows may not be swept

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.

Fix:
The system now correctly manages all expired flows.


753893-1 : Inconsistent validation for firewall address-list's nested address-list causes load failure

Component: Advanced Firewall Manager

Symptoms:
Inconsistent validation for firewall address-list's nested address-lists causes load failure. The operation validates 'addresses' in the address-list but misses the case of modifying the address-list nested in the address-list. The system posts a message similar to the following:

01071a5a:3: Cannot configure mix of IPv4 and IPv6 address(es) in this object.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Modify an address-list's address-lists to contain mixed IPv4 and IPv6 addresses.
-- Save the configuration.
-- Load the configuration.

Impact:
Missing validation for nested address-list modification allows an invalid configuration to be specified and saved into bigip*.conf, which causes load failure.

Note: This might cause upgrade from v12.1.x to fail when the configuration contains a mix of IPv4 and IPv6 within an address-list.

Workaround:
Edit the bigip*.conf file to remove the mix of IPv4 and IPv6 addresses in the nested address-lists.

Fix:
This release contains validation to nested address-lists to check for overlapping IP addresses in the same address family.


753796-2 : SNMP does not follow best security practices

Component: TMOS

Symptoms:
Under certain conditions, SNMP does not follow best security practices when responding with specific MIBs.

Conditions:
SNMP access granted (no remote SNMP access is allowed in the default configuration).

Impact:
SNMP does not follow best security practices.

Workaround:
Restrict access to SNMP via IP and/or SNMPv3 authentication.

Fix:
SNMP now follows best security practices for all MIBs.


753776-1 : TMM may consume excessive resources when processing UDP traffic

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing UDP traffic.

Conditions:
Enabled virtual server with a UDP profile.
datagram_lb mode enabled.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
TMM now processes UDP traffic as expected.


753446-1 : avrd process crash during shutdown if connected to BIG-IQ

Component: Application Visibility and Reporting

Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.

Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.

Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.

Workaround:
N/A

Fix:
Issue is fixed, avrd does not crash during shutdown


753368 : Unable to import access policy with pool

Component: Access Policy Manager

Symptoms:
If your exported policy contains a pool object (e.g., Active Directory (AD) or LDAP Auth object) import of such a policy fails.

Conditions:
-- Exported policy contains a pool.
-- Attempt to import that policy.

Impact:
Unable to import certain configurations.

Workaround:
None.

Fix:
Policies with pools are imported successfully.


753028-1 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.

Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.

Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.

Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.

However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.

Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.


752930-1 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.


752835-3 : Mitigate mcpd out of memory error with auto-sync enabled.

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an HA pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.


752822-3 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type

Component: Service Provider

Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.

Conditions:
SIP ALG calls that fail translation during ingress.

Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.


752782-3 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'

Component: Fraud Protection Services

Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.

Conditions:
FPS Provisioning and a DataSafe license.

Impact:
The menu name has changed in this release.

Workaround:
None.

Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.


752592-2 : VMware Horizon PCoIP clients may fail to connect shortly after logout

Component: Access Policy Manager

Symptoms:
Sometimes if user closes opened PCoIP desktop and logs out and then logs in again, he can't launch the same desktop anymore.

Conditions:
PCoIP UDP VS has "vdi" profile assigned.

Impact:
User can't open PCoIP remote desktop during short time period (1 minute).

Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }

In admin UI the assignment of "remotedesktop" profile can be controlled via "Application Tunnels (Java & Per-App VPN)" checkbox (right under "VDI Profile" dropdown).

Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.


752078 : Header Field Value String Corruption

Component: Local Traffic Manager

Symptoms:
This is specific to HTTP/2.

In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP.

Conditions:
If the header field value string is exceptionally long, and has embedded white space characters, this bug may occur.

Impact:
A header such as:

x-info: very_long_string that has white space characters

may be sent to the client thus:

x-info: ery_long_string that has white space characters

Fix:
Fixed.


752047-2 : iRule running reject in CLASSIFICATION_DETECTED event can cause core

Component: Traffic Classification Engine

Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.

Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.


751869 : Possible tmm crash when using manual mode mitigation in DoS Profile

Component: Advanced Firewall Manager

Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.

Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.

Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.


751710-2 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A


751179-3 : MRF: Race condition may create to many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.

Fix:
Only one connection is created under these conditions.


751011-1 : ihealth.sh script and qkview locking mechanism not working

Component: TMOS

Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.

Conditions:
Running qkview on one terminal and then ihealth.sh in another.

Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.

Workaround:
Run either qkview or ihealth.sh, not both simultaneously.

Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.


751009-1 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out

Component: TMOS

Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.

Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.

Impact:
The file /var/tmp/mpcd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.

The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).

Additionally, may cause challenges in managing disk space on /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.

Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.

Edit the /usr/bin/ihealth.sh script to remove the corresponding line.

From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr

Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.

Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.


750922-3 : BD crash when content profile used for login page has no parse parameters set

Component: Application Security Manager

Symptoms:
Bd crashes. No traffic goes through ASM.

Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.

Impact:
No traffic goes through ASM. Bd crashes.

Workaround:
Set the parse parameters setting.

Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.


750843-1 : HTTP data re-ordering when receiving data while iRule parked

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm can reorder or omit HTTP data segments when they are received while processing an iRule which is parked.

Conditions:
- HTTP iRule execution suspended, e.g., waiting for a table command to return.
- Ingress data is processed during this state.

Impact:
Data corruption or loss can occur.

Workaround:
There is no workaround other than not using iRule suspend commands in HTTP_* events.

Fix:
tmm now handles ingress data correctly when in the parked iRule state.


750586-1 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.

Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.


750496-1 : TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP

Component: Access Policy Manager

Symptoms:
TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP.

Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow
Create a VS that uses the PRP, PSP, and an pool.
Delete the SSO item in the UI.
Run traffic through the VS

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not delete the SSO config object referenced by SSO Configuration Select agent in PRP.

Fix:
SSO Configuration Select agent should fail with error code when sso_config cannot be found (i.e. NULL).


750460-3 : Subscriber management configuration GUI

Component: Policy Enforcement Manager

Symptoms:
Subscriber management configuration GUI does not follow best security practices.

Conditions:
PEM provisioned
Authenticated user accesses Subscriber Management->Activity Log->Log Configuration page.

Impact:
Subscriber management configuration GUI does not follow best security practices.

Workaround:
None

Fix:
Subscriber management configuration GUI now follows best security practices.


750447-1 : GUI VLAN list page loading slowly with 50 records per screen

Component: TMOS

Symptoms:
GUI VLAN list page is loading slowly with there are 3200+ VLANs with the Records Per Screen Preference set to 50.

Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.

Impact:
Cannot use the page.

Workaround:
Use tmsh or guishell tool to see the VLANs.

You can also try using a smaller value for the Records Per Screen option in System :: Preferences.

Fix:
Improved data retrieval and rendering for the VLAN list page.


750356-3 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted

Component: Application Security Manager

Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.

Conditions:
-- Create a new filter.
-- Remove the new filter.

Impact:
The system removes all user-defined filters.

Workaround:
Before you delete a newly created filter, reload the page.

Fix:
Filter removal now completes successfully for all scenarios.


750318-1 : HTTPS monitor does not appear to be using cert from server-ssl profile

Component: TMOS

Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.

A tcpdump shows a 0-byte certificate being sent.

Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.

The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.

Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.

Workaround:
Restart bigd process by running the following command:
bigstart restart bigd

Fix:
mcpd now sends the full profile configuration to bigd upon modification.


750200-1 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.


750187-3 : ASM REST may consume excessive resources

Component: Application Security Manager

Symptoms:
While processing ASM REST calls from authorized users ASM may consume excessive resources.

Conditions:
ASM provisioned and licensed
REST calls from an authorized user

Impact:
Excessive resource consumption potentially leading to a failover event.

Workaround:
None.

Fix:
ASM REST now consumes resources as expected.


749879-4 : Possible interruption while processing VPN traffic

Component: Carrier-Grade NAT

Symptoms:
When processing certain rare data sequences occurring in VPN traffic, the Traffic Management Microkernel may execute incorrect logic, triggering a TMM restart.

Conditions:
The problem occurs only with the CGNAT feature provisioned and when at least one virtual server is configured with certain profiles.

Impact:
The restart of the TMM disrupts network traffic until either an HA-configured partner TMM assumes processing or the TMM restart has completed.

Workaround:
No Workaround.

Fix:
Improved handling of PPTP messages in PPTP profile.


749774-3 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749689-1 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart

Component: Local Traffic Manager

Symptoms:
HTTPS monitor sends different amount of cipher suites in client hello during SSL handshake and sometimes back end server fails to find a desired cipher suite from client hello. As a result, sometimes SSL handshake fails and monitor wrongly marks pool member down.

Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.

Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.

Workaround:
Restart bigd using the following command:
bigstart restart bigd

Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.


749675-3 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.


749603-3 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.

Fix:
Entire call-id checked before terminating media flows.


749508-3 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.

Fix:
The system contains improvements for handling OOM conditions properly.


749464 : Race condition while BIG-IQ updates common file

Component: Application Visibility and Reporting

Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.

Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.

Impact:
avrd might read incomplete data, and can even core in some rare cases.

Workaround:
None.

Fix:
This race condition no longer occurs.


749461 : Race condition while modifying analytics global-settings

Component: Application Visibility and Reporting

Symptoms:
Updating the analytics global-settings might cause a core for avrd.

The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses

Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.

Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.

Workaround:
None.

Fix:
Race condition no longer occurs while modifying analytics global-settings.


749222-3 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive error response:
- Got bad packet: bad compression pointer
- Got bad packet: bad label type

Conditions:
When dns response is large enough so that dname redirect to an offset larger than 0x3f ff.

Impact:
DNS response is malformed.


749109-1 : CSRF situation on BIGIP-ASM GUI

Component: Application Security Manager

Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.

Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:

https://BIG-IP/dms/policy/pl_negsig.php?id=*

Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).

Workaround:
None.

Fix:
If the query string parameter has a string value the query is not executed.


749057-3 : VMware Horizon idle timeout is ignored when connecting via APM

Component: Access Policy Manager

Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions are staying, though).
This settings has no effect when connecting via APM.

Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.

Impact:
VMware Horizon idle timeout setting for applications has no effect.

Workaround:
None.

Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.


748999-1 : invalid inactivity timeout suggestion for cookies

Component: Application Security Manager

Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.

Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed

Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.

Workaround:
Ignore the inactive entity suggestions for cookies

Fix:
Inactivity learning for cookies has been deprecated, the feature does not cover cookies anymore.


748976 : DataSafe Logging Settings page is missing when DataSafe license is active

Component: Fraud Protection Services

Symptoms:
DataSafe Logging Settings page is missing when DataSafe license is active

Conditions:
1. DataSafe license is active
2. Logging of Login attempts feature enabled

Impact:
DataSafe Logging Settings page is missing in GUI.

Workaround:
Use tmsh to configure the logging of Login attempts feature.

Fix:
FPS GUI should display Logging Settings page also when DataSafe license is active.


748902-7 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.


748851-1 : Bot Detection injection include tags which may cause faulty display of application

Component: Application Security Manager

Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.

Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.

Impact:
Some web applications may be displayed incorrectly.

Workaround:
None

Fix:
There is now an ASM Internal Parameter 'inject_apm_do_not_touch' and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (modify sys db asm.inject_apm_do_not_touch value false) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.

Behavior Change:
This release provides an ASM Internal Parameter 'inject_apm_do_not_touch', and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (the default is enabled) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.

To disable db variable, run the following command:
modify sys db asm.inject_apm_do_not_touch value false


748813-1 : tmm cores under stress test on virtual server with DoS profile with admd enabled

Component: Anomaly Detection Services

Symptoms:
tmm cores

Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off Behavioral DOS.

Fix:
This tmm core no longer occurs under these conditions.


748502-3 : TMM may crash when processing iSession traffic

Component: Wan Optimization Manager

Symptoms:
The TMM process may crash when processing traffic with an iSession virtual server.

Conditions:
iSession virtual server enabled

Impact:
TMM may crash, leading to failover event.

Workaround:
None.

Fix:
TMM now processes iSession traffic as expected.


748206 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position

Component: TMOS

Symptoms:
Browser becomes unresponsive.

Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.

Impact:
Browser becomes unresponsive and must be restarted.

Workaround:
Change the position of the forwarding rule policy.

Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.


748187-2 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.

Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.


748177-3 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request will get wrong answer.

Workaround:
There is no workaround at this time.


748121-1 : admd livelock under CPU starvation

Component: Anomaly Detection Services

Symptoms:
Due to the resources starvation the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.

The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.

The system posts messages similar to the following:

-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Publisher0 fails action is restart.

Conditions:
-- High CPU / memory utilization,
-- Very large configuration.

Note: There are no known special configuration requirements to have this occur.

Impact:
admd restarts.
Behavioral DoS does not work.

Workaround:
Reboot the BIG-IP system.

Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.


748081-2 : Memory leak in BDoS module

Component: Advanced Firewall Manager

Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.

Conditions:
The issue is seen when BDoS feature is configured, and if there exits Custom or Auto Generated BDoS Signatures. When such signatures exist, the BDoS one second timer callback leaks memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable BDoS feature.
Disable all configured and auto generated BDoS signatures using TMSH command:
modify security dos dos-signature all { state disabled }


748043-3 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP

Component: Service Provider

Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that response are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet

Conditions:
SIP Server wants the SIP Response to be coming on a different port.

Impact:
SIP Request will not receive the SIP Response

Workaround:
There is no workaround.

Fix:
Fix BIG-IP to process the SIP Response and send it to the SIP Server


747968-2 : DNS64 stats not increasing when requests go through dns cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the tmsh show ltm profile dns or in tmctl profile_dns_stat commands if responses are coming from dns cache resolver.

Conditions:
DNS responses are coming from dns cache resolver.

Impact:
DNS64 stats not correct.

Workaround:
There is no workaround at this time.


747926 : Rare TMM restart due to NULL pointer access during AFM ACL logging

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes while performing log ACL match logging.

Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"

The problem happens under extremely rare circumstances.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Defensive error handling to avoid the scenario of NULL pointer access.


747905-1 : 'Illegal Query String Length' violation displays wrong length

Component: Application Security Manager

Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.

Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.

Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.

Workaround:
None.


747777-1 : Extractions are learned in manual learning mode

Component: Application Security Manager

Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Conditions:
Direct cause: Policy contains parameters with dynamic type

Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)

Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type

- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').

Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode


747621-2 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used

Component: Access Policy Manager

Symptoms:
Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used, e.g. RADIUS server performs two factor authentication.

Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).

Impact:
Authentication fails. User can't get access to VMware Horizon resources.

Workaround:
None.

Fix:
Fixed issue preventing native VMware Horizon client to authenticate with RADIUS challenge.


747617-1 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
SSL filter will no longer be enabled after connection close.


747550-1 : Error 'This Logout URL already exists!' when updating logout page via GUI

Component: Application Security Manager

Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'

Conditions:
1. Create any Logout page.
2. Try to update it.

Impact:
The properties of the Logout Page cannot be updated.

Workaround:
Delete the logout page and create a new one.

Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.


747187-3 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None

Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.


747104-3 : LibSSH Vulnerability: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493


746941 : avrd memory leak when BIG-IQ fails to receive stats information

Component: Application Visibility and Reporting

Symptoms:
AVRD has memory leak when it is failing to send statistical information to BIG-IQ.

Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
Plus, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or not network connection between BIG-IP and BIG-IQ).

Impact:
avrd memory is increased over time, leading to avrd restart when it is getting too large

Workaround:
Connectivity issue between BIG-IP and BIG-IQ should be fixed, not just in order to prevent this memory leak, but for more important functionality such as visibility and alerts features in BIG-IQ.

Fix:
Memory leak is fixed.


746877-3 : Omitted check for success of memory allocation for DNSsec resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSsec traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.


746823 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members

Component: Application Visibility and Reporting

Symptoms:
In a configuration that AVR is set to send telemetry data to external source (like connection with BIG-IQ), and there is large number of config objects in the system, such as virtual servers and pool-members. AVRD is constantly crashing.

Conditions:
1. AVR is set to send telemetry data to external source (like connection with BIG-IQ).
2. Large number of config objects in the system, such as virtual servers and pool-members.

Impact:
AVRD process is crashing and telemetry data is not collected.

Workaround:
N/A

Fix:
The issue is fixed, AVR can handle any number of virtuals/pool-members when sending its telemetry.


746771-1 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD will detect the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle will repeat every minute.

Sep 11 17:57:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:57:59 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

Sep 11 17:58:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:59:00 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The condition under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage will increase due to excessive config snapshots created.

Workaround:
Restart APMD to clear the APMD and MCPD out of sync condition.

Fix:
N/A


746768-1 : APMD leaks memory if access policy policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.

Fix:
Memory growth has been addressed.


746077-1 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified

Component: Local Traffic Manager

Symptoms:
DHCP-RELAY does overwrite the 'giaddr' field containing some non-zero value, this violates RFC 1542.

Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing some non-zero value,

Impact:
rfc violation

Workaround:
none

Fix:
DHCP-RELAY does no longer overwrite the 'giaddr' field containing some non-zero value.


745809 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition

Workaround:
This workaround is temporary in nature, should the conditions of this bug still be met, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:
 bigstart stop restjavad
 rm -rf /var/config/rest/storage*.zip
 rm -rf /var/config/rest/*.tmp
 bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


745802-3 : Brute Force CAPTCHA response page truncates last digit in the support id

Component: Application Security Manager

Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.

Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.

Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs

Workaround:
There is no workaround at this time.

Fix:
The code is fixed, correct support id is shown in the captcha response page.


745783-3 : Anti-fraud: remote logging of login attempts

Component: Fraud Protection Services

Symptoms:
There is no support for logging of login attempts to a remote service.

Conditions:
Using high speed logging (HSL) to log login attempts.

Impact:
There is no support for logging of login attempts.

Workaround:
None.

Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.

To enable this feature:

# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
 
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
 
 
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.

To change encoding level:

tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>

Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.


745713-1 : TMM may crash when processing HTTP/2 traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash when processing HTTP/2 traffic

Conditions:
HTTP/2 profile enabled

Impact:
TMM crash, leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes HTTP/2 traffic as expected.


745654-2 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.


745574-3 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.

Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.


745533-4 : NodeJS Vulnerability: CVE-2016-5325

Component: Local Traffic Manager

Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.

Conditions:
iRules LX is running at the BigIP.

Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.

Workaround:
N/A.

Fix:
NodeJS updated to patch for CVE-2016-5325


745531-1 : Puffin Browser gets blocked by Bot Defense

Component: Application Security Manager

Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all version of the Puffin Browsers: Desktop, Android, iOS.

Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled

Impact:
Users of the Puffin Browser cannot access the website

Workaround:
None

Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both BIG-IP Release and ASU must be installed which contain the fix. Also, it is recommended to enable the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable


745387-3 : Resource-admin user roles can no longer get bash access

Component: TMOS

Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.

Conditions:
Resource-admin users configured with bash shell access.

Impact:
Resource-admin users with bash access may write to system files causing security risks.

Workaround:
Do not assign bash access for resource-admin users.

Fix:
Resource-admin users restricted to tmsh access now. If a resource-admin user had bash access in a prior version and upgrades to this version, that user will get converted to tmsh access automatically after the upgrade process.

Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.


745371-2 : AFM GUI does not follow best security practices

Component: Advanced Firewall Manager

Symptoms:
AFM GUI does not follow best security practices.

Conditions:
AFM provisioned
Authenticated administrative user

Impact:
AFM GUI does not follow best security practices.

Workaround:
None.

Fix:
AFM GUI now follows best security practices.


745358-3 : ASM GUI does not follow best practices

Solution Article: K14812883


745257-3 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447


745165-3 : Users without Advanced Shell Access are not allowed SFTP access

Component: TMOS

Symptoms:
Users that do not have Advanced Shell Access can access BIG-IP via SFTP.

Conditions:
User without Advanced Shell Access.

Impact:
Users that do not have Advanced Shell Access cannot access BIG-IP via SFTP.

Workaround:
None.

Fix:
Users that do not have Advanced Shell Access can no longer sftp into BIG-IP. Such users can still use scp for file transfers.


745027 : AVR is doing extra activity of DNS data collection even when it should not

Component: Application Visibility and Reporting

Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.

Conditions:
DNS Statistics collection or DNS-DoS is configured.

Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.

Workaround:
None.

Fix:
The system no longer performs extra computation that is not needed in this case.


744959-1 : SNMP OID for sysLsnPoolStatTotal not incremented in stats

Component: Carrier-Grade NAT

Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.

Conditions:
This affects all of the global port block allocation (PBA) counters.

Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.

Workaround:
None.

Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.


744949-3 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix

Component: Service Provider

Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.

Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address that the request message.

Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.

Workaround:
There is no workaround at this time.

Fix:
The FROM header will now contain the client's IP address.


744707-4 : Fixed crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event can cause a tmm core dump.

Conditions:
System low/out of memory.
DNSSKEY rollover event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed an issue in DNSSEC Key Rollover event that can cause a crash.


744685-1 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension

Component: Local Traffic Manager

Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.

Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.

Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.

Workaround:
None.

Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.

Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:

            X509v3 Basic Constraints: critical
                CA:TRUE

If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.


744595-1 : DoS-related reports might not contain some of the activity that took place

Component: Application Visibility and Reporting

Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.

Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.

Impact:
DoS related reports might not contain some of the activity that takes place.

Workaround:
None.

Fix:
Issue was fixed, all telemetry data is collected without errors.


744589-1 : Missing data for Firewall Events Statistics

Component: Application Visibility and Reporting

Symptoms:
Statistical information that is collected for Firewall event, has some data that is getting lost and not reported.

When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded

Conditions:
AFM is used, no particular condition that leads to this situation of losing some of the stats, usually takes place under heavy activity.

Impact:
Statistical reports of Firewall Events are missing some the the activity that actually took place.

Workaround:
There is no workaround at this time.

Fix:
Issue with missing data was fixed.


744556-1 : Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3

Solution Article: K01226413

Component: Access Policy Manager

Symptoms:
Upgrading PingAccess SDK from v1.0.0 to v1.1.3

Conditions:
The SDK is upgraded during system upgrade.

Impact:
BIG-IP APM will internally use PingAccess SDK v1.1.3 when interacting with PingAccess servers.

Workaround:
Not Applicable.

Fix:
Upgraded PingAccess SDK used by BIG-IP APM to the v1.1.3, applicable when BIG-IP APM interacts with PingAccess servers.


744516-1 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
A LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.

Fix:
TMM no longer panics regardless of the number of remote picks.


744347-2 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744331 : OpenSSH hardening

Component: TMOS

Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.

Conditions:
Administrative SSH access enabled.

Impact:
OpenSSH does not follow best practices.

Fix:
The default OpenSSH configuration includes best practices for security hardening.


744269-2 : dynconfd restarts if FQDN template node deleted while IP address change in progress

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.

Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).

Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.

Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.


744188 : First successful auth iControl REST requests will now be logged in audit and secure log files

Component: TMOS

Symptoms:
Previously, when making a REST request from a client for the first time and it is successful, this action was not logged.

Just subsequent REST calls were logged or initial failed REST calls from a client were logged.

Conditions:
Making a successfully auth-ed initial REST request from a new client to BIG-IP.

Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.

Workaround:
None.

Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Here's an example of what shows in audit log:

-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Here's an example of what shows in secure log:

-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Subsequent REST calls will continue to be logged normally.

Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Subsequent REST calls will continue to be logged normally.


744117-5 : The HTTP URI is not always parsed correctly

Solution Article: K18263026

Component: Local Traffic Manager

Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.

Conditions:
-- HTTP profile is configured.
-- The URI is inspected.

Impact:
If the URI is used for security checks, then those checks might be bypassed.

Workaround:
None.

Fix:
The HTTP URI is parsed in a more robust manner.


744035-4 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880


743961-3 : Signature Overrides for Content Profiles do not work after signature update

Component: Application Security Manager

Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).

Conditions:
Signature override on content profile ASU with major update to targeted sig.

Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).

Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce new version of sig globally.

Fix:
Signature Overrides for Content Profiles now work after signature update.


743857 : clientssl accepts non-SSL traffic when cipher-group is configured

Solution Article: K21942600

Component: Local Traffic Manager

Symptoms:
clientssl accepts Non-SSL traffic even when "Non-SSL Connections" is disabled.

Conditions:
In clientssl profile, Cipher Group is configured and one of the "No SSL/TLS/DTLS" option is enabled.

Impact:
Connections to VIP with clientssl profile are not encrypted.
If SSL client authentication is enabled, plaintext request is successful meaning that client can get access to resources otherwise requiring a valid client certificate.

Workaround:
Use Cipher String instead of Cipher Group when configuring clientssl profile.

Fix:
Properly validate cipher suites in a cipher group before use.


743810-1 : AWS: Disk resizing in m5/c5 instances fails silently.

Component: TMOS

Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.

Conditions:
BIG-IP system deployed in AWS with m5/c5 instance type that uses NVME disks instead of the usual native paravirt disks.

Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.

Workaround:
There is no workaround.

Fix:
AWS: Disk resizing now works as expected.


743803-2 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.


743790-3 : BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus

Component: TMOS

Symptoms:
In some rare circumstances, the HSB device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.

Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.

Impact:
No failover to standby unit after this error condition, causing site outage.

Workaround:
None.

Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.


743437-1 : Portal Access: Issue with long 'data:' URL

Component: Access Policy Manager

Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.

Conditions:
HTML page with very long 'data:' similar to the following example:

    data:image/png;base64,...

Such URLs might be several megabytes long.

Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now Portal Access handles very long 'data:' URLs correctly.


743150-1 : Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client

Component: Access Policy Manager

Symptoms:
During OAuth token processing for OAuth Client, if the timestamp is set to a value greater than INT32_MAX (2147483647), the BIG-IP system posts an error message, but the error is not descriptive enough to assist in troubleshooting. The error message appears similar to the following:
 err apmd[14229]: 01490290:3: /Internet/Oauth_OpenAM_Preprod:Internet:46ea50d9:/Internet/server_act_oauth_client_ag: OAuth Client: failed for server '/Internet/server1' using 'authorization_code' grant type (client_id=oidc), error: stoi

Conditions:
-- OAuth token processing for OAuth Client.
-- Timestamp value greater than INT32_MAX.

Impact:
The APM end user is not granted access because the the policy does not complete successfully.

Workaround:
None.

Fix:
The maximum allowed timestamp is increased from INT32_MAX (2147483647) to 6249223209600, and now includes more descriptive error messages for better troubleshooting when the BIG-IP system receives invalid timestamps.


743082-1 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members

Component: TMOS

Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result a configuration that fails to load due to a stray colon-character that gets added to the configuration file.

Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.

Impact:
Configuration fails to load.

Workaround:
Remove stray colon-character from bigip_gtm.conf.

Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.


742829-3 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.


742627-2 : SSL session mirroring may cause memory leakage if HA channel is down

Component: Local Traffic Manager

Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.

Conditions:
- SSL session mirroring enabled
- HA channel is down

Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.

Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.

Fix:
SSL session mirroring no longer leaks memory when the HA channel is down.


742226-2 : TMSH platform_check utility does not follow best security practices

Component: TMOS

Symptoms:
No functional issues.

Conditions:
TMSH access to the platform_check command

Impact:
None.

Workaround:
None.

Fix:
Security violation removed


742078-2 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.


742037-3 : FPS live updates do not install when minor version is different

Component: Fraud Protection Services

Symptoms:
Install update file with a different minor version.
For example, install update file versioned 13.1.1 on BIG-IP version 13.1.0.

Conditions:
FPS is licensed and provisioned.

Impact:
FPS engine and signature cannot be updated.

Workaround:
N/A

Fix:
The minor version in update file is now ignored and only the major version is validated.


741993-1 : The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.

Component: Anomaly Detection Services

Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.

Conditions:
1. Create a DoS profile Behavioral & Stress-based (D)DoS Detection.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.

Impact:
Connection hangs.

Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.

Fix:
The system now correctly handles a disabled DOSL7 policy.


741951-2 : Multiple extensions in SIP NOTIFY request cause message to be dropped.

Component: Service Provider

Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.

Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.

Impact:
NOTIFY message is not forwarded.

Workaround:
None.

Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.


741919 : HTTP response may be dropped following a 100 continue message.

Component: Local Traffic Manager

Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.

Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).

Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.

Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.

Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.

-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable


741858-1 : TMM may crash while processing Portal Access requests

Solution Article: K52206731


741767-2 : ASM Resource :: CPU Utilization statistics are in wrong scale

Component: Application Visibility and Reporting

Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization have the wrong scale for statistics.

Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.

Impact:
Wrong scale of statistics.

Workaround:
To work around this issue:

1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove all division by 100 on 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).

Fix:
Scale is now fixed and is not pre-divided by 100.


741761-1 : admd might fail the heartbeat, resulting in a core

Component: Anomaly Detection Services

Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.

Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.

Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.

Workaround:
None.


741752-1 : [BADOS] state file is not saved when virtual server reuses a self IP of the device

Component: Anomaly Detection Services

Symptoms:
BADOS state file is not saved.

Conditions:
Virtual server reuses a self IP of the device.

Impact:
After admd restarts, learned information - baseline and good dataset can disappear.

Workaround:
None.

Fix:
This system now handles this situation without impact, so the state file is saved as expected.


741449-1 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts

Component: Fraud Protection Services

Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp

currently, these timestamps are not available in the alert details

Conditions:
JAVASCRIPT_THRESHOLD alert is triggered

Impact:
it is impossible to analyze the alert

Workaround:
There is no workaround at this time.

Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert


741423-2 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync

Component: TMOS

Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.

The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.

Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.

Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.

Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):

1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.

For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:

tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }

2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.

Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established HA or config-sync configurations.


740963-2 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart

Component: Local Traffic Manager

Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.

Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.

Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP retransmit bursts are now handled gracefully.


740777-1 : Secondary blades mcp daemon restart when subroutine properties are configured

Component: Access Policy Manager

Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.

Conditions:
When a subroutine is configured in the access policy.

Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.

Workaround:
There is no workaround other than to not use subroutine in the access policy.

Fix:
You can now use subroutines in the access policy.


740719-2 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive

Component: Application Security Manager

Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.

Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.

Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.

Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:

1. In /usr/share/ts/bin/add_del_internal, run the following command:
add csp_enabled 0

2. Restart ASM by running the following command:
bigstart restart asm

Fix:
ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when there is 'script-src' 'unsafe-inline' directive arriving from a backend server. This is correct behavior.


740490-1 : Configuration changes involving HTTP2 or SPDY may leak memory

Component: Local Traffic Manager

Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.

Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.

Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.

Workaround:
None.

Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.


740345-1 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.

Component: TMOS

Symptoms:
TMM generates cores files on the device.

Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling is enabled.

Impact:
If a failover happens when a SSL handshake is in progress,
TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.

Workaround:
None.


740086 : AVR report ignore partitions for Admin users

Component: Application Visibility and Reporting

Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.

Reports generated for specific partition include data from all partitions.

Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.

Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.

Workaround:
One workaround is to have non-Admin users generate reports.

For non-Admin users, the partition is honored.

Fix:
AVR GUI pages or Scheduled Reports defined for one partition now show all users AVR data from only that partition.


739970-2 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321


739963-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739947-1 : TMM may crash while processing APM traffic

Solution Article: K42465020


739945-2 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.


739939-1 : Ping Access Agent Module leaks memory in TMM.

Component: Access Policy Manager

Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.

Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).

Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Ping Access Agent Module no longer leaks memory in TMM.


739846-3 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.


739744-1 : Import of Policy using Pool with members is failing

Component: Access Policy Manager

Symptoms:
Import of Policy using Pool with members is failing with an error Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)

Conditions:
Policy has pool attached to it with resource assign or chained objects

Impact:
Policy is not being imported on the same box

Workaround:
There is no workaround at this time.

Fix:
ng-import is now importing policy correctly.


739716-2 : APM Subroutine loops without finishing

Component: Access Policy Manager

Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".

Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.

Impact:
Subroutines never finish. End-users are not able to access resources.

Workaround:
TMM restart does resolve the issue.

Fix:
The memory corruption issue was resolved and the subroutines now correctly finish.


739674-1 : TMM might core in SWG scenario with per-request policy.

Component: Access Policy Manager

Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.

Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM does not core now when using SWG scenario with per-request policy.


739507 : How to recover from a failed state due to FIPS integrity check

Component: TMOS

Symptoms:
After FIPS 140-2 license is installed on FIPS-certified hardware devices, and the device rebooted, the system halts upon performing FIPS integrity check.

Conditions:
[1] Some system applications, monitored by FIPS 140-2, get routinely changed.
[2] The device was containing a FIPS 140-2 enabled license installed.
[3] The device operator installs a FIPS 140-2 enabled license
[4] The device is rebooted

Impact:
The device is halted and cannot be used.

Workaround:
Workaround:
[1] The device needs to have serial console access (Telnet).
[2] From the Telnet console, enter the GRUB menu and boot into a different partition not having a FIPS 140-2 enabled license.
[3] Examine the contents of file /config/fipserr which will show the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones and reboot.

If system still halts, repeat from Step [1] above, until this no longer happens.

Fix:
Here are the steps, in summary form.

[1] Connect a terminal to the BIG-IP serial console port
[2] From the Telnet console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that contains the keyword "module".
[6] Add a space, followed by NO_FIPS_INTEGRITY=1. DO NOT press ENTER.
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.

The machine will boot into the partition containing FIPS 140-2-enabled license.

[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:

Integrity Check Result: [ FAIL ]

If fatal error persists, DO NOT REBOOT (otherwise the system will go into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Re-run the test tool until no error is seen.


739505 : Automatic ISO digital signature checking not required when FIPS license active

Component: TMOS

Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.

The system logs an error message upon an attempt to install or update the BIG-IP system:
 failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)

Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.

Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.

Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.

Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.


739446-2 : Resetting SSL-socket correctly for AVR connection

Component: Application Visibility and Reporting

Symptoms:
SSL socket is being corrupted.

Conditions:
The conditions under which this occurs have not been fully identified.

Impact:
AVR fails to make an SSL connection and report externally correctly.

Workaround:
None.

Fix:
Resetting the SSL-connection whenever required.


739379-2 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error

Component: Local Traffic Manager

Symptoms:
In situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from ClientHello and saved in 1st layer of SSL forward proxy may get overwritten by the 2nd layer of SSL forward proxy. When this happens, certification verification will fail when 1st layer of SSL forward proxy attempts to validate certificate.

Conditions:
Two SSL forward proxies connected via virtual command in iRule.

Impact:
Client traffic gets random reset.

Workaround:
None.

Fix:
The search scope of storing parsed SNI is now local to each SSL forward proxy.


739349-1 : LRO segments might be erroneously VLAN-tagged.

Component: Local Traffic Manager

Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up)
might be erroneously VLAN-tagged when LRO is enabled.

Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.

Impact:
Egress traffic might sometimes be tagged.

Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>

Fix:
The system now ensures that fragment packet flags are correctly set.


739345 : Reporting invalid signature id after specific signature upgrade

Component: Application Security Manager

Symptoms:
An incorrect/invalid signature id is reported.

Conditions:
The signature was changed in an upgrade.

Impact:
Not able to confirm successful signature update.

Workaround:
When the signature id prefix is 6, replace it with 2 when looking for the actual signature.

Fix:
Fixed a reporting issue with signature ids after upgrade.


739285-1 : GUI partially missing when VCMP is provisioned

Component: TMOS

Symptoms:
GUI may be partially missing.

Conditions:
VCMP must be provisioned.

Impact:
GUI may be partially missing.

Workaround:
Use tmsh or deprovision VCMP.

Fix:
the GUI now works as expected when VCMP is provisioned.


739277 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode

Component: Anomaly Detection Services

Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode

Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.

Impact:
TMM core / traffic does not path through till TMM restarts.

Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:

-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.

Fix:
This release corrects an TMM crash that occurred when the virtual server was deleted during POST data and BADOS was in standard/aggressive mode.


739272-1 : Incorrect zombie counts in PBA stats with long PBA block-lifetimes

Component: Carrier-Grade NAT

Symptoms:
Due to a truncation error, a long Port Block Allocation (PBA) block lifetime can cause the PBA zombie stats to get incremented before the block lifetime expires and even though a zombie block has not been created.

Conditions:
Large Scale NAT (LSN) pool or Firewall NAT source-translation with a Port Block Allocation Block Lifetime greater than 65535.

Impact:
This bug affects only the 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created', and “Total Zombie Port Blocks Deleted” counters. It does not convert active blocks to zombie blocks before the block lifetime expires.

Workaround:
There is no workaround.

Fix:
The 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created' counters are now incremented only when the PBA block lifetime expires.


739190 : Policies could be exported with not patched /Common partition

Component: Access Policy Manager

Symptoms:
Policies could be exported with not patched /Common partition and it's heading to profiles that are not being imported.

Conditions:
Policy has objects outside of partition of the policy.

Impact:
Policy cannot be imported on the same system it was exported from.

Workaround:
There is no workaround.

Fix:
Proper naming of partitions has been restored, import is back to working.


739126 : Multiple VE installations may have different sized volumes

Component: TMOS

Symptoms:
When installing a 2nd, 3rd, (or more) version of BIG-IP to a Virtual Edition (VE) instance, the sizes of the non-shared volumes may be smaller than the first. This can be an issue if, for example, /var is smaller and fills up due to UCS archives, data gathered during troubleshooting, etc.

Conditions:
Install an additional version of BIG-IP to an existing VE instance.

Impact:
Disk volumes may run out of space sooner than expected, leading to issues when that space is needed for other operations.

Workaround:
Provision additional disk space to expand the available storage.

Fix:
In this release, the installer handles this condition without issue.


739003-1 : TMM may crash when fastl4 is used on epva-capable BIG-IP

Component: Local Traffic Manager

Symptoms:
TMM may crash when fastl4 is used on epva-capable BIG-IP.

Conditions:
The virtual server has fastl4 profile installed, has iRule installed and the iRule uses SERVER_CONNECTED event. The pool member is route-able but does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed.


738985-2 : BIND vulnerability: CVE-2018-5740

Component: TMOS

Symptoms:
deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.

Conditions:
"deny-answer-aliases" feature is explicitly enabled

Impact:
Crash of the BIND process and loss of service while the process is restarted

Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.

Fix:
BIND patched to correct CVE-2018-5740


738945-2 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.


738887-3 : The snmpd daemon may leak memory when processing requests.

Component: TMOS

Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.

Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.

Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.

Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:

bigstart restart snmpd

Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.


738864-1 : javascript functions in href are learned from response as new URLs

Component: Application Security Manager

Symptoms:
New urls representing javascript functions are learned from response.

Conditions:
Learn from response is turned on and URLs learning set to 'Always'

Impact:
Wrong URLs are created and added to the policy (not really interfering with enforcement but adds redundant noise to the policy)

Workaround:
Either:
- Change URL learning from 'Always' to any of the other learning options (Compact \ Selective \ Never).
- Disable learn from response

Fix:
javacript functions are no longer learned from responses as new URLs.


738669-2 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.


738647-2 : Add the login detection criteria of 'status code is not X'

Component: Application Security Manager

Symptoms:
There is a criterion needed to detect successful login.

Conditions:
Attempting to detect successful login when the response code is not X (where 'x' = some code).

Impact:
Cannot configure login criteria.

Workaround:
None.

Fix:
This release adds a new criterion to the login criteria.


738614-2 : "Internal error" appears on Goodput GUI page

Component: Application Visibility and Reporting

Symptoms:
When you open "Statistics ›› Analytics : TCP : Goodput" GUI page displays "Internal Error", and data is not displayed.

Conditions:
This can occur on multi-blade VIPRION systems.

Impact:
You are unable to see statistics for TCP Goodput on a multi-blade system.

Workaround:
Edit /etc/avr/monpd/monp_tcp_measures.cfg file:

1) In [cs_avg_conn_goodput_rcv_m] section replace existing value of merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_rcv_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_rcv_m)/SUM(cs_numendings_m),2))

2) In [cs_avg_conn_goodput_snt_m]section replace existing value of merge_formula parameter with the following one:
merge_formula=IF(SUM(cs_avg_conn_goodput_snt_m)=0,"N/A",ROUND(SUM(cs_numendings_m*cs_avg_conn_goodput_snt_m)/SUM(cs_numendings_m),2))

3) In both aforementioned sections add the following parameter:
merge_deps=cs_numendings_m

Restart monpd daemon:
tmsh restart sys service monpd

Fix:
Fixed an issue with Goodput statistics on multi-blade systems.


738582-1 : Ping Access Agent Module leaks memory in TMM.

Component: Access Policy Manager

Symptoms:
While handling Ping Access Request, if the internal events passing between modules fail, it might cause a memory leak inside TMM.

Conditions:
Internal events passing between Ping Access Request processing modules fail.

Impact:
Ping Access Agent Module leaks memory in TMM.

Workaround:
None.


738523-2 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.

Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.


738521-1 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There are two workarounds:

-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.

Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.


738430-1 : APM is not able to do compliance check on iOS devices running F5 Access VPN client

Component: Access Policy Manager

Symptoms:
Compliance check against Microsoft Intune fails when an APM end user attempts a VPN connection from a managed iOS device running the F5 Access VPN client.

Conditions:
-- APM policy is configured to use Microsoft Intune for device compliance check.
-- APM end user is attempting VPN connection using the F5 Access VPN client on an iOS device.

Impact:
APM is not able to do compliance checks on the device, and VPN connection fails.

Workaround:
None.

Fix:
APM can now check iOS devices for compliance against Microsoft Intune.


738397-1 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.

Component: Access Policy Manager

Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.

The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.

Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
  + The IdP has a Per-Request policy (in addition to a V1 policy).
  + That Per-Request policy has a subroutine or a subroutine macro with a logon page.

Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.

Workaround:
None.

Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.


738330-1 : /mgmt/toc endpoint broken after configuring remote authentication

Component: TMOS

Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.

Conditions:
When remote auth is configured.

Impact:
Cannot configure remote authentication.

Workaround:
None.


738211-3 : pabnagd core when centralized learning is turned on

Component: Application Security Manager

Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.

Note: This is a very rarely occurring issue.

Conditions:
Centralized learning is enabled for a policy.

Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:

-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).

Workaround:
None.

Fix:
The pabnagd process no longer restarts/cores when centralized learning is enabled.


738197-2 : IP address from XFF header is not taken into account when there are trailing spaces after IP address

Component: Application Visibility and Reporting

Symptoms:
X-FORWARDED-FOR (XFF) header is ignored by BIG-IP ASM even though usage of XFF is enabled in HTTP profile.

In DoS statistics, the original source IP is reported (instead of one taken from XFF).

Conditions:
There are spaces after IP address in the XFF header.

Impact:
Source IP is not reported as expected in all BIG-IP reports.

Workaround:
Configure the proxy server to not add trailing spaces after the IP address in the XFF header.

Fix:
Trailing spaces are now ignored when extracting IP addresses from XFF headers in AVR.


738119-2 : SIP routing UI does not follow best practices

Solution Article: K23566124


738046-2 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.

Fix:
SERVER_CONNECTED now fires when expected on the standby device.


737910-2 : Security hardening on the following platforms

Solution Article: K18535734


737867-1 : Scheduled reports are being incorrectly displayed in different partitions

Component: Application Visibility and Reporting

Symptoms:
Scheduled analytics reports are being displayed in the list regardless of selected partition. However, you can only open reports belonging to the selected partition, even if they belong to 'Common'.

Conditions:
System configured with multiple partitions.

Impact:
It makes it difficult to modify reports from different partitions.

Workaround:
Switch to the report's partition before editing it.

Fix:
Report's partition is now indicated in the list and correct handling is performed according to standard partition rules.


737863-1 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms

Component: Application Visibility and Reporting

Symptoms:
On multi-blade systems, when you navigates to System :: Logs : Captured Transactions, click on Expand Advanced Filters, choose something, and click Update, the GUI reports a 'Could not get captured events' message.

Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.

Impact:
The Captured Transactions filter does not work.

Workaround:
None.

Fix:
The Captured Transactions filter now works as expected.


737813-1 : BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address

Component: Application Visibility and Reporting

Symptoms:
When IPv6 is used for transferring data from BIG-IP systems to BIG-IQ DCD nodes, no traffic arrives to the BIG-IQ.

Conditions:
-- DCD node uses IPv6 interface for collecting data from BIG-IP systems.
-- BIG-IP is registered on BIG-IQ as 'BIG-IP device' the regular way (not necessary via IPv6 management interface).

Impact:
No statistics from BIG-IP systems are collected.

Workaround:
Use IPv4 addresses instead.

Fix:
You can now use IPv6 addresses in BIG-IP systems, and statistics arrive to the BIG-IQ.


737758-2 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.

Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.


737731-2 : iControl REST input sanitization

Component: TMOS

Symptoms:
iControl REST worker input sanitization issue.

Conditions:
iControl REST worker service running on BIG-IP.

Impact:
iControl REST

Workaround:
None

Fix:
Improved iControl REST worker input sanitization.


737574-2 : iControl REST input sanitization

Component: TMOS

Symptoms:
iControl REST worker input sanitization issue.

Conditions:
iControl REST worker service running on BIG-IP.

Impact:
iControl REST and TMSH

Workaround:
None.

Fix:
Improved iControl REST worker input sanitization.


737565-2 : iControl REST input sanitization

Component: TMOS

Symptoms:
iControl REST worker input sanitization issue.

Conditions:
iControl REST worker service running on BIG-IP.

Impact:
iControl REST and tmsh

Workaround:
None

Fix:
Improved iControl REST worker input sanitization.


737550 : State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP devices running 13.0.x (13.0.x or a 13.0.x point release) and 13.1.x software versions in a High-Availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.

Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
-- The active system is running v13.0.x, and the standby system is running v13.1.x, e.g., as a result of an in-progress upgrade.

Impact:
TMM may crash on a standby system during upgrade.

This issue should not disrupt traffic, because the TMM is coring only on the standby unit.

Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.1.x, or complete the upgrade of both devices to v13.1.x.

1. You can disable mirroring using either the GUI or the command line.

1a. In the GUI:
-- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.

1b. From the command-line:
-- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config


Important: This action results in connection state loss on failover.


2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IPs removed previously.

Note: F5 recommends that BIG-IP systems run with the same software version on all devices.

Fix:
TMM on standby no longer cores during upgrade.


737536-1 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.

Component: TMOS

Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|

Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.

Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:

OSPF router config examples:
***
OSPF 1:
!router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate

OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1

BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***

-- Enable 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive advertised default route from BIG-IP OSPF process 1 if such exists.

# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
 default-information originate

Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.

Workaround:
None.

Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.


737500-2 : Apply Policy and Upgrade time degradation when there are previous enforced rules

Component: Application Security Manager

Symptoms:
When there are previously enforced rules present in the system, the time to apply changes made to a policy, and the time to upgrade the configuration to a new version suffers.

Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.

Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffers from a inefficiently performing query related to the existence of previously enforced rules.

Workaround:
There is no workaround at this time.

Fix:
Query indexing and performance is fixed: Apply Policy executes in the same time whether there are previously enforced rules in the system or not.

Enforcing all signatures in a set now correctly removes the previously enforced rule from the signature.


737445-2 : Use of TCP Verified Accept can disable server-side flow control

Component: Local Traffic Manager

Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.

Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.

Impact:
Excessive memory usage.

Workaround:
There is no workaround other than disabling Verified Accept.

Fix:
Fixed server-side flow control.


737443-5 : BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546

Solution Article: K54431371


737442-2 : Error in APM Hosted Content when set to public access

Solution Article: K32840424


737441-5 : Disallow hard links to svpn log files

Solution Article: K54431371


737437-2 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages

Component: TMOS

Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformatted ISAKMP.

Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.

Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.

Workaround:
To help workaround this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.

Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.


737397-3 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP

Component: TMOS

Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.

Conditions:
When the user is in Certificate Manager role.

Impact:
Unable to backup certificates or keys.

Workaround:
The user in Certificate Manager role is still be able to export the key and see its PEM string. So you can manually create an archive file by copying the PEM string into a file.


737368-1 : Fingerprint cookie large value may result in tmm core.

Component: Fraud Protection Services

Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.

Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.

Impact:
Memory overrun, tmm core in some cases.

Workaround:
N/A

Fix:
FPS will check the value and truncate it if it exceeds the maximum length.


737355-1 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.

Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.

Workaround:
None.

Fix:
When the HTTP profile is configured with HSTS enabled, all APM renderer files are now sent with HSTS headers.


737332-3 : It is possible for DNSX to serve partial zone information for a short period of time

Component: Global Traffic Manager (DNS)

Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.

Conditions:
-- Two zones being transferred during the same time period
  + zone1.example.net
  + zone2.example.net

-- Transfer of zone1 has started, but not finished.

-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.

Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.

Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.

Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.


737064-2 : ACCESS::session iRule commands may not work in serverside events

Component: Access Policy Manager

Symptoms:
-- 'ACCESS::session sid' will returns empty.
-- 'ACCESS::session data get <varname>' returns empty.

Conditions:
-- Using IP-based sessions
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.

Impact:
iRules may not work as expected.

Workaround:
There is no workaround at this time.

Fix:
The ACCESS::session iRules now work in serverside events when doing IP-based sessions.


735832-1 : RAM Cache traffic fails on B2150

Component: Performance

Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.

Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.

Impact:
B2150 does not pass any RAM Cache traffic.

Workaround:
None.

Fix:
RAM Cache traffic now succeeds on B2150.


734822-3 : TMSH improvements

Solution Article: K77313277


734595-2 : sp-connector is not being deleted together with profile

Component: Access Policy Manager

Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the sp-connector is not available for delete when the profile is deleted.

Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.

Impact:
The SP connector is not listed for delete when the profile is deleted.

Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME

Fix:
SP connectors are now available for delete when profile is deleted.


734527-1 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.

Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.

Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.

Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.


734446-2 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.

Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.


734291-2 : Logon page modification fails to sync to standby

Component: Access Policy Manager

Symptoms:
Changes in the login page of VPE do not sync to standby.

Conditions:
1. You make changes to the logon page on the active device, making changes to the username or any other field on the login page of VPE.
2. You sync to standby, and it succeeds.

Impact:
When you access in standby device, the customization error failure message appears, and the dialog fails to open in VPE. You cannot see the changes made on the active device from standby device.

Workaround:
Do not make changes to fields on the login page.

Fix:
Changes in the login page of VPE now sync to standby.


734276-2 : TMM may leak memory when SSL certificates with VDI or EAM in use

Component: Local Traffic Manager

Symptoms:
TMM 'method' memory usage grows over time when VDI and serverssl *or* EAM and clientssl are configured on the same VIP.

Conditions:
One or both of the following:

-- VDI and serverssl are configured on the same VIP
-- EAM and clientssl are configured on the same VIP

Impact:
TMM memory usage grows over time leading to eventual performance degradation and potential traffic outage if TMM cores.

Workaround:
No workaround short of not using these combinations of features.

Fix:
TMM no longer leaks memory when VDI and serverssl *or* EAM and clientssl are configured together on the same VIP.


734228-1 : False-positive illegal-length violation can appear

Component: Application Security Manager

Symptoms:
A false-positive illegal-length violation.

Conditions:
A chunked request where the request length is more than half of the configured max-request length.

Impact:
False-positive illegal-length violation.

Workaround:
Configure a higher max request length violation.

Fix:
Fixed a false-positive request-length violation.


733585-3 : Merged can use %100 of CPU if all stats snapshot files are in the future

Component: TMOS

Symptoms:
Merged uses %100 of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.

Conditions:
All stats snapshot file having timestamps in the future, release has the fix for issue 721740, but not this issue.

Impact:
Merged using %100 of the CPU.

Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.

Fix:
Correctly exit cleanup logic when all stats snapshot files have timestamps in the future.


727467-1 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.

Component: TMOS

Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
   + In /var/log/ltm:
     - err tmm4[21025]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
    + In /var/log/tmm:
      - notice DAGLIB: Invalid table size 12
      - notice DAG: Failed to consume DAG data

Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).

Important: This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.

Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.

Impact:
- High CPU usage.
- Traffic disruption.

Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.

For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online

At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.

Fix:
This release introduces a new bigdb variable DAG.OverrideTableSize. To prevent the issue on an upgraded post-13.1.0 unit, set DAG.OverrideTableSize to 3.

In order to return the system to typical CPU usage, you must set the db variable, and then restart tmm by running the following command:
bigstart restart tmm

(Restarting tmm is required for 13.1.1.2 and newer 13.1.1.x releases.)

Note: Because the restart is occurring on the Standby unit, no traffic is disrupted while tmm restarts.


727297-3 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.

Fix:
The system now allows hostname to be added with proper validation in this case.


727292-1 : SSL in proxy shutdown case does not deliver server TCP FIN

Component: Local Traffic Manager

Symptoms:
Connection is not torn down.

Conditions:
HTTPS server disconnects connection when in handshake.

Impact:
Potential resource exhaustion.

Workaround:
You can mitigate this condition in either of the following ways:

-- Wait for system to clean up lingering connections.

-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)

Fix:
SSL server side handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.


727222-1 : 206 Partial Content responses from ramcache have malformed Content-Range header

Component: Local Traffic Manager

Symptoms:
When ramcache serves a 206 Partial Content response from cache, the Content-Range header repeats the name:

  Content-Range: Content-Range: bytes 0-5/28

Conditions:
Request from client for partial document (Range header) against a virtual server with a web-acceleration profile having no applications (ramcache), where the requested document is present in ramcache.

Impact:
The client may mishandle the response, as the Content-Range header is malformed. This may cause additional traffic as the client may retrieve the entire document in a subsequent request due to the malformed response.

Workaround:
Remove the duplicate portion of the Content-Range header using an iRule at HTTP_RESPONSE_RELEASE time.

Fix:
The Content-Range header is now correctly formed for 206 Partial Content responses served from ramcache.


727212-1 : Subscriber-id query using full length IPv6 address fails.

Component: Carrier-Grade NAT

Symptoms:
FW NAT / CGNAT modules query the subscriber ID using IPv6 address. If the query is done using the IPv6 mask, under some circumstances the query fails.

Conditions:
The network is using an IPv6 mask other than 128. Subscribers are created using the masked IP address as the key. If NAT module uses the complete IP address as the query key, the subscriber will not be found.

Impact:
Logs contain UNKNOWN subscriber-id.

Workaround:
There is no workaround at this time.

Fix:
Subscriber ID queries using IPv6 address are now returning the subscriber-id.


727206 : Memory corruption when using SSL Forward Proxy on certain platforms

Component: Local Traffic Manager

Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.

Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.

-- Using the following platforms:
   - vCMP host
   - 2000s / 2200s
   - 5000s / 5200v
   - 5050s / 5250v / 5250v-F
   - 10350V-F

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


727044-2 : TMM may crash while processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing compressed data.

Conditions:
Compression enabled
Hardware compression disabled

Impact:
TMM crash leading to a failover event.

Workaround:
No workaround.

Fix:
TMM now correctly processes compressed traffic


726895 : VPE cannot modify subroutine settings

Solution Article: K02205915

Component: Access Policy Manager

Symptoms:
Open per-request policy in Visual Policy Editor (VPE) that has a subroutine. Click 'Subroutine Settings / Rename.

Numeric values like the inactivity timeout are displayed as 'NaN. Attempts to modify the values results in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.

Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.

Impact:
All fields say 'NaN', and error when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE

Workaround:
Use tmsh to modify these values, for example:

tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }

Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.


726872-2 : iApp LX directory disappears after upgrade or restoring from UCS

Component: iApp Technology

Symptoms:
After BIG-IP version upgrade or restoring from UCS, iApps/Application Services/Applications LX screen displays instances of iApps LX, but their UI is not functional. That is caused by the software defect causing iApp LX directory to disappear from /var/config/rest/iapps.

Conditions:
Initial startup after BIG-IP version upgrade or restoring from UCS.

The more iApps LX instances and the more configuration they use, the more likely this issue is to occur, for example, this issue occurs with 90 or more instances of f5-ddos-hybrid-defender iApp LX.

Impact:
The iAppLX code is removed from the system, which makes iAppLX UI unusable. The configuration deployed by iApp LX instances remains in effect. The iApp LX configuration data remain intact, and the UI can be completely restored after manual installation of iApp LX code.

Workaround:
To workaround this issue, follow these steps:

1. Copy iAppLX code from an unaffected BIG-IP system to the BIG-IP system impacted by this defect, for example,
/var/config/rest/iapps/f5-ddos-hybrid-defender
2. Create a symlink to the UI code for UI to work, for example:
ln -sfvn /var/config/rest/iapps/f5-ddos-hybrid-defender/presentation /var/iapps/www/f5-ddos-hybrid-defender
3. Restart restjavad:
bigstart restart restjavad
4. Restart restnoded:
bigstart restart restnoded

Fix:
iApp LX directory no longer disappears after upgrading or restoring from UCS


726647-3 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

Fix:
HTTP compressed response with content insert action no longer truncates data.


726616-1 : TMM crashes when a session is terminated

Component: Access Policy Manager

Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:

-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.

-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.

Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer crashes when removing an access session.


726592-1 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop

Component: Access Policy Manager

Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.

Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.

Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.

Workaround:
There is no workaround at this time, you can recover by restarting the daemons that hang.

Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.


726537-1 : Rare TMM crash when Single Page Application is enabled on DoSL7

Component: Application Security Manager

Symptoms:
There is a rare TMM crash that may happen when Single Page Application is enabled on the DoS Application profile.

Conditions:
Single Page Application is enabled on the DoS Application profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Rare TMM crash no longer occurs when Single Page Application is enabled on DoSL7.


726487-2 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.

Component: TMOS

Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Or:

--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).

--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.

Conditions:
This issue occurs when all of the following conditions are met:

-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).

Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).

Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.

Fix:
MCPD on secondary blades no longer restarts if a pool member is created in a partition that uses a non-default route domain at the same as the configuration is being saved.


726409-4 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Component: TMOS

Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or
possibly have unspecified other impact by leveraging use of the accept system call.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

Impact:
denial of service

Workaround:
don't allow login

Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439


726377-1 : False-positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false-positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomains.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.

Fix:
False-positive cookie hijacking violation no longer happens working with multiple domains on some scenarios.


726327-2 : NodeJS debugger accepts connections from any host

Component: Local Traffic Manager

Symptoms:
The NodeJS debugger accepts connections from any host.

Note: Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. This issue exists in Node.js, not in BIG-IP software.

Conditions:
This occurs under either of the following conditions:
-- iRuleLX plugin configured.
-- Administrator starts node-inspector.

Impact:
NodeJS Debugger exposed to remote access.

Important: Enabling the NodeJS debugger should only be part of active troubleshooting; it is not a recommended configuration for a production system.

Workaround:
Specify an authorized host for remote access using the following command:
--debug=<host>:<port>


726319-2 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses

Component: Local Traffic Manager

Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:

err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.

This may occur intermittently depending on timing conditions.

Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.

Workaround:
None.

Fix:
'The requested Pool Member ... already exists' messages are no longer logged occasionally when an FQDN pool member name resolves to different IP addresses.


726303-1 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.

Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.


726255-2 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.

Fix:
dns_path memory will be released after ttl.


726239-4 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when TCP persist timer is active.


726154-2 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Component: Advanced Firewall Manager

Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.

Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.

Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.

Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.

Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.


726090-1 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense

Component: Application Security Manager

Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.

Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.

Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.

Workaround:
There is no workaround at this time.

Fix:
Requests are now logged to the Bot Defense Request Log with Device ID enabled on the ASM Policy and no associated DoS profile.


726089-2 : Modifications to AVR metrics page

Solution Article: K44462254


726039 : Information is not updated after installing FPS live update via GUI

Component: Fraud Protection Services

Symptoms:
The GUI does not display the updated information after installing an update.

Conditions:
FPS is licensed and provisioned.

Impact:
Cosmetic only.

Workaround:
Refreshing the page.

Fix:
The information is updated after installing an update.


725878-2 : AVR does not collect all of APM TMStats

Component: Application Visibility and Reporting

Symptoms:
AVR does not collect all of APM TMStats

Conditions:
Using AVR to view APM stats.

Impact:
Cannot view all values.

Workaround:
None.

Fix:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp

Behavior Change:
This release now provides stats for the following:
-- License Stats :: show apm license
-- Session Stats (ACL Stats) :: show apm acl
-- Access Profile Stats :: show apm profile access
-- OAuth Client Stats :: show apm aaa oauth-server
-- OAuth Profile Stats :: show apm profile oauth
-- Network Access Stats :: show net tunnels ppp


725867-2 : ADFS proxy does not fetch configuration for non-floating virtual servers

Component: Access Policy Manager

Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).

Conditions:
-- Virtual address of virtual server has non-floating traffic group.

-- ADFS proxy feature is enabled on the virtual server.

Impact:
All the requests to ADFS are blocked.

Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).

Fix:
ADFS proxy now fetches configuration from ADFS for non-floating virtual servers.


725815-1 : vlangroup usage may cause a excessive resource consumption

Solution Article: K72442354


725801-4 : CVE-2017-7889: Kernel Vulnerability

Solution Article: K80440915


725791-4 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

With a burst of CRC errors in the SRAM for ePVA transformation cache, it won't trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This is because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.

Fix:
Including traffic-critical registers in failover triggers, helps failover happen quickly with minimum disruption to traffic in the case of SRAM hardware failures.


725696-1 : A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted

Component: TMOS

Symptoms:
When OCSP Stapling is enabled on a client SSL profile, certain uncommon operations might result in a tmm timer queue getting into a loop, which results in tmm being aborted by sod. tmm restart

Conditions:
-- There are SSL handshakes waiting for an OCSP response, and one of the following:
  + There is a CMP transition.
  + There are changes made to the OCSP object.

Impact:
tmm restarts. Traffic interrupted while tmm restarts.

Workaround:
There is no workaround other than disabling OCSP stapling.

Fix:
The timer issue has been corrected.


725635-2 : CVE-2018-3665: Intel Lazy FPU Vulnerability

Solution Article: K21344224


725612-1 : syslog-ng does not send any messages to the remote servers after reconfiguration

Component: TMOS

Symptoms:
Changing syslog remote server IP address (tmsh sys syslog remote-servers) requires a syslog-ng process restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.

Conditions:
1. Add a Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.

Impact:
After reconfiguring remote syslog host IP addresses, syslog messages continue to be sent to the previously configured addresses.

Workaround:
Restart the syslog service using the following command:

   bigstart restart syslog-ng

Messages will now properly be sent toward Server B (the new IP address).

Fix:
Syslog operations now use the new remote destination address on syslog service reconfiguration.


725545-1 : Ephemeral listener might not be set up correctly

Component: Local Traffic Manager

Symptoms:
When ephemeral listeners are set up across a cluster, the transaction might fail.

Conditions:
When using Network Access tunnel with proxy ARP and no SNAT.

Impact:
The client-assigned IP address might intermittently fail to be resolved via ARP on the serverside/leasepool VLAN.

Workaround:
None.

Fix:
The ephemeral listener is now set up correctly.


725412-1 : APM does not follow current best practices for HTTP headers

Component: Access Policy Manager

Symptoms:
APM does not follow current best practices for HTTP headers

Conditions:
APM enabled

Impact:
HTTP headers not generated as intended

Workaround:
None.

Fix:
APM now follows current best practices for HTTP headers


724906-1 : sasp_gwm monitor leaks memory over time

Component: Local Traffic Manager

Symptoms:
The Server/Application State Protocol (SASP) monitor, sasp_gwm memory usage slowly increases over time.

Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.

Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of sasp_gwm processes avoids the growth affecting the system.

Fix:
The sasp_gwm monitor no longer leaks memory when processing messages.


724868-1 : dynconfd memory usage increases over time

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.

Fix:
dynconfd no longer leaks memory when processing messages.


724847 : DNS traffic does not get classified for AFM port misuse case

Solution Article: K95010813

Component: Traffic Classification Engine

Symptoms:
When DNS query name has a label length of greater than 23 bytes, it does not get classified as DNS.

Conditions:
-- AFM provisioned.
-- A port misuse policy for DNS and a service policy configured.
-- DNS query name with label length of greater than 23 bytes.

Impact:
DNS does not get classified properly for some cases.

Workaround:
There is no workaround at this time.

Fix:
Allowed DNS label length is now 64 bytes, so any DNS query name where each label name is fewer than 64 byes is now properly classified.


724680-4 : OpenSSL Vulnerability: CVE-2018-0732

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601

Conditions:
For more information see: https://support.f5.com/csp/article/K21665601

Impact:
For more information see: https://support.f5.com/csp/article/K21665601

Workaround:
None.

Fix:
For more information see: https://support.f5.com/csp/article/K21665601


724571-1 : Importing access profile takes a long time

Component: Access Policy Manager

Symptoms:
It takes a long time for the 'Apply Access Policy' link to show up on the admin UI after importing an access profile.

Conditions:
-- Access policy with many macros.
-- Import exported profile multiple times with Reuse Existing Objects checked
-- As the number of imports increases, so does the latency.

Impact:
The imported access policy takes a long time to be imported and ready to use.

Workaround:
None.


724564-1 : A FastL4 connection can fail with loose-init and hash persistence enabled

Component: Local Traffic Manager

Symptoms:
The BIG-IP system fails to create a connection after 3WHS when using loose-init and hash persistence.

This can happen if traffic is redirected from one BIG-IP system to another, with the second BIG-IP system failing to create the connection, causing an interruption of traffic on that connection.

Conditions:
-- Virtual server configured with hash persistence.
-- FastL4 profile with loose-init enabled.

Impact:
Traffic fails when redirected from one BIG-IP system to another.

Workaround:
There is no workaround other than to disable hash persistence.

Fix:
A FastL4 connection no longer fails with loose-init and hash persistence enabled.


724532-2 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.


724414-2 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled

Component: Application Security Manager

Symptoms:
When ASM inspects WebSocket frames, the bd daemon memory is leaking; eventually ASM stops inspecting traffic and sends resets or bypass requests.

Conditions:
ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).

Impact:
ASM may reset connections; failover might occur.

Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.

-- Disable parse parameters flag in the json profile.

Fix:
The system now frees the allocated memory when it finishes the inspect of a WebSocket frame.


724339-1 : Unexpected TMUI output in AFM

Solution Article: K04524282


724335-1 : Unexpected TMUI output in AFM

Solution Article: K21042153


724327-1 : Changes to a cipher rule do not immediately have an effect

Component: Local Traffic Manager

Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change does not take effect until something else on the SSL profile changes.

Conditions:
-- A cipher group is used by an SSL profile.
-- One of its cipher rules changes.

Impact:
Unexpected behavior occurs because the cipher rule change does not take effect immediately.

Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.

Fix:
Any changes to a cipher rule or cipher group now takes immediate effect.


724213-1 : Modified ssl_profile monitor param not synced correctly

Solution Article: K74431483

Component: Local Traffic Manager

Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.

Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an HA configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.

Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.

Workaround:
-- Do not run HTTPS monitors using in-tmm monitors,
-- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).

Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.

Fix:
After modifying the ssl_profile attribute on an HTTPS monitor on a system within an HA configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.


724143-1 : IKEv2 connflow expiration upon ike-peer change

Component: TMOS

Symptoms:
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so it remains in use for the tunnel.

Conditions:
-- Making any change to an IKEv2 ike-peer, even insignificant changes such as a description change.
-- Running a system version that has new attribute auth-rule inside ike-peer.

Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.

Impact:
In effect, you cannot change the configuration of the flow by changing the peer definition.

Workaround:
There is no workaround at this time.

Fix:
Changes in ike-peer now expire any existing connflow for that ike-peer. This affects only a system version that has new attribute auth-rule inside ike-peer.


724032-1 : Searching Request Log for value containing backslash does not return expected result

Component: Application Security Manager

Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.

Conditions:
Searching within Request Log for a value containing backslash.

Impact:
Search within Request Log record containing backslash does not return the expected result.

Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.

Fix:
Searching within Request Log for a value containing backslash returns the expected result.


723794-3 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms

Component: TMOS

Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.

You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.

Conditions:
-- AMD-based platforms:
   + BIG-IP B4100 blades
   + BIG-IP B4200 blades
   + BIG-IP 6900 and NEBS appliances
   + BIG-IP 89x0 appliances
   + BIG-IP 6400 FIPS and NEBS platforms
   + BIG-IP 110x0 appliances

-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).

Impact:
System locks up and is rebooted by the watchdog timer.

Workaround:
Set the database variable kernel.pti to disable by running the following command:

tmsh modify sys db kernel.pti value disable

According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.

Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.


723792-2 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}

Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.


723790-1 : Idle asm_config_server handlers consumes a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.


723722-2 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.

Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.


723579-4 : OSPF routes missing

Component: TMOS

Symptoms:
When newer link-state advertisement (LSA) (with greater seq) comes in, the Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored,n which can cause route unreachable, and eventually route withdraws.

Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.

Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.

Workaround:
There is no workaround.

Fix:
The 'vertex threshold' IMISH parameter is now provided for OSPF/OSPF6, and it is meant to control the amount of vertexes calculated in one bunch (the default value is 100). This value can be increased to prevent LSA discards. The value of 0 means that SPF calculation is not suspended at all, and in case of large areas this may cause slow responsiveness of OSPF and LSA drops, eventually.


723300-2 : TMM may crash when tracing iRules containing nameless listeners on internal virtual servers

Component: Local Traffic Manager

Symptoms:
TMM may crash when tracing iRules containing nameless listeners on internal virtual servers.

Conditions:
-- Using iRule tracing.
-- Internal virtual servers.
-- Listener iRule, where the listener has no name.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when tracing iRules containing nameless listeners on internal virtual servers.


723298-2 : BIND upgrade to version 9.11.4

Component: TMOS

Symptoms:
The BIG-IP system is running BIND version 9.9.9.

Conditions:
BIND on BIG-IP system.

Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.

Workaround:
None.

Fix:
BIND version has been upgraded to 9.11.4.


723288-2 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


723130-1 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Solution Article: K13996

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
There might be questions about the integrity of the OVA file, and in some cases, might not be able to deploy a new instance from an OVA file.

Workaround:
The expired OVA signing certificate has been replaced with a valid signing certificate.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.


722969-2 : Access Policy import with 'reuse' enabled instead rewrites shared objects

Component: Access Policy Manager

Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.

Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.

Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.

Workaround:
None.

Fix:
Access policy import with 'reuse' option enabled no longer rewrites shared objects


722893-1 : The TMM - host interface may stall when the kernel memory is fragmented

Solution Article: K30764018

Component: Local Traffic Manager

Symptoms:
MCP logs 'Removed publication with publisher id TMMx' and the affected TMM restarts.

Conditions:
This occurs when the following conditions are met:
-- Linux kernel memory fragmentation exists.
-- Another operation is occurring, including (among others):
  + Config-sync with full reload is initiated.
  + Running tcpdump.

Impact:
Degraded performance and unexpected failover when tmm restarts. Traffic disrupted while tmm restarts.

Note: If this issue is encountered during early startup, instead of restarting, TMM may continuously log 'MCP connection expired early in startup; retrying'. In this case it may be necessary to manually restart TMM.

Workaround:
None.

Fix:
The internal driver has been improved, allowing it to work in low- and/or fragmented-memory conditions.


722691 : Available datagroup list does not contain datagroups with the correct type.

Component: TMOS

Symptoms:
Available datagroup list contains only datagroups with type string and is not repopulated with datagroups that have a different type to match when the operand/selector changes.

Conditions:
-- Using the GUI.
-- Operand or selector in a condition is changed to a combination that is not compatible with string-type datagroups.

Impact:
Cannot assign a non string-type datagroup to a condition.

Workaround:
Use TMSH to configure the policy rule condition.

Fix:
Datagroups list is repopulated with datagroups of the appropriate type when its rule condition's operand or selector is changed.


722682-2 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.

Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
  + 12.1.3.x
  + Any 13.0.x
  + All 13.1.x earlier than 13.1.1.2
  + 14.0.x earlier than 14.0.0.3

Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.

Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.

1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:

  for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done

4. Run the following command: load sys config gtm-only

Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.


722677-4 : High-Speed Bridge may lock up

Solution Article: K26455071


722594-2 : TCP flow may not work as expected if double tagging is used

Component: Local Traffic Manager

Symptoms:
TCP flow may have an incorrect ACK number, and the flow may stall or reset. The BIG-IP system sends an ACK that is higher than it should be based on the data received from the client.

Conditions:
Double tagging is used.

Impact:
TCP connection fails.

Workaround:
Change the db variable tm.tcplargereceiveoffload value to disable.

Fix:
TCP flow now has the correct ACK number when double tagging is used.


722423-1 : Analytics agent always resets when Category Lookup is of type custom only

Component: Access Policy Manager

Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.

Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.

Impact:
This configuration leads to an Analytics agent with 'RST on Failure' disabled. The BIG-IP Admin cannot make the choice to disable RST on failure for this particular setup (even though it is a misconfiguration).

Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.

Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.

Fix:
Disabling RST on failure now works properly in this scenario now. The configuration is still technically incorrect, but now the system takes the correct specified action-upon-error.


722387-3 : TMM may crash when processing APM DTLS traffic

Solution Article: K97241515


722380-2 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs on an i10600 or i10800 platform, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Reboot is delayed until TMM core file is completed.


722363-2 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.


722091-3 : TMM may crash while processing HTTP traffic

Solution Article: K64208870


722013 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

- Systems are provisioned for APM.

- The device-group is configured for incremental manual synchronizations.

- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

- You synchronize the configuration from the source_system to the device-group.

- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

- The MCPD daemon restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.

-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.

Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.


721985 : PAYG License remains inactive as dossier verification fails.

Component: TMOS

Symptoms:
- BIG-IP is deployed in a cloud environment (AWS/Azure/GCE) with PAYG licenses. The license won't activate on the startup.

Conditions:
- There are multiple ways this can happen but all of those come down to user networking issue where the http calls to the cloud metadata service fails.

- This can be a simple routing issue to the metadata service or a firewall issue.

Impact:
As license activation fails, the instance becomes unusable.

Workaround:
User should look at /var/log/ltm to determine the networking issue that is causing the dossier verification failure. This would be typically printed in the following way:

Curl request to metadata service failed with error(<error-code>): '<error-message>'

By resolving this networking error, license activation should succeed.

Fix:
PAYG License remains inactive as dossier verification fails.


721924-2 : bgpd may crash processing extended ASNs

Solution Article: K17264695

Component: TMOS

Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.

Conditions:
Dynamic routing enabled.
Extended ASP capabilities enabled: bgp extended-asn-cap enabled

Impact:
Dynamic routing disrupted while bgpd restarts.

Fix:
bgpd now processes extended ASNs as expected.


721895 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)

Component: Global Traffic Manager (DNS)

Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.

Conditions:
Running a vulnerability scanner or other SSL test tool.

Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.

Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.

In addition, you can deploy firewall rules to accept connections only on port 4353 from know BIG-IP systems.

Fix:
This version adds a db variable for the big3d
big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).

After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.


721805 : Traffic Policy edit to datagroup errors on adding ASM disable action

Component: TMOS

Symptoms:
Adding an ASM disable action will trigger a message similar to the following:

 transaction failed:010716de:3: Policy '/Common/Drafts/TD180420-07', rule 'test'; target 'asm' action 'disable' does not support parameter of type 'policy'.

Conditions:
Using the GUI to submit a rule with a 'disable asm' action and a condition with datagroup.

Impact:
Cannot create a 'disable asm' action.

Workaround:
Create the rule using tmsh.

Fix:
You can now use the GUI to submit a rule with a 'disable asm' action and a condition with datagroup.


721752-2 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Use the following sql command:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;

Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.


721741-3 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.


721740-2 : CPU stats are not correctly recorded when snapshot files have timestamps in the future

Component: TMOS

Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.

May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available.

Merged CPU stats will be 0.

Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.

Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.

Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.

Fix:
Merged has been update to correctly deal with the case where all of the stats snapshot file have timestamps in the future, and will correctly merge the CPU stats.


721704-1 : UDP flows are not deleted after subscriber deletion

Component: Policy Enforcement Manager

Symptoms:
UDP flows continue to live till UDP idle time occurs, even after the subscriber is gone and the option for immediate deletion of the flow is enabled.

Conditions:
-- The option to delete flows upon subscriber deletion is enabled.
-- The UDP flow is established with an idle time greater than the re-evaluate timeout.

Impact:
The UDP flows continue to be alive after the required time, but only act to drop the traffic.

Workaround:
To work around this issue:
1. Modify the UDP idle timer to a suitable value.
2. Force delete the UDP flow from CLI.

Fix:
UDP flows are now deleted after subscriber deletion.


721621-1 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Component: Local Traffic Manager

Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.

When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.

Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).

If no other members are defined in the pool, traffic will be interrupted.

Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.

Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.


721571-1 : State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x or 14.x software versions in a high-availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.

Conditions:
-- The high availability (HA) configuration is one of the following:
+ The active system is running v12.1.3.x, and the standby system is running v13.x or v14.x, as a result of an in-progress upgrade.
+ The active system is running v13.x or v14.x and the standby system is running v12.1.3.x.
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.

Impact:
TMM may crash on a standby system during upgrade.

This issue should not disrupt traffic, because the TMM is coring only on the standby unit.

Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x or v14.x, or complete the upgrade of both devices to v13.x or v14.x.

1. You can disable mirroring using either the GUI or the command line.

1a. In the GUI: -- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.

1b. From the command-line: -- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config

Important: This action results in connection state loss on failover.

2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IP addresses removed previously.

Note: F5 recommends that BIG-IP systems in HA configurations run with the same software version on all devices.

Fix:
tmm no longer crashes on a standby device when upgrading from 12.1.3.x.


721570-1 : TMM core when trying to log an unknown subscriber

Solution Article: K20285019

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT with subscriber-id logging enabled can cause a TMM core when the subscriber ID is unknown.

Conditions:
-- A LSN pool or FW-NAT source translation that has a logging profile with subscriber-id enabled.
-- A PEM profile that allows unknown subscribers.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Config PEM to deny connections from unknown subscribers.

Fix:
The system no longer crashes. It logs 'unknown' for unknown subscribers.


721512 : Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.

Component: TMOS

Symptoms:
Configuration tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.

Conditions:
This can happen in following two scenarios:
-- A configured IPv4 management-ip that is switched to IPv6.
-- A configured IPv6 management-ip that is switched to IPv4.

Impact:
Cannot successfully change an IPv4 or IPv6 management-ip address using config.

For either of the above cases, if the IP addresses are switched back to IPv4/IPv6, the config tools fails to configure management-ip with this error:

ERROR: route_mgmt_entry count is 2

Workaround:
Manually delete the default6 (if current management-ip is IPv4) or default (if current management-ip is IPv6) management-route by running the following command:

  tmsh delete sys management-route <default/default6>

Fix:
Config tool now works to configure management-ip when default routes exist for both IPv4 and IPv6, so you can switch back and forth between IPv4 and IPv6 IP addresses without error.


721474-1 : AVR does not send all SSLO statistics to offbox machine.

Component: Application Visibility and Reporting

Symptoms:
When using the 'use-offbox' option, AVR does not send SSLO statistics to the offbox system.

Conditions:
-- AVR provisioned.
-- Use-offbox is enabled.

Impact:
SSLO statistics are not available for BIG-IQ analytics.

Workaround:
There is no workaround.

Fix:
AVR now sends SSLO statistics to offbox systems when the 'use-offbox' option is enabled.


721399-2 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').

Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.


721375-1 : Export then import of config with RSA server in it might fail

Component: Access Policy Manager

Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.

Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.

Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.

Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.

Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.


721364 : BIG-IP per-application VE BYOL license does not support three wildcard virtual servers

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) admin can create only 1 wildcard virtual servers for per-application BYOL license.

Note: If you are using BIG-IQ 6.0.0 or 6.0.1 to manage AWS-based, per-app BIG-IP VE systems running versions 13.1.0.5 through 13.1.0.8, you must use the following AWS templates:

-- Default-AWS-f5-HTTPS-WAF-lb-template
-- Default-AWS-f5-HTTPS-offload-lb-template

For these two templates, ports 443 and 80 (for HTTP redirect) are hard-coded in an iRule, which enable this functionality.

Conditions:
Per-app VE with BYOL license.

Impact:
Per-app VE with BYOL license does not work as expected.

Workaround:
N/A

Fix:
Per-app VE BYOL license now supports three wildcard virtual servers.


721350-2 : The size of the icrd_child process is steadily growing

Component: TMOS

Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.

Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.

GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.

ltm pool p-http { }
ltm virtual novel-1000 {
...
    pool p-http
    profiles {
        analytics { }
        http { }
        tcp { }
    }
....
}


# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss

On subsequent GET requests the rss size continues to increase.

Impact:
Increase in the rss of the icrd_child process. This increase could lead to icrd_child core or swapping of processes into the rss due to limited memory left for other processes.

Workaround:
There is no workaround.

Fix:
The memory leak was identified and fixed.


721342 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.

Component: TMOS

Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.

Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).

Impact:
No options to use various Per-App VE features.

Workaround:
None.

Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.


721261-1 : v12.x Policy rule names containing slashes are not migrated properly

Component: Local Traffic Manager

Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM polices that have rules containing the slash character will not migrate properly, and roll-forward migration will fail.

Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.

Impact:
Roll-forward migration fails with the error: illegal characters in rule name.

Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).

Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.

Fix:
BIG-IP software v12.x Policy rule names containing slashes are properly migrated.


721016 : vcmpd fails updating VLAN information on vcmp guest

Component: TMOS

Symptoms:
VLANs are not properly attached to a vCMP guest. They are in fact absent from the VLAN shared memory segment.

In the host /var/log/ltm, this message is observed:
err vcmpd[7839]: 01510004:3: Error updating vlan shm seg: -39

In the guest, these messages are observed:
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30
warning chmand[8827]: 012a0004:4: readShmData: vCmpShmIntf: Query segment error
warning chmand[8827]: 012a0004:4: VcmpShmIntf::querySeg: err code -30

Conditions:
-- vCMPd provisioned on a BIG-IP system.
-- vCMP guests deployed.
-- More than 3259 VLANs attached to guests from host.

Impact:
Cannot use newly deployed VLAN in the guest. Running the following command does not show the attached VLANs.
$ tmsh list net vlan in the guest

Workaround:
None.


720961-1 : Upgrading in Intelligence Community AWS environment may fail

Component: TMOS

Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment you cannot upgrade to 13.1.0.2 (or later) because their license fails to validate afterwards.

Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.

Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.

Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.

Fix:
This release provides improved license validation to address this situation by detecting the IC environment, but allowing prior licenses to function.


720819-2 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks-up due to a different issue.

Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.

Workaround:
None.

Fix:
The HSB lock-up is now promptly detected and remedied.


720799-2 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.

Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most DNS query results are not immediately deleted from the pool.

To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old new ephemeral nodes and pool members occurs after a delay.

The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.


720757-1 : Without proper licenses Category Lookup always fails with license error in Allow Ending

Component: Access Policy Manager

Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:

Error: Global concurrent url filter session limit reached

The connection is aborted.

Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.

Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.

Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.

Fix:
The allow ending is now reached successfully and does not error out if Category Lookup fails due to licensing errors but is set to disable 'RST on failure'.


720756-1 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS

Component: TMOS

Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.

Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.

Impact:
Cannot tell the actual platform name in the SNMP query.

Workaround:
There is no workaround at this time.

Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.


720713-2 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Fix:
The vCMP host continues to handle traffic correctly once a guest is started.


720695-1 : Export then import of APM access Profile/Policy with advanced customization is failing

Component: Access Policy Manager

Symptoms:
An exported policy containing advanced customization fails to import.

Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.

Impact:
Import fails.

Workaround:
None.

Fix:
Access policy import containing advanced customization now succeeds.


720651-2 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted.

Workaround:
There is no workaround.

Fix:
The guest now stops when the state is changed from deployed to provisioned.


720585-1 : Signatures generated by Behavioral DOS algorithm can create false-positive signatures

Component: Anomaly Detection Services

Symptoms:
There is probability that the generated signatures will block unknown traffic (the traffic that was not presenting before the attack) even if it's not necessary from service health perspective

Conditions:
Run attack traffic.
In parallel run unknown traffic.
It should exceed the learned baseline together with the good traffic.

Impact:
The signatures may block unknown traffic even if it's not necessary from S/H perspective

Workaround:
There is no workaround at this time.

Fix:
Implement adaptive ratio threshold for covering current bad traffic samples. The ratio increases as long as the health is not good.
If the health returns to good levels (below one) the ratio is restarted to the initial value.


720461-2 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:

        $date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;

Fix:
The qkview is no longer blocked with a password prompt.


720460-1 : Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly

Component: Local Traffic Manager

Symptoms:
The sys db compression.strategy is used to control the compression-provider selection. When it is set to 'softwareonly', compression somehow still selects a hardware accelerator.

Conditions:
This always happens when compression.strategy is set to 'softwareonly'.

Impact:
Compression.strategy set to 'softwareonly' does not work, and if there is a problem in a hardware accelerator, compression will still select the hardware accelerator, even though software compression is desired.

Workaround:
There is no workaround.

Fix:
The system now supports software compression when the sys db variable compression.strategy is set to 'softwareonly'.


720391-2 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.

Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.

Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.

Workaround:
None.

Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.


720293-3 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.

Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.


720269-2 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.

Fix:
Prevented extra characters from being appended to TACACS audit logs.


720214-1 : NTLM Authentication might fail if Strict Update in iApp is modified

Component: Access Policy Manager

Symptoms:
Exchange Proxy NTLM Authentication failure when iApp strict updates is disabled initially and then turned on. NTLM authentication fails with STATUS_NO_LOGON_SERVERS.

Conditions:
The Strict Update option in the iApp is modified.

Impact:
Any service using NTLM authentication will be disrupted.

Workaround:
Restart ECA and NLAD modules to work correctly again. To do so, run the following commands:

bigstart restart nlad
bigstart restart eca

Fix:
NTLM authentication now works as expected when Strict Update in the iApp is modified.


720189-1 : VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download

Component: Access Policy Manager

Symptoms:
VDI settings have HTML5 package URL instead of Citrix Receiver download link. Hyperlink directs to HTML5 package link.

Conditions:
-- Citrix VDI is configured in Replacement mode.
-- HTML5 package is configured using Citrix client bundle.
-- Citrix HTML5 client bundle is used with Connectivity profile attached to the virtual server.

Impact:
The incorrect package is downloaded to the APM Webtop user.

Workaround:
None.

Fix:
Fixed the hyperlink for Citrix Receiver download in VDI settings of Webtop.


720136-1 : Upgrade may fail on mcpd when external netHSM is used

Component: Local Traffic Manager

Symptoms:
When upgrading from 13.1 to 14.1, there might be deadlock between mcpd and mcpd. "bigstart status pkcs11d" might return
"pkcs11d down, waiting for mcpd to release running semaphore".

Conditions:
Upgrading from 13.1 to 14.1 for BIG-IP with external netHSM enabled.

Impact:
External netHSM is not functional or the whole appliance/blade is not functional.

Workaround:
Try reinstalling external netHSM.

Fix:
The fix broke the circular dependency between mcpd's validation and pkcs11d.


720110-2 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.

Component: TMOS

Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without BGP notify message.

Conditions:
1. BGP session is terminated without BGP notify (just TCP FIN).
2. Either learned (not originated in DUT) and default-originate (originated in DUT) routes are not sent.

Impact:
Default routes are not propagated in the network after the BGP peer restart.

Workaround:
There is no workaround at this time.

Fix:
Default routes are now always sent after the BGP session reset. Consistent behavior between BGP session reset with and without BGP notify message.


720104-1 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.

Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.


720045-1 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed

Component: Advanced Firewall Manager

Symptoms:
AFM/DHD treats the IP fragmented UDP DNS packet (request or response) as DNS Malformed packet and drops these packets.

Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.

Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.

If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.

Workaround:
None.

Fix:
This issue is now fixed, as follows:

a) For IP fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header and DNS header and Question section.

  - If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
  - If this information is not available in first IP fragment, AFM drops the fragment as DNS Malformed.

b) For IP fragmented UDP DNS response packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header and DNS header and Question section.

  - If this information is available in the first IP fragment, AFM processes the packet for further DOS checks.
  - If, however, this information is not available in first IP fragment, default behavior is that AFM allows such fragmented DNS response packet through. This behavior can be changed to drop incomplete IP fragmented DNS response packet by setting db variable 'Dos.dns.respfrag.allow' to 'false'.


719770-2 : tmctl -H -V and -l options without values crashed

Component: TMOS

Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.

Conditions:
Use one of these options without the required value.

Impact:
Core file. No other impact.

Workaround:
Be sure to pass the required value with these options.

Fix:
The missing value is now reported as an error.


719644-2 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.

Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server name a period character (.).
-- The same virtual server name is used in multiple partitions.


719600-2 : TCP::collect iRule with L7 policy present may result in connection reset

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.

Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.

Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.

Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.


719597 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0

Component: TMOS

Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.

Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.

Impact:
Fail to form HA connection.

Workaround:
There is no workaround other than installing the same software on both blades.

Fix:
A new sys db mhdag.bitshift is added to support HA configurations using B2250 blades running v12.1.1 and v13.1.x. Set mhdag.bitshift to 5 on VIPRION chassis with B2250 blades running v13.1.x by running the following command: tmsh modify sys db mhdag.bitshift value 5

HA between VIPRION chassis running v12.1.1 and v13.1.x with B2250 blades now works as expected.


719554-2 : Linux Kernel Vulnerability: CVE-2018-8897

Solution Article: K17403481


719459-2 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled

Component: Application Security Manager

Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.

Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.

Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.

Workaround:
Add the incorrect suggestions to the 'ignore' list.

Fix:
Policy builder no longer creates suggestions to add already existing URLs.


719396-1 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.

Solution Article: K34339214

Component: TMOS

Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.

Note: The problem goes away after the first boot.

Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.

Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.

Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient

Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.


719247-2 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string

Solution Article: K10845686

Component: Local Traffic Manager

Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.

Conditions:
In an iRule where the argument is a blank string:
  HTTP::path ""
  HTTP::query ""

Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
   -- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>

Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]

To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]

Fix:
HTTP::path and HTTP::query iRule functions now accept blank string arguments.


719192 : In VPE Agent VMware View Policy shows no properties

Component: Access Policy Manager

Symptoms:
When opened in Visual Policy Editor (VPE) VMware View, the policy shows an empty properties page instead of the expected policy options.

Conditions:
Open a policy in VPE VMware View.

Impact:
Unable to configure VMware view policy from VPE.

Workaround:
Use tmsh to configure VMware View policies.

Fix:
Properties are now displayed correctly in Visual Policy Editor (VPE) VMware View.


719186-2 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts

Component: Fraud Protection Services

Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.

Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.

Impact:
False-positive 'missing strong integrity parameter' alert.

Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:

(set the static::drop_alert variable, probably matching URL name and checking that Content-Type header starts with 'multipart/form-data')

when ANTIFRAUD_ALERT {
    if {$static::drop_alert eq 1 &&
            [ANTIFRAUD::alert_type] eq "vtoken" &&
            [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}

Fix:
FPS no longer sends automatic-transaction alerts for unsupported requests, so multipart/form-data requests no longer generate false positive 'missing strong integrity parameter' alerts.


719149-2 : VDI plugin might hang while processing native RDP connections

Component: Access Policy Manager

Symptoms:
Rarely, during processing of native RDP connections, the VDI plugin might hang, which prevents launch of VDI resources (Native RDP, Citrix, VMware View) from the APM Webtop.

Conditions:
APM Webtop is configured with native RDP resource.

Impact:
VDI resources (Native RDP, Citrix, VMware View) cannot be launched from APM Webtop.

Workaround:
None.

Fix:
Fixed rare VDI plugin hang caused by processing of native RDP connections.


719079-1 : Portal Access: same-origin AJAX request may fail under some conditions.

Component: Access Policy Manager

Symptoms:
Portal Access may reject response to same-origin AJAX request if host names in request and its origin differ in case.

Conditions:
Same-origin AJAX request with a host name whose case differs from the case of the origin page's host name, for example:

Request page: https://example.com/some/file
Page with URL: https://Example.com/origin/page.html

Impact:
Web application may not work correctly.

Workaround:
Use an iRule to remove 'F5_origin' parameter from the AJAX requests, for example:

when HTTP_REQUEST {
  if { [ HTTP::path ] contains "/iNotes/Forms9.nsf/iNotes/Proxy/" and [ HTTP::query ] contains "F5_origin=" } {
    regsub {F5_origin=[0-9a-f]+&F5CH=I} [ HTTP::query ] {F5CH=I} query
    HTTP::query $query
  }
}

Fix:
Now Portal Access handles same-origin AJAX requests correctly when host name case differs from the host name of origin page.


719005-1 : Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation

Component: Application Security Manager

Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).

Conditions:
-- A brute force CAPTCHA or CSID mitigation happens.
-- Specific traffic conditions.

Impact:
Login request fails.

Workaround:
None.

Fix:
CAPTCHA or CSID request-handling now works as expected.


718885-3 : Under certain conditions, monitor probes may not be sent at the configured interval

Solution Article: K25348242

Component: Global Traffic Manager (DNS)

Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.

Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.


718817-2 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.

Component: TMOS

Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.

There are log entries in /var/log/liveinstall.log:

-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.

Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.

Impact:
Software installation fails.

Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"

-- Retry the installation until it succeeds.


718772-2 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)

Component: Anomaly Detection Services

Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).

Conditions:
Attack with traffic with 'unknown' header, for example
'Upgrade-Insecure-Requests: 1'.

Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).

Workaround:
There is no workaround.

Fix:
1. Change 'http.unknown_header' predicate into 'http.unknown_header_exists'.
2. Keep supporting the old format 'http.unknown_header'.


718685-1 : The measured number of pending requests is two times higher than actual one

Component: Anomaly Detection Services

Symptoms:
The measured number of pending requests is two times higher than actual.

Conditions:
Virtual server configured with a Behavioral DoS profile.

Impact:
Server stress mechanism is more sensitive than planned. A temporary traffic spike can cause unnecessary DoS mitigation start.

Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.

Workaround:
Modify the adm.health.sensitivity value.

For example, to change health sensitivity from 50 to 500, run the following command:
tmsh modify sys db adm.health.sensitivity value 500

Fix:
Fixed initial adm flow sampling, so that the measured number of pending requests now equals actual.


718655 : DNS profile measurement unit name is incorrect.

Component: Application Visibility and Reporting

Symptoms:
DNS profile statistics values are incorrect.

Conditions:
DNS profile statistics are collected and reported using the following command:
tmsh show analytics dns-profile report view-by vs-name/name measures { measures-list}

Impact:
Unexpected values are reported. Although the values are correct, the metric label is misleading. The values reported do not match individual totals, but rather the average/second over the data range, for example, when the statistics collected represent 3000 requests in 600 seconds, the system reports the following values:

/Common/test-dns | 10.00
_listener | 0.00


A more accurate label for each metric is 'average_<metric_name>', as follows:

average_per_second_/Common/test-dns | 10.00
average_per_second__listener | 0.00

Workaround:
None.

Fix:
In this release, the values for DNS profile statistics are more accurately labeled.


718525-1 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting

Component: TMOS

Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:

warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"

(The object type may be something other than 'vlan_pkey'.)

Conditions:
This occurs when you remove the mcpd binary database and reboot the system.

Impact:
The configuration does not load until 'bigstart restart' is executed.

Workaround:
None.

Fix:
The 'duplicate key value' errors are no longer seen when removing the mcpd binary database and restarting.


718405-1 : RSA signature PAYLOAD_AUTH mismatch with certificates

Component: TMOS

Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.

The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.

Conditions:
Interoperating with other vendors under IKEv2 while using certificates.

Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.

Workaround:
Use pre-shared key authentication.

Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.

The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC3447, page 42) before the 20-byte SHA1 digest is signed by RSA.


718397-1 : IKEv2: racoon2 appends spurious trailing null byte to ID payloads

Component: TMOS

Symptoms:
IPsec clients implementing RFC5996 correctly cannot interoperate with the BIG-IP system when the peers-id-type is anything other than address, because racoon2 inside BIG-IP appends a null byte to any string-based ID type (for both peers_id and my_id). This makes the IKE_AUTH exchange fail, usually because the ID_I from the initiator cannot match the peers-id-value in config for that ike-peer, because there is a one-byte difference between the compared strings.

Conditions:
When any non-BIG-IP client initiates an IKE negotiation using any id-type that is not IPv4 or IPv6. In particular, fqdn and asn1dn for peers-id-type in local BIG-IP configurations.

Impact:
IKE negotiation fails during the second IKE_AUTH exchange of messages, preventing any tunnel from being established. Outage with a non-BIG-IP client is permanent until the config is changed to use peers-id-type=address.

Workaround:
Use peers-id-type=address to interoperate with non-BIG-IP clients for IPsec.

Fix:
Because RFC5996 forbids trailing null bytes in ID payloads, the BIG-IP software was actually not compliant with the RFC by encoding payloads this way itself. It only worked because both initiator and responder did the same thing. Now the BIG-IP software does not add the extra trailing null byte into ID payloads and local ID values, so the BIG-IP system can accept IKE_AUTH messages from non-BIG-IP clients.

Note: this fix creates an incompatibility with previous BIG-IP version when peers-id-type is any other type than address.


718210-2 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.

Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.

Note: This is the default value, so any virtual servers defined internally are using it.

Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.

Note: This is an extremely rare issue.

Workaround:
None.

Fix:
This issue has been fixed.


718152 : ASM GUI request log does not load on cluster

Solution Article: K14591455

Component: Application Security Manager

Symptoms:
The ASM Request Log fails to load, and it keeps reading 'Loading Requests Log...'.
'Security :: Event Logs :: Application :: Requests'.

Conditions:
-- Any cluster device (vCMP or not), even if there is a single blade in use.
-- Running BIG-IP v13.1.0.4, v13.1.0.5, v13.1.0.6, or v13.1.0.7. (Other releases are not affected.)

Impact:
Cannot view the Request Log in the GUI.

Workaround:
None

Fix:
The ASM request log can now be loaded correctly on cluster devices.


718136-2 : 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux

Component: Access Policy Manager

Symptoms:
32-bit F5 VPN and Endpoint Inspector apps are not available for new installation or update on Linux.

Conditions:
Use a browser (Mozilla Firefox or Google Chrome) to establish network access (VPN) for 32-bit F5 VPN and Endpoint Inspector apps.

Impact:
APM end user cannot establish network access (VPN) on 32-bit Linux using a browser. APM does not offer 32-bit F5 VPN and Endpoint Inspector apps for installations or update.

Workaround:
Use 32-bit CLI VPN client.

Fix:
Because of increased size, low usage, and industry trends, F5 has discontinued support of the desktop Linux 32-bit VPN and Endpoint Inspection apps.


718071-1 : HTTP2 with ASM policy not passing traffic

Component: Local Traffic Manager

Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.

Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.

Impact:
Traffic does not pass.

Workaround:
No workaround.

Fix:
HTTP2 and ASM now work correctly together.


717909 : tmm can abort on sPVA flush if the HSB flush does not succeed

Component: Advanced Firewall Manager

Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm does a flush of sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause an abort due to heartbeat failure. tmm crash

Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).

Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
The system now checks asynchronously to determine whether or not the flush sPVA has succeeded.


717900-2 : TMM crash while processing APM data

Solution Article: K27044729


717896-2 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.


717888 : TMM may leak memory when a virtual server uses the MQTT profile.

Solution Article: K26583415


717832 : Remove unneeded files from UCS backup directories

Component: TMOS

Symptoms:
When using auto scale cloud formation templates, the system creates large bigip.ucs files that require additional storage space.

Conditions:
Deploy BIG-IP as part of auto scale cloud formation template (CFT).

Impact:
Large bigip.ucs file created requires additional storage space and might increase network traffic. (Size greater than 100 MB.)

Workaround:
Delete /config/cloud/* directories from the bigip.ucs file.

Fix:
This system no longer saves /config/cloud/ directories in UCS files, so the issue no longer occurs.


717785-1 : Interface-cos shows no egress stats for CoS configurations

Component: TMOS

Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.

Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.

Impact:
Egress packet statistics reported per CoS queue shows no counts.

Workaround:
None.

Fix:
This release supports per egress CoS queue packet count statistics reporting for BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.


717756-2 : High CPU usage from asm_config_server

Component: Application Security Manager

Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).

Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.

Impact:
ASM availability impacted.

Workaround:
-- Switch to Manual policy builder.
-- Set entity types learning to compact / selective / never.

Fix:
Policy builder no longer puts unnecessary load on ASM configurations.


717742-5 : Oracle Java SE vulnerability CVE-2018-2783

Solution Article: K44923228


717525-1 : Behavior for classification in manual learning mode

Component: Application Security Manager

Symptoms:
- Extractions are added to parameters in manual mode.
- In manual learning mode on 'fallback to default' URL classification is not ended properly (resulting in repetitive audit log attempts to end URL classification).
- In manual learning mode on 'fallback to default', parameter staging is set to true.
- The system writes errors to pabnagd.log.

Conditions:
- Manual learning mode.
- Classification is on for either parameters or URLs.
- Any option of 'Learn Dynamic Parameters' is turned on (even if checkbox is disabled).

Impact:
- URL content types are not enforced in manual mode.
- Parameters are getting staged automatically in manual mode.
- Parameters are classified as dynamic (value type).
- Extractions are added to dynamic parameters

Workaround:
- Update the URLs manually (any update will take them out of classification).
- Manually unstage parameters with 'fallback to default'.
- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').

Fix:
- URLs end classification successfully on 'fallback to default' in manual mode.
- Parameters staging is not changed on 'fallback to default' in manual mode.
- Parameters are not classified as dynamic in manual mode.
- Extractions are not added to dynamic parameters in manual mode.
- No errors in pabnagd.log.


717346-2 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


717113-2 : It is possible to add the same GSLB Pool monitor multiple times

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.

Conditions:
This issue affects the GSLB Pool create and properties pages.

Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.

Workaround:
None.

Fix:
Once a monitor is added via the Web GUI, that monitor is now removed from the Available list.


717100-3 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).

Fix:
Ephemeral pool members are now created for each pool under these conditions.


716992-2 : The ASM bd process may crash

Solution Article: K75432956


716940-2 : Traffic Learning screen graphs shows data for the last day only

Component: Application Security Manager

Symptoms:
Traffic Learning screen graphs shows data for the last day only.

Conditions:
Visit Learning screen 1 hour after policy creation.

Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.

Workaround:
There is no workaround.

Fix:
Statistics are shown for the correct time interval, at most 2 weeks/policy creation date. Possible statistics intervals are as follows: 1 hour, 1 day, 2 weeks.


716922-2 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Mote: To take advantage of some of the Nagle benefits, use 'Auto'.

Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.


716900-2 : TMM core when using MPTCP

Solution Article: K91026261


716788-2 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.

Fix:
Response modification handler has been modified so that this issue no longer occurs.


716782-2 : AVR should add new field to the events it sends: Microtimestamp

Component: Application Visibility and Reporting

Symptoms:
When AVR send events to 'offbox' devices, the time stamp it uses is in seconds resolution.

Conditions:
Viewing AVR events in external logs.

Impact:
Measurement is in seconds.

Workaround:
None.

Fix:
This release adds a Microtimestamp field for AVR events (external log only).


716747-2 : TMM my crash while processing APM or SWG traffic

Component: Access Policy Manager

Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG.

There will be a log message in /var/log/apm near the time of crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
APM or SWG enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround at this time.

Fix:
TMM now processes APM and SWG traffic as expected.


716746 : Possible tmm restart when disabling single endpoint vector while attack is ongoing

Component: Advanced Firewall Manager

Symptoms:
tmm restarts.

Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.

Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.

Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.

Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.

Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.


716716-2 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.

Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.


716714-1 : OCSP should be configured to avoid TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.

Conditions:
OCSP not configured in the SSL profile.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than configuring OCSP in SSL profiles.

Fix:
In this release, TMM skips processing OCSP if it is not enabled.


716469 : OpenSSL 1.0.1l fails with 512 bit DSA keys

Component: TMOS

Symptoms:
In certain cases with FIPS enabled the box would fail to boot because of attempts to use 512 bit DSA keys.

Conditions:
During BIG-IP booting and fips is enabled.

Impact:
BIG-IP failed to boot.

Workaround:
There is no workaround at this time.

Fix:
Boot will no longer fail with OpenSSL and 512 bit DSA keys.


716392-1 : Support for 24 vCMP guests on a single 4450 blade

Component: TMOS

Symptoms:
Cannot create more than 12 vCMP guests per blade.

Conditions:
-- Using vCMP.
-- VIPRION blades.

Impact:
Cannot configure more than 12 vCMP guests.

Workaround:
None.

Fix:
This release supports 24 vCMP guests on 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from the BIG-IP platforms and VIPRION blades.

Behavior Change:
This release supports 24 vCMP guests on VIPRION 4450 blades. Increased vCMP density ensures that all guests can access the hardware capabilities available from BIG-IP platforms and VIPRION blades.


716391-2 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, MySQL, for example BIG-IP ASM and BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


716318-2 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.

Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.


716213-1 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.

Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.


715923-1 : When processing TLS traffic TMM may reset connections

Solution Article: K43625118


715883 : tmm crash due to invalid cookie attribute

Component: Local Traffic Manager

Symptoms:
tmm crash due to invalid request-side cookie attribute.

Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).

Impact:
TMM cored. Traffic disrupted while tmm restarts.

Workaround:
None.


715820-1 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane

Component: TMOS

Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) with VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:

-- CDP: exceeded 1/2 timeout for PG 3

Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.

Impact:
Unstable data plane might cause traffic disruption/packet drops.

Workaround:
None.

Fix:
This issue no longer occurs.


715785-2 : Incorrect encryption error for monitors during sync or upgrade

Component: Local Traffic Manager

Symptoms:
The system logs an error message similar to the following in /var/log/ltm:

err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.

This may cause a configuration sync to fail, or an upgrade to fail.

Conditions:
The exact conditions are unknown, however it may occur under these circumstances:

-- Performing a config sync operation.
-- Performing an upgrade.

Impact:
Inability to sync peer devices, or an inability to upgrade.

Workaround:
There is no workaround at this time.

Fix:
This error is no longer triggered erroneously.


715756-2 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only

Component: Local Traffic Manager

Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.

Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.

Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.

Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.

Fix:
The blade with read-only filesystems and degraded functionality now yields primaryship to a more healthy cluster member.


715750-2 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.

Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.


715747 : TMM may restart when running traffic through custom SSLO deployments.

Component: Local Traffic Manager

Symptoms:
TMM restarts with a SIGSEGV signal and dumps core.

Conditions:
This issue is known to happen when passing traffic through some custom SSLO deployments (e.g., iRule-based configurations).

Impact:
TMM restarts. If the system is in a high availability configuration, a failover occurs. Traffic disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer restarts.


715467-2 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.

Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.


715448-2 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.

Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.


715250-1 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

Component: Access Policy Manager

Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.

Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.

Impact:
System instability, failover, traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


715207-3 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure: 1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.

Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.


715153-1 : AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem

Component: Application Visibility and Reporting

Symptoms:
-- The folder /var/avr/loader contains many files (e.g., more than 1500 files).
-- monpd is not running.

Conditions:
This occurs when the following conditions are met:
-- Avrd is running.
-- monpd is down.

Impact:
AVR writes many files to /var/avr/loader. Depending on disk usage, this might cause disk-usage problems.

Workaround:
There are two possible workarounds:
-- Restart monpd. When monpd starts up, it deletes the files under /var/avr/loader.
-- Delete all files under /var/avr/loader.

Fix:
There is now a limit for the /var/avr/loader folder, so that it can contain no more than 1100 files. This prevents disk-usage problems.


715128-1 : Simple mode Signature edit does not escape semicolon

Component: Application Security Manager

Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.

Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.

Impact:
The signature cannot be created.

Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".


715110 : AVR should report 'resolutions' in module GtmWideip

Component: Application Visibility and Reporting

Symptoms:
AVR does not report 'resolutions' in GtmWideip module.

Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.

Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.

Workaround:
There is no workaround.

Fix:
AVR now reports 'resolutions' in GtmWideip module.


714974-2 : Platform-migrate of UCS containing QinQ fails on VE

Component: TMOS

Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.

Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.

Impact:
The UCS load will fail and generate an error:

01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.

Workaround:
None.

Fix:
The configuration now loads successfully, disables QinQ on the associated VLAN, and warns that this action was automatically taken.


714961-1 : antserver creates large temporary file in /tmp directory

Component: Access Policy Manager

Symptoms:
SWG Analytics (running through the antserver daemon) creates a large temporary file in the /tmp directory due to a lack of write permissions on the appropriate directory.

Conditions:
-- SWG provisioned.
-- Viewing SWG Analytics.

Impact:
/tmp is temporarily populated with a large file that might fill up the directory if it is already close to capacity.

Workaround:
There is no workaround at this time.

Fix:
System now writes to /shared/tmp/ant_server so that it no longer writes to /tmp, so the issue no longer occurs.


714903-2 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.

Fix:
These errors in chmand are fixed.


714879-3 : APM CRLDP Auth passes all certs

Solution Article: K34652116


714749-2 : cURL Vulnerability: CVE-2018-1000120

Component: TMOS

Symptoms:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.

Conditions:
BIG-IP systems are not affected by this vulnerability.

Impact:
None.

Workaround:
None.

Fix:
Patched CVE-2018-1000120


714716-2 : Apmd logs password for acp messages when in debug mode

Solution Article: K10248311

Component: Access Policy Manager

Symptoms:
Apmd logs password when executing policy via iRule.

Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active

Impact:
Apmd logs clear text password

Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.


714700-2 : SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy

Component: Access Policy Manager

Symptoms:
To address a vulnerability in their CredSSP implementation Microsoft released set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces compatibility issues. The update adds new Group Policy 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server might break SSO for APM's native RDP resources.

Conditions:
-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.

Impact:
SSO for native RDP resources does not work.

Workaround:
Set 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'.

Fix:
SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.


714654-2 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.

Fix:
Creating static routes for advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.


714626-2 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.

Component: TMOS

Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.

Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Attempting to license (or revoke the license of) the BIG-IP system is not possible using GUI or tmsh since communications with the license server will fail.

Impact:
Cannot license, reactivate license, or revoke the license of the BIG-IP system.

Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:

/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck

Fix:
Licensing/revoke licensing works as expected by simply setting the tmsh sys db variables proxy.host, proxy.port, etc.


714559-2 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}

Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.

If you need to remove the cookie, use an iRule similar to the following:

when PERSIST_DOWN {
    HTTP::cookie remove JSESSIONID
}


714384-3 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.

Fix:
DHCP traffic is now forwarded when BWC is configured,


714369 : ADM may fail when processing HTTP traffic

Solution Article: K62201098


714350 : BADOS mitigation may fail

Solution Article: K62201098


714334-1 : admd stops responding and generates a core while under stress.

Component: Anomaly Detection Services

Symptoms:
admd stops responding and generates a core while under stress.

Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.

Impact:
admd core and restart.

Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.

Workaround:
None.

Fix:
This issue no longer occurs.


714303-1 : X520 virtual functions do not support MAC masquerading

Solution Article: K25057050

Component: TMOS

Symptoms:
MAC masquerading is not supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.

Conditions:
-- Use SR-IOV virtual functions as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.

Impact:
MAC masquerading will not function in this environment.

Workaround:
To make Mac Masquerade work with Intel X520 Network Interface Card:

-- Virtual functions must have MAC addresses before deploying the BIG-IP system

-- Trust mode must be set on the host.

-- The DB variable, tm.macmasqaddr_per_vlan must be set to true if virtual functions belong to the same PF.

-- The driver version must match the following:
  + driver: ixgbe
  + version: 5.1.0-k-rh7.5
  + firmware-version: 0x80000656

Fix:
MAC masquerading is now supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE).


713951-5 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.


713947-1 : stpd repeatedly logs "hal sendMessage failed"

Component: TMOS

Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed"

Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.

Impact:
All BIG-IP blades

Workaround:
No workaround except to ignore log messages - they are spurious and have no ill effect on the system besides log spam.


713934-2 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
Received malformed Truncated DNS response.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.

Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.


713932-1 : Commands are replicated to PostgreSQL even when not in use.

Component: TMOS

Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, however, commands are being replicated to PostgreSQL.

Conditions:
AFM is not provisioned.

Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.

Workaround:
None.

Fix:
Prevented replication of commands to PostgreSQL when it is not in use.


713820-1 : Pass in IP address to urldb categorization engine

Component: Access Policy Manager

Symptoms:
Category lookup results might be inaccurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.

Conditions:
Category Lookup agent is in per-request policy using the categorization engine to lookup up a website's classification.

Impact:
Actions leveraging categorization results are applied incorrectly.

Workaround:
None.

Fix:
This release can now pass in more information to the urldb categorization engine, which supports finer-grained categorization.


713813-2 : Node monitor instances not showing up in GUI

Component: TMOS

Symptoms:
Navigating to Local Traffic :: Monitors :: <some_monitor> should show a list of nodes with some_monitor assigned to them. GUI does not list related nodes under Instances tab.

Conditions:
-- At Local Traffic :: Monitors :: <some_monitor>.
-- Under the Instances tab.

Impact:
No instances listed. Cannot use the GUI to determine which nodes are associated with a monitor.

Workaround:
Use tmsh to list nodes associated with a monitor.

Fix:
The GUI now lists all associated nodes under Local Traffic ›› Monitors :: <some_monitor> :: Instances tab.


713655-2 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities

Component: Access Policy Manager

Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.

Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.

Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.

Workaround:
None.

Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.


713612-1 : tmm might restart if the HTTP passthrough on pipeline option is used

Component: Local Traffic Manager

Symptoms:
The TMM may crash if the HTTP profile's 'passthrough_pipeline' field is set to 'passthrough'.

Conditions:
-- HTTP profile is configured as a transparent proxy.
-- HTTP profile has the 'passthrough_pipeline' field is set to 'passthrough'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
tmm no longer crashes when HTTP switches to passthrough mode in some cases.


713533-2 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.

Fix:
You can now use pattern matching to list Self IPs


713491-2 : IKEv1 logging shows spi of deleted SA with opposite endianess

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.

Fix:
The spi values are shown in the correct endianness now.


713390-1 : ASM Signature Update cannot be performed on hourly billing cloud instance

Component: Application Security Manager

Symptoms:
ASM Signature Update cannot be performed on hourly billing cloud (AWS) instance. Licenses on these devices cannot be updated and have a fixed Service Check Date (SCD), which must be more recent to allow ASM Signature Update.

Conditions:
Attempt to perform ASM Signature Update on hourly billing cloud (AWS) instance.

Impact:
Performing ASM Signature Update fails.

Workaround:
There is no workaround at this time.

Fix:
ASM Signature Update can now be performed on hourly billing cloud instance.


713380 : Multiple B4450 blades in the same chassis run into inconsistent DAG state

Solution Article: K23331143

Component: TMOS

Symptoms:
Multiple B4450 blades in the same chassis can run into inconsistent DAGv2 state.

Conditions:
More than one B4450 blade in the same chassis.

Impact:
Inconsistent DAG state can cause traffic disruption.

Workaround:
Restart tmm on one blade in the chassis and force the blades to reform the cluster in data plane.

Fix:
Multiple B4450 blades in the same chassis no longer experiences an inconsistent DAG state.


713282-1 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.

Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.


713273 : BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system reset, a modified setting for the BIG-IP sys db variable avr.stats.internal.maxentitiespertable returns to the default value.

Conditions:
1. avr.stats.internal.maxentitiespertable value is modified from the default.
2. The BIG-IP system restarts.

Impact:
avr.stats.internal.maxentitiespertable returns to its default value.

Workaround:
After BIG-IP system reset, specify the value of avr.stats.internal.maxentitiespertable again.

Fix:
A modified avr.stats.internal.maxentitiespertable value no longer returns to the default value after BIG-IP system restart.


713156-1 : AGC cannot do redeploy in Exchange and ADFS use cases

Component: Access Policy Manager

Symptoms:
In AGC exchanges or Active Directory Federation Services (ADFS) configurations, the system creates an SSL HTML form and SSO HTML form control object. Because of the limitation of ICRD, the system cannot directly delete SSO HTML form control objects.

Conditions:
-- Redeploy occurs in an AGC exchange ADFS configuration.
-- Modifying existing configurations.

Impact:
Redeploy fails, configuration remain unmodified.

Workaround:
Do a undeploy, followed by a deploy.

Fix:
Redeploy now succeeds when using AGC with Exchange and ADFS use cases.


713111-1 : When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.

Component: Access Policy Manager

Symptoms:
When APM (SSO feature) and ASM are configured on the same virtual server, WebSSO recreates requests on 401 responses. Such requests have the same support ID, so ASM logs errors.

Conditions:
APM (WebSSO) and ASM are configured on same virtual server.

Impact:
ASM might potentially block such requests, so APM SSO functionality may not work.

Workaround:
There is no workaround except to not configure APM (WebSSO) and ASM on same virtual server.

Fix:
This issue has been fixed.


713066-1 : Connection failure during DNS lookup to disabled nameserver can crash TMM

Solution Article: K10620131

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restart as a result of a DNS lookup to disabled nameserver.

Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.

This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.

Fix:
This issue is now fixed.


712924-1 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue

Component: Access Policy Manager

Symptoms:
In VPE SecurID servers list are not being displayed in SecurID authentication dialogue. List is displaying only None.

Conditions:
Always when adding SecureID authentication action.

Impact:
Inability to (re)configure SecureId via VPE.

Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:

tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>


712876-2 : CVE-2017-8824: Kernel Vulnerability

Solution Article: K15526101


712819-2 : 'HTTP::hsts preload' iRule command cannot be used

Component: Local Traffic Manager

Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].

The message is incorrect: the command has the correct format. However, the system does not run it.

Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.

Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.

Workaround:
None.

Fix:
'HTTP::hsts preload' iRule command now works as expected.


712738-1 : fpdd may core dump when the system is going down

Component: TMOS

Symptoms:
fpdd may core dump when the system is going down. This is because the LED manager in the daemon cannot use the hal library to talk to other daemons.

Conditions:
The problem happens when the system is going down.

Impact:
This is a rarely occurring issue. When it happens, fpdd creates a core file. The LEDs may not reflect the status right before the shutdown. But the LEDs are reinitialized after the bootup.

Workaround:
None.

Fix:
fpdd no longer core dumps when the system is going down.


712710 : TMM may halt and restart when threshold mode is set to stress-based mitigation

Component: Advanced Firewall Manager

Symptoms:
When auto-DoS vector's threshold mode is set to stress-based mitigation, but the vector is in disabled state, TMM may halt and restart.

Conditions:
-- Threshold mode is set to stress-based mitigation.
-- Vector is disabled.

Impact:
TMM restarts. Traffic disrupted while TMM restarts.

Workaround:
There is no workaround other than not setting threshold mode to stress-based mitigation if the vector is disabled.

Fix:
TMM no longer restarts when threshold mode is set to stress-based mitigation and the vector is in disabled state.


712664-2 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting

Conditions:
- transparent vlan-group
 - Virtual Address with ARP disabled
 - Virtual Address corresponds to remote IPv6 host address

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.

Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.


712637-2 : Host header persistence not implemented

Component: Local Traffic Manager

Symptoms:
Online documentation describes a persistence mechanism which uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generates an error.

Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.

Impact:
Although this does not impact any existing functionality, the documented function is not available.

Workaround:
There is no workaround at this time.

Fix:
LTM Host: header persistence is implemented.


712475-3 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not return dig requests.

Conditions:
DNS Express is configured a zone without a server.

Impact:
DNS Express does not return dig requests.

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.

Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.


712437-3 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
 myzone.com -- parent
 foo.myzone.com -- child
 
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS can not resolve records correctly.

Workaround:
None.

Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.


712429 : Serverside packets excluded from DoS stats

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems configured with L4 DoS Protection might not provide sufficiently granular DDoS detection and mitigation to ensure that legitimate traffic is not impacted.

Conditions:
Configured for DDoS detection and mitigation.

Impact:
Legitimate traffic might be impacted.

Workaround:
None.

Fix:
The following DoS vectors no longer count serverside packets.

-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors

Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.

These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.

Behavior Change:
The following DoS vectors no longer count serverside packets.

-- Single-Endpoint Flood
-- Global-Device level aggregate vectors
-- Bad-actor/attacked-dst for all vectors

Additionally, hardware-accelerated, device-level (global) aggregate DoS vectors are now programmed dynamically when traffic is detected, rather than at configuration time.

These behavior changes provide greater granularity in DDoS detection and mitigation to ensure that legitimate traffic is not impacted.


712401-1 : Enhanced administrator lock/unlock for Common Criteria compliance

Component: TMOS

Symptoms:
The Network Device and Firewall collaborative Protection Profiles v2.0 require certain behavior for locking and unlocking administrative-user accounts on the BIG-IP system. BIG-IP software needs to be enhanced for compliance with those requirements.

Conditions:
The ccmode script must be run to activate these enhancements. Also, see the Common Criteria Guidance document (published when the certificate is obtained) for more details.

Impact:
Without these enhancements activated, the BIG-IP system is not compliant with Common Criteria requirements.

Workaround:
Risk acceptance for Common Criteria non-compliance.

Fix:
To meet Common Criteria requirements, the BIG-IP system is enhanced in two areas:

1. The primary administrative user account (generally 'admin') can be locked out, as any other administrative-user account can be. However, it is never locked out when signing in from the serial console.

2. Locked out administrative-users are unlocked only after an administrator-specified time period has passed. The default is 10 minutes, and is set in the ccmode script.


712362-3 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stalls.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols


#2 Use an irRule:
when SERVER_CONNECTED {
    TCP::collect 15
}
when SERVER_DATA {
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}

Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.


712266-1 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware

Component: TMOS

Symptoms:
Messages like the following may show up in /var/log/ltm:

-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.

This occurs because the decompression of large compressed data failed.

Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.

Impact:
Requests fail with a connection reset.

Workaround:
Use zlib software decompression.

Fix:
This release fixes this decompression issue in the Nitrox 3 driver.


712118 : AVR should report on all 'global tags' in external logs

Component: Application Visibility and Reporting

Symptoms:
AVR reports only 'ssgName' from the global tags.

Conditions:
-- A BIG-IQ operation configures the 'tag file' (/var/config/rest/downloads/app_mapping.json) on the BIG-IP system.
-- Statistics are sent to the BIG-IQ system.

Impact:
Not all the tags are sent to the BIG-IQ system.

Workaround:
There is no workaround at this time.

Fix:
AVR now reports statistics on all tags to the BIG-IQ system.


712102-2 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row

Solution Article: K11430165

Component: TMOS

Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.

Conditions:
Customizing or changing the HTTP Profile's IPv6 field.

Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.

Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.

Fix:
Customizing or changing the HTTP Profile's IPv6 field doesn't hide the field or the row.


711981-5 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.

Workaround:
None.

Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.


711929-1 : AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth

Component: Application Visibility and Reporting

Symptoms:
AVR sends data on all interfaces, hidden and not hidden. It should send information only on not-hidden interfaces.

Conditions:
-- Tmstat table interface_stat exists.
-- Viewing statistics for module InterfaceTraffic and module InterfaceHealth.

Impact:
Irrelevant data is sent.

Workaround:
None.

Fix:
AVR now sends data only on not-hidden interfaces.


711683-2 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.

Fix:
Do not program QinQ switch hardware if the trunk has no members.


711570-3 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies

Component: Policy Enforcement Manager

Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names

Conditions:
PEM iRule using subscriber ID to get policy name.

Impact:
Subscriber policy names are not returned.

Workaround:
Use PEM::subscriber config policy get <IP address> instead.

Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.


711427-2 : Edge Browser does not launch F5 VPN App

Component: Access Policy Manager

Symptoms:
On Microsoft Windows v10, use Edge Browser to establish VPN. Edge Browser does not launch F5 VPN App.

Conditions:
On Windows 10, use Edge Browser to establish VPN.

Impact:
APM end user cannot establish VPN tunnel using Edge Browser.

Workaround:
Use Mozilla Firefox or Google Chrome.

Fix:
You can now use Windows 10 to launch Edge Browser to establish VPN connections.


711405-1 : ASM GUI Fails to Display Policy List After Upgrade

Solution Article: K14770331

Component: Application Security Manager

Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.

Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.

Impact:
ASM GUI starting using the REST API from version 13.1.0, so any systems that have been affected by this issue on a previous version now cause the GUI to fail to display the Policy List.

Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
 $dbh->begin_work();
 $dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
 F5::Utils::Rest::populate_uuids(dbh => $dbh);
 $dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.

Fix:
This data inconsistency is now repaired on upgrade, and the GUI loads the policy list successfully.


711281-5 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.


711249-1 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.


711093-1 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.

Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete


711011-2 : 'API Security' security policy template changes

Component: Application Security Manager

Symptoms:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template should be 'ON' by default.

Conditions:
Learn/Alarm/Block settings in 'API Security' security policy template.

Impact:
Settings not active.

Workaround:
None.

Fix:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template are now 'ON' by default.


710996-2 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP

Component: Local Traffic Manager

Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
IPv4 traffic is sourced from the cluster IP
IPv6 traffic is sourced from the cluster member IP

Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.

Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.

Workaround:
There is no workaround at this time.


710976-1 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.

Fix:
The data loading performance was improved to load the page faster.


710947-1 : AVR does not send errdef for entity DosIpLogReporting.

Component: Application Visibility and Reporting

Symptoms:
AVR does not send errdef for entity DosIpLogReporting.

Conditions:
-- AVR is configured.
-- View the DosIpLogReporting report.

Impact:
There is no errdef for module DosIpLogReporting

Workaround:
None.

Fix:
Added errdef for module DosIpLogReporting.


710884-1 : Portal Access might omit some valid cookies when rewriting HTTP request.

Component: Access Policy Manager

Symptoms:
Portal Access is not sending certain cookies to the backend application.

Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).

Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.

Workaround:
There is no workaround at this time.

Fix:
Fixed an issue in Portal Access which could cause web-applications to lose some valid cookies.


710870 : Temporary browser challenge failure after installing older ASU

Component: Application Security Manager

Symptoms:
After installing an older ASM Signature Update (ASU) may cause the browser challenge to fail for the first few minutes after provisioning ASM.

Conditions:
-- Using BIG-IP version 13.1.0.5.
-- Installing an ASU from before April 2018.

Impact:
Browsers remain on whitepage after receiving a browser challenge.

Note: The problem should go away after 10-to-15 minutes of provisioning ASM, when more versions of JavaScript are generated.

Workaround:
Install the latest ASU.

Fix:
The browser challenges will succeed even after installing an older ASU.


710857-2 : iControl requests may cause excessive resource usage

Component: Application Visibility and Reporting

Symptoms:
Under certain conditions, iControl requests submitted by authenticated users may cause excessive resource usage.

Conditions:
Authenticated iControl user

Impact:
Excessive resource usage, potentially leading to a failover event.

Workaround:
None.

Fix:
iControl now processes requests as expected.


710827-2 : TMUI dashboard daemon stability issue

Solution Article: K44603900


710755-1 : Crash when cached route information becomes stale and the system accesses the information from it.

Component: Advanced Firewall Manager

Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.

Conditions:
Use stale cached route information.

Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.

Workaround:
None.

Fix:
The system now fetches the latest egress route/interface information before accessing it.


710705-2 : Multiple Wireshark vulnerabilities

Solution Article: K34035645


710701-1 : "Application Layer Encryption" option is not saved in DataSafe GUI

Component: Fraud Protection Services

Symptoms:
"Application Layer Encryption" checkbox will remain enabled if un-checked via DataSafe GUI and will not be saved.

Conditions:
- Install DataSafe license
- Provision FPS
- Create URL

Impact:
Cannot enable/disable "Application Layer Encryption" via DataSafe GUI.

Workaround:
Application Layer Encryption can be enabled or disabled via TMSH command line or REST API.

Fix:
"Application Layer Encryption" option is saved if changed via DataSafe GUI.


710666-1 : VE with interface(s) marked down may report high cpu usage

Component: TMOS

Symptoms:
The "tmm" process may appear to be running at 90% or above in linux cpu reporting utilities such as "top" or "ps", even if the system is not handling a large amount of traffic.

In this case, "tmsh show sys tmm-info" continues to report tmm's cpu usage accurately.

Conditions:
- BIG-IP Virtual Edition
- One or more interfaces configured and used in the BIG-IP configuration is marked down

Impact:
tmm consumes cpu cycles even when idle. This may impact other guests running on the same hardware if the hypervisor has oversubscribed its cpu resources.

Workaround:
Disable any interface that is currently marked down.

For example:
  tmsh modify net interface 1.1 disabled

and then restart tmm:
  bigstart restart tmm


710564 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0

Component: Local Traffic Manager

Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.

Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.

Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.

Workaround:
There is no workaround at this time.


710424-2 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Solution Article: K00874337

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.

Conditions:
GTM persistence is enabled.

Impact:
GTMD may occasionally restart.

Workaround:
Disable GTM persistence.

Fix:
GTMD will no longer crash and restart when persistence is enabled.


710327-1 : Remote logger message is truncated at NULL character.

Component: Application Security Manager

Symptoms:
When a request including binary null character has been sent to an remote logger, configured for ASM, the request will arrive to the remote destination and will be truncated exactly at binary NULL character.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.

Impact:
Partial request is logged at the remote logger destination.

Workaround:
None.

Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.


710315-1 : AVR-profile might cause issues when loading a configuration or when using config sync

Component: Application Visibility and Reporting

Symptoms:
Some fields in AVR-profile contain lists of items. Those lists can be set only if the relevant flag is set to 'true'. In case of a flag configuration change, the system must keep the lists as they were and not reset them, so they can be available in case the flag changes back again.

Validation settings were created such that the lists flag is set to 'true' by default, but this can cause the load/merge process to break if the list was set, and afterwards the flag was set to 'false'.

Conditions:
Setting the relevant flag to 'false' after creating a list of items.

The relevant fields in AVR-profile that have that logic are:
-- IPs-list.
-- Subnets-list.
-- Countries-list.
-- URLs-list.

Impact:
Management load and sync process may not work as expected.

Workaround:
None.

Fix:
Validation for those fields when the associated flag is set to 'false' will be skipped in a load/merge scenario.


710314-1 : TMM may crash while processing HTML traffic

Solution Article: K94105051


710305-1 : When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.

Component: Access Policy Manager

Symptoms:
When ASM and APM WebSSO are on same virtual server, WebSSO might generate a new request. When that happens, ASM might see multiple requests with same support ID. This can cause issues with ASM and log errors.

Conditions:
When APM WebSSO is configured (only for Basic, NTLM, Kerberos).

Impact:
ASM stops processing the HTTP requests that have duplicate support IDs, causing an issue to ASM/APM end users.

Workaround:
None.

Fix:
When ASM and APM WebSSO are on same virtual server, WebSSO no longer generates a new request, so duplicate support IDs are no longer created.


710277-1 : IKEv2 further child_sa validity checks

Component: TMOS

Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.

Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.

Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.

Workaround:
None.

Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.


710262-1 : Firewall is not updated when adding new rules

Component: Advanced Firewall Manager

Symptoms:
When adding new rules into existing firewall policies, firewall may be not updated, so new rules are not used in traffic processing.

If on-demand-compilation mode is enabled, firewall may remain in quiescent state instead of compilation-pending state after adding rules.

Conditions:
-- Firewall rules are added into existing firewall policies.
-- No rules are deleted or modified.

Impact:
Firewall is not updated and new rules do not affect data traffic.

If on-demand-compilation mode is enabled, firewall remain in quiescent state instead of going to compilation-pending state after adding rules.

Workaround:
Make additional changes to firewall rules in order to start firewall update, for esample:

-- Add a placeholder rule, and then delete it.

-- Modify a rule (e.g. by adding an IP address), and then revert the modification by removing that IP address.

Fix:
When adding new rules, firewall is now always updated.

If on-demand-compilation mode is enabled, firewall goes to the compilation-pending state after adding rules.


710246-2 : DNS-Express was not sending out NOTIFY messages on VE

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).

Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.

Impact:
DNS secondary servers serving stale data.

Workaround:
There is no workaround at this time.

Fix:
DNS Express now sends out NOTIFY messages on VE.


710244-3 : Memory Leak of access policy execution objects

Solution Article: K27391542


710232-2 : platform-migrate fails when LACP trunks are in use

Component: TMOS

Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.

Conditions:
You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).

Impact:
Configuration fails to migrate.

Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.


710221-2 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled

Solution Article: K67352313

Component: Local Traffic Manager

Symptoms:
In an high availability (HA) configuration where an FQDN template-node on the 'active' unit is 'Force Offline', and the configuration is synchronized to the 'standby' unit, upon 'Enable' on that FQDN template-node in the 'active' unit (and the configuration is synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.

Conditions:
HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is 'Force Offline' by the user.
-- The user explicitly 'Enable' that FQDN template node on the 'active' unit.

Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to' active', the ephemeral nodes will be refreshed and traffic should continue.

Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.

Fix:
Upon 'Force Offline' and then 'Enable' for an FQDN template node on an 'active' unit in an HA configuration, the ephemerals on the 'standby' unit will reflect the re-enabled status based on the associated FQDN template-node on the 'active' unit.


710148-2 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153


710140-1 : TMM may consume excessive resources when processing SSL Intercept traffic

Solution Article: K20134942


710116-1 : VPN clients experience packet loss/disconnection

Component: Access Policy Manager

Symptoms:
VPN clients experience packet loss/disconnection.

Conditions:
In certain scenarios, the tunnel establishment procedure might leak a small memory. If the tmm is running for a longer duration, this small leak can accumulate and result in out-of-memory condition

Impact:
Connections start to drop as tmm runs out of memory. TMM will eventually run out of memory and connections could be terminated. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
A rare memory leak during APM VPN establishment has been corrected.


710110-1 : AVR does not publish DNS statistics to external log when usr-offbox is enabled.

Component: Application Visibility and Reporting

Symptoms:
AVR does not send DNS statistics to external logs when analytics global setting usr-offbox is enabled, if the following security analytics settings are set to disable:
-- collected-stats-internal-logging.
-- collected-stats-external-logging.

Conditions:
-- Security analytics settings collected-stats-internal-logging is disabled.
-- Security analytics settings collected-stats-external-logging is disabled.
-- Analytics global settings usr-offbox is enabled.

Impact:
DNS statistic are not sent to external log.

Workaround:
To work around this issue, perform the following procedure:
1. Provision ASM or AFM.
2. Run the tmsh command to set to enabled the security analytics setting collected-stats-external-logging.
2. Deprovision ASM/AFM.

Fix:
AVR now publishes DNS statistics to external logs when usr-offbox is enabled, as expected.


710032-1 : 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the virtual server's properties.

Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other with an LTM virtual server on that partition.
-- The issue occurs when a GSLB Server discovers that LTM virtual server and displays it on its virtual server page.

Note: This same error message displays for GSLB pool member properties accessed by navigating to GSLB :: pools :: [pool] :: members :: Member : Address. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 722734.

Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.

Workaround:
Use either of the following workaroudns:
-- Use TMSH to view or edit the properties of that virtual server.

-- Create partitions on the GTM device to match those appearing to be referenced in the object names.

Fix:
Partition checking has been disabled for virtual servers on the GTM side, since a virtual server owned by a server is always in the partition of that server (/Common).


710028-2 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

Fix:
LTM SQL monitors continue monitoring when multiple monitors/ query the same server and database.


709972-6 : CVE-2017-12613: APR Vulnerability

Solution Article: K52319810


709952-1 : Disallow DHCP relay traffic to traverse between route domains

Component: Local Traffic Manager

Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.

Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.

Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.

Workaround:
There is no workaround at this time.

Fix:
A db key has been introduced, tmm.dhcp.routedomain.strictisolate, which allows enforcement of route domain traversal if desired/configured.


709936 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.

Component: TMOS

Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).

Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).

Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.

Workaround:
None.

Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.


709828-2 : fasthttp can crash with Large Receive Offload enabled

Component: Local Traffic Manager

Symptoms:
fasthttp and lro can lead to a tmm crash.

Conditions:
fasthttp and lro enabled. (lro is enabled by default >= 13.1.0)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use fasthttp

Fix:
fasthttp with lro enabled no longer causes tmm to crash.


709688-3 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733

Solution Article: K08306700


709670-2 : iRule triggered from RADIUS occasionally fails to create subscribers.

Component: Policy Enforcement Manager

Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).

Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.

Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.

Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.


709610-3 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}

-- Actions occur in the following order:
 1. PEM receives RADIUS START with subscriber ID1 and IP1.
 2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
 3. PEM receives RADIUS START with subscriber ID1 and IP2.
 4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.

Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.


709444-2 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured

Component: TMOS

Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:

warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust

Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.

Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.

Workaround:
There is no workaround at this time.

Fix:
Prevented this warning from being emitted when NTP symmetric key authentication is in-use in a device service cluster.


709383-2 : DIAMETER::persist reset non-functional

Component: Service Provider

Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.

Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.

Impact:
You are unable to remove diameter persistence entries.

Workaround:
none

Fix:
DIAMETER::persist reset now functions properly. You can delete diameter persistence records with this iRule.


709334-1 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

Component: Local Traffic Manager

Symptoms:
When looking at tmsh show sys memory you will see
ssl_compat continue to grow and fails to release memory.

Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening

Impact:
Eventually memory reaper will kick in.

Workaround:
There is no workaround at this time.

Fix:
ssl_compat now properly releases connections on re-negotiation.


709319-2 : Post-login client-side alerts are missing username in bigIQ

Component: Fraud Protection Services

Symptoms:
A client-side alert that contains a FPS-Username header with a value, but an empty fpm_username parameter - will be reported with "Unknown" username in bigIQ.

Conditions:
1. post login (alert is sent after submitting username parameter) client side alerts
2. alert-pool points to bigIQ IP (not Alert-Server)

Impact:
Post login client side alerts are missing username (will show as "Unknown" in bigIQ, works well with Alert-Server).

Workaround:
Route all client-side alerts to another virtual server and strip of the empty fpm_username parameter from payload/query-string.

Fix:
FPS will always send username in the fpm_username parameter in case it was empty and FPS has username value.


709274-1 : RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0

Component: Access Policy Manager

Symptoms:
RADIUS Accounting requests egress different self IP addresses.
* START accounting message egresses floating self IP addresses.
* STOP accounting message egresses local self IP addresses.

Some RADIUS messages will come from floating IP addresses, some from self IP addresses. The RADIUS server should be configured to accept all self- and floating-IP addresses of all the devices in the high availability (HA) group, to ensure all messages are received.

Conditions:
RADIUS server configured with pool option.

Impact:
Causes RADIUS server to be unable to reconcile accounting messages.

Workaround:
You can reconcile accounting messages by tracking them through the Acct-Session-Id in RADIUS AVP's message, which is the same for the corresponding START and STOP messages to uniquely identify the session.

Fix:
RADIUS START and STOP messages now egress the same interface.


709256-2 : CVE-2017-9074: Local Linux Kernel Vulnerability

Solution Article: K61223103


709192-1 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart

Component: TMOS

Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.

Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.

Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.

Workaround:
After httpd restart, perform other operation like creating a key/cert before exporting archive file.

Fix:
The system allows exporting SSL keys and certificate to be archived into .tgz files after httpd restart.


709133-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.

Fix:
Double-free removed.


709132-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.

Impact:
A off-by-one error causes one byte to write off the end of an array.

Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.

Fix:
Buffer no longer overflows.


708956-1 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Solution Article: K51206433

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
 Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.

Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.


708888-1 : Some DNS truncated responses may not be processed by BIG-IP

Solution Article: K79814103

Component: Advanced Firewall Manager

Symptoms:
On 13.1.x DNS responses with truncated bit set are dropped when AFM DNS DoS is enabled.

Conditions:
-- AFM DNS DoS is enabled.
-- Using 13.1.x.

Impact:
Clients do not receive truncated DNS responses.

Workaround:
Disable DNS DoS protection by changing the dos.dnsport variable to another port for which there is no valid traffic. For instance:

tmsh modify sys db dos.dnsport value 54


708840 : 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured

Component: Advanced Firewall Manager

Symptoms:
Upgrading from 13.0.0 to 13.1.0 on VIPRION 2250 blades might fail if global whitelist is configured. After the upgrade, the system will stay offline.

Conditions:
-- Global whitelist configured.
-- Running on VIPRION 2250 blades.

Impact:
System fails to run normally.

Workaround:
Remove global whitelist before upgrading to 13.1.0, add it back after upgrading.

Fix:
This issue no longer occurs in fixed versions, so you can upgrade from 13.0.0 to a post-13.1.0 version of the software without encountering this issue.


708830-2 : Inbound or hairpin connections may get stuck consuming memory.

Component: Carrier-Grade NAT

Symptoms:
When inbound or hairpin connections require a remote Session DB lookup and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They will be stuck in this state until they timeout and expire. In this state UDP connections will queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets will accumulate consuming memory. If the memory consumption becomes excessive, connections may be killed and “TCP: Memory pressure activated” and “Aggressive mode activated” messages will appear in the logs.

Conditions:
A LSN pool with inbound and/or hairpin connections enabled. Lost Session DB messages due to heavy load or hardware failure. Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.

Impact:
Excessive memory consumption that leads to dropped connections.

Workaround:
There is no workaround at this time.

Fix:
When Session DB messages are lost, the connection will be killed and any queued packets will be discarded. If the client application resends packets they will be treated as a new connection.


708653-1 : TMM may crash while processing TCP traffic

Solution Article: K07550539


708484-2 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


708389 : BADOS monitoring with Grafana requires admin privilege

Component: Anomaly Detection Services

Symptoms:
Current Grafana monitoring requires admin privilege.
Grafana stores its internal database in unencrypted format, so the admin password can be extracted from a compromised computer.

Conditions:
Monitoring using Grafana.

Impact:
Guest user cannot access data needed for Grafana.

Workaround:
None.

Fix:
There is now a REST call to pool the Grafana statistics. This allows any user (including guest), not just admin or root, to access data needed for Grafana.

Behavior Change:
This release introduces the following tmsh commands:
-- tmsh run util admdb - for help
   + list-element path_folder - lists folder
   + view-element path_file - view file contents
   + list-metrics path vs
   + table-query base_path db sRate tsfiles ts metric_columns_aliases

The path must be under /shared/admdb, for example:

-- run util admdb list-element /shared/admdb/default/_a_l_l

-- run util admdb view-element /shared/admdb/default/_a_l_l/info.sysinfo/1000/1522229248000.txt

-- run util admdb table-query /shared/admdb default 1000 '[1522233344000]' '[1522234774492,1522235074492]' '[["info.attack",["v0"],"Attack"],["sig.health",["v0"],"Health"],["info.learning",["v0"],"Learning"],["info.learning",["v2"],"Learned samples"]]'


708305-2 : Discover task may get stuck in CHECK_IS_ACTIVE step

Component: Device Management

Symptoms:
The discover tasks is running periodically after user creates the task. But it may get stuck in the middle steps and fail to run periodically.

Conditions:
When HA failover group is set up and a discover task is created on one of the devices.

Impact:
The discover task will periodically pull the OpenID information and update oauth jwt and jwk configurations in MCP. If the task sticks, the jwt and jwk configuration will not sync to the latest version and may cause access policy fail.

Workaround:
If the task is stuck in any step that is not SLEEP_AND_RUN_AGAIN for more than one minute, manually cancel and delete the task and create the same task again.

Fix:
Discover task no longer gets stuck in CHECK_IS_ACTIVE step.


708249-2 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.


708189 : OAuth Discovery Auto Pilot is implemented

Component: Access Policy Manager

Symptoms:
This now adds a new capability to allow user to select a period to have OAuth auto discovery automatically pull down JWT keys.

Conditions:
Follow the new added UI and configure frequency to start.

Impact:
No impact, it has usability improvement over manual discovery.

Workaround:
There is no workaround.

Fix:
New auto pilot capability is added for usability.


708114-1 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Solution Article: K33319853

Component: Local Traffic Manager

Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.


708068-2 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalized parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.

Fix:
The TCL command HTTP::path -normalize should return normalized path.


708054-1 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

Component: TMOS

Symptoms:
Web Acceleration feature may not handle big HTML file with improper conditional comments inside in some cases. TMM may crash processing such files if Web Acceleration profile is attached to VIP.

Conditions:
- HTML file with conditional comments inside:
  <!--[if condition...]> ... <![endif]-->

- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.

Impact:
TMM crash interrupts all active sessions.

Workaround:
There is no workaround at this time.

Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.


708005-1 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources

Solution Article: K12423316

Component: Access Policy Manager

Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.

Impact:
End user cannot launch VMware View resources with View HTML5 client.

Workaround:
You can use the following workarounds:

-- If you are already running Horizon 7.4, use native View clients instead.

-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.

-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:

when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata")} {
        HTTP::cookie remove "sessionDataServiceId"
    }
}

when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if {[string length $path] > 0} {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}

Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed before exhibiting successful behavior.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.

Fix:
Horizon View version 7.4 in HTML5 mode now functions correctly with APM.


707990-2 : Unexpected TMUI output in SSL Certificate Instance page

Solution Article: K41704442


707961-2 : Unable to add policy to virtual server; error = Failed to compile the combined policies

Solution Article: K50013510

Component: Local Traffic Manager

Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.

010716d8:3: Compilation of ltm policies for virtual server /Common/vs_name failed; Failed to compile the combined policies.

Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.

Following is an example of such an LTM policy (i.e., referring to both datagroup and non-datagroup types):

ltm policy /Common/example_ltm_policy {
      published-copy /Common/block_URI
      requires { http }
      rules {
          example_Rule {
              conditions {
                  0 {
                      http-host
                      host
                      datagroup /Common/example_datagroup <------ Datagroup
                  }
                  1 {
                      http-host
                      host
                      values { example.com } <------ Non-Datagroup
                  }
              }
          }
      }
      strategy /Common/first-match
 }

Impact:
LTM policy does not compile. Cannot use the policy.

Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.

Fix:
LTM Policy compiles if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types.


707951-2 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.

Fix:
Stalled mirrored flows no longer appear when OneConnect is used.


707740-4 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination

Component: TMOS

Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.

Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.

Impact:
Cannot delete the unused monitor.

Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only

You can now delete the monitor.

Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.


707691-4 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
pmtu message is erroneously ignored.

Workaround:
There is no workaround at this time.

Fix:
This issue no longer occurs.


707676-1 : Memory leak in Machine Certificate Check agent of the apmd process

Component: Access Policy Manager

Symptoms:
The apmd process leaks a small amount of memory in Machine Certificate Check agent

Conditions:
- Machine Certificate Check agent is configured in an Access Policy
- inspected machine certificate is revoked by CRL

Impact:
The apmd process may grow in size. This may lead to high memory utilization and instability in BIG-IP.

Workaround:
There is no workaround

Fix:
A memory leak in the APM Machine Certificate check agent has been corrected.


707631-2 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI

Component: TMOS

Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.

Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.

Impact:
Loss of TCP profile syn challenge configuration settings

Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead

SYN Challenge

GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled

GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled


GUI Setting: Disable Challenges:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled

Fix:
Now syn challenge handling setting isn't overwritten when tcp profile is updated


707585-1 : Use native driver for 82599 NICs instead of UNIC

Component: TMOS

Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.

Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.

Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.

Workaround:
In case of UNIC, extra CPUs must be allocated to handle SoftIRQs for higher performance.

Fix:
This release provides a native driver based on F5's physical platforms.


707509-1 : Initial vCMP guest creations can fail if certain hotfixes are used

Component: TMOS

Symptoms:
vCMP guest fails to enter the 'provisioned' or 'deployed' states and similar messages can be seen in /var/log/ltm:

-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255

Conditions:
Creating vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.

Impact:
vCMP guest cannot be created.

Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.

Fix:
Guest creation succeeds.


707447-1 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

Component: Local Traffic Manager

Symptoms:
SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default NI profile, however is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If then the connection attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).
       
The fix: When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from
non-default SNI profile, stop the search and return NULL.

Conditions:
SNI configured with one default SNI profile, one or multiple SNI profiles. The default SNI profile is changed and renegotiation with SNI(with non-default SNI profile) is issued.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.


707445-3 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.


707391-2 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.

Workaround:
Workaround would be to restart the dynamic routing process.

Fix:
BGP may no longer keeps announcing routes after disabling route health injection


707310-2 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.

Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.

Workaround:
There is no workaround at this time.

Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.


707267 : REST Framework HTTP header limit size increased to 8 KB

Component: TMOS

Symptoms:
HTTP Header size limit causing 'Error getting auth token from login provider' GUI messages.

Conditions:
A client uses an HTTP Header larger than 4 KB to make a request to the REST framework.

Impact:
Users cannot login or access certain pages in the GUI.

Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the entire content HTTP headers is smaller than 4 KB.

Fix:
The HTTP header size limit for the REST Framework has been increased to 8 KB to match the limit set by Apache.


707246-1 : TMM would crash if SSL Client profile could not load cert-key-chain successfully

Component: Local Traffic Manager

Symptoms:
TMM would crash if SSL Client profile could not load cert-key-chain successfully, and SSL is working in the fwd-proxy-mode.

Conditions:
1. SSL is working in the fwd-proxy-mode.
2. SSL could not load the cert-key-chain in the clientssl profile successfully. There could be couple of reasons:

2.1.We fail to configure the password required by the cert-key-chain.
2.2.Configured cert-key-chain type is not supported.
2.3.cert-key-chain name is incorrect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure the cert-key-chain in the clientssl profile correctly.

Fix:
If we fail to load the cert-key-chain in the clientssl profile, and ssl is working in the fwd-proxy-mode, we will mark the corresponding ssl clientssl profile as invalid, then we will not accept the incoming SSL handshake destined to this profile.


707244-3 : iRule command clientside and serverside may crash tmm

Component: Local Traffic Manager

Symptoms:
Using clientside and serverside command in iRules may crash tmm.

Conditions:
Using such HTTP commands as HTTP::password in clientside and serverside nesting script.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this point.

Fix:
Fix clientside and serverside command do not work with certain HTTP commands.


707226 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.


707207-1 : iRuleLx returning undefined value may cause TMM restart

Component: Local Traffic Manager

Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where
its jsonrpc v2.0 representation is missing required fields, such as "result".

Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.

Impact:
Traffic is interrupted.

Workaround:
There is no workaround at this time.

Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.


707186-1 : TMM may crash while processing HTTP/2 traffic

Solution Article: K45320419


707147-1 : High CPU consumed by asm_config_server_rpc_handler_async.pl

Component: Application Security Manager

Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.

Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is enountered

Impact:
A process may consume high CPU even after the high traffic period is finished.

Workaround:
Kill asm_config_server.pl (This will not affect traffic)

Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual


707109-1 : Memory leak when using C3D

Component: Local Traffic Manager

Symptoms:
When using the Client Certificate Constrained Delegation Support (C3D) feature, memory can leak.

Conditions:
Traffic passes through a virtual server with C3D enabled.

Impact:
Memory is leaked.

Workaround:
There is no workaround.

Fix:
When using C3D memory no longer leaks.


707100 : Potentially fail to create user in AzureStack

Component: TMOS

Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.

Conditions:
Azure Stack VE provisioned with password authentication.

Impact:
Admin loses provisioned VE instance because there is no way to ssh in.

Workaround:
Deploy VE with key authentication.

Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.


707054-1 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162

Component: Advanced Firewall Manager

Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.

Conditions:
Under syncookie activated condition, SYN Cookie MSS value is set to < 256.

Impact:
Under syncookie activated condition, server side MSS lower than SYN Cookie MSS lower limit cannot be honored on client side. As a result, server side MSS discards data segment if larger than SYN Cookie MSS lower limit.

Fix:
This ID allows to configured 128-9162.


707013 : vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest

Component: TMOS

Symptoms:
-- clusterd restarts on secondary blade.

-- Messages similar to the following are logged in each secondary blade's /var/log/ltm file as clusterd restarts:

Management IP (<guest_management_ip>) already in use by (vcmp guest <guest_name>)

-- Messages similar to the following are logged in the primary blade's /var/log/ltm file when clusterd restarts on a secondary blade:

notice clusterd[3676]: 013a0006:5: Hello from slot 1.
notice clusterd[3676]: 013a0006:5: Informing MCP about slot ID 1 member status.
notice clusterd[3676]: 013a0006:5: Goodbye from slot 1.

Conditions:
-- Power-cycling a blade reproduces the issue most of the time.
-- Possibly specific to platform:
   + This issue has been seen multiple hardware platforms, including B2100, B2150, B2250, and PB300.
   + Issue does not reproduce under the same conditions on a VIPRION 4800.

Impact:
Secondary slot on VIPRION hypervisor is in 'INOPERATIVE' state.

Workaround:
On the vCMP Host, copy the file /shared/db/cluster.conf from the primary to each secondary cluster members. For each secondary blade's slot, use a command similar to the following:

scp /shared/db/cluster.conf slot<slot number>:/shared/db/cluster.conf

Note: Implementing the workaround does not prevent the issue from recurring. An upgrade to an unaffected version is recommended.


707003-3 : Unexpected syntax error in TMSH AVR

Component: TMOS

Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown

It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'

Conditions:
Whenever the affected tmsh command is run.

Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown

Workaround:
There is no workaround besides not running the affected command.

Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown


706998-3 : Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication

Component: TMOS

Symptoms:
There is a memory leak when OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.

Conditions:
OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.

Impact:
TMM will run out of memory.

Workaround:
There is no workaround at this time.

Fix:
The memory leak has been fixed.


706845-2 : False positive illegal multipart violation

Component: Application Security Manager

Symptoms:
A false positive multipart violation.

Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.

Impact:
A false positive violation, request rejected.

Workaround:
Might be workaround using an irule

Fix:
Corrected ASM multipart parsing.


706835 : When cloning a profile, URL parameters are not shown

Component: Fraud Protection Services

Symptoms:
In Fraud Protection Service GUI, cloning a profile and then navigating to a URL, its parameters are not shown.

Conditions:
Provision and license Fraud Protection Service.

Impact:
Fraud Protection Service GUI.

Workaround:
Navigating again from Profiles will show the parameters.

Fix:
Parameters are now shown on first attempt after cloning a profile.


706804-1 : SNMP trap destination configuration of network option is missing "default" keyword

Component: TMOS

Symptoms:
When SNMP trap destinations are configured, the user can specify the network that the traps are transmitted out from. By default, the routing table is consulted. Use the network keyword to overwrite this with either "management" or "other". There is also a "default" keyword, which was removed since it was confusing. However, this broke backward compatibility of the REST API; so, it was put back.

Conditions:
Including the "network default" keywords in trap configuration reports an error with version 13.0.0 where the "default" keyword was removed.

Impact:
Existing scripts may encounter errors if they used this keyword.

Workaround:
Don't use the "default" keyword with the snmp trap destination network configuration.

Fix:
The "default" keyword was put back.


706771-1 : FPS ajax-mapping property may be set even when it should be blocked

Component: Fraud Protection Services

Symptoms:
Ajax mapping may be set only when 1) ajax-encryption is enabled OR 2) ajax-integrity AND strong-integrity are enabled.

The bug allows to set ajax-mapping even for the following (invalid) configuration:

  ajax-encryption: disabled
  ajax-integrity: enabled
  strong-integrity: disabled

Conditions:
1)
  ajax-encryption: disabled
  ajax-integrity: enabled
  strong-integrity: disabled

2)
  non-empty ajax-mapping

Impact:
System will set the ajax-mapping field when it should have been blocked.

Workaround:
There is no workaround at this time.

Fix:
FPS should block ajax-mapping configuration when the pre-conditions weren't met.


706750-1 : Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.

Component: Service Provider

Symptoms:
Altering the router profile log settings (log publisher and logging profile) may cause the tmm to crash when handling traffic.

Conditions:
-- CGNAT SIP ALG.
-- Changing log settings while handling traffic.

Impact:
TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing CGNAT SIP ALG profile log settings while handling traffic no longer causes tmm core.


706688 : Automatically add additional certificates to BIG-IP system in C2S and IC environments

Component: TMOS

Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The BIG-IP system's failover and autoscale feature use AWS CLI commands. Those AWS CLI commands need to have the $AWS_CA_BUNDLE pointing to the certificate files location and endpoint URL. These must be configured manually.

Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.

-- The BIG-IP system is configured to do failover or autoscale in those environments.

Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.

Workaround:
None.

Fix:
In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url.

To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
 
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;

Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL which is of following format
    <A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
     
Example: ec2.us-iso-east-1.c2s.ic.gov:443;


706665-2 : ASM policy is modified after pabnagd restart

Component: Application Security Manager

Symptoms:
ASM policy modifications might occur after the the pabnagd daemon is restarted. Modifications include the following:

-- Length attributes might change from 'any' to a low auto learning value.
-- Check signature / metachars might change from unchecked to checked.

This applies for the following entity types:
filetypes, URLs, parameters, cookies, WS URLs, content profiles.

Conditions:
-- Configuration containing a policy in which automatic learning mode is configured.
-- Restart of pabnagd (the automated policy-building operations daemon).

Impact:
ASM policy is modified.

Workaround:
Switch policy builder to manual learning mode.

Fix:
Prevent unwanted adjust operations from being called on policy-catchup complete.


706651-1 : Cloning URL does not clone "Description" field

Component: Fraud Protection Services

Symptoms:
When cloning URL using the "Clone URL" feature in FPS/DataSafe GUI, description field is not cloned to new URL.

Conditions:
Provision and license FPS/DataSafe.

Impact:
Not all expected configuration values of the URL are cloned.

Workaround:
There is no workaround.

Fix:
Description field is now cloned to the new URL.


706642-2 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

Fix:
wamd n longer leaks memory during configuration changes and cluster events.


706631-2 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.


706534-1 : L7 connection mirroring may not be fully mirrored on standby BigIP

Component: Local Traffic Manager

Symptoms:
As a result of a known issue L7 connection mirroring may not be fully mirrored on standby BigIP

Conditions:
L7 VIP with mirroring configured
Connections with transfer of substantial size.

Impact:
Connections may be mirrored initially but removed after some time.
If there is a failover these connections may not be correctly handled.

Workaround:
Disabling LRO via
tmsh modify sys db tm.tcplargereceiveoffload value disable

May workaround this issue

Fix:
BIG-IP now fully mirrors all L7 connections


706423-1 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.

Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.

A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)

Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.

Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.


706361 : IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0

Component: Application Visibility and Reporting

Symptoms:
The IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0.

Conditions:
-- Upgrade from 13.1.0 to 14.0.0.
-- AVR is NOT provisioned.
-- Viewing IPS stats tables.

Impact:
All statistics that relate to IPS are lost.

Workaround:
Before upgrading, run the following SQL command:

update AVR_CONF_FACT_TABLES set export_dir='/shared/avr_afm' where fact_name="AVR_STAT_IPS";

Fix:
The IPS stats tables are now saved in the '/shared_avr_afm' export directory.


706354-2 : OPT-0045 optic unable to link

Component: TMOS

Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port does not function. The following error appears in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0.

Conditions:
OPT-0045 in a 40G port.

Impact:
Optic does not work; interface does not come up.

Workaround:
None.

Fix:
This release supports the OPT-0045 optical transceiver.


706305-1 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled

Component: TMOS

Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.

Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.

Impact:
Inability for the unit to use BGP

Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may allow to workaround this issue.

Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled


706276-1 : Unnecessary pop-up appears

Component: Fraud Protection Services

Symptoms:
A pop-up dialog box appears when 'Enhanced Data Integrity Check' is clicked.

Conditions:
-- Provision and license FPS.
-- Add URL.
-- Disable 'Check Full AJAX for Data Manipulation'.

Impact:
Unnecessary dialog box appears.

Workaround:
None.

Fix:
The pop-up does not appear.


706176-1 : TMM crash can occur when using LRO

Solution Article: K51754851


706169-3 : tmsh memory leak

Component: TMOS

Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.

Conditions:
this occurs under the following conditions:
-- In tmsh, run the following command repeatedly:
 save sys config
-- In the GUI, modify the configuration and click Update, change pages, or otherwise cause a save to the configuration.

Impact:
This results in a memory leak, and a possible out-of-memory condition.

Workaround:
None.

Fix:
tmsh no longer leaks memory when performing configuration-save operations.


706128-2 : DNSSEC Signed Zone Transfers Can Leak Memory

Component: Global Traffic Manager (DNS)

Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.

For example:

tmsh show sys memory raw | grep dnssec

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.

Impact:
TMM leaks memory related to the signed zone transfer.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer leaks DNSSEC zone transfer related memory.


706104-3 : Dynamically advertised route may flap

Component: TMOS

Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.

Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configure in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route

Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.

Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.

The problem will also be resolved by moving the route from tmsh into ZebOS.
 - In imish config mode, "ip route <route> <gateway>"
 - In tmsh, "delete net route <route>"

Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.


706102-2 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.

Fix:
An SMTP monitor handles all use cases that include a multi-line banner.


706087 : Entry for SSL key replaced by config-sync causes tmsh load config to fail

Component: TMOS

Symptoms:
After config-sync, the secondary unit's key file does not match the passphrase stored for the key. This is a generic problem where config-sync is not synchronizing any differing file-objects on the secondary unit that happen to have the same cache_path as the primary.

Conditions:
If the cache_path of the encrypted key happens to be the same on the HA-pair, but the keys are different and have different passphrases.

Impact:
Secondary unit will fail to load the config during boot-up, so it will be offline. Other file-objects that had the same cache_path but where different files do not sync. The latter may not be noticed since nothing fails on the secondary unit.

Workaround:
Check if the cache_path of the encrypted key is the same on both systems prior to config-sync and that the sha1sum are different. If this is the case, remove the key on one of the systems and re-install the key and make sure the cache_path name is different.

Fix:
The key files (in the cache_path) will sync despite having the same name. The problem goes away. The same goes for any file-object that happened to have the same cache_path prior to sync.


706086-3 : PAM RADIUS authentication subsystem hardening

Solution Article: K62750376


705925-1 : Websocket Message Type not displayed in Request Log

Component: Application Security Manager

Symptoms:
You are unable to filter for websocket message types.

Conditions:
This is encountered on ASM when viewing the request log.

Impact:
Websocket Message Type not available to be displayed in Request Log.

Workaround:
N/A

Fix:
Websocket Message Type correctly displayed in Request Log


705818-1 : GUI Network Map Policy with forward Rule to Pool, Pool does not show up

Component: TMOS

Symptoms:
When a Virtual Server has a Policy with a rule to forward request to a Pool, the Pool should be associated to the Virtual Server on the Network Map.

Conditions:
Create a Virtual Server with a Policy to forward requests to a Pool.

Impact:
The relationship of the Virtual Server to the Pool via the indirect Policy Rule is not visible in the network map.

Workaround:
No workaround to the visual.

Fix:
Associate Virtual Server with Policy that forwards requests to a Pool on the Network Map.


705799-2 : TMSH improvements

Solution Article: K77313277


705794-2 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash

Component: Local Traffic Manager

Symptoms:
A HTTP/2 stream is getting overlooked when cleaning up a HTTP/2 flow.

Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.


705774-1 : Add a set of disallowed file types to RDP template

Component: Application Security Manager

Symptoms:
Universally dangerous filetypes are not included in RDP policy template.

Conditions:
The user creates a new policy using the RDP template.

Impact:
Universally dangerous filetypes are not disallowed.

Workaround:
Dangerous filetypes can be added to policies created from RDP template.

Fix:
Universally dangerous filetypes are now included in RDP policy template.


705611-2 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used

Component: Local Traffic Manager

Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.

Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.

Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.


705593-5 : CVE-2015-7940: Bouncy Castle Java Vulnerability

Component: Device Management

Symptoms:
An attacker could extract private keys used by Bouncy Castle in elliptic curve cryptography with a few thousand queries.

Conditions:
No specific conditions.

Impact:
None. BIG-IP software does not use the impacted library features.

Fix:
Version 1.59 of the library is installed on the BIG-IP system at the following paths:
/usr/share/java/rest/libs/bcprov-1.59.jar
/usr/share/java/rest/libs/bcpkix-1.59.jar


705559-1 : FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request

Component: Fraud Protection Services

Symptoms:
A false positive "no strong integrity param" is sent when none of the configured data-integrity parameters are present in the request.

Conditions:
1. a protected URL has at least one parameter configured with data0integrity check enabled
2. enhanced data manipulation is enabled
3. a request without any of the data-integrity parameters is sent to the protected URL

Impact:
A false positive "no strong integrity param" alert is sent.

Workaround:
There is no workaround at this time.

Fix:
"No strong integrity param" alert should be suppressed in case that none of the data-integrity parameters were sent.

In case that forcing all data-integrity parameters was enabled (tmsh modify sys db antifraud.autotransactions.parameternameintegrity value enable) - the alert will be sent.


705503-3 : Context leaked from iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
The memory usage increases, and stats are inaccurate.

Conditions:
Call RESOLV::lookup from an iRule.

Impact:
Memory leak that accumulates over time and inaccurate stats.

Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.

Fix:
Memory leak no longer occurs.


705476-2 : Appliance Mode does not follow design best practices

Solution Article: K28003839


705456-1 : VCMP Guests unable to install block-device-image ISOs when http->https redirection is enabled

Component: TMOS

Symptoms:
ISOs of type block-device-image do not show up on VCMP Guests and are not available for installation when http->https redirection is enabled.

Conditions:
VCMP Guest has http->https redirection enabled.

Impact:
Not all available images are installable.

Workaround:
User must manually copy images to VCMP guest.

Fix:
Configured iControl REST to allow appropriate daemons access when http->https is enabled.


705442-1 : GUI Network Map objects search on Virtual Server IP Address and Port does not work

Component: TMOS

Symptoms:
Searching for a Virtual Server using the IP Address and Port of the Virtual Server does not work.

Conditions:
Create a Virtual Server with name vs1 and address.

Impact:
Users are unable to search using an IP Address to filter Virtual Server results.

Workaround:
There is no workaround at this time.

Fix:
We now include the Virtual Server's IP Address and Port as searchable values.


705161-1 : TMM may crash when processing TCP DNS traffic

Solution Article: K23520761

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, when processing TCP DNS traffic, TMM may crash

Conditions:
DNS profile enabled
TCP profile enabled
AVR enabled
ASM enabled

Impact:
TMM crash, leading to a failover event.

Fix:
TMM processes TCP DNS traffic as expected


704804-1 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.

Fix:
NAS-IP-Address Attribute is now set correctly when the the BIG-IP system is configured to use RADIUS authentication.


704764-3 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks pool members down, whose address include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. If case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.

Fix:
The LTM SASP monitor will correctly report the status of pool members configured with addresses that include a non-default route domain, if the SASP GWM is monitoring members with matching addresses (minus route-domain information).


704755-1 : EUD_M package could not be installed on 800 platforms

Component: TMOS

Symptoms:
Attempts to install the EUD_M EUD package fail on 800 platforms even though they are supposed to be supported.

Conditions:
Attempt to install EUD_M package on 800 platforms.

Impact:
Cannot install EUD_M package on a platform that is claimed to support it.

Workaround:
None.

Fix:
EUD_M package can now be installed on 800 platforms as expected.


704733-1 : NAS-IP-Address is sent with the bytes in reverse order

Component: TMOS

Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).

Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.

Fix:
This has been corrected.


704666-1 : memory corruption can occur when using certain certificates

Component: Local Traffic Manager

Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.

Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.

Impact:
TMM could crash.

Workaround:
Do not use certificates with extremely long common names

Fix:
A length check has been added to avoid corruption when using extremely long common names.


704643-1 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule

Component: Application Security Manager

Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.

Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.

Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.

Workaround:
Create or modify the Signature rule using Advanced Edit Mode.

Fix:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are handled correctly in regular expression keywords within the Signature rule.


704587-2 : Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules

Component: Access Policy Manager

Symptoms:
This issue can have a number of observable effects, including:
1. APM end users cannot login to the server. The log contains a message similar to the following: iRule err 'bad IP address format'.
2. When using the HTTP::header insert command, an iRule produces the following error: bad IP address format.
3. An iRule may produce other 'bad format' errors when processing inputs containing UTF-8 characters or other objects that are handled as byte arrays.

Conditions:
The corresponding conditions under which the above-described symptoms may occur include:
1. APM end users who have UTF-8 characters in their password.
2. An iRule uses the 'HTTP::header insert' command to insert the '[HTTP::header True-Client-IP]' object.
3. An iRule processes other input containing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays.

These symptoms may occur when low-level Tcl functions servicing iRule APIs parse UTF-8 characters into strings. The Tcl marshaling routines used by some iRule functions (including HTTP::header insert) coerce some arguments into the bytearray type, which receives special treatment when coerced into other objects (such as IP addresses). Under certain conditions, when a string is coerced into a bytearray, the coercion fails and the error noted in the logs is produced.
Because APM user authentication is implemented via iRules, the handling of UTF-8 characters in iRules affects APM user authentication when the user password contains UTF-8 characters.

These symptoms may occur on affected versions of BIG-IP software due to underlying changes in the low-level Tcl implementation.

Impact:
For the above-described symptoms, the corresponding impacts include:
1. APM authentication service is unavailable.
2. An iRule fails when using the HTTP::header insert command.
3. Other iRules may fail when using other APIs that process IP addresses (such as 'IP::addr') or strings containing UTF-8 characters or other objects that are handled as byte arrays.

Workaround:
1. To work around the APM authentication symptom, add a Variable Assign agent after the Logon Page with following assignment:

(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass

2. To work around errors processing 'HTTP::header insert' commands, avoid processing string variables with the 'HTTP::header insert' command. You can first convert the string to an IP address with IP::addr. For example:

 Change
    HTTP::header insert X-Forwarded-For $myip1
 To
    HTTP::header insert X-Forwarded-For [IP::addr $myip1 mask "255.255.255.255"]

 where $myip1 could be a string representation of an ip address defined earlier with "set myip1 "78.210.81.133"

3. It may be possible to work around other iRule errors related to processing IP addresses (such as 'IP::addr') or UTF-8 characters or other objects that are handled as byte arrays by troubleshooting the iRule to determine the source of the error, and assigning the value to another string variable before further processing.

Fix:
Special UTF-8 characters (including in user passwords authenticated using APM), IP addresses, and other objects that are handled as byte arrays in iRules are now handled properly.


704580-1 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Solution Article: K05018525


704555-2 : Core occurs if DIAMETER::persist reset is called if no persistence key is set.

Component: Service Provider

Symptoms:
tmm crashes and restarts.

Conditions:
The system is configured to use a custom persistence key, but no persistence key has been set and DIAMETER::persist reset command is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using DIAMETER::persist reset if a persistence key has not been set.

Fix:
System ignores the reset command if the key has not been set


704552 : Support for ONAP site licensing

Component: TMOS

Symptoms:
ONAP site licensing not supported.

Conditions:
-- Attempting to use ONAP site licensing

Impact:
BIG-IP system does not license.

Workaround:
None.

Fix:
Ported ONAP site licensing support to this version of the software.

Behavior Change:
This version of the software supports ONAP site licensing.


704528-2 : tmm may run out of memory during IP shunning

Component: Advanced Firewall Manager

Symptoms:
If no AppIQ is configured on an AFM-provisioned system, over time the system can run out of memory causing tmm to crash/restart.

Conditions:
-- Blacklist profile is configured with blacklist categories.
-- AppIQ is not configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
If no AppIQ is configured, the system now handles the shunned IP's that are to be sent to ECM server.


704512-1 : Automated upload of qkview to iHealth can time out resulting in error

Component: TMOS

Symptoms:
The automated upload of qkview files to iHealth via the support page of the BIG-IP GUI can time out waiting for an analysis from iHealth. Sometimes, iHealth can take several minutes to complete analysis, and this is a realistic scenario.

If the BIG-IP system times-out waiting for completion of the analysis, the link to the iHealth record is not stored.

Conditions:
iHealth takes longer than three minutes to complete analysis of a qkview file after uploading.

Impact:
Support history will not contain links to completed qkviews.

Workaround:
Run qkview from the command line and upload to iHealth manually.

Fix:
The iHealth link is now stored immediately after the qkview is successfully uploaded, and the timeout is not considered an error.


704435-1 : Client connection may hang when NTLM and OneConnect profiles used together

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC), if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection is not serviced, and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller are not pooled, but all other features are retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.


704381-5 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.

Fix:
SSL/TLS handhake failures and terminations are now logged at a higher level (WARNING).


704369-2 : TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled

Component: Advanced Firewall Manager

Symptoms:
TMM restarts on a BIG-IP if a dos profile is attached to a virtual with sip-routing enabled

Conditions:
1. A virtual with sip-routing enabled.
2. A dos profile is attached to this virtual

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
After fix, tmm is not restarting any more.


704336-1 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix:
The fix will now add all the intermediate and root certificate including device certificate to Trusted Server and Trusted Device certificate bundle.


704282-2 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy

Component: TMOS

Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.

Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.

For this to happen, the fair share rate of the instance of dynamic policy has to be less than than 32 times the average packet size of the instance of policy.

For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
F5 does not recommend running the BWC under 64Kbps.

Either decrease the number of subscribers or increase the max-rate of dynamic policy.

Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.


704247-2 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.

Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted


704236-1 : TMM crash when attaching FastL4 profile

Component: Anomaly Detection Services

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- FastL4 profile is attached to a virtual server.
-- L4 stats profile is defined.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


704207-1 : DNS query name is not showing up in DNS AVR reporting

Component: Advanced Firewall Manager

Symptoms:
DNS query name is not showing up in DNS AVR reporting.

Conditions:
Sending traffic to Virtual with DNS profile.

Impact:
No query information for DNS is reported in AVR.

Workaround:
There is no workaround at this time.

Fix:
After fix, the query name is now showing up in AVR reporting.


704184-6 : APM MAC Client create files with owner only read write permissions

Solution Article: K52171282


704143-1 : BD memory leak

Component: Application Security Manager

Symptoms:
A BD memory leak.

Conditions:
websocket traffic with specific configuration

Impact:
Resident memory increases, swap getting used.

Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.


704073-1 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm

Solution Article: K24233427

Component: Local Traffic Manager

Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent

Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.


703959 : Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI

Component: Advanced Firewall Manager

Symptoms:
Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI. The 'Infinite' values for detection and mitigation are retained. No error message is returned.

Conditions:
Attempting to configure manual AFM detection and mitigation threshold for DoS Protection Dynamic Signatures using the Management GUI.

Impact:
The BIG-IP system Administrator is not aware that config change failed to be applied.

Workaround:
Manual thresholds for Dynamic Signatures can be configured using TMSH.

Fix:
You can now change manual detection and mitigation threshold via TMUI.


703940-2 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803


703914-2 : TMM SIGSEGV crash in poolmbr_conn_dec.

Component: Local Traffic Manager

Symptoms:
TMM cores in poolmbr_conn_dec function.

Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.

Impact:
TMM core, traffic interruption, possible failover.

Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.

Fix:
TMM correctly handles LB:reselect on virtual servers with pools using request queueing.


703869 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.


703848-1 : Possible memory leak when reusing statistics rows in tables

Component: TMOS

Symptoms:
The handling of the pointers to memory in the statistics tables includes a path that zeros out a pointer to more memory that should be free'd. This means the memory is not free'd for that case.

Conditions:
This condition is usually only hit when the entire file is being deleted and so it doesn't matter that the list is not fully traversed.

Impact:
When slabs are being reused this bug may cause a memory leak.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to properly follow the list.


703835-2 : When using scp into BIG-IP, user must specify the target filename

Component: TMOS

Symptoms:
File transfers via scp allow indistinct target filenames.

Conditions:
File transfers using scp into BIG-IP.

Impact:
Transfers allowed without explicit specification of target filename.

Workaround:
None.

Fix:
Users without Advanced Shell Access must specify a target file name when using scp command, such as:

$ scp source_filename1 user1@BIG-IP-ADDR:/tmp/target_filename1

Behavior Change:
When using scp to copy files to BIG-IP, you must specify the target filename in the URL path, like so:

$ scp filename1 root@100.100.28.39:/tmp/target_filename1


703833-1 : Some bot detected features might not work as expected on Single Page Applications

Component: Application Security Manager

Symptoms:
Some client side features do not work correctly when enabling single page application.

Conditions:
Enabling single page application (on DoS or ASM), and Web Scraping-> Persistent Client Identification

Impact:
Captcha challenge causes a loop of ajax requests.

Workaround:
There is no workaround at this time.

Fix:
Fixing Persistent Client Identification for Single Page Applications.


703793-3 : tmm restarts when using ACCESS::perflow get' in certain events

Component: Access Policy Manager

Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.

Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).

Impact:
tmm cores and traffic flow will be interrupted while it restarts.

Workaround:
None.

Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.


703761-2 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode

Component: TMOS

Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.

Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.

Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.

Workaround:
There is no workaround at this time.

Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.


703702 : Fixed iControl REST not listing GTM Listeners

Component: Global Traffic Manager (DNS)

Symptoms:
When using iControl REST to get a list of GTM Listeners, no listeners will be returned.

Conditions:
Use iControl REST to get a list of GTM Listeners

Impact:
Cannot get a list of GTM Listeners by iControl REST

Workaround:
Use iControl REST to get a list of all LTM Virtual Servers, and then look for virtual-servers with a DNS Profile

Fix:
Fixed issue preventing iControl REST from returning a list of GTM Listeners


703669-2 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.


703580-1 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.

Component: Local Traffic Manager

Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)

Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.

Impact:
TLS1.1 handshake fails on the guest.

Workaround:
Use the same software version on the vCMP host and vCMP guests.

Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.


703545-1 : DNS::return iRule "loop" checking disabled

Component: Global Traffic Manager (DNS)

Symptoms:
In ID 517347, checking was added to attempt to detect infinite loops caused by improper use of the DNS::return iRule command.

This is occasionally catching false positive loops resulting in connections being dropped incorrectly.

Conditions:
A virtual with a DNS profile that is using the udp profile instead of the udp_gtm_dns profile. An iRule that uses the DNS::return command.

Impact:
If a loop is erroneously detected, the connection will be dropped.

Workaround:
Where possible use the udp_gtm_dns profile instead of udp on virtuals with a DNS profile.

Where possible, use a "return" command immediately after the "DNS::return" command to prevent accidentally calling DNS::return multiple times.

Fix:
The loop detection logic has been removed.


703517 : TMM may crash when processing TCP DNS traffic

Solution Article: K23520761

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, when processing TCP DNS traffic, TMM may crash

Conditions:
DNS profile enabled
TCP profile enabled
AVR enabled
ASM enabled

Impact:
TMM crash, leading to a failover event.

Fix:
TMM processes TCP DNS traffic as expected


703515-3 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
Custom persistence key is not a multiple of 3 bytes

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.


703429-2 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
System now provides valid data to Citrix Receiver for Android client.


703298-2 : Licensing and phonehome_upload are not using the sync'd key/certificate

Component: TMOS

Symptoms:
After config-sync, the secondary unit's key passphrase does not decrypt the cached key file.

Conditions:
The original file for f5_api_com.key is used instead of the cached file.

Impact:
phonehome_upload will fail on the secondary unit because the passphrase doesn't match the key file.

Workaround:
After sync, copy the file /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_xxxx over to /config/ssl/ssl.key/f5_api_com.key using the following commands:

# cd /config/filestore/files_d/Common_d/certificate_key_d
# cp -a :Common:f5_api_com.key_xxxx /config/ssl/ssl.key/f5_api_com.key :Common:f5_api_com.key_xxxx

Once the /config/ssl/ssl.key file is in sync, then loading the config with either cached or un-cached file will work fine.

Fix:
The system now removes the source-path files and only keeps the cache-path files. phonehome_upload now will work on the standby unit after a config-sync. Without the source-path files which do not get sync'd, there is no danger of re-loading them.


703266-2 : Potential MCP memory leak in LTM policy compile code

Component: Local Traffic Manager

Symptoms:
Failure in processing LTM policy may result in MCP memory leak

Conditions:
When Centralized Policy Management (CPM) fails to process LTM policy

Impact:
MCP memory leak

Workaround:
There is no workaround at this time.

Fix:
This fix handles rare MCP memory leak which may occur if CPM fails to process LTM policy


703233 : Some filters don't work in Security->Reporting->URL Latencies page

Component: Application Visibility and Reporting

Symptoms:
If a filter by Virtual Servers or URLs in Security->Reporting->URL Latencies page, the data is not filtered.

Conditions:
No special condition.

Impact:
It it impossible to filter data in the aforementioned page.

Workaround:
There is no workaround at this time.

Fix:
An incorrect SQL query was applied to the statistics database upon such data request. The SQL query is fixed.


703208-1 : PingAccessAgent causes TMM core

Component: Access Policy Manager

Symptoms:
PingAccessAgent can cause TMM to core due to accessing freed memory.

Conditions:
It happens in edge case situation. Exact steps are still under investigation. Suspicion is that the client aborts the connection while TMM/PingAccessAgent module is still awaiting response from the PingAccessAgent back-end server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


703191-2 : HTTP2 requests may contain invalid headers when sent to servers

Component: Local Traffic Manager

Symptoms:
HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.

Conditions:
-- Virtual server has the HTTP/2 profile assigned.
-- Client and the BIG-IP system negotiate/use HTTP/2.

Impact:
HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.

Workaround:
There is no workaround other than to remove the HTTP/2 profile from the virtual server.


703171-1 : High CPU usage for apmd, localdbmgr and oauth processes

Component: Access Policy Manager

Symptoms:
High CPU Usage for apmd, localdbmgr, and oauthd with large configurations.

Conditions:
-- APM provisioned.
-- BIG-IP has a large configuration (i.e., a large number of virtual servers).
-- One of the following:
  + A full config sync happens from one device (with a large configuration) to another device.
  + When loading BIG-IP configurations that contain a large number of virtual servers.

Impact:
Depending on the operation:
  + The process on the second device exhibits high CPU usage
  + The loading device exhibits high CPU usage.

APM end user traffic might not be processed by APM until it is done processing all the config changes. The amount of time service is down depends on how large the configuration is.

Workaround:
None.

Fix:
Startup processing of apmd, localdbmgr, and oauthd have been optimized to reduce the CPU usage.


703045-1 : If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.

Component: TMOS

Symptoms:
TMSH commands with deprecated attributes will fail if used in iApp.

Conditions:
TMSH commands with deprecated attributes will fail if used in iApp. This is so whether the iApp is activated during the upgrade process or simply run under iApp service at the user display.

Impact:
TMSH commands will not execute like create command will result in no objects (e.g., monitor, virtual server, etc.) being created.

Workaround:
Try to avoid deprecated attributes of the object in the iApp.

Fix:
All TMSH commands should handle deprecated attributes of objects consistently across TMSH command line, CLI Script and iApp and like so:

- run TMSH commands to full execution with only warning message.
- full execution means objects action should be executed without error and no something amiss silently either.


702946-3 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.


702936-1 : TMM SIGSEGV under specific conditions.

Component: Anomaly Detection Services

Symptoms:
TMM SIGSEGV when running heavy traffic with LTM, ASM, AVR, and FPS provisioned when span port is enabled. tmm crash

Conditions:
-- LTM, ASM, AVR, and FPS are provisioned.
-- Span port is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue no longer occurs.


702792-1 : Upgrade creates Server SSL profiles with invalid cipher strings

Solution Article: K82327396

Component: Local Traffic Manager

Symptoms:
Upgrade of BIG-IP creates Server SSL profiles for custom HTTPS monitors that may have an invalid Ciphers attribute. This does not prevent the configuration from loading, but attempting to modify the existing SSL profile or create a new one with matching configuration fails with the following message:

    01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile

Conditions:
Custom HTTPS monitors configured prior to an upgrade result in these profiles being created during the upgrade.

The default HTTPS cipherlist is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list, but is not a valid Client SSL / Server SSL cipher list.

Impact:
Upgrade creates configurations that are challenging to manage as a result of MCPD validation.

Workaround:
Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations.

For instance, use "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".

Fix:
Upgrade no longer creates Server SSL profiles with invalid cipher strings.


702738-1 : Tmm might crash activating new blob when changing firewall rules

Solution Article: K32181540

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.

Conditions:
Updating, removing, or adding firewall rules.

Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.

Impact:
Data traffic processing stops.

Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).

Option B
Modify all the rules simultaneously.

For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }

4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.

Fix:
TMM no longer crashes when changing firewall rules.


702705-2 : Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile

Component: Policy Enforcement Manager

Symptoms:
Tmm may halt and restart when RADIUS Authentication is configured in DHCP profile.

Conditions:
1. RADIUS Authentication is configured in a DHCP profile.
2. DHCP response does not have proper info.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
This version handles these conditions, so tmm does not halt and restart.


702520-2 : Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.

Solution Article: K53330514

Component: TMOS

Symptoms:
BIG-IP fails to reattach floating addresses to local interfaces during failover, when two or more objects are configured with the same IP address in a given traffic group.

Failover fails with the following error in /var/log/ltm: err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): <IP address> <the same IP address> on interface <eni address>.

Conditions:
-- AZ AWS failover.
-- Same IP address is used for two or more virtual addresses, self IPs, NAT, SNAT translation.

Note: Having two virtual servers with the same IP address (but different ports) does not cause the problem. Also, there is no conflict when using the same IP address for different traffic groups.

Impact:
Failover will fail; some or all IP addresses will not be transferred to the active BIG-IP system.

Workaround:
The only workaround is to change the configuration to use unique IP addresses for conflicting objects.

Fix:
This issue has been resolved.


702487-3 : AD/LDAP admins with spaces in names are not supported

Component: Access Policy Manager

Symptoms:
If admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail, and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.

Note: Names containing spaces are not supported on BIG-IP systems.

Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.

Impact:
VPE, import/export/copy/delete do not work.

Workaround:
There is no workaround other than to not use admin names containing spaces.

Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.


702472-3 : Appliance Mode Security Hardening

Component: TMOS

Symptoms:
Appliance Mode does not follow best security practices for administrative users.

Conditions:
Appliance Mode licensed
Administrative user access

Impact:
Appliance Mode does not follow best security practices.

Workaround:
None.

Fix:
Appliance Mode now follows best security practices.


702469-3 : Appliance mode hardening in scp

Component: TMOS

Symptoms:
When running in Appliance mode scp permits greater access than is required for administration tasks.

Conditions:
Appliance mode licensed.

Impact:
Appliance mode does not restrict scp access as strictly as possible.

Workaround:
N/A.

Fix:
Appliance mode functionality of scp now applies stronger restrictions.


702457-2 : DNS Cache connections remain open indefinitely

Component: Global Traffic Manager (DNS)

Symptoms:
Resize / Clearing the DNS cache while a lot of traffic is running can cause numerous connections to remain open indefinitely. tmm crash

Conditions:
Resize / Clear the DNS Cache while it is resolving connections.

Impact:
Connections remain open forever, using up memory

Workaround:
If you are encountering this, you can remove these connections by restarting tmm:

tmsh restart sys service tmm

Impact of workaround: Traffic disrupted while tmm restarts.

Fix:
Fixed an issue where the DNS Cache kept connections open indefinitely when clearing or resizing a cache with active resolutions occurring.


702450-1 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.

Fix:
Made the error message accurately reflect what the user was attempting to delete.


702439 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size argument back to its default.

Fix:
The HTTP/2 filter correctly handles the dynamic header table resize notifications triggered by a non-default header table size. Streams will not be reset with a RST_STREAM error.

Additionally, the BIG-IP system will now send the correct number of dynamic header table resize notifications when the table is resized by the client multiple times between header blocks.


702419 : Protocol Inspection needs add-on license to work

Component: Protocol Inspection

Symptoms:
Protocol Inspection does not work.

Conditions:
-- AFM is licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).
-- Protocol Inspection profile configured and applied to a Virtual Server or referenced in a firewall rule in an active firewall policy.
-- Upgrade to 13.1.0.3 or later.
-- Attempt to use Protocol Inspection functionality.

Impact:
Protocol Inspection functions that used to work no longer work.

Workaround:
Activate an add-on subscription or obtain an AFM standalone license. Protocol Inspection functionality now requires one of these.

Fix:
Protocol Inspection now requires an add-on license to work.

Note: If you previously had Protocol Inspection configured without an add-on license installed, the features are not applied to traffic until the add-on license is obtained, even though the interface allows you to configure them.

Behavior Change:
The Protocol Inspection (PI) Intrusion Detection and Prevention System functionality now requires either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license no longer enables the PI features.

Note: The Configuration Utility allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied. The operations simply fail silently.


702278-2 : Potential XSS security exposure on APM logon page.

Component: Access Policy Manager

Symptoms:
Potential XSS security exposure on APM logon page.

Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.

Impact:
Potential XSS security exposure.

Workaround:
1. Using APM Advance Customization UI, remove setOrigUriLink(); call in logon.inc from the next JS function:

369 function OnLoad()
370 {
371 var header = document.getElementById("credentials_table_header");
372 var softTokenHeaderStr = getSoftTokenPrompt();
373 if ( softTokenHeaderStr ) {
374 header.innerHTML = softTokenHeaderStr;
375 }
376 setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
377 setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
378 // ===> REMOVE THIS ONE setOrigUriLink();
----

Fix:
Potential security exposure has been removed from APM logon page.


702263-1 : An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading.

Component: Access Policy Manager

Symptoms:
Using a SAML SP-initiated use case (APM is IdP) and having a large Access Policy with 200 or more SAML resources assigned to users. Each time a new SAML resource is added to that Access Policy, the entire SSO service becomes unusable. No new sessions can be established. The system generates internal metadata that consists of the names of all the SAML resources along with its SSO name. This has a limit of size 4 KB. When this limit is reached, the system logs errors similar to the following:

-- err tmm3[15840]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_TOOBIG. File: ../modules/hudfilter/access/access.c, Function: access_create_saml_meta_data, Line: 21001


-- err tmm3[15840]: 014d1014:3: /Common/SAML_SSO_access:Common:7a34161c:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.

Conditions:
A SAML SSO Access policy has a large number of SAML Resources assigned to it (such that the combined length of their names is greater-than-or-equal-to 4 KB).

Impact:
The system logs an error on running the Access Policy, the whole SSO service becomes unusable. No new sessions can be established.

Workaround:
Delete any unused SAML resources from SAML SSO access policy so that the combined length of the names of all SAML resources assigned to Access policy is less than 4 KB.

Fix:
The system now allocate memory dynamically for the internally stored metadata, so it can handle large lists of assigned SAML resource objects.


702232-1 : TMM may crash while processing FastL4 TCP traffic

Solution Article: K25573437


702227-3 : Memory leak in TMSH load sys config

Component: TMOS

Symptoms:
When loading a configuration, either through tmsh load sys config or the corresponding iControl REST command, the TMSH or icrd_child processes can leak memory.

Conditions:
When configuration is loaded via TMSH or iControl REST.

Impact:
The TMSH process memory or icrd_child process memory continues to grow every time the config is loaded.

Workaround:
If memory consumption grows in the TMSH process, restart the TMSH process.

If memory consumption grows in iControl REST, restart the REST service using the following command: bigstart restart restjavad.

Fix:
There is no longer a memory leak when loading configuration in TMSH or iControl REST.


702222-1 : RADIUS and SecurID Auth fails with empty password

Component: Access Policy Manager

Symptoms:
If password value is empty, the following error message will be logged in /var/log/apm:

err apmd[14259]: 014902f0:3: /Common/profile_name:Common:eb69a5gd: RADIUS Agent: Failed to read Password Source session variable:

Conditions:
This occurs only when following conditions are met:
- RADIUS or SecurID auth agent is included in the access policy.
- Empty password value is used for authentication.

Impact:
User may not be authenticated.

Workaround:
- Add variable assignment agent before RADIUS/SecurID auth agent in the access policy.
- Set 'session.logon.last.password' (or whatever password source is used for authentication) to a random value.

Fix:
RADIUS/SecurID auth agent allows empty password value for authentication.


702151-1 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.


702008-1 : ASM REST: Missing DB Cleanup for some tables

Component: Application Security Manager

Symptoms:
Finished REST tasks that are not deleted by the client that initiated them are meant to be cleaned periodically. Certain tasks are not included in this cleanup job.

Conditions:
The following tasks are not reaped automatically if left uncleaned by the REST client that initiated them:

From 13.0.x:
-- /mgmt/tm/asm/tasks/apply-server-technologies
-- /mgmt/tm/asm/tasks/bulk
-- /mgmt/tm/asm/tasks/export-policy-template
-- /mgmt/tm/asm/tasks/export-requests
-- /mgmt/tm/asm/tasks/import-policy-template

From 13.1.0:
-- /mgmt/tm/asm/tasks/export-data-protection
-- /mgmt/tm/asm/tasks/import-data-protection
-- /mgmt/tm/asm/tasks/import-certificate
-- /mgmt/tm/asm/tasks/policy-diff
-- /mgmt/tm/asm/tasks/policy-merge
-- /mgmt/tm/asm/tasks/update-enforcer

Impact:
DB space usage grows with each ASM REST task that is not cleaned up.

Workaround:
REST Clients that initiate tasks can delete them after verifying the task has reached a final state.

Fix:
REST tasks left behind are now be pruned by the DB Cleanup process.


701898-1 : Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups

Component: TMOS

Symptoms:
Upgrading from a version of 13.0.0 other than the base build may result in failure depending on the values of the virtual address route-advertisement setting. If set to 'selective', 'any', or 'all', the configuration will fail to load after the upgrade with an error similar to the following example in the /var/log/ltm file:

load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 13.0.0 Syntax Error:(/config/bigip.conf at line: 1790) invalid property value "route-advertisement":"selective"

Conditions:
- Upgrading from a version of 13.0.0 other than the base (i.e. HF1 or later).
- Upgrading to 13.1.0 or later.
- At least one virtual address with its route-advertisement value set to 'selective', 'any', or 'all'.

Impact:
Configuration will not load. If the unit being upgraded is a stand-alone unit, this will result in a traffic outage.

Workaround:
If you become aware of this issue prior to upgrading:

1. Note any virtual address route-advertisement settings that are 'selective', 'any', or 'all'.

2. Change all of these values to either 'enabled' or 'disabled' (note that this will change the route advertisement behavior temporarily).

3. Perform the upgrade. The goal of this step is to have the BIG-IP system perform an installation while carrying forward the new, modified configuration. Note that if your chosen destination (i.e. HD1.3) already exists and contains the very software you want to install (i.e. 13.1.1.2), then you must first delete the destination before you can re-use it. This is because, by design, the BIG-IP system will not perform an installation if the desired software is already present in the destination boot location. Attempting such an installation would just result in the BIG-IP system immediately rebooting to activate that boot location, without performing any installation and thus defeating the point of this workaround.

4. Once the upgrade completes, change the route advertisement settings back to their original values.


If you become aware of this issue after the upgrade has already failed:

1. Boot back into the old/working boot location.

2. Delete the boot location containing the failed installation.

3. Follow the procedure detailed under 'If you become aware of this issue prior to upgrading'.

Fix:
Upgrades from 13.0.0 hotfix rollups involving certain virtual address route-advertisement settings no longer fail.


701889-1 : Setting log.ivs.level or log-config filter level to informational causes crash

Component: Service Provider

Symptoms:
Certain log messages for internal virtual server (IVS) at 'informational' log level, cause TMM to crash when they are logged. The messages are logged at the end of an HTTP transaction to or from an IVS.

Conditions:
Information level logging enabled:

- sys db log.ivs.level informational or
- log-config filter level set to info

A transaction that passes HTTP to/from an internal virtual server.

Impact:
TMM crashes and restarts, causing loss of connections.

Workaround:
Avoid setting log.ivs.level to 'informational' or higher level and/ log-config filter level to 'info' or higher. By default the level is 'error' which does not trigger the bug.

Fix:
Informational messages for internal virtual server (IVS) are logged as expected and TMM does not crash.


701856-1 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart

Component: Application Security Manager

Symptoms:
In rare circumstance, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.

Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).

Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.


701841-2 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz ,is saved unnecessarily during UCS file save, and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.


701826 : qkview upload to ihealth fails or unable to untar qkview file

Component: TMOS

Symptoms:
qkview upload to ihealth fails unable to untar qkview file.

Conditions:
When qkview file is untarred, it creates a same directory name in loop as below and fails to untar successfully.

.../dir1/
.../dir1/dir1/
.../dir1/dir1/dir1/
...

This happens due to dangling symlink dir1 which points to nothing.

[root@localhost:Active:Standalone] config # ls -l /config/bigip/auth/pam.d/dir1
lrwxrwxrwx. 1 root root 64 2018-01-30 08:56 /config/bigip/auth/pam.d/dir1 ->
[root@localhost:Active:Standalone] config # stat /config/bigip/auth/pam.d/dir1
  File: `/config/bigip/auth/pam.d/dir1' -> `'
  Size: 64 Blocks: 8 IO Block: 4096 symbolic link
Device: fd16h/64790d Inode: 112045 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-01-30 08:56:20.000000000 -0800
Modify: 2018-01-30 08:56:20.000000000 -0800
Change: 2018-01-31 08:39:35.000000000 -0800
[root@localhost:Active:Standalone] config #

Impact:
Unable to untar qkview or qkview upload to ihealth fails.

Workaround:
Identify the dangling symlink and delete. Then generate qkview or use ihealth to generate qkview and upload to ihealth.

Fix:
Qkview tool will identify dangling symlink and handle safely to avoid looping.


701800-2 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x

Component: Access Policy Manager

Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.

Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.

Impact:
RDP resource cannot be launched.

Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1

Fix:
SSO-enabled native RDP resources now can be launched from APM Webtop with Mac RDP client 10.2.0.


701792-2 : JS Injection into cached HTML response causes TCP RST on the fictive URLs

Component: Application Security Manager

Symptoms:
TCP RST being sent when a browser requests a fictive URL that starts with either of the following strings:
-- /TSPD/xxx...xxx?type=x
-- /TSbd/xxx...xxx?type=x.

Conditions:
This occurs in either of the following scenarios:
-- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal.

-- DoS profile with Single Page Application enabled is attached to a virtual server.

Impact:
CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.

Workaround:
Use an iRule to disable caching for HTML pages where a fictive URL is injected.

Fix:
The system now disables cached headers to HTML responses where a fictive URL is injected.


701785-2 : Linux kernel vulnerability: CVE-2017-18017

Solution Article: K18352029


701740-1 : apmd leaks memory when updating Access V2 policy

Component: Access Policy Manager

Symptoms:
A small leak occurs in the apmd process when processing mcp notifications about configuration updates.

Conditions:
-- Changing an Access Policy configurations.
-- apmd receives a notification about it.

Impact:
apmd grows in size very slowly. The issue does not have any immediate and significant impact on BIG-IP system functionality.

Workaround:
There is no workaround at this time.

Fix:
apmd no longer leaks a small amount when processing MCP notifications.


701737-1 : apmd may leak memory on destroying Kerberos cache

Component: Access Policy Manager

Symptoms:
ampd leaks memory in AD Query agent.

Conditions:
The leak happens in response to any of the following conditions:
-- A Kerberos cache reset is requested (any of the caches - GROUP/PSO/KERBEROS).
-- Change to associated AAA AD Server were made and new Access Policy is applied.
-- AD Query was not able to make ldap_bind to KDC and the error is NOT a timeout (e.g., invalid administrator password).

Impact:
The ampd leaks memory and might cause unstable behavior.
The apmd process, or some other daemon may be killed by OOM killer when it tries to allocate memory.

Workaround:
There is no workaround at this time.

Fix:
AD Query agent no longer causes apmd memory leak during group cache update.


701736-1 : Memory leak in Machine Certificate Check agent of the apmd process

Component: Access Policy Manager

Symptoms:
apmd process leaks memory in Machine Certificate Check agent

Conditions:
Machine Certificate Check agent is configured in an Access Policy.

Impact:
apmd may grow in size. This may lead to the apmd process or another process, to be killed by OOM-killer

Workaround:
There is no workaround at this time.

Fix:
An apmd memory leak in the Machine Certificate Check agent has been fixed.


701690-1 : Fragmented ICMP forwarded with incorrect icmp checksum

Solution Article: K53819652

Component: Local Traffic Manager

Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.

Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or SNAT/NAT only when a fragmented ICMP packet is received and is expected to be passed through the virtual server (or SNAT or NAT).

Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.

Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.


701678-2 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded

Component: Local Traffic Manager

Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.

Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
None.

Fix:
UDP rate-limited virtual server now correctly sends packets to the server.


701639-1 : Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.

Component: Access Policy Manager

Symptoms:
Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by the BIG-IP system as SP. They are sent as is. This is a behavior change from v12.1.2/v12.1.3/v13.0.0, where, the value gets substituted in the SP's AuthnRequest sent to IDP.

Conditions:
On configuring Requested Authentication Context Class in SP to define a session variable similar to the following:
%{session.client.type}

Impact:
The generated Authentication Request does not have the session variable resolved. The string is sent as is. The Authentication Request fails and the session cannot be established.

Workaround:
None.

Fix:
The system now resolves the session variable in the configured Authentication Context Class for SP while generating the Authentication Request.


701637 : Crash in bcm56xxd during TMM failover

Component: Advanced Firewall Manager

Symptoms:
During a TMM failover, such as after an upgrade to a later version of software, bcm56xxd might crash.

Conditions:
TMM failover.

Impact:
Restart of bcm56xxd; temporary loss of network connectivity.

Workaround:
There is no workaround at this time.

Fix:
Bcm56xxd no longer crashes and restarts on a TMM failover.


701626-2 : GUI resets custom Certificate Key Chain in child client SSL profile

Solution Article: K16465222

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring.

You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.


701538-2 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured

Component: Local Traffic Manager

Symptoms:
SSL handshake fails if the client initiates the handshake with TLS false start (specifically, client SSL sends the SSL record data to the server before the Server sends out the CSS is FINISHED notification).

Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is default for for non-virtual edition (VE) versions).

Impact:
The BIG-IP system sends the RST to tear down the connection in TLS false start.

Workaround:
There are no true workarounds. You must disable one of the conditions to workaround the issue:

-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not try to use TLS false start and still be able to use (EC)DHE.

Fix:
The system no longer processes application data before verifying that the finished message arrives and handshake is complete.


701447-1 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003


701445-1 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003


701359-4 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310


701327-2 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exists.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.


701288-1 : Server health significantly increases during DoSL7 TPS prevention

Component: Anomaly Detection Services

Symptoms:
Mitigation of DoSL7 TPS affects server health value.

Conditions:
-- DoSL7 TPS configured together with BADOS.
-- DoSL7 TPS is active.

Impact:
-- Incorrect Server Health reporting.
-- Might activate Behavioral DoS (BADoS) false-attack detection when attacks mitigated by DoSL7 TPS are stopped.

Workaround:
None.

Fix:
Server health now displays the actual backend server state, and does not incorrectly grow.


701253-5 : TMM core when using MPTCP

Solution Article: K16248201


701249-1 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.


701244-1 : An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT

Solution Article: K81742541

Component: Local Traffic Manager

Symptoms:
TMM receives SIGABRT from failover daemon, sod, due to heartbeat failure shortly after TMM starts up.

Conditions:
In some rare scenarios, TCP fast open encrypt/decrypt key may not be properly initialized when traffic comes into the BIG-IP system.

Impact:
Multiple TMM threads can get into a loop, causing heartbeat failure. TMM restarts, Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The incorrect data manipulation in cipher encrypt and decrypt has been fixed.


701202-3 : SSL memory corruption

Solution Article: K35023432

Component: Local Traffic Manager

Symptoms:
In some instances random memory can be corrupted causing TMM core.

Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.

Impact:
TMM crash, disrupting traffic.

Workaround:
There is no workaround at this time.

Fix:
The memory corruption issue has been fixed.


701147-2 : ProxySSL does not work properly with Extended Master Secret and OCSP

Solution Article: K36563645

Component: Local Traffic Manager

Symptoms:
SSL handshake fails if the BIG-IP system is operating in ProxySSL mode, while client and server negotiate to use the Extended Master Secret and OCSP features together.

Conditions:
1. Virtual server is configured to work in ProxySSL mode.
2. Client and server negotiate the SSL handshake with the Extended Master Secret.
3. Client and Server negotiate to use the OCSP.

Impact:
ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.

Workaround:
None.

Fix:
Included the certificate status message in the calculation of Extended Master Secret.


701056-1 : User is not able to reset their Active Directory password

Component: Access Policy Manager

Symptoms:
When Active Directory is used for authenticating APM users and the user is required to change password on next APM logon, APM fails to update the password.

Conditions:
- APM is licensed and provisioned
- Active Directory is used for authenticating the users
- When logging on to APM, user is asked to change the password

Impact:
User is not able to change the password.

Workaround:
There is no workaround.

Fix:
APM end users can now successfully reset the password.


700895-1 : GUI Network Map objects in subfolders are not being shown

Solution Article: K34944451

Component: TMOS

Symptoms:
Objects created in subfolders under a partition are not showing up in the GUI Network Map when selecting the partition.

Conditions:
-- Create a virtual server under a subfolder.
-- View Network Map while /Common is the active partition.

For example:

1. Create a subfolder such as /Common/subfolder.
2. In that subfolder, create a virtual server such as /Common/subfolder/virtualserver1.
3. Select /Common as the partition.
4. View the Network Map.

The virtual server /Common/subfolder/virtualServer1 is not shown on the Network Map.

Impact:
Cannot see the objects in the subfolder.

Workaround:
Select the partition 'All[Read Only]' to see all objects in subfolders.


700889-3 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Solution Article: K07330445

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7 which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not using WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.

Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.


700862-1 : tmm SIGFPE 'valid node'

Solution Article: K15130240

Component: Local Traffic Manager

Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.

Conditions:
The host is unreachable.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when the host is unreachable.


700827-4 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command: tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8… 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.

Fix:
This release introduces a new variable mhdag.pu.table.size.multiplier. Setting it to 2 or 3 mitigates the issue.


700812-1 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Component: Application Security Manager

Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.

Conditions:
Try to deploy a qkview on a BIG-IP using the asmrepro tool
while BIG-IP has a 4 element version like 13.1.0.1.

Impact:
Cannot deploy a 4 element version qkview on a BIG-IP using the asmrepro tool.

Workaround:
n/a

Fix:
asmrepro now handles the version number properly.


700757-1 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd

Fix:
Prevented vcmpd from crashing when exiting.


700726-2 : Search engine list was updated, and fixing case of multiple entries

Component: Application Security Manager

Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.

Conditions:
Site accessed by search engines.

Impact:
Traffic from search engines is blocked unnecessarily.

Workaround:
Manually add search engines.

Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.


700724-2 : Client connection with large number of HTTP requests may cause tmm to restart

Component: Access Policy Manager

Symptoms:
tmm may restart while processing client request

Conditions:
- PingAccess profile is configured on the virtual server.

- Client connection sends over 64k HTTP requests that result in BIG-IP's connection to the PingAccess policy server.

Impact:
Traffic will be disrupted while TMM restarts.

Workaround:
Modify HTTP profile used by affected virtual to specify the limit of HTTP requests per connection "maximum requests per connection" to be less then 64k, e.g. 63000 or less.

Fix:
Traffic will no longer be disrupted when client sends over 64k uncached requests on the same TCP connection.


700696-1 : SSID does not cache fragmented Client Certificates correctly via iRule

Component: Local Traffic Manager

Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.

Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.

Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.

Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.

Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).


700597-1 : Local Traffic Policy on HTTP/2 virtual server no longer matches

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies may not match properly when a virtual server is handling HTTP/2 traffic.

Conditions:
Virtual server with Local Traffic Policy and HTTP/2 profile.

Impact:
Traffic fails to pass through the virtual server, or fails to be processed as expected.

Workaround:
If able, use HTTP rather than HTTP/2. Or disable the policy. Otherwise there is no workaround.

Fix:
Traffic now processed as expected.


700576-1 : GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"

Component: TMOS

Symptoms:
In the GUI, the ServerSSL Profile options "Expire Certificate Response Control" and "Untrusted Certificate Response Control" are shown as stand alone options, yet those settings are not honored when the "Server Certificate" option is set to "Ignore" (default).

Conditions:
Create server SSL profile with "Server Certificate" option is set to "Ignore" (default).
It shows "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options, yet those settings are not honored.

Impact:
No functional Impact, it may cause confusion allowing view/modify for irrelevant options.

Workaround:
No functional Impact, Expire Certificate Response Control" and "Untrusted Certificate Response Control" options can be ignored when "Server Certificate" option is set to "Ignore" (default).

Fix:
"Expire Certificate Response Control" and "Untrusted Certificate Response Control" server SSL profile options are hidden when "Server Certificate" option is set to "Ignore" (default).


700571-4 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL

Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.


700556-1 : TMM may crash when processing WebSockets data

Solution Article: K11718033


700527-3 : cmp-hash change can cause repeated iRule DNS-lookup hang

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.


700522-1 : APMD may unexpectedly restart when worker threads are stuck

Component: Access Policy Manager

Symptoms:
APMD restarts and logs a message about all threads being stuck.

Conditions:
A race condition allows the busy thread count to remain higher than the actual value. If it reaches the maximum thread count, APMD will restart.

Impact:
APMD can restart unexpectedly.

Workaround:
There is no workaround.

Fix:
A rare APM timing condition leading to an unexpected restart of services has been corrected.


700433-1 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.

As a result of this issue, you may encounter one or more of the following symptoms:

-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.

-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.

Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.

Workaround:
None.

Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.


700426 : Switching partitions while viewing objects in GUI can result in empty list

Solution Article: K58033284

Component: TMOS

Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.

Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.

For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.

Impact:
The list of pools is empty despite the fact that there are pools available.

Workaround:
Return to the first page of objects before switching to any other partition.

Fix:
The system now resets to the first page if the page number is greater than the page count, so the partition's objects display correctly.


700393-3 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash

Solution Article: K53464344

Component: Local Traffic Manager

Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.

Conditions:
HTTP/2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.


700386-2 : mcpd may dump core on startup

Component: TMOS

Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.

Conditions:
This can happen only at startup.

Impact:
mcpd restarts, but resumes normal operation.

Workaround:
None.

Fix:
mcpd no longer generates a core on startup.


700322-2 : Upgrade may fail on a multi blade system when there are scheduled reports in configuration

Component: Application Visibility and Reporting

Symptoms:
Unable to upgrade to newer version or hotfix fail. Secondary slot always fails upgrade with the following error in var/log/liveinstall.log:

error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/fbSBcyXrsz.ucs
info: >++++ result:
info: Saving active configuration...
info: Thrift: Tue Dec 19 10:53:45 2017 TSocket::open() connect() <Host: localhost Port: 9090>Connection refused
info: Error during config save.
info: Unexpected Error: UCS saving process failed.

Conditions:
1) System has two or more slots (multi-blade)
2) There are scheduled reports in configuration.

Impact:
Upgrade fails.

Workaround:
1) Save configuration for scheduled reports aside.
2) Remove all scheduled reports from configuration.
3) Perform upgrade.
4) Add scheduled reports back to configuration.

Fix:
On secondary blades monpd listens on slot-specific local address 127.0.3.X, so tmsh should use this address when it establishes connection to monpd (instead of 127.0.0.1)


700320 : tmm core under stress when BADOS configured and attack signatures enabled

Component: Anomaly Detection Services

Symptoms:
Tmm core under stress. Note: This issue has a very low probability of occurring.

Conditions:
-- Out of memory.
-- BADOS configured.
-- Attack signatures enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None, except to not configure attack signatures.

Fix:
Added protection for the case when context adm_filters allocation is failed.


700315-2 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process, by running a command similar to the following: kill -9 'pidof tshark'

Fix:
Ctrl+C now terminates TShark as expected.


700250-3 : qkviews for secondary blade appear to be corrupt

Solution Article: K59327012

Component: TMOS

Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.

Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.

Impact:
The system posts the following messages:
    gzip: stdin: unexpected end of file
    tar: Child returned status 1
    tar: Error is not recoverable: exiting now


Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.

Workaround:
None.

Fix:
By not always writing an errant newline, the problem is solved.


700247 : APM Client Software may be missing after doing fresh install of BIG-IP VE

Solution Article: K60053504

Component: TMOS

Symptoms:
apm client software checks is broken in VM created with BIG-IP-13.1.0.1.0.0.8.ALL-scsi.ova.

Conditions:
Any software instance created by deployment of any OVA for the affected software versions.

Impact:
APM endpoint inspection feature (for Mac, windows and Linux clients). [Users affected]
Configuration of APM client software check APM Visual policy editor. [Admin UI]
APM Client package @ Connectivity / VPN : Connectivity : Profiles if you select "Web Browser Add-ons for BIG-IP Edge Client" option. [Admin UI]

Workaround:
Try the "epsec refresh" commands again after removing all environment locks on the shared RPM database using the following command:

rm /shared/lib/rpm/__db.*
epsec refresh

Fix:
After deployment of a new OVA for the fixed version(s), the problem no longer occurs.


700143-2 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No work around for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.

Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.


700090-2 : tmm crash during execution of a per-request policy when modified during execution.

Component: Access Policy Manager

Symptoms:
Modify/delete of per-request policy during heavy traffic flow causes tmm to crash.

Conditions:
While a per-request policy (macro) is getting executed.
Admin deletes the parent policy item (at the same time).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not deleting per-request policies during heavy traffic flow.

Fix:
Per-request access policies edited during execution are now held until not in use, so this issue no longer occurs.


700086-1 : AWS C5/M5 Instances do not support BIG-IP VE

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.

Conditions:
BIG-IP VE on AWS C5/M5 instances.

Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.

Workaround:
None.

Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.


700061-4 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file

Component: Local Traffic Manager

Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key files Unix permission changes from '-rw-r-----' to
'-rw-r--r--'

Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.

Impact:
Key file Unix read permission changes from '-rw-r-----' to
'-rw-r--r--'

Workaround:
There is no workaround at this time.

Fix:
Fix made sure restart of service MCPD and reboot of device does not change key files Unix read permissions from '-rw-r-----' to
'-rw-r--r--'


700057-4 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.


700056-1 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server

Component: Local Traffic Manager

Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.

Conditions:
- Virtual servers configured.
- Specific policies configured and attached used by virtual servers.

Only policies configured in a specific way will trigger this situation. The specifics are not well understood, however, the vast majority of Local Traffic Policies are unaffected by this issue.

Impact:
Traffic disrupted while mcpd restarts.

Workaround:
There is no workaround.

Fix:
mcpd is responsive when an LTM Policy is attached to a virtual server, or when an already-attached policy is updated.


699979-2 : Support for Safenet Client Software v7.x

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is not compatible with SafeNet v7.x.

Conditions:
Attempting to use a BIG-IP system with the Safenet v7.x client software.

Impact:
No support provided for the SafeNet network HSMs.

Workaround:
There is no workaround other than using an HSM with the supported SafeNet client software.

Fix:
The BIG-IP system now supports SafeNet v7.x in the following configuration:

-- Client software: 7.1.
-- HSM software: 7.1.
-- HSM firmware 7.0.2.


699720-1 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.


699686-1 : localdbmgr can occasionally crash during shutdown

Component: Access Policy Manager

Symptoms:
When localdbmgr process is restarted, occasionally, the process crashes and a core file will be generated.

Conditions:
-- APM is provisioned.
-- localdbmgr process is restarted.

Impact:
Although the process restarts, there is no impact to the APM functionality.

Workaround:
None.

Fix:
localdbmgr no longer crashes during shutdown.


699624-1 : Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade

Component: Local Traffic Manager

Symptoms:
A configuration that contains custom 'SIP' or 'FirePass' monitors that is upgraded from a version earlier than v13.1.0 may either fail to load, or may result in a configuration that loads the first time after the upgrade, but cannot be re-loaded from the text config files.

If the BIG-IP system has partitions other than 'Common', the initial configuration load may fail with an error such as:

01070726:3: monitor /Common/sip-monitor in partition Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition

If the BIG-IP system only has a 'Common' partition, the initial configuration load will succeed, but subsequent attempts to load the configuration (e.g., 'tmsh load sys config') may fail with this error:

Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property

Which corresponds to a SIP or FirePass monitor in the configuration such as:

ltm monitor sip /Common/test_sip_monitor {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    debug no
    defaults-from /Common/sip
    destination *:*
    filter 488
    interval 5
    mode tcp
    time-until-up 0
    timeout 16
    user-defined SSL_PROFILE_NAME /Common/test_sip_monitor_ssl_profile
}

Conditions:
Custom 'SIP' or 'FirePass' monitor is configured, and the config is upgraded from a version earlier than v13.1.0 to version v13.1.0.

Impact:
After upgrade, the configuration fails to load with an error such as:

01070726:3: monitor /Common/sip-monitor in partition /Common cannot reference SSL profile monitor parameter /Common/sip-monitor 1 SSL_PROFILE_NAME= in partition name-of-other-partition.

Alternatively, the configuration loads after upgrade, but the config file is corrupted, and will fail to load (such as after a system restart, or upon explicit 'tmsh load sys config'), with an error such as:

Syntax Error:(/config/bigip.conf at line: 63) "user-defined" unknown property

Workaround:
Remove custom 'SIP' and 'FirePass' monitors from the configuration, and re-create them manually after upgrade is complete.

Fix:
In this release, a configuration that contains a custom 'SIP' or 'FirePass ' monitor from a version earlier than v13.1.0 now loads correctly and continues to load as expected.


699598-2 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR

Component: Local Traffic Manager

Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.

Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.

Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.

Workaround:
None.

Fix:
Large HTTP/2 requests are now processed as expected.


699531-1 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.

Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.


699515-1 : nsm cores during update of nexthop for ECMP recursive route

Component: TMOS

Symptoms:
The Net­work Services Module daemon (nsm) cores while processing updates for ECMP recursive route nexthop.

Conditions:
Dynamic routing enabled.
BGP peers provides ECMP routes with recursive nexthop.

Impact:
Failures passing traffic using the dynamic routes.

Workaround:
There is no workaround.

Fix:
nsm is able to process ECMP route updates without problem.


699455-4 : SAML export does not follow best practices

Solution Article: K50254952


699454-4 : Web UI does not follow current best coding practices

Component: Advanced Firewall Manager

Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.

Conditions:
Authenticated web UI user.

Impact:
UI does not respond as intended.

Workaround:
None.

Fix:
The web UI now follows current best coding practices while processing URL DB updates.


699453-4 : Web UI does not follow current best coding practices

Solution Article: K20222812


699452-4 : Web UI does not follow current best coding practices

Solution Article: K29280193


699451-3 : OAuth reports do not follow best practices

Solution Article: K30500703


699431-3 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Impact:
The table entry will be remain until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.


699346-3 : NetHSM capacity reduces when handling errors

Solution Article: K53931245


699339-3 : Geolocation upgrade files fail to replicate to secondary blades

Solution Article: K24634702

Component: Global Traffic Manager (DNS)

Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.

Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.

Impact:
Geoip database is not updated to match primary blade.

Workaround:
Use either of the following workarounds:

-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.

-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.

To edit /etc/csyncd.conf:

Merge the following two terms:
 monitor dir /shared/GeoIP {...)
 monitor dir /shared/GeoIP/v2 {...}

into one term, as follows:
monitor dir /shared/GeoIP {
        queue geoip
        pull pri2sec
        recurse yes
        defer no
        lnksync yes
        md5 no
        post "/usr/local/bin/geoip_reload_data"
}

Fix:
Geolocation upgrade files now correctly replicate to secondary blades.


699298-2 : 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.

Component: Local Traffic Manager

Symptoms:
TMM may crash when woodside congestion-control is in use.

Conditions:
When woodside congestion-control is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Other congestion control algorithms can be used as a workaround.

Fix:
This fix handles a rare TMM crash when woodside congestion-control is in use.


699281-1 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
Recently F5 incorporated 4th element into versioning scheme. 4th and 5th are separated by dash (instead of dot) in ISO name. This change/bug insures that names of hypervisor bundles also use dash between 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example ova files for vmware).

Impact:
Version format in names of hypervisor bundles matches version format of ISO file

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).


699273-1 : TMM Core During FTP Monitor Use

Component: Local Traffic Manager

Symptoms:
TMM Cores.

Conditions:
When the FTP monitor is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off FTP monitoring.

Fix:
The tmm no longer cores when using a FTP monitor.


699267-2 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled

Impact:
LDAP Query agent fails.
unable to get user identity.
unable to finalize Access Policy.

Fix:
after fix, LDAP Query resolves all nested groups as expected and session.ldap.last.attr.memberOf attributes contains user's groups


699135-1 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.

Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create a iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.

Impact:
tmm cores.

Workaround:
Don't use host command for non type A/AAAA wideips.


699103-1 : tmm continuously restarts after provisioning AFM

Component: Traffic Classification Engine

Symptoms:
tmm continuously restarts when the Webroot database is getting downloaded to a BIG-IP system with less than 16 GB RAM and AFM provisioned.

Conditions:
-- Webroot URL categorization configured for Traffic Classification.
-- BIG-IP system with less than 16 GB RAM.
-- AFM is provisioned.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than to ensure that more than 16 GB RAM is available when AFM is provisioned.

Fix:
The BIG-IP system with less than 16 GB RAM and AFM provisioned now prevents downloading the Webroot database or any updates if it is not already downloaded.

Note: If the Webroot database already exists before upgrade to this release, Webroot lookup will continue to work.


699012-1 : TMM may crash when processing SSL/TLS data

Solution Article: K43121447


698992-1 : Performance degraded

Component: Performance

Symptoms:
Portal access performance had a slight performance degradation. This was identified to be due to a new queuing strategy implemented to improve per-request policy auth use-case performance for higher end platforms in the 13.0 release. The nature of the problem is such that overall system degradation may be observed if APM is provisioned and per-request policy is not used.

Conditions:
APM is provisioned, but functionality is not related to per-request policy.

Impact:
Performance will be slightly lower under load.

Workaround:
None.

Fix:
The queuing strategy was altered to take minimal CPU resources when idle.


698984-1 : Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned

Component: Access Policy Manager

Symptoms:
The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, and when ACCESS::restrict_irule_event is disabled and HTTP_RESPONSE_RELEASE events are detected with the assigned iRules.

Conditions:
Steps to Reproduce:
1. Define the following iRule in the virtual server.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set u [ HTTP::uri ]
    log local0. "XXX: [ HTTP::uri ]"
}
when HTTP_RESPONSE_RELEASE {
    log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]"
    set l [ HTTP::header Location ]
    if { $l starts_with {/my.policy} } {
       append l {?modified_by_irule=1}
       HTTP::header replace Location $l
    } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } {
        # Next response will be the real response to the client.
        ACCESS::log "XXX: lp_seen"
        set lp_seen 1
    }
    if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } {
        unset lp_seen
        HTTP::header insert X-MyAppSpecialHeader 1
    }
}
2. Configure START :: LOGON PAGE :: ALLOW policy.
3. Access the virtual server.

Impact:
TCP reset triggered when it should not. With respect to the specific condition described, the system should post the logon page.

Workaround:
Manually disable Tmm.HTTP.TCL.Validation.

Fix:
Tmm.HTTP.TCL.Validation is now disabled automatically when APM provisioned during the upgrades. This is correct behavior.


698947-2 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.

Component: TMOS

Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.

Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.

Impact:
The decapsulated packets may be dropped in the BIG-IP system.

Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.


698940-1 : Add new security policy template for API driven systems - "API Security"

Component: Application Security Manager

Symptoms:
No security policy template for API Security for API driven systems.

Conditions:
-- Using API.
-- Attempting to define REST API protection, Web Socket protection.

Impact:
No policy template.

Workaround:
None.

Fix:
Added new security policy template for API driven systems - 'API Security'.


698919-3 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.


698916-1 : TMM crash with HTTP/2 under specific condition

Component: Local Traffic Manager

Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connnection.

Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.

Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.


698875-1 : Qkview Security Hardening

Component: TMOS

Symptoms:
Qkview does not follow best practices for sanitizing and anonymizing collected data

Conditions:
Qkview created

Impact:
Under certain conditions, Qkviews may include sensitive information, which may in turn be uploaded to iHealth

Workaround:
None.

Fix:
Qkview now follows best practices for sanitizing and anonymizing collected data


698813-2 : When processing DNSX transfers ZoneRunner does not enforce best practices

Solution Article: K45435121


698461-1 : tmm may crash in fastl4 TCP

Component: Local Traffic Manager

Symptoms:
tmm crash and BIGIP fail over.

Conditions:
Virtual with fastl4 and TCP profile configured and used.
LRO is used.

Impact:
tmm may crash

Fix:
the crash is fixed.


698437-1 : Internal capacity increase

Component: Local Traffic Manager

Symptoms:
tmm restarts unexpectely.

Conditions:
Internal to the tmm, a capacity limit is exceeded.

Impact:
Traffic is disrupted while tmm restarts.

Workaround:
N/A

Fix:
Tmm does not experience unexpected restart due to insufficient internal capacity.


698429-1 : Misleading log error message: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:

Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...

These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.

Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.

Impact:
None. These messages do not indicate an actual problem with the system.


698424-1 : Traffic over a QinQ VLAN (double tagged) will not pass

Solution Article: K11906514

Component: Local Traffic Manager

Symptoms:
Traffic on a QinQ VLAN will not pass.

Conditions:
This issue exists when a VLAN is configured as a QinQ VLAN (i.e., a double-tagged VLAN).

Impact:
Traffic on a QinQ VLAN will not pass.

Workaround:
Disabling LRO may workaround this issue.

Fix:
Traffic on a QinQ VLAN now passes successfully.


698396-1 : Config load failed after upgrade from 12.1.2 to 13.x or 14.x

Component: Traffic Classification Engine

Symptoms:
Sys load fails with following errors,
....
Loading schema version: 14.0.0
0107153e:3: Application id out of the valid range of [8192-16384).
Unexpected Error: Loading configuration process failed.

Conditions:
When an CEC IM is applied to 12.1.2 and then when we upgrade to 13.x or 14.x, sys load will fail.

Impact:
System will fail to come to Active state after upgrade.

Workaround:
It can be fixed by manually deleting /var/libdata/dpi/conf/classification_update.conf


698379-2 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(

Solution Article: K61238215

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.

Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.


698376-3 : Non-admin users have limited bash commands and can only write to certain directories

Component: TMOS

Symptoms:
TMSH access to Linux utilities does not follow best security practices.

Conditions:
Users without Advanced Shell Access running Linux utilities from inside TMSH.

Impact:
TMSH does not follow best security practices

Workaround:
None.

Fix:
TMSH access to Linux utilities now follows best security practices.

Behavior Change:
Some tmsh util commands will be restricted to writing files to certain directories.


698338-1 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.

Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.


698333-1 : TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)

Solution Article: K43392052

Component: Advanced Firewall Manager

Symptoms:
TMM would core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families).

Conditions:
This occurs in the following scenario:
-- Enable Network and DNS BDOS simultaneously (on DoS Device config).
-- Generate dynamic signature that has both network and DNS metrics.
-- Wait for signature to be moved to 'past' (persist) state.
-- Disable either network or DNS BDOS (but not both).
-- TMM cores if the traffic matches this signature.

Impact:
Traffic interruption due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
In this release, if the dynamic signature is disabled for a specific family on a parent context (but not disabled for other family on that context), any past attack signature for the context is now deleted from the system.


698226-1 : Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly

Component: Application Visibility and Reporting

Symptoms:
When filtering data by a field in the 'Security :: Reports :: DoS :: URL Latencies' form, the filtering fails and the monpd process crashes.

Conditions:
There is some statistical data for DoS.

Impact:
Reports based on GUI filters are not complete.

Workaround:
No workaround.

Fix:
The system now creates the correct query for this filter, so the issue no longer occurs.


698182 : Upgrading from 13.1.1 to newer release might cause config to not be copied over

Component: Advanced Firewall Manager

Symptoms:
Upgrading from 13.1.1 to newer release might cause config to not be copied over. This is due to the UUID being available on the older release but not on the newer one.

Conditions:
Upgrade or loading a UCS from 13.1.1 to newer release.

Impact:
Config cannot be loaded or fails.

Workaround:
Copy config and remove UUID-specific schema before loading the config.

Fix:
When upgrading to a version in which UUID is not supported, the system now automatically copies the config and removes UUID-specific schema before loading it.


698084-3 : IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs

Solution Article: K03776801

Component: TMOS

Symptoms:
Some groups of messages logged by tmipsecd are missing the errdefs annotation that identifies IPsec as the module. Messages reported when tunnels go up and down, or problems with listeners, go only to ltm logs, with no visibility to bigiq logs.

Conditions:
Missing the IPsec module subset ID.

Impact:
Missing IPsec messages in the bigiq logs.

Workaround:
No workaround at this time.

Fix:
The IPsec module subset ID has been added to tmipsecd log messages, so those messages will reach bigiq logs. Some log messages previously appearing only in /var/log/ltm now also appear in ipsec.log and also reach bigiq logs.


698080-3 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183


698000-3 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupts traffic to connections using a pool member to reach the nexthop.


697988-3 : During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%

Solution Article: K34554754

Component: Local Traffic Manager

Symptoms:
During config sync, if many (hundreds) of client-ssl profiles are attached to a virtual server, the CPU may spike to 100%.

Conditions:
-- Many (hundreds) of client-ssl profiles are attached to a virtual server.
-- Config sync is executed.

Impact:
If enough client-ssl profiles are attached, the watchdog could fire, crashing tmm and causing service disruption. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not attaching hundreds of client-ssl profiles to a virtual server, or disabling config sync.

Fix:
Issue no longer occurs when there are 2000+ client-ssl profiles attached to a virtual server and config sync is executed.


697766-1 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'

Component: TMOS

Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen

isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.

Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than than version 11.6.1.

In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:


   router isis isisrouter
   is-type level-2-only
   authentication mode md5
   authentication key-chain keychain-isis
   lsp-refresh-interval 5
   max-lsp-lifetime 65535
   net 49.8002.00c1.0000.0000.f523.00

Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.

Workaround:
None.

Fix:
This issue no longer occurs.


697756-1 : Policy with CSRF URL parameter cannot be imported as binary policy file

Component: Application Security Manager

Symptoms:
A policy with at least 1 CSRF URL parameter defined cannot be imported as a binary policy file.

Conditions:
A policy has at least 1 CSRF URL parameter defined.

Impact:
The policy cannot be imported as a binary policy file.

Workaround:
There is no workaround at this time.

Fix:
A policy with CSRF URL parameters defined can now be imported as a binary policy file.


697718-1 : Increase PEM HSL reporting buffer size to 4K.

Component: Policy Enforcement Manager

Symptoms:
Before this fix, PEM HSL reporting buffer size is limited by 512 bytes.

Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.

Impact:
Part of PEM HSL flow reporting information will be lost.

Fix:
We increase PEM HSL reporting buffer size to 4K, which should be enough for uses cases we currently know.


697636-3 : ACCESS is not replacing headers while replacing POST body

Component: Access Policy Manager

Symptoms:
If the first request for a session is a POST, APM will save the POST to replay after the policy completes. When the POST is restored after policy completion and released to the backend, the headers are the same as the most recent client request, not the original POST. In particular, the Content-Length header will not match the original POST.

Conditions:
First request for the session is a POST.

Impact:
Backend servers may complain of an incomplete HTTP POST due to a mismatching Content-Length header.

Workaround:
None.

Fix:
Now, the system takes all headers from the original POST, except the Authorization header that Kerberos RBA needs, which is taken from the most recent client request.


697616-2 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests

Component: TMOS

Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: HA crypto_failsafe_t qat-crypto0-0 fails action is failover.

Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.

Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.

Workaround:
None.

Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.


697615-1 : Neurond may restart indefinitely after boot, with neurond_i2c_config message

Solution Article: K65013424

Component: TMOS

Symptoms:
The neurond daemon may continually restart after a reboot. The problem may persist even after a reboot of the BIG-IP system. Manually stopping and starting neurond will not resolve the problem.

Conditions:
- This occurs only on BIG-IP platforms that contain a specific hardware part running v13.1.0.
- The issue happens only after a reboot of the BIG-IP system.

Impact:
The BIG-IP system constantly logs messages similar to the following:

emerg logger: Re-starting neurond


The /var/log/neurond logfile contains messages similar to the following:

-- neurond_i2c_config_steps: STEP 20 Checking for Lane Alignment
-- neurond_i2c_config_steps: Timeout waiting for good rx_align for ILK1 of NSP
-- neurond_i2c_config: neurond_i2c_config_steps failed.

Workaround:
If you are not using FIX features, disabling the neurond service is a safe option.

If your configuration relies on the FIX feature, a cold reboot by removing the BIG-IP system from the power may resolve the problem. However, multiple retries are sometimes necessary to get the part to initialize.

Fix:
This release increases the number of initialization retries to handle this condition, so continual restarts no longer occur.


697516 : Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled

Component: Advanced Firewall Manager

Symptoms:
Upgrading using a UCS or SCF file does not autogenerate uuids when the current config has the uuid-default-autogenerate flag enabled. This might cause issues when upgrading from older versions where uuids need to be quickly generated for existing firewall policies, rule lists, and management rules.

Conditions:
Upgrading from an older version with an existing security policy which has no uuids configured.

Impact:
Requires manually configuration of uuids for rules that come in from the older config.

Workaround:
Generate uuids for all policies, rule-lists, and management rules using the following three tmsh commands:

-- tmsh modify sec fire policy all rules modify { all { uuid auto-generate}}
-- tmsh modify sec fire rule-list all rules modify { all { uuid auto-generate}}
-- tmsh modify sec fire management-ip-rules rules modify { all { uuid auto-generate}}

Optionally, to ensure rules created in the future have uuids autogenerated issue the following tmsh command:

-- tmsh modify sec firewall uuid-default-autogenerate mode enabled

Fix:
No fix provided, Current behavior causes the uuid-default-autogenerate flag to be overwritten to disabled by the ucs load process. Workaround has been provided to mitigate against this behavior.


697452-1 : Websso crashes because of bad argument in logging

Component: Access Policy Manager

Symptoms:
Websso would crash because of bad argument in logging

Conditions:
Only when kerberos sso is configured

Impact:
Websso would crash and so single sign on may fail.

Workaround:
The workaround is not configure kerberos SSO

Fix:
This issue has been fixed.


697424-1 : iControl-REST crashes on /example for firewall address-lists

Component: TMOS

Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.

Conditions:
Making a call to /example on firewall address-list.

Impact:
The icrd_child process crashes.

Workaround:
There is no workaround other than not calling /example on firewall address-lists.


697421 : Monpd core when trying to restart

Component: Application Visibility and Reporting

Symptoms:
Monpd tries to restart and tries to access a non-initiated variable

Conditions:
Monpd tries to restart due to change of primary blade

Impact:
Monpd cores

Workaround:
N/A

Fix:
Adding sanity check to the non-initiated variable before trying to access it


697363-1 : FPS should forward all XFF header values

Component: Fraud Protection Services

Symptoms:
For BIG-IP alerts, FPS will insert a single XFF with the client IP and discard all XFF values/headers in the original request (the request which triggered the alert)

Conditions:
Alert generated on BIG-IP side.

Impact:
Original XFF information will be lost: only a single XFF header (containing client IP) will be present.

Workaround:
None.

Fix:
FPS now copies all original XFF headers to the generated alert.


697303-1 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.


697259-2 : Different versioned vCMP guests on the same chassis may crash.

Solution Article: K14023450

Component: Local Traffic Manager

Symptoms:
The vCMP guest TMM crashes soon after startup.

Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.

Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Different versioned vCMP guests on the same chassis no longer crash.


696808-1 : Disabling a single pool member removes all GTM persistence records

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidently cleared.

Workaround:
Set drain-persistent-requests yes.

Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.


696789-1 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, and the irule is resumed because of timeout.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.


696755 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP provides a client side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached in BIG-IP with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag causing the client to ignore the rest of the response body.

Conditions:
BIG-IP has a virtual where HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}

Fix:
With provided fix HTTP/2 users no longer experience the problem of incorrect page rendering due to this issue.


696732-3 : tmm may crash in a compression provider

Solution Article: K54431534

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes, Traffic disrupted while tmm restarts.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly


696731-3 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administrative disabling an interface on BIG-IP

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.


696669-1 : Users cannot change or reset RSA PIN

Component: Access Policy Manager

Symptoms:
User is not able to reset the PIN when RSA SecurID or RADIUS Auth agent is included in access policy.

Conditions:
- APM is licensed and provisioned.
- RSA SecurID or RADIUS Auth agent is included in an access policy.
- APM end user is challenged to reset the PIN or reenter the PIN/token.

Impact:
APM end users cannot reset the PIN or do not get authenticated.

Workaround:
There is no workaround.

Fix:
APM users can now successfully reset the PIN or reenter the token.


696642-1 : monpd core is sometimes created when the system is under heavy load.

Component: Application Visibility and Reporting

Symptoms:
When system is under heavy load, aggregation of statistics tables in the database sometimes takes too much time and watchdog is triggered. When that happens, watchdog aborts the application and produces a core file.

Conditions:
-- System under heavy load.
-- Setting and resetting DoS profile on virtual servers.
-- Using AVR.
-- Displaying aggregated statistics.

Impact:
System produces monpd core file, when no real crash occurs.

Workaround:
None.

Fix:
Watchdog trigger no longer creates core by default under these conditions.


696544-1 : APM end users can not change/reset password when auth agents are included in per-req policy

Component: Access Policy Manager

Symptoms:
Users cannot change password when AD, Radius or LocalDb auth agents are included in per-req policy.

Conditions:
- Per-req policy is attached to Virtual Server.
- AD Auth, Radius Auth or LocalDB auth agents are included in per-req policy.
- End user is challenged to change/reset the password.

Impact:
Users can not change password.

Fix:
Users now can successfully change or reset the password.


696525-1 : B2250 blades experience degraded performance.

Component: Performance

Symptoms:
B2250 blades have degraded performance by up to 17%. This is caused by connections not being offloaded to hardware as often as expected.

Conditions:
This occurs when the FastL4 profile is configured to offload to hardware and the service provider DAG is configured and in use on B2250 blades.

Impact:
Performance will be degraded due to more connections being handled in software.

Workaround:
None.

Fix:
The performance issue for the B2250 blades has been fixed.


696383-1 : PEM Diameter incomplete flow crashes when sweeped

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.


696333-1 : Threat campaign filter does not return campaign if filter contains quotation marks

Component: Application Security Manager

Symptoms:
A threat campaign is not displayed in the GUI on the Security :: Application Security : Threat Campaigns page.

Conditions:
Filtering for a campaign name that contains a quotation mark.

Impact:
Threat campaign filter by name does not work.

Workaround:
There is no workaround other than not using quotation marks.

Fix:
REST escaping now supports this configuration..


696294-1 : TMM core may be seen when using Application reporting with flow filter in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM core with flow filter when Application reporting action is enabled

Conditions:
If Application reporting is enabled along with flow filter

Impact:
TMM restart causing service interruption

Fix:
Initialize the application start buffer so as to prevent the TMM core


696265-5 : BD crash

Solution Article: K60985582

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.


696260-1 : GUI Network Map as Start Screen presents database error

Solution Article: K53103420

Component: TMOS

Symptoms:
If the Network Map is set as the Preferences Start Screen, the GUI will display a database error page.

Conditions:
Set System :: Preferences : Start Screen to Network Map.

Impact:
Error page is displayed.

Workaround:
Navigate to the Network Map via the left navigation menu: Local Traffic :: Network Map.

Fix:
The Screen Start now launches successfully into the Network Map page.


696212-1 : monpd does not return data for multi-dimension query

Component: Application Visibility and Reporting

Symptoms:
When querying 'time-series' data for multiple-dimensions, most multi-dimension queries receive an empty response.

Conditions:
This occurs because the order of entities in the query is not sorted by priority.

Impact:
The corresponding dashboard displays incorrect statistics.

Workaround:
There is no workaround at this time.

Fix:
The monpd process now performs two queries in order to get the 'time-series' data for multi-dimensions:
-- The first query gets the top entities.
-- The second query gets data that is 'drilled down' by the top entities, the ones received from the first query.


696201-1 : Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation

Component: Advanced Firewall Manager

Symptoms:
AFM might generate a dynamic signature for those bins that have a very low learnt threshold during the learning phase, if the current traffic rate spikes and increases above the anomaly threshold floor db variable value as specified by l4bdos.anomaly.threshold.floor

Conditions:
AFM dynamic signature feature is enabled.

Impact:
This might cause AFM to generate signatures with higher false positives.

This is specifically due to incorrect application of db variable setting 'l4bdos.anomaly.threshold.floor' that should be interpreted as the 'floor' value of learnt thresholds for any bin. So, if the learnt threshold of a bin is lower than this db variable, the baseline threshold of the bin should be set to the db variable for anomaly detection phase.

Workaround:
There is no workaround at this time.

Fix:
This issue is fixed by making sure that db variable 'l4bdos.anomaly.threshold.floor' is used as the 'floor' value of baseline thresholds for those bins that have a learnt threshold lower than this db variable.


696113-3 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.

Fix:
An object tracking crypto operations now adds a sole reference to the connflow as long as the count of crypto operation pending is nonzero.


696073-2 : BD core on a specific scenario

Component: Application Security Manager

Symptoms:
bd process crashes, and core file created in the /shared/core/ directory.

Conditions:
Specific request and response characteristics that relates to CSP headers sent by the server.

Impact:
Failover in high availability units.

Workaround:
Disable CSP headers handling in ASM by running the following commands:

/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm

Fix:
The system now reinitializes the CSP headers before each response headers event, so this issue no longer occurs.


696049-1 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.


695985-2 : Access HUD filter has URL length limit (4096 bytes)

Component: Access Policy Manager

Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.

Conditions:
Any URL with a request consisting of more than 4096 bytes.

Impact:
The URL cannot be processed, and client gets a RST.

Workaround:
None.

Fix:
In this release, the URL length limit increased to 8192 bytes.


695968-1 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.


695953-1 : Custom URL Filter object is missing after load sys config TMSH command

Component: Access Policy Manager

Symptoms:
Cannot see the custom URL Filter object that is created either through TMSH/GUI. If the filter object is referred in an Access Policy, the policy fails to load when running the command: load sys config. The system logs errors similar to the following:

01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Configure custom URL Filter object
-- SWG is not provisioned.

Impact:
The access policy fails to load if it refers the URL Filter object. Running the 'load sys config' command in TMSH removes the filter.

Workaround:
You can use either of the following workarounds:
-- Provision SWG, and recreate the URL Filter.
-- Edit bigip.conf to include the URL Filter object.

Fix:
Now during 'load sys config', custom URL filters get saved properly.


695925-1 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using tmsh show sys connection


695901-1 : TMM may crash when processing ProxySSL data

Solution Article: K46940010


695707-5 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection

Component: Local Traffic Manager

Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.

Conditions:
Close an MPTCP connection.

Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.

Workaround:
There is no workaround at this time.

Fix:
Keep the retransmission timer running if an MPTCP connection can retransmit a DATA_FIN.


695563-1 : Improve speed of ASM initialization on first startup

Component: Application Security Manager

Symptoms:
ASM initialization on first startup takes a long time.

Conditions:
Provision ASM.

Impact:
ASM initialization takes a long time.

Workaround:
There is no workaround at this time.

Fix:
ASM initialization on first startup is faster.


695072-2 : CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558

Solution Article: K23030550


694922-5 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state


694897-2 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.

Component: TMOS

Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.

Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1 GB interfaces.
-- On i4x00 platforms.

Impact:
PFMAND cores.

Workaround:
Use only F5 branded Copper SFPs

Fix:
This release updates SFP string parsing in PFMAND to account for NULL terminated vendor information.


694849-1 : TMM crash when packet sampling is turned for DNS BDOS signatures.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes upon traffic matching a DNS BDOS signature if packet sampling is turned on by enabling db variable (l4bdos.signature.sample.packet.frequency).

Conditions:
DB variable l4bdos.signature.sample.packet.frequency is modified to a non-zero value (to collect DNS packet info upon matching a DNS dynamic signature).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the packet sampling feature for BDOS signatures by setting the db variable l4bdos.signature.sample.packet.frequency to default value (0).

Fix:
TMM no longer crashes when packet sampling is turned on and traffic matches DNS BDOS signature.


694778-1 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Component: Local Traffic Manager

Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).

Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Workaround:
There is no workaround other than to disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources now can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.


694740-3 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

Fix:
Reboot is delayed until TMM core file is completed.


694717-1 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.


694696-5 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.

Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.


694656-1 : Routing changes may cause TMM to restart

Solution Article: K05186205

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

Fix:
TMM now properly manages routing information for active connections.


694624-1 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor

Component: Access Policy Manager

Symptoms:
APM Webtop's SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS and Android clients. Each launch attempt generates following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac

Conditions:
Native RDP resource with enabled SSO is used on hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.

Impact:
RDP client can't launch requested resource (desktop/application).

Workaround:
Disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSO enabled Native RDP resources now can be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS and Android clients.


694547-2 : TMSH save sys config creates unneeded generate_config processes.

Solution Article: K74203532

Component: TMOS

Symptoms:
When saving a configuration through TMSH or iControl REST, the system creates an unneeded process named generate_config.

Conditions:
Run tmsh save sys config, or the same command through iControl REST.

Impact:
One generate_config process is generated per save operation. If config save occurs often, these extraneous processes can slowly fill up the process table.

Workaround:
There is no real workaround except to not save the config often enough to fill up process table with these extraneous processes.

If this issue has already occurred, you can recover by locating the parent process that has an associated zombie process, and restart the parent process to purge the zombie processes. icrd_child and/or scriptd are the parent processes known to cause this issue. To find out which daemon to restart and how to restart it, perform the following procedure:

Impact of workaround: Restarting any daemon on the BIG-IP system may cause service disruption, and F5 recommends performing this procedure only during a scheduled maintenance period. For more information about daemons' functions, refer to K05645522: BIG-IP daemons (13.x) (https://support.f5.com/csp/article/K05645522).

1. If you are still logged on to the tmsh command-line utility that was performing the configuration-save operation, exit from it first.
2. Login to the BIG-IP system's advanced shell using an account with Administrator credentials.
3. Locate the zombie process and its parent process using the following command:
ps --forest | grep -B1 generate_config.*defunct
 
4. With the parent process name discovered in the previous step, restart the associated daemon using the following commands that apply:
-- For the icrd_child process: tmsh restart /sys service restjavad
-- For the scriptd process: tmsh restart /sys service scriptd

Fix:
tmsh save sys config no longer generates generate_config processes.


694319-1 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues as not all CCA messages cannot be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
Add a statistics counter to track CCA's that do not request type AVPs.
Name of new counter:cca_unknown_type


694318-1 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending resulting in a potential increase in memry consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.


694274-1 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223


694078-1 : In rare cases, TMM may crash with high APM traffic

Component: Access Policy Manager

Symptoms:
Intermittent tmm core under load.

Conditions:
-- Provision APM (at least).

-- Additional required conditions are not well understood.

-- Seems more likely to occur when APM is provisioned with other modules, especially ASM or AVR.

Impact:
The BIG-IP system stops processing traffic while the TMM restarts.

Workaround:
None.

Fix:
Tmm core no longer occurs with high APM traffic.


694073-3 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.


693996-5 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


693979 : Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document

Component: TMOS

Symptoms:
The /shared/vadc/aws/iid-document's file permission changed and as a result the autoscale feature was failing.

Conditions:
Whenever autoscale is triggered

Impact:
The autoscale feature does not work

Workaround:
The permission of /shared/vadc/aws/iid-document was never set explicitly. It inherited file permission flags from /shared/vadc/. We set the file permission explicitly.

Fix:
The autoscale feature is functional after changing file permissions of /shared/vadc/aws/iid-document.


693966-1 : TCP sndpack not reset along with other tcp profile stats

Component: Local Traffic Manager

Symptoms:
TCP sndpack stat added is not being properly reset when a tmsh reset-stats command is issued.

Conditions:
When tmsh reset-stats command is issued.
-- tmsh reset-stats /ltm profile tcp <profile-name>

Impact:
TCP sndpack stat doesn't reset when tmsh reset-stats command is issued.

Workaround:
There is no workaround.

Fix:
With this fix, TCP sndpack stat will reset when tmsh reset-stats command is issued.


693964-1 : Qkview utility may generate invalid XML in files contained in Qkview

Component: TMOS

Symptoms:
When Qkview runs, it may gather XML files that are not well-formed, and contain ASCII control characters. This is most commonly seen with mcp_module.xml.

An XML validator may report an error such as:

    mcp_module.xml:536081: parser error : PCDATA invalid Char value 29
      <msgs></msgs>
            ^

Conditions:
-- Running Qkview.
-- An ASCII control character exists within a certain string field.

Impact:
The control character will be written verbatim into XML without encoding. Automated tools (e.g., iHealth) that attempt to process these files may fail.

Workaround:
iHealth automatically detects and corrects this issue in uploaded Qkviews.

You can analyze the XML files with some other tool, a tar.gz, so it can be unpacked, the XML files edited to correct the formatting, and then repacked. The xmllint command-line tool (present on the BIG-IP system) can also recover valid XML by removing the invalid characters.

To do so, you can run a command similar to the following:

    xmllint --recover mcp_module.xml --output mcp_module.xml

Fix:
Qkview no longer writes control characters in XML text, but instead processes them as expected.


693910-4 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transition to a STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a block state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

Fix:
FDB entries are now flushed by interface whenever an interface transitions to a STP block state.


693884-1 : ospfd core on secondary blade during network unstability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
Dynamic routing process ospfd core on secondary blade.

Workaround:
None.


693844-1 : APMD may restart continuously and cannot come up

Solution Article: K58335157

Component: Access Policy Manager

Symptoms:
apmd process cannot start correctly and restarts in an infinite loop. When apmd initializes the Allow Ending agent, the process tries to load all resources (including ACLs, the webtop, and all resources for every webtop, app tunnels, rdp, etc.). The most likely configuration to encounter this issue is with ACLs. For example, if you have thousands of ACL records, the Allow agent pulls them all at once. If the mcpd process is consumed with other operations, it might be that apmd cannot initialize the Allow agent in 30 secs, so it restarts, at which point the process tries to load all resources, cannot complete within the 30 seconds, and restarts in a loop.

Conditions:
Too many resources assigned in an Access Policy profile
for example thousands of ACLs configured.

apmd cannot initialize the Allow Ending agent in 30 seconds and decides it has stopped responding. Then it restarts by it's own, but problem is not solved, so it restarts in a loop

Impact:
APM end users cannot authenticate.

Workaround:
Reduce amount of resources so every agent can initialize within the 30-second timeframe.


693810-6 : CVE-2018-5529: APM Linux Client Vulnerability

Solution Article: K52171282


693780-1 : Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices

Component: Application Security Manager

Symptoms:
When a request arrives from UCBrowser running on iOS and without TSPD_101 (proactive bot defense cookie). The big-ip respond with captcha challenge.

Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.

Impact:
UC browser end-user presented with captcha challenge.

Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
    value "60"
}

Fix:
User agent parser has been changed (adjusted) for the UC browser. The UC browser is detected as safari ios.


693744-4 : CVE-2018-5531: vCMP vulnerability

Solution Article: K64721111


693694-1 : tmsh::load within IApp template results in unpredicted behavior

Component: iApp Technology

Symptoms:
tmsh::load command within IApp template triggers transaction within transaction and it is not supported by the MCP. One of the unexpected behavior seen is with the template having ASM policy and LTM policy. IApp framework doesn't let user to reconfigure the application service without turning off strict updates and also on rerunning, breaks association of LTM Policy with ASM Policy

Conditions:
tmsh::load command need to be used in in template to create ASM policy. With this tmsh::create there is no issue seen.

Impact:
Association b/w LTM Policy and ASM Policy broken

Workaround:
Use tmsh::create or tmsh::modify to create/update ASM policy through IApp template


693663-1 : Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode

Component: Application Security Manager

Symptoms:
When a request arrives from Firefox running on iOS in desktop mode and without TSPD_101 (proactive bot defense cookie). The big-ip respond with captcha challenge.

Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.

Impact:
Firefox (iOS desktop mode only) end-user presented with captcha challenge.

Workaround:
Increase proactive bot defense score.
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
    value "60"
}

Fix:
User agent parser has been changed (adjusted) for the Firefox browser running in desktop mode. The browser is detected as safari pc and the browser version is taken from Mac version number.


693611-3 : IKEv2 ike-peer might crash on stats object during peer modification update

Solution Article: K76313256

Component: TMOS

Symptoms:
A crash occurs upon passing traffic through the IPsec interface.

Conditions:
When an ike-peer is updated, or first defined at startup.

Impact:
Tmm restarts on crash.

Workaround:
No workaround is known at this time.

Fix:
IKEv2 ike-peer no longer crashes on stats object during peer modification update.


693578-2 : switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Component: TMOS

Symptoms:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Conditions:
None

Impact:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Workaround:
None

Fix:
No fix.


693359-1 : AWS M5 and C5 instance families are supported

Component: TMOS

Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.

Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.

Impact:
The system experiences a kernel panic and might crash.

Workaround:
None.

Fix:
All necessary components are added to support AWS M5 and C5 instance families.

Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.


693312-1 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


693308-1 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Component: Local Traffic Manager

Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both, client and server side
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Impact:
The backend server will not be securely accessible via SSL because the connection hangs

Workaround:
Disable SSL Session Persistence.

Fix:
Whenever a fragmented message is received by a BIG-IP virtual service, subsequent messages contain a 5-byte header, each, which should be accounted for. Upon taking this into consideration, no more multiple-of-5 bytes are found missing while the message is being parsed by the Session Persistence parser, and the parser no longer hangs.


693244-2 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned

Component: Local Traffic Manager

Symptoms:
BIG-IP silently drop the serverside TCP flow, when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.

Conditions:
BIG-IP receives a client-side reset when client-side TCP flow is in ESTABLISHED state and server-side TCP flow is in SYN-SENT state, serverside flow is silently dropped.

Impact:
Since serverside pool member does not receive the RST, it remains in SYN-RECEIVED state until it runs out of syn retransmissions and eventually, due to timeout, it returns to LISTEN state.

Fix:
BIG-IP resets serverside TCP flow with RST when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.


693106-1 : IKEv1 newest established phase-one SAs should be found first in a search

Component: TMOS

Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.

If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BigIP, preferring a newest SA may mitigate the problem.

Conditions:
The situation seems mostly easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.

If the other end deletes a duplicate without sending a DELETE message to BigIP, we might accidently use the older SA of a pair.

Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.

Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.

Fix:
At the momenet a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of a remote peer, the next time we initiate another phase two negotiation ourselves.


693007-1 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager (DNS)

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.

Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.


692970-2 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.


692941-1 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.


692890-3 : Adding support for BIG-IP 800 in 13.1.x

Component: TMOS

Symptoms:
Installing software version 13.1.0 fails on BIG-IP 800.

# tmsh show sys soft


---------------------------------------------------------Sys::Software Status
Volume Product Version Build Active Status
---------------------------------------------------------
HD1.1 BIG-IP 13.1.0 0.0.1868 no failed (Failed to install.)
HD1.2 BIG-IP 13.0.0 0.0.1645 yes complete
HD1.3 BIG-IP 11.6.0 0.0.401 no complete

---------------------------
Sys::Software Update Check
---------------------------
  Check Enabled true
  Phonehome Enabled true
  Frequency weekly
  Status none
  Errors 0

The system logs the following messages in /var/log/liveinstall.log:

info: Hardware is lm capable
info: System is lm capable
info: Adding application-package ltm7-application/noarch to transaction.
info: Adding application-package ros7-application/noarch to transaction.
info: Adding application-package sam-main/noarch to transaction.
info: Adding application-package sum-application/noarch to transaction.
info: Adding application-package ts-application/noarch to transaction.
info: Adding application-package wa-master/noarch to transaction.
info: Adding application-package (lm) woc-application-lm/noarch to transaction.
error: Product has no root package for Mercury
error: couldn't get package list file for LTM.ROS.SAM.SUM.TS.WA.WOC group Terminal error: Failed to install.
*** Live install end at 2018/01/02 13:29:45: failed (return code 255) ***

Conditions:
-- Installing/upgrading to v13.1.x.
-- Using the BIG-IP 800 platform.

Impact:
Install/upgrade will fail.

Workaround:
None.

Fix:
Installation now completes successfully on the BIG-IP 800 platform.


692753-1 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell

Component: TMOS

Symptoms:
Shutting down trap not sent when shutdown -r or shutdown -h issued from shell.

Conditions:
When user access the linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP does not send shutting down trap.

Impact:
None.
Since this is user triggered command, the user is aware of the shutdown event, so the lack of trap is not critical.

Workaround:
None

Fix:
The shutdown trap is sent when user issues "shutdown -r" or "shutdown -h" from the linux shell.


692683-1 : Core with /usr/bin/tmm.debug at qa_device_mgr_uninit

Component: TMOS

Symptoms:
Running a debug version of tmm (/usr/bin/tmm.debug) on BIG-IP 2xxx and 4xxx platforms, crashes at qa_device_mgr_uninit when issuing either of the following commands:
-- bigstart stop tmm
-- bigstart restart tmm

Conditions:
Running a debug version of tmm.
-- BIG-IP 2xxx and 4xxx platforms.
-- Running either of the following commands:
   + bigstart stop tmm
   + bigstart restart tmm

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using a debug version of tmm on BIG-IP 2xxx and 4xxx platforms.

Fix:
tmm no longer halts and restarts under these conditions.


692557-1 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.

Component: Access Policy Manager

Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.

Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
BIG-IP as SAML IdP no longer causes memory corruption when handling certain traffic.


692328-1 : Tmm core due to incorrect memory allocation

Component: Advanced Firewall Manager

Symptoms:
In a rare condition after providing afm, we get a tmm core.
You will see the following line in avrd.log
/usr/bin/avrinstall -c20 -t10 -s2401000 --provisionAVR=0 --provisionASM=0 --provisionAFM=0 --provisionPBD=0 --provisionAPM=0 --provisionFPS=0 --provisionPEM=0 --provisionVCMP=0

Conditions:
AFM provisioned.
Attack started.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
We check that the shared memory was allocated correctly before reporting on an attack.


692310-2 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body

Solution Article: K69250459

Component: Service Provider

Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.

Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).

Impact:
The HTTP server or client to which the modified request or response is destined, receives invalid HTTP and might behave in an unexpected manner.

Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'.

For example with modified request:

when ADAPT_REQUEST_HEADERS {
    if {([HTTP::method] eq "GET") and (not [HTTP::header exists 'Content-Length'])} {
        HTTP::header insert Content-Length 0
    }
}

Similarly when ADAPT_RESPONSE_HEADERS {} for a response.

Fix:
A modified HTTP v1.1 request or response with no body is never 'chunked'.


692307-3 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables


692189-1 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd

Fix:
errdefsd now generates a core file when forced to core.


692179-1 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.

Fix:
The changes in this bug force errdefsd to check for config changes once every second in addition to checking whenever management-port destination logs come in.


692158-1 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.

Conditions:
Use of iCall or CLI scripts to save the configuration.

Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.

Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.

Fix:
scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.


692123 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

Fix:
The GET method is not grayed out if MobileSafe is not licensed.


692095-1 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.


691945-1 : Security Policy Configuration Changes When Disabling Learning

Component: Application Security Manager

Symptoms:
When Learning is enabled in either manual or automatic mode, and is then disabled. This was considered to be the end of the learning process, and so changes are automatically made to the default wildcard entities ("*" URL, Parameter, Filetype) such as removing the element from staging.

The user is not notified of these changes, and they may not be expected, leading to undesired security enforcement.

Conditions:
-- Learning is enabled in Manual or Automatic mode.
-- Learning is then disabled.

Impact:
Unexpected changes to the default wildcard elements in the policy can lead to undesired security enforcement.

Workaround:
The audit log shows all changes that were made to the policy, and undesired changes can be remedied before the policy changes are applied.

Fix:
No changes are made to the default wildcard entities upon disabling of learning.


691897-3 : Names of the modified cookies do not appear in the event log

Component: Application Security Manager

Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie is empty.

Conditions:
A modified domain cookies violation happens.

Note: This can happen only if there are also non-modified or staged cookies.

Impact:
Expected violation details are not displayed.

Workaround:
There is no workaround at this time.

Fix:
Issue with modified domain cookie violation details is now fixed.


691806-1 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Solution Article: K61815412

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.


691785-1 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Removed the panic statement that caused TMM to core. TMM will now log an error and drop the packet instead.


691670-5 : Rare BD crash in a specific scenario

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.


691609-1 : 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address

Component: TMOS

Symptoms:
The error:

Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested add

Conditions:
Starting VE in 1NIC mode without a DHCP server and configuring the management interface.

Impact:
No management IP or Self IP.

Workaround:
There is no workaround at this time.

Fix:
Configuring the management IP in 1NIC mode now works.


691589-4 : When using LDAP client auth, tamd may become stuck

Component: TMOS

Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.

Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.

Impact:
Authentication to the virtual server fails until tamd is restarted.

Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd

Fix:
tamd no longer becomes stuck when using LDAP client auth.


691504-1 : PEM content insertion in a compressed response may cause a crash.

Solution Article: K54562183


691498-3 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, Traffic disrupted while tmm restarts.

Workaround:
No known workaround.

Fix:
The reference counting of the resolver connection was fixed.


691497-2 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions

Component: TMOS

Symptoms:
The .diffVersions directory has config change-diffs saved into patch files every time tmsh saves the configs. This is used for diagnostic purposes only.

Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' gets run at the same time, causing a patch file to be deleted that the ucs-save feature now expected to exist.

Impact:
The ucs-save feature complains about the missing patch file and exits.

Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.

Fix:
With this defect fixed, patch files that end up missing once 'tmsh load sys ucs <file>' is started will not be reported as an error, and the tmsh command will complete normally.


691491-5 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Solution Article: K13841403

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.

Fix:
The BIG-IP system now correctly returns SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces.


691477-2 : ASM standby unit showing future date and high version count for ASM Device Group

Component: Application Security Manager

Symptoms:
Policy builder is changing configuration of standby unit.

Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).

Impact:
Unexpected changes are made to the policy on standby device (CID increment).

Workaround:
Restart pabnagd when switching device from active to standby (also when blade is changed from master no non-master):

killall -s SIGHUP pabnagd

Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.


691462-1 : Bad actors detection might not work when signature mitigation blocks bad traffic

Component: Anomaly Detection Services

Symptoms:
When signature detected and mitigating no bad actors detection

Conditions:
1. Signatures detected and mitigating
2. Attack traffic is not significantly higher than the good traffic

Impact:
No bad actors detected.
Only signatures provides DoS protection.
BIG-IP CPU utilization is higher than necessary

Workaround:
No workaround at this time.

Fix:
The fix takes in account also SIGNATURES DROPS to decide when bad actors detection should be more agressive.


691287-1 : tmm crashes on iRule with GTM pool command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').

For example:

when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

or:

when DNS_REQUEST {
    pool [class lookup pool-dg key-value]
}

Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Pass the 'pool' argument through 'string trim'. For instance:

when DNS_REQUEST {
    pool [string trim [class lookup pool-dg key-value]]
}

Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.


691224-3 : Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled

Solution Article: K59327001

Component: Local Traffic Manager

Symptoms:
Node Server rejects received-and-incomplete ClientHello message and connection terminates.

Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.

Impact:
With Session Persistence enabled
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.

Workaround:
The issue disappears when SSL Persistence is disabled.


691210-1 : Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.

Component: TMOS

Symptoms:
Traffic stops after tmm restart. BIG-IP Virtual Edition (VE) becomes unresponsive and requires power cycle.

Conditions:
This occurs when the following conditions are met:
-- Using VE.
-- Data plane interfaces are SR-IOV VF.
-- Guest VLAN tagging is used.
-- tmm restart.

Impact:
BIG-IP system stops working, and management connection may be lost, requiring power cycle.

Workaround:
Use VLAN tagging from host.

Fix:
The BIG-IP system now continues to work after tmm restart when guest VLAN tagging is used with SR-IOV interfaces for BIG-IP VE.


691095-1 : CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes

Component: Local Traffic Manager

Symptoms:
CA certificates with long but different serial numbers are treated identical and duplicate, thus get lost in the CA certificate merge operation. Only one would be left.

Conditions:
- The CA bundle file is managed by the CA bundle manager.

- The file contains certificates with large serial numbers.

Impact:
Certificates with large serial numbers are treated as duplicate, and removed.

Workaround:
There is no workaround at this time.

Fix:
Large serial numbers are treated correctly.


691048-1 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.

Conditions:
Diameter answer message doesn't have Result-Code AVP available, but with Experimental-Result AVP.

Impact:
The server side flow is aborted.

Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.

Fix:
This release supports DIAMETER Experimental-Result AVP response.


690890-1 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.

Fix:
The failover daemon detects that an instance is already running, and exits without disrupting the system.


690883-1 : BIG-IQ: Changing learning mode for elements does not always take effect

Component: Application Security Manager

Symptoms:
When changing learning mode for an element type (e.g., WebSocket URLs), if no other changes are made to the default '*' entity, then suggestions are not created correctly.

Conditions:
Changes are deployed from a BIG-IQ device, where the learning mode for an element type (e.g., WebSocket URLs) is changed (e.g., from Never to Always), and no other changes are made to the default '*' entity.

Impact:
Suggestions are not created correctly.

Workaround:
Modify the '*' entity as well (change description).

Fix:
Learning mode changes are correctly handled from BIG-IQ.


690819-1 : Using an iRule module after a 'session lookup' may result in crash

Component: TMOS

Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.

Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.

Impact:
The system may core, or result in undefined and/or undesired behavior.

Workaround:
Check the return value of 'session lookup' before using another iRule module.

If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.


690793-1 : TMM may crash and dump core due to improper connflow tracking

Solution Article: K25263287

Component: TMOS

Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.

Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.

While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.

Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.

Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.

However, this does not eliminate entirely the chances of running into this issue.

Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.


690778-1 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Solution Article: K53531153

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.

Fix:
Prevented memory leak in stream code.


690756-1 : APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated

Component: Local Traffic Manager

Symptoms:
Using the ACCESS::restrict_irule_events disable command to allow iRule events triggered by APM-generated responses to be visible to the iRule no longer works.

Conditions:
-- ACCESS::restrict_irule_events disable.
-- HTTP iRules commands used in HTTP_RESPONSE_RELEASE after a retry has been triggered by APM.

Impact:
iRule execution is aborted.

Workaround:
The only possible workaround is to abandon the iRule, and implement the functionality using a VIP-targeting-VIP configuration.

Note: This might not be acceptable in many cases either because of functionality loss (e.g., client certificate auth), or because there are complicated issues specifically solved by iRules.

Fix:
APM triggers a new iRule event when it retries a request. This new event allows iRules to be notified when this occurs.

The HTTP_RESPONSE_RELEASE event is no longer triggered on an internal retry as no response will be sent.

A BigDB variable has been added to disable run-time validation of HTTP iRule commands. This is intended to ease the roll-forward of old APM iRules.


690215-2 : Missing requests in request log

Component: Application Security Manager

Symptoms:
Requests are missing from request log

Conditions:
Either of:
- pabnagd restart
- asm restart
- failover

Impact:
- Requests are not logged for up to an hour (affected by the amount of policies)

Workaround:
No workaround.

Fix:
All requests are now logged always.


690166-1 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

Component: Global Traffic Manager (DNS)

Symptoms:
Creating SRV wideip will result in stub zone creation even there are already matching zones.

Conditions:
Creating SRV wideip with three more layers than existing zone.

Impact:
Unnecessary stub zones created.


690116-1 : websso daemon might crash when logging set to debug

Component: Access Policy Manager

Symptoms:
If the authentication type is HTTP headers and the log level is set to debug, an incorrect parameter gets printed, and if it happens to be NULL the websso daemon crashes.

Conditions:
-- Authentication type is HTTP headers.
-- Log level is debug for WebSSO (the single-sign-on (SSO) functionality for Web access through the BIG-IP APM system).

Impact:
websso daemon might crash.

Workaround:
Set log level to Informational.

Note: The data logged specifically for debug level is targeted toward developers, and is rarely useful in a production environment.

Fix:
The websso daemon no longer crashes when running in debug logging mode and handling certain traffic.


690042-1 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer leaks memory.


689730-3 : Software installations from v13.1.0 might fail

Component: TMOS

Symptoms:
Installation terminates with the following final log messages:

info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.

Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
   + i2600
   + i2800
   + i4600
   + i4800
   + i5600
   + i5800
   + i5820
   + i7600
   + i7800
   + i7820
   + i10600
   + i10800
   + i11600
   + i11800

-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.

Impact:
Installation of new software cannot proceed.

Workaround:
Remove the '/shared/core' symlink, the restart the installation.

Fix:
The installer now properly detects the symlink and proceeds without error.


689691-2 : iStats line length greater than 4032 bytes results in corrupted statistics or merge errors

Component: TMOS

Symptoms:
You can create dynamic statistics using the istats command and iStats directive in iRules. The maximum length of the line (the sum of all columns) is 4032 bytes. If the user attempts to create an iStat whose column sizes when summed exceed this value then there will be errors in the ltm and logs, and the statistic will not be incremented or merged. Log messages appear similar to the following:
-- notice 4: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged at 0x42e2d50.
-- err tmm[21822]: 01220001:3: TCL error: /Common/istat_it <HTTP_REQUEST> - Error: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged (line 1) invoked from within "ISTATS::incr "ltm.virtual [virtual name] counter $host-$path" 1".

Conditions:
An iStat is created or modified such that the sum of the column widths is greater than 4032 bytes.

Impact:
Statistics corruption or merge errors occur. The statistic is not maintained. This is a system limit. An iStat should not be created such that its record length exceeds the 4032-byte limit.

Workaround:
This is a system limit. An istat should not be created such that it's record length exceeds the limit.

Fix:
Line length enforcement was added and an error log is output when the length is exceeded. Now, when the limit is reached, there are no corruption or merge errors. The system posts messages similar to the following in the tmm log file:

-- notice iStat for table 'ltm_virtual' column 'www_qqwabc3584' cannot be added as row size '4040' is too long at 0x46dcd90

To avoid errors like this, do not add columns to iStats in iRule directives.


689591-2 : When pingaccess SDK processes certain POST requests from the client, the TMM may restart

Component: Access Policy Manager

Symptoms:
BIG-IP's tmm may restart when processing certain client's POST requests body on which need to be inspected by the PingAccess policy server.

Conditions:
- BIG-IP virtual server is configured as policy decision point with PingAccess policy server.
- User sends a POST request to BIG-IP.
- Policy configured on PingAccess server requires inspection of the body of the POST request sent by the user.

Impact:
Traffic will be temporarily disrupted while tmm restarts.

Fix:
TMM will no longer restart when processing client's POST requests that need to be inspected by the PingAccess policy server.


689577-3 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.


689561-1 : HTTPS request hangs when multiple virtual https servers shares the same ip address

Component: Local Traffic Manager

Symptoms:
SSL forward proxy reuses the server ssl session when client ip, server ip and server port matches the ssl session. when multiple virtual https servers share the same ip address, it could happen server ssl reuse a session previously from other virtual server. in such a situation, client cannot forge certificate and hangs the ssh handshake.

Conditions:
multiple virtual https servers share the same ip address, and they internally share the ssl sessions. we saw it happens in several google domain.

Impact:
client cannot access some https web server.

Workaround:
A workaround is disabling the "Session Ticket" in the server ssl profile, since we do not support session id resumption in the server ssl, this will cause it do full handshake to web server every time, so server_certchain will not be NULL.

Fix:
it matches the client ip, server ip and port as well as the server name in the SNI to the server ssl session cache. it will not reuse the sessions does not match virtual server name after the fix.


689540-1 : The same DOS attack generates new signatures even if there are signatures generated during previous attacks.

Component: Anomaly Detection Services

Symptoms:
The same DOS attack generates new signatures even if there are signatures generated during previous attacks.

Conditions:
Repeated DOS attack with the same attacking traffic

Impact:
Generated redundant useless signatures.

Workaround:
There is no workaround at this time.

Fix:
Prevent generation of new signatures handles requests which are already covered by the old ones.


689491 : cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled

Component: TMOS

Symptoms:
CPU usage stats are incorrect and system looks idle when it's actually busy

Conditions:
vcmp guests with 1-core or htsplit disabled

Impact:
CPU stats are incorrect and it might make it difficult to trouble shoot problems.


689449-1 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will killed.

Workaround:
No workaround at this time.

Fix:
BIG-IP no longer attempts to send a response with a configured fallback host in HTTP profile, when a connection is aborted by a client or due to an internal error. It prevents the internal flow to stay in memory after the connection has died.


689437-1 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Solution Article: K49554067

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.

Fix:
icrd_child parsing logic update is needed to not enter recursion.


689375-1 : Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled

Solution Article: K01512833

Component: TMOS

Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.

Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.

Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.

Workaround:
Modify the same setting through TMSH modify client/server SSL profile command, as follows:

tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled

tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled

Fix:
You can now modify 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled.


689343-2 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have timeout value less than 10 seconds, although the configured persistence timeout is 120 seconds

Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, thus subsequent requests will be dispatched to other pool member.

Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.

Fix:
When the Diameter custom persistence iRule "DIAMETER::persist key 1" is used, the persist timeout value will be set correctly as configured.


689211-3 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }

Component: TMOS

Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.

Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.

Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.

Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.

Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
 bigstart restart

Fix:
Added check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an address containing all zero when forwarded.


689089-1 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.

Fix:
The configuration file update logic has been changed to prevent file corruption during update.


689002-3 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.

Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.


688942-5 : ICAP: Chunk parser performs poorly with very large chunk

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload in mulitple normal sized chunks (up to a few tens of KB).

Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.


688911-1 : LTM Policy GUI incorrectly shows conditions with datagroups

Solution Article: K94296004

Component: TMOS

Symptoms:
When editing an LTM policy rule, the GUI defaults to using the datagroup value, overriding previous rule values, because the policy rule introduced the datagroups.

Conditions:
Editing a policy rule.

Impact:
The previous rule values are overridden by the datagroup's values.

Workaround:
Use TMSH to modify the rule.

Fix:
The GUI was updated to default to using the policy rule's values and not the datagroup values.


688813-2 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
While other dimensions are being collapsed correctly, the Device ID field is not being collapsed causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.

Fix:
Over time, no of the AVR_STAT_ASM_HTTP_CLIENT_IP_X#...MYD file exceeds 300 MB, so this problem no longer occurs.


688744-1 : LTM Policy does not correctly handle multiple datagroups

Solution Article: K11793920

Component: Local Traffic Manager

Symptoms:
Policy in use where the conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.

Conditions:
LTM Policy where the conditions reference two or more datagroups.

Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.

Workaround:
Only mitigation is to refactor the policy so that it does not refer to more than one datagroup-based condition.

Fix:
LTM Policy correctly handles policies referencing multiple datagroups


688629-1 : Deleting data-group in use by iRule does not trigger validation error

Solution Article: K52334096

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
In use data-group can be deleted without error. iRule aborts leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.

Fix:
An attempt to delete a data-group in use by an iRule now triggers a validation error.


688625-5 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432


688571-2 : Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Solution Article: K40332712

Component: Local Traffic Manager

Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop', and the system receives the certificate from the backend server which is not trusted by current BIG-IP system, the expected behavior is that the system should end the connection.

But the current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with backend server.

Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.

-- Configure the 'untrusted-cert-response-control drop' in the server-ssl profile.

-- The corresponding server-ssl is configured at the virtual server.

Impact:
Virtual server might communicate with the backend server that sends the untrusted certificate to the BIG-IP system. Untrusted cert could still be accepted by the server-ssl virtual server even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Workaround:
None.

Fix:
When the system receives the untrusted certificate from backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system will end the current SSL handshake procedure instead of continuing to proceed to finish it.


688570-5 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes

Component: Local Traffic Manager

Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.

Conditions:
An MPTCP connection is closed.

Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.

Workaround:
There is no workaround at this time.

Fix:
Fixed event processing at the end of a connection.


688557-1 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Solution Article: K50462482

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).

Fix:
The 'tmsh help ltm monitor sasp' command now lists the correct default value for the 'mode' parameter.


688553-3 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.


688516-1 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


688406-1 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.

Fix:
The total HA-Group Score is now displayed correctly.


688246-1 : An invalid mode in the LSN::persistence command causes TMM crash

Component: Carrier-Grade NAT

Symptoms:
When an iRule is triggered and the LSN::persistence command is passed an invalid persistence mode, TMM will crash.

Conditions:
An iRule using the LSN::persistence command with an invalid persistence mode that is attached to a Virtual Server and is triggered by traffic.

Impact:
TMM restarts. Traffic is interrupted. It is likely that the iRule will be triggered again causing repeated crashes.

Workaround:
The persistence mode must be set to one of "none", "address", "address-port" or "strict-address-port".

Fix:
TMM no longer crashes when an invalid persistence mode is used. Instead the LSN::persistence command returns an error.


688148-3 : IKEv1 racoon daemon SEGV during phase-two SA list iteration

Component: TMOS

Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.

Conditions:
Deleting phase-two SAs, either manually or in response to notifications.

Impact:
IKEv1 tunnel outage until the racoon daemon restarts.

Workaround:
None.

Fix:
Fixed list iteration to use the correct list linkage, so iterating one phase-one SAs list does not instead visit the global list of phase-two SAs.


688011-7 : Dig utility does not apply best practices

Solution Article: K02043709


688009-7 : Appliance Mode TMSH hardening

Solution Article: K46121888


687987 : Presentation of signatures in human-readable format

Component: Anomaly Detection Services

Symptoms:
When publishing signature with predicates such as http.referer and http.uri, the system presents the result of the hash operation as follows: http.uri_file_hashes-to 42

Conditions:
Always when publishing signature with predicates such as http.referer and http.uri.

Impact:
It is not clear what '42' means.

Workaround:
None.

Fix:
When publishing signatures, the system now presents the hashes as follows:

http.referer_hashes-like '/zzz'
http.uri_file_hashes-like '/123'


687986 : High CPU consumption during signature generation, not limited number of signatures per virtual server

Component: Anomaly Detection Services

Symptoms:
The number of the signatures per virtual server is not limited. This can result in a very large number of generated signatures during sophisticated attacks that use changing patterns. After a time, when a system experiences a number of attacks, the list of generated signatures can be too long.

Conditions:
-- Sophisticated attacks that use changing patterns.
-- System experiences a large number of attacks.

Impact:
High CPU utilization when mitigating. Overloaded GUI signatures screen.

Workaround:
Manually remove old / not-often-used signatures.

Fix:
The system now limits the number of signatures per virtual servers, and optimizes per-signatures operation.


687984 : Attacks with randomization of HTTP headers parameters generates too many signatures

Component: Anomaly Detection Services

Symptoms:
When attackers randomize HTTP headers parameters, Behavioral DoS (BADoS) might generate too many signatures.

Conditions:
Attacks with randomization of HTTP headers parameters.

Impact:
The list of generated signatures is too long. It produces unnecessary CPU utilization for attack mitigation.

Workaround:
None.

Fix:
Improved algorithm that detects a randomization.


687937-1 : RDP URIs generated by APM Webtop are not properly encoded

Component: Access Policy Manager

Symptoms:
RDP URIs used to launch Native RDP resources form APM Webtop on Android/iOS/Mac are not properly encoded. As a result, RDP client might misinterpret the URI, in cases in which some RDP parameter contains the ampersand ( & ) symbol.

Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.

One of RDP parameters contains symbol that should be URI encoded, e.g., '&'.

Impact:
RDP client misinterprets URI, which may result in failure to open RDP resource.

Workaround:
None.

Fix:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are now properly encoded.


687905-2 : OneConnect profile causes CMP redirected connections on the HA standby

Solution Article: K72040312

Component: TMOS

Symptoms:
When virtual server uses OneConnect profile in HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and memory leak on high availability (HA) standby systems, including high memory usage on standby units.

Conditions:
-- Virtual server uses OneConnect profile in HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.

Impact:
Redirected connections and memory leak on a standby device.

Workaround:
Remove OneConnect profile from the virtual server.


687759-1 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache


687658 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.


687635-1 : Tmm becomes unresponsive and might restart

Solution Article: K58002142

Component: Local Traffic Manager

Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.

Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.

Impact:
Tmm becomes unresponsive and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Tmm correctly shuts down HTTPS connection.


687534-1 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool

Conditions:
This issue occurs when a pool name contains .. in the name.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
 tmsh modify ltm pool <pool name> members add { <member info> }

Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.


687368-1 : The Configuration utility may calculate and display an incorrect HA Group Score

Solution Article: K64414880

Component: TMOS

Symptoms:
The Configuration utility may calculate and display a high availability (HA) Group Score of 0, while in reality the correct HA Group Score is greater than 0.

Conditions:
This issue occurs when a particular HA Group object (for example, a Pool) has no available members, and the 'Minimum Member Count' option is not used (this is the default).

Impact:
This issue is cosmetic as it is limited to what the Configuration utility calculates and displays to the user. Internally, the system uses the correct HA Group Score to determine the role of the unit. However, it is possible for a BIG-IP Administrator to be mislead by this issue and take a wrong or unnecessary corrective action because of it.

Workaround:
You can use the TMSH utility from the command line to display the correct HA Group Score.

Fix:
The Configuration utility no longer calculates and displays an incorrect HA Group Score.


687353-1 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0


687205-2 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart

Component: Local Traffic Manager

Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.

Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.

Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.

Workaround:
None.


687128-1 : gtm::host iRule validation for ipv4 and ipv6 addresses

Component: Global Traffic Manager (DNS)

Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.

Conditions:
An AAAA-type wideip with a ipv4 gtm::host iRule, or A-type wideip with an ipv6 gtm::host iRUle.

Impact:
Incorrect host information was being returned.

Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.

Fix:
FIxed issue allowing incorrect gtm::host iRule commands to trigger on incorrect wideip types.


686972-4 : The change of APM log settings will reset the SSL session cache.

Component: Local Traffic Manager

Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Also, subsequent resumption of SSL sessions may fail after such change causing a situation where full ssl handshakes may occur more frequently.

Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.

Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.

Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.

Fix:
The change of APM log settings now limits its effect on APM module instead of affecting other (SSL) module's data.


686926-2 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because a second response appears to have an out-of-order message ID when BIG-IP believe the first message_id of zero was already handled earlier.

Workaround:
None.

Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.


686906-2 : Fragmented IPv6 packets not handled correctly on Virtual Edition

Component: TMOS

Symptoms:
Use of IP fragmentation with IPv6 packets might not be handled correctly by BIG-IP Virtual Edition (VE) platforms. The initial fragmented are received, but subsequent fragments are discarded.

Conditions:
VE with IPv6 packets and IP fragmentation.

Impact:
Traffic which depends upon fragmented IPv6 packets will not be successfully processed.

Workaround:
There is no workaround at this time.

Fix:
These fragments are now handled correctly in the same manner as IPv4.


686890-1 : X509_EXTENSION memory blocks leak when C3D forges the certificate.

Component: Local Traffic Manager

Symptoms:
One X509_EXTENSION memory block leaks when C3D forges the certificate.

Conditions:
When C3D forges the certificate.

Impact:
X509_EXTENSION memory blocks leak when forged certificate is successful.

Workaround:
None.

Fix:
The system now frees the leaked X509_EXTENSION when C3D forges the certificate.


686765-2 : Database cleaning failure may allow MySQL space to fill the disk entirely

Component: Application Security Manager

Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.

In /var/log/ts/asm_config_server.log you might see these errors repeatedly:

Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full

Conditions:
This occurs if database cleaning failures occur.

Impact:
Disk will fill up, and you will be unable to modify ASM policies.


686631-2 : Deselect a compression provider at the end of a job and reselect a provider for a new job

Component: Local Traffic Manager

Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.

Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.

Impact:
It affects the compression provider selection.

Workaround:
None.

Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.


686517-2 : Changes to a parent policy that has no active children are not synced to the secondary chassis slots.

Component: Application Security Manager

Symptoms:
Changes to a parent policy that has no active children are not synced to the secondary chassis slots.

Conditions:
-- ASM provisioned.
-- Having a parent policy that has no active children.

Impact:
On a chassis failover, the new Primary slot will have an outdated version of the parent policy.

Workaround:
None.

Fix:
Changes to a parent policy that has no active children are now synced to the secondary chassis slots.


686510-1 : If tmm was restarted during an attack, the attack might appear ongoing in GUI

Component: Application Visibility and Reporting

Symptoms:
Attack appears ongoing, even though it ended.

Conditions:
Rare condition of tmm restart during an attack.

Impact:
The GUI falsely shows the attack as ongoing, even though it ended.

Workaround:
No workaround.

Fix:
Now, when tmm is restarted during an attack, this specific attack is shown as ended in DoS overview page after 15 minutes.


686470-1 : Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.

Component: Application Security Manager

Symptoms:
AJAX requests are not sent, JavaScript errors, AJAX-based web-app malfunctions.

Conditions:
1a. Single page application enabled either via a DoS application profile or in an ASM policy.
1b. AJAX Response Page enabled via ASM policy.

2. Web Application client side code uses jQuery or any other AJAX clientside framework.

Impact:
AJAX request might not be sent, and the overall website's clientside functionality related to the AJAX requests might not work as expected.

Workaround:
Disable Single Page Application support.

Fix:
Fixed Single Page Application AJAX hook to support the AJAX response onload callback re-assignment.


686452-1 : File Content Detection Formats are not exported in Policy XML

Component: Application Security Manager

Symptoms:
If a policy is configured with Data Guard enabled with File Content Detection, the selected File Content Detection Formats are not correctly exported in the Policy XML.

When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

Conditions:
A policy is configured with Data Guard enabled with File Content Detection, and then exported in XML format.

Impact:
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

The formerly selected file content formats will not be correctly identified.

Workaround:
Use Binary Policy import/export.

Fix:
File Content Detection Formats are correctly exported.


686389-1 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.


686376-2 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon

Component: Advanced Firewall Manager

Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show error status: Firewall rules deployment failed. After the system gets in this state it cannot be fixed except by removing or disabling all scheduled firewall rules.

Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.

Impact:
After this failure, firewall rules are not applied on data traffic.

Workaround:
Remove or disable all scheduled firewall rules.

Fix:
New blob deployed and new firewall rules applied successfully.


686307-3 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Solution Article: K10665315

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.

Fix:
This release addresses the underlying problem so the issue no longer occurs.


686305-1 : TMM may crash while processing SSL forward proxy traffic

Solution Article: K64552448


686228-1 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.

Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.


686190-1 : LRO performance impact with BWC and FastL4 virtual server

Component: TMOS

Symptoms:
Using Bandwidth controller (BWC) might result in a very large drop in performance of up to 75%. In this release, Large receive offload (LRO) is enabled by default.

Conditions:
-- BWC is configured.
-- Virtual server has a FastL4 profile assigned.
-- LRO is enabled (enabled by default in 13.1.0).

Impact:
Very large performance impact to the BWC policy (up to 75%). For example, if the BWC policy rate limit is set to 100Mb, the actual rate limit could be 25Mb.

Workaround:
Disabling LRO recaptures most of the performance degradation related to using FastL4. To disable LRO (this is a system-wide setting), run the following command:
 tmsh modify sys db tm.largereceiveoffload value disable

Important note: Although you can disable LRO to recapture much of the 13.0.0-level performance, you will likely still experience some impact: 2-5% for small files, 17-22% degradation for the '10 requests per connection' benchmark. The only guaranteed way to avoid performance degradation is to remain on version 13.0.0.


686124-1 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Solution Article: K83576240

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.

Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.


686111-1 : Searching and Reseting Audit Logs not working as expected

Solution Article: K89363245

Component: TMOS

Symptoms:
Clicking the Search and Reset buttons on Audit Logs might post the following error message: An error has occurred while trying to process your request.

Conditions:
Clicking the 'Search' or 'Reset' button on Audit Logs.

Impact:
Cannot search Audit Logs.

Workaround:
Use tmsh or bash.

Fix:
Searching and Reseting Audit Logs now works as expected.


686108-1 : User gets blocking page instead of captcha during brute force attack

Component: Application Security Manager

Symptoms:
Unexpected blocking page while captcha is configured.

Conditions:
-- Brute force configured with alarm and captcha mitigation.
-- The only source configured is username.
-- These are the first failed login requests after a system start up or after a login page configuration change.

Impact:
Unexpected blocking page mitigation where captcha mitigation was expected.

Workaround:
There are two workarounds:

-- Access the login page at least 10 times within 5 minutes.

-- Run the following command: tmsh modify sys db asm.cs_qualified_urls value <YOUR_LOGIN_URL>

Fix:
Fixed an issue with unexpected blocking page while captcha is configured.


686065-2 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousand of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

Fix:
The scenario now works as expected and no longer results in a crash.


686029-2 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces

Component: TMOS

Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.

Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.

Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.

Workaround:
None.

Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.


685964-1 : cs_qualified_urls bigdb does not cause configured URLs to be qualified.

Component: Application Security Manager

Symptoms:
cs_qualified_urls is configured but is not functional.

Conditions:
-- cs_qualified_urls is configured.
-- A request to the URL listed in the bigdb arrives.
-- The URL is seen as non-qualified although configured.

Impact:
URLs that are not supposed to getting through configuration.

Workaround:
None.

Fix:
Fixed a bigdb issue with cs_qualified_urls variable.


685862-1 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML IdP, and signing is configured, BIG-IP will sign the message by configured signing key, and include last certificate from the configured signing certificate chain in the SAML protocol message. Expected behavior is to include first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.

Conditions:
All of the following:
- BIG-IP is used as SAML IdP or SAML as SP with SLO configured.
- BIG-IP generates signed SAML response containing assertion or SLO request/response
- Configured on BIG-IP signing certificate is a security chain and not a single certificate

Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementation may drop signed SAML message if last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that signing operation itself is performed correctly by BIG-IP using configured signing certificate, and digital signature will contain correct value.

Workaround:
Instead of using signing certificate chain, change BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (single X509 object) by extracting first certificate from the chain.

Fix:
After the fix, BIG-IP will include first certificate found within configured signing certificate (chain).


685771-1 : Policies cannot be created with SAP, OWA, or SharePoint templates

Component: Application Security Manager

Symptoms:
Attempting to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Template fails.

Conditions:
Attempt to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Templates

Impact:
Policy creation fails.

Workaround:
None.

Fix:
Policies can be created using these factory templates.


685743-5 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.

Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.


685708-4 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

Fix:
The system will no longer core.


685628-1 : Performance regression on B4450 blade

Component: Performance

Symptoms:
Performance degradation may occur for certain types of traffic when the system is under heavy traffic load. L4 and L7 performance may be degraded by up to 5% compared to previous BIG-IP releases.

Conditions:
- L4 and L7 traffic when system is under heavy traffic load.
- VIPRION B4450 blades.

Impact:
You may encounter a performance degradation for certain types of traffic upon upgrading.

Workaround:
None.

Fix:
Performance regression on B4450 blade has been eliminated.


685615-4 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.

Workaround:
Use transparent mode on the VLAN group.

Fix:
source-mac-address for host traffic is correctly set.


685582-7 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...

Fix:
The unit key hash is now the correct length and is consistent upon each 'f5mku -f' command.


685519-1 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.

Fix:
Mirrored connections now honor the TCP handshake timeout.


685475-1 : Unexpected error when applying hotfix

Solution Article: K93145012

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIG-IP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIG-IP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIG-IP-11.6.1.0.0.317.iso'.

Here is another example: on multi-bladed VIPRION systems, where it is resolved by running 12.1.3.6.

1) Install and boot into 12.0.0 on the VIPRION system:
-- install /sys software image 12.0.0.iso create-volume volume HD1.test
-- reboot volume HD1.test
2) Install and boot into 12.1.2.0.402.249:
-- install /sys software hotfix Hotfix-BIG-IP-12.1.2.0.402.249-ENG.iso create-volume volume HD1.test2
-- reboot volume HD1.test2
3) Delete 12.0.0.iso and volume HD1.test:
-- delete sys software image 12.0.0.iso
-- delete sys software volume HD1.test
4) Copy over Hotfix-BIG-IP-13.1.0.7.0.17.1-ENG.iso without the 13.1.0.7 base image.
5) Check the /var/log/ltm logs for the following message:
-- lind[6288]: 013c0006:5: Image (BIG-IP-12.0.0.0.0.606.iso) has a software image entry in MCP database but does not exist on the filesystem.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation operation again.

Fix:
Issuing a 'install hotfix' command when the base image is not available sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.


685467-1 : Certain header manipulations in HTTP profile may result in losing connection.

Solution Article: K12933087

Component: Local Traffic Manager

Symptoms:
HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarding to a pool member. When a virtual server has iRule with a collect command like SSL::collect, it is affected by the HTTP profile processing. Same issue has an option 'Request Header Erase' available in HTTP profile.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.

Fix:
An issue of a resetting connections due to configuration options 'Insert X-Forwarded-For' and 'Request Header Erase' in HTTP profile no longer happens.


685458-7 : merged fails merging a table when a table row has incomplete keys defined.

Solution Article: K44738140

Component: TMOS

Symptoms:
There is as timing issue in merged where it will fail processing a table row with incomplete keys defined.

Conditions:
There are no specific conditions required, only that merged is running, which is true on every BIG-IP system, when the BIG-IP system is processing a table row with incomplete keys defined.

Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.

Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.

Workaround:
None.

Fix:
merged now detect this scenario, a table row with incomplete keys defined, and does not fail.


685254-2 : RAM Cache Exceeding Watchdog Timeout in Header Field Search

Solution Article: K14013100

Component: Local Traffic Manager

Symptoms:
SOD halts TMM while RAM cache is processing a header.

Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.

Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.

Workaround:
No workaround at this time.

Fix:
SOD no longer halts TMM while RAM cache is processing a header.


685230-3 : memory leak on a specific server scenario

Component: Application Security Manager

Symptoms:
The bd process memory increases.

Conditions:
A specific server scenario of handling the traffic.

Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.

Workaround:
There is no workaround at this time.

Fix:
A memory leaked related to a specific server scenario was fixed.


685207-1 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Login to the client IP address and send the ab request.
2. Once the DoS attack starts, sends the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.


685193-1 : If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies

Component: Application Security Manager

Symptoms:
If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies.

Conditions:
1) Create Parent policy and set some section's Inheritance to None.
2) Create child policy and assign it to the parent created above.
3) Go to the Parent Policy Inheritance Setting tab, you will see that number of comments for sections with None will be equal to number of child policies.

Impact:
There is an incorrect number of Comments shown in Inheritance Settings

Workaround:
None.

Fix:
The correct number of comments will be shown for each section in Inheritance Setting tab for Parent Policy. In case of None inheritance nothing will be shown.


685164-1 : In partitions with default route domain != 0 request log is not showing requests

Component: Application Security Manager

Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.

Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).


685110-1 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Solution Article: K05430133

Component: Local Traffic Manager

Symptoms:
1. FQDN Node/pools fails to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FDQN nodes/pool members with non-LTM license.

Workaround:
None.

Fix:
Non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.


685056 : VE OVAs is not the supported platform to run VMware guest OS customization

Component: TMOS

Symptoms:
VMware vCenter fails to create customization specification wizard because the BIG-IP Virtual Edition (VE) OVA's OSType is set to 'Other 64-bit'.

Conditions:
When applying VMware guest OS customization on VMware BIG-IP VE.

Impact:
VMware guest OS customization fails (cannot create customization specification wizard).

Workaround:
You can use either of the following workarounds:
 - Apply VMware guest OS customization with 'ovftool'.
 - Manually set OSType to 'Other 3.x Linux 64-bit'.

Fix:
OS type embedded in .ovf file in VE OVAs has been changed from 'Other 64-bit' to 'Other 3.x Linux 64-bit' to enable VMware guest OS customization.

Behavior Change:
In this release, the OS type set in .ovf file in the BIG-IP VE SCSI OVA images for VMware has been changed from 'Other 64bit' to 'Other 3.x Linux 64bit'. This enables 'VMware Guest Customization' via VMware vCenter.


685020-3 : Enhancement to SessionDB provides timeout

Component: TMOS

Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.

Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.

Impact:
Calls made to SessionDB never return from the remote TMM.

Workaround:
None.

Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.

A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|

Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|


684937-3 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Solution Article: K26451305

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of caches Kerberos tickets, the latency of HTTP request processing has been significantly improved.


684852-1 : Obfuscator not producing deterministic output

Component: Fraud Protection Services

Symptoms:
Proactive defense challenge is not passed.

Conditions:
The obfuscator does not produce the same output for the same pair of key and seed. Therefore, on multi-blade devices, or on active-active deployments, when the request to the page (url=/) and the request to the javascript (/TSPD/*?type=10) each go to a different blade or a different device.

More frequently, it happens when the page and javascript are loaded from the same blade, but the javascript is stored in the cache.

Then another refresh, and the request goes to the second blade. Because the javascript in the cache was received from the first blade, it does not match the page.

Impact:
Proactive defense challenge is not passed; challenge remains on blank page on chassis.

Workaround:
None.

Fix:
Obfuscator now uses common Random object.


684583-1 : Buitin Okta Scopes Request object uses client -id and client-secret

Component: Access Policy Manager

Symptoms:
Buitin Okta Scopes Request object uses client credentials instead of resource server credentials.

Conditions:
Buitin Okta Scopes Request object

Impact:
Scope request with Buitin Okta Scopes Request object fails.

Workaround:
Use modified Request object.

Fix:
Buitin Okta Scopes Request object is fixed to use resource server credentials.


684391-3 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.

Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.


684370-1 : APM now supports VMware Workspace ONE integration with VIDM as ID Provider

Component: Access Policy Manager

Symptoms:
When VMware Horizon resources are behind APM, you can see available desktops and application on VMware Workspace One (WS1) portal, but you cannot launch them.

Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- Authenticate with VMware Identity Manager (VIDM) and see available virtual desktops and applications on WS1 portal.
-- Attempt to launch a virtual desktop or application with VMware HTML5 client.

Impact:
BIG-IP users get authenticated with VIDM and can see available desktops and applications on the WS1 portal, but cannot launch a desktop or application with View HTML5 client.

Workaround:
Not applicable.

Fix:
APM now supports VMware Workspace One (WS1) with VMware Identity Manager (VIDM) as the Identity Provider and APM as a service provider, protecting VMware Horizon desktops and applications.


684333-1 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
 tmm big start restart.


684325-1 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Access profile having CheckMachineCert agent, while updating profile using 'Apply access policy', each time it leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.


684312-1 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Solution Article: K54140729

Component: Application Security Manager

Symptoms:
During Apply Policy action, bd agent crashes, causing with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

Causing bd and bd_agent processes restart, and causing the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart..

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.


684218-1 : vADC 'live-install' Downgrade from v13.1.0 is not possible

Component: TMOS

Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.

Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:

image2disk --format=volumes --nosaveconfig 11.5.4

Impact:
request is not allowed. no changes are made.

Workaround:
deploy a new 11.5.4 software image via the hypervisor environment


684033-3 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Solution Article: K70084351


683741-1 : APM now supports VMware Workspace ONE integration with vIDM as ID Provider

Component: Access Policy Manager

Symptoms:
When VMware Horizon resources are behind APM, APM end user is able to see available desktops and application on VMware Workspace ONE portal but is not able to launch them.

Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- APM end user authenticates with VMware Identity Manager (IDM) and sees available virtual desktops and applications on Workspace ONE portal.
-- APM end user attempts to launch a virtual desktop or application with VMware native client.

Impact:
Users authenticates but is not able to launch a desktop or application with View native client.

Workaround:
None.

Fix:
APM now supports VMware Workspace ONE with VMware IDM as Identity Provider and APM as service provider, protecting VMware Horizon desktops and applications.


683697-1 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.

Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.


683508-1 : WebSockets: umu memory leak of binary frames when remote logger is configured

Solution Article: K00152663

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.


683474 : The case-sensitive problem during comparison of 2 Virtual Servers

Component: Application Visibility and Reporting

Symptoms:
Failed to load "incident types volume graph" if incident was filtered by Virtual Server

Impact:
Chart of incident data will not be displayed.

Workaround:
Avoid to create virtual servers that have the same letters, differing only by capital letters verses small letters.

Fix:
monpd process uses a case-sensitive comparison of virtual servers


683389-3 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.


683297-2 : Portal Access may use incorrect back-end for resources referenced by CSS

Component: Access Policy Manager

Symptoms:
If HTML page contains reference to external CSS file with URL beginning with '//', then host-less references in this CSS file are handled incorrectly by Portal Access.

Conditions:
- HTML page at http://example.host/page.html:

    <link rel=stylesheet href=//another.host/some/path/my.css>

- and this CSS contains reference with absolute path like this:

    html { background-image: url(/misc/image/some.png); }

Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.

Impact:
Web application may not work correctly.

Workaround:
Use iRule to correct back-end host.

Fix:
Portal Access uses correct back-end host for references in CSS files included with scheme-less URL.


683241-1 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.


683135-2 : Hardware syncookies number for virtual server stats is unrealistically high

Component: TMOS

Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.

These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.

Conditions:
Virtual server with hardware syncookie protection enabled.

Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.

Workaround:
Disable the TCP Synflood vector in mitigate mode.

Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.

Fix:
Hardware syncookies number for virtual server now reports stats as expected.


683131-1 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present

Component: TMOS

Symptoms:
BIG-IP software installations will fail and report a status of:

    waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)

Conditions:
- Perform software installation in a vCMP guest when guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- Hypervisor has a valid copy of the the correct base image (e.g. v13.0.0 build 0.0.1645)
- Guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)

Impact:
Software installation fails, and will not complete/continue.

Workaround:
Delete the base software image from either the hypervisor or guest's file system

Fix:
The condition no longer causes an error; the installation request successfully runs to completion.


683114-2 : Need support for 4th element version in Update Check

Component: TMOS

Symptoms:
Previously, there was no 4th element version Update Check functionality.

Conditions:
Using Update Check.

Impact:
No 4th element version support provided.

Workaround:
None.

Fix:
There is now 4th element version support in Update Check.


683113-3 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Solution Article: K22904904

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

The BIG-IP system response can rate drop to the point that the clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.


683029-1 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.


682944-1 : key-id missing for installed netHSM key for standby BIG-IP system in HA setup

Component: Local Traffic Manager

Symptoms:
In a BIG-IP high availability (HA) configuration, the nethsm key installed has empty key-id string for the standby BIG-IP system. That is, the BIG-IP system that actually gets the key installed has the key-id string properly displayed. But its peer BIG-IP system does not display a key-id string associated with the installed key.

Conditions:
-- nethsm key installed.
-- Standby BIG-IP system in an HA configuration.

Impact:
The peer BIG-IP system has no key-id string properly displayed.

Workaround:
Even though key-id does not display, the key is present on the peer BIG-IP system and can be used there.

Fix:
The netHSM key for standby BIG-IP system in HA configurations now shows up after a successful configsync.


682837-2 : Compression watchdog period too brief.

Component: TMOS

Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.

Conditions:
Very high sustained system-wide compression request traffic.

Impact:
Accelerated compression throughput can drop significantly; some flows dropped.

Workaround:
Switch to software compression.

Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.


682500-2 : VDI Profile and Storefront Portal Access resource do not work together

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.


682335-1 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed, if there is an existing connflow, don't start another connection.


682283-2 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC

Component: Local Traffic Manager

Symptoms:
HTTP/2 request can include Content-Length header. When the value of a Content-Length header does not match the sum of lengths of all DATA frames from the stream, RFC requires that the system reset the stream.

Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.

Impact:
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.

Workaround:
None.

Fix:
Now, when a client sends a request over an HTTP/2 connection with a malformed HEADERS frame in which Content-Length does not match the payload size in DATA frames, the BIG-IP system correctly resets the stream with RST_STREAM frame.


682213-1 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.

Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatiblity, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.

In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.


682104-3 : HTTP PSM leaks memory when looking up evasion descriptions

Component: Local Traffic Manager

Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.

Conditions:
When PSM looks up evasion descriptions.

Impact:
Memory leaked each time might eventually cause out of memory to the TMM.

Workaround:
None.

Fix:
This fix will stop the memory leakage.


681955-1 : Apache CVE-2017-9788

Solution Article: K23565223


681782-6 : Unicast IP address can be configured in a failover multicast configuration

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.

Fix:
The system now prevents specifying a unicast IP address when configuring multicast failover.


681757-3 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

 emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.

Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.


681673-4 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC addresses.

Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
 fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.

Impact:
There is not enough information to map the outgoing MAC address to a multi-cast group, and therefore it gets a default entry added that has no ports mapped. The result is that the frame will not go out the interface indicated in the tmsh command yet no warning is provided.

Workaround:
None.

Fix:
TMSH modify FDB command is no longer permitted to add multicast MAC addresses, so this issue no longer occurs.


681415-3 : Copying of profile with advanced customization or images might fail

Component: Access Policy Manager

Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code' or similar

Conditions:
Access Profile has advanced customization group or customization image assigned to any of object connected to profile.

Impact:
Unable to copy policy.

Workaround:
None.

Fix:
Copying of profile with advanced customization or images now succeeds as expected.


681385-2 : Forward proxy forged cert lifespan can be configured from days into hours.

Component: Local Traffic Manager

Symptoms:
Once support for OCSP in place, you may need to forge certificates in lifespan shorter than one day. Previously, there was no way to configure that.

Conditions:
Configure forward proxy forged cert lifespan shorter than a day.

Impact:
None. This is a request for enhancement.

Workaround:
None.

Fix:
A new DB variable (tmm.ssl.certlifespaninhours) is added to support specifying hours instead of days:

[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
    value "disable"
}
[root@localhost:Active:Standalone] config # tmsh modify sys db tmm.ssl.certlifespaninhours value enable
[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
    value "enable"
}

When this variable is enabled, the configured lifespan is treated as hours. When this variable is disabled, the configured lifespan is treated as days.

Behavior Change:
Configured Forward proxy forged cert lifespan allows changing
from days to hours using a new DB variable: tmm.ssl.certlifespaninhours.


681175-3 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

Fix:
TMM no longer crashes on routing updates when ECMP is in use.


681009-1 : Large configurations can cause memory exhaustion during live-install

Component: TMOS

Symptoms:
system memory can be exhausted and the kernel will kill processes as a result.

Conditions:
During live-install, if configuration roll-forward is enabled, and the compressed configuration size is of a similar order of magnitude as total system memory.

Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.

Workaround:
Make sure there are no un-intended large files included in the configuration. Any file stored under /config is considered part of the configuration.

If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.

to turn off config roll forward; setdb liveinstall.saveconfig disable

to save/restore configuration manually; see
https://support.f5.com/csp/article/K13132


680856-2 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.

Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.


680850-2 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.

Solution Article: K48342409

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.

Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug

Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.

Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.

Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.

This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.

With this fix, setting log.zxfrd.level debug no longer outputs this information.

Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.


680838-2 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM will no longer restart due to assertion failure.


680729-1 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>


680564-1 : "MCP Message:" seen on boot up with Best License

Component: Local Traffic Manager

Symptoms:
This message can be seen in /var/log/tmm

notice MCP message handling failed in 0x7aa640 (16973843): Aug 28 12:41:02 - MCP Message:

Conditions:
This occurs when booting BIG-IP that has a Best license applied.

Impact:
This message can be ignored.

Workaround:
Ignore message

Fix:
With fix, message goes away


680556-1 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
The specific conditions under which this occurs are not known.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Although the issue is not known, the system now handles the situation without necessarily restarting tmm.


680388-1 : f5optics should not show function name in non-debug log messages

Component: TMOS

Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.

Conditions:
-- BIG-IP is running.
-- Logging thresholds is set to a value other than debug.

Impact:
Log files contain unexpected data.

Workaround:
There is no workaround at this time.

Fix:
With the fix, f5optics is not displaying function names in non-debug logging messages.


680353-1 : Brute force sourced based mitigation is not working as expected

Component: Application Security Manager

Symptoms:
Brute force mitigations are not working by the configured order under some conditions - for example a captcha is arriving instead of a drop.

Conditions:
-- Brute force is configured.
-- There is more than one source (for example, User and IP address).

Impact:
The incorrect mitigation is received.

Workaround:
None.

Fix:
Fixed an issue with brute force mitigations.


680264-2 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags

Component: Local Traffic Manager

Symptoms:
Intermittently, HTTP2 experiences protocol resets.

Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.

For example, the following returns the incorrect header length:
 (0xFF BYTE1) next byte, http2_arbint_read.

Impact:
Unexpected loss of HTTP2 frames due to protocol resets.

Workaround:
No effective workaround.

Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.


680086 : md5sum check on BMC firmware fails

Component: TMOS

Symptoms:
Checking the md5 sum of BMC firmware fails when issuing the command 'md5sum -c /usr/firmware/shuttle_x.x.xx.ima_enc.md5'. The command fails with the following message: (...) listed file could not be read".

Conditions:
iSeries appliances:
- i2000
- i4000
- i5000
- i7000
- i10000
- i15000

Impact:
'md5sum -c' does not work for BMC firmware checksums.

Workaround:
Indirectly check the md5sum by calculating it with 'md5sum /usr/firmware/shuttle*.ima_enc' and comparing it to 'cat /usr/firmware/shuttle*.ima_enc.md5'. Or use this command:

diff -sy <(md5sum < /usr/firmware/shuttle*.ima_enc | awk '{ print $1 }') <(cat /usr/firmware/shuttle*.ima_enc.md5 | awk '{ print $1 }')

Fix:
Fixed 'md5sum -c' not working for BMC firmware checksums.


680074-2 : TMM crashes when serverssl cannot provide certificate to backend server.

Component: Local Traffic Manager

Symptoms:
TMM halts and restarts when server SSL cannot provide a certificate to the backend server.

Conditions:
-- The backend server is configured to require a client certificate to complete the SSL handshake.
-- The server SSL profile is not configured with a client certificate.

Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer halts and restarts when server SSL cannot provide a certificate to the backend server.


680069-1 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config

Solution Article: K81834254

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.

Fix:
zxfrd no longer cores during transfer while network failure and DNS server removed from DNS zone config.


679861 : Weak Access Restrictions on the AVR Reporting Interface

Component: Application Visibility and Reporting

Symptoms:
The AVR reporting interface does not follow best practices for access restrictions.

Conditions:
AVR provisioned

Impact:
If accessed the AVR reporting interface may disclose:
 - Client and server IP addresses
 - URIs from client requests
 - Metadata about attacks detected by BIG-IP

Workaround:
Ensure that network access to the management port is restricted and that Port Lockdown setting for Self-IPs is not set to "Allow All". The default port lockdown of "Allow Default" provides mitigation against access via Self-IP.

Fix:
Stronger access restrictions enforced on the AVR reporting interface.


679613-1 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.


679496-2 : Add 'comp_req' to the output of 'tmctl compress'

Component: Local Traffic Manager

Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.

Conditions:
Viewing the output of the 'tmctl compress' command.

Impact:
Cannot determine the different types of requests.

Workaround:
There is no workaround at this time.

Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests, as follows: there is an indicator, 'comp_req', for compression requests. The number of decompression request is tot_req - comp_req.


679494-1 : Change the default compression strategy to speed

Component: Local Traffic Manager

Symptoms:
The current default compression.strategy is 'latency', which does not perform properly, i.e., the provider selection algorithm does not react to load change fast enough.

Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.

Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.

Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.

Fix:
The default compression strategy is now set to 'speed'.


679384-3 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
 killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

Fix:
After the fix, Policy Builder will be aware of all newly added signatures.


679347-2 : ECP does not work for PFS in IKEv2 child SAs

Solution Article: K44117473

Component: TMOS

Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for (perfect forward security).

Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.

Fix:
Full support for ECP as PFS has now been added, so a new child-SA negotiated in a IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.


679221-2 : APMD may generate core file or appears locked up after APM configuration changed

Component: Access Policy Manager

Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.

Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.

Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.

Workaround:
None.

Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.


679149-1 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.


679135-2 : IKEv1 and IKEv2 cannot share common local address in tunnels

Component: TMOS

Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.

Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.

Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.

Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.

Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.

Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.

Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.


679114-4 : Persistence record expires early if an error is returned for a BYE command

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for a any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.


679088-1 : Avr reporting and analytics does not display statistics of many source regions

Component: Application Visibility and Reporting

Symptoms:
1. The network reporting does not show the statistics related to some Source Regions.
2. In the Security=>Reporting=>Network=>Enforced Rules dashboard are impossible to select or find some Source Region using filtering .
For example, there are list of some missing Source Regions:
France, Ile-de-France, Ukraine, Kyyiv,Russian Federation, Tambovskaya oblast, South Africa, Western Cape and Spain,Madrid

Conditions:
This occurs when attempting to filter on the affected source regions.

Impact:
The network reporting does not show the statistics related to some Source Regions.


678925-1 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.

Fix:
The TMM no longer crashes.


678872-3 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.

Fix:
This implements the initialization-order-independent set of rules of whether particular IP address should have ARP/ICMP enabled for multiple maching vaddrs. The lookup is performed from the most fine netmask to the most coarse netmask. If for particular netmask there is no maching vaddr then more coarse netmask is lookedup. Otherwise if any machnig vaddr for particular netmask have ARP/ICMP enabled then IP address will have ARP/ICMP enabled. If none of matching vaddrs for particular netmask have ARP/ICMP enabled the then IP address will have ARP/ICMP disabled.

The rule above have one exception, due to the performance optimizations. If the vaddr have both ARP and ICMP disabled then the vaddr is considered deleted.


678861-1 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.


678851-3 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()

Component: Access Policy Manager

Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.

Attempt to call incorrectly patched method causes following exception:
java.lang.VerifyError: (...) Illegal type in constant pool

Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().

Impact:
Affected Java applets cannot be started through Portal Access.

Workaround:
None.

Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.


678820-1 : Potential memory leak if PEM Diameter sessions are not created successfully.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in reduction in available memory.

Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.

Impact:
Loss of service

Workaround:
There is no workaround at this time.

Fix:
Diameter context is freed in case of a failed Diameter session creation.


678801-4 : WS::enabled returned empty string

Component: Local Traffic Manager

Symptoms:
WS::enabled command returned empty string instead of 0 or 1 for status.

Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.

Impact:
Unable to determine the status of WebSocket processing using iRule commands.

Workaround:
There is no workaround at this time.

Fix:
Invoke appropriate method via WebSocket Tcl code.


678524-1 : Join FF02::2 multicast group when router-advertisement is configured

Component: Local Traffic Manager

Symptoms:
MLD snooping switches may not deliver router solicitation packets to BIG-IP, which breaks BIG-IP's router advertisement functionality. MLD snooping switches may not deliver the packets because BIG-IP has not joined the FF02::2 multicast group.

Conditions:
router-advertisement configured, MLD snooping switches.

Impact:
IPv6 hosts never receive router advertisements from BIG-IP in response to their router solicitations.

Workaround:
Disable MLD snooping on switches.

Fix:
BIG-IP now joins the FF02::2 multicast group when router-advertisements are configured.

Behavior Change:
BIG-IP now joins the FF02::2 multicast group when router-advertisement is configured.


678488-1 : BGP default-originate not announced to peers if several are peering over different VLANs

Solution Article: K59332320

Component: TMOS

Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.

Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.

Impact:
Only some of the peered neighbors get the default route.

Workaround:
Add the following to the the BGP configuration:
 network 0.0.0.0/0

Fix:
All peered neighbors now get the default route.


678427-1 : Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice

Solution Article: K03138339

Component: Access Policy Manager

Symptoms:
Safari 11 displays confirmation dialogs to launch F5 EPI or F5 VPN app twice. Although functionality is not affected, the user experience might be confusing.

Conditions:
-- Safari 11, F5 EPI, or F5 VPN app installed.
-- Endpoint check or VPN configured in access policy.

Impact:
None. The extra dialog box does not affect system functionality.

Workaround:
None.

Fix:
Confirmation dialog is now displayed only once during VPN establishment with Safari browser.


678388-1 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd

Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.


678380-2 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Solution Article: K26023811

Component: TMOS

Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.

Fix:
The system now checks whether the old peer definition is valid when navigating from phase-one SAs to the IKEv1 peer definition.


678293-2 : Uncleaned policy history files cause /var disk exhaustion

Solution Article: K25066531

Component: Application Security Manager

Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.

Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.

Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.

Impact:
/var disk usage is high.

Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:

----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------

Manually verity the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.

In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.


678254-1 : Error logged when restarting Tomcat

Component: TMOS

Symptoms:
An error is logged after restarting Tomcat and using the web UI.

Conditions:
Using the web UI to restart tomcat.

Impact:
An error is logged after restarting Tomcat and using the web UI.

Workaround:
There is no workaround.

Fix:
When restarting Tomcat and using the web UI, and error will be logged only if the debug flag is enabled.


677958-4 : WS::frame prepend and WS::frame append do not insert string in the right place.

Component: Local Traffic Manager

Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.

Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profile are configured on the virtual.
-- Client/server send and receive WebSocket frames.

Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.

Workaround:
None.

Fix:
Separate buffers were now used for append and prepend, instead of reusing the same buffer.


677937-3 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.


677919-4 : Enhanced Data Manipulation AJAX Support

Component: Fraud Protection Services

Symptoms:
Need enhanced data manipulation detection to protect against modifying parameters in real-time (malware script in the browser) that are sent by JSON.

Conditions:
There is a malware script in the browser performing real-time modification of parameters that are sent by JSON.

Impact:
End-users already under attack could send manipulated JSON data to backend servers.

Workaround:
None.

Fix:
The Enhanced Data Manipulation Check has been improved so that it can now detect JSON data manipulation in the browser.


677666-2 : /var/tmstat/blades/scripts segment grows in size.

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows. This can eventually lead to the system no longer providing up-to-date statistics.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out-of-memory condition as well as out-of-date statistics.

Workaround:
No known workarounds.

Fix:
Condition corrected.


677525-2 : Translucent VLAN group may use unexpected source MAC address

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN group no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.


677494-1 : Flow filter with Periodic content insertion action could leak insert content record

Component: Policy Enforcement Manager

Symptoms:
Subscriber using flow filter and periodic insert content could create multiple records for same insert content action.

Conditions:
If two flows belonging to the same subscriber matching 2 different rules of the same policy and alternates and in the meanwhile policy rule action is updated.

Impact:
More than one record being created for the same insert content action.

Workaround:
There is no workaround at this time.

Fix:
Update the insert content array as soon as the pemdb record is updated.


677485-1 : Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error

Component: TMOS

Symptoms:
After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.

Conditions:
-- DSC cluster.
-- iControl REST.
-- BIG-IP system with stale BIG-IP master key in its cache.
-- BIG-IQ attempts to decrypt the secure values.

Impact:
Discovery fails due to secure value decryption error.

Workaround:
Restart iControl-REST server on the BIG-IP system.

On BIG-IP v12.0.0 and later:
-- In TMSH, run the following command:
restart sys service restjavad
-- On the console, run the following command:
bigstart restart restjavad

On BIG-IP v11.x.x:
-- In TMSH, run the following command:
restart sys service icrd
-- On the console, run the following command:
bigstart restart icrd

Fix:
The system now enforces obtaining the BIG-IP master key if the first decryption fails to proceed properly.


677473-3 : MCPD core is generated on multiple add/remove of Mgmt-Rules

Component: Advanced Firewall Manager

Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.

Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).

Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.


677368-2 : Websso crash due to uninitialized member in websso context object while processing a log message

Component: Access Policy Manager

Symptoms:
Websso crashes occasionally on processing a log message on TMEVT_CLOSE event. This happens when a TMEVT_CLOSE event is received without receiving a request.

Conditions:
TMEVT_CLOSE event is received without receiving a request.

Impact:
Websso process crash.

Workaround:
None.

Fix:
A rare condition that caused the websso module to core is fixed by removing the webssocontext object from the logging function.


677148-1 : Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific

Component: Policy Enforcement Manager

Symptoms:
If same pem policy with insert content is added to global high and subscriber specific, insert content could add duplicate records. This result in a case where if the periodic content tag is absent, the periodic content insertion will not scheduled immediately, but will add only after the expiry of the current interval.

Conditions:
If same pem policy with insert content is added to global high and subscriber specific.

Impact:
if the periodic content tag is absent, the periodic content insertion will not scheduled immediately.

Workaround:
This is a wrong configuration, a pem policy should be included either in Global High, or subscriber specific, not both.

Fix:
Re-use the already created record in case of same policy attached to Global high and subscriber specific


677088-2 : BIG-IP tmsh vulnerability CVE-2018-15321

Solution Article: K01067037


676897-3 : IPsec keeps failing to reconnect

Solution Article: K25082113

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
This release corrects this issue.


676457-5 : TMM may consume excessive resource when processing compressed data

Solution Article: K52167636


676416-4 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.

Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.

Workaround:
There is no workaround at this time.

Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.


676346-2 : PEM displays incorrect policy action counters when the gate status is disabled.

Component: Policy Enforcement Manager

Symptoms:
Action counters are incorrect.

Conditions:
PEM policy actions enabled with gate status of disabled.

Impact:
May provide an inconsistent view of PEM actions.

Workaround:
There is no workaround.

Fix:
Counters are managed correctly regardless of the gate status.


676223-4 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
policy building is turned on (manual or automatic). There are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A

Fix:
Parameter to not to sign allowed cookies added.


676203-3 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.

Component: TMOS

Symptoms:
TMM memory usage suddenly increases rapidly.

Conditions:
The inter-blade mpi connection fails and does not recover.

Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.

Workaround:
None.

Fix:
Inter-blade mpi connection now continues as expected, without memory issues.


676092-3 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
The system now correctly handles these conditions so the issue no longer occurs.


675921-2 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

Component: TMOS

Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status of 'running'.

Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.

Impact:
5th guest and beyond result in an error.

Workaround:
There is no workaround other than not creating more than 4 'ssl-mode dedicated' vCMP guests when provisioning vCMP guests on the i5800 platform.

Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.


675866-4 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Kerberos SSO (S4U) tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.


675775-4 : TMM crashes inside dynamic ACL building session db callback

Component: Access Policy Manager

Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.

Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Guard against NULL pointer dereference for dynamic ACL build.


675232-6 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered -

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via GUI and starting from from v13.0 via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.


674747-4 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted,
however.

Workaround:
None.

Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.


674591-3 : Packets with payload smaller than MSS are being marked to be TSOed

Solution Article: K37975308

Component: Local Traffic Manager

Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops those to degrade performance.

Conditions:
When TM.TcpSegmentationOffload is enabled, Packets with length less than MSS are sent as TSO packets.

Impact:
TCP Packets are dropped.

Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.

Fix:
Packets less than MSS are not sent as TSO packets, so there is no performance degradation.


674576-3 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.

Conditions:
VIP-VIP configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer produces a core with a 'no trailing data' assert.


674494-4 : BD memory leak on specific configuration and specific traffic

Solution Article: K77993010

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
Freeing up the remote loggers data when deciding not to log remotly.


674455-5 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS

Component: TMOS

Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.

Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r

Impact:
Serial console baud rate settings are incorrect. Uses the bios baud rate on the console.

Workaround:
When booting, edit the grub kernel line to include console=ttyS0.

Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.

Fix:
tmidiag has been fixed to not strip out console=ttyS0.


674256-2 : False positive cookie hijacking violation

Solution Article: K60745057

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.


674145-1 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

Fix:
The expected data values are properly printed in the log message.


673996-2 : Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms

Component: TMOS

Symptoms:
Changing 'media-fixed' on management port on BIG-IP i15000 platforms using tmsh command 'tmsh modify net interface mgmt media-fixed <speed>' does not take effect.

Conditions:
-- Connecting two BIG-IP i15000 units via management port.
-- Changing the 'media-fixed' value.

Impact:
Changing the 'media-fixed' value does not work.

Workaround:
Pull the management cable out and plug it back in to get the link up at the respective speeds.

Fix:
Users can now change the 'media-fixed' value using tmsh commands.


673842-4 : vCMP does not follow best security practices

Component: TMOS

Symptoms:
Under certain conditions, vCMP may generate internal configuration data that does not comply with best security practices.

Conditions:
vCMP platform

Impact:
vCMP does not comply with best security practices.

Workaround:
None.

Fix:
vCMP does now complies with best security practices.


673832-1 : Performance impact for certain platforms after upgrading to 13.1.0.

Component: Performance

Symptoms:
Performance impact for certain platforms after upgrading to 13.1.0.

Conditions:
The following platforms, with Fast HTTP/OneConnect/Full Proxy configured.

-- i2800
-- i4800
-- i5800
-- i7800
-- i10800
-- i11800
-- B2250
-- B4450

Impact:
The performance impacts occur on the following platforms under the associated conditions:

-- i2800 2%-3% Full Proxy traffic.
-- i4800 2%-3% Full Proxy traffic.
-- i5800 3%-8% Fast HTTP/Full Proxy traffic.
-- i7800 3%-7% Fast HTTP/Full Proxy traffic.
-- i10800 3%-7% Fast HTTP/Full Proxy traffic.
-- i11800 2%-3% Fast HTTP traffic.
-- B2250 3%-6% OneConnect/Full Proxy traffic.
-- B4450 4%-10% Fast HTTP/OneConnect/Full Proxy traffic.

Workaround:
None.

Fix:
Performance impact for certain platforms has been eliminated.


673717-3 : VPE loading times can be very long

Component: Access Policy Manager

Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.

Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.

Impact:
Policies with thousands of entries can take tens of seconds or more to load.

Workaround:
None.

Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.


673664-1 : TMM crashes when sys db Crypto.HwAcceleration is disabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when sys db Crypto.HwAcceleration is disabled.

Conditions:
This occurs when sys db Crypto.HwAcceleration is disabled.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Enable crypto hardware acceleration using the following command:
tmsh modify sys db crypto.hwacceleration value enable


673607-9 : Apache CVE-2017-3169

Solution Article: K83043359


673595-9 : Apache CVE-2017-3167

Solution Article: K34125394


673399-3 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.

Component: Local Traffic Manager

Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.

Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.

Impact:
Connection is reset.

Workaround:
Disable Websockets profile on the virtual server.

Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.


672667-6 : CVE-2017-7679: Apache vulnerability

Solution Article: K75429050


672514-1 : Local Traffic/Virtual Server/Security page crashed

Component: Advanced Firewall Manager

Symptoms:
Local Traffic/Virtual Server/Security page crashes when AFM policy with 20k rules is attached to a virtual.

Conditions:
1. AFM provisioned.
2. AFM policy attached to Virtual with 20k rules with UUID.
3. Traffic hitting Virtual.

Impact:
Unable to manage the AFM policy using the management utility.

Workaround:
Use tmsh to attach AFM policy and other security items

Fix:
The issue is fixed. Policy Rules are displayed on Virtual security page only for Management context.


672504-2 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

Fix:
Dramatically improved algorithm, to remove significant delay in deletions.


672312-3 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.

Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.


672124-6 : Excessive resource usage when BD is processing requests

Solution Article: K12403422


671716-1 : UCS version check was too strict for IPS hitless upgrade

Component: Protocol Inspection

Symptoms:
When we upgrade from one minor release to another, e.g. from 13.1 to 13.2, then UCS upgrade of IPS IM packages fail.

Conditions:
During upgrade from one minor release to another.

Impact:
The default library will be used instead of the last updated IM/IPS library in last build.

Workaround:
Install the IM package available for that new release.


671712-2 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.

Fix:
The values in the ltmUserStatProfileStat table are always correct.


671627-3 : HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.

Solution Article: K06424790

Component: Access Policy Manager

Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.

Conditions:
HTTP response without body processed by Portal Access

Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.

Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.

Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.


671597-3 : Import, export, copy and delete is taking too long on 1000 entries policy

Component: Access Policy Manager

Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.

Conditions:
When access policy has 1000+ entires.

Impact:
Import, export and copy are abandoned or fail due to out of memory condition.

Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.

Fix:
ng_export speed has been improved 5 times
ng_import and ng_profile are working 50 times faster because of avoiding denormalisation and optimisation

ng_export is still should be used from the console.


671323-1 : Reset PIN Fail if Token input field is not 'password' field

Component: Access Policy Manager

Symptoms:
User is not able to reset the PIN when the password source field in RSA SecurID or RADIUS Auth agent is not set to default value(%{session.logon.last.password})

Conditions:
- APM is licensed and provisioned.
- RSA SecurID or RADIUS Auth agent is included in an access policy.
- Password source field in this agent is changed to a custom value.
- APM end user is challenged to reset the PIN or reenter the PIN/token.

Impact:
APM end users cannot reset the PIN or do not get authenticated.

Workaround:
There is no workaround other than not changing the default value in password source fields for RADIUS or RSA SecureID auth agent.

Fix:
APM end users can now successfully reset the PIN or reenter the token. They can also use custom password session variables for authentication.


670528-4 : Warnings during vCMP host upgrade.

Solution Article: K20251354

Component: TMOS

Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
     slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).

Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
 - Deploy 13.x guest.
 - Monitor /var/log/ltm.

Impact:
Warning message displayed every 5 seconds.

Workaround:
Run the following command:
 tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none


670197-1 : IPsec: ASSERT 'BIG-IP_conn tag' failed

Component: TMOS

Symptoms:
When using IPsec, tmm assert with 'BIG-IP_conn tag' failed.

Conditions:
The conditions under which this assert occurs when using IPsec are unknown.

Impact:
The tmm restarts and all connections are reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When using IPsec, tmm no longer asserts with 'BIG-IP_conn tag' failed.


670103-1 : No way to query logins to BIG-IP in TMUI

Component: TMOS

Symptoms:
Cannot use the GUI to query logins to the BIG-IP system based on a time range or a specific user.

Conditions:
-- Using the GUI.
-- Gather login information.

Impact:
No support for queries.

Workaround:
None.

Fix:
Added support for using using the GUI to query logins to the BIG-IP system.

Behavior Change:
The ability to query logins on the BIG-IP, using the GUI, was added at System >> Logins : History. Users can query all available login data that is present on the BIG-IP. This information can be filtered by time, username, status, access method, and host.


669585-1 : The tmsh sys log filter is unable to display information in uncompressed log files.

Component: TMOS

Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.

Conditions:
One or more of the BIG-IP sytem backup log files, designated with .1, .2, etc are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.

Impact:
Unable to view the full range of backup log information.

Workaround:
To log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:

gzip /var/log/<log>.*

For example, to compress the full set of backup logs for the ltm log type, type the following command:

Note: The following message is expected if the log file is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged'

gzip /var/log/ltm.*

Fix:
Increased flexibility of log reading mechanism, to look for both compressed (ending in .gz) and uncompressed (ending in .#) log files.


669462-2 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/

Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool

Impact:
Unable to use pool-members from /Common/ when outside of /Common/

Workaround:
No workaround at this time.

Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/


668826-1 : File named /root/.ssh/bigip.a.k.bak is present but should not be

Component: TMOS

Symptoms:
In AWS instances, a file /root/.ssh/bigip.a.k.bak is present which should not be. It is harmless to users other than that it is confusing.

Conditions:
After the first boot, this file should be deleted, but it is not.

Impact:
No real impact other than possibly confusion as this file isn't used in this environment. The file does not contain any sensitive data as it's a dangling symlink.

Workaround:
No need to workaround as the presence of the file is harmless. Users could manually remove this file if desired.

Fix:
This file is no longer present which is the correct state.


668276-1 : BIG-IP does not display failed login attempts since last login in GUI

Component: TMOS

Symptoms:
The BIG-IP does not have a mechanism in the GUI to display information about login attempts.

Conditions:
n/a

Impact:
Administrators cannot use the GUI to evaluate login attempts to the BIG-IP.

Workaround:
Administrators can view the logs at /var/log/secure.

Fix:
New GUI pages were create to allow administrators, resource admins, and auditors to view information about login attempts to the BIG-IP. These pages are available at System >> Logins in the GUI.
The user logins summary, available at System >> Logins : Summary can be set as the default start screen for BIG-IP users. However, this process is not as straightforward as other pages, as these pages are available only to users with a role of admin, resource admin, or auditor. Because of these restrictions, setting this page as default is accomplished by setting a DB variable, UI.Users.RedirectSuperUsersToAuthSummary, to true.
When this DB variable is set to true, users with roles of admin, resource admin, or auditor will be redirected to the System >> Logins : Summary page. Users with other roles will be redirected to the Start Screen that is set in System >> Preferences.


668273-1 : Logout button not available in Configuration Utility when using Client Cert LDAP

Solution Article: K12541531

Component: TMOS

Symptoms:
When the BIG-IP system is configured to use the Client Cert LDAP for Remote Authorization, the Logout button is not available.

Conditions:
A BIG-IP system is configured to use Client Cert LDAP for Remote Authorization.

Impact:
BIG-IP system users cannot end the session on the BIG-IP system.

Workaround:
Close all windows to end the session.

Fix:
Now, when the BIG-IP system is configured to use Client Cert LDAP as the Remote Auth method, there is a Logout button in the window, and when the Logout button is clicked, the system displays a modal window to instruct the user on how to end the session.


668184-2 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

Fix:
An issue with bd sending wrong numbers to AVR was fixed.


668041-2 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.

For example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.

Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.


667770-1 : SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore

Solution Article: K12472293

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends a SIGSEGV to the TMM process when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).

Conditions:
-- Configuration contains a combination of SSL profiles and AVR.

-- Performing multiple, repeated SSL profile updates, or during UCS restore.

Impact:
The BIG-IP system sends a SIGSEGV to the TMM process. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
TMM no longer halts and restarts when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).


667542-6 : DNS Express does not correctly process multi-message DNS IXFR updates.

Component: Global Traffic Manager (DNS)

Symptoms:
If DNS Express sends an IXFR query to a DNS server, and that server responds with an IXFR update that is larger than one DNS message, DNS Express processes only the first message.

DNS Express then updates the SOA serial number to match that of the IXFR, marks the IXFR as successful and the Zone as 'Green'.

There is no indication that the IXFR was incomplete.

DNS Express might then have, and might serve, incorrect data for that Zone.

Conditions:
An IXFR response from a DNS server spans multiple DNS messages.

Note: This is not a common condition, but it is possible.

Impact:
This might result in incomplete or otherwise inaccurate Zone data, which DNS Express will serve.

Workaround:
Note: Although this does have a workaround, there is no way for you to determine that the Zone is complete other than to query the entire zone and compare it to the zone from the master DNS server.

To workaround this issue:
1. Stop zxfrd.
2. Remove the database /var/db/zxfrd.bin.
3. Restart zxfrd.

This triggers a full transfer (AXFR) of the zone, as well as all the other zones.

Fix:
The system now continues the processing of DNS messages until the closing SOA RR is encountered.


667469-3 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.


667353 : Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table

Component: Advanced Firewall Manager

Symptoms:
Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table - issue is due to TMM (self) abort due to memory corruption in one of the TMSTAT tables AFM uses for correlating dynamic signatures.

Conditions:
Following conditions suffice to trigger the TMM crash due to self abort in one of the TMSTAT tables:

a) Generate a set of N dynamic signatures (few context).

b) When attack stops, the current set of signatures are moved to 'past' attack state.

c) If in between, TMM restarts (or receives MCP config again e.g via load), these past attack signatures are incorrectly created in tmstat table which is used only for the current attack signatures - this is the *cause* of the issue!

d) New attack appears that somewhat overlap with the 'past' signatures and this causes the following TMSTAT table to be corrupted over period of time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
This issue is fixed, the past attack signatures are never created in the correlation stats table (even for conditions explicitly described above)


667257-4 : CPU Usage Reaches 100% With High FastL4 Traffic

Component: TMOS

Symptoms:
CPU usage reaches 100% with high FastL4 traffic. Issue with re-offloading evicted FastL4 traffic to ePVA.
Typically observed on systems handling a lot of FastL4 traffic that have been upgraded to a version that has re-offload behavior implemented by Bug ID 563475: ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Conditions:
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.

Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.

Workaround:
None.

Fix:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on), before the flow is re-offloaded).

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.

Behavior Change:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on), before the flow is re-offloaded).

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.


667173-1 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.


667148-3 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active

Workaround:
No workaround.

Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.


665992-2 : Live Update via Proxy No Longer Works

Solution Article: K40510140

Component: Application Security Manager

Symptoms:
BIG-IP devices that need to use a proxy server to communicate with callhome.f5.com, no longer receive, or check for, automatic updates.

Conditions:
The BIG-IP device is behind a network firewall and outbound communication must be through a proxy.

Impact:
The BIG-IP will not be able to contact the callhome server to check for, or receive, updates.

Workaround:
Updates can be downloaded manually from the F5 Downloads server and installed directly on the BIG-IP.

Fix:
Proxy settings are correctly used when contacting the F5 callhome server.


665470-3 : Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised

Component: Application Security Manager

Symptoms:
Failed to Learn page malicious IP addresses in a specific case.

Conditions:
-- IP intelligence is turn on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.

Fix:
The system now Learns page malicious IP addresses when IP intelligence is turn on and logging is turned off.


665362-2 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.

Fix:
Added error handling to prevent crash. If this error occurs in the future it will not crash, but a restart of mcpd is required.


665354-1 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.


664618-1 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'

Component: Local Traffic Manager

Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.

Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.

Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.

Impact:
Connections are reset, when only alerting is expected.

Workaround:
None.

Fix:
Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile. When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic will be blocked, and logging to be seen in both LTM log and PSM event logs.


664528-2 : SSL record can be larger than maximum fragment size (16384 bytes)

Solution Article: K53282793

Component: Local Traffic Manager

Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.

Conditions:
This usually happen when a large certificate or certificate chain is configured for server or client authentication.

Impact:
SSL handshake will fail with client or server that properly checks the record size.

Workaround:
Use a certificate that is smaller in size.

Fix:
Properly fragment handshake data.


663874-2 : Off-box HSL logging does not work with PEM in SPAN mode.

Solution Article: K77173309

Component: Policy Enforcement Manager

Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.

Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.

Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.

Workaround:
There is no workaround at this time.

Fix:
Off-box HSL logging now works with PEM in SPAN mode.


663821-1 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections transverse the SNAT.

Impact:
Stats are not incremented in tmsh or GUI

Workaround:
None.

Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.


663535-2 : Sending ASM cookies with "secure" attribute even without client-ssl profile

Component: Application Security Manager

Symptoms:
ASM cookies can be set with "secure" attribute on when BIG-IP works on SSL profile.

Conditions:
Enabling ASM, network to BIG-IP without client-ssl.

Impact:
When working with encrypted network in the client side but clear network in the ASM virtual, cookies cannot be set with "secure" attributes.

Workaround:
There is no workaround at this time.

Fix:
Added an internal parameter "assume_https", to decide always setting the "secure" attribute, even when the BIG-IP network is clear.


662850-6 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349


662311-1 : CS alerts should contain actual client IP address in XFF header

Component: Fraud Protection Services

Symptoms:
When no XFF header exists, the alert server will use the sender IP address as the client IP address. Doing so is incorrect behavior because the sender IP address is always the BIG-IP system's IP address. Even if XFF headers exist, the client IP address as known to the BIG-IP system may be missing in the XFF header.

Conditions:
This occurs under either of the following conditions:
-- There is no XFF header in the original request.
-- An XFF header exists, but it does not contain the actual client IP address (as seen by the BIG-IP system).

Impact:
Alert server/BIG-IQ does not show the actual client IP address.

Workaround:
None.

Fix:
FPS now always appends the client IP address to the end of the last XFF header in the alert request. If there is no XFF header, FPS inserts one.


661939-2 : Linux kernel vulnerability CVE-2017-2647

Solution Article: K32115847


660826-3 : BIG-IQ Deployment fails with customization-templates

Component: Access Policy Manager

Symptoms:
BIG-IQ involving multiple commands in a transaction to modify customization group fails.

Conditions:
Simulation by tmsh for what's done in BIG-IQ:

1) Add a log-on agent in your policy.

2) Edit the log-on agent customization (Advanced Customication: logon.inc and view.inc both)
This should create two customization templates.

3) Make a backup of the customization template files in some folder (/tmp). For example: To copy logon.inc and view.inc for logon agent in sjc-access policy?(sjc-access_act_logon_page_ag) below cp statements worked.

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
:Common:sjc-access_act_logon_page_ag::logon.inc_74991_2

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc

4) tmsh

5) create /cli transaction

6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }

7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }

8) submit /cli transaction

Impact:
BIG IQ operation failed with scenario involving change to customization group.

Workaround:
There is no workaround.

Fix:
BIG-IQ will be able to operate on customization group successfully.


660239-6 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see such errors in the http error logs

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.


658557-3 : The snmpd daemon may leak memory when processing requests.

Solution Article: K35209601


658410-2 : icrd_child generates a core when calling PUT on ltm/data-group/internal/

Component: TMOS

Symptoms:
icrd_child generates a core file when calling PUT on ltm/data-group/internal/.

Conditions:
Calling PUT on ltm/data-group/internal/.

Impact:
The iControl REST API is temporarily not available for configuration queries or modifications.

Workaround:
There is no workaround at this time.

Fix:
icrd_child no longer cores when calling PUT on ltm/data-group/internal/.


658382-2 : Large numbers of ERR_UNKNOWN appearing in the logs

Component: Local Traffic Manager

Symptoms:
There are times when LTM Policy subsystem attempts to execute particular actions, which fail and result in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.

Conditions:
This has been observed when plugins are active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN.

Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.

Workaround:
None


658278-1 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows :
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.

Fix:
Network Access configuration with Layered-VS now works with Edge Client.


656901-3 : MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands

Component: Service Provider

Symptoms:
If the MRF 'existing_connection_only' is not there, then MRF will forward the new message to either the existing connection or creating a new connection.

If the MRF 'outgoing_connection_instance_seed' is not there, then the generation of the connection's instance number will use some internal originating connection id. Same client IP with different src_port may end up to different outgoing connection.

Conditions:
If these two new iRule commands were not there.

Impact:
1. Won't always reuse the existing connection.
2. The requests from same client IP with different src_port, the outgoing connection may be different.

Workaround:
There is no workaround at this time.

Fix:
MR::message existing_connections_only <boolean> Gets or sets a flag that instructs the MRF to only forward the message using existing connections,
and if a connection to the selected host does not exist then the route will fail.

MR::message outgoing_connection_instance_seed <integer>Gets or if been set by this iRule then this seed will be used to generate the connection instance number instead of this generated by some internal originating connection id. (See MR::connection_instance iRule command).

If the number received is larger than 32 bit then the 64 bit number will be hashed to 32 bit number.


656784-1 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Solution Article: K98510679

Component: Access Policy Manager

Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.

Windows 10 Version 1703 RDP client is using Negotiate HTTP authentication scheme, while APM requires NTLM scheme for RD Gateway.

Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Impact:
Remote desktop client is not able to authenticate and connect to the desktop.

Workaround:
Use either of the following workarounds:

-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.

-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }

    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]

    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    if {!$is_rdg_request || !$is_nego_auth} { return; }

    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}

Fix:
After upgrading to Windows 10 Creators Update (version 1703), the RDP client can still authenticate and connect via APM used as RD Gateway.


655233-2 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.


653976-4 : SSL handshake fails if server certificate contains multiple CommonNames

Solution Article: K00610259

Component: Local Traffic Manager

Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.

Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).

Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.

Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.

The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.


653759-1 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update

Component: TMOS

Symptoms:
Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:

#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0

This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0

Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.

Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.

Workaround:
There is no workaround at this time.

Fix:
Chassis Variant number is printed out as expected in the log file.


653573-4 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
ADMd daemon on device is spinning up rsync processes and not cleaning them up properly, causing tons of this zombie processes

Conditions:
If rsync process ends via exit (in the case of some trouble)

Impact:
No technical impact, but there are many zombie processes

Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.

Fix:
admd should handle SIGCHLD signal from rsync (in the case of some trouble)


653201-2 : Update the default CA certificate bundle file to the latest version and remove expiring certificates from it

Component: Local Traffic Manager

Symptoms:
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be expired.

Conditions:
If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.

Impact:
When the built-in trusted certificates are obsolete, i.e., containing a certain number of expired certificates, the systems might fail to verify peers certificate correctly.

Workaround:
You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then 'bigstart restart tmm'

Alternatively, you can use a separate certificate, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt

Fix:
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.


652877-5 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.

Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.


652502-2 : snmpd returns 'No Such Object available' for ltm OIDs

Component: TMOS

Symptoms:
When the BIG-IP starts with an expired license snmp queries for ltm related OIDs will return 'No Such Object available on this agent at this OID'.

Even if you re-activate the license or install a new one snmpd will not be notified of the change in license and will stil return 'No Such Object available on this agent at this OID' until the snmpd process is restarted.

Conditions:
The BIG-IP starts with an expired licensed which is reactivated later.

Impact:
snmp queries to the ltm OIDs like ltmRst and ltmVirtual will not return any data.

Workaround:
A restart of snmpd (bigstart restart) after the license is re-activated or a new one is installed will resolve the issue.


651741-2 : CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop

Solution Article: K60104355


651413-4 : tmsh list ltm node does not return an error when node does not exist

Solution Article: K34042229

Component: TMOS

Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.

Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.

Impact:
The command produces no output or error message. No indication of why there is no output, nor is there a description of the possible error condition.

Workaround:
None.

Fix:
TMSH now posts the appropriate, node-not-found error message when LTM nodes do not exist when running the command: tmsh list ltm node.


649161-2 : AVR caching mechanism not working properly

Solution Article: K42340304

Component: Application Visibility and Reporting

Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.

Conditions:
Using AVR caching mechanism (turned-on by default).

Impact:
Reports will be incorrect.

Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable

* NOTE: the above might cause AVR to perform a bit slower.

Fix:
The system no longer stores the dimension-based queries in the AVR cache.


648802-1 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.

Fix:
Custom AVPs included regardless of an error code in an RAA.


648766-2 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.


648320-5 : Downloading via APM tunnels could experience performance downgrade.

Solution Article: K38159538

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When packet size is too large, packet fragmentation is possible at IP layer. This causes high number of packet drops and therefore performance downgrade.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.

Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.


648242-2 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

Fix:
Allowing for administrator users to get all partitions available on query.


646615-2 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.


645615-6 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.


644822 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround.

Fix:
Fixed, so FastL4 virtual servers with enabled loose-init option will forward any RST packets.


642923-6 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system

Component: TMOS

Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.

Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.

There are a number of ways that this issue may manifest.

For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).

*Note: Depending the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a relative estimate of the number of filestore objects that might cause this issue to occur.

Impact:
mcpd restarts, which causes a system to go offline and restart services.

Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:

   modify sys daemon-ha mcpd heartbeat disable

Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.

Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.

To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.

Fix:
A possible case where mcpd goes too long without updating the heartbeat has been fixed by replacing one algorithm with a more efficient one.


642068-4 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.


641101-7 : httpd security and bug fix update CVE-2016-8743

Solution Article: K00373024


640766-2 : Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576

Solution Article: K05513373


639619-5 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
Configuration fails then to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot

Fix:
The system now always reload the .unitkey from storage when loading other keys, so the UCS loads as expected.


638091-6 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.

Fix:
Config sync after changing named pool members no longer causes mcpd on secondary blades to restart.


636997-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636994-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636992-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636986-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636982-1 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


635509-1 : APM does not support Vmware'e Blast UDP

Component: Access Policy Manager

Symptoms:
APM does not support Blast Extreme Adaptive Transport (BEAT) protocol which is required for Blast UDP

Conditions:
1. Vmware View Connection Server is configured for Blast UDP
2. Client attempts Blast UDP

Impact:
Since APM does not support Blast UDP, Vmware Horizon Client always uses TCP transport even when the network conditions dictate that UDP transport would be more efficient

Workaround:
None

Fix:
APM now adds support for Blast Extreme Adaptive Transport protocol, which in turn enables Blast UDP.


635191-2 : Under rare circumstances TMM may crash

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP failover.

Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.

Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm restart and failover no longer occur.


633441-1 : Datasync Background Tasks running even without features requiring it

Component: TMOS

Symptoms:
The Datasync Background Tasks are running daily for several hours and consuming CPU. This is expected and required to generated dynamic versions of obfuscated JavaScript. However, this is running even if there are no features enabled which require JavaScript.

Conditions:
ASM is provisioned.

Impact:
Spikes of daily CPU usage during several hours even if there are no features requiring JavaScript.

Workaround:
If there are no features requiring JavaScript, then this command limits to a single version of obfuscated JavaScript, causing this CPU spike to remain a short one, and only once daily.

tmsh modify security datasync local-profile cs-asm-dosl7 max-gen-rows 1

Important: It is not recommended to keep this configuration if any of the JavaScript features are enabled in either ASM Policy or DoS profile, because it will significantly reduce the JavaScript security.

To re-enable full JavaScript obfuscation, run this command:

tmsh modify security datasync local-profile cs-asm-dosl7 max-gen-rows infinite

The log /var/log/datasync/datasyncd.log can be used to monitor the Background Tasks.

Fix:
The Datasync Background Tasks are now running only if there are features requiring JavaScript.


632875-5 : Non-Administrator TMSH users no longer allowed to run dig

Solution Article: K37442533


632646-1 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.

Impact:
OAM login with invalid ObSSOCookie results in error page. However, expected behavior is that user is redirected to login page if login with ObSSOCokkie fails.

Workaround:
No Workaround

Fix:
Issue is fixed - On authenticate with ObSSOCookie, read getStatus() API call to check the ObSSOCookie status and redirect to IDP if it is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix user will be redirected to IDP on logging with cookie that is deleted manually from the OAM server.


631418-1 : Packets dropped by HW grey list may not be counted toward AVR.

Component: Advanced Firewall Manager

Symptoms:
If the system supports hardware grey list, packets dropped by HW grey list may not be counted toward AVR.

Conditions:
AFM license, HW grey list support.

Impact:
User visibility.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed.


631316-2 : Unable to load config with client-SSL profile error

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf


631286-3 : TMM Memory leak caused by APM URI cache entries

Component: Access Policy Manager

Symptoms:
Tmctl stats for "access_uri_info" gradually grows and can lead to TMM memory exhaustion.

Conditions:
APM or SWG in use.

Impact:
TMM memory exhaustion.

Workaround:
Restart tmm.

Fix:
This release implements a limit of how many entries the system stores in the URI cache. The default is 2048 entries. The DB variable allows a range of 2048 - 8192. You can the following DB variable to control the max limit:

access.max.euie_uri.cache.entries


630137-2 : Dynamic Signatures feature can fill up /config partition impacting system stability

Component: Advanced Firewall Manager

Symptoms:
When the AFM DoS Dynamic Signatures feature is enabled, inadequate file housekeeping results in the /config/filestore partition filling up. mcpd halts the other running daemons and the system becomes unresponsive.

Conditions:
AFM DoS Dynamic Signatures feature enabled

Configuration changes made but not saved

Device receives traffic.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Make all configuration changes via Configuration Tool (UI) or issue a 'save sys config partitions all' command.

If rolling back the configuration is a requirement, before making changes to the configuration, save a configuration snapshot to a file with the 'save sys config file <filename>' command. You can then load the previous configuration with a 'load sys config file <filename>' command.

Fix:
AFM DoS Dynamic Signatures file housekeeping improved, /config filestore no longer fills up.


629334-1 : Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly

Component: Access Policy Manager

Symptoms:
In some cases Portal Access rewrites incorrectly JavaScript expressions enclosed into parentheses.

Conditions:
JavaScript code with the following constructions:
- (a.b) (...)
- (a[b]) (...)
- (b) = ...
Assuming 'b' is an element to be rewritten.
Some examples:
- (window.open) ("", "_blank");
- (form["submit"])();
- (location) = "http://some.org/";

Impact:
JavaScript code may not work correctly. In some cases, JavaScript code becomes syntactically incorrect.

Workaround:
Use iRule to remove parentheses around JavaScript expressions where necessary.

Fix:
Now JavaScript expressions in parentheses are rewritten correctly.


624231-4 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruptions in some cases

Conditions:
This issue can happen when system there is are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the pem throttle feature for content insertion


621260-4 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.


618884-6 : Behavior when using VLAN-Group and STP

Component: Local Traffic Manager

Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.

Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.

Note: This issue is a constraint to soft switched platforms.

Impact:
May not see ICMP response traffic.

Workaround:
None.


617643-2 : iControl.ForceSessions enabled results in GUI error on certain pages

Component: TMOS

Symptoms:
GUI pages display 'An error has occurred while trying to process your request.'

Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.

Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.

Workaround:
Use shell for related administrative tasks or if feature is not used, disable with the following command:

tmsh# modify sys db icontrol.forcesessions value disable

Fix:
Enabled GUI to adapt when the iControl.ForceSessions is set to 'enable'.


616008-1 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.

Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.


612792-1 : Support RDP redirection for connections launched from APM Webtop on iOS

Component: Access Policy Manager

Symptoms:
Launching Native RDP resource from APM Webtop might fail on iOS.

Conditions:
1. Native RDP resource is launched from APM Webtop on iOS.
2. The RDP connection is redirected from one RDP server to another. This typically happens in RDP farm (multiple RDP servers) deployments.

Impact:
Native RDP resource can't be launched.

Workaround:
iOS RDP client version 8.1.35 allows workaround with following “Variable Assign” agent in Access Policy:
  Custom Variable:
    session.client.platform
  Custom Expression:
    set client_os [mcget {session.client.platform}];
    return [expr {$client_os == "iOS" ? "Android" : $client_os}];

Fix:
RDP redirection is now supported for connections launched from APM Webtop on iOS. Launching RDP resources from APM Webtop now requires at least version 8.1.35 of iOS RDP client.


612118-2 : Nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Component: Access Policy Manager

Symptoms:
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Conditions:
SWG per-request policy with proxy select agent.

Impact:
The BIG-IP system directly communicates with the backend to fetch server certificates.

Workaround:
None.

Fix:
Next-hop proxy gets used for all the connections that use proxy-select agent even for fetching the backend cert. In earlier version it would use the default route to fetch the certificate.

In transparent mode for https traffic, the proxy select agent is able to use the host & port information gathered from the backend certificate as the per-request policy can run before the cert fetching process. Therefore there is no longer a requirement for the per-request policy to have a category lookup agent before the proxy select agent.


608988-1 : Error when deleting multiple ASM Policies

Component: Application Security Manager

Symptoms:
Error when attempting to delete multiple ASM policies at once.

Conditions:
Multiple ASM policies are selected for deletion that have multiple XML profiles configured on their URLs.

Impact:
Operation fails with ASM subsystem error messages in asm log.

Workaround:
Delete policies one at a time.

Fix:
Multiple ASM policy delete finishes successfully.


606983-2 : ASM errors during policy import

Component: Application Security Manager

Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.

ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.

Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.

Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.

Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.


605649-2 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.


602708-4 : Traffic may not passthrough CoS by default

Solution Article: K84837413

Component: Local Traffic Manager

Symptoms:
Traffic being forwarded by TMM may not passthrough the Class of Service (CoS) received.

Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.

Fix:
TMM now correctly passes through CoS by default.


599567-3 : APM assumes SNAT automap, does not use SNAT pool

Component: Local Traffic Manager

Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
Also SNAT configuration of 'None' does not work. It always works as if it is configured with Automap.

Conditions:
SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).

Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.

Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.

Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual sever.

Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.

Fix:
The system now honors the virtual server SNAT configuration.


598085-1 : Expected telemetry is not transmitted by sFlow on the standby-mode unit.

Component: TMOS

Symptoms:
The expected telemetry is not transmitted by sFlow on the standby-mode unit. In a high-availability (HA)/redundant BIG-IP configuration, standby BIG-IP units are failing to generate sFlow telemetry packets containing unit-specific data.

Conditions:
In a high-availability/redundant BIG-IP configuration with sFlow configured.

Impact:
The sFlow data being transmitted by the standby unit consists of packet samples of the HA Heartbeat traffic, and no other telemetry information.

Workaround:
None.


594751-1 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN

Solution Article: K90535529

Component: Local Traffic Manager

Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.

Conditions:
1. LLDP is enabled globally and per interface.

2. Interfaces are added to a trunk after it has already been assigned to a VLAN.

For instance, assume the following protocol were followed for creating an LLDP trunk:

tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }

The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.

Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.

Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.

If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
 bigstart restart lldpd

Fix:
VLANs are now properly applied to any interfaces added to a trunk if the trunk already belongs to any VLANs.


589233-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


589083-6 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.


581921-3 : Required files under /etc/ssh are not moved during a UCS restore

Solution Article: K22327083

Component: TMOS

Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.

Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.

Impact:
This might impact SSH operations.

Workaround:
Add the /etc/ssh directory to the UCS backup configuration. This causes all subsequent UCS backup and restore operations will now include the /etc/ssh/ directory.

To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.

Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.


581851-6 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands

Solution Article: K16234725

Component: TMOS

Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.

Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appears similar to the following example:
 + err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

 + err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.

Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.

Workaround:
None.

Fix:
This issue no longer occurs.


580537-3 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager (DNS)

Symptoms:
The geoip_update_data script will not install a City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat

Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.


576123-4 : ASM policies are created as inactive policies on the peer device

Solution Article: K23221623

Component: Application Security Manager

Symptoms:
ASM policies are created as inactive policies on the peer device.

Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.

Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.

Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.

Fix:
This release fixes the ASM Synchronization mechanism so that ASM policies are correctly created on the peer device


571651-4 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

    'n3-cryptoX request queue stuck'.

Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.

An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.

Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.

Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.


563661-1 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases, datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM provisioned and enabled.

Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue has been fixed.


562921-5 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.

Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"


551925-4 : Misdirected UDP traffic with hardware acceleration

Component: TMOS

Symptoms:
UDP traffic might be forwarded to the wrong destination when using hardware acceleration.

Conditions:
If the UDP timeout is lower than the embedded Packet Velocity Acceleration (ePVA) aging timeout.

This occurs because UDP connections are accelerated until the ePVA aging timeout expires for the connection. If the ePVA aging timeout is greater than the UDP timeout, then TMM removes the connection from software, but the connection is still accelerated in the ePVA. Subsequent traffic then matches to the original connection, causing it to be sent to the wrong destination.

Impact:
Traffic can be sent to the wrong destination.

Workaround:
You can use either or both of the following workarounds:
-- Increase the UDP timeout (60s or more).
-- Disable UDP hardware acceleration.


536831-1 : APM PAM module does not handle local-only users list correctly

Component: Access Policy Manager

Symptoms:
The following log messages are shown in /var/log/secure, when remote-auth (APM based) is configured and when trying to authenticate local users:

-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"

This failure log shows that the system first attempts to authenticate local users (like admin, root, etc.) remotely.

Conditions:
This occurs when following conditions are met:
- APM is provisioned on a BIG-IP system.
- APM-based remote-auth is configured.
- Local users (like admin, root, etc.) attempt to log into the management interface of that BIG-IP system.

Impact:
Local users credentials are sent to remote authentication servers which will return auth failure. However, in the second attempt, the system attempts to authenticate a user locally, and it will succeed, as expected. Check below logs:

-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"

Workaround:
None.

Fix:
Local users are authenticated locally. The system no longer sends request to remote servers for local users.


530775-3 : Login page may generate unexpected HTML output

Solution Article: K23734425


514703-3 : gtm listener cannot be listed across partitions

Component: TMOS

Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.

Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.

For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.

Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.

Workaround:
Change to the partition where the listener exists before performing any operations on it.

Fix:
The system can now reference GTM listeners across partitions.


513310-5 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.

Impact:
TMM might core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now reinitializes the TCP proxy filter chain on profile change, so that tmm no longer cores.


504522-1 : Trailing space present after 'tmsh ltm pool members monitor' attribute value

Component: Local Traffic Manager

Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.

Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.

Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).

Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.

Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.


495443-9 : ECDH negotiation failures logged as critical errors.

Solution Article: K16621

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.


495242-4 : mcpd log messages: Failed to unpublish LOIPC object

Component: Local Traffic Manager

Symptoms:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory).

Conditions:
This is an intermittent issue that occurs on standby systems in High Availability (HA) configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either the file has already been removed or it was not created.

Impact:
This is a benign error that can be safely ignored.

Workaround:
None.

Fix:
The system now suppresses logging when attempting to delete non-existent file.


491560-2 : Using proxy for IP intelligence updates

Component: TMOS

Symptoms:
When connecting to the proxy server, the iprepd daemon doesn't send in CONNECT request the value of DB variable iprep.server but its locally resolved IP address.

Conditions:
The following DB variables are configured to use proxy:
proxy.host
proxy.port

This presents a problem when the proxy server is configured to allow only IPs that have a reverse lookup.

Impact:
When the proxy sees the traffic it denies it, because the reverse lookup for that server IP is not present.

Workaround:
Use one of the workarounds:

-- Do not use proxy.

-- Check the server IP address regularly and maintain proxy white list manually.

Fix:
Now the iprepd daemon sends CONNECT request with the value of DB variable iprep.server and lets the proxy server do the DNS lookup.


471237-4 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.

Conditions:
Deploy a BIG-IP VE guests in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.

Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.


464650-6 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
Mcpd restarts

Workaround:
None.

Fix:
Failure of mcpd with invalid authentication context no longer occurs.


463097-5 : Clock advanced messages with large amount of data maintained in DNS Express zones

Component: Local Traffic Manager

Symptoms:
Clock advanced messages with a large amount of data maintained in DNS Express (DNSX) zones, the TMM can suffer from clock advances when performing the DB reload.

Conditions:
Large enough zones into DNSX (several hundred thousand to several million records depending on hardware).

Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.

Workaround:
Prevent all updates to DNSX zones.

Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones has been significantly improved. DNSX DB now reside in /shared to resolve DB size issues.


452283-5 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.

Fix:
Fixed MP_FASTCLOSE handling.


440620-1 : New connections may be reset when a client reuses the same port as it used for a recently closed connection

Component: Local Traffic Manager

Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.

Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.

Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.

Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.

Fix:
Improved abort handling to better clean up hanging connections.


251162-1 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Solution Article: K11564

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.



Known Issues in BIG-IP v13.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
774445-3 1-Blocking   BIG-IP VE does not pass traffic on ESXi 6.7 Update 2
698085 1-Blocking   Transparent mode VLAN group may not work on vCMP guests
774361-3 2-Critical   IPsec High Availability sync during multiple failover via RFC6311 messages
769817 2-Critical   BFD fails to propagate sessions state change during blade restart
769809-2 2-Critical   vCMP guests 'INOPERATIVE' after upgrade
769169-1 2-Critical   BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
767877-1 2-Critical   TMM core with Bandwidth Control on flows egressing on a VLAN group
767013-4 2-Critical   Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
762205-1 2-Critical   IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
760408-1 2-Critical K23438711 System Integrity Status: Invalid after BIOS update
757722-1 2-Critical   Unknown notify message types unsupported in IKEv2
757357 2-Critical   Tmm crashes when using virtio direct descriptors and packets 2 KB or larger
756830-4 2-Critical   BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
756402-1 2-Critical   Re-transmitted IPsec packets can have garbled contents
756071-1 2-Critical   MCPD crash
753650 2-Critical   The BIG-IP system reports frequent kernel page allocation failures.
749388 2-Critical   'table delete' iRule command can cause TMM to crash
748205-1 2-Critical   SSD bay identification incorrect for RAID drive replacement
747203-4 2-Critical   Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
746464-3 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
743271-3 2-Critical   Querying vCMP Health Status May Show Stale Statistics
742419-1 2-Critical   BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
740994-1 2-Critical   AWS pool member discovery (f5-iAppLX-aws-autoscale) does not work
737692-1 2-Critical   Handle x520 PF DOWN/UP sequence automatically by VE
737055-2 2-Critical   Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
734539-3 2-Critical   The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
724556-2 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
714281-2 2-Critical   NSH tunnel reject inner packet from other vendor
708968-2 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
705730-1 2-Critical   Config fails to load due to invalid SSL cipher after upgrade from v13.1.0
693206 2-Critical   iSeries LCD screen is frozen on a red spinning 'please wait' indicator
686996-1 2-Critical   TMM core under heavy load with PEM
671741-3 2-Critical   LCD on iSeries devices can lock at red 'loading' screen.
648270-3 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
593536-6 2-Critical K64445052 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
775797 3-Major   Previously deleted user account might get authenticated
775733-2 3-Major   /etc/qkview_obfuscate.conf not synced across blades
773577-3 3-Major   SNMPv3: When a security-name and a username are the same but have different passwords then traps are not properly crafted
773333-3 3-Major   IPsec CLI help missing encryption algorithm descriptions
772497-3 3-Major   When BIG-IP is configured to use a proxy server, updatecheck fails
772117-1 3-Major   Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card
769029-2 3-Major   Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
767737-3 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
767305-3 3-Major   If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
765969-3 3-Major   Not able to get HSB register dump from hsb_snapshot on B4450 blade
764873-4 3-Major   An accelerated flow transmits packets to a dated, down pool member.
762073-1 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
761993-4 3-Major   The nsm process may crash if it detects a nexthop mismatch
761321-4 3-Major   'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
760950-2 3-Major   Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
760622-1 3-Major   Allow Device Certificate renewal from BIG-IP Configuration Utility
760363 3-Major   Update Alias Address field with default placeholder text
760259-2 3-Major   Qkview silently fails to capture qkviews from other blades
759735-1 3-Major   OSPF ASE route calculation for new external-LSA delayed
758781-1 3-Major   iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
758387-4 3-Major   BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
756820-1 3-Major   Non-UTF8 characters returned from /bin/createmanifest
755197-1 3-Major   UCS creation might fail during frequent config save transactions
753860-1 3-Major   Virtual server config changes causing incorrect route injection.
753423-4 3-Major   Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation
753001-3 3-Major   mcpd can be killed if the configuration contains a very high number of nested references
752994-3 3-Major   Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
752228 3-Major   GUI Network Map to account for objects in a Disabled By Parent state
751581-1 3-Major   REST API Timeout while queriying large number of persistence profiles
751409-3 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
751024-2 3-Major   i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
751021-3 3-Major   One or more TMM instances may be left without dynamic routes.
749785-1 3-Major   nsm can become unresponsive when processing recursive routes
747799-2 3-Major   'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile
747676-1 3-Major   Remote logging needs 'localip' to set source IP properly
746758 3-Major   Qkview produces core file if interrupted while exiting
746657-3 3-Major   tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
746650 3-Major   Stale packets in HSB transmit queue causes HSB DMA lockup
746333 3-Major   Setting the hostname to non-FQDN value prevents upgrade
746266-1 3-Major   Vcmp guest vlan mac mismatch across blades.
745825-3 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
745261-1 3-Major   The TMM process may crash in some tunnel cases
744936 3-Major   Adding a default tmm gateway in AWS breaks failover between two instances if the default tmm gateway can't provide route to the ec2 metadata service at 169.254.169.254.
744520-3 3-Major   virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
744252-3 3-Major   BGP route map community value: either component cannot be set to 65535
743132-4 3-Major   mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
742753-2 3-Major   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
741902-3 3-Major   sod does not validate message length vs. received packet length
740589-3 3-Major   mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
740517-3 3-Major   Application Editor users are unable to edit HTTPS Monitors via the Web UI
740413-3 3-Major   sod not logging Failover Condition messages
740280-1 3-Major   Configuration Utility and tmsh may not validate Certificate Authority profile names
740135-3 3-Major   Traffic Group ha-order list does not load correctly after reset to default configuration
739872-2 3-Major   The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
739820-3 3-Major   Validation does not reject IPv6 address for TACACS auth configuration
739533-4 3-Major   In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
739400 3-Major   iControl REST fails to list virtual servers
739118-3 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
738943-5 3-Major   imish command hangs when ospfd is enabled
738445-2 3-Major   IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
737901-2 3-Major   Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
737346-3 3-Major   After entering username and before password, the logging on user's failure count is incremented.
735565-1 3-Major   BGP neighbor peer-group config element not persisting
734846-3 3-Major   Redirection to logon summary page does not occur after session timeout
734836-3 3-Major   Network Map summary counts pool members more than once if they are shared across pools
725985-1 3-Major   REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured
724889 3-Major   BIG-IP VE in AWS does not failover NATs in same availability zone
724706-1 3-Major   iControl REST statistics request causes CPU spike
723553-1 3-Major   BIG-IP installations on RAID systems (old style) may not boot
721806 3-Major   Traffic Policy edit to datagroup errors on adding ASM disable action
721020-3 3-Major   Changes to the master key are reverted after full sync
720610 3-Major   Updatecheck logs bogus 'Update Server unavailable' on every run
718800-2 3-Major   Cannot set a password to the current value of its encrypted password
716166-4 3-Major   Dynamic routing not added when conflicting self IPs exist
715379-1 3-Major   IKEv2 accepts asn1dn for peers-id only as file path of certificate file
715115 3-Major   Application Security roles are not showing all accessible objects in GUI
715061-2 3-Major   vCMP: tmm core in guest when stopping vCMP guest from host
714986-3 3-Major   Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714216-2 3-Major   Folder in a partition may result in load sys config error
713708 3-Major   Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
712033-2 3-Major   When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
710173 3-Major   TMSH dns-resolver allows route-domain from another partition
709559-2 3-Major   LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
709544-2 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
707320-2 3-Major   Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
706703-1 3-Major   TMM crashes when changing virtual server's profile to fastL4 profiles while traffic flows
705651-1 3-Major   Async transaction may ignore polling requests
705037-2 3-Major   System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704546 3-Major   Symlinks may be corrupted by upgrade
703090-4 3-Major   With many iApps configured, scriptd may fail to start
702310-1 3-Major   The ':l' and ':h' options are not available on the tmm interface in tcpdump
701722-1 3-Major   Potential mcpd memory leak for signed iRules
701529-1 3-Major   Configuration may not load or not accept vlan or tunnel names as "default" or "all"
701341-1 3-Major K52941103 If /config/BigDB.dat is empty, mcpd continuously restarts
700897-1 3-Major   sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
700794-1 3-Major   Cannot replace a FIPS key with another FIPS key via tmsh
698933-1 3-Major   Setting metric-type via ospf redistribute command may not work correctly
698619-2 3-Major   Disable port bridging on HSB ports for non-vCMP systems
698432-2 3-Major   Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
698222-1 3-Major   Added RX latency with ixlv devices on VE after host reboot
698034-1 3-Major   PKCS12 file imported via Configuration utility into folder is placed at partition root
698013-1 3-Major K27216452 TACACS+ system auth and file descriptors leak
693563-1 3-Major K22942093 No warning when LDAP is configured with SSL but with a client certificate with no matching key
692371 3-Major   Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log
691749-1 3-Major   Delete sys connection operations cannot be part of TMSH transactions
690928 3-Major   System posts error message: 01010054:3: tmrouted connection closed
690259 3-Major   Benign message 'keymgmtd started' is reported at log-level alert.
689567-1 3-Major   Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
688231 3-Major   Unable to set VET, AZOT, and AZOST timezones
687617-1 3-Major   DHCP request-options when set to "none" are reset to defaults when loading the config.
687115-2 3-Major   SNMP performance can be impacted by a long list of allowed-addresses
686816-1 3-Major   Link from iApps Components page to Policy Rules invalid
684096-2 3-Major   stats self-link might include the oid twice
683767-1 3-Major   Users are not able to complete the sync using GUI
683706-3 3-Major   Pool member status remains 'checking' when manually forced down at creation
679901-1 3-Major   iControl-REST timeout value is not configurable.
675298-2 3-Major   F5 MIB value types changed to become RFC compliant
673952-3 3-Major   1NIC VE in HA device-group shows 'Changes Pending' after reboot
667618-1 3-Major   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
664017-9 3-Major   OCSP may reject valid responses
658716-1 3-Major   MCPd SIGSEGV in boost::checked_delete
657912-3 3-Major   PIM can be configured to use a floating self IP address
657834-6 3-Major K45005512 Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
649682-1 3-Major   'list cm device build' data is not synchronized correctly across a device trust group
648917 3-Major   Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform
648621-5 3-Major   SCTP: Multihome connections may not expire
641450-5 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
627760-5 3-Major   gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626030-1 3-Major   TMM restart and failover.
624016 3-Major   Traffic data stats got lost on hardware accelerated flows when the flows are terminated earlier
620954-5 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
606032-3 3-Major   Network Failover-based HA in AWS may fail
601220-1 3-Major   Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
596020-5 3-Major   Devices in a device-group may report out-of-sync after one of the devices is rebooted
593361-2 3-Major   The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.
591305-1 3-Major   Audit log messages with "user unknown" appear on install
589856-5 3-Major   iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
587821-6 3-Major K91818030 vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
569859-1 3-Major   Password policy enforcement for root user when mcpd is not available
402691-1 3-Major   The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP
766321 4-Minor   boot slots created on pre-14.x systems lack ACLs
761084 4-Minor   Custom monitor fields appear editable for Auditor, Operator, or Guest
759852-2 4-Minor   SNMP configuration for trap destinations can cause a warning in the log
758348 4-Minor   Cannot access GUI via hostname when it contains _ (underscore character)
753536 4-Minor   REST no longer requires a token to login for TACACS use
751103 4-Minor   TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
749469 4-Minor   Unable to issue iControl rest API to perform 'tmsh show running-config' command
748940-1 4-Minor   iControl REST cert creation not working for non-Common folder
746152-3 4-Minor   Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
742105-1 4-Minor   Displaying network map with virtual servers is slow
734269 4-Minor   Difficulty in selection from large numbers of iRules for Virtual Server configuration
726317-4 4-Minor   Improved debugging output for mcpd
723988-2 4-Minor   IKEv1 phase2 key length can be changed during SA negotiation
723833-1 4-Minor   IPsec related routing changes can misfire, like changing tunnel mode to interface mode
722647-2 4-Minor   The configuration of some of the Nokia alerts is incorrect
721526-2 4-Minor   tcpdump fails to write verbose packet data to file
715331-1 4-Minor   IKEv2 logs peers_id comparisons and cert verfication failures
713183-2 4-Minor   Malformed JSON files may be present on vCMP host
713169 4-Minor   License String 'ASM-VE' was not recognized by the UI in the policy rule page
713138-2 4-Minor   TMUI ILX Editor inserts an unnecessary linefeed
713134-2 4-Minor   Small tmctl memory leak when viewing stats for snapshot files
712241 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
708415-2 4-Minor   Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
703509-2 4-Minor   Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
699209-1 4-Minor   API errors can prevent access to login history in Configuration Utility
698991-1 4-Minor K64258832 CPU utilization on i850 is not a reliable indicator of system capacity
692172-1 4-Minor   rewrite profile causes "No available pool member" failures when connection limit reached
692165-1 4-Minor   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
691571 4-Minor   tmsh show sys software doesn't show the correct HF version
691171-1 4-Minor   static and dynamically learned blackhole route from ZebOS cannot be deleted
689147 4-Minor   Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
685233-1 4-Minor K13125441 tmctl -d blade command does not work in an SNMP custom MIB
673811-1 4-Minor   After an upgrade, IPsec tunnels may fail to start
627506-1 4-Minor   Unable to change management-ip address
611724 4-Minor   LTM v11.5.4 HF1 iApp folders removed on partition load
550526-2 4-Minor   Some time zones prevent configuring trust with a peer device using the GUI.
484683-3 4-Minor   Certificate_summary is not created at peer when the chain certificate is synced to HA peer.
769145-3 5-Cosmetic   Syncookie threshold warning is logged when the threshold is disabled
761621-4 5-Cosmetic   Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"
720669-2 5-Cosmetic   Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.
719555 5-Cosmetic   Interface listed as 'disable' after SFP insertion and enable
713519-2 5-Cosmetic   Enabling MCP Audit logging does not produce log entry for audit logging change
679431-1 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
759968 1-Blocking   Distinct vCMP guests are able to cluster with each other.
770953-4 2-Critical   'smbclient' executable does not work
757441-2 2-Critical   Specific sequence of packets causes Fast Open to be effectively disabled
757391-3 2-Critical   Datagroup iRule command class can lead to memory corruption
756450-2 2-Critical   Traffic using route entry that's more specific than existing blackhole route can cause core
755585-3 2-Critical   mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction
746710-2 2-Critical   Use of HTTP::cookie after HTTP:disable causes TMM core
745589-4 2-Critical   In very rare situations, some filters may cause data-corruption.
743950-2 2-Critical   TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
742184-1 2-Critical   TMM memory leak
739927-3 2-Critical   Bigd crashes after a specific combination of logging operations
737985 2-Critical   BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
734551 2-Critical   L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
724214-3 2-Critical   TMM core when using Multipath TCP
715088 2-Critical   Changing WebSocket payload protocol profile from mqtt back to none causes TMM restart
711907 2-Critical   TMM may consume excessive resources when processing UDP traffic
706501 2-Critical   VCMP guest, tmm continues to restart on Cavium Nitrox PX platform
691706-5 2-Critical   HTTP2/SPDY profile can cause orphaned connections
682273-1 2-Critical   Connection rate limit on a pool member can be exceeded
667779-1 2-Critical   iRule commands may cause the TMM to crash in very rare situations.
663925-1 2-Critical   Virtual server state not updated with pool- or node-based connection limiting
431480-5 2-Critical K17297 Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
776229-4 3-Major   iRule 'pool' command no longer accepts pool members with ports that have a value of zero
773421-2 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
770477-3 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
769193-1 3-Major   Added support for faster congestion window increase in slow-start for stretch ACKs
767217-3 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
763093-1 3-Major   LRO packets are not taken into account for ifc_stats (VLAN stats)
760771-3 3-Major   FastL4-steered traffic might cause SSL resume handshake delay
760679 3-Major   Memory corruption when using C3D on certain platforms
760550-3 3-Major   Retransmitted TCP packet has FIN bit set
760050-4 3-Major   cwnd warning message in log
759056-1 3-Major   stpd memory leak on secondary blades in a multi-blade system
758992-1 3-Major   The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
758631-2 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
758437-4 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-2 3-Major   Optimistic ACKs degrade Fast L4 statistics
757505-2 3-Major   peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
757442-1 3-Major   A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
757029-4 3-Major   Ephemeral pool members may not be created after config load or reboot
756812-1 3-Major   Nitrox 3 instruction/request logger may fail due to SELinux permission error
756647-3 3-Major   Global SNAT connections do not reset upon timeout.
756538-1 3-Major   Failure to open data channel for active FTP connections mirrored across an HA pair.
755997-1 3-Major   Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
755791-4 3-Major   UDP monitor not behaving properly on different ICMP reject codes.
755727-3 3-Major   Ephemeral pool members not created after DNS flap and address record changes
755631-3 3-Major   UDP / DNS monitor marking node down
754604-3 3-Major   iRule : [string first] returns incorrect results when string2 contains null
754349 3-Major   FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
754218-1 3-Major   Stateless virtual servers does not work for non-standard load-balancing methods
753805-1 3-Major   BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
753594-3 3-Major   In-TMM monitors may have duplicate instances or stop monitoring
753526-3 3-Major   IP::addr iRule command does not allow single digit mask
753514-1 3-Major   Large configurations containing LTM Policies load slowly
753159-3 3-Major   Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
752530-3 3-Major   TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-3 3-Major   Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
751718 3-Major   Connection tear down takes longer when using FastL4 profiles and connection mirroring.
751036-3 3-Major   Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
750473-3 3-Major   VA status change while 'disabled' are not taken into account after being 'enabled' again
749414-2 3-Major   Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects
749294-2 3-Major   TMM cores when query session index is out of boundary
748891-3 3-Major   Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
748182 3-Major   pkcs11d error code not logged in logs
747907-1 3-Major   Persistence records leak while the HA mirror connection is down
747077-1 3-Major   Potential crash in TMM when updating pool members
746922-4 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
746078-3 3-Major   Upgrades break existing iRulesLX workspaces that use node version 6
743900-3 3-Major   Custom DIAMETER monitor requests do not have their 'request' flag set
743257-1 3-Major   Fix block size insecurity init and assign
742838-3 3-Major   A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition
742237-2 3-Major   CPU spikes appear wider than actual in graphs
740959-2 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
739638-2 3-Major   BGP failed to connect with neighbor when pool route is used
738450-3 3-Major   Parsing pool members as variables with IP tuple syntax
726734-1 3-Major   DAGv2 port lookup stringent may fail
726232-2 3-Major   iRule drop/discard may crash tmm
726058 3-Major   DHCP in forwarding mode decrements the received DHCP client side IP TTL prior to forwarding the packets towards the DHCP server
726001-1 3-Major   Rapid datagroup updates can cause type corruption
723306-3 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
722707-4 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720440-1 3-Major   Radius monitor marks pool members down after 6 seconds
720219 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
719304-2 3-Major   Inconsistent node ICMP monitor operation for IPv6 nodes
719300 3-Major   ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
718867-2 3-Major   tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades
718790-3 3-Major   Traffic does not forward to fallback host when all pool members are marked down
716952-2 3-Major   With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
716492-2 3-Major K59332523 Rateshaper stalls when TSO packet length exceeds max ceiling.
716167-1 3-Major   the value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bpq
715323 3-Major   iControl SOAP attribute ssl_profile not supported for in-tmm https monitor
714503-2 3-Major   When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
714495-2 3-Major   When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
714372-2 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
714292-1 3-Major   Transparent forwarding mode across multiple VLAN groups or virtual-wire
713585-3 3-Major K31544054 When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
712919-1 3-Major   Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
712489-2 3-Major   TMM crashes with message 'bad transition'
710930-1 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
709963-2 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709837-2 3-Major   Cookie persistence profile may be configured with invalid parameter combination.
709381 3-Major   iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
706505-2 3-Major   iRule table lookup command may crash tmm when used in FLOW_INIT
705387 3-Major   HTTP/2, ALPN and SSL
705112-2 3-Major   DHCP server flows are not re-established after expiration
704450-3 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
699758 3-Major   Intermittent connection resets are seen in HTTP/2 gateway when HTTP/2 preface is sent to server
698420-1 3-Major   SSL handshake fails for some servers if their root certificates are not in the configured CA bundle
695109-1 3-Major K15047377 Changes to fallback persistence profiles attached to a Virtual server are not effective
694697-1 3-Major K62065305 clusterd logs heartbeat check messages at log level info
693582-1 3-Major   Monitor node log not rotated for certain monitor types
690699-2 3-Major   Fragmented SSL handshake messages cause Proxy SSL handshake to fail
689361-1 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
688140-2 3-Major   Forward Proxy SSL server side may send a wrong SNI extension when the client does not send one
687887-1 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
687044-3 3-Major   tcp-half-open monitors might mark a node up in error
686563-1 3-Major   WMI monitor on invalid node never transitions to DOWN
686547-1 3-Major   WMI monitor sends logging data for credentials when no credentials specified
686101-1 3-Major K73346501 Creating a pool with a new node always assigns the partition of the pool to that node.
686059-2 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
683061-1 3-Major   Rapid creation/update/deletion of the same external datagroup may cause core
681814-1 3-Major   Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded
679687-1 3-Major   LTM Policy applied to large number of virtual servers causes mcpd restart
676557-1 3-Major   Binary data marshalled to TCL may be converted to UTF8
675367-2 3-Major K95393925 The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication
655383-3 3-Major   Failure to extend database continues to execute rather than halting because of fragmented state.
649275-1 3-Major   RSASSA-PSS client certificates support in Client SSL
646440-3 3-Major   TMSH allows mirror for persistence even when no mirroring configuration exists
637613-5 3-Major K24133500 Cluster blade being disabled immediately returns to enabled/green
620053-2 3-Major   Gratuitous ARPs may be transmitted by active unit being forced offline
604811-2 3-Major   Under certain conditions TMM may crash while processing OneConnect traffic
544958-3 3-Major   Monitors packets are sent even when pool member is 'Forced Offline'.
429124-5 3-Major K15069 ePVA does not work with lasthop pools with only one member
273104-1 3-Major   Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
774173-1 4-Minor   WebUI - Cipher Group preview causes HA sync state to become Changes Pending
772297-3 4-Minor   LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
769309-3 4-Minor   DB monitor reconnects to server on every probe when count = 0
763197-2 4-Minor   Flows not mirrored on wildcard Virtual Server with opaque VLAN group
760683-2 4-Minor   RST from non-floating self-ip may use floating self-ip source mac-address
758435 4-Minor   Ordinal value in LTM policy rules sometimes do not work as expected
757777-2 4-Minor   bigtcp does not issue a RST in all circumstances
756443 4-Minor   GUI cannot edit ILX workspace/extension objects with certain non-alphanumeric characters.
747628-3 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
747585-2 4-Minor   TCP Analytics supports ANY protocol number
744210-1 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.
743116-2 4-Minor   Chunked responses may be incorrectly handled by HTTP/2
726983 4-Minor   Inserting multi-line HTTP header not handled correctly
724746-1 4-Minor   Incorrect RST message after 'reject' command
722534-3 4-Minor   load sys config merge not supported for iRulesLX
699076-1 4-Minor   URI::path iRules command warns end and start values equal
693901-4 4-Minor   Active FTP data connection may change source port on client-side
680680-1 4-Minor   The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
675911-4 4-Minor K13272442 Dashboard CPU history file may contain incorrect values
594064-5 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
592503-1 4-Minor   TMM 'timer' device does not report 'busy' for non-priority timers.
571622-2 4-Minor   'Exceeding pool member limit' error with FQDN pool members and non-LTM license
470807-2 4-Minor   iRule data-groups are not checked for existence
666378-3 5-Cosmetic   A virtual server's connections per second (precision.last_value) is confusingly named.


Performance Issues

ID Number Severity Solution Article(s) Description
682209 2-Critical   Per Request Access Policy subroutine performance down by about 7%
746620-1 3-Major   "source-port preserve" does not work on BIG-IP Virtual Edition
747960 4-Minor   BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
737726-2 2-Critical   If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon
722741-3 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
264701-2 2-Critical   GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
774481-3 3-Major   DNS Virtual Server creation problem with Dependency List
774225-1 3-Major   mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
760615-4 3-Major   Virtual Server discovery may not work after a GTM device is removed from the sync group
756177-1 3-Major   GTM marks pool members down across datacenters
754901-3 3-Major   Frequent zone update notifications may cause TMM to restart
751540-1 3-Major   GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
750213-2 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
746719-3 3-Major   SERVFAIL when attempting to view or edit NS resource records in zonerunner
746348-1 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
745035-1 3-Major   gtmd crash
744787-2 3-Major   Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
739553-3 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
737529-2 3-Major   [GTM] load or save configs removes backslash \ from GTM pool member name
723095-2 3-Major   Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
722734-1 3-Major   'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system.
716701-1 3-Major K43005133 iControl REST: Unable to create Topology when STATE name contains space
714507-2 3-Major   [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
712500-1 3-Major   Unhandled Query Action Drops Stat does not increment after transparent cache miss
708421-2 3-Major K52142743 DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
704198-3 3-Major K29403988 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
701232-2 3-Major   Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation
698211-1 3-Major K35504512 DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
688335-5 3-Major K00502202 big3d may restart in a loop on secondary blades of a chassis system
679316-5 3-Major   iQuery connections reset during SSL renegotiation
672491-5 3-Major K10990182 net resolver uses internal IP as source if matching wildcard forwarding virtual server
222220-2 3-Major   Distributed application statistics
775801-4 4-Minor   [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
755282-3 4-Minor   [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
752216-4 4-Minor K33587043 DNS queries without the RD bit set may generate responses with the RD bit set
744280-1 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak
740284-2 4-Minor   Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
726412-2 4-Minor   Virtual server drop down missing objects on pool creation
712335-1 4-Minor   GTMD may intermittently crash under unusual conditions.
688266-5 4-Minor   big3d and big3d_install use different logics to determine which version of big3d is newer


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
662308 2-Critical   BD core
773553-4 3-Major   ASM JSON parser should allow numbers, strings, or one of three literal names (false, null, true) as per RFC8259
769981-3 3-Major   bd crashes in a specific scenario
764373-1 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
761941-3 3-Major   ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761565-3 3-Major   ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end
760949 3-Major   Empty hostname in remote log after modification
738789-2 3-Major   ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
718232-2 3-Major   Some FTP servers may cause false positive for ftp_security
716324-2 3-Major   CSRF protection fails when the total size of the configured URL list is more than 2 KB
711818-3 3-Major   Connection might get reset when coming to virtual server with offload iRule
701025-2 3-Major   BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
698361-1 3-Major   The ASM-FPS fingerprint is not presented in dashboard
694934-1 3-Major   bd crashes on a very specific and rare scenario
689982-3 3-Major   FTP Protocol Security breaks FTP connection
686763-1 3-Major   asm_start is consuming too much memory
686500-1 3-Major   Adding user defined signature on device with many policies is very slow
667414-1 3-Major   JSON learning of parameters in WebSocket context is not working
424588-1 3-Major   iRule command [DOSL7::profile] returns empty value
772473-1 4-Minor   Request reconstruct issue after challenge
754109-3 4-Minor   ASM content-security-policy header modification violates Content Security Policy directive
750689-1 4-Minor   Request Log: Accept Request button available when not needed
747560-3 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
737476 4-Minor   End users using virtual keyboard might be blocked during clientside features
720581-2 4-Minor   Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
708576-2 4-Minor   Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour
699898-2 4-Minor   Wrong policy version time in policy created after synchronization between active and stand by machines.
688833-3 4-Minor   Inconsistent XFF field in ASM log depending violation category
652793-1 4-Minor   "Signature Update Available" message is not cleared by UCS load/sync
613728-2 4-Minor   Import/Activate Security policy with 'Replace policy associated with virtual server' option fails


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
756102-3 2-Critical   TMM can crash with core on ABORT signal due to non-responsible AVR code
753485-2 2-Critical   AVR global settings are being overridden by HA peers
771025-1 3-Major   AVR send domain names as an aggregate
752971 3-Major   ACL-related reports might not contain some of the activity that takes place
746837-3 3-Major   AVR JS injection can cause error on page if the JS was not injected
703225 3-Major   DoS Visibility does not support display of more than 500 attacks and/or virtual servers
703196-5 3-Major   Reports for AVR are missing data
700035-5 3-Major   /var/log/avr/monpd.disk.provision not rotate
758996-4 4-Minor   Data in the 'Last 4 hours' view have a 1-hour delay


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
761373-1 2-Critical   Debug information logged to stdout
760130-1 2-Critical   [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
748572-1 2-Critical   Occasionally ramcache might crash when data is sent without the corresponding event.
747192-2 2-Critical   Small memory leak while creating Access Policy items
745600-3 2-Critical   Removal of timer object from tmm timer-ring when a tcl context is released.
741535-1 2-Critical   Memory leak with Form-based Client-initiated SSO
723402-2 2-Critical   Apmd crashes running command: tmsh restart sys service all
702296-1 2-Critical   Importing the LocalDB csv file fails after editing with Microsoft Excel
686282-2 2-Critical   APMD intermittently crash when processing access policies
683598-1 2-Critical   Redeployment of SAML-SP app fails if HTTP-header-based SSO is configured
681352-1 2-Critical   Performance of a client certificate validation with OCSP agent is degraded
660913-4 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
647590-1 2-Critical   Apmd crashes with segmentation fault when trying to load access policy
644750-1 2-Critical   'epsec' tool fails in older version after use in newer version.
775621-4 3-Major   urldb memory grows past the expected ~3.5GB
773841 3-Major   Per-request access policy may handle logon pages incorrectly
768025-1 3-Major   SAML requests/responses fail with "failed to find certificate"
765621-1 3-Major   POST request being rejected when using OAuth Resource Server mode
761303-4 3-Major   Upgrade of standby BIG-IP system results in empty Local Database
760410-3 3-Major   Connection reset is seen when Category lookup agent is used in per-req policy
759638-1 3-Major   APM current active and established session counts out of sync after failover
759392-4 3-Major   HTTP_REQUEST iRule event triggered for internal APM request
759356-1 3-Major   Access session data cache might leak if there are multiple TMMs
758542-1 3-Major   OAuth database instance appears empty after upgrade from v13.x
757782-4 3-Major   OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
754542-4 3-Major   TMM may crash when using RADIUS Accounting agent
750823-3 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750631-1 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
750170-1 3-Major   SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request
749161-1 3-Major   Problem sync policy contains non-ASCII characters
748944 3-Major   Import is failing for APM SSO Config Saml object
747624-1 3-Major   RADIUS Authentication over RSA SecureID is not working in challenge mode
744532-2 3-Major   Websso fails to decrypt secured session variables
744316 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
743475 3-Major   Upgrades from releases earlier than 13.1.1 may fail when AD servers are invalid
741967 3-Major   APM custom report with active field failed on vcmp
738547-1 3-Major   SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
722991-2 3-Major   'dead.letter' file might appear in the /root directory
720030-4 3-Major   Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
718602 3-Major   Old config snapshots do not time out on standby
714902-1 3-Major   Restjavad may hang if discover task fails and the interval is 0
714043-1 3-Major   NPAPI inspection host plugin does not work with latest epsec image on macOS
712857-2 3-Major   SWG-Explicit rejects large POST bodies during policy evaluation
711056-2 3-Major   License check VPE expression fails when access profile name contains dots
710044-3 3-Major   Portal Access: same-origin AJAX request may fail in some case.
707953-2 3-Major   Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
706797-1 3-Major   Portal Access: some multibyte characters in JavaScript code may not be handled correctly
706374-4 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704524-4 3-Major   [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
703984-7 3-Major   Machine Cert agent improperly matches hostname with CN and SAN
698836-2 3-Major   Increased APM session capacity is not available after installing an APM session count License
688046-2 3-Major   Change condition and expression for Protocol Lookup agent expression builder
687213-3 3-Major   When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
684399-1 3-Major   Connectivity profiles GUI shows (Not Licensed) when LTM base is presented
682751-7 3-Major   Kerberos keytab file content may be visible.
681836 3-Major   Portal Access: JavaScript code may be corrupted in debug mode
680855 3-Major   Safari 11 sometimes start more than one session
679735-3 3-Major   Multidomain SSO infinite redirects from session ID parameters
676599-1 3-Major   SAML IdP connectors created by SAML IdP automation are not deleted automatically when the metadata is updated such that the corresponding entityDescriptors are removed.
676463-1 3-Major   Having two SAML IdP metadata automation objects that point to the same metadata and different SP results in 'join fail' of the IdP connector with SP object.
675143-1 3-Major   The SAML IdP metadata automation periodic update of metadata file that has Certificate may cause 'Apply Access Policy' to show up even if no changes to the IdP connector object are made.
673357-3 3-Major   SWG puts flow in intercept mode when session is not found
653210-1 3-Major   Rare resets during the login process
621158-3 3-Major   f5vpn does not close upon closing session
600985-3 3-Major   Network access tunnel data stalls
578989-6 3-Major   Maximum request body size is limited to 25 MB
534187-3 3-Major   Passphrase protected signing keys are not supported by SAML IDP/SP
376615 3-Major   Logon failure when Access Policy contains On-Demand Cert Agent for legacy logon method
307037-3 3-Major   Dynamic Resources Are Assigned But Not Accessible
770621-1 4-Minor   [Portal Access] HTTP 308 redirect does not get rewritten
744422 4-Minor   APM iRule events intermittently fail to execute
719246 4-Minor   Tomcat process restarts and GUI hangs when trying to view large number of static ACL Group entries
685888-1 4-Minor   OAuth client stores incorrectly escaped JSON values in session variables
610436-1 4-Minor K13222132 DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
717397 3-Major   TMM restarted once, in response to an assertion that catches cache collisions.
701977-1 3-Major   Non-URL encoded links to CSS files are not stripped from the response during concatenation
751383-2 4-Minor   Invalidation trigger parameter values are limited to 256 bytes
748031-3 4-Minor   Invalidation trigger parameter containing reserved XML characters does not create invalidation rule


Service Provider Issues

ID Number Severity Solution Article(s) Description
766405-3 2-Critical   MRF SIP ALG with SNAT: Fix for potential crash on next-active device
745397-3 2-Critical   Virtual server configured with FIX profile can leak memory.
763157-4 3-Major   MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
760370-4 3-Major   MRF SIP ALG with SNAT: Next active ingress queue filling
759370-1 3-Major   FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
759077-4 3-Major   MRF SIP filter queue sizes not configurable
755311-3 3-Major   No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
754658-1 3-Major   Improved matching of response messages uses end-to-end ID
754617-1 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
753637-1 3-Major   Diameter MBLB profile does not change the hop-by-hop ID by default
753501-3 3-Major   iRule commands (such as relate_server) do not work with MRP SIP
749528-3 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
749227-3 3-Major   MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
748253-3 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
746825-3 3-Major   MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls
746731-3 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
745628-3 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-3 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-2 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
744275-3 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
738070-2 3-Major   Persist value for the RADIUS Framed-IP-Address attribute is not correct
727288-3 3-Major   Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
701680-2 3-Major   MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
676709-3 3-Major K37604585 Diameter virtual server has different behavior of connection-prime when persistence is on/off
753790 4-Minor   Allow 'DIAMETER::persist reset' command in EGRESS events
749704-3 4-Minor   GTPv2 Serving-Network field with mixed MNC digits
747909-3 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
763121-1 2-Critical   Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
757359-3 2-Critical   pccd crashes when deleting a nested Address List
752363 2-Critical   Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
749402-1 2-Critical   AFM ACL Rule with Redirect to Virtual action can on rare occasions cause TMM restart
747922-2 2-Critical   With AFM enabled, during bootup, there is a small possibility of a tmm crash
702413-1 2-Critical   TCP handshake rejected if SYN cookies attack is detected
685820-3 2-Critical   Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
603124-1 2-Critical   [FW FQDN] RFE to address lower minimum allowed refresh interval (than current min of 10 mins)
771173-1 3-Major   FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.
761345-1 3-Major   Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
751116-3 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
749761 3-Major   AFM Policy with Send to Virtual and TMM crash in a specific scenario
724679-2 3-Major   Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack
721610 3-Major   GUI does not show selfIP active firewall policies in non-0 route domains
720242 3-Major   GUI for AFM rules shows protocol value IPENCAP for rules under rule-list
691367-1 3-Major   Attack-destination for a DoS vector was not predicting right thresholds in some cases
684369-2 3-Major K35423171 AFM ACL Rule Policy applied on Standby device
679722-1 3-Major   Configuration sync failure involving self IP references
677322-1 3-Major   PCP Inbound connections logging is not supported
677066-1 3-Major   Dynamic signatures are incorrectly removed from configuration after loading saved ucs
663946-4 3-Major   VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
651169-1 3-Major   The Dashboard does not show an alert when a power supply is unplugged
627447-2 3-Major   Sync fails after firewall policy deletion
613836-1 3-Major   Error message in ltm log when adding a DoS profile to virtual server in cluster setup
701555-1 4-Minor   DNS Security Logs report Drop action for unhandled rejected DNS queries
756477-3 5-Cosmetic   Drop Redirect tab incorrectly named as 'Redirect Drop'


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
760518-1 2-Critical   PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
750491-2 2-Critical   PEM Once-Every content insertion action may insert more than once during an interval
740228-1 2-Critical   TMM crash while sending a DHCP Lease Query to a DHCP server that is offline
726665-2 2-Critical   tmm core dump due to SEGFAULT
760438-1 3-Major   PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-1 3-Major   TMM core during display of PEM session under some specific conditions
756311-1 3-Major   High CPU during erroneous deletion
753163-2 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
753014-1 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy
747065-3 3-Major   PEM iRule burst of session ADDs leads to missing sessions
741213-3 3-Major   Modifying disabled PEM policy causes coredump
737374-1 3-Major   local-db PEM Subscriber Activity log missing
726011-2 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
719107-2 3-Major   Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.
670994-3 3-Major   There is no validation for IP address on the ip-address-list for static subscriber
667700-1 3-Major   Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
723658-1 2-Critical   TMM core when processing an unexpected remote session DB response.
669645-3 2-Critical   tmm crashes after LSN pool member change
691338-3 3-Major   Using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes
673826-1 3-Major   Some FTP log messages may not be logged to /var/log/ltm
721579-3 4-Minor   LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
686422-1 3-Major   URI reported in alert may not contain the actual traffic URI
660759-3 3-Major   Cookie hash persistence sends alerts to application server.
748427 4-Minor   FPS to splunk logging is confusing
698307-1 4-Minor   Datasafe: Fingerprinting code runs, but is not needed.


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
691196-1 2-Critical   one Cisco NEXUS switch and 2 BIG-IP WCCP web caches do not work together


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
752803-2 2-Critical   CLASSIFICATION_DETECTED running reject can lead to a tmm core
758421 3-Major   Category ID for new Traffic Intelligence Categories needs range check
754854 3-Major   Incompatible libcec may sync from standby to active with automatic hitless upgrade.
689614-1 3-Major   If DNS is not configured and management proxy is setup correctly, Webroot database fails to download
765985 4-Minor   Ultrasurf traffic not classified in PEM stats
674795-2 4-Minor   tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.


Device Management Issues

ID Number Severity Solution Article(s) Description
718796 2-Critical   iControl REST token issue after upgrade
718033-1 2-Critical   REST calls fail after installing BIG-IP software or changing admin passwords
717174 3-Major   WebUI shows error: Error getting auth token from login provider
710809-2 3-Major   Restjavad hangs and causes GUI page timeouts
676107-1 3-Major   With admin account disabled, user cannot use token-based authentication


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
705661-1 3-Major   Virtual server in a non-default partition cannot select protocol inspection profile in the /Common partition
715166 4-Minor   IPS only works over UDP or TCP virtual server


Guided Configuration Issues

ID Number Severity Solution Article(s) Description
723563 3-Major   Factory default reset procedure does not remove AGC deployments

 

Known Issue details for BIG-IP v13.1.x

776229-4 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero

Component: Local Traffic Manager

Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:

err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"

Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.

Impact:
The iRule rejects traffic when the pool member's port number is 0.

Workaround:
Configure any iRule using the 'pool' command to go to apool member using a non-0 port in the CLIENT_ACCEPTED event.


775801-4 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener

Component: Global Traffic Manager (DNS)

Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.

Conditions:
Creating GTM listener using the GUI.

Impact:
'Route Advertisement' is not enabled.

Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.


775797 : Previously deleted user account might get authenticated

Component: TMOS

Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.

Conditions:
-- User account configured as local user.
-- The user account is deleted later.

(Note: The exact steps to produce this issue are not yet known).

Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.

Workaround:
None.


775733-2 : /etc/qkview_obfuscate.conf not synced across blades

Component: TMOS

Symptoms:
By default, sensitive data, such as SSL keys, are excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated it for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)

In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.

Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.

Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because qkview acts differently if there is an obfuscate.conf on the active by automatically gathering the same information on the blades, but not obfuscating that sensitive data.

Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.

Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.


775621-4 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.


774481-3 : DNS Virtual Server creation problem with Dependency List

Component: Global Traffic Manager (DNS)

Symptoms:
Could not create virtual server through GUI with dependent virtual server.

Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.

Impact:
Not able to creat virtual server with dependent virtual server in one step with GUI.

Workaround:
1. Use tmsh;
Or
2. Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.


774445-3 : BIG-IP VE does not pass traffic on ESXi 6.7 Update 2

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor
-- VMXNET 3 NICs.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
You can use the following workarounds:

-- On BIG-IP v14.1.0, switch to the 'sock' driver.

-- On versions earlier than 14.1.0, switch to the 'unic' driver.

Note: This workaround must be applied individually to devices, and does not synchronize via ConfigSync.


To switch:

1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). for example:

    echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl

2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):

    bigstart restart tmm

3. After tmm restarts, confirm the driver in use by examining the output of:

    tmctl -d blade tmm/device_probed


774361-3 : IPsec High Availability sync during multiple failover via RFC6311 messages

Component: TMOS

Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.

Conditions:
When active and standby systems failover multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.

Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.

Workaround:
No workaround is known at this time.


774225-1 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting

Component: Global Traffic Manager (DNS)

Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).

Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.

Impact:
mcpd is in a restart loop.

Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).

# tmsh modify gtm global-settings general peer-leader <gtm-server-name>


After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:

# tmsh modify gtm global-settings general peer-leader GTM2


After reboot, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


774173-1 : WebUI - Cipher Group preview causes HA sync state to become Changes Pending

Component: Local Traffic Manager

Symptoms:
In the GUI, editing a cipher group without submitting causes the high availability (HA) configuration sync state to become 'Changes Pending'.

Conditions:
Edit cipher group in GUI without submitting.

Impact:
HA sync state becomes 'Changes Pending' even though you have not submitted the changes.

Workaround:
Edit and preview cipher group using tmsh:

tmsh modify ltm cipher group
tmsh show ltm cipher group


773841 : Per-request access policy may handle logon pages incorrectly

Component: Access Policy Manager

Symptoms:
If challenge-based authentication is used in per-request access policy, it may not show challenge page correctly.

Conditions:
- per-request access policy with subroutine which includes logon page agent.

- challenge-based authentication is configured, for example, with one-time passcode;

Impact:
User cannot authenticate.

Workaround:
None.


773577-3 : SNMPv3: When a security-name and a username are the same but have different passwords then traps are not properly crafted

Component: TMOS

Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, then traps are not properly crafted.

Conditions:
security-name is the same as an SNMPv3 username

Impact:
SNMP traps can't be decoded

Workaround:
Delete or rename user.


773553-4 : ASM JSON parser should allow numbers, strings, or one of three literal names (false, null, true) as per RFC8259

Component: Application Security Manager

Symptoms:
ASM policy blocks legitimate JSON payload

Conditions:
-- ASM provisioned
-- ASM policy assigned to a virtual server
-- JSON profile enabled (enabled default)
-- JSON payload is string/number or false/true/null

Impact:
HTTP request is blocked, blocking page presented to the end-user

Workaround:
Disable the json profile within asm policy.


773421-2 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.


773333-3 : IPsec CLI help missing encryption algorithm descriptions

Component: TMOS

Symptoms:
Encryption algorithms against IPsec help are not listed in the CLI.

Conditions:
LTM licensed on the BIG-IP.

Impact:
Unable to view the help


772497-3 : When BIG-IP is configured to use a proxy server, updatecheck fails

Component: TMOS

Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.

Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.

Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.

Workaround:
You can use either of the following workarounds:

I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:

1. Locate the following section in the script:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
     SSL_hostname => $service_name,

2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,


II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
 # sed -e "s/PeerAddr => $service_ip,//" -i /usr/bin/updatecheck


772473-1 : Request reconstruct issue after challenge

Component: Application Security Manager

Symptoms:
False positive on Content-Type header in GET request.

Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.

Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.

Workaround:
There is no workaround at this time.


772297-3 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.

Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.


772117-1 : Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card

Component: TMOS

Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.

An abandoned key appears similar to the following:

[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
        /Common/fffff.key

e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned

Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. HA sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).

Impact:
It leads to orphan keys on the FIPS card, meaning that the keys are not present in the BIG-IP configuration as a configured key, so the key cannot be used by the BIG-IP system.

Workaround:
Manually delete the abandoned key from the FIPS card using the following command.

tmsh delete sys crypto fips key <key-id>

For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"


771173-1 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.

Component: Advanced Firewall Manager

Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.

Conditions:
This happens when upgrading from 12.x to 13.x and beyond.

Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.

Workaround:
You can fix the configuration by modifying it manually after upgrading.

In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>


771025-1 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.


770953-4 : 'smbclient' executable does not work

Component: Local Traffic Manager

Symptoms:
Service Message Block (SMB) monitor is not functional.

Conditions:
This occurs under all conditions.

Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.

Workaround:
None.


770621-1 : [Portal Access] HTTP 308 redirect does not get rewritten

Component: Access Policy Manager

Symptoms:
Requests with URLs that are not rewritten in web application.

Conditions:
HTTP response from the backend with 308 redirect.

Impact:
HTTP Status Code 308 (Permanent Redirect) is not supported. Unexpected web application operation.

Workaround:
Use a custom iRule to rewrite the request.


770477-3 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.


769981-3 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803


769817 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.


769809-2 : vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
None.


769309-3 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.


769193-1 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.


769169-1 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring

Component: TMOS

Symptoms:
BIG-IQ sends a lot of request to the BIG-IP system to collect the stats it makes the BIG-IP slow and eventually GUI goes unresponsive.

Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.

Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system becomes unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.

Lot of process terminated/re-created messages in restjavad logs.

Workaround:
Remove the BIG-IP device from the BIG-IQ and restart the mcpd.


769145-3 : Syncookie threshold warning is logged when the threshold is disabled

Component: TMOS

Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:

warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0

Conditions:
Setting connection.syncookies.threshold to zero.

Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.

Workaround:
None.


769029-2 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh

Component: TMOS

Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.

During the interval, if a non-admin accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequently non-admin user logons.

Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.

Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:

01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.

After some time this /var/system/tmp/tmsh permission is updated automatically.

Workaround:
So that the script does not remove tmsh directory, but deletes 1-day old tmp files under /var/system/tmp/tmsh, update the last line of /etc/cron.daily/tmpwatch as follows:

tmpwatch --nodirs 1d /var/system/tmp


768025-1 : SAML requests/responses fail with "failed to find certificate"

Component: Access Policy Manager

Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generated signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.

Conditions:
When certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported, then subsequent SAML/SAML SLO requests/responses fail with the error "failed to find certificate".

Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP.
When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.

When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.

Workaround:
When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, and then change it back to the original certificate, and then apply policy.

Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, then change it back to the original certificate, and then apply policy.


767877-1 : TMM core with Bandwidth Control on flows egressing on a VLAN group

Component: TMOS

Symptoms:
TMM cores during operation.

Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group

Impact:
Traffic disrupted while tmm restarts.


767737-3 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.


767305-3 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried

Component: TMOS

Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:

No Such Instance currently exists at this OID

The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.

Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.

Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.

Workaround:
Restart all services together, i.e., running the command: bigstart restart.

Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.

If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:

bigstart restart


767217-3 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.


767013-4 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150 and B2250 blades. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.


766405-3 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.


766321 : boot slots created on pre-14.x systems lack ACLs

Component: TMOS

Symptoms:
Creation of HD1.x slots from 14.1.0.2 creates filesystems with slightly different properties than on slots created from 12.1.x for example. This is allowing ACL/XATTR support by default for the former units, which can triggers errors in some 14.1.x installations.

Conditions:
- Running 14.x, which had its slot created from a system running 12.x or 14.x
- Triggering journal creation (login? tmsh commands? unclear)

Impact:
An error may be generated after creating the journal:
warning kernel: [143381.837840]: systemd-journald[658]: Failed to read ACL on /var/log/journal/sample/user-sample.journal, ignoring: Operation not supported

This instance of the error message might not be critical.

If anything else depends on the ACLs to be present right at the start of the installation, some components might behave differently.


765985 : Ultrasurf traffic not classified in PEM stats

Component: Traffic Classification Engine

Symptoms:
The PEM DPI classifier does not classify traffic received from the Ultrasurf client application.

Conditions:
A user is using the Ultrasurf client application to tunnel/VPN traffic to remote dynamically changing Ultrasurf proxies.

Impact:
Ultrasurf traffic does not get classified in gpa classification stats. No visibility of Ultrasurf traffic.

Workaround:
Dynamically changing ultrasurf IP proxies can be dynamically identified by packet capturing ultrasurf traffic other methods, identifying which ultrasurf proxy IPs the Ultrasurf client try to connect to, then block the dynamically changing discovered Ultrasurf proxy IPs


765969-3 : Not able to get HSB register dump from hsb_snapshot on B4450 blade

Component: TMOS

Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table

Conditions:
When vCMP is provisioned on VIPRION B4450 blades.

Impact:
HSB register dump is not available in hsb_snapshot orQkview for diagnostic purpose.

Workaround:
None.


765621-1 : POST request being rejected when using OAuth Resource Server mode

Component: Access Policy Manager

Symptoms:
POST request is rejected.

Conditions:
-- Using OAuth Resource Server access type.
-- Client sends a large POST body.

Impact:
The request is rejected.

Workaround:
Increase the tmm.access.maxrequestbodysize sys db variable to be larger than the POST body size.


764873-4 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only


764373-1 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.


763197-2 : Flows not mirrored on wildcard Virtual Server with opaque VLAN group

Component: Local Traffic Manager

Symptoms:
In an high availability (HA) configuration using an opaque VLAN group and a default (wildcard, 0.0.0.0/0) virtual server configured for connection mirroring, the standby device does not create the mirrored connection.

Conditions:
-- VLAN group configured and set to opaque.
-- db vlangroup.forwarding.override is set to 'disable'.
-- Default virtual server configured for all ports (destination 0.0.0.0/0 :0) with connection mirroring.

Impact:
In the event of a failover, connections that are expected to be mirrored will fail, which can cause traffic loss and client disruption.

Workaround:
None.


763157-4 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped

Component: Service Provider

Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause internal state generated to be confused and the inbound request to be dropped.

Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.

Impact:
The inbound request will be dropped.

Workaround:
None.


763121-1 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:

Assertion "packet must already have an ethernet header" failed.

Conditions:
This issue occurs when all of the following conditions are met:

- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.


763093-1 : LRO packets are not taken into account for ifc_stats (VLAN stats)

Component: Local Traffic Manager

Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per VLAN stats.

Conditions:
LRO is enabled and used for incoming packets.

Impact:
ifc_stats are incorrect for incoming octets and packets.

Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable


762205-1 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
  [I] [PROTO_ERR]: unexpected critical payload (type 43)
  Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.


762073-1 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.


761993-4 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.


761941-3 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server

Component: Application Security Manager

Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.

Impact:
Backend app gets CSRT parameter, which might impact its business logic.

Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.


761621-4 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"

Component: TMOS

Symptoms:
When Ephemeral FQDL pool members exist in non-Common partition, they are shown to be in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown appropriately with their non-Common partition.

Conditions:
-- Ephemeral FQDL pool members exist in a non-Common partition.
-- View the FQDL pool members on Local Traffic : Pools : Members page.

Impact:
No impact to configuration, however, the display is confusing and shows contradictory partition information.

Workaround:
None.


761565-3 : ASM BD core when custom captcha page configured size more than 45K with %ASM.captcha.support_id% placeholder is at the end

Component: Application Security Manager

Symptoms:
ASM BD crash when custom captcha page configured size is 45K

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- CAPTCHA page size is bigger than 45 KB.
- CAPTCHA protection is enabled via brute force or ASM::captcha iRule.

Impact:
There is an ASM BD crash that occurs upon a request protection by CAPTCHA mitigation. If configured for high availability (HA), failover occurs.

Workaround:
Define CAPTCHA page sizes smaller than 45 KB.


761373-1 : Debug information logged to stdout

Component: Access Policy Manager

Symptoms:
There is debug information logged to stdout

-- err mcpd[6943]: 01071392:3: Background command '/usr/libexec/mdmsyncmgr -o restore' failed.
-- err mcpd[6943]: 01071703:3: Postprocess action (/usr/libexec/mdmsyncmgr -o restore) failed with exit code (9).

Conditions:
Whenever logging config is changed.

Impact:
Log messages are seen when logged in via a terminal.

Workaround:
None.


761345-1 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.


761321-4 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not

Component: TMOS

Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.

Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit" and "Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).

Impact:
'Connection Rate Limit' is hidden -- which it should be, but 'Connection Rate Limit Mode' is not -- which it should be as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.

Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.


761303-4 : Upgrade of standby BIG-IP system results in empty Local Database

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:

1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr


761084 : Custom monitor fields appear editable for Auditor, Operator, or Guest

Component: TMOS

Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.

Conditions:
You can experience this issue by following these steps:

1. Create custom monitor (e.g., http, mysql, tcp).
2. Use FireFox browser to logon to the BIG-IP system Configuration utility with a user role that is Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.

Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest. user can edit the fields, the Update button is still grayed out, so any entry is not saved.

Workaround:
None.


760950-2 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Note: A previous bug had this same symptom, but was due to a different root cause.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.


760949 : Empty hostname in remote log after modification

Component: Application Security Manager

Symptoms:
The hostname is empty in ASM remote log after certain modifications to hostname.

Conditions:
Device hostname is modified such that the new value precedes the old value alphabetically.

Impact:
The hostname is empty in ASM remote log.

Workaround:
Restart ASM after modifying hostname.


760771-3 : FastL4-steered traffic might cause SSL resume handshake delay

Component: Local Traffic Manager

Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.

Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.

Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.

Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.

Workaround:
To workaround this issue:
-- Disable FastL4.
-- Enable OneConnect.


760683-2 : RST from non-floating self-ip may use floating self-ip source mac-address

Component: Local Traffic Manager

Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.

Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.

Impact:
An L2 switch may update the fwd table incorrectly.

Workaround:
None.


760679 : Memory corruption when using C3D on certain platforms

Component: Local Traffic Manager

Symptoms:
When using Client Certificate Constrained Delegation (C3D), memory corruption can occur, which can eventually lead to a tmm crash.

Conditions:
C3D is enabled on a virtual server.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.


760622-1 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt


760615-4 : Virtual Server discovery may not work after a GTM device is removed from the sync group

Component: Global Traffic Manager (DNS)

Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.

Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.

-- Those devices remain present in the GTM configuration as 'gtm server' objects.

-- iQuery is connected to those members.

Impact:
Virtual servers are not discovered or added automatically.

Workaround:
You can use either of the following workarounds:

-- Manually add the desired GTM server virtual servers.

-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.


760550-3 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.


760518-1 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement

Component: Policy Enforcement Manager

Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.

Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set

Impact:
Some PEM actions such as http-redirect do not perform as expected.

Workaround:
Set the DSCP to the default value


760438-1 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions

Component: Policy Enforcement Manager

Symptoms:
tmm coredump

Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.

Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.

Workaround:
None.


760410-3 : Connection reset is seen when Category lookup agent is used in per-req policy

Component: Access Policy Manager

Symptoms:
The BIG-IP system sends reset to client when Category Lookup agent is used in per-req policy.

Conditions:
-- APM or SSLO is licensed and provisioned.
-- URLDB and SWG are not provisioned.
-- Category Lookup agent is used in the policy to process custom categories.

Impact:
Connection reset is seen on client from APM/SSLO box.

Workaround:
Modify Category Lookup agent 'lookup-type' property to 'custom-only' via TMSH, for example, by using a command similar to the following:

modify apm policy agent category-lookup example_prp_act_category_lookup_ag lookup-type custom-only


760408-1 : System Integrity Status: Invalid after BIOS update

Solution Article: K23438711

Component: TMOS

Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.

This issue causes the System Integrity Status to return a value of 'Invalid'.

Conditions:
-- BIG-IP systems that have been manufactured using a earlier BIOS version.
-- Updating to a newer BIOS version.

Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.

Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.


760370-4 : MRF SIP ALG with SNAT: Next active ingress queue filling

Component: Service Provider

Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.

Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.

Impact:
Mirroring state is lost for the connection.

Workaround:
None.


760363 : Update Alias Address field with default placeholder text

Component: TMOS

Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.

Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors:: [MonitorName].
-- Enter the default placeholder text.

Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.

Workaround:
Pass empty value or ::


760259-2 : Qkview silently fails to capture qkviews from other blades

Component: TMOS

Symptoms:
When capturing a qkview on a chassis, there are no warnings provided if the qkview utility is run to gather a qkview from other blades.

Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.

-- Execute qkview on another blade, verify that no warnings or errors are produced.

Impact:
There is no warning that the qkview failed for a given blade.

Workaround:
There is no workaround other than running the qkview on the actual blade.


760130-1 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK

Component: Access Policy Manager

Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200

Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.

Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.

Workaround:
None.


760050-4 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.


759968 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
--Distinct vCMP guests are able to cluster with each other.

--Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200

Look at the "rebroad_mac" field.

Conditions:
--It is not yet clear under what circumstances the issue occurs.

--One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate "rebroad_mac" on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
--Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

Note: This command should be issued on the guest acting as primary since config changes are only allowed on cluster primary.


759852-2 : SNMP configuration for trap destinations can cause a warning in the log

Component: TMOS

Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.

Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }

Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.

Workaround:
None.


759735-1 : OSPF ASE route calculation for new external-LSA delayed

Component: TMOS

Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.

Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.

Impact:
Delay of route update from external LSA.

Workaround:
Manually clear ip ospf process.


759638-1 : APM current active and established session counts out of sync after failover

Component: Access Policy Manager

Symptoms:
The 'tmsh show apm license' command shows that the current established session count is much larger than the current active session count. In the extreme case, current established session count can reach the maximum allowed, and the system reports the ERR_TOOBIG error in the apm log.

err tmm3[12351]: 01490581:3: (null):Common:00000000: Access stats encountered error: SessionDB operation failed (key: tmm.license.global_estab_stats.f26de3c7, ret: ERR_TOOBIG).

Conditions:
This counter out-of-sync period happens right after failover and lasts for five minutes.

Impact:
There is no impact to user sessions. Only the connection counts are impacted.

Workaround:
None.


759392-4 : HTTP_REQUEST iRule event triggered for internal APM request

Component: Access Policy Manager

Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.

Conditions:
Customized logo in Access Profile

Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.

Workaround:
Inside the HTTP_REQUEST event, if it is necessary to not take a certain action on a customized logo, it is possible to check that the URL does not equal the URL for the logo (it should start with '/public/images/customization/' and contain the image name).


759370-1 : FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.

Component: Service Provider

Symptoms:
FIX message has successfully parsed header part (iRule event FIX_HEADER triggered), but is eventually discarded as incomplete (no iRule event FIX_MESSAGE).

Conditions:
FIX message fragmented between body part and the trailer (tag 10).

Impact:
FIX protocol messages are not forwarded.

Workaround:
Assure FIX protocol packet size does not exceed MTU value.


759356-1 : Access session data cache might leak if there are multiple TMMs

Component: Access Policy Manager

Symptoms:
Due to asynchronicity in the TMM subsystem, it is possible that the session data cache might be created after the session is terminated. As a result, that session data cache never gets released.

Conditions:
-- Transparent SWG.
-- The BIG-IP system has more than one TMM.

Impact:
TMM memory might be exhausted eventually.

Workaround:
None.


759192-1 : TMM core during display of PEM session under some specific conditions

Component: Policy Enforcement Manager

Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.

Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.


759077-4 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.


759056-1 : stpd memory leak on secondary blades in a multi-blade system

Component: Local Traffic Manager

Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.

Conditions:
A non passthru STP mode (STP, RSTP or MSTP) is enabled on the system.

Impact:
System performance is degraded due to needless memory usage by stpd.

Workaround:
None.


758996-4 : Data in the 'Last 4 hours' view have a 1-hour delay

Component: Application Visibility and Reporting

Symptoms:
AVR aggregates data hourly, so data reported in the 'Last 4 hours' view are shown with a 1-hour delay.

Conditions:
Viewing data in the 'Last 4 hours' view.

Impact:
Some data in the 'Last 4 hours' view is reported after a 1-hour delay.

Workaround:
None.


758992-1 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.


758781-1 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.


758631-2 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.


758542-1 : OAuth database instance appears empty after upgrade from v13.x

Component: Access Policy Manager

Symptoms:
The database from a prior configuration does not seem to have any tokens. The tokens are being stored in a new database with a different name.

Conditions:
Upgrade from v13.x.
-- The name of one OAuth database instance is duplicated entirely in another instance name (for example, 'oauthdb' and 'oauthdbprod').

Impact:
Old database seems to have lost tokens. In the case of these two database instances:

oauthdb
oauthdbprod

Because the name 'oauthdb' is also present in the name 'oathdbprod', the system creates a new database instance of 'oauthdb' at upgrade, so oauthdb will have an empty database.

Workaround:
Before upgrading, do the following:

1) Copy database oauth to another database with a completely different name.
2) Copy tokens in new database to the old, empty database.


758437-4 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.


758436-2 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.


758435 : Ordinal value in LTM policy rules sometimes do not work as expected

Component: Local Traffic Manager

Symptoms:
Which actions trigger in a first-match policy should depend on the ordinal of their rule. Sometimes, this does not work correctly.

Conditions:
The conditions under which this occurs are not known.

Impact:
LTM policy rules do not execute in the expected order.

Workaround:
It may be possible to re-arrange the rules to avoid the incorrect action execution.


758421 : Category ID for new Traffic Intelligence Categories needs range check

Component: Traffic Classification Engine

Symptoms:
In Traffic Intelligence Categories, while creating new URL Category allows category ID to be outside range 28672-32768. There is no indication in the GUI that it needs to be within that range.

Conditions:
-- AFM license with Traffic Classification feature flag enabled.
-- Create New URL Category with Category ID outside valid range.

Impact:
GUI allows creation of New URL Category with Category ID outside valid range.

Workaround:
None.


758387-4 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it

Component: TMOS

Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.

Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.

Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.

Workaround:
None.


758348 : Cannot access GUI via hostname when it contains _ (underscore character)

Component: TMOS

Symptoms:
BIG-IP allows configuring hostname with embedded '_' (underscore). However the BIG-IP GUI is not accessible when hostname includes '_', and results in a 400 Bad Request.

Conditions:
BIG-IP hostname includes '_'

Impact:
BIG-IP GUI cannot be accessed.

Workaround:
No known work around if having '_' in hostname is a requirement.


757782-4 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default

Component: Access Policy Manager

Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.

Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.

Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.

Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.


757777-2 : bigtcp does not issue a RST in all circumstances

Component: Local Traffic Manager

Symptoms:
bigtcp does not issue a TCP reset, e.g. when using the iRule reject command on CLIENT_ACCEPTED

Conditions:
bigtcp in use, tcp connection, connection ungracefully shut down via a 'reject' command in an iRule

Impact:
TCP RST is not sent, and the SYN is silently dropped.

Workaround:
none


757722-1 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.


757505-2 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket

Component: Local Traffic Manager

Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.

Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to `always'.
-- A session is restored using a ticket.

Impact:
The SSL client is validated only once, instead of each time.

Workaround:
Disable session ticket.


757442-1 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system

Component: Local Traffic Manager

Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit and eventually causes TMM to crash.

Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.

Impact:
TMM crashes on the standby device. No connections shown on the standby unit even when mirroring isenabled.

Workaround:
Do not use HA mirroring.


757441-2 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.


757391-3 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.


757359-3 : pccd crashes when deleting a nested Address List

Component: Advanced Firewall Manager

Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.

Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.

-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.

Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.

Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder commands to the parent list is modified or deleted before deleting the nested list.

-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.


757357 : Tmm crashes when using virtio direct descriptors and packets 2 KB or larger

Component: TMOS

Symptoms:
Some virtio backend implementations send large packets (2 KB or larger) even when LRO is disabled. If the backend uses direct descriptors, this combination might lead to a tmm core. The standard KVM implementation of virtio does not have this behavior.

Conditions:
-- BIG-IP Virtual Edition (VE) using virtio interfaces with direct descriptors.
-- A 2 KB or larger packet is delivered to the virtio interface.

Impact:
Tmm may restart. Traffic disrupted while tmm restarts.

Workaround:
To work around this issue, use this procedure:

1. Add the following line to /config/tmm_init.tcl:

device driver vendor_dev 1af4:1000 unic

2. Restart tmm using the following command:

bigstart restart tmm


757029-4 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.


756830-4 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Component: TMOS

Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has following settings:

- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.

Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.

Workaround:
You can try either of the following:

-- Do not use the Source Port setting of 'Preserve Strict'.

-- Disable connection mirroring on the virtual server.


756820-1 : Non-UTF8 characters returned from /bin/createmanifest

Component: TMOS

Symptoms:
/bin/createmanifest reads from mcpd values stored for items that are obtained from firmware. These might contain non-UTF8 characters. This program is called in qkview, which then gets updated to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).

Conditions:
Data stored in mcpd obtained from firmware contain non-UTF8 characters.

Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.

Workaround:
The values can be obtained from the qkview by reading the qkview_run.data, but the convenience of reading these in iHealth is not possible.


756812-1 : Nitrox 3 instruction/request logger may fail due to SELinux permission error

Component: Local Traffic Manager

Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.

The system posts messages in /var/log/ltm similar to the following:

-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.

Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.

Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.

Workaround:
None.


756647-3 : Global SNAT connections do not reset upon timeout.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not send reset packets when a connection times out.

Conditions:
BIG-IP configured with global SNAT.

Impact:
Client or server might unnecessarily keep the connection open.

Workaround:
You can use either of the following workarounds:

-- Use forwarding virtual server with snatpool instead of global SNAT.

-- Modify tmm_base.tcl as follows:
profile bigproto _bigproto {
    reset_on_timeout enable
}


756538-1 : Failure to open data channel for active FTP connections mirrored across an HA pair.

Component: Local Traffic Manager

Symptoms:
Occasionally, attempting to actively open a data channel from an FTP session that is mirrored across a BIG-IP high availability pair will fail. This is due to aggressive port reuse on the active BIG-IP system, causing ports that are still in a TIME_WAIT state to be used for the data connection.

Conditions:
-- Have a BIG-IP HA pair configured.
-- Create an FTP virtual server with mirroring enabled.
-- Have the pool member(s) of the virtual server be either 3CDaemon or IIS servers (this issue has been confirmed only for 3CDaemon and IIS, but it could affect other servers as well).
-- Client attempts to download data through the virtual server via active FTP.

Impact:
Data connections fail to open; data transfer is unsuccessful.

Workaround:
Use passive FTP, or do not use mirroring for FTP virtual servers.


756477-3 : Drop Redirect tab incorrectly named as 'Redirect Drop'

Component: Advanced Firewall Manager

Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.

Conditions:
Navigating to Security :: Debug :: Drop Redirect.

Impact:
The page name is Drop Redirect instead of Redirect Drop.

Workaround:
None.


756450-2 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: Local Traffic Manager

Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.


756443 : GUI cannot edit ILX workspace/extension objects with certain non-alphanumeric characters.

Component: Local Traffic Manager

Symptoms:
iRules LX (ILX) Object names including non alpha-numeric characters are not handled by the GUI.

Conditions:
ILX workspaces or extensions with names that include non alpha-numeric characters.

$ (USD symbol) are prohibited in BIG-IP object names. However, they are allowed in the iRules LX workspace and extension names. This applies to both tmsh and iControl REST.

Impact:
These ILX workspaces or extensions are inaccessible in the GUI. Cannot use the GUI to edit them.

Workaround:
Rename your workspaces and extensions.


756402-1 : Re-transmitted IPsec packets can have garbled contents

Component: TMOS

Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.

Conditions:
Possibly rare condition that might cause packet freeing while still in use.

Impact:
Likely tunnel outage until re-established.

Workaround:
No workaround is known at this time.


756311-1 : High CPU during erroneous deletion

Component: Policy Enforcement Manager

Symptoms:
The utilization of some CPUs in the system starts going up and remains so for a long time. Might see messages similar tot he following in tmm logs:

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557

Conditions:
The exact conditions under which this occurs are unknown. One potential trigger is CDP flap.

Impact:
TMM may need to be restarted if the CPU usage does not subside. Traffic disrupted while tmm restarts.

Workaround:
Try deleting all subscribers from the CLI.


756177-1 : GTM marks pool members down across datacenters

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are marked down even though the monitored resource is available.

GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:

debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).

Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.

Impact:
Pool members are marked down.

Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.


756102-3 : TMM can crash with core on ABORT signal due to non-responsible AVR code

Component: Application Visibility and Reporting

Symptoms:
ABORT signal is sent to TMM by SOD, TMM aborts with a core.

Conditions:
No special conditions.

Impact:
Traffic disrupted while tmm restarts.


756071-1 : MCPD crash

Component: TMOS

Symptoms:
mcpd crashes on out of memory.

Conditions:
A memory leak occurs when the following tmsh command is run:

tmsh reset-stats ltm virtual

Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.

Workaround:
Try to use the reset-stats tmsh command sparingly.


755997-1 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address

Component: Local Traffic Manager

Symptoms:
When IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener, and is send out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.

Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPSEC listener.
-- The traffic is sent out via a gateway pool or a dynamic route.

Impact:
The incorrect source address is used.

Workaround:
None.


755791-4 : UDP monitor not behaving properly on different ICMP reject codes.

Component: Local Traffic Manager

Symptoms:
Unexpected or improper pool/node member status.

Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.

Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.

Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.


755727-3 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755631-3 : UDP / DNS monitor marking node down

Component: Local Traffic Manager

Symptoms:
The UDP / DNS monitor marks nodes down.

Conditions:
-- UDP or DNS monitor configured.
-- Interval is multiple of timeout.
-- The response is delayed by over one interval.

Impact:
Pool member is marked down.

Workaround:
Increase the interval to be greater than the response time of the server.


755585-3 : mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction

Component: Local Traffic Manager

Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.

Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
  * Creates a policy with 'Drafts/' as part of the policy name.
  * Publishes that policy.
  * Attaches that policy to a virtual server, either in the same transaction or a later transaction.

Impact:
mcpd restarts on all secondary blades of a cluster.

Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.


755311-3 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down

Component: Service Provider

Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.

Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.

Impact:
The remote server is not notified of the change in DIAMETER peer status.

Workaround:
None.


755282-3 : [GTM] bigip_add password prompt for IPv4-mapped IPv6 address

Component: Global Traffic Manager (DNS)

Symptoms:
After running the big_ip add script without a specifying a server address, the host address posted in the ssh password prompt is an IPv4-mapped IPv6 address for IPv4 servers.

For example:
Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A

Conditions:
Run bigip_add without a server address, when the host address is an IPv4-mapped IPv6 address.

Impact:
There is no way to tell what the actual server name is without converting the IPv4-mapped IPv6 addresses back to an IPv4 to find which password to enter, for example: 0A3C:010A to 10.60.1.10

Workaround:
To workaround this, edit the bigip_add script.

IMPORTANT: Make sure to back up the bigip_add script before making modifications.

1. Make /usr folder writable
# mount -o rw,remount /usr
2. Backup bigip_add:
# cp /usr/local/bin/bigip_add /shared/tmp/bigip_add.backup
3. Edit bigip_add by adding different 'print' output for IPv4 servers.

Replace this:
< print "Enter $ruser password for $ip if prompted\n";

With something similar to this:
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }

NOTE: Do not modify the actual value for $ip.

Below is an example diff:
# diff /shared/tmp/bigip_add.backup /usr/local/bin/bigip_add
18a19
>
43a45,51
> sub ipv6_to_ipv4
> {
> my $in_addr = $_[0];
> my @ipv6 = split /:/, $in_addr;
>
> my $ipv6_part1 = hex ($ipv6[6]);
> my $ipv6_part2 = hex($ipv6[7]);
44a53,60
> my $ipv4_1=scalar($ipv6_part1>>8);
> my $ipv4_2=scalar($ipv6_part1&0xff);
> my $ipv4_3=scalar($ipv6_part2>>8);
> my $ipv4_4=scalar($ipv6_part2&0xff);
>
> my $ipv4 = "${ipv4_1}.${ipv4_2}.${ipv4_3}.${ipv4_4}";
> return $ipv4;
> }
75d90
<
152c167,173
< print "Enter $ruser password for $ip if prompted\n";
---
>
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
179d199
<


755197-1 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.


754901-3 : Frequent zone update notifications may cause TMM to restart

Component: Global Traffic Manager (DNS)

Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crash/restarts. There may also be 'clock advanced' messages in /var/log/ltm.

Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.

Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.

Workaround:
None.


754854 : Incompatible libcec may sync from standby to active with automatic hitless upgrade.

Component: Traffic Classification Engine

Symptoms:
TMM may enter a restart loop after an upgrade if automatic hitless upgrade enabled for classification.

Example:
A standby system is upgraded to v13.1.x while the active is running v12.1.x. Due to automatic hitless upgrade, a standby device might download the latest classification IM signature file on the standby and then sync it with active, which is still running older BIG-IP system software. This results in a library incompatibility on active device.

Conditions:
This may happen if the following conditions are true:
-- The configuration has Traffic Intelligence automatic classification signature update turned on
-- A standby unit in the device group is temporarily booted to a different software version than other units in the group.
-- The BIG-IP system is running an AFM or PEM, or PEM Custom DB license.

Impact:
Active system may enter a tmm restart loop.

Workaround:
Turn off automatic hitless upgrade for the LTM classification signature-update-schedule during maintenance upgrades that cause a device to run a different software version than other device-group members.


754658-1 : Improved matching of response messages uses end-to-end ID

Component: Service Provider

Symptoms:
Some responses incorrectly match requests when their hop-by-hop IDs match. This causes the response to be dropped.

Conditions:
Matching hop-by-hop ID.

Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.

Workaround:
None.


754617-1 : iRule 'DIAMETER::avp read' command does not work with 'source' option

Component: Service Provider

Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.

The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".

Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.

Impact:
'DIAMETER::avp read' does not work with the 'source' option.

Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.


754604-3 : iRule : [string first] returns incorrect results when string2 contains null

Component: Local Traffic Manager

Symptoms:
In an iRule such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. Performing the same search in tclsh, the expected -1 (not found) result is returned.

Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.

Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.

Workaround:
None.


754542-4 : TMM may crash when using RADIUS Accounting agent

Component: Access Policy Manager

Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.

Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


754349 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4

Component: Local Traffic Manager

Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.

Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.

Impact:
Dropped connections; data loss.

Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.


754218-1 : Stateless virtual servers does not work for non-standard load-balancing methods

Component: Local Traffic Manager

Symptoms:
Load-balancing does not work properly for stateless virtual servers with ratio-member load balancing, least-connection methods.

Conditions:
Stateless virtual server with ratio-member load balancing or least-connection load balancing method.

Impact:
Traffic is processed only with a single pool member. Ratio-load balancing does not work properly.

Workaround:
Use the default round-robin load balancing method.


754109-3 : ASM content-security-policy header modification violates Content Security Policy directive

Component: Application Security Manager

Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has CSRF or AJAX Blocking page enabled.

Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.

Workaround:
Disable csp in ASM by running the following commands:
-- /usr/share/ts/bin/add_del_internal add csp_enabled 0
-- bigstart restart asm


753860-1 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The old VADDR route should remove and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.


753805-1 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.

Component: Local Traffic Manager

Symptoms:
After failover, a longer time than expected for the virtual server to become available.

Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.

Impact:
Virtual server takes longer than expected to become available.

Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.


753790 : Allow 'DIAMETER::persist reset' command in EGRESS events

Component: Service Provider

Symptoms:
The 'DIAMETER::persist reset' command is not allowed in EGRESS events; it is blocked by validation.

Conditions:
In an iRule, attempt to use 'DIAMETER::persist reset' in an EGRESS event for DIAMETER.

Impact:
Unable to reset persistence records on an EGRESS event in DIAMETER through iRules.

Workaround:
None.


753650 : The BIG-IP system reports frequent kernel page allocation failures.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4450 (A114)

Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to either 64 MB (65536 KB) or 128 MB (131072 KB). You must do this on all blades installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to only survive reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


753637-1 : Diameter MBLB profile does not change the hop-by-hop ID by default

Component: Service Provider

Symptoms:
The Diameter MBLB profile does not change the hop-by-hop ID.

Conditions:
Diameter MBLB virtual server.

Impact:
The hop-by-hop ID is not changed.

Workaround:
None.


753594-3 : In-TMM monitors may have duplicate instances or stop monitoring

Component: Local Traffic Manager

Symptoms:
Most monitored resources (such as pools) report messages similar to the following:

Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
 
A fraction of the monitored resources report the correct status based on the state of the resource.
 
Enabling bigdlog may show instances of messaging containing 'tmm_mid=x:0' (where x can be values like 0, 1, 2 etc.), for example, it is tmm_mid=1:0 in the following example:

[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
 

The following error might appear in /var/log/ltm:

-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)

Conditions:
Configure In-TMM monitoring with a sufficiently large number of monitored objects or perform rapid modification of In-TMM monitors.

Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.

Workaround:
Switch to traditional bigd monitoring instead of In-TMM:

tmsh modify sys db bigd.tmm value disable


753536 : REST no longer requires a token to login for TACACS use

Component: TMOS

Symptoms:
Configurations that previously used TACACS for authentication in order to make REST requests are no longer required to use a token for remote authentication. You can simply use username and password.

Conditions:
Use of remote authentication using TACACS.

Impact:
If you have scripts that automatically request tokens, you no longer need them.

Workaround:
None.


753526-3 : IP::addr iRule command does not allow single digit mask

Component: Local Traffic Manager

Symptoms:
When plain literal IP address and mask are used in IP::addr command, the validation fails if the mask is single digit.

Conditions:
The address mask is single digit.

Impact:
Validation fails.

Workaround:
Assign address/mask to a variable and use the variable in the command.


753514-1 : Large configurations containing LTM Policies load slowly

Component: Local Traffic Manager

Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.

Conditions:
Big IP 13.1.x, 14.x. Large configuration (1 MB or larger) and at least one, but more likely tens or hundreds of LTM policies defined in the configuration.

Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.

Workaround:
None.


753501-3 : iRule commands (such as relate_server) do not work with MRP SIP

Component: Service Provider

Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.

Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.

Impact:
iRule commands such as relate_server cannot be used with MRF SIP.

Workaround:
None.


753485-2 : AVR global settings are being overridden by HA peers

Component: Application Visibility and Reporting

Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).

Conditions:
Configuring HA for systems connected to BIG-IQ.

Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:

-- They incorrectly identify themselves to BIG-IQ.
-- They report to the wrong DCD.
-- They report to DCD even if they are not configured to report at all.
-- The do not report at all even if they are configured to report.

Workaround:
None.


753423-4 : Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation

Component: TMOS

Symptoms:
working-mbr-count not showing correct number of interfaces.

Conditions:
Slot got disabled and re-enabled immediately.

Impact:
Interfaces may be removed from an aggregation permanently.

Workaround:
Disable and re-enable the slot with time gap of one second.


753163-2 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Component: Policy Enforcement Manager

Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash

Conditions:
-- Using PEM.
-- HA failover occurs after 26 days.

Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.

Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart

Note: Traffic disrupted while tmm restarts.


753159-3 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections

Component: Local Traffic Manager

Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.

Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands

Impact:
IP ToS/QoS values are not set on mirrored connection after failover.

Workaround:
Configure desired IP ToS/QoS values in FastL4 profile


753014-1 : PEM iRule action with RULE_INIT event fails to attach to PEM policy

Component: Policy Enforcement Manager

Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.

Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.

Impact:
PEM fails to update the new iRule action.

Workaround:
Force mcpd to reload the BIG-IP configuration.

To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.


753001-3 : mcpd can be killed if the configuration contains a very high number of nested references

Component: TMOS

Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.

Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).

Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.

Workaround:
None.


752994-3 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod

Component: TMOS

Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.

Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.

Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no HA configured).

Workaround:
None.


752971 : ACL-related reports might not contain some of the activity that takes place

Component: Application Visibility and Reporting

Symptoms:
Occasionally, some telemetry data of ACL-related activity is lost. You might see messages similar to the following:
../src/loader/monpd_stat.cc:load_file:0571| Some rows of load_stat_enforced_acl_154392960.1 not loaded (1597 rows affected).

Conditions:
No specific condition other than using the AFM Rules feature.

Impact:
ACL-related reports might not contain some of the activity that takes place.

Workaround:
None.


752803-2 : CLASSIFICATION_DETECTED running reject can lead to a tmm core

Component: Traffic Classification Engine

Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.

Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


752530-3 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.

Component: Local Traffic Manager

Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.

Conditions:
This occurs when either of the following conditions are met:

-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.

Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.

Workaround:
None.


752363 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled

Component: Advanced Firewall Manager

Symptoms:
Client request fails, due to being dropped on the BIG-IP system.

Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.

Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.

Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:

-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}

To disable BDoS globally per-profile, run the following command:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }


752334-3 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation

Component: Local Traffic Manager

Symptoms:
When Fast L4 receives out of order TCP packets, TCP analytics may compute wrong goodput value.

Conditions:
When FAST L4 receives out-of-order packets.

Impact:
Fast L4 reports an incorrect goodput value for the connection.

Workaround:
None.


752228 : GUI Network Map to account for objects in a Disabled By Parent state

Component: TMOS

Symptoms:
When an object has a Disabled By Parent state, it is counted in the Unknown status instead of evaluating its actual Availability status.

Conditions:
Viewing objects with Disabled By Parent state in Network Map.

Impact:
The status shown in the map and summary view does not reflect the correct status.

Workaround:
Use the object list views to filter by status to see the correct status.


752216-4 : DNS queries without the RD bit set may generate responses with the RD bit set

Solution Article: K33587043

Component: Global Traffic Manager (DNS)

Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.

Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.

Impact:
Some responses to DNS queries may include the RD bit, even thought the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.

Workaround:
None.


751718 : Connection tear down takes longer when using FastL4 profiles and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection tear down takes longer when using FastL4 profiles and connection mirroring.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Delay during TCP connection tear down.

Workaround:
There is no workaround other than disabling the db variable tm.fastl4_ack_mirror to disable mirroring when using FastL4.


751581-1 : REST API Timeout while queriying large number of persistence profiles

Component: TMOS

Symptoms:
When you have a large number of collections in BIG-IP, REST API seems to be timed out without any response from BIG-IP

Conditions:
When BIG-IP has large number of persistence profiles.

Impact:
REST API gets timed out when REST API queries the BIG-IP for persistence profiles. There is no response sent for given REST API.

Workaround:
When you have a large number of collections, you are recommended to use paging mechanism.

Please refer https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246.

"iControl ® REST supports pagination options for large collections.


751540-1 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.

Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.

Impact:
GTM Sync group not syncing properly.

Workaround:
Configure all self IP addresses in the syncgroup for GTM server.


751409-3 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs

Component: TMOS

Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.

Errors like this may be seen in the ltm log:

err tmm1[29243]: 01010009:3: Failed to bind to address

Conditions:
Two (or more) virtual servers with the same address, port, and route domain, and have them overlap only in VLANs

Impact:
Traffic does not get routed properly.

Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.


751383-2 : Invalidation trigger parameter values are limited to 256 bytes

Component: WebAccelerator

Symptoms:
Invalidation trigger parameter values are limited to a internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.

Conditions:
- AAM policy with invalidation trigger.
- invalidation trigger request with parameter value larger than 256 bytes.

Impact:
All content on target policy node is invalidated rather than the specific content targeted.

Workaround:
None.


751116-3 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring

Component: Advanced Firewall Manager

Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.

Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.

Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.

Workaround:
None.


751103 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).


In the case of this script, you can also delete the management route definitions to prevent the question from being asked.


751036-3 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Component: Local Traffic Manager

Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections fall below the limit.

Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections fall below the limit.

Impact:
Virtual server status reports unavailable, even though it should be available.

Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.


751024-2 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd

Component: TMOS

Symptoms:
Messages similar to the following appear in /var/log/ltm:

info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:

Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.

Impact:
Changes in optic state may be ignored while I2C bus is unavailable.

Workaround:
For each SFP, perform the following procedure:

1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.

Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.


751021-3 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.


750823-3 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which cause a TMM crash eventually.

Workaround:
Limit the amount of data that will be forwarded to APMD.


750689-1 : Request Log: Accept Request button available when not needed

Component: Application Security Manager

Symptoms:
There are several violations that make request unlearnable, but the Accept Request Button is still enabled.

Conditions:
Request log has requests with following violations that make requests unlearnable:
 - Threat Campaign detected
 - Null character found in WebSocket text message
 - Access from disallowed User/Session/IP/Device ID
 - Failed to convert character
+ 2 subviolations of HTTP protocol compliance failed violation:
 - Unparsable request content
 - Null in request
 - Bad HTTP version

or only following violations were detected:
 - Access from malicious IP address
 - IP is blacklisted
 - CSRF attack detected
 - Brute Force: Maximum login attempts are exceeded

Impact:
Accept Request button is available, but pressing it doesn't change the policy


750631-1 : There may be a latency between session termination and deletion of its associated IP address mapping

Component: Access Policy Manager

Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.

Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.

Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy


750491-2 : PEM Once-Every content insertion action may insert more than once during an interval

Component: Policy Enforcement Manager

Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.

Conditions:
During re-evaluation to update the existing flow.

Impact:
More than expected Insert content action with Once-Every method of insert content action

Workaround:
None.


750473-3 : VA status change while 'disabled' are not taken into account after being 'enabled' again

Component: Local Traffic Manager

Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.

Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.

Impact:
No route-advertisement of the virtual-address.

Workaround:
Toggle the route-advertisement for virtual-address.


750213-2 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.


750170-1 : SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request

Component: Access Policy Manager

Symptoms:
tmm crashes.

Conditions:
This occurs when BIG-IP handles SAML SLO requests, and SP Configuration is changed by the admin around the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.


749785-1 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consuming 100% CPU.

Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.

Workaround:
None.


749761 : AFM Policy with Send to Virtual and TMM crash in a specific scenario

Component: Advanced Firewall Manager

Symptoms:
TMM restart in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and Send-To-VS feature configured in at least one of the rules in the Security Policy.

Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following context has ACL Security Policy applied:
  + Global Context
  + Route Domain
  + Virtual Server Context

-- Send To Virtual Server is configured on any Rule on the Security policy.

-- Traffic matching a Rule (with logging enabled) in more than one context.

-- AFM Security Logging Profile has log Translation Field Enabled.

Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.

Workaround:
Disable Logging of Translation Fields in Security Logging Profile.


749704-3 : GTPv2 Serving-Network field with mixed MNC digits

Component: Service Provider

Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.

Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).

Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.

Workaround:
None.


749528-3 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap

Component: Service Provider

Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.

Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.

Impact:
IVS traffic might not be routed properly.

Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.


749469 : Unable to issue iControl rest API to perform 'tmsh show running-config' command

Component: TMOS

Symptoms:
Cannot mimic a tmsh show or list command using iControl REST.

Conditions:
Referred to the iControl REST User Guide, version 13.

Impact:
Not able to replace a tmsh show or list command with an iControl REST request.

Workaround:
There are no hard and fast rules to mimic the show or list command in iControl REST, other than to make a GET request to an endpoint. This information is stated in the user guide. Based on the tmsh man page, running-config is an option and a suggestion is to try: /mgmt/tm/sys/proc-info/stats?options=running-config


749414-2 : Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects

Component: Local Traffic Manager

Symptoms:
There are two symptoms:

-- Modifying the monitor for a node or pool-member might remove monitor rule instances and monitor instances for other nodes/pool-members.
-- After those unrelated monitor rule instances and monitor instances are removed, if you try to alter the state of the pool-member/node, the system posts the following message: Invalid monitor rule instance identifier.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is not in a pool.
-- Run the following command: tmsh load /sys config
-- Loading ucs/scf file can trigger the issue also.

Impact:
The system might delete monitor rule instances for unrelated nodes/pool-members. Pool members are incorrectly marked down.

Workaround:
Failover or failback traffic to the affected device.


749402-1 : AFM ACL Rule with Redirect to Virtual action can on rare occasions cause TMM restart

Component: Advanced Firewall Manager

Symptoms:
TMM restart when Traffic hits AFM Policy Rule having Redirect to Virtual Action, and when the Redirected to Virtual is being modified or when traffic hits the box immediately on TMM service being up.

During the time when the TMM has just started, some of the Virtual Server could be in the process of being Ready. When traffic hits the TMM right after TMM startup, and if the Redirect to Virtual is not yet Ready is when this crash is likely.

Virtual Server can also be in a not yet Ready state during configuration change of the Virtual Server.

Conditions:
AFM Rule with Redirect to Virtual configured
Traffic Matching the Redirect to Virtual rule
The Redirect to Virtual Server is not Ready. When a Virtual Server goes through configuration change, or when TMM has just started and not all Virtual Servers are in Ready state yet, this problem can be hit.

Impact:
TMM restart and service disruption.

Since the issue can happen when TMM is just up after initialization, when the Virtual Servers are in the process of being initialized one by one, a restart of TMM could cause repeated such TMM crash and restarts.


749388 : 'table delete' iRule command can cause TMM to crash

Component: TMOS

Symptoms:
TMM SegFaults and restarts.

Conditions:
'table delete' gets called after another iRule command.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.


749294-2 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.


749227-3 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE

Component: Service Provider

Symptoms:
INVITE message being processed operation creates a temporary registration entry for a unregistered subscriber, this registration entry is not extended if a subsequent invite occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.

Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile

Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.

This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.

Workaround:
None.


749161-1 : Problem sync policy contains non-ASCII characters

Component: Access Policy Manager

Symptoms:
When access policy contain non-ASCII characters, policy sync either fails or the characters are not sync'ed properly on the target.

Conditions:
-- Using an access profile.

-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g.,in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:

expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_TransmissãČo,"] || [string tolower [mcget -decodde {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}

-- Start policy sync on the profile.

Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.

Workaround:
None.


748944 : Import is failing for APM SSO Config Saml object

Component: Access Policy Manager

Symptoms:
Import of policy is failing with Syntax Error:
'[api-status-warning]' unexpected argument.

Conditions:
Imported policy has APM SSO Config Saml object.

Impact:
Unable to import policy.

Workaround:
To workaround this issue, follow this procedure:

1. Unpack conf.tar.gz.
2. Edit the ng-export.conf file to find and remove the line containing [api-status-warning].
3. Packup conf.tar.gz again.


748940-1 : iControl REST cert creation not working for non-Common folder

Component: TMOS

Symptoms:
Certificate creation under a non-Common folder using iControl REST doesn't work.

For example, the user sends the iControl REST message and gets the error message return:

curl -sk -u admin:f5site02 https://10.192.84.16/mgmt/tm/sys/crypto/cert/ -H 'Content-Type: application/json' -X POST -d '{"name":"/my_dir/mmmmm", "common-name":"cn","key":"/my_dir/mmmmm"}' | ~/bin/json-parser-linux64

        {
          "code": 400,
          "message": "Unable to extract key information from \"/config/filestore/files_d/my_dir_d/certificate_key_d/:my_dir:mmmmm_166121_1\"to \"/var/system/tmp/tmsh/87bOS1/ssl.key//my_dir/mmmmm\"",
          "errorStack": [],
          "apiError": 26214401
        }

Conditions:
The user attempts to create an SSL certificate under a non-Common folder using iControl REST.

Impact:
Unable to create an SSL certificate in non-Common folder.

Workaround:
Create the SSL certificate using tmsh.


748891-3 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.

Component: Local Traffic Manager

Symptoms:
Potential MAC relearning at the switches the BIG-IP system is connected to.

Conditions:
-- DB variable connection.vlankeyed set to disabled.
-- Multiple virtual-wires configured on the BIG-IP system.
-- Client to server and server to client traffic using different virtual wires on the BIG-IP system.

Impact:
Packets reach their L3 destination using an unexpected L2 path.

Workaround:
None.


748572-1 : Occasionally ramcache might crash when data is sent without the corresponding event.

Component: Access Policy Manager

Symptoms:
Ramcache filter causes crash when sending data without HUDCTL_RESPONSE while in CACHE_COLLECT event.

Conditions:
When the access_policy_trace db variable is enabled, failure in insertion of policy path cookie in the header while sending a redirect to the client might cause the ramcache filter to SIGSEGV.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off the access_policy_trace db variable.


748427 : FPS to splunk logging is confusing

Component: Fraud Protection Services

Symptoms:
When using a splunk destination for the risk-engine publisher, the log message template is ignored. instead all available fields are logged in a splunk formatted way.

On the other hand, FPS requires a non-empty log message for actually sending the logs, this means that the user must assign a dummy value in the log message template.

Conditions:
1. splunk destination
2. non empty log message (sys db antifraud.internalconfig.strin1 or antifraud.internalconfig.strin2)

Impact:
User must set a dummy content for the log messages in order to be able to send the logs. However, the actual content will be not as expected in case of a splunk formatted destination.

Workaround:
Set a dummy value (a single space will do) in the log messages template.


748253-3 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.

Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.

Workaround:
To mitigate this issue:

1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).


748205-1 : SSD bay identification incorrect for RAID drive replacement

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.


1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.


748182 : pkcs11d error code not logged in logs

Component: Local Traffic Manager

Symptoms:
When NetHSM debug logging is turned on, pkcs11d does not log the return codes it receives via PKCS11 API from the Safenet Luna and Thales.

Conditions:
It occurs when any pkcs11 api fails for some reason.

Impact:
Makes it more difficult to debug the root cause of pkcs11 failure.

Workaround:
Engage F5 Support when this level of diagnostic information is required.


748031-3 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule

Component: WebAccelerator

Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.

Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters

Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.

Workaround:
No workaround exists.


747960 : BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly

Component: Performance

Symptoms:
Attempts to send fragmented packets destined for SSH or the webui of BIG-IP VE running with 1 NIC will fail. This is a rare situation generally, but one noted area where we have seen it is when BIG-IQ attempts to discover the BIG-IP.

Conditions:
BIG-IP VE configured with 1 network interface. Send IP fragmented traffic to either SSH or the web interface (TCP/8443 for 1nic).

Impact:
The IP fragments will not be properly reassembled and the connection will ultimately fail. This is only an issue for IP fragmented traffic sent with 1nic destined for SSH or the webui.

Workaround:
Prevent IP fragmentation, or configure multiple network interfaces.


747922-2 : With AFM enabled, during bootup, there is a small possibility of a tmm crash

Component: Advanced Firewall Manager

Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restart.

Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.

Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


747909-3 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.


747907-1 : Persistence records leak while the HA mirror connection is down

Component: Local Traffic Manager

Symptoms:
Memory may leak on the active unit while the HA mirror connection is down.

Conditions:
Persistence configured which requires state stored on BIG-IP.
Mirroring configured on the persistence profile or the virtual server.
Mirror connection is down. For example, next active is down/offline/unavailable.

Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, memory will be released.

Workaround:
- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
- Disable session mirroring for iRules.
- Use persistence which does not requires state stored on BIG-IP.
- Restore HA connection.


747799-2 : 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile

Component: TMOS

Symptoms:
During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file.

This occurs as a result of an invalid configuration that can be created as a result of a bug (614675) that exists in 11.5.4-HF2 (and only in 11.5.4-HF2). Because of the bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:

 ltm profile client-ssl /Common/cssl {
     app-service none
     cert none
     cert-key-chain {
         "" { } <=============== empty cert-key-chain
         defualt_rsa_ckc { <==== typo: 'defualt'
             cert /Common/default.crt
             key /Common/default.key
         }
     }
     key none
 }

Note: This upgrade failure has an unique symptom: the typo 'defualt_rsa_ckc'. However, the name has no specific negative impact; the issue is with the empty cert-key-chain.

After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.

Conditions:
The issue occurs when all the following conditions are met:

-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.

Impact:
After upgrade, the configuration fails to load. The system posts an error message similar to the following:

-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.

Workaround:
You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2), or after the upgrade failure.

To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although there are no negative consequences of this typo, it is still a good idea.

The new profile should appear similar to the following:

   ltm profile client-ssl /Common/cssl {
       app-service none
       cert /Common/default.crt
       chain none
       cert-key-chain {
           default_rsa_ckc {
               cert /Common/default.crt
               key /Common/default.key
           }
       }
       key /Common/default.key
   }


747676-1 : Remote logging needs 'localip' to set source IP properly

Component: TMOS

Symptoms:
Source ip of log entries sometimes use self-ip.

Conditions:
It happens when configuring mgmt IP and route is slower than syslog-ng start.

This issue happens in case of the HA scenario also.

Impact:
Remote log entry has wrong source IP address.

Workaround:
Use localip keyword to force specific IP address.

udp("1.1.1.9" port (514) localip("100.100.100.101"));

In case of the HA configuration, use persist-name key word or syslog-ng may fail to start.

# setting for device A
udp("1.1.1.9" port (514) localip("100.100.100.101") persist-name(devA) );
# setting for device B
udp("1.1.1.9" port (514) localip("100.100.100.102") persist-name(devB));


747628-3 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, BIG-IP then sends an ICMP PMTU message because the packet is too large.

Conditions:
The serverside allows timestamps and the clientside doesn't negotiate them.

The clientside MTU is lower than the serverside's.

There is no ICMP message on the clientside connection.

Impact:
Unnecessary retransmission by server, suboptimal xfrag sizes (and possibly packet sizes)

Workaround:
Disable timestamps on the serverside TCP profile, or proxy-mss on the clientside profile.


747624-1 : RADIUS Authentication over RSA SecureID is not working in challenge mode

Component: Access Policy Manager

Symptoms:
Cannot change/reset RSA PIN.

Conditions:
Using RADIUS Auth Agent to communicate with RSA SecurID server for user authentication.

Impact:
Users cannot change or reset RSA PIN.

Workaround:
None.


747585-2 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround this time.


747560-3 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.


747203-4 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Component: TMOS

Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.

Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.

Impact:
NATT/ESP tunnel flows can end with a RST reset.

Workaround:
None.


747192-2 : Small memory leak while creating Access Policy items

Component: Access Policy Manager

Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.

Conditions:
The leak occurs while creating new policy items in Access.

Impact:
After a long uptime interval, mcpd may crash due to lack of memory.

Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.


747077-1 : Potential crash in TMM when updating pool members

Component: Local Traffic Manager

Symptoms:
In very rare cases, TMM can crash while updating pool members.

Conditions:
The conditions that lead to this are not known.

Impact:
TMM crashes, which can cause a failover or outage.

Workaround:
There is no workaround.


747065-3 : PEM iRule burst of session ADDs leads to missing sessions

Component: Policy Enforcement Manager

Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.

Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.

Impact:
Policies available in the missing session cannot be accessed.

Workaround:
Add a delay of at least a few milliseconds between adding multiple session with same subscriber-id and IP address.


746922-4 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.

If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry could be better than the current previously selected routing entry. But previously selected entry doesn’t get invalidated, thus the routing entity which is holding this entry is forwarding traffic to a less preferable egress point.

#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searched for the best egress point and found nothing in the routing table for the route domain 1 and later found a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later new gw for RD1 was added - 0.0.0.0/0%1, it's more preferable for 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in our case - 0.0.0.0/0%1.

Conditions:
1) There are more than one route domains in the parent-child relationship.
2) There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object(for instance, pool member) which is from child route domain.
3) The routing entry from a parent route domain was selected as an egress point for the object from the child route domain.
4) New routing entry for child route domain is added.

Impact:
If a new added route is more preferable than existing in a different route domain, then the new route is not going to be used by a routing object, which has selected an "old" route previously. Thus traffic flows through these routing objects to the unexpected/incorrect egress point. This could present undesirable behavior: the route could be unreachable and all traffic for a specific pool member is dropped or virtual server couldn't find an available SNAT address or just that the wrong egress interface is being used.

Workaround:
There are several ways:
Either of this workaround should be done after a new route in child domain was added.
- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted deamon if routes were gathered via routing protocols.
-----
- Recreate a routing object.
If a pool member is affected, recreate the pool member.
If a SNAT pool list is affected, recreate it.
And so on.


746837-3 : AVR JS injection can cause error on page if the JS was not injected

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.

If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.

This can lead to errors in cases where the change in response size is not supported.

Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The context-type header is text/html.
-- The response is not chunked (Context-length header exists).
-- The payload does not include the HTML head tag.

Impact:
White Spaces at the end of the page can cause it to be invalid for some applications.

Workaround:
To avoid trying to inject to pages where the JS does not fit, use iRules to control which pages should get the JS injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.


746825-3 : MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls

Component: Service Provider

Symptoms:
When a temporary registration is created for an un-subscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.

Conditions:
If nonregister-subscriber-callout attribute in the siprouter-alg profile is enabled, and an unregiatered client device places an outgoing call, a temporary registration is created. This temporary registration lives for the life of the call. During the lifetime of the temporary registration if the connection from the client is closed, it is not possible for an external device to reach the client.

Impact:
The callee of an outgoing call initiated by an un-registered sip device will not be able to end the call.

Workaround:
There is no workaround at this time.


746758 : Qkview produces core file if interrupted while exiting

Component: TMOS

Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.

Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.

Impact:
A core file is produced.

Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.


746731-3 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}


746719-3 : SERVFAIL when attempting to view or edit NS resource records in zonerunner

Component: Global Traffic Manager (DNS)

Symptoms:
While attempting to use ZoneRunner to edit NS resource records, getting error:
01150b21:3: RCODE returned from query: 'SERVFAIL'.

Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.

Impact:
Administrator is unable to use ZoneRunner to edit NS records.

Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.

Note: This will be impacting to any clients expecting recursion for the duration of the change.


746710-2 : Use of HTTP::cookie after HTTP:disable causes TMM core

Component: Local Traffic Manager

Symptoms:
When an iRule disables HTTP with HTTP:disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.

Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP:disable is called on request.
3) HTTP:cookie is then called on that request.

Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.

Workaround:
Do not call HTTP:cookie on requests that have had HTTP disabled by HTTP:disable


746657-3 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval

Component: TMOS

Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the fqdn 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.

Conditions:
Always.

Impact:
FQDN nodes and pool members may be created with a different fqdn refresh interval than intended.

Workaround:
When creating an FQDN node or pool member, specify the desired fqdn 'interval' value (either TTL, or the desired number of seconds).


746650 : Stale packets in HSB transmit queue causes HSB DMA lockup

Component: TMOS

Symptoms:
A stale packet in the HSB transmit queue without the packet_ending flag set might cause HSB transmission failure and DMA lockup.

Conditions:
Conditions under which this occurs have not been reproduced.

Impact:
The HSB transmit failures leads to HSB DMA lockup and impacts traffic.

Workaround:
Reboot the unit to recover from the HSB DMA lockup.


746620-1 : "source-port preserve" does not work on BIG-IP Virtual Edition

Component: Performance

Symptoms:
BIG-IP Virtual Edition uses RSS hashing for selecting TMMs which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.

Conditions:
BIG-IP virtual edition with "source-port preserve" configured on a fastl4 virtual server and VE configures RSS hash. VE will configure RSS hash if both the below conditions are met

1. VE supports RSS hash on the NIC. Currently, RSS is supported on ixlv and vmxnet3 NICs
2. The number of TMMs <= maximum number of queues supported by the NIC. For ixlv this is 4 and for vmxnet3 this is 8

Impact:
Connections may fail due to reusing ports too quickly.

Workaround:
On the Virtual Server, set source-port to "change".


746464-3 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


746348-1 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable' because gtmd fails to process some probe responses sent by the instance big3d that resides on the same BIG-IP system.

Conditions:
The monitor response from big3d going to gtmd on the same device is being lost. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on one BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.


746333 : Setting the hostname to non-FQDN value prevents upgrade

Component: TMOS

Symptoms:
Upgrade of the BIG-IP system fails.

Conditions:
BIG-IP systems that contain hostnames that do not meet FQDN standards.

For instance, this could be due to the use of invalid characters, such as asterisk '*'. An example of an invalid hostname is as follows: test***.example.com.

Impact:
Inability to upgrade.

Note: Setting hostname in tmsh CLI does not validate FQDN like the GUI does, so when you use tmsh to set hostnames, make sure to use an FQDN-compliant one.

Workaround:
When attempting to upgrade you must make sure all hostnames are FQDN compliant.


746266-1 : Vcmp guest vlan mac mismatch across blades.

Component: TMOS

Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.

Conditions:
This issue may be seen when all of the following conditions are met:

- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
There is no workaround at this time.


746152-3 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column

Component: TMOS

Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in tmm/hsbe2_internal_pde_ring
table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows very small number:

from tmm/hsbe2_internal_pde_ring

name active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------

lbb0_pde1_ring2 1 2 17179869185 4398046511186
lbb0_pde1_ring3 1 2 8589934597 2199023256108
lbb0_pde2_ring0 1 2 0 0
lbb0_pde2_ring1 1 2 0 0
lbb0_pde2_ring2 1 2 8589934592 2199023255552
lbb0_pde2_ring3 1 2 0 0
lbb0_pde3_ring0 1 2 0 0
lbb0_pde3_ring1 1 2 0 0
lbb0_pde3_ring2 1 2 8589934592 2199023255552
lbb0_pde3_ring3 1 2 0 0
lbb0_pde4_ring0 1 2 0 0
lbb0_pde4_ring1 1 2 0 0
lbb0_pde4_ring2 1 2 8589934592 2199023255552
lbb0_pde4_ring3 1 2 0 0

lbb1_pde1_ring1 1 3 0 0
lbb1_pde1_ring2 1 3 4294967298 1099511627952



From hsb_snapshot for pde1's ring 0 to ring 3:

50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7

Conditions:
The register reads sometimes return a 0 value.

Impact:
The DMA drop stats are not accurate

Workaround:
Restart tmm can reset the stats, but it will disrupt traffic.


746078-3 : Upgrades break existing iRulesLX workspaces that use node version 6

Component: Local Traffic Manager

Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.

Errors like this will be seen in /var/log/ltm:

Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)

Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.

Impact:
The iRulesLX plugin no longer works.

Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>.
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6"
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.


745825-3 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading

Component: TMOS

Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:

audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".

These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.

Conditions:
The audit_forwarder process is starting up and loading the configuration.

Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.

Workaround:
There is no workaround.


745628-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a NOTIFY message has been processed.

Conditions:
This occurs because the NOTIFY message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.


745600-3 : Removal of timer object from tmm timer-ring when a tcl context is released.

Component: Access Policy Manager

Symptoms:
If a tcl context is associated with a tmm-timer (while creating access session) using iRule, the timer object is removed during tcl context release but its association remains. When the timer fires, it tries to access a memory which is already freed, causing tmm to crash and generate a core.

Conditions:
Creating access session using iRule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


745589-4 : In very rare situations, some filters may cause data-corruption.

Component: Local Traffic Manager

Symptoms:
In very rare situations, an internal data-moving function may cause corruption.

Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.

Conditions:
The affected filters are used, and some very rare situation occurs.

Impact:
This may cause silent data corruption, or a TMM crash.

Workaround:
There is no workaround at this time.


745514-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a SUBSCRIBE message has been processed.

Conditions:
This occurs because the SUBSCRIBE message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.


745404-2 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows

Workaround:
None.


745397-3 : Virtual server configured with FIX profile can leak memory.

Component: Service Provider

Symptoms:
System memory increases with each transmitted FIX message. tmm crash.

Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.

Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.

Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.


745261-1 : The TMM process may crash in some tunnel cases

Component: TMOS

Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.

Conditions:
There are two scenarios that may lead to this issue:

Scenario 1: DSR
- DSR is deployed.


Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.

Impact:
The TMM process crashes.Traffic disrupted while tmm restarts.

Workaround:
None.


745035-1 : gtmd crash

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd crashes

Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.

Impact:
Under rare circumstances, gtmd may crash and restart.

Workaround:
None


744936 : Adding a default tmm gateway in AWS breaks failover between two instances if the default tmm gateway can't provide route to the ec2 metadata service at 169.254.169.254.

Component: TMOS

Symptoms:
Instance failover breaks with the following messages in /var/log/ltm:

/usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Instance sanity check failed with error:
/usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): ('Connection aborted.', error(111, 'Connection refused'))

Conditions:
- BIG-IP is deployed in AWS with multiple NICs.

- Also, the BIG-IP is part of a failover group.

- The Failover/HA in AWS depends on access to the instance metadata provided by the EC2 cloud via the http endpoint at 169.254.169.254.

- The default gateway provided by AWS through DHCP ensures access to this metadata endpoint without any additional configuration. However, when using a custom default gateway, the access to the instance metadata endpoint might not work.

Impact:
As moving the elastic-ip between the Active and Stand-by instances breaks, the failover can't complete and the new Active instance can't takeover the BIG-IP operations.

Workaround:
Add the ip rule for the link local address 169.254.169.254 as following:

ip rule add to 169.254.169.254 lookup 245


744787-2 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias

Component: Global Traffic Manager (DNS)

Symptoms:
WideIP alias will be replaced.

Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.

Impact:
The previous WideIP will be replaced.

Workaround:
Avoid adding existing WideIP for other WideIP.


744532-2 : Websso fails to decrypt secured session variables

Component: Access Policy Manager

Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen /var/log/apm:

Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'

Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.

Impact:
Single Sign-On (SSO) won't work correctly.

Workaround:
There is no workaround at this time.


744520-3 : virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface

Component: TMOS

Symptoms:
virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface.

Conditions:
Virtual server with pem profile and Vxlan-GRE tunnel interface.

Impact:
Traffic drop.

Workaround:
There is no workaround.


744422 : APM iRule events intermittently fail to execute

Component: Access Policy Manager

Symptoms:
ACCESS_PER_REQUEST_AGENT_EVENT iRule event intermittently fails to execute.

Conditions:
No particular sequence of events that reliably triggers this. Initially thought to be happening when modifying iRules while running traffic.

Impact:
ACCESS_PER_REQUEST_AGENT_EVENT iRule event will not run and the iRule commands in it will not be executed.

Workaround:
There is no workaround at this time.


744316 : Config sync of APM policy fails with Cannot update_indexes validation error.

Component: Access Policy Manager

Symptoms:
Config sync operation fails for APM policy when policy item of same name points to different agent on source and target

The system posts errors similar to the following:

Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"

Conditions:
This occurs in the following scenario:

1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
  + Launch VPE for the policy.
  + Add a macro.
  + In macro add an agent, e.g., Message box.
  + Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.

Impact:
Unable to sync configuration in a failover device group.

Workaround:
You can work around this using the following procedure:

1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.


744280-1 : Enabling or disabling a Distributed Application results in a small memory leak

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.

Conditions:
Enabling or disabling a Distributed Application.

Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.

Workaround:
None.


744275-3 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}


744252-3 : BGP route map community value: either component cannot be set to 65535

Component: TMOS

Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.

Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.

Impact:
Unable to use the full range of BGP route map community values

Workaround:
There is no workaround at this time.


744210-1 : DHCPv6 does not have the ability to override the hop limit from the client.

Component: Local Traffic Manager

Symptoms:
DHCPv6 packet may be dropped by a device after the DHCP relay if the client provided hop limit is 1.

Conditions:
DHCPv6 Relay configured on the BIG-IP.

Impact:
Loss of DHCPv6 service.

Workaround:
There is no workaround at this time.


743950-2 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled

Component: Local Traffic Manager

Symptoms:
TMM raises a segmentation violation and restarts.

Conditions:
-- Set up client-side and server-side SSL with:
  + Client Certificate Constrained Delegation (C3D) enabled.
  + OCSP enabled.

-- Supply SSL traffic.

Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.

Workaround:
Disable C3D.


743900-3 : Custom DIAMETER monitor requests do not have their 'request' flag set

Component: Local Traffic Manager

Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.

Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.

Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response

Workaround:
None.


743475 : Upgrades from releases earlier than 13.1.1 may fail when AD servers are invalid

Component: Access Policy Manager

Symptoms:
If an invalid AD server is configured, upgrades to releases 13.1.1 may fail due to MCP validation that enforces valid AD server

Conditions:
Upgrade to 13.1.1 or higher with invalid AD server configured

Impact:
Upgrade failure

Workaround:
Edit .conf file and remove the invalid AD server or correct it.


743271-3 : Querying vCMP Health Status May Show Stale Statistics

Component: TMOS

Symptoms:
Stale statistics collected while the guest was running a pre-13.1.0 version may periodically be seen when querying vCMP health status in the Configuration Utility or via tmsh show vcmp health commands.

Conditions:
This issue may be seen when all of the following conditions are met:

- the vCMP guest is deployed on more than one blade
- the vCMP guest is upgraded from a pre-13.1.0 release to 13.1.0 or above

Impact:
Health status is not always accurately reported

Workaround:
The issue may be resolved by setting the guest status temporarily to configured and then back to deployed.


743257-1 : Fix block size insecurity init and assign

Component: Local Traffic Manager

Symptoms:
After an HA failover the block size insecurity checks were creating conditions for an infinite loop. This causes tmm to be killed by sod daemon via SIGABRT.

Conditions:
Rare not reproducible.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.


743132-4 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile

Component: TMOS

Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.

Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.

Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.

Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.


743116-2 : Chunked responses may be incorrectly handled by HTTP/2

Component: Local Traffic Manager

Symptoms:
When a chunked HTTP response is serialized by HTTP/2, the chunking headers should be removed. This does not occur in some cases.

Conditions:
The HTTP/2 filter is used. Some other profiles are used on the same virtual. (In particular, the request logging profile triggers this issue.)

Impact:
The HTTP/2 payload will include chunking headers, corrupting it.

Workaround:
An iRule may be used to detect a HTTP/2 client, and forcibly turn on unchunking in the HTTP_RESPONSE event.

Example:

ltm rule unchunk_http2 {
when HTTP_REQUEST {
        set is_http2 [HTTP2::active]
    }
when HTTP_RESPONSE {
        if { $is_http2 } {
            HTTP::payload unchunk
        }
    }
}


742838-3 : A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition

Component: Local Traffic Manager

Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:

"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"

This happens in both the GUI and TMSH.

Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.

Impact:
Inability to edit the published policy.

Workaround:
None.


742753-2 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.


742419-1 : BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi

Component: TMOS

Symptoms:
Configuring multiple SR-IOV interfaces into a trunk does not function correctly when running BIG-IP as a guest under VMware ESXi. The interface will show as uninitialized.

Conditions:
A system that passes SR-IOV virtual functions directly to a BIG-IP guest when running on VMware ESXi.

Impact:
The trunk will fail to initialize.

Workaround:
None.


742237-2 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd


742184-1 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.

Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.

Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.

Workaround:
Do not add a L7 profile to a fastL4 virtual server.


742105-1 : Displaying network map with virtual servers is slow

Component: TMOS

Symptoms:
The network map loads slowly when it contains lots of objects.

Conditions:
Load the network map in a configuration that contains 1000 or more objects.

Impact:
The network map loads very slowly.

Workaround:
None.


741967 : APM custom report with active field failed on vcmp

Component: Access Policy Manager

Symptoms:
APM custom report, when including active field, fail to run on VCMP platform.

Conditions:
1. Create an APM custom report (Access :: Overview :: Access Reports, click on "Custom Reports" panel, then "create". Select fields for the report, make sure check "Active" under "Session")

2. Run the report

Impact:
Unable to run the report with the specific field.

Workaround:
There is no workaround at this time.


741902-3 : sod does not validate message length vs. received packet length

Component: TMOS

Symptoms:
sod may crash or produce unexpected behavior.

Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.

Impact:
sod may crash, causing a failover.

Workaround:
None.


741535-1 : Memory leak with Form-based Client-initiated SSO

Component: Access Policy Manager

Symptoms:
With Form-based Client-initiated SSO configured, BIG-IP system memory usage increases with every HTTP request that is proxied to the backend. The type of memory that increases is tmjail. You can view memory usage using the following command: tmsh sys show memory.

At some point, the BIG-IP system enables connection evictions in order to reduce the memory pressure, which causes service disruptions. You might see the following warning log messages.

-- warning tmm[20537]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory).
-- warning tmm1[20537]: 01010290:4: TCP: Memory pressure activated.
-- err tmm1[20537]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (100000000000b) (global memory) 413 Connections killed.

Conditions:
Form-based Client-initiated SSO is used.

Impact:
Potential service disruption.

Workaround:
No workaround other than not using Form-based Client-initiated SSO.


741213-3 : Modifying disabled PEM policy causes coredump

Component: Policy Enforcement Manager

Symptoms:
TMM undergoes core dump after a disabled policy has a new rule added.

Conditions:
-- Add a rule to disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Modify a PEM policy only when the policy is enabled.


740994-1 : AWS pool member discovery (f5-iAppLX-aws-autoscale) does not work

Component: TMOS

Symptoms:
Backend servers are not getting added to the pool. The system posts messages to /var/log/ltm:

/usr/libexec/aws/autoscale/aws-autoscale-pool-manager.sh (): execute_aws_cmd expects 6 parameters but got 7. AWS command is aws autoscaling describe-auto-scaling-groups."

Conditions:
-- Applies only to AWS.
-- Occurs when you configure pool member discovery via built-in f5-iAppLX-aws-autoscale iApp.

Impact:
AWS pool member discovery (f5-iAppLX-aws-autoscale) does not work.

Workaround:
Use Service Discovery in AS3. For information, see Using Service Discovery with AS3 ::
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/service-discovery.html.


740959-2 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition;

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.


740589-3 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));


740517-3 : Application Editor users are unable to edit HTTPS Monitors via the Web UI

Component: TMOS

Symptoms:
A user with Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the the following, misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)

Conditions:
The logged in GUI user must be an Application Editor role for the partition containing the HTTPS Monitor

Impact:
The user must use TMSH to modify an HTTPS Monitor.

Workaround:
Run the following tmsh command: modify ltm monitor https"\


740413-3 : sod not logging Failover Condition messages

Component: TMOS

Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.

Conditions:
Failsafe fault.

Impact:
No 'Failover Condition'messages logged in /var/log/ltm.

Workaround:
None.


740284-2 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'

Component: Global Traffic Manager (DNS)

Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.

Conditions:
The conditions under which this occurs are not known.

Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.

Workaround:
Use any of the following to reset the condition:

-- Restart gtmd by issuing the following command:
bigstart restart gtmd

-- Restart the system.

-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.

-- Delete the affected server from the configuration and recreate it.


740280-1 : Configuration Utility and tmsh may not validate Certificate Authority profile names

Component: TMOS

Symptoms:
Under certain circumstances it is possible to create a Certificate Authority profile with the same name of an already existing profile. The system should prevent the creation of the duplicate-name profile, but it allows it. Once the duplicate-name profile is created, the system reports a validation error when loading the configuration.

Conditions:
-- A profile exists with a specific name.
-- A new Certificate Authority profile is created with the same name as the existing profile.
-- The configuration with the new Certificate Authority profile is saved (note that this should not be allowed, and validation should fail and prevent the save operation).

Impact:
Although this is a prohibited configuration, the system does not prevent it. After saving, when you reload the configuration using the command 'tmsh load sys configuration', the system reports a validation error similar to the following:

01070293:3: The profile name (/Common/ca_profile_name) is already assigned to another profile.
Unexpected Error: Validating configuration process failed.

Workaround:
There is no workaround other than to ensure that every Certificate Authority profile has a unique name.


740228-1 : TMM crash while sending a DHCP Lease Query to a DHCP server that is offline

Component: Policy Enforcement Manager

Symptoms:
TMM crashes.

Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.
- DHCP server is offline.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


740135-3 : Traffic Group ha-order list does not load correctly after reset to default configuration

Component: TMOS

Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group HA Order lists.

Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.

Impact:
Incorrect HA configuration.

Workaround:
Reload the configuration a second time.


739927-3 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.


739872-2 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover

Component: TMOS

Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.

Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.

Impact:
Unintended failover.

Workaround:
None.


739820-3 : Validation does not reject IPv6 address for TACACS auth configuration

Component: TMOS

Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server

Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.

Workaround:
Do not configure IPv6 address for TACACS server


739638-2 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.


739553-3 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.


739533-4 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config

Component: TMOS

Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.

Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.

Impact:
When that happens, the temporary files that should be deleted, might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space. /config may get to 100% full. Having /config at 100% full might cause config sync to fail, prevent configuration changes, and other issues.

Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.


739400 : iControl REST fails to list virtual servers

Component: TMOS

Symptoms:
An attempt to add a forward action to an LTM policy generated an error. A separate attempt to use iControl REST to list virtual servers also failed.

Conditions:
Insert a non-breaking space (&nbsp;) character in the description field of a virtual server entry. Try to create a forward action using the TMUI on BIG-IP version 13.1.0.8, or use iControl REST to list virtual servers.

Impact:
In iControl REST, the character causes an error response, which prevents a response with a listing of virtual servers.

Workaround:
Verify that the description field for a virtual server does not contain any characters like non-breaking spaces. Avoid copying and pasting content into description fields, especially if the source is HTML format since it may contain a non-breaking space character.


739118-3 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Component: TMOS

Symptoms:
Changing existing self IP addresses in bigip_base.conf file directly. After uploading the changed configuration file, BIG-IP routing service provides out of date Self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - hHas the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in bigip_base.conf file. It is not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.

Corrective:
If changed configuration is uploaded. In GUI or tmsh, delete changed self IP address, and then create a self IP address with old IP address and delete it as well. Now, all affected routes are removed.


738943-5 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
ability to show dynamic routing state using imish

Workaround:
restart ospfd daemon


738789-2 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog

Component: Application Security Manager

Symptoms:
ASM blocks requests when a request payload is an xml document with a prolog line at the begging with encoding="us-ascii".

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon, the typical value is encoding="utf-8").

Impact:
Blocked XML requests.

Workaround:
You can use either of the following workarounds:

-- Remove XML profile from a URL in the ASM policy.

-- Disable XML malformed document detection via ASM policy blocking settings.


738547-1 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII

Component: Access Policy Manager

Symptoms:
When SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, SAML SAX Parser returns error

Conditions:
When SAML metadata file contains certain UTF-8 characters other than the ASCII set,

Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.

Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.


738450-3 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.


738445-2 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup

Component: TMOS

Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:

-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.

-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.

Either alone prevents finding the SA to delete.

Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.

Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.

Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>


738070-2 : Persist value for the RADIUS Framed-IP-Address attribute is not correct

Component: Service Provider

Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.

Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).

Impact:
RADIUS requests may not get persisted to the servers they should be.

Workaround:
Use an iRule to persist instead, e.g.:

ltm rule radius-persistence {
    when CLIENT_DATA {
    persist uie [RADIUS::avp 8]
}
}


737985 : BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.

Component: Local Traffic Manager

Symptoms:
Services that require Standard Proxy mode cannot be availed of.

Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.

Impact:
Prevents services that require Standard Proxy mode from being leveraged in an L2 transparent deployment.

Workaround:
None.


737901-2 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode

Component: TMOS

Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.

Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.

Impact:
The management MAC address is the same as the Host VLAN MAC address, resulting in the same MAC being used for the VLAN traffic originating from the vCMP Host along with the Host's mgmt Interface traffic, potentially resulting in issues relating to the inability to differentiate traffic to mgmt port or traffic ports.

Workaround:
There is no workaround at this time.


737726-2 : If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon

Component: Global Traffic Manager (DNS)

Symptoms:
ZoneRunner displays the following error message when attempting to list resource records: No route to host.

Conditions:
-- named is restarted outside of the normal start up procedure.
-- zrd is not restarted.

Impact:
ZoneRunner cannot communicate with named, and thus cannot display resource records.

There are temporary addresses created on the loopback address to facilitate communication between the zrd and named processes. When named is restarted, these temporary address are inadvertently removed.

Workaround:
Restart the zrd process using the following command:
bigstart restart zrd


737692-1 : Handle x520 PF DOWN/UP sequence automatically by VE

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.


737529-2 : [GTM] load or save configs removes backslash \ from GTM pool member name

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load, and posts an error similar to the following:

Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers

Conditions:
GTM server virtual server name contains a backslash (\) character.

Impact:
GTM config fails to load.

Workaround:
Edit bigip_gtm.conf manually and add the \ character.

Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.


737476 : End users using virtual keyboard might be blocked during clientside features

Component: Application Security Manager

Symptoms:
End users using a virtual keyboard may be blocked when being challenge with CAPTCHA or when Web Scraping or Bot Defense profile are enabled.

Conditions:
This occurs when end users use virtual keyboard, and one of the following:

-- End users are being challenged with CAPTCHA mitigation on ASM policy or DoS profile (v14.0.0 or later).

-- Web Scraping with Bot Detection is configured (v13.1.0 or later).

Impact:
User using a virtual keyboard might be blocked.

Workaround:
There is no workaround at this time.


737374-1 : local-db PEM Subscriber Activity log missing

Component: Policy Enforcement Manager

Symptoms:
PEM subscriber activity log is empty when published to local database.

Conditions:
-- PEM subscriber activity log is configured.
-- The endpoint is local-db.

Impact:
Missing activity logs for external server.

Workaround:
Configure the destination as local-syslog publisher.


737346-3 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.

Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.


737055-2 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot login to the Configuration Utility. Instead the system presents a blank page, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.


735565-1 : BGP neighbor peer-group config element not persisting

Component: TMOS

Symptoms:
neighbor peer-group configuration element not persisting after restart

Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart

Impact:
BGP peer-group configuration elements don't persist

Workaround:
Reconfigure BGP neighbor peer-group after restart


734846-3 : Redirection to logon summary page does not occur after session timeout

Component: TMOS

Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.

Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true

-- The BIG-IP Administrator users' session automatically times out.

Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page

Workaround:
Manually navigate to the logon summary page.


734836-3 : Network Map summary counts pool members more than once if they are shared across pools

Component: TMOS

Symptoms:
On the page at Local Traffic :: Network Map, in the summary view, the total number of pool members shows a larger number if there are pool members referenced by multiple pools.

Conditions:
-- Network Map summary view.
-- Pool members referenced by multiple pools.

Impact:
The number of pools value is higher than the actual number of pools because of how the system tracks a single pool member referenced in multiple pools.

Workaround:
There is no workaround at this time.


734551 : L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server

Component: Local Traffic Manager

Symptoms:
Configuration overhead that requires configuration of a virtual server per VLAN group.

Conditions:
A BIG-IP system deployed in an L2 transparent mode using VLAN groups.

Impact:
Configuration overhead to configure virtual server per VLAN group.

Workaround:
None.


734539-3 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads

Component: TMOS

Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.

Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.

Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.

Workaround:
There is no workaround at this time.


734269 : Difficulty in selection from large numbers of iRules for Virtual Server configuration

Component: TMOS

Symptoms:
Users who wish to select large numbers of iRules for an individual virtual server may find difficulty in locating and selecting iRules because of the relatively small size of the control on the page.

Conditions:
A user has a large number of iRules configured and wishes to select one or more iRules for an individual virtual server.

Impact:
A user may have difficulty finding their desired iRule(s).

Workaround:
iControl REST or TMSH


727288-3 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC

Component: Service Provider

Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.

Conditions:
Diameter Message Routing Framework (MRF) in use

Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).

Workaround:
Use an DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end server ID.


726983 : Inserting multi-line HTTP header not handled correctly

Component: Local Traffic Manager

Symptoms:
Using an iRule to insert an HTTP header that contains an embedded newline followed by whitespace is not parsed properly. It can result in the new header being incorrectly split into multiple headers.

Conditions:
iRule which adds a header containing embedded newline followed by whitespace:
    HTTP::header insert X-Multi "This is a\n multi-line header"

Impact:
New header does not get parsed properly, and its values are treated like new header values. In some cases the tmm may be restarted.

Workaround:
Ensure that the trailing whitespace text is not present (if not legitimately there). For manipulation of HTTP Cookie headers, use the HTTP::cookie API rather than directly via HTTP::header.


726734-1 : DAGv2 port lookup stringent may fail

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.

Conditions:
Active FTP with mirroring enabled.

Impact:
Connection cannot get established.

Workaround:
There is no workaround other than to disable mirroring.


726665-2 : tmm core dump due to SEGFAULT

Component: Policy Enforcement Manager

Symptoms:
tmm core dump due to SEGFAULT.

Conditions:
System under load in network. Other conditions required to recreate this are unknown, but indicated a potential memory-handling issue.

Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
None.


726412-2 : Virtual server drop down missing objects on pool creation

Component: Global Traffic Manager (DNS)

Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.

Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.

Impact:
Unable to add available virtual servers to pools.

Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.


726317-4 : Improved debugging output for mcpd

Component: TMOS

Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.

Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.

Impact:
None. Has no effect without log.mcpd.level set to debug.

Workaround:
None.


726232-2 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
    drop
    # discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


726058 : DHCP in forwarding mode decrements the received DHCP client side IP TTL prior to forwarding the packets towards the DHCP server

Component: Local Traffic Manager

Symptoms:
DHCP packet dropped by the DHCP relay agent after the BIG-IP system, if the DHCP clientside packet received by the BIG-IP system has a TTL of 1.

Conditions:
-- BIG-IP system configured as a DHCP forwarder.
-- DHCP client side packet received with a TTL of 1.

Impact:
Loss of DHCP service via the BIG-IP system.

Workaround:
To mitigate this issue, have the DHCP client send a DHCP request with an IP TTL greater than or equal to 2.


726011-2 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.


726001-1 : Rapid datagroup updates can cause type corruption

Component: Local Traffic Manager

Symptoms:
'invalid class type" error message in /var/log/ltm.

Conditions:
Using external datagroups and updating them before the previous update has finished, such as with:

-- Executing config-sync.

-- echo "create sys file data-group dg-test source-path file:///var/tmp/dg_test type string separator :=; create ltm data-group external dg-test external-file-name dg-test; modify sys file data-group dg-test source-path file:///var/tmp/dg_test" | tmsh -a

Impact:
iRule fails.

Workaround:
Ensure that changes to a datagroup are done processing (by looking for the 'finished' message in the LTM logs) before updating them again.


725985-1 : REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured

Component: TMOS

Symptoms:
REST API takes more than 20 seconds to complete the GET request when there are 1000+ virtual servers configured with the same SNAT-Pool.

Conditions:
-- A large number (1000+) of virtual servers.
-- Configured with the same SNAT pool.

Impact:
REST API takes more than 20 seconds to response to the GET request.

Workaround:
None.


724889 : BIG-IP VE in AWS does not failover NATs in same availability zone

Component: TMOS

Symptoms:
If BIG-IP Virtual Edition (VE) in AWS is configured with a traffic group to failover and its peer is in the same AWS availability zone, NAT objects will not fail over during high availability (HA) events.

Conditions:
-- BIG-IP VE running in AWS, configured to failover with a peer that's in the same availability zone.
-- NAT in the configuration.
-- Failover event occurs.

Impact:
The NAT object will not failover and the newly active system for the traffic group will not receive traffic for it.

Workaround:
None.


724746-1 : Incorrect RST message after 'reject' command

Component: Local Traffic Manager

Symptoms:
BIG-IP sends RST containing "Internal error in tcpproxy invalid state for repick" instead of correct "iRule execution (reject command)".

Conditions:
Virtual Server with a HTTP profile, and an iRule using 'reject' command.

Impact:
Investigating RST causes may be confusing.

Workaround:
There is no workaround at this time.


724706-1 : iControl REST statistics request causes CPU spike

Component: TMOS

Symptoms:
BIG-IQ makes iControl REST requests to BIG-IP systems to get statistics. Regardless of the page size setting, the request causes the CPU to spike to 100% utilization.

Conditions:
An iControl REST API request from a BIG-IQ device for a few stats for an object on a BIG-IP system.

Note: A request for a single statistic usually does not cause a spike.

Impact:
Frequent requests by BIG-IQ for stats causes repeated spikes.

Workaround:
None.


724679-2 : Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack

Component: Advanced Firewall Manager

Symptoms:
During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.

Conditions:
This occurs when the system detects a BadEndpoint attack.

Impact:
The system might log messages related to IP addresses that are not part of the attack. These IP addresses are not part of the attack and may be ignored.

Workaround:
None.


724556-2 : icrd_child spawns more than maximum allowed times (zombie processes)

Component: TMOS

Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.

Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.

Impact:
There are zombie icrd_child processes consuming memory.

Workaround:
Restart the system.


724214-3 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.


723988-2 : IKEv1 phase2 key length can be changed during SA negotiation

Component: TMOS

Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.

Conditions:
The value of the ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm, but differ in key length. For example, if the initiator picks AES128 when the responder expects AES256.

Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.

Workaround:
No workaround is known at this time.


723833-1 : IPsec related routing changes can misfire, like changing tunnel mode to interface mode

Component: TMOS

Symptoms:
IPsec config changes that rely upon interface mode tunnels, which are driven by routes with associated tunnel VLANs, can sometimes fail to pass traffic after a config change altering routes, or altering the number of tunnels involved.

Conditions:
- Changing tunnel mode to interface mode.
- Adding or removing routes for interface mode IPsec tunnels.
- Deleting an IPsec tunnel object.

Impact:
An IPsec tunnel outage may occur before a system restart, which looks like absence of proper routing config, but which is due to inconsistent update when changes affect routing used by IPsec tunnels in interface mode. In some cases, a tmm core can occur which interrupts service briefly until restarted.

Workaround:
Typically saving before bigstart restart gets routing config related to IPsec back into working order.


723658-1 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


723563 : Factory default reset procedure does not remove AGC deployments

Component: Guided Configuration

Symptoms:
BIG-IP software has a procedure to reset the configuration to factory defaults:
load sys config defaults

This command clears most of the BIG-IP configuration, but does not delete objects inside of the Access Guided Config (AGC) configuration database.

Conditions:
-- Configuration containing AGC deployments.
-- Use the following command to reset the configuration to factory defaults:
tmsh load sys config default

Impact:
Configurations made with AGC (iApps LX) are not removed. There is no particular functional impact, but these customization deployment objects remain on the system.

Workaround:
To work around this, use the following procedure:
1. Run the command 'load sys config default'.
2. Wait until the BIG-IP system has been reset.
3. Navigate to iApps :: Application Services :: Applications LX.
4. Use the GUI to delete all apps.


723553-1 : BIG-IP installations on RAID systems (old style) may not boot

Component: TMOS

Symptoms:
Kernel panic at boot time with specific message similar to the following:

mdadm: Devices UUID-<...> and UUID-<...> have the same name: /dev/md<X>.

Conditions:
-- System is a RAID platform, with an an earlier style RAID configuration such as the following:
   + 10000s / 10200v
   + 10050s / 10250v
   + 10055s / 10255v

-- System has been upgraded through v14.1.0 and then downgraded to v14.0.0 or earlier.

Note: For RAID platforms such as i15600 / i15800 and newer, this is not an issue.

Impact:
The downgraded v14.0.0 or earlier version does not boot.

Workaround:
To downgrade, boot and install the desired software version from external media.


723402-2 : Apmd crashes running command: tmsh restart sys service all

Component: Access Policy Manager

Symptoms:
Rarely occurring apmd crash.

Conditions:
-- APM is licensed and provisioned.
-- Running the command: tmsh restart sys service all.

Impact:
Apmd crashes and cenerates a core file. Traffic may be disrupted while apmd restarts.

Workaround:
None.


723306-3 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on different partition.


723095-2 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool

Component: Global Traffic Manager (DNS)

Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)

Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.

Impact:
Unable to add pool members quickly to all pools of the same type.

Workaround:
There is no workaround at this time.


722991-2 : 'dead.letter' file might appear in the /root directory

Component: Access Policy Manager

Symptoms:
In the /root directory, there is a file named 'dead.letter' containing the following:

  /etc/cron.daily/cleanup_sync_files:
  ls: cannot access /config/filestore/sync_file_request_d: No such file or directory.

Conditions:
cron is running.

Impact:
The file /root/dead.letter grows daily by 5 lines regarding missing sync_file_request_d directory.

Workaround:
To avoid output that triggers mail to the dead.mail file, do the following:

add '2> /dev/null' to the crontab daily script: /etc/cron.daily/cleanup_sync_files

- for file in `ls $path`
+ for file in `ls $path 2>/dev/null` # <-- the 2>/dev/null


722741-3 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.


722734-1 : 'No Access' error when viewing properties page of a GTM Pool member whose name includes a partition that does not exist on that BIG-IP system.

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system posts a 'No Access' error message instead of the GTM Pool member's properties.

Conditions:
-- At least two BIG-IP systems in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other, with a GTM Pool member on that partition.
-- The issue occurs when a GSLB Server discovers that GTM Pool member and displays it on its properties page.

Note: This same error message displays for GSLB Server's virtual server properties accessed by navigating to GSLB :: servers :: [server] :: virtual servers :: [virtual server]. The differing issues have been fixed in differing releases. You can find information about the similar issue in the AskF5 Bug Tracker article for 710032.

Impact:
It makes the GSLB pool member's properties page unavailable in this case.

Workaround:
Use either of the following workaroudns:
-- Use TMSH to view or edit the properties of that GTM Pool member.

-- Create partitions on the GTM device to match those appearing to be referenced in the object names.


722707-4 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall

Component: Local Traffic Manager

Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.

Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
2. Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.

Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).

Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).


722647-2 : The configuration of some of the Nokia alerts is incorrect

Component: TMOS

Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.

Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.

Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.

Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.


722534-3 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.


721806 : Traffic Policy edit to datagroup errors on adding ASM disable action

Component: TMOS

Symptoms:
Adding an ASM disable action triggers an error when the rule is submitted. The system posts a message similar to the following:

transaction failed:010716de:3: Policy '/Common/Drafts/TD180420-07', rule 'test'; target 'asm' action 'disable' does not support parameter of type 'policy'.

Conditions:
Using the GUI to submit a rule with a 'disable asm' action and a condition with datagroup configured.

Impact:
Cannot create a 'disable asm' action.

Workaround:
Create the rule using tmsh.


721610 : GUI does not show selfIP active firewall policies in non-0 route domains

Component: Advanced Firewall Manager

Symptoms:
Selecting a self-IP containing '%' does not filter the policy/rules.

Conditions:
This occurs when the following conditions are met:
-- Using the GUI.
-- Viewing active policies for a selfIP in a non-Common partition.
-- The self-IP is in RDx (where RD is route domain, and x is not 0 (zero), as designated by the percent (%) sign).

Impact:
Active Rules page do not show filtered policy/rules for a selected self-IP.

Workaround:
Use tmsh to find the policy attached to a given self-IP


721579-3 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing

Component: Carrier-Grade NAT

Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.

Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.

Impact:
lsndb shows misleading stats.

Workaround:
There is no workaround at this time.


721526-2 : tcpdump fails to write verbose packet data to file

Component: TMOS

Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').

Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.

This occurs on the following hardware:

-- BIG-IP 5000,7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.

Impact:
Cannot use tcpdump to write verbose packet data to file.

Workaround:
There is no workaround at this time.


721020-3 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.


720669-2 : Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.

Component: TMOS

Symptoms:
In some sections of the GUI, the 'MQTT-TLS' service port may be incorrectly reported as 'common.all.MQTT-TLS'.

Conditions:
This is currently known to happen in the 'Virtual Server List' screen when a virtual server is configured to listen on port 8883 (a.k.a. MQTT-TLS).

Impact:
None. The issue is cosmetic and has no effect on traffic.

Workaround:
None.


720610 : Updatecheck logs bogus 'Update Server unavailable' on every run

Component: TMOS

Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.

Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.

Impact:
Misleading messages in the log file, implying that the update server is not available.

Workaround:
None.


720581-2 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files

Component: Application Security Manager

Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.

Conditions:
Policy Merge is used to add an XML Policy that contains a schema file from one policy to another.

Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.

Workaround:
None.


720440-1 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.


720242 : GUI for AFM rules shows protocol value IPENCAP for rules under rule-list

Component: Advanced Firewall Manager

Symptoms:
When you set the protocol field to 'IPv4', it is displayed as 'IPENCAP' after saving.

Conditions:
This occurs only for rules under RuleList.

Impact:
Protocol value is displayed as 'IPENCAP' as opposed to 'IPv4'.

Workaround:
None.


720219 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.


720030-4 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.

Conditions:
APM end users using Kerberos SSO to access backend resources.

Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.

Workaround:
For BIG-IP software v12.x and later,

Edit the /etc/resolv.conf file to add an EDNS0 option.

There is no workaround if you are running a version earlier than 12.x.


719555 : Interface listed as 'disable' after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface


719304-2 : Inconsistent node ICMP monitor operation for IPv6 nodes

Component: Local Traffic Manager

Symptoms:
While running ping from different blades in a multi-blade environment, pings fail from blades that do not have the tmm that is responsible for pinging the node.

Conditions:
The blade that does not contain the owning tmm is responsible for the node monitors.

Impact:
The node will be incorrectly marked as being unavailable/down.

Workaround:
You can use the following workarounds:
-- Statically assign the NDP entries.
-- Set the route to a gateway that has a non-zero host portion in the address.


719300 : ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address

Component: Local Traffic Manager

Symptoms:
ICMP unreachable packets sent by a server may be received by a client with the BIG-IP system's MAC address as the source MAC address.

Conditions:
BIG-IP deployed in an L2 transparent mode using VLAN groups.

Impact:
May impact services on the client that rely on source MAC address of incoming packets.

Workaround:
None.


719246 : Tomcat process restarts and GUI hangs when trying to view large number of static ACL Group entries

Component: Access Policy Manager

Symptoms:
Tomcat process restarts and UI hangs. LTM logs show the following messages:

-- notice logger: /usr/bin/syscalld ==> /usr/bin/bigstart restart tomcat
-- warning bigstart: get_db failed for is_provisioned wam - returning not-provisioned.

Conditions:
1. Under System :: Preferences, set 'Records Per Screen' to 272 or larger.
2. Populate more than 272 ACLs.
3. Go to Access :: Access Control Lists : User-defined ACLs.
4. On the dropdown 'pages' menu for the returned results, select 'Show All'.

Impact:
GUI freeze.

Workaround:
You can use either of the following workarounds:

-- Under System :: Preferences, set 'Records Per Screen' to a value of 271 or lower.

-- Using tmsh, run the following command:
tmsh modify sys db ui.system.preferences.recordsperscreen value


719107-2 : Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.

Component: Policy Enforcement Manager

Symptoms:
If versions earlier than v13.1.0 have Subscriber Management diameter protocol message type CCA-T, their message type is not displayed on the command-line interface (CLI) and is incorrectly displayed as CCR-I in the GUI when upgraded to later versions.

Conditions:
-- Upgrade to v13.1.0 or later.
-- Configuration has Subscriber Management diameter protocol message type CCA-T.

Impact:
incorrectly displayed as CCR-I in the GUI.

Note: This configuration has no effect.

Workaround:
Delete the Subscriber Management diameter protocol message that has no message-type when viewed from CLI.


718867-2 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades

Component: Local Traffic Manager

Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.

Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround:
Reset the variable's custom value after upgrade.


718800-2 : Cannot set a password to the current value of its encrypted password

Component: TMOS

Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':

modify auth user <username> encrypted-password password

Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):

modify auth user <username> password password

Conditions:
Changing a password to the value of encrypted-password.

Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value doesnot work.

(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)

Workaround:
First, change the password to something else. Then, change it back to the correct value.


718796 : iControl REST token issue after upgrade

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.

Conditions:
Upgrading to version 13.1.0.x.

Impact:
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may loose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:
   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
      # bigstart restart restjavad.

   2) Update shared/authz/roles/iControl_REST_API_User userReference list to add repro user account using PUT:
      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Now, when you create a new user, the permissions should start in a healthy state.


718790-3 : Traffic does not forward to fallback host when all pool members are marked down

Component: Local Traffic Manager

Symptoms:
Traffic does not get forwarded to fallback hosts.

Conditions:
All the pool members are marked administrative down.

Impact:
Traffic does not get forwarded.

Workaround:
Pick a monitor working properly for the pool.


718602 : Old config snapshots do not time out on standby

Component: Access Policy Manager

Symptoms:
SessionDB does not time out config snapshots on standby devices. Therefore, those config snapshots stay around until failover. TMM memory exhaustion can happen if access profiles get updated frequently, and there is no failover in the interim. tmm crash

Conditions:
-- High availability (HA) configuration.
-- Old snapshots available on the system.
-- Update access profiles frequently.

Impact:
TMM memory exhaustion and potential crash. Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following:
-- Upgrade to v13.1.0 or later. Config snapshots are no longer created on the standby BIG-IP systems in these versions.

-- Force failover every few days (or as needed). When a standby device becomes active, SessionDB's timeout mechanism is activated, and the old config snapshots will be removed in 1 hour.


718232-2 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.


718033-1 : REST calls fail after installing BIG-IP software or changing admin passwords

Component: Device Management

Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.

Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.

Impact:
REST calls or GUI operations fail to work. Get errors on screen.

Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad


717397 : TMM restarted once, in response to an assertion that catches cache collisions.

Component: WebAccelerator

Symptoms:
TMM restarted once, in response to an assertion that catches cache collisions.

Conditions:
The specific mix of requests, responses, and configuration variables to cause this issue is unknown.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None known.


717174 : WebUI shows error: Error getting auth token from login provider

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavadt and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded


716952-2 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.

Component: Local Traffic Manager

Symptoms:
When TCP Nagle enabled, the data sent from server is handled by the SSL filter to offload data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to TCP4 filter. Because Nagle is enabled, this leaves the last offloaded packet 'stuck' in the TCP4 filter.

Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.

Impact:
The last data packet waits until all other packets have been ACKd.

Workaround:
None.


716701-1 : iControl REST: Unable to create Topology when STATE name contains space

Solution Article: K43005133

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use iControl REST to create topology records when whitespace exist in a STATE name.

Conditions:
STATE name contains a space (e.g., New Mexico).

Impact:
Unable to create a topology record using iControl REST.

Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.


716492-2 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Solution Article: K59332523

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
TSO packet length exceeds the rateshaper's configured max ceiling.

Impact:
The flow stalls. Subsequent flows cannot go to the rateshaper from that particular tmm.

Workaround:
If you are running BIG-IP software v12.1.3.2 (or later) or v13.1.0(.x), you can use the following workaround:

There is a sys db variable called 'rateshaper.cmpdivide', which is enabled by default. When enabled, the system internally divides the bandwidth (rate/ceiling/burst) between the available tmm cores. If this issue occurs, set 'rateshaper.cmpdivide' to enabled.

There is no workaround for other versions.


716324-2 : CSRF protection fails when the total size of the configured URL list is more than 2 KB

Component: Application Security Manager

Symptoms:
When the cross-site request forgery (CSRF) protection URL list is of a total size that is greater than 2 KB. As a result, CSRF injection fails.

Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.

Impact:
CSRF false-positive violation.

Workaround:
Use wildcards to minimize total CSRF URL size.


716167-1 : the value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bpq

Component: Local Traffic Manager

Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by $ tmsh show /net vlan all-properties -hidden.

Conditions:
This issue occurs on first-boot after upgrading to versions after
12.1.1 HF1.

Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on tmm_bp vlan and high cpu usage.
In some cases it would also cause packet loss.
From the config perspective, this issue has a few smaller impacts:
(a) fragmented packets on the tmm_bp interface if those packets have length greater than the actual MTU of this interface as given by the kernel with $ ip a list dev tmm_bp | egrep -i mtu or $ifconfig tmm_bp.
   (i) Note: This isn’t impactful to the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.
(b) the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bp .

(c) similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the Net::Vlan tmm_bp as given by $ tmsh show net vlan -hidden tmm_bp.


Paraphrasing: vlan tmm_bp MTU (as found in vlan.backplane.MTU) is not applied to the corresponding kernel interface.

Workaround:
A series of subsequent restarts rolls the correct setting through:
  # tmsh stop sys service all
  # tmsh start sys service all

To verify:
  # ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu


716166-4 : Dynamic routing not added when conflicting self IPs exist

Component: TMOS

Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.

Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.

Impact:
Propagation of the dynamic route to the kernel, TMM.

Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.


715379-1 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file

Component: TMOS

Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.

Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.

Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.

Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.


715331-1 : IKEv2 logs peers_id comparisons and cert verfication failures

Component: TMOS

Symptoms:
Insufficient information is logged when a certificate fails verification, or when ID_I in an IKE_AUTH request does not match configuration for peers_id in the ike-peer description.

Conditions:
When IKE_AUTH fails due to either certificate verification failure or mismatch of ID_I and peers_id.

Impact:
Hard to diagnose proximate cause of IKE negotiation failure during IKE_AUTH exchange.

Workaround:
There is no workaround at this time.


715323 : iControl SOAP attribute ssl_profile not supported for in-tmm https monitor

Component: Local Traffic Manager

Symptoms:
iControl SOAP cannot be used to modify the 'ssl_profile' attribute on an 'https' monitor when 'in-tmm' monitoring is enabled.

Conditions:
-- 'https' monitor is configured.
-- 'in-tmm' monitors are enabled.
-- Use iControl SOAP to set/get the 'ssl_profile' attribute for an 'https' monitor.

Impact:
'ssl_profile' attribute on an 'https' monitor cannot be modified through iControl SOAP.

Workaround:
You can use either of the following workarounds:

-- Use a different mechanism, such as through the GUI or tmsh, to modify the 'ssl_profile' attribute associated with an 'https' monitor.

-- Disable 'in-tmm' monitors.


715166 : IPS only works over UDP or TCP virtual server

Component: Protocol Inspection

Symptoms:
For Standard or FastL4 virtual, Protocol Inspection does notwork over SCTP/IPsec/Other protocols.

Conditions:
-- Standard virtual server with protocol configured as SCTP or IPsec.
-- Performance L4 virtual servers with protocol configured as Other.

Impact:
Protocol Inspection does not work.

Workaround:
Configure TCP/UDP virtual servers.


715115 : Application Security roles are not showing all accessible objects in GUI

Component: TMOS

Symptoms:
Not all configuration objects are exposed to users of type Application Security Administrator and Application Security Editor that are technically accessible by the user role.

Conditions:
-- Users exist with roles of Application Security Administrator and Application Security Editor.
-- Attempting to work with certain configuration objects.

Impact:
Users configured with these roles cannot view all object types using the GUI. Certain pages cannot be reached from the menu, as the software hides most of the configuration pages for these roles.

Workaround:
Users can use TMSH.


715088 : Changing WebSocket payload protocol profile from mqtt back to none causes TMM restart

Component: Local Traffic Manager

Symptoms:
When WebSocket profile's payload protocol profile configuration value is modified from 'mqtt' to 'None', TMM restarts once upon receiving traffic.

Conditions:
-- The WebSocket profile is attached to a virtual server.
-- Protocol profile configuration value is modified from 'mqtt' to 'None'.

Impact:
TMM restarts when traffic is processed by the virtual server to which the WebSocket profile is attached.

Workaround:
After changing WebSocket profile's payload protocol profile configuration value from 'mqtt' to 'None', issue the following command in BIG-IP system shell, before processing any traffic.

# bigstart restart tmm


715061-2 : vCMP: tmm core in guest when stopping vCMP guest from host

Component: TMOS

Symptoms:
A tmm core in the guest on the primary blade, not the secondary blade, after the guest is disabled on the hypervisor.

Conditions:
-- A cross-blade vCMP guest.
-- Guest is disabled on the hypervisor.

Impact:
Because the guest is in the process of being disabled, there is no impact on traffic, however, the core file may take up space on the guest on the primary blade.

Workaround:
To mitigate the disk problem, manually delete the core file.


714986-3 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1


714902-1 : Restjavad may hang if discover task fails and the interval is 0

Component: Access Policy Manager

Symptoms:
If a discover task fails because of a network issue, the system tries to run the task again at the next scheduled time. If the discover interval is set to 0, the system retries immediately, which may cause restjavad hang.

Conditions:
If a provider has configured discover interval 0 and the discover task failed because of network issues.

Impact:
The discover task tries to use a lot CPU when restjavad continuously retries the task.

Workaround:
Change the discover interval to 1 hour or more.


714507-2 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
    # tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1


714503-2 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl

Component: Local Traffic Manager

Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the .tcl extension. The system will do that for you.


714495-2 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"

Component: Local Traffic Manager

Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
Creating a new iRulesLX iRule in TMSH.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the '.tcl' extension.


714372-2 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.


714292-1 : Transparent forwarding mode across multiple VLAN groups or virtual-wire

Component: Local Traffic Manager

Symptoms:
This is a virtual-wire or vlan-group deployment scenario in which there is a BIG-IP system connecting two networks with more than one link. This scenario is referred as 'asymmetric deployment'. In this case. the outgoing packet does not have the correct VLAN configured.

Conditions:
-- Virtual-wire or vlan-group configured.
-- BIG-IP system is connecting two networks with more than one link.
-- There is more than one virtual-wire/vlan-group to handle the traffic across multiple links.
-- Packets belonging to a flow arrive on any link with a valid VLAN.

Impact:
The connectivity between the endpoints fails.

Workaround:
None.


714281-2 : NSH tunnel reject inner packet from other vendor

Component: TMOS

Symptoms:
NSH does not interoperate between BIG-IP systems and some external NSH vendors.

Conditions:
-- NSH tunnel.
-- The external NSH vendor cannot configure inner packet MAC destination.

Impact:
The BIG-IP system rejects the packet. Lost connectivity with some of the vendors.

Workaround:
To work around this limitation, you can do either of the following:

-- Use an external vendor that does support configuration of inner packet MAC destination.

-- Avoid use NSH for external vendors without such ability.


714216-2 : Folder in a partition may result in load sys config error

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current_partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current_partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.


714043-1 : NPAPI inspection host plugin does not work with latest epsec image on macOS

Component: Access Policy Manager

Symptoms:
NPAPI inspection host plugin on macOS does not work with the latest Endpoint Security (EPSEC) image because the policy server is bundled with individual applications and is not a part of OESIS package. There is no workaround at this time.

Conditions:
-- NPAPI plugin.
-- One of the recent EPSIC image 684.0, AV/FW endpoint inspection.
-- Safari web browser

Impact:
NPAPI plugin does not work.

Workaround:
There is no workaround at this time.


713708 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.


713585-3 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load could be very long and CPU usage very high.

Conditions:
There are many iRule and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax", this causes iRule validation to check iRule syntax only; the semantic checks will not be performed.


713519-2 : Enabling MCP Audit logging does not produce log entry for audit logging change

Component: TMOS

Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.

Conditions:
This occurs when enabling MCP audit logging.

Impact:
The audit logging change itself is not logged in the audit logs.

Workaround:
None.


713183-2 : Malformed JSON files may be present on vCMP host

Component: TMOS

Symptoms:
Malformed JSON files may be present on vCMP host.

Conditions:
All needed conditions are not yet defined.

- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.

Impact:
Some vCMP guests may not show up in the output of the command:
 tmsh show vcmp health

In addition, there might be files present named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
None.


713169 : License String 'ASM-VE' was not recognized by the UI in the policy rule page

Component: TMOS

Symptoms:
When a BIG-IP system is licensed with the license string that includes 'ASM-VE' instead of the standard 'ASM', the policy page does not recognize it and does not provide the 'Enable ASM' option.

Conditions:
BIG-IP system is licensed with the license string that includes 'ASM-VE' instead of the standard 'ASM'.

Impact:
The policy page does not recognize it and does not provide the 'Enable ASM' option.

Workaround:
Use TMSH to create policy.


713138-2 : TMUI ILX Editor inserts an unnecessary linefeed

Component: TMOS

Symptoms:
If you use the TMUI edit for ILX, the system will append a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.

A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.

Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).

Impact:
File contents can change unexpectedly and have needless characters at the end.

Workaround:
Use TMSH or a different editor, that is not TMUI, to change those files.


713134-2 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.


712919-1 : Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.

Component: Local Traffic Manager

Symptoms:
When an iRule is removed from a Virtual Server, especially one with explicitly specified high priority (with "priority" keyword), other iRules on the same Virtual Server may become "invisible" i.e. they are present but some of them are no longer executed. It may affect all the events or only certain types of them. Under certain conditions the defect may even disappear upon removing another iRule, particularly if it has low priority and handles the same event as the one which introduced the problem.

Conditions:
Removing an iRule from a Virtual Server.

Impact:
Some or all iRules on given Virtual Servers stop being executed.

Workaround:
Restart or reload the configuration. If removing iRules needs to be performed in run-time and it triggers the problem, it can be prevented by having any iRule (even an empty one) for the same event, as the iRule which is going to be removed, but with higher priority e.g. with attribute "priority 1".


712857-2 : SWG-Explicit rejects large POST bodies during policy evaluation

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.

The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.


712500-1 : Unhandled Query Action Drops Stat does not increment after transparent cache miss

Component: Global Traffic Manager (DNS)

Symptoms:
After a transparent cache miss, if the LTM DNS profile has Unhandled Query Action set to Drop, the request is dropped without incrementing the Unhandled Query Action Drops stat.

Conditions:
LTM DNS profile with a Transparent Cache and Unhandled Query Action set to Drop.

Impact:
Inaccurate statistics for the Unhandled Query Action Drops

Workaround:
None.


712489-2 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


712335-1 : GTMD may intermittently crash under unusual conditions.

Component: Global Traffic Manager (DNS)

Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.

Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.

Impact:
GTMD restarts.

Workaround:
There is no workaround at this time.


712241 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.


712033-2 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name

Component: TMOS

Symptoms:
When you make a REST request to association list in /stats you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
  "kind": "tm:ltm:pool:members:membersstats",
  "generation": 3,
  "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
  "entries": {
    "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {

Conditions:
When making a REST request to an object in /stats that is an association list.

Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.

Workaround:
None.


711907 : TMM may consume excessive resources when processing UDP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions BIG-IP systems may leak memory. Over time, the memory lost might affect performance/scalability as the unit approaches an out-of-memory condition.

Conditions:
UDP profile enabled
CLIENT_ACCEPTED iRule enabled

Impact:
Over time, this issue might lead to a BIG-IP system out-of-memory condition, which would require a TMM crash and failover event.


711818-3 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.


711056-2 : License check VPE expression fails when access profile name contains dots

Component: Access Policy Manager

Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:

-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.

-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"

Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.

Impact:
License check always fails, resulting in denied logon.

Workaround:
Use a different policy name without '.' characters.


710930-1 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail

Component: Local Traffic Manager

Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.

Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.

Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.

Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.


710809-2 : Restjavad hangs and causes GUI page timeouts

Component: Device Management

Symptoms:
Restjavad stops responding, causing GUI page timeouts.

Conditions:
The conditions behind this issue are not known.

Impact:
restjavad is active, but all endpoints are nonresponsive.

Workaround:
Restart restjavad.


710173 : TMSH dns-resolver allows route-domain from another partition

Component: TMOS

Symptoms:
User is able to modify a dns-resolver config object in the /Common partition such that TMSH accepts the route-domain name from another partition
Subsequent import of the BIG-IP LTM config into the BIG-IQ fails on this partition validation check.

Conditions:
Import LTM config into BIG-IQ

Impact:
Incorrect dns-resolver configuration and BIG-IQ import failure

Workaround:
N/A


710044-3 : Portal Access: same-origin AJAX request may fail in some case.

Component: Access Policy Manager

Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
It is possible to use iRule to remove default port number from encoded back-end host definition in Portal Access requests, for example:

when RULE_INIT {
  # hex-encoded string for 'https://some.com'
  set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is hex-encoded form for ':443'
  set ::pattern "/f5-w-${encoded_backend}3a343433\$"
  set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
  set ::remove_start [ expr {$::remove_end - 7} ]
}

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "$::pattern" } {
    set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
    HTTP::path "$path"
  }
}


709963-2 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.


709837-2 : Cookie persistence profile may be configured with invalid parameter combination.

Component: Local Traffic Manager

Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.

Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.

Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.

Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.


709559-2 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading configuration fails on upgrade

Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2

Impact:
The system won't be functional

Workaround:
Delete or rename "/Common/ssh"


709544-2 : VCMP guests in HA configuration become Active/Active during upgrade

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until upgrade is complete on all chassis in the DSC are finished. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.


709381 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.

Component: Local Traffic Manager

Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:

err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"

Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.

It should be noted this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.

Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.

Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.


708968-2 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.

Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.


708576-2 : Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour

Component: Application Security Manager

Symptoms:
Errors may be sent in system emails once an hour due to a runtime error in the dosl7d_tcpdumps_cleaner which is run in an hourly cron job.

Here is an example of such an email:

From: root (Cron Daemon)
To: root
Subject: Cron <root@servername> run-parts /etc/cron.hourly
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

/etc/cron.hourly/dosl7d_tcpdumps_cleaner:

Use of uninitialized value $s in division (/) at /etc/cron.hourly/dosl7d_tcpdumps_cleaner line 111.

Conditions:
- The administrator configures the BIG-IP system to deliver locally generated email messages, or the administrator checks local emails to root, on the BIG-IP.
- The hardware supports RAID, even if RAID is not configured.

Impact:
- Email messages with errors being sent once an hour.
- DoSL7 tcpdump files may not be automatically cleaned if used in the DoS profile.

Workaround:
None


708421-2 : DNS::question 'set' options are applied to packet, but not to already parsed dns_msg

Solution Article: K52142743

Component: Global Traffic Manager (DNS)

Symptoms:
For certain types of iRules, using the DNS command DNS::question for type AAAA, when the DNS transparent cache is involved in the filter, the type can be reverted.

Conditions:
-- DNS transparent cache.

-- Using an iRule similar to the following:
when DNS_REQUEST {
   DNS::question type AAAA
}

Impact:
When the packet goes to the pool, the type is reverted.

Workaround:
Enable gslb or dnsx on the profile.


708415-2 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.


707953-2 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish the difference in types of licenses.

Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).


707320-2 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs

Component: TMOS

Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and a IPv4 last-resort-pool will only spawn an A-type WideIP after the upgrade

Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.

Impact:
Loss of the AAAA-type WideIP configuration item

Workaround:
There is no workaround at this time.


706797-1 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly

Component: Access Policy Manager

Symptoms:
If JavaScript code contains multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, then this character is handled as NEW LINE by Portal Access server-side JavaScript parser. If NEW LINE is not valid in this place, JavaScript code cannot be parsed.

Conditions:
JavaScript code with multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, for example:

  //上 aa bb

(上) gives (4E 0A) in UTF32 form. So this line is processed as the following TWO lines:

  //
  aa bb

The second line is not a valid JavaScript code.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.


706703-1 : TMM crashes when changing virtual server's profile to fastL4 profiles while traffic flows

Component: TMOS

Symptoms:
TMM crashes and creates core file when changing virtual server's profile from non-fastL4 to fastL4 profiles on-the-fly with traffic flowing.

Conditions:
Change the profile of the virtual server to fastL4 profiles while traffic is flowing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't change the virtual server's profile while traffic is flowing.


706505-2 : iRule table lookup command may crash tmm when used in FLOW_INIT

Component: Local Traffic Manager

Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.

Conditions:
iRule table lookup command is used in FLOW_INIT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use table lookup in the events after the flow is constructed.


706501 : VCMP guest, tmm continues to restart on Cavium Nitrox PX platform

Component: Local Traffic Manager

Symptoms:
TMM continues to restart on vCMP guest.
/var/log/tmm shows:
<13> Feb 1 00:00:30 slot1/hostname notice ** SIGSEGV **
<13> Feb 1 00:00:30 slot1/hostname notice fault addr: 0x1d8
<13> Feb 1 00:00:30 slot1/hostname notice fault code: 0x1
.
.
.

Conditions:
-- Using the following platforms:
  + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 11xxx.
  + VIPRION 42xx/43xx and B21xx blades.
-- Configure vCMP host and guest.

System has Common Criteria or FIPS mode enabled.

Impact:
vCMP guest can't become active.

Workaround:
There is no workaround.


706374-4 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption

Component: Access Policy Manager

Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.

Workaround:
There is no workaround.


705730-1 : Config fails to load due to invalid SSL cipher after upgrade from v13.1.0

Component: TMOS

Symptoms:
Config with apparently invalid SSL cipher entry fails to load after upgrade from v13.1.0, and requires a manual config load after upgrade: 'tmsh load sys config'

This occurs because starting in v13.1.0, 'https' monitors rely upon SSL-attributes configured through a 'serverssl' profile, which does not support the 'kEDH' cipher; but the 'kEDH' cipher was a default cipher for previous releases (where 'https' relied upon 'OpenSSL').

Conditions:
-- Config uses 'https' monitors.
-- Upgrade occurs from v13.1.0 to a later version.

Impact:
The configuration fails to load, an error message is issued, and the device remains offline until a manual config load is performed.

Workaround:
You can use either of the following workarounds:

-- After upgrade from v13.1.0, perform manual config load by running the following command: tmsh load sys config

(This works because upon a manual config load command ('tmsh load sys config'), the system replaces the existing 'https' ciphers with defaults appropriate for a 'serverssl' profile in the new version of the software. Even though the system posts an error referencing the invalid 'kEDH' cipher, the device will become 'Active' seconds later, and new default ciphers will be established for 'https' monitors.)

-- Remove 'https' monitors prior to upgrade, and add again after upgrade.


705661-1 : Virtual server in a non-default partition cannot select protocol inspection profile in the /Common partition

Component: Protocol Inspection

Symptoms:
Virtual server in a non-default partition is not able to select protocol inspection profile in the /Common partition. The system posts messages similar to the following:
01070726:3: Virtual Server /internal/vs-internalvs in partition internal cannot be referenced by Protocol Inspection Profile /Common/protocol_inspection in partition Common

Conditions:
-- Create a partition.
-- Create a virtual server in that partition.
-- Try and associate an IPS profile from /Common partition to the created virtual server.

Impact:
Cannot associate the profile.

Workaround:
None.


705651-1 : Async transaction may ignore polling requests

Component: TMOS

Symptoms:
Querying for the status of an asynchronous transaction by making a GET request may cause the query to block. The transaction will complete, even though the query may return an error status (400) to indicate that the GET request timed out.

Conditions:
A typical asynchronous transaction that returns a 202 status to indicate that you successfully created a transaction.

Impact:
The query returns an error.

Workaround:
To avoid having the query request block, refrain from querying the transaction for status.


705387 : HTTP/2, ALPN and SSL

Component: Local Traffic Manager

Symptoms:
The SSL filter will not always add the ALPN extension.

Conditions:
If the negotiated cipher is not HTTP/2 compliant, the SSL filter may not add the ALPN extension.

Impact:
The failure to add the ALPN extension may result in the failure to negotiate the proper protocol.

Workaround:
There is no workaround at this time.


705112-2 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent doesn't have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.


705037-2 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.


704546 : Symlinks may be corrupted by upgrade

Component: TMOS

Symptoms:
In rare cases after a software version upgrade, a corrupted symbolic link that points to a nonexistent file may exist. Processes that try to use the file will fail, often generating the message 'No such file or directory'.

Conditions:
Happens after an upgrade.

This rarely encountered issue occurs when the symlink points to an absolute path (/a/b/c/d) rather than a relative one (if you are in /a/b, then the target would be c/d).

Impact:
A symlink is broken, but it depends on whether the symlink is necessary to BIG-IP operation as to whether a problem will be immediately apparent.

Workaround:
If creating a symlink is necessary, use a relative path rather than an absolute one.

If this condition is found, use the following command to rebuild the symlink:

ln -fs <target> <symlink_name>


704524-4 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.


704450-3 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.


704198-3 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance

Solution Article: K29403988

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.

Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.

Impact:
There is an leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.

Workaround:
Impact of workaround: Might change the primary slot.

Restart services using the following command:
# bigstart restart


703984-7 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.

Conditions:
MacOS APM client using Machine Certificate Check agent.

Impact:
Hostname match may be incorrect in these cases.

Workaround:
There is no workaround at this time.


703509-2 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.


703225 : DoS Visibility does not support display of more than 500 attacks and/or virtual servers

Component: Application Visibility and Reporting

Symptoms:
If there are more than 500 Attacks or Virtual Servers in the system at a given time, DoS Visibility is unable to consistently show all relevant data. The reasons are both technical and due to performance considerations.

This applies to the attacks chart and table, and the virtuals table in the center of the dashboard page. This does not apply to the dimension widgets on the right side.

Conditions:
More than 500 Virtual Servers exist, or/and more than 500 DoS Attacks are logged during the selected time period.

Impact:
Not all attacks/virtuals are displayed on the DoS Visibility overview page.

Workaround:
Zoom into a shorter time period, or use filters to limit the amount of displayed data. Once number of attacks and virtuals are under 500, data should be correct.


703196-5 : Reports for AVR are missing data

Component: Application Visibility and Reporting

Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.

Conditions:
Using AVR statistics.

Impact:
Expected AVR statistics may be missing.

Workaround:
Run the following shell command on BIG-IP:

sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql


703090-4 : With many iApps configured, scriptd may fail to start

Component: TMOS

Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:

"script has exceeded its time to live, terminating the script"

Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.

Impact:
The error message will show up, and some instances of the script will not run.

Workaround:
Restarting scriptd will resolve the issue.


702413-1 : TCP handshake rejected if SYN cookies attack is detected

Component: Advanced Firewall Manager

Symptoms:
TCP handshake rejected if SYN cookies attack is detected on platforms with some multiple HSB devices and BIG-IP Virtual Edition (VE) environments.

Conditions:
Enable syncookie protection in LTM global setting, and start SYN flood attacks.

Impact:
Regular traffic gets reset because of handshake failures.

Workaround:
Turn off syncookie protection.


702310-1 : The ':l' and ':h' options are not available on the tmm interface in tcpdump

Component: TMOS

Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.

Conditions:
Running tcpdump.

Impact:
Packet capture on the tmm interface from the Linux side or the host side of tmm interface is not possible.

Workaround:
There is no workaround at this time.


702296-1 : Importing the LocalDB csv file fails after editing with Microsoft Excel

Component: Access Policy Manager

Symptoms:
Using the Excel sheet to edit and save the LocalDB CSV breaks the Import functionality.

Conditions:
Admin Exports the LocalDB CSV file ( Access->Authentication->Local User DB->Users -> Export to CSV)
Admin edits the file using Excel Sheet and saves it
Admin Imports the CSV file

Impact:
File saved using Excel Sheet cannot be used for Import

Workaround:
Dont use excel sheet to edit the file.
Use a simple text editor (like Textpad , vim) to edit and save the file.


701977-1 : Non-URL encoded links to CSS files are not stripped from the response during concatenation

Component: WebAccelerator

Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.

Conditions:
White space in the URLs.

Impact:
As above.

Workaround:
No workaround at this time.


701722-1 : Potential mcpd memory leak for signed iRules

Component: TMOS

Symptoms:
There is an MCP memory leak that occurs when th message "Signature encryption failed" is seen in /var/log/ltm.

Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.

Impact:
MCP leak memory.

Workaround:
Resolve the signature encryption issue.


701680-2 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Component: Service Provider

Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.

Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate-limited is applied.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
There is no workaround at this time.


701555-1 : DNS Security Logs report Drop action for unhandled rejected DNS queries

Component: Advanced Firewall Manager

Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.

Conditions:
DNS profile set unhandled-query-action reject.

Impact:
Incorrect event log. This is an incorrectly logged event and doe not indicate an issue with the system

Workaround:
None.


701529-1 : Configuration may not load or not accept vlan or tunnel names as "default" or "all"

Component: TMOS

Symptoms:
As a result of a known issue, configurations containing vlan or tunnels named "default" or "all" are no longer accepted.

Conditions:
Attempting to configure this will result in a log message similar to the following:

root@(f5-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel default profile ppp
01070712:3: Cannot create tunnel 'default' in rd1 - ioctl failed: Invalid argument

Impact:
A configuration that contained this in earlier versions and upgraded to the affected version will fail to load.

Workaround:
Change or rename all instances of vlans and/or tunnels named "default" or "all"


701341-1 : If /config/BigDB.dat is empty, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system will fail to start up, and mcpd will continually restart.

Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)


701232-2 : Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation

Component: Global Traffic Manager (DNS)

Symptoms:
Two GTM devices that have the same local IP address are not able to establish an iQuery connection, even when a translated address is configured.

Conditions:
This condition may occur if two GTM servers have the same self IP address on separate networks that are attempting to use address translation to establish a connection.

Impact:
When one or more GTM devices attempt to establish an iQuery connection to another device, it actually establishes a connection with itself instead of the other device.

Workaround:
To resolve the issue,
1. Configure the devices to have different self IP addresses.
2. Change the addresses and translated addresses of the corresponding GTM servers to match the new configuration using the following example command:
tmsh modify gtm server <server_name> addresses ...


701025-2 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value

Component: Application Security Manager

Symptoms:
BD restarts with this error:
    Plugin configuration load timeout. Exiting.

Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.

Impact:
BD restarts continuously.

Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.

-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------

-- Set the bd internal parameter num_rw_threads to the amount of plugin channels that TMM expects.

-- Revert 'provision.tmmcountactual' sys db to the default value.


700897-1 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG

Component: TMOS

Symptoms:
sod consumes excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.

Conditions:
When the number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.

Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.

Workaround:
There is no workaround at this time.


700794-1 : Cannot replace a FIPS key with another FIPS key via tmsh

Component: TMOS

Symptoms:
If you try to replace an existing FIPS key using "tmsh install sys crypto key" the command fails with "is already FIPS". This can also occur when issuing the commands via the REST API.

Conditions:
If a FIPS key already created/installed via tmsh, it can not be replaced or overwritten via "tmsh install sys crypto" command.

Impact:
Fail to overwrite a FIPS key with another FIPS key via tmsh


700035-5 : /var/log/avr/monpd.disk.provision not rotate

Component: Application Visibility and Reporting

Symptoms:
the log file may fill-up /var partition

Conditions:
there is no special condition for this issue - if the log is big it won't rotate

Impact:
the log file may fill-up /var partition

Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision


699898-2 : Wrong policy version time in policy created after synchronization between active and stand by machines.

Component: Application Security Manager

Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.

Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.

Impact:
Policy version timestamp on standby system is not synchronized properly.

Workaround:
Run full synchronization again from active system to the group.


699758 : Intermittent connection resets are seen in HTTP/2 gateway when HTTP/2 preface is sent to server

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection in gateway scenario is reset when HTTP/2 preface makes it to the server instead of being consumed by the BIG-IP system. The backend connection to the server in gateway scenario is an HTTP/1 connection. The connection is reset when HTTP/2 preface is sent on the backend connection instead of being consumed by the BIG-IP system.

Conditions:
HTTP/2 gateway is configured.

Impact:
HTTP/2 connection reset is seen.

Workaround:
None.


699209-1 : API errors can prevent access to login history in Configuration Utility

Component: TMOS

Symptoms:
Accessing the login history pages at System :: Logins, results in an error message similar to the following: Can't create temp directory, /var/system/tmp/tmsh/xxxxx, errno 13] Permission denied. The login history is not shown.

Conditions:
Accessing the login history pages at System :: Logins to view the login history.

Impact:
Cannot access login history in the Configuration Utility.

Workaround:
None at this time.


699076-1 : URI::path iRules command warns end and start values equal

Component: Local Traffic Manager

Symptoms:
URI::path iRules command warns end and start values equal

Conditions:
The end and start values equal

Impact:
Warning message shows in console.

Workaround:
Ignore the warning.


698991-1 : CPU utilization on i850 is not a reliable indicator of system capacity

Solution Article: K64258832

Component: TMOS

Symptoms:
Unlike previous platforms, the i850 may report between 50-70% CPU utilization when at full capacity. The specific number is workload dependent, and therefore should not be used as an indicator of system headroom for sizing purposes.

Conditions:
Running BIG-IP software on an i850.

Impact:
Confusion of actual capacity usage.

Workaround:
Refer to the BIG-IP stats and published capabilities to determine utilized capacity under a specific workload.


698933-1 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.

Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.


698836-2 : Increased APM session capacity is not available after installing an APM session count License

Component: Access Policy Manager

Symptoms:
Unable to use extra capacity after installing an APM add-on license with a larger session count.

Conditions:
This occurs when the add-on License generated lacks the mod_apm license, meaning that no full APM license was previously installed, only the APM Light license (which constrains connections to a 10-session maximum).

To determine whether this condition exists, check the bigip.license file, or execute the following command: tmsh show sys license details. If only mod_apml is present and session counts are higher than 10, then the system is in the condition that triggers the problem.

Impact:
Unable to use extra session capability; can use only the 10-session maximum provided by the APM Light license.

Workaround:
Contact your F5 sales representative to get the correct APM add-on license with mod_apm, as well as the additional session count capability.


698619-2 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This triggers a FDB flush and can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.


698432-2 : Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
Loading a UCS in a vCMP guest which was taken from a different guest or a hardware device can produce the following error messages:

warning mcpd[5953]: 012a0004:4: halStorageRead: unable to read storage on this platform.
warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

This is a cosmetic issue that occurs when the encrypted master key on a VCMP guest cannot be decrypted with the unit key of that system. This most often occurs when a UCS taken on a different guest is loaded.

Conditions:
Taking a UCS from one vCMP guest or hardware device and loading it onto a different vCMP guest.

Note: F5 does not support this configuration.

Impact:
Although there is no adverse effect on the system, error messages will be logged.

Workaround:
None.


698420-1 : SSL handshake fails for some servers if their root certificates are not in the configured CA bundle

Component: Local Traffic Manager

Symptoms:
SSL code builds the chain only until it can find the first trust anchor. However, the OCSP and CRL code builds the chain all the way up to the root. In a case where the intermediate cert was found, but the root was not found in the CA bundle, the cert chain building fails and the handshake will be aborted.

Conditions:
Forward Proxy and OCSP are enabled on a serverssl profile

Impact:
SSL handshake fails for some servers if their root certificates are not in the configured CA bundle.

Workaround:
Upgrade the ca bundle used to configure 'Trusted Certificate Authorities' on ServerSSL profile to include the root certificate for the server.


698361-1 : The ASM-FPS fingerprint is not presented in dashboard

Component: Application Security Manager

Symptoms:
The fingerprint is not presented in dashboard.

Conditions:
An iRule selects the FPS profile (by using ANTIFRAUD::enable).

Impact:
No fingerprint presented. Missing reporting.

Workaround:
None.


698307-1 : Datasafe: Fingerprinting code runs, but is not needed.

Component: Fraud Protection Services

Symptoms:
When both datasafe and fingerprint are enabled, fingerprint collection code will be unnecessarily run on the clientside. The results of this collection are not used.

Conditions:
Both datasafe and fingerprint are enabled.

Impact:
Extra resources requested from the BIG-IP system by the client.

Workaround:
To turn off fingerprint, use the following syntax:

tmsh modify security anti-fraud profile <PROFILE_NAME> { fingerprint { collect disabled} }


698222-1 : Added RX latency with ixlv devices on VE after host reboot

Component: TMOS

Symptoms:
Received frames may be delivered in groups of four leading to added latency.

Conditions:
BIG-IP VE using a ixlv virtual function (Intel X710/XL710/XXV710 NIC with SR-IOV) on the very first attach after a reboot of the underlying compute host (hypervisor). Packets will appear to arrive in groups of 4 to virtual servers and selfips via tmm.

Impact:
This will impact production traffic as extra latency will be introduced to incoming traffic before the tmm can process it.

Workaround:
Restart tmm or reboot the guest at least once after starting it following a reboot of the physical compute host on which it runs.


698211-1 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Solution Article: K35504512

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
Delete a wildcard resource record to the related DNS express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.


698085 : Transparent mode VLAN group may not work on vCMP guests

Component: TMOS

Symptoms:
Traffic not being passed through.

Conditions:
-- vCMP guest with server-side and client-side VLANs mapped on the host to the vCMP guest.
-- VLAN group configured in transparent mode and attached to the VLANs configured on the vCMP guest.
-- VLAN group configured to bridge all traffic.
-- Host configured on client side and on server side host, with corresponding VLANs attached.
-- Self IP addresses configured in the same subnet on client, vCMP guest, and server.
-- Send traffic from client to server or vice-versa.

Impact:
No traffic flow between client and server under this configuration.

Workaround:
None.


698034-1 : PKCS12 file imported via Configuration utility into folder is placed at partition root

Component: TMOS

Symptoms:
When importing a certificate (cert) using the GUI Configuration utility, you can specify a partition folder, and the system imports the cert into that partition folder. However, specifying a partition folder when importing a PKCS12 cert imports it to the root partition folder, Common.

Conditions:
Login to GUI:
 - Navigate to:
System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.

 - Click Import:
Select 'PKCS'.

 - Give the cert a name:
sync_group/pk12gui

Impact:
PKCS12 files imported using the GUI Configuration utility are placed at root partition folder, Common, rather than the partition folder.

Workaround:
You can use either workaround:
-- Once the PKCS12 file has been imported, export the cert and key, and then re-import into the partition folder.

-- Import PKCS12 file using TMSH.


698013-1 : TACACS+ system auth and file descriptors leak

Solution Article: K27216452

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.

Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.


695109-1 : Changes to fallback persistence profiles attached to a Virtual server are not effective

Solution Article: K15047377

Component: Local Traffic Manager

Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.

Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.

Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.

Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.


694934-1 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.


694697-1 : clusterd logs heartbeat check messages at log level info

Solution Article: K62065305

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice.


693901-4 : Active FTP data connection may change source port on client-side

Component: Local Traffic Manager

Symptoms:
The active FTP data connection on the client-side may use source port other than what was configured in the 'Data Port' parameter of the FTP profile.

Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.

Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.

Workaround:
None.


693582-1 : Monitor node log not rotated for certain monitor types

Component: Local Traffic Manager

Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.

Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member, and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
- external

Impact:
Depending on the affected BIG-IP version in use, effects may include the following symptoms:

1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).

2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).

3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.

Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).

-- If symptom #1 occurs, Monitor Logging can be re-enabled after log rotation has occurred.

-- To address symptoms #2 or #3, Monitor Logging can be re-enabled immediately.

For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors :: https://support.f5.com/csp/article/K12531.


693563-1 : No warning when LDAP is configured with SSL but with a client certificate with no matching key

Solution Article: K22942093

Component: TMOS

Symptoms:
When LDAP auth is configured with SSL:

- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.

Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.

Impact:
LDAP auth fails. There is no warning that the auth failed.

Workaround:
Configure a key that matches the specified client certificate.


693206 : iSeries LCD screen is frozen on a red spinning 'please wait' indicator

Component: TMOS

Symptoms:
There are conditions where the LCD looks frozen on a red spinning 'please wait' indicator. Known conditions include: power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Conditions:
This occurs during power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Impact:
iSeries LCD screen is frozen on a red spinning 'please wait' indicator. At this point the LCD screen is not usable until it is reset.

Workaround:
Using a command line prompt, from either the front panel management port or serial port, issue the following IPMI commands to reset the LCD module:

ipmiutil cmd 00 20 e8 29 5 1
ipmiutil cmd 00 20 e8 29 5 0


692371 : Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log

Component: TMOS

Symptoms:
Unexpected warnings in the LTM log indicating Octeon, Nitrox, and/or Super IO recovery happening in BIOS.

Messages appear similar to the following:
-- warning chmand[5972]: 012a0004:4: Nitrox recoveries: 1
-- warning chmand[5972]: 012a0004:4: Octeon recoveries: 1
-- warning chmand[6018]: 012a0004:4: Host CPU subsystem power-off event caused by Super IO

Conditions:
-- Currently released BIOS with error recovery enabled.
-- VIPRION B2150 and B2250 blades.

Impact:
There is no functional impact to the system. The BIOS shipping with the VIPRION B2150 and B2250 blades configures the PCIe interfaces in such an order that BIOS recovery may have to take over. These messages are generated as BIOS error recovery is implemented to correct the PCIe interfaces configuration issues after which the system will boot normally. These messages are then benign.

Workaround:
These are benign messages in the LTM and shows that BIOS error recovery is working. The messages may be ignored.


692172-1 : rewrite profile causes "No available pool member" failures when connection limit reached

Component: TMOS

Symptoms:
ltm rewrite profile (with mode uri-translation) can cause connections on ltm forwarding virtual server to be terminated with reason "No available pool member".

Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.

Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.

Workaround:
An iRule which selects default pool on HTTP_REQUEST:

when HTTP_REQUEST priority 1000 {
    pool [LB::server pool]
}


692165-1 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.


691749-1 : Delete sys connection operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.

Conditions:
Include delete sys connection operations in TMSH transactions.

Impact:
TMSH freezes up and transactions do not complete.

Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.


691706-5 : HTTP2/SPDY profile can cause orphaned connections

Component: Local Traffic Manager

Symptoms:
When tearing down a HTTP2 connection, which is composed of a clientside HTTP2 connection and 'n' serverside HTTP1.1 connections, the system might leave a subset of the 'n' serverside HTTP1.1 connection behind. Those left behind connections are still referencing the clientside PCB, which might result in a crash should they ever be expired, e.g., due to an AFM firewall policy change triggering the sweeper.

Conditions:
-- HTTP2 leaves serverside connections behind.
-- AFM firewall policy change occurs that triggers the sweeper.

Impact:
Orphaned connections might result in various behaviors, from a small memory leak to a tmm restart, which has the possibility of disrupting traffic.

Workaround:
None.


691571 : tmsh show sys software doesn't show the correct HF version

Component: TMOS

Symptoms:
tmsh show sys software does not show the correct hotfix version. Instead, it shows the base 12.1.2 release, not the 12.1.2 HF1 hotfix version. However, selecting it boots the correct version. At the login prompt, in /VERSION and in tmsh show sys version the correct hotfix version is shown.

Conditions:
Using tmsh command: tmsh show sys software

Impact:
Hotfix version is not correct.

Workaround:
At the login prompt, using /VERSION or using tmsh show sys version, the correct hotfix version will be shown.


691367-1 : Attack-destination for a DoS vector was not predicting right thresholds in some cases

Component: Advanced Firewall Manager

Symptoms:
When attack-destination is enabled for a vector, then thresholds predicted by attack-destination (bad dest ip) were not correct in some cases.

Conditions:
It can occur when attack-destination is enabled for a DoS vector in a config.

Impact:
Some times wrong threshold values could be predicted for the DoS vector if attack-destination is enabled.

Workaround:
There is no workaround at this time.


691338-3 : Using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes

Component: Carrier-Grade NAT

Symptoms:
When redirecting the traffic by using iRule 'virtual <virtual_server>' on a PBA or DNAT LSN pool associated virtual server, the system resets the connection and logs errors similar to the following:

err tmm2[19158]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/session1_pool) mode PBA on interface _loopback
err tmm2[19158]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/dnat_pool) mode DNAT on interface _loopback

This occurs because using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes.

Conditions:
-- LSN pool is configured in either PBA or DNAT mode.
-- An iRule redirects traffic to a different virtual server.

Impact:
Connections fail using this iRule.

Workaround:
To work around this issue, configure the lsn-pools with NAPT mode.


691196-1 : one Cisco NEXUS switch and 2 BIG-IP WCCP web caches do not work together

Component: Anomaly Detection Services

Symptoms:
The one Cisco CATALIST switch and 2 BIG-IP WCCP works perfect.
The one Cisco NEXUSswitch and 2 BIG-IP WCCP does not work together.
The difference is in the "WCCP Message Type: 2.0 I see you (11)" generated by NEXUS router.

Existing code did not support offset (expect "Number of elements" always equal 0) as CATALIST and other switches set.
But NEXUS use this element and it produce some offset in frames.

As result BIG-IP can't understand it for case 1 NEXUS and two (or more) BIG-IP's

This point is badly described in WCCP draft and investigation was based on WireShark dissector.

Conditions:
1 NEXUS and two (or more) BIG-IP's have interability problem

Impact:
1 NEXUS and two (or more) BIG-IP's can't work together.

Workaround:
avoid such configuration.


691171-1 : static and dynamically learned blackhole route from ZebOS cannot be deleted

Component: TMOS

Symptoms:
-- Static route added via IMISH can not be deleted.
-- Dynamically learned blackhole route can not be unlearned.

Conditions:
- Dynamic routing enabled.
- Added static route via IMISH or learning blackhole route via dynamic routing.

Impact:
Unintended route remains.

Workaround:
Restart tmrouted.


690928 : System posts error message: 01010054:3: tmrouted connection closed

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.


690699-2 : Fragmented SSL handshake messages cause Proxy SSL handshake to fail

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system uses Proxy-SSL mode, and the virtual server receives a fragmented SSL handshake message, SSL handshake might fail.

Conditions:
1. BIG-IP (VIP) uses Proxy-SSL mode.

2. The BIG-IP system receives a fragmented SSL handshake message (this is especially common when the certificate message is larger than 16 KB, which requires it to be fragmented).

Impact:
If the system receives SSL Fragmented SSL handshake message, SSL handshake is rejected.

Workaround:
The only workaround is to trim down the list of acceptable client CAs advertised in the CertificateRequest message.(specifically, use client certificate chains that are smaller than 16 KB).


690259 : Benign message 'keymgmtd started' is reported at log-level alert.

Component: TMOS

Symptoms:
Whenever keymgmtd starts, a benign message reporting that keymgmtd has started is reported in ltm logs at log-level alert: alert keymgmtd[7853]: 01a40000:1: keymgmtd started.

Note: The keymgmtd daemon provides CA-bundle management functionality.

Conditions:
Whenever keymgmtd starts.

Impact:
No functional impact. This is a benign message that you can safely ignore.

Workaround:
None.


689982-3 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.


689614-1 : If DNS is not configured and management proxy is setup correctly, Webroot database fails to download

Component: Traffic Classification Engine

Symptoms:
If DNS is not configured and management proxy is setup correctly, Webroot database fails to download and cloud lookup fails as well.

Conditions:
DNS is not configured and management proxy is setup.

Impact:
Webroot database download & cloud lookup fails.

Workaround:
There is no workaround at this time.


689567-1 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.


689361-1 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.


689147 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.


688833-3 : Inconsistent XFF field in ASM log depending violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.

Conditions:
Viewing the XFF results in ASM log.

Impact:
This might cause problems with the syslog filters configured on the remote loggers.

Workaround:
Put in the rules that the client is using both 'xff ip' and 'xff_ip'.


688335-5 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>


688266-5 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager (DNS)

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.


688231 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.


688140-2 : Forward Proxy SSL server side may send a wrong SNI extension when the client does not send one

Component: Local Traffic Manager

Symptoms:
Forward Proxy SSL at server side may send a wrong SNI extension when the client does not send one in its Client Hello message.

Conditions:
Forward Proxy SSL when the client does not send SNI extension in ClientHello, the server side will send a wrong SNI extension in its ClientHello.

Impact:
The server side of the proxy will use a wrong SNI in SSL handshake.

Workaround:
There is no workaround.


688046-2 : Change condition and expression for Protocol Lookup agent expression builder

Component: Access Policy Manager

Symptoms:
Protocol lookup agent shows the incorrect condition and expression in the expression builder when included in the per-request policy.

Conditions:
This occurs when the protocol lookup agent is used in the expression builder for branching.

Impact:
Cannot follow successful branch in per-request policy.

Workaround:
To work around this issue:
1. Include Protocol lookup agent in the expression builder.
2. Click the 'change' link right next to the existing expression.
3. Go to the Advanced tab and change the expression to one of the following (depending on whether you are using HTTPS or HTTP):
-- "expr { [mcget {perflow.protocol_lookup.result}] == "https" }"
-- "expr { [mcget {perflow.protocol_lookup.result}] == "http" }"
4. Click Finished.


687887-1 : Unexpected result from multiple changes to a monitor-related object in a single transaction

Component: Local Traffic Manager

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').


687617-1 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when they are set to "none" in configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
request-option specify the minimal set of configuration that DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It's better to set it to a minimal value like "routers, subnet-mask" in order to have management connectivity.


687213-3 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED

Component: Access Policy Manager

Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish VPN tunnel.

Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.

Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.

Workaround:
None.


687115-2 : SNMP performance can be impacted by a long list of allowed-addresses

Component: TMOS

Symptoms:
If the SNMP configuration includes a long list of allowed-addresses in the configuration then it can impact SNMP performance.

Conditions:
-- The SNMP daemon consults a system file to determine whether a request can be serviced.

-- There is a long list of allowed addresses in the configuration.

Impact:
Potentially slow SNMP response.

Workaround:
Make the list of allowed addresses be the minimum set of your clients.


687044-3 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.


686996-1 : TMM core under heavy load with PEM

Component: TMOS

Symptoms:
An internal race condition when deleting stale PEM data may cause a TMM core due to a use after free.

Conditions:
PEM policies configured. The crash is more likely with CGNAT / FWNAT configured and after a CMP state change such as after a blade failure.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
none


686816-1 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.


686763-1 : asm_start is consuming too much memory

Component: Application Security Manager

Symptoms:
asm_start is consuming too much memory.

Conditions:
Roll forward a device with a large ASM configuration.

Impact:
Increase memory pressure on the device.

Workaround:
Run the following command: restart asm


686563-1 : WMI monitor on invalid node never transitions to DOWN

Component: Local Traffic Manager

Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes timeout or monitor responses indicate an error. However, an WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).

Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.

Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.

Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.


686547-1 : WMI monitor sends logging data for credentials when no credentials specified

Component: Local Traffic Manager

Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.

Conditions:
A WMI monitor is configured without including the required username/password credentials.

Impact:
The monitored object will be marked 'down'.

Workaround:
Configure the WMI monitor to include the username/password credentials.


686500-1 : Adding user defined signature on device with many policies is very slow

Component: Application Security Manager

Symptoms:
Adding or modifying a user-defined signature on a device with many policies is very slow.

Conditions:
The user adds or modifies a user-defined signature.

Impact:
The process takes a long time.


686422-1 : URI reported in alert may not contain the actual traffic URI

Component: Fraud Protection Services

Symptoms:
URI reported in alert may not contain the actual traffic URI.

Conditions:
The alert was triggered for a wildcard-configured URL.

Impact:
Request URI is not reported correctly. The reported URI will contain the configured URL instead of traffic URL. For example:
-- A configured URL: /*.
-- Traffic URI: /a/b/c?n=v.
-- Reported URI: /*.
-- Reported URI should be traffic URI: /a/b/c?n=v.

Workaround:
None.


686282-2 : APMD intermittently crash when processing access policies

Component: Access Policy Manager

Symptoms:
APMD process may crash intermittently (rare) when processing access policies.

Conditions:
This rarely encountered issue occurs when any one of the following conditions exist:

-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.

Impact:
APM end users cannot pass access policy, cannot login.

Workaround:
None.


686101-1 : Creating a pool with a new node always assigns the partition of the pool to that node.

Solution Article: K73346501

Component: Local Traffic Manager

Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }

Conditions:
Creating a node while creating a pool in a partition different from the node.

Impact:
The node is displayed in the wrong partition.

Workaround:
Create a node separately and then add it to the pool.


686059-2 : FDB entries for existing VLANs may be flushed when creating a new VLAN.

Component: Local Traffic Manager

Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.

Conditions:
- Creating a new VLAN with existing VLANs using trunk members. - STP is enabled on its trunk member.

Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.

Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.


685888-1 : OAuth client stores incorrectly escaped JSON values in session variables

Component: Access Policy Manager

Symptoms:
1) The slash (/) is double escaped (\\/). The slash is common in URLs.
2) Unicode escaped characters (\uXXXX) are not correctly un-escaped into UTF-8 characters, ends up unrecognizable.

Conditions:
Occurs in 13.1 and earlier releases when OAuth servers response in JSON, such as the OIDC User Info.

Impact:
APM applications who read JSON node session variables may not get the correct values.

Workaround:
1) For double escaped slash, workaround is like,
session.oauth.client.last.UserInfo.picture = return [string map {{\\/} /} [ mcget {session.oauth.client.last.UserInfo.picture} ]]

2) For incorrect UTF-8 characters, there is no workaround.


685820-3 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not

Component: Advanced Firewall Manager

Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.

In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections were always silently dropped after HA-failover.

Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.

Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.

Workaround:
None.


685233-1 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
 tmctl -d /var/tmstat/blade.


684399-1 : Connectivity profiles GUI shows (Not Licensed) when LTM base is presented

Component: Access Policy Manager

Symptoms:
In APM, the connectivity profile GUI shows the following message when LTM base is presented: (Not Licensed)

Conditions:
LTM and APM are provisioned.

Impact:
GUI shows FEC profile as not licensed. You can still choose and configure the FEC profile, and the profile works as expected. This is a cosmetic issue, and is not indicative of a functional problem.

Workaround:
This message is spurious, and you can safely ignore it.


684369-2 : AFM ACL Rule Policy applied on Standby device

Solution Article: K35423171

Component: Advanced Firewall Manager

Symptoms:
In a Active/Standby setup, with a Virtual Server configured to Mirror Connection State, the Standby Device is aware of the state of connections. The Standby device apart from maintaining the state of connections, need not apply ACL policy to the mirrored connections.

But in a specific case where a ACL Policy happens to have Rule with Schedules attached, the Standby happens to apply policy on mirrored connections, which also generates ACL rule hit logs.

Conditions:
1) Active/Standby device setup.
2) Virtual Server with Connection Mirroring enabled.
3) ACL Policy with a Rule having a Schedule attached, and during periods of transition when a Schedule may cause a Rule to be enforced or expired.

Impact:
Does not impact handling of traffic.

Generation of ACL Rule hit logs from Standby is unexpected, and is not desirable.

Workaround:
Objective:
- Disable sweeper applying ACL policy on Standby device.
- Sys DB tunable must disable only on Standby device. Because sys db settings are auto-sync'd to Active device as well, you must do so using the following procedure.
 
Steps to Apply Sys DB setting only on Standby device:
1. Turn off auto-sync for the device-group.
2. Apply settings just before Rule Schedule expiry on Standby device.
3. Wait till Rule Schedule change takes effect.
4. Revert the settings to normal, and enable auto-sync again.


TMSH Command Sequence:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable" <<<< Set this to 'disable'
 }

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync disabled

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify sys db tm.sweeper.flow.acl value disable

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "disable"
 }

On Active, it's still 'enable':

root@(BIG-IP-secondary)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable"
 }

Enable auto-sync again:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync enable

Might have to issue this run command if the device is reported as 'requiring sync'.

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # run cm config-sync to-group <device-group-for-failover>


684096-2 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats

Impact:
incorrect self-link returned

Workaround:
be mindful when parsing the self-link


683767-1 : Users are not able to complete the sync using GUI

Component: TMOS

Symptoms:
A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1)

The above is expected as unit B is unable to validate the config for unit A. Incremental sync adds and removes configuration on unit A, hence the error.

Conditions:
1.Units A and B in HA with manual incremental sync, unit B is active.
2.On unit B add a pool with a member having IP address matching the self IP of unit A. Then delete it.
3.create ltm pool p1 members add { 1.1.2.1:80 }
4.delete ltm pool p1
5.Try config-sync (using GUI). You will end up with a Sync Failed message:
  A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1

Impact:
Users are not able to complete the sync using GUI

Workaround:
using tmsh to force a full sync


683706-3 : Pool member status remains 'checking' when manually forced down at creation

Component: TMOS

Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.

Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.

Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.


683598-1 : Redeployment of SAML-SP app fails if HTTP-header-based SSO is configured

Component: Access Policy Manager

Symptoms:
Redeployment of SAML-SP app fails, and the app enters an error state.

Conditions:
-- Redeployment of SAML-SP app.
-- HTTP-header-based SSO is configured.

Impact:
Redeployment fails; new configuration objects are not created.

Workaround:
Undeploy the app and then deploy it again.


683061-1 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using external datagroup, rapidly creating updating and then deleting it.

Impact:
TMM fails

Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.


682751-7 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
keytab is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.


682273-1 : Connection rate limit on a pool member can be exceeded

Component: Local Traffic Manager

Symptoms:
The connection rate-limit to a pool member can exceeded.

Conditions:
When a virtual is configured with UDP, FastL4, and pva acceleration is enabled.

Impact:
The connection rate limit on the pool member can be exceeded.

Workaround:
Disable pva acceleration using the following command:
"tmsh modify sys db pva.acceleration value none".


682209 : Per Request Access Policy subroutine performance down by about 7%

Component: Performance

Symptoms:
The performance of the per-request access policy with subroutines, even an empty one (in->out) is down by about 7%.

Conditions:
All of the following must be true for this issue to be exposed.
1) APM is provisioned.
2) An APM profile is attached to the virtual server.
3) A Per-Request access policy containing a subroutine is attached to the virtual server.

Impact:
Maximum RADIUS TPS is degraded (~7%).

Workaround:
No workaround at this time.


681836 : Portal Access: JavaScript code may be corrupted in debug mode

Component: Access Policy Manager

Symptoms:
Sometimes Portal Access corrupts JavaScript code if it is running in debug mode.

Conditions:
- Portal Access in debug mode (i.e., with debug log setting).
- JavaScript code.

Impact:
Web application may not work correctly.

Workaround:
Disable debug logging mode for Portal Access.


681814-1 : Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded

Component: Local Traffic Manager

Symptoms:
Changes to a cipher group, even indirect changes such as changing an underlying cipher rule, will not be propagated to the SSL profiles until the configuration is reloaded.

Conditions:
-- An SSL profile is using cipher groups (instead of the cipher string).
-- Some changes are made to that group.

Impact:
The available ciphers on an SSL profile might not be as expected.

Workaround:
You can use either of the following workarounds:

-- Always reload the configuration after changing a cipher group.
-- Use the existing cipher string mechanism instead.


681352-1 : Performance of a client certificate validation with OCSP agent is degraded

Component: Access Policy Manager

Symptoms:
Performance is being degraded for OCSP agent. This can lead to Access Policy performance degradation if there are no more heavy agents configured.

Conditions:
OCSP agent is configured in an Access Policy.

Impact:
Fewer logons processed per second by the access policy that contains OCSP agent configured.

Workaround:
There is no workaround at this time.


680855 : Safari 11 sometimes start more than one session

Component: Access Policy Manager

Symptoms:
In Safari 11 after session is finished and being restarted by "Click here to establish a new session" more than one session appears. It looks like Safari 11 beta and release bug.

Conditions:
Safari 11 beta and official release
Policy with webtop
Several passes from start to finish

Impact:
At certain point browser is reaching max sessions per IP and hangs on webtop.

Workaround:
Don't use Safari 11 for now


680680-1 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
in BIG-IP version 10.x, the POP3 monitor sent STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a huge amount of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).


679901-1 : iControl-REST timeout value is not configurable.

Component: TMOS

Symptoms:
Updating a large (75 KB or more records) data-group results in errors. This occurs because the communication between icrd_child and restjavad times out, and consequently the system raises errors. The timeout is set to approximately 60 seconds.

Conditions:
Using iControl REST to update a data-group that contains 75 KB or more records.

Impact:
The operation times out and there is no way to configure the iControl REST timeout value.

Workaround:
None.


679735-3 : Multidomain SSO infinite redirects from session ID parameters

Component: Access Policy Manager

Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.

In a packet capture, the policy completes on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server cannot find the session, and redirects back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.

Conditions:
Application with URL paramater containing 'sid', 'sess', or 'S' while using multidomain SSO.

Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.

Workaround:
None.


679722-1 : Configuration sync failure involving self IP references

Component: Advanced Firewall Manager

Symptoms:
Configuration sync fails, generating an error similar to the following:

Caught configuration exception (0), Values (self-IP) specified for self IP (<name>): foreign key index (fw_enforced_policy_FK) do not point at an item that exists in the database..

Conditions:
-- There is another object, such as a firewall policy, that references a self IP address.
-- The self IP address is non-syncable; that is, its traffic group is set to 'traffic-group-local-only'.

Impact:
Sync operation fails.

Workaround:
Set the self IP address' traffic group to a value other than 'traffic-group-local-only', and then force a full load push from the first device.


679687-1 : LTM Policy applied to large number of virtual servers causes mcpd restart

Component: Local Traffic Manager

Symptoms:
When a large policy (on the order of several dozen rules), is applied to a large number of virtual servers (on the order of hundreds), the mcpd process compiles the policy to an optimized, intermediate form for each virtual server. The compilation occurs in the mcpd process, and because it becomes so busy/non-responsive, a watchdog process intervenes and restarts the mcpd process.

Conditions:
-- Relatively large policy (~30 or more rules) applied to large number of virtual servers (~100 or more).
-- Creating a draft of the policy that is currently applied to those virtual servers, when a similarly attached policy is published.

Impact:
The mcpd process becomes unresponsive and is reset by a watchdog process.

Workaround:
Two possible workarounds:
-- Make copies of the policy and apply a different copy of policy to different subsets of virtual servers.
-- Implement the policy using iRules.


679431-1 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module the 'sh ipv6 interface <interface> brief' command does not show header

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief


679316-5 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).

This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.

Workaround:
There is no workaround at this time.


677322-1 : PCP Inbound connections logging is not supported

Component: Advanced Firewall Manager

Symptoms:
PCP inbound connections logs are not generated even if logging is enabled under NAT Policy and LTM.

Conditions:
Configure PCP inbound in AFM Source translation object and attach it to a NAT Policy. configure logging in NAT Policy.

Impact:
Logs are not generated.

Workaround:
No Workaround.


677066-1 : Dynamic signatures are incorrectly removed from configuration after loading saved ucs

Component: Advanced Firewall Manager

Symptoms:
Dynamic signatures (part of L4 BDoS) are incorrectly removed from the configuration after loading a saved UCS.

Conditions:
-- Existing dynamic signatures are saved as part of UCS configuration.
-- Later, the configuration is restored from the saved UCS.

Impact:
Any existing dynamic signatures that also exist in the UCS will be removed from the system when the configuration is loaded from the saved UCS.

Workaround:
None.


676709-3 : Diameter virtual server has different behavior of connection-prime when persistence is on/off

Solution Article: K37604585

Component: Service Provider

Symptoms:
When using an Diameter MBLB profile with per-AVP persistence enabled and connection priming enabled, not all pool members may have a connection established as part of priming.

Conditions:
-- Diameter MBLB profile.
-- Per-AVP persistence enabled.
-- Connection priming enabled.

Impact:
It is possible that not all pool members will have a connection established as part of priming.

Workaround:
None.


676599-1 : SAML IdP connectors created by SAML IdP automation are not deleted automatically when the metadata is updated such that the corresponding entityDescriptors are removed.

Component: Access Policy Manager

Symptoms:
SAML IdP connectors created by SAML IdP automation are not deleted automatically when the metadata is updated such that the corresponding EntityDescriptors are removed.

Conditions:
1. Create a SAML IdP Connector Automation object pointing to a metadata file with multiple EntityDescriptors.
2. Wait for the timer(frequency) to expire. The automation would have created one IdP connector object per EntityDescriptor in the metadata file.
3. Now, update the metadata file by removing one or some of the EntityDescriptors.
4. Notice that when the timer expires after this update, the previously created IdP connectors (whose EntityDescriptors have been deleted from the metadata file) still exist.

Impact:
SAML IdP connector objects created by SAML IdP automation continue to exist even after the corresponding EntityDescriptors have been deleted from the metadata file.

Workaround:
Delete the IdP connector objects manually.


676557-1 : Binary data marshalled to TCL may be converted to UTF8

Component: Local Traffic Manager

Symptoms:
Binary data marshalled out of some iRule commands may be mistakenly converted to UTF8.

Conditions:
Unspecified commands return raw binary data (instead of strings). These commands may have their output incorrectly converted to UTF8. This will corrupt the binary data.

Impact:
Data corruption in some iRule commands

Workaround:
None.


676463-1 : Having two SAML IdP metadata automation objects that point to the same metadata and different SP results in 'join fail' of the IdP connector with SP object.

Component: Access Policy Manager

Symptoms:
If two SAML IdP metadata automation objects are created both pointing to the same metadata file but different SP, the first object whose timer goes off creates the IdP connector. The association with SAML SP is also successful.

However, the second object whose timer goes off later, reports the following errors related to IdP connector-SP association:

-- association result result { result_code 16908342 result_message "01020036:3: The requested AAA SAML server SAML IDP connector.
-- (/Common/Testing_code /Common/meta1_over_http_original_TWO_cert_bfb602549f9cee02e2bdb90947c884ca) was not found." }.

Conditions:
1. Create 2 SAML IdP metadata automation objects that both point to the same metadata file and different SP.

2. Wait for one automation object's timer to expire.

3. Verify that the IdP connector object is created and that the IdP connector-SP join is successful.

4. When the next automation object's timer expires, note that the IdP connector-SP association fails.

Impact:
The IdP connector-SP association is not successful for the automation object whose timer expires later.

Workaround:
Manually bind the IdP connector to the SP object related to the second IdP metadata automation.


676107-1 : With admin account disabled, user cannot use token-based authentication

Component: Device Management

Symptoms:
To allow special characters in usernames when using remote authentication providers (LDAP, Radius, etc.) there are additional iControl REST calls during the login process to detect the authentication source type. Since there is no system account on the BIG-IP system, the operation uses the hardcoded admin account to perform that function. If the admin account is disabled, this fails, so the user cannot use token-based authentication.

Conditions:
-- admin account is disabled.
-- Remote authentication configured.
-- Logging on using iControl.

(Disabling the admin account might occur as a result of following the instructions in K15632: Disabling the admin and root accounts using the Configuration utility or tmsh :: https://support.f5.com/csp/article/K15632).

Impact:
Cannot use token-based authentication.

Workaround:
There is no workaround other than not disabling the admin user account.


675911-4 : Dashboard CPU history file may contain incorrect values

Solution Article: K13272442

Component: Local Traffic Manager

Symptoms:
Values such as 33%, 66% and 99% may appear in the CSV file exported from the dashboard utility

Conditions:
htsplit is enabled.

Impact:
CPU history in exported CSV file does not match actual CPU usage.

Workaround:
You can obtain CPU history through various other means.
One way is to use the sar utility:

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.


675367-2 : The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication

Solution Article: K95393925

Component: Local Traffic Manager

Symptoms:
The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication.

Conditions:
An IMAP and POP3 monitor is configured and the server returns GSSAPI as an available authentication mechanism.

Impact:
The monitor fails and marks the server down, even when it might be available.

Workaround:
If possible, use one of the following workarounds:

-- Turn off GSSAPI authentication on the mail server.
-- Use an alternate monitor type.


675298-2 : F5 MIB value types changed to become RFC compliant

Component: TMOS

Symptoms:
In BIG-IP Version 12.1.2 several F5 MIB variables changed from 64-bit counter types to 32-bit gauge types. This change was made to make the MIBs RFC compliant. In a mixed environment, where some BIG-IPs are running 11.x and some running 12.x this can cause problems with the management station. If the management station cannot load MIBs dependent upon BIG-IP version then those variables can cause errors to be reported on the management station due to type mismatch.

Conditions:
An environment where a management station is managing BIG-IP systems with a mix of version 11.x and 12.x. The station may import a MIB version whose types do not match the MIBs on the BIG-IP system with regards to the type changes made in version 12.x.

Impact:
The management station reports errors due to type mismatch for some variables.

Workaround:
None.


675143-1 : The SAML IdP metadata automation periodic update of metadata file that has Certificate may cause 'Apply Access Policy' to show up even if no changes to the IdP connector object are made.

Component: Access Policy Manager

Symptoms:
On creating a SAML IdP metadata automation object with a metadata file that has Certificate, an IdP connector object is created and associated with SP object after the first timer expiry. If the SP is attached to an Access Policy, 'Apply Access Policy' shows up as expected.

Next, if the metadata file in the automaton object changes such that no IdP connector object fields are impacted, 'Apply Access Policy' still shows up after next timer expiry. This is confusing because it should not show up when there is no update made to the IdP connector object or its association with SP object.

Conditions:
1. Create a SAML IdP connector automation object pointing to a metadata file that has Certificate, and the SP object is attached to an Access Policy.

2. Wait for the timer to expire the first time.

3. Make sure that the IdP connector object is created from the above metadata and associated to the SP object. Click on 'Apply Access Policy'.

4. Before the next timer event, change some field in the metadata that should not cause any update in the IdP connector object created above.

5. Next time the timer expires, notice that 'Apply Access Policy' still shows up, even though no IdP connector field was updated.

Impact:
'Apply Access Policy' shows up when there was no update to the IdP connector or the SP-IdP connector join, which is misleading.

Workaround:
None.


674795-2 : tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.

Component: Traffic Classification Engine

Symptoms:
tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds. In fact, it is in hours.

Conditions:
-- Viewing tmsh help/man page.
-- Searching for urldb feedlist polling interval.

Impact:
Note that the interval described is in hours instead of seconds.

Workaround:
None.


673952-3 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.


673826-1 : Some FTP log messages may not be logged to /var/log/ltm

Component: Carrier-Grade NAT

Symptoms:
Some FTP log messages may not be logged to /var/log/ltm

Conditions:
Virtual with FTP profile is configured

Impact:
Some FTP_SETUP/FTP_TEARDOWN and FTP_DATA_SETUP/FTP_DATA_TEARDOWN logs may not be logged to /var/log/ltm.

Workaround:
Use remote HSL logging


673811-1 : After an upgrade, IPsec tunnels may fail to start

Component: TMOS

Symptoms:
After an upgrade, the post-upgrade ipsec-policy or ike-peer configuration may be different from the pre-upgrade version.

Conditions:
-- ipsec-policy or ike-peer uses default setting(s).
-- The BIG-IP software is upgraded.

Impact:
After an upgrade, tunnels may fail to establish or establish using a stronger cipher set.

Workaround:
After upgrade, set the configuration objects to the required values.


673357-3 : SWG puts flow in intercept mode when session is not found

Component: Access Policy Manager

Symptoms:
In SWG, flows that should be getting bypassed are placed in intercept mode.

Conditions:
This occurs when the per-request policy receives an https request and a session is not established.

Impact:
In some cases, the client sees certificate warning.

Workaround:
If the access policy is "start->allow"; following iRule can be used for workaround:

when CLIENT_ACCEPTED {
        if { [ACCESS::session exists] } {
            log local0. "Found Access Session"
            log local0. [ACCESS::session exists]
        } else {
          set sid [ACCESS::session create -lifetime 300 -timeout 300 -flow]
          log local0. "No Access Session found, creating $sid"
          ACCESS::session data set session.ui.mode "0"
          ACCESS::session data set session.policy.result "allow"
        }
}


672491-5 : net resolver uses internal IP as source if matching wildcard forwarding virtual server

Solution Article: K10990182

Component: Global Traffic Manager (DNS)

Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.

Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.

Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.

Impact:
Failed DNS queries as a result of incorrect source IP address.

Workaround:
None.


671741-3 : LCD on iSeries devices can lock at red 'loading' screen.

Component: TMOS

Symptoms:
There are cases when TMOS is under stress conditions that the LCD on iSeries devices can lock at red 'loading' screen.

Conditions:
-- iSeries platforms.
-- Device under stress.

Impact:
LCD on iSeries devices can lock at red 'loading' screen. Appliance power cycle is required to correct the error.

Workaround:
None. You must power cycle the device to correct the condition.


670994-3 : There is no validation for IP address on the ip-address-list for static subscriber

Component: Policy Enforcement Manager

Symptoms:
You can add IP address for a static subscriber with a subnet mask, and the system creates a subscriber by discarding the subnet mask without any error message.

Conditions:
This occurs when you add a ip address with a subnet mask to the ip address list for a static subscriber.

Impact:
An invalid ip address is added without warning or error.


669645-3 : tmm crashes after LSN pool member change

Component: Carrier-Grade NAT

Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.

Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.

Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.

Workaround:
Recommend to change LSN pool members during a maintainence window with low traffic or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.


667779-1 : iRule commands may cause the TMM to crash in very rare situations.

Component: Local Traffic Manager

Symptoms:
A TMM crash may occur in very rare situations.

Conditions:
A Tcl iRule command is used.

Impact:
A TMM Core. Traffic disrupted while tmm restarts.

Workaround:
None.


667700-1 : Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed

Component: Policy Enforcement Manager

Symptoms:
PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed. So User cannot create PEM rule with web sense classification filters from Web UI.

Conditions:
Creation of PEM rule with classification filter from Web UI

Impact:
None. User can update the configuration from TMSH.

Workaround:
Use TMSH to add websense classification filter to a PEM rule.


667618-1 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: TMOS

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection will continue to be unsupported until the machine exit hardware SYN cookies.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Note that if no good traffic hits the virtual server, syncookies will also fail to deactivate, but will do so once both good traffic has been seen, and the attack has ended.

Workaround:
There is no workaround at this time.


667414-1 : JSON learning of parameters in WebSocket context is not working

Component: Application Security Manager

Symptoms:
When a JSON parameter arrives in WebSocket, it is not sent to policy builder, and thus is not learned.

Conditions:
1. WebSocket traffic contains JSON data.
2. In the JSON profile, parse parameter is enabled.

Impact:
JSON parameter arriving in WebSocket is not learned.

Workaround:
None.


666378-3 : A virtual server's connections per second (precision.last_value) is confusingly named.

Component: Local Traffic Manager

Symptoms:
A virtual server's current connections-per-second statistic has a confusing name. The statistic is maintained when rate limiting is configured for a virtual server. The statistic is updated when the virtual hits a rate-limiting condition, and it stays at the last value it held when the limit was hit.

Conditions:
If the rate limit is never configured then the value is 0. If the rate limit is configured and is hit, then the value is the active count when the limit was hit. The value stays at that count until the limit is hit again.

Impact:
There is no functional impact, but the statistic's meaning is confusing.

Workaround:
The MIB description should clarify the meaning of this statistic.


664017-9 : OCSP may reject valid responses

Component: TMOS

Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:

OCSP response: got EOF

Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.

Impact:
Valid OCSP responses may be rejected.

Workaround:
None.


663946-4 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Component: Advanced Firewall Manager

Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.


663925-1 : Virtual server state not updated with pool- or node-based connection limiting

Component: Local Traffic Manager

Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.

Conditions:
The connection count reaches the configured connection limit.

Impact:
Virtual server is not automatically disabled when connection limit is reached and does not return from the unavailable state after connections decrease.

Workaround:
None.


662308 : BD core

Component: Application Security Manager

Symptoms:
BD process crashes and produces a core file; traffic disturbance.

Conditions:
BD threads access the data structure, and in a rare circumstance, one thread touches while the other is processing data.

Note: This issue very timing sensitive to occur so it is unlikely to occur in normal operating conditions.

Impact:
Memory corruption on one of the internal data structures. Traffic disrupted while bd restarts.

Workaround:
None.


660913-4 : For ActiveSync client type, browscap info provided is incorrect.

Component: Access Policy Manager

Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.

Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.

Impact:
Clients using ActiveSync cannot authenticate.

Workaround:
None.


660759-3 : Cookie hash persistence sends alerts to application server.

Component: Fraud Protection Services

Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.

Conditions:
-- Persistence profile in their virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.

(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)

Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.

Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:

ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
    
    #enable the usual persistence cookie profile.

    if { [HTTP::path] eq "/<alert-path>/" } {
        persist none
    }
}
}


658716-1 : MCPd SIGSEGV in boost::checked_delete

Component: TMOS

Symptoms:
MCPd SIGSEGV during tear down of DSC connections. System logs messages similar to the following to /var/log/ltm:
 warning mcpd[4822]: 01071aea:4: CMI heartbeat timer expired, status: 192.168.254.253.

Conditions:
During tear down of DSC connections, a heartbeat operation may be attempted on an already deleted connection.

Impact:
MCPd will be restarted, possibly resulting in other daemons restarting as well.

Workaround:
There is no workaround at this time.


657912-3 : PIM can be configured to use a floating self IP address

Component: TMOS

Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.

Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.

Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.

Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.


657834-6 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Solution Article: K45005512

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.

Note: The greater the number of routes flapping, the more likely to see the condition.

Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.

However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


655383-3 : Failure to extend database continues to execute rather than halting because of fragmented state.

Component: Local Traffic Manager

Symptoms:
Rarely occurring failure to extend database results in operations continuing to execute rather than halting because of fragmented state. Various behavior might occur, for example: unexpected traffic to disabled pool members, intermittent updated cert usage, receipt of messages such as 'MCP message handling failed' or 'Memory allocation failed: can't allocate memory to extend db size', and others.

Conditions:
TMM heap is fragmented such that memory allocation fails when extending the database.

Impact:
Operations continues to execute rather than halting, as might be expected. The system might report a variety of unexpected log messages and/or behaviors due to subsequent inconsistent state.

Note: This is an extremely rare condition that occurs only when TMM is left in an inconsistent state. Although it is possible that this might eventually lead to bad behavior downstream, the event itself does not cause memory issues.

Workaround:
None.


653210-1 : Rare resets during the login process

Component: Access Policy Manager

Symptoms:
On rare occasions, the login process resets and a NULL sresult message will be logged in /var/log/apm:

-- notice tmm[18397]: 01490505:5: /Common/ltm-apm_main_irules:Common:448568c9: Get license - Unexpected NULL session reply. Resetting connection.

Conditions:
A race condition allows license information to be processed out of order.

Impact:
The system resets the client connection attempt. The APM end user client must retry the login process.

Workaround:
Have the APM end user client retry the login operation.


652793-1 : "Signature Update Available" message is not cleared by UCS load/sync

Component: Application Security Manager

Symptoms:
If the most recent Signature Update was loaded by device group sync or UCS load, the "Signature Update Available" message is never cleared out.

Conditions:
ASM provisioned and "Signature Update Available" was indicated prior to loading the most recent Signature Update by device group sync or UCS load.

Impact:
The "Signature Update Available" message is never cleared out.

Workaround:
Restart ASM, or kill asmcrond ("pkill -f asmcrond").


651169-1 : The Dashboard does not show an alert when a power supply is unplugged

Component: Advanced Firewall Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.


649682-1 : 'list cm device build' data is not synchronized correctly across a device trust group

Component: TMOS

Symptoms:
The output of 'tmsh list /cm device' shows different version/build numbers for different devices, although all devices in the device-group are running the same software version.

Conditions:
Running the following command to view build information on multiple devices: tmsh list /cm device.

Impact:
The output reports different version/build numbers for different devices, although all devices in the device-group are running the same software version. Shows different/misleading build information about hotfix/engineering hotfix status across the trust.

Note: This information is displayed in the UI Device Management :: Devices screen.

Workaround:
There is no workaround at this time.


649275-1 : RSASSA-PSS client certificates support in Client SSL

Component: Local Traffic Manager

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through 13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version from BIG-IP v11.6.0 through 13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
None.


648917 : Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform

Component: TMOS

Symptoms:
With vCMP provisioned, upgrading to 13.1.x or later release will not enable IOMMU support after the upgrade.

Conditions:
-- Upgrading to 13.1.x or later.
-- vCMP already provisioned.
-- Running on the BIG-IP 10350F platform.

Impact:
Guests configured with FIPS functionality will fail to start until IOMMU is enabled.

Workaround:
You can use either of the following workarounds:

-- Re-provision vCMP after the upgrade to enable IOMMU support.

1. Modify the value of the DB variable kernel.iommu to 'enable'.
2. Restart the BIG-IP system.


648621-5 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.

Impact:
The multi-homing connections won't be expired.

Workaround:
Don't manually deleted the multi-homing connections.


648270-3 : mcpd can crash if viewing a fast-growing log file through the GUI

Component: TMOS

Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.

Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.

Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.


647590-1 : Apmd crashes with segmentation fault when trying to load access policy

Component: Access Policy Manager

Symptoms:
Rarely, apmd restarts when trying to re-load an access policy.

Conditions:
This occurs when some of the policy items are modified while apmd is trying to re-load the access policy.

Impact:
The apmd process restarts.

Workaround:
None.


646440-3 : TMSH allows mirror for persistence even when no mirroring configuration exists

Component: Local Traffic Manager

Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.

Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.

Impact:
A memory leak and degraded performance can occur when:

-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.

Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.

If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:

1. Access the BIG-IP Bash prompt.

2. List the Persistence profiles with the following command:
      tmsh list ltm persistence

3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.

4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled

5. Save the changes to the Persistence profiles:
tmsh save sys config


644750-1 : 'epsec' tool fails in older version after use in newer version.

Component: Access Policy Manager

Symptoms:
Update to v13.0.x or v13.1.x removes EPSEC backward compatibility with BIG-IP systems running software versions earlier than v13.0.0.

Conditions:
Use 'System :: Software Management : Antivirus Check Updates' facilities in v13.0.0, boot back to 11.6.x or 11.5.x, and then run an EPSEC command such as the following: epsec -v version

Impact:
Errors are reported; EPSEC commands are not functional.

Workaround:
Remove all environment locks on the shared RPM database and then try the EPSEC commands again. To remove all environment locks, run the following command:

rm /shared/lib/rpm__*.db


641450-5 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


637613-5 : Cluster blade being disabled immediately returns to enabled/green

Solution Article: K24133500

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


627760-5 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.


627506-1 : Unable to change management-ip address

Component: TMOS

Symptoms:
After the management-ip address is changed, the BIG-IP system continues to use the old management-ip address. You might see the following error in /var/log/ltm:
-- warning chmand[6584]: 012a0004:4: mcp_admin_ip_remove, delMgmtAddr() catch exception: Network Socket: Open Error [No such device], possibly nonexistent.

Conditions:
Running on platforms that use eth0 interface for management traffic.

To determine whether the platform you have uses the eth0 interface for management traffic, run following command: ifconfig eth0.

Impact:
Unable to change management-ip address. After changing the management-ip, the old address will continue to be listed.

Workaround:
Save the change and reboot the system. After the changes have been saved, they will be applied after the unit is rebooted.


627447-2 : Sync fails after firewall policy deletion

Component: Advanced Firewall Manager

Symptoms:
When deleting a firewall policy and then creating a new one, sync to standby fails.

Conditions:
Delete firewall policy then create a new one. Sync to Standby.

Impact:
Sync fails.

Workaround:
None.


626030-1 : TMM restart and failover.

Component: TMOS

Symptoms:
Under rare circumstances, an HSB-received failure can cause can cause TMM to restart

Conditions:
The conditions required for this issue to occur are unknown.

Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.


624016 : Traffic data stats got lost on hardware accelerated flows when the flows are terminated earlier

Component: TMOS

Symptoms:
When the clients tend to reset HTTP keep alive connections immediately after data are received, instead of gracefully closing the connections per RFC, it presents a problem for TMOS, as we rely on the hardware FSUs (flow status updates) to calculate the packet counts for offloaded flows, but these flows were reset before the FSUs were sent from the hardware. So, we lost these packet stats for the offloaded flows, because BIG-IP can not determine the traffic direction without the connection flow information. FIN packets will have the same effects to close the connection. If there are FSUs after the FIN packets, they won’t be counted either.

Conditions:
Clients that reset connection immediately after data is received.

Impact:
pva traffic stats may not accurately show the packets/bytes counts for the offloaded flows.

Workaround:
One workaround fix is to consult with the hardware ePVA packet and byte forward counters in addition to the global PVA traffic stats. For verification purposes, this can be quickly used without any code changes with the following command:

# tmctl -d blade -s name,active,bus,rqm_epva_fwd_pkts,rqm_epva_fwd_bytes tmm/hsbe2_internal_pde


These rqm_epva_fwd_pkts/bytes counters are the current hardware counters from the ePVA registers, whare are more up to date. The only catch is that you will need to correspond the lbb_pde number to the individual PVA numbers in the output of "tmsh show sys pva-traffic". To get the global stats for all PDEs as in "tmsh show sys pva-traffic global", you will have to add thses number up with a script.


621158-3 : f5vpn does not close upon closing session

Component: Access Policy Manager

Symptoms:
f5vpn does not close upon closing session.

Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.

Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.

Workaround:
None.


620954-5 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to login.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.


620053-2 : Gratuitous ARPs may be transmitted by active unit being forced offline

Component: Local Traffic Manager

Symptoms:
When cluster's active is forced offline, the non-primary blades may send gratuitous ARPs.

Conditions:
Cluster's active blade is forced offline.

Impact:
Potential impact to traffic if the gratuitous ARPs of the blade which goes offline is received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Failover the cluster before forcing offline or configuring MAC masquerading.


613836-1 : Error message in ltm log when adding a DoS profile to virtual server in cluster setup

Component: Advanced Firewall Manager

Symptoms:
In a cluster environment, when adding DoS profile to a virtual server, ltm log shows a configuration exception error message complaining about a file missing.

Conditions:
-- The setup is a cluster.
-- DoS profile is created and attached to a virtual server.

Impact:
No functional impact, but unnecessary error message is seen in ltm log.

Workaround:
None.


613728-2 : Import/Activate Security policy with 'Replace policy associated with virtual server' option fails

Component: Application Security Manager

Symptoms:
Visible errors in the BIG-IP Configuration utility:

-- MCP Validation error - 01071abb:3: Cannot create/modify published policy '/Common/<ltm_policy_name>' directly, try specifying a draft folder like '/Common/Drafts/<ltm_policy_name>'.

-- MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/<asm_policy_name>'. It is in use by ltm policy '/Common/<asm_policy_name>'.

Conditions:
-- ASM provisioned.

-- Having an active Security policy 'A' assigned to an LTM L7 Policy 'L'.

-- Import/Activate Security policy 'B' with the option 'Replace policy associated with virtual server' enabled, to replace security policy 'A'.

Impact:
Security Policy is activated but not assigned to the LTM policy.

Workaround:
Run the following command prior to the Import/Activate of a Security policy action:
---------
# tmsh modify ltm policy L legacy
---------


611724 : LTM v11.5.4 HF1 iApp folders removed on partition load

Component: TMOS

Symptoms:
Folder is missing after loading partition.

Conditions:
Must have configured a folder, saved the partition, and then loaded the partition.

Impact:
Unable to restore iApp configuration saved from particular partition.

Workaround:
Save and load the entire configuration, or manually add the missing folder to the partition config being loaded.


610436-1 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.

Solution Article: K13222132

Component: Access Policy Manager

Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM configuration uses a network access profile.
-- The user device is running Windows 10 and is connected to two networks through two network interfaces.
-- The Windows user has installed the BIG-IP Edge Client that includes the DNS Relay Proxy Service.
-- Prior to establishing an access session, the lower index network interface of the Windows device is disconnected.
-- The Windows user establishes an access session using BIG-IP Edge Client.
-- The Windows device's lower index network interface is reconnected.
-- The Windows user attempts a DNS resolution.

Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.

Workaround:
To work around this issue, add the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient with DWORD EnableMultiHomedRouteConflicts set to 0.

This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.

Important: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.

For step-by-step instructions for adding this registry key, see K13222132: The DNS Relay Proxy Service may fail to resolve DNS requests :: https://support.f5.com/csp/article/K13222132.


606032-3 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.


604811-2 : Under certain conditions TMM may crash while processing OneConnect traffic

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing OneConnect traffic

Conditions:
Removing the OneConnect profile from a virtual server while passing traffic.

Impact:
TMM crash leading to a failover event


603124-1 : [FW FQDN] RFE to address lower minimum allowed refresh interval (than current min of 10 mins)

Component: Advanced Firewall Manager

Symptoms:
Firewall FQDN feature allowed the periodic refresh interval to be no less than 10 minutes. However, there are use cases where the FQDN -> IP mappings may change more frequently than 10 minutes.

This would cause mis-match between the actual FQDN -> IP mappings and the mappings AFM/Firewall had learnt.

Conditions:
Firewall rules have been configured with FQDNs as one of the match dimensions (either source or destination or both).

AFM DNS resolver refresh interval can be set to lowest possible allowed value of 10 minutes whereas the FQDN -> IP mappings change more frequently than 10 minutes.

Impact:
This would cause mis-match between the actual FQDN -> IP mappings and the mappings AFM/Firewall had learnt/cached.

Workaround:
None


601220-1 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade

Component: TMOS

Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.

Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.

Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.

Note: This is not an F5-specific problem. It occurs on every stack switch hardware under these conditions.

Workaround:
There is no workaround.


600985-3 : Network access tunnel data stalls

Component: Access Policy Manager

Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.

Conditions:
The cause of this issue is not yet known.

Impact:
Data stalls on the tunnel and hence wont be able to access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.

Workaround:
Manually re-establish the tunnel.


596020-5 : Devices in a device-group may report out-of-sync after one of the devices is rebooted

Component: TMOS

Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.

As a result of this issue, you may encounter the following symptoms:

- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.

Conditions:
This issue occurs when all of the following conditions are met:

- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator, you modify the configuration, triggering the devices to become out of synchronization.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.

Impact:
After the reboot, the devices report out-of-sync.

Note: This issue is purely cosmetic; no configuration is lost as result of this issue.

Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.

Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.


594064-5 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
  -- Serverside syn and syn-ack from FastL4 TCP traffic.
  -- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.

Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').


593536-6 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Solution Article: K64445052

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.


593361-2 : The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.

Component: TMOS

Symptoms:
The target platform implementation need to be ensure that it is update to date with draft and additionally tested with other open sources and commercial implementations to deem stable. If not a stable and production version as in case below, sender packets can be with a dummy MAC which is not recognized by BIG-IP.

Conditions:
Target platforms which may be unstable and untested in VXLAN-GPE.

Impact:
BIG-IP drop packets since it does not recognize inner pkt MAC.

Workaround:
Ensure target platform is stable, tested and production version wrt VXLAN-GPE and NSH.


592503-1 : TMM 'timer' device does not report 'busy' for non-priority timers.

Component: Local Traffic Manager

Symptoms:
A discrepancy in CPU utilization reporting can observed when looking at different utilities or reporting systems (i.e. top, tmctl, SNMP, the performance graphs in the GUI, etc.).

Specifically, certain utilities may report that TMM hyperthreads are 100% busy, while other utilities may indicate that TMM instances are only moderately busy.

In this case, the utilities or systems reporting the higher CPU utilization are correct.

Conditions:
This issue has been seen extremely rarely, as it requires some other edge condition to also be occurring (TMM firing non-priority timers in a looping manner).

Impact:
A BIG-IP Administrator monitoring CPU utilization on the system may be confused about how busy TMM actually is.

Although the main impacted system here is the tmm/stat tmctl table, these values are also exposed via the sysTmmStatTmUsageRatio5s MIB (which is more likely to be monitored by a BIG-IP Administrator).

Workaround:
Refer to utilities such as 'top' to monitor the CPU utilization of TMM hyperthreads.


591305-1 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install, it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.


589856-5 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients

Component: TMOS

Symptoms:
When 2 iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction id. This completely messes up both the client code execution.

Conditions:
Client requests to create transaction are close to each other in time.

Impact:
Transaction semantics are not followed, and unintended errors may occur


587821-6 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Solution Article: K91818030

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


578989-6 : Maximum request body size is limited to 25 MB

Component: Access Policy Manager

Symptoms:
When a POST request with body size exceeds 25 MB is sent to APM virtual server, the request fails.

Conditions:
POST request body size exceeded 25 MB.

Impact:
The POST request fails. The maximum request body size is limited to 25 MB

Workaround:
There is no workaround at this time.


571622-2 : 'Exceeding pool member limit' error with FQDN pool members and non-LTM license

Component: Local Traffic Manager

Symptoms:
When configuring FQDN pool members on a BIG-IP system with a license that does not include the LTM module, an error similar to the following may be logged by mcpd:

01071732:3: Exceeding pool member limit (3). Cannot add pool member to pool:(/Common/pool_name).

Conditions:
This may occur if:
1. The active BIG-IP license does not include the LTM module. Specifically, the active license defines a pool member limit (ltm_lb_pool_member_limit) other than 'unlimited'. This applies to AFM, APM, and ASM licenses.
2. FQDN pool members are configured with 'autopopulate' set to 'enabled'.

Impact:
Under these conditions, the ephemeral FQDN pool members are counted against the pool member limit (ltm_lb_pool_member_limit) defined in the LTM license. Cannot configure FQDN pool members with autopopulate enabled on BIG-IP systems without an LTM license.

Workaround:
There are two workarounds for this issue:
Workaround 1
-----------
1. Configure FQDN pool members with autopopulate disabled.
2. Do not attempt to configure more pool members than are permitted by the active license.

Workaround 2
-----------
Add the LTM module to the license configuration.


569859-1 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.

Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.


550526-2 : Some time zones prevent configuring trust with a peer device using the GUI.

Component: TMOS

Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.

Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.

-- Using the GUI to add a peer device to a trust configuration.

Impact:
Adding a peer device using the GUI fails.

Workaround:
You can use either of the following workarounds (you might find the first one easier):

-- Temporarily set the device timezone to a non-affected timezone (e.g.; UTC), establish trust, and set it back:

1. Navigate to System :: Platform.

2. Under 'Time Zone', select 'UTC', and click 'Update'

3. Repeat steps one and two to change all devices that are to be part of the trust domain.

4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.

5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.

-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.


544958-3 : Monitors packets are sent even when pool member is 'Forced Offline'.

Component: Local Traffic Manager

Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.

Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.

Impact:
Monitors packets are sent even when pool member is 'Forced Offline'.

Workaround:
None.


534187-3 : Passphrase protected signing keys are not supported by SAML IDP/SP

Component: Access Policy Manager

Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.

Conditions:
Private key used to perform digital signing operations is passphrase protected.

Impact:
SAML protocol will not function properly due to inability to sign messages.

Workaround:
To work around the problem, remove the passphrase from the signing key.


484683-3 : Certificate_summary is not created at peer when the chain certificate is synced to HA peer.

Component: TMOS

Symptoms:
The other Peer of a high-availability (HA) pair cannot show the summary of cert-chain by 'tmsh run sys crypto check-cert verbose enabled' after config-sync.

Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, setup an HA Pair
2. Import Certificate chain to one BIG-IP system.
3. 'run config-sync' to sync the Certificate chain to the peer BIG-IP system.

Impact:
After a ConfigSync operation, the certificate chain summary is not created on other HA peers.

Workaround:
Copy the cert-chain file to a place (such as /shared/tmp/), and update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1


470807-2 : iRule data-groups are not checked for existence

Component: Local Traffic Manager

Symptoms:
When an iRule specifies a data-group that is not in Common, or that does not have an explicit path to it, it does not result in an error when the iRule is saved, or during runtime.

Conditions:
User saves an iRule with a data-group not in Common or with an explicit path to it.

Impact:
When such an iRule is saved, it can cause all traffic to fail.

Workaround:
None.


431480-5 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Solution Article: K17297

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


429124-5 : ePVA does not work with lasthop pools with only one member

Solution Article: K15069

Component: Local Traffic Manager

Symptoms:
ePVA does not work with lasthop pools with only one member.

Conditions:
ePVA does not work with lasthop pools with only one member.

Impact:
ePVA does not work with lasthop pools with only one member.

Workaround:
None.


424588-1 : iRule command [DOSL7::profile] returns empty value

Component: Application Security Manager

Symptoms:
iRule command [DOSL7::profile] returns an empty value.

Conditions:
iRule with the [DOSL7::profile] command attached to a virtual server.

Impact:
The iRule returns an empty value.

Workaround:
None.


402691-1 : The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP

Component: TMOS

Symptoms:
The status information about traffic selectors in IPsec can be displayed with the TMSH command 'show net ipsec', but there is no way to manage the BIG-IP system and gather data using SNMP.

Conditions:
Using SNMP to query the BIG-IP system for IPsec traffic selector status.

Impact:
Use TMSH or customized SNMP solutions.

Workaround:
None.


376615 : Logon failure when Access Policy contains On-Demand Cert Agent for legacy logon method

Component: Access Policy Manager

Symptoms:
Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy.

Conditions:
- On-Demand Cert Auth agent is used in an access policy.
- Clients: iOS, Android, Windows Mobile, and Linux CLI.

Impact:
Logon fails.

This is a known limitation for clients that utilize legacy logon method (this includes clients running iOS, Android, Windows Mobile clients, Linux CLI, etc).

The limitation occurs because the On-Demand Cert Agent triggers a few client redirects (HTTP 302) for renegotiation, and that causes the post data to my.activation to be lost.

Workaround:
To work around the problem, put the Logon page agent before the On-Demand Cert Agent in the access policy.


307037-3 : Dynamic Resources Are Assigned But Not Accessible

Component: Access Policy Manager

Symptoms:
Resources appear assigned in session record but are not accessible by the client.

Conditions:
This issue occurs if the resources are assigned via Variable Assign agent.

Impact:
Resources are unavailable to client.

Workaround:
In the VPE, add a branch with Resource Assign agent that will never reach. With the Resource Assign agent, assign all the resources that are referenced by Variable Assign agent.


273104-1 : Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps

Component: Local Traffic Manager

Symptoms:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.

Conditions:
Always.

Impact:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.


264701-2 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)

Component: Global Traffic Manager (DNS)

Symptoms:
The zrd process exits and cannot be restarted.

Conditions:
This occurs when the journal is out-of-sync with the zone.

Impact:
The zrd process cannot be restarted.

Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).

I) On a working system, perform the following:
1. # rndc freeze $z

(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)

2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones].
3. # rndc thaw $z

II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the nonworking /tmp/named.zone.files from a working GTM system.
3. # bigstart start named; bigstart start zrd.

(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors0.)

Repeat part II until all previously nonworking systems are working.

III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf.


222220-2 : Distributed application statistics

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.

Conditions:
Using Distributed application statistics and multiple wide-IP-members.

Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************